module Happstack.Authenticate.OpenId.Core where
import Control.Applicative (Alternative)
import Control.Monad (msum)
import Control.Lens ((?=), (^.), (.=), makeLenses, view, at)
import Control.Monad.Trans (MonadIO(liftIO))
import Data.Acid (AcidState, Query, Update, makeAcidic)
import Data.Acid.Advanced (query', update')
import qualified Data.Aeson as Aeson
import Data.Aeson (Object(..), Value(..), decode, encode)
import Data.Aeson.Types (ToJSON(..), FromJSON(..), Options(fieldLabelModifier), defaultOptions, genericToJSON, genericParseJSON)
import Data.Data (Data, Typeable)
import qualified Data.HashMap.Strict as HashMap
import Data.Map (Map)
import qualified Data.Map as Map
import Data.Maybe (mapMaybe)
import Data.Monoid ((<>))
import Data.SafeCopy (Migrate(..), SafeCopy, base, extension, deriveSafeCopy)
import qualified Data.Text as T
import Data.Text (Text)
import qualified Data.Text.Encoding as T
import qualified Data.Text.Lazy as TL
import qualified Data.Text.Lazy.Encoding as TL
import qualified Data.Map as Map
import Data.UserId (UserId)
import GHC.Generics (Generic)
import Happstack.Authenticate.Core (AuthenticateConfig(..), AuthenticateState, CoreError(..), CreateAnonymousUser(..), GetUserByUserId(..), HappstackAuthenticateI18N(..), addTokenCookie, getToken, jsonOptions, toJSONError, toJSONSuccess, toJSONResponse, tokenIsAuthAdmin, userId)
import Happstack.Authenticate.OpenId.URL
import Happstack.Server (RqBody(..), Happstack, Method(..), Response, askRq, unauthorized, badRequest, internalServerError, forbidden, lookPairsBS, method, resp, takeRequestBody, toResponse, toResponseBS, ok)
import Language.Javascript.JMacro
import Network.HTTP.Conduit (newManager, tlsManagerSettings)
import Text.Shakespeare.I18N (RenderMessage(..), Lang, mkMessageFor)
import Web.Authenticate.OpenId (Identifier)
import Web.Authenticate.OpenId (Identifier, OpenIdResponse(..), authenticateClaimed, getForwardUrl)
$(deriveSafeCopy 1 'base ''Identifier)
data OpenIdError
= UnknownIdentifier
| CoreError { openIdErrorMessageE :: CoreError }
deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
instance ToJSON OpenIdError where toJSON = genericToJSON jsonOptions
instance FromJSON OpenIdError where parseJSON = genericParseJSON jsonOptions
instance ToJExpr OpenIdError where
toJExpr = toJExpr . toJSON
mkMessageFor "HappstackAuthenticateI18N" "OpenIdError" "messages/openid/error" ("en")
data OpenIdState_1 = OpenIdState_1
{ _identifiers_1 :: Map Identifier UserId
}
deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
deriveSafeCopy 1 'base ''OpenIdState_1
makeLenses ''OpenIdState_1
data OpenIdState = OpenIdState
{ _identifiers :: Map Identifier UserId
, _openIdRealm :: Maybe Text
}
deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
deriveSafeCopy 2 'extension ''OpenIdState
makeLenses ''OpenIdState
instance Migrate OpenIdState where
type MigrateFrom OpenIdState = OpenIdState_1
migrate (OpenIdState_1 ids) = OpenIdState ids Nothing
initialOpenIdState :: OpenIdState
initialOpenIdState = OpenIdState
{ _identifiers = Map.fromList []
, _openIdRealm = Nothing
}
identifierToUserId :: Identifier -> Query OpenIdState (Maybe UserId)
identifierToUserId identifier = view (identifiers . at identifier)
associateIdentifierWithUserId :: Identifier -> UserId -> Update OpenIdState ()
associateIdentifierWithUserId ident uid =
identifiers . at ident ?= uid
getOpenIdRealm :: Query OpenIdState (Maybe Text)
getOpenIdRealm = view openIdRealm
setOpenIdRealm :: Maybe Text
-> Update OpenIdState ()
setOpenIdRealm realm = openIdRealm .= realm
makeAcidic ''OpenIdState
[ 'identifierToUserId
, 'associateIdentifierWithUserId
, 'getOpenIdRealm
, 'setOpenIdRealm
]
data SetRealmData = SetRealmData
{ _srOpenIdRealm :: Maybe Text
}
deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
makeLenses ''SetRealmData
instance ToJSON SetRealmData where toJSON = genericToJSON jsonOptions
instance FromJSON SetRealmData where parseJSON = genericParseJSON jsonOptions
realm :: (Happstack m) =>
AcidState AuthenticateState
-> AcidState OpenIdState
-> m Response
realm authenticateState openIdState =
do mt <- getToken authenticateState
case mt of
Nothing -> unauthorized $ toJSONError (CoreError AuthorizationRequired)
(Just (token,_))
| token ^. tokenIsAuthAdmin == False -> forbidden $ toJSONError (CoreError Forbidden)
| otherwise ->
msum [ do method GET
mRealm <- query' openIdState GetOpenIdRealm
ok $ toJSONSuccess mRealm
, do method POST
(Just (Body body)) <- takeRequestBody =<< askRq
case Aeson.decode body of
Nothing -> badRequest $ toJSONError (CoreError JSONDecodeFailed)
(Just (SetRealmData mRealm)) ->
do
update' openIdState (SetOpenIdRealm mRealm)
ok $ toJSONSuccess ()
]
getIdentifier :: (Happstack m) => m Identifier
getIdentifier =
do pairs' <- lookPairsBS
let pairs = mapMaybe (\(k, ev) -> case ev of (Left _) -> Nothing ; (Right v) -> Just (T.pack k, TL.toStrict $ TL.decodeUtf8 v)) pairs'
oir <- liftIO $ do manager <- newManager tlsManagerSettings
authenticateClaimed pairs manager
return (oirOpLocal oir)
token :: (Alternative m, Happstack m) =>
AcidState AuthenticateState
-> AuthenticateConfig
-> AcidState OpenIdState
-> m Response
token authenticateState authenticateConfig openIdState =
do identifier <- getIdentifier
mUserId <- query' openIdState (IdentifierToUserId identifier)
mUser <- case mUserId of
Nothing ->
do user <- update' authenticateState CreateAnonymousUser
update' openIdState (AssociateIdentifierWithUserId identifier (user ^. userId))
return (Just user)
(Just uid) ->
do mu <- query' authenticateState (GetUserByUserId uid)
case mu of
Nothing -> return Nothing
(Just u) ->
return (Just u)
case mUser of
Nothing -> internalServerError $ toJSONError $ CoreError InvalidUserId
(Just user) -> do token <- addTokenCookie authenticateState authenticateConfig user
let tokenBS = TL.encodeUtf8 $ TL.fromStrict token
ok $ toResponseBS "text/html" $ "<html><head><script type='text/javascript'>window.opener.tokenCB('" <> tokenBS <> "'); window.close();</script></head><body></body></html>"