Working OAuth2 support. Needs some more debugging (error handling is not

great and imc_logout() gets (rightfully) confused when jabber_data is empty).

6 files changed, 309 insertions, 43 deletions

diff --git a/lib/oauth.h b/lib/oauth.h
index 8270a545..5c4ef4b0 100644
--- a/lib/oauth.h
+++ b/lib/oauth.h
@@ -91,4 +91,7 @@ char *oauth_to_string( struct oauth_info *oi );
 struct oauth_info *oauth_from_string( char *in, const struct oauth_service *sp );
 
 /* For reading misc. data. */
+void oauth_params_add( GSList **params, const char *key, const char *value );
+void oauth_params_free( GSList **params );
+char *oauth_params_string( GSList *params );
 const char *oauth_params_get( GSList **params, const char *key );
diff --git a/lib/oauth2.c b/lib/oauth2.c
index eb923795..d9eefa9f 100644
--- a/lib/oauth2.c
+++ b/lib/oauth2.c
@@ -22,7 +22,10 @@
 \***************************************************************************/
 
 #include <glib.h>
+#include "http_client.h"
 #include "oauth2.h"
+#include "oauth.h"
+#include "url.h"
 
 struct oauth2_service oauth2_service_google =
 {
@@ -40,3 +43,139 @@ char *oauth2_url( const struct oauth2_service *sp, const char *scope )
 	                    "&client_id=", sp->consumer_key,
 	                    NULL );
 }
+
+struct oauth2_access_token_data
+{
+	oauth2_token_callback func;
+	gpointer data;
+};
+
+static char *oauth2_json_dumb_get( const char *json, const char *key );
+static void oauth2_access_token_done( struct http_request *req );
+
+int oauth2_access_token( const struct oauth2_service *sp,
+                         const char *auth_type, const char *auth,
+                         oauth2_token_callback func, gpointer data )
+{
+	GSList *args = NULL;
+	char *args_s, *s;
+	url_t url_p;
+	struct http_request *req;
+	struct oauth2_access_token_data *cb_data;
+	
+	if( !url_set( &url_p, sp->base_url ) )
+		return 0;
+	
+	oauth_params_add( &args, "client_id", sp->consumer_key );
+	oauth_params_add( &args, "client_secret", sp->consumer_secret );
+	oauth_params_add( &args, "grant_type", auth_type );
+	if( strcmp( auth_type, OAUTH2_AUTH_CODE ) == 0 )
+	{
+		oauth_params_add( &args, "redirect_uri", "urn:ietf:wg:oauth:2.0:oob" );
+		oauth_params_add( &args, "code", auth );
+	}
+	else
+	{
+		oauth_params_add( &args, "refresh_token", auth );
+	}
+	args_s = oauth_params_string( args );
+	oauth_params_free( &args );
+	
+	s = g_strdup_printf( "POST %s%s HTTP/1.0\r\n"
+	                     "Host: %s\r\n"
+	                     "Content-Type: application/x-www-form-urlencoded\r\n"
+	                     "Content-Length: %zd\r\n"
+	                     "Connection: close\r\n"
+	                     "\r\n"
+	                     "%s", url_p.file, "token", url_p.host, strlen( args_s ), args_s );
+	g_free( args_s );
+	
+	cb_data = g_new0( struct oauth2_access_token_data, 1 );
+	cb_data->func = func;
+	cb_data->data = data;
+	
+	req = http_dorequest( url_p.host, url_p.port, url_p.proto == PROTO_HTTPS,
+	                      s, oauth2_access_token_done, cb_data );
+	
+	g_free( s );
+	
+	if( req == NULL )
+		g_free( cb_data );
+	
+	return req != NULL;
+}
+
+static void oauth2_access_token_done( struct http_request *req )
+{
+	struct oauth2_access_token_data *cb_data = req->data;
+	char *atoken = NULL, *rtoken = NULL;
+	
+	if( req->status_code == 200 )
+	{
+		atoken = oauth2_json_dumb_get( req->reply_body, "access_token" );
+		rtoken = oauth2_json_dumb_get( req->reply_body, "refresh_token" );
+	}
+	cb_data->func( cb_data->data, atoken, rtoken );
+	g_free( atoken );
+	g_free( rtoken );
+	g_free( cb_data );
+}
+
+/* Super dumb. I absolutely refuse to use/add a complete json parser library
+   (adding a new dependency to BitlBee for the first time in.. 6 years?) just
+   to parse 100 bytes of data. So I have to do my own parsing because OAuth2
+   dropped support for XML. (GRRR!) This is very dumb and for example won't
+   work for integer values, nor will it strip/handle backslashes. */
+static char *oauth2_json_dumb_get( const char *json, const char *key )
+{
+	int is_key; /* 1 == reading key, 0 == reading value */
+	int found_key = 0;
+		
+	while( json && *json )
+	{
+		/* Grab strings and see if they're what we're looking for. */
+		if( *json == '"' || *json == '\'' )
+		{
+			char q = *json;
+			const char *str_start;
+			json ++;
+			str_start = json;
+			
+			while( *json )
+			{
+				/* \' and \" are not string terminators. */
+				if( *json == '\\' && json[1] == q )
+					json ++;
+				/* But without a \ it is. */
+				else if( *json == q )
+					break;
+				json ++;
+			}
+			if( *json == '\0' )
+				return NULL;
+			
+			if( is_key && strncmp( str_start, key, strlen( key ) ) == 0 )
+			{
+				found_key = 1;
+			}
+			else if( !is_key && found_key )
+			{
+				char *ret = g_memdup( str_start, json - str_start + 1 );
+				ret[json-str_start] = '\0';
+				return ret;
+			}
+			
+		}
+		else if( *json == '{' || *json == ',' )
+		{
+			found_key = 0;
+			is_key = 1;
+		}
+		else if( *json == ':' )
+			is_key = 0;
+		
+		json ++;
+	}
+	
+	return NULL;
+}
diff --git a/lib/oauth2.h b/lib/oauth2.h
index c2985ef6..657a0ab3 100644
--- a/lib/oauth2.h
+++ b/lib/oauth2.h
@@ -1,7 +1,7 @@
 /***************************************************************************\
 *                                                                           *
 *  BitlBee - An IRC to IM gateway                                           *
-*  Simple OAuth client (consumer) implementation.                           *
+*  Simple OAuth2 client (consumer) implementation.                          *
 *                                                                           *
 *  Copyright 2010-2011 Wilmer van der Gaast <wilmer@gaast.net>              *
 *                                                                           *
@@ -21,28 +21,10 @@
 *                                                                           *
 \***************************************************************************/
 
-struct oauth2_info;
+/* Implementation mostly based on my experience with writing the previous OAuth
+   module, and from http://code.google.com/apis/accounts/docs/OAuth2.html . */
 
-/* Callback function called twice during the access token request process.
-   Return FALSE if something broke and the process must be aborted. */
-typedef gboolean (*oauth_cb)( struct oauth2_info * );
-
-struct oauth2_info
-{
-	const struct oauth_service *sp;
-	
-	oauth_cb func;
-	void *data;
-	
-	struct http_request *http;
-	
-//	char *auth_url;
-//	char *request_token;
-	
-//	char *token;
-//	char *token_secret;
-//	GSList *params;
-};
+typedef void (*oauth2_token_callback)( gpointer data, const char *atoken, const char *rtoken );
 
 struct oauth2_service
 {
@@ -51,19 +33,19 @@ struct oauth2_service
 	char *consumer_secret;
 };
 
+/* Currently suitable for authenticating to Google Talk only, and only for
+   accounts that have 2-factor authorization enabled. */
 extern struct oauth2_service oauth2_service_google;
 
-/* http://oauth.net/core/1.0a/#auth_step1 (section 6.1) 
-   Request an initial anonymous token which can be used to construct an
-   authorization URL for the user. This is passed to the callback function
-   in a struct oauth2_info. */
-char *oauth2_url( const struct oauth2_service *sp, const char *scope );
+#define OAUTH2_AUTH_CODE "authorization_code"
+#define OAUTH2_AUTH_REFRESH "refresh_token"
 
-/* http://oauth.net/core/1.0a/#auth_step3 (section 6.3)
-   The user gets a PIN or so which we now exchange for the final access
-   token. This is passed to the callback function in the same
-   struct oauth2_info. */
-gboolean oauth2_access_token( const char *pin, struct oauth2_info *st );
+/* Generate a URL the user should open in his/her browser to get an
+   authorization code. */
+char *oauth2_url( const struct oauth2_service *sp, const char *scope );
 
-/* Shouldn't normally be required unless the process is aborted by the user. */
-void oauth2_info_free( struct oauth2_info *info );
+/* Exchanges an auth code or refresh token for an access token.
+   auth_type is one of the two OAUTH2_AUTH_.. constants above. */
+int oauth2_access_token( const struct oauth2_service *sp,
+                         const char *auth_type, const char *auth,
+                         oauth2_token_callback func, gpointer data );
diff --git a/protocols/jabber/jabber.c b/protocols/jabber/jabber.c
index bd9bbe23..64858de2 100644
--- a/protocols/jabber/jabber.c
+++ b/protocols/jabber/jabber.c
@@ -97,9 +97,7 @@ static void jabber_login( account_t *acc )
 {
 	struct im_connection *ic = imcb_new( acc );
 	struct jabber_data *jd = g_new0( struct jabber_data, 1 );
-	struct ns_srv_reply **srvl = NULL, *srv = NULL;
-	char *connect_to, *s;
-	int i;
+	char *s;
 	
 	/* For now this is needed in the _connected() handlers if using
 	   GLib event handling, to make sure we're not handling events
@@ -139,6 +137,30 @@ static void jabber_login( account_t *acc )
 	jd->node_cache = g_hash_table_new_full( g_str_hash, g_str_equal, NULL, jabber_cache_entry_free );
 	jd->buddies = g_hash_table_new( g_str_hash, g_str_equal );
 	
+	if( set_getbool( &acc->set, "oauth" ) )
+	{
+		/* For the first login with OAuth, we have to authenticate via the browser.
+		   For subsequent logins, exchange the refresh token for a valid access
+		   token (even though the last one maybe didn't expire yet). */
+		if( strncmp( acc->pass, "refresh_token=", 14 ) != 0 )
+			sasl_oauth2_init( ic );
+		else
+			sasl_oauth2_refresh( ic, acc->pass + 14 );
+	}
+	else
+		jabber_connect( ic );
+}
+
+/* Separate this from jabber_login() so we can do OAuth first if necessary.
+   Putting this in io.c would probably be more correct. */
+void jabber_connect( struct im_connection *ic )
+{
+	account_t *acc = ic->acc;
+	struct jabber_data *jd = ic->proto_data;
+	int i;
+	char *connect_to;
+	struct ns_srv_reply **srvl = NULL, *srv = NULL;
+	
 	/* Figure out the hostname to connect to. */
 	if( acc->server && *acc->server )
 		connect_to = acc->server;
@@ -280,6 +302,19 @@ static int jabber_buddy_msg( struct im_connection *ic, char *who, char *message,
 	if( g_strcasecmp( who, JABBER_XMLCONSOLE_HANDLE ) == 0 )
 		return jabber_write( ic, message, strlen( message ) );
 	
+	if( g_strcasecmp( who, "jabber_oauth" ) == 0 )
+	{
+		if( sasl_oauth2_get_refresh_token( ic, message ) )
+		{
+			return 1;
+		}
+		else
+		{
+			imcb_error( ic, "OAuth failure" );
+			imc_logout( ic, TRUE );
+		}
+	}
+	
 	if( ( s = strchr( who, '=' ) ) && jabber_chat_by_jid( ic, s + 1 ) )
 		bud = jabber_buddy_by_ext_jid( ic, who, 0 );
 	else
diff --git a/protocols/jabber/jabber.h b/protocols/jabber/jabber.h
index adf9a291..8d65a7e3 100644
--- a/protocols/jabber/jabber.h
+++ b/protocols/jabber/jabber.h
@@ -92,6 +92,8 @@ struct jabber_data
 	char *username;		/* USERNAME@server */
 	char *server;		/* username@SERVER -=> server/domain, not hostname */
 	
+	char *oauth2_access_token;
+	
 	/* After changing one of these two (or the priority setting), call
 	   presence_send_update() to inform the server about the changes. */
 	const struct jabber_away_state *away_state;
@@ -231,6 +233,9 @@ struct jabber_transfer
 #define XMLNS_BYTESTREAMS  "http://jabber.org/protocol/bytestreams"              /* XEP-0065 */
 #define XMLNS_IBB          "http://jabber.org/protocol/ibb"                      /* XEP-0047 */
 
+/* jabber.c */
+void jabber_connect( struct im_connection *ic );
+
 /* iq.c */
 xt_status jabber_pkt_iq( struct xt_node *node, gpointer data );
 int jabber_init_iq_auth( struct im_connection *ic );
@@ -315,6 +320,9 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data );
 xt_status sasl_pkt_challenge( struct xt_node *node, gpointer data );
 xt_status sasl_pkt_result( struct xt_node *node, gpointer data );
 gboolean sasl_supported( struct im_connection *ic );
+void sasl_oauth2_init( struct im_connection *ic );
+int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg );
+int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token );
 
 /* conference.c */
 struct groupchat *jabber_chat_join( struct im_connection *ic, const char *room, const char *nick, const char *password );
diff --git a/protocols/jabber/sasl.c b/protocols/jabber/sasl.c
index 0bbbae11..a7c3dd6f 100644
--- a/protocols/jabber/sasl.c
+++ b/protocols/jabber/sasl.c
@@ -75,13 +75,31 @@ xt_status sasl_pkt_mechanisms( struct xt_node *node, gpointer data )
 	reply = xt_new_node( "auth", NULL, NULL );
 	xt_add_attr( reply, "xmlns", XMLNS_SASL );
 	
-	if( sup_oauth2 && set_getbool( &ic->acc->set, "oauth" ) )
+	if( set_getbool( &ic->acc->set, "oauth" ) )
 	{
-		imcb_log( ic, "Open this URL in your browser to authenticate: %s",
-		          oauth2_url( &oauth2_service_google,
-		                      "https://www.googleapis.com/auth/googletalk" ) );
-		xt_free_node( reply );
-		reply = NULL;
+		int len;
+		
+		if( !sup_oauth2 )
+		{
+			imcb_error( ic, "OAuth requested, but not supported by server" );
+			imc_logout( ic, FALSE );
+			xt_free_node( reply );
+			return XT_ABORT;
+		}
+		
+		/* X-OAUTH2 is, not *the* standard OAuth2 SASL/XMPP implementation.
+		   It's currently used by GTalk and vaguely documented on
+		   http://code.google.com/apis/cloudprint/docs/rawxmpp.html . */
+		xt_add_attr( reply, "mechanism", "X-OAUTH2" );
+		
+		len = strlen( jd->username ) + strlen( jd->oauth2_access_token ) + 2;
+		s = g_malloc( len + 1 );
+		s[0] = 0;
+		strcpy( s + 1, jd->username );
+		strcpy( s + 2 + strlen( jd->username ), jd->oauth2_access_token );
+		reply->text = base64_encode( (unsigned char *)s, len );
+		reply->text_len = strlen( reply->text );
+		g_free( s );
 	}
 	else if( sup_digest )
 	{
@@ -357,3 +375,84 @@ gboolean sasl_supported( struct im_connection *ic )
 	
 	return ( jd->xt && jd->xt->root && xt_find_attr( jd->xt->root, "version" ) ) != 0;
 }
+
+void sasl_oauth2_init( struct im_connection *ic )
+{
+	char *msg, *url;
+	
+	imcb_log( ic, "Starting OAuth authentication" );
+	
+	/* Temporary contact, just used to receive the OAuth response. */
+	imcb_add_buddy( ic, "jabber_oauth", NULL );
+	url = oauth2_url( &oauth2_service_google,
+	                  "https://www.googleapis.com/auth/googletalk" );
+	msg = g_strdup_printf( "Open this URL in your browser to authenticate: %s", url );
+	imcb_buddy_msg( ic, "jabber_oauth", msg, 0, 0 );
+	imcb_buddy_msg( ic, "jabber_oauth", "Respond to this message with the returned "
+	                                    "authorization token.", 0, 0 );
+	
+	g_free( msg );
+	g_free( url );
+}
+
+static gboolean sasl_oauth2_remove_contact( gpointer data, gint fd, b_input_condition cond )
+{
+	struct im_connection *ic = data;
+	imcb_remove_buddy( ic, "jabber_oauth", NULL );
+	return FALSE;
+}
+
+static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token );
+
+int sasl_oauth2_get_refresh_token( struct im_connection *ic, const char *msg )
+{
+	char *code;
+	int ret;
+	
+	imcb_log( ic, "Requesting OAuth access token" );
+	
+	/* Don't do it here because the caller may get confused if the contact
+	   we're currently sending a message to is deleted. */
+	b_timeout_add( 1, sasl_oauth2_remove_contact, ic );
+	
+	code = g_strdup( msg );
+	g_strstrip( code );
+	ret = oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_CODE,
+	                           code, sasl_oauth2_got_token, ic );
+	
+	g_free( code );
+	return ret;
+}
+
+int sasl_oauth2_refresh( struct im_connection *ic, const char *refresh_token )
+{
+	return oauth2_access_token( &oauth2_service_google, OAUTH2_AUTH_REFRESH,
+	                            refresh_token, sasl_oauth2_got_token, ic );
+}
+
+static void sasl_oauth2_got_token( gpointer data, const char *access_token, const char *refresh_token )
+{
+	struct im_connection *ic = data;
+	struct jabber_data *jd;
+	
+	if( g_slist_find( jabber_connections, ic ) == NULL )
+		return;
+	
+	jd = ic->proto_data;
+	
+	if( access_token == NULL )
+	{
+		imcb_error( ic, "OAuth failure (missing access token)" );
+		imc_logout( ic, TRUE );
+	}
+	if( refresh_token != NULL )
+	{
+		g_free( ic->acc->pass );
+		ic->acc->pass = g_strdup_printf( "refresh_token=%s", refresh_token );
+	}
+	
+	g_free( jd->oauth2_access_token );
+	jd->oauth2_access_token = g_strdup( access_token );
+	
+	jabber_connect( ic );
+}