Files
kicad-source-mirror/common/remote_provider_client.cpp
Seth Hillbrand 2dbba4a60a Remote Symbol: consolidate, update and harden
Extract duplicated helpers from remote provider files into shared
utilities.  Split sendRpcMessage into purpose-specific functions.
Implement standard nonce-based exchange for re-auth.  Provide
additional models for more efficient model/symbol/fp/etc using
external URLs.  This allows us to better handle connection errors,
retries and large data packets.

Fixes https://gitlab.com/kicad/code/kicad/-/issues/23381
2026-03-11 06:41:44 -07:00

492 lines
17 KiB
C++

/*
* This program source code file is part of KiCad, a free EDA CAD application.
*
* Copyright The KiCad Developers, see AUTHORS.txt for contributors.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 3 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <remote_provider_client.h>
#include <curl/curl.h>
#include <kicad_curl/kicad_curl_easy.h>
#include <oauth/oauth_session.h>
#include <remote_provider_utils.h>
#include <wx/datetime.h>
#include <wx/intl.h>
namespace
{
wxString joinUrl( const wxString& aBaseUrl, const wxString& aPath )
{
if( aPath.StartsWith( wxS( "https://" ) ) || aPath.StartsWith( wxS( "http://" ) ) )
return aPath;
wxString base = aBaseUrl;
while( base.EndsWith( wxS( "/" ) ) )
base.RemoveLast();
if( aPath.StartsWith( wxS( "/" ) ) )
return base + aPath;
return base + wxS( "/" ) + aPath;
}
wxString buildPartsUrl( const REMOTE_PROVIDER_METADATA& aProvider, const wxString& aPartId )
{
wxString endpoint = aProvider.parts_endpoint_template;
endpoint.Replace( wxS( "{part_id}" ), UrlEncode( aPartId ) );
return joinUrl( aProvider.api_base_url, endpoint );
}
bool defaultHttpHandler( const REMOTE_PROVIDER_HTTP_REQUEST& aRequest, REMOTE_PROVIDER_HTTP_RESPONSE& aResponse,
wxString& aError )
{
KICAD_CURL_EASY curl;
curl.SetUserAgent( "KiCad-RemoteProvider/1.0" );
curl.SetFollowRedirects( true );
curl.SetConnectTimeout( 10 );
if( !curl.SetURL( aRequest.url.ToStdString() ) )
{
aError = wxString::Format( wxS( "Unable to set URL '%s'." ), aRequest.url );
return false;
}
for( const REMOTE_PROVIDER_HTTP_HEADER& header : aRequest.headers )
curl.SetHeader( header.name.ToStdString(), header.value.ToStdString() );
if( aRequest.method == REMOTE_PROVIDER_HTTP_METHOD::POST )
curl.SetPostFields( aRequest.body.ToStdString() );
int result = curl.Perform();
if( result != CURLE_OK )
{
aError = wxString::FromUTF8( curl.GetErrorText( result ).c_str() );
return false;
}
aResponse.status_code = curl.GetResponseStatusCode();
aResponse.body = wxString::FromUTF8( curl.GetBuffer().c_str() );
return true;
}
} // namespace
REMOTE_PROVIDER_CLIENT::REMOTE_PROVIDER_CLIENT() :
m_handler( defaultHttpHandler )
{
}
REMOTE_PROVIDER_CLIENT::REMOTE_PROVIDER_CLIENT( REMOTE_PROVIDER_HTTP_HANDLER aHandler ) :
m_handler( std::move( aHandler ) )
{
}
wxString REMOTE_PROVIDER_CLIENT::MetadataDiscoveryUrl( const wxString& aProviderUrl )
{
static const wxString suffix = wxS( "/.well-known/kicad-remote-provider" );
if( aProviderUrl.EndsWith( suffix ) )
return aProviderUrl;
wxString base = aProviderUrl;
while( base.EndsWith( wxS( "/" ) ) )
base.RemoveLast();
return base + suffix;
}
bool REMOTE_PROVIDER_CLIENT::DiscoverProvider( const wxString& aProviderUrl, REMOTE_PROVIDER_METADATA& aMetadata,
REMOTE_PROVIDER_ERROR& aError ) const
{
aError.Clear();
REMOTE_PROVIDER_HTTP_REQUEST request;
request.method = REMOTE_PROVIDER_HTTP_METHOD::GET;
request.url = MetadataDiscoveryUrl( aProviderUrl );
request.headers.push_back( { wxS( "Accept" ), wxS( "application/json" ) } );
nlohmann::json responseJson;
if( !FetchJson( request, responseJson, aError ) )
return false;
wxString error;
std::optional<REMOTE_PROVIDER_METADATA> metadata = REMOTE_PROVIDER_METADATA::FromJson( responseJson, error );
if( !metadata )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = error;
return false;
}
aMetadata = *metadata;
return true;
}
bool REMOTE_PROVIDER_CLIENT::FetchOAuthServerMetadata( const REMOTE_PROVIDER_METADATA& aProvider,
REMOTE_PROVIDER_OAUTH_SERVER_METADATA& aMetadata,
REMOTE_PROVIDER_ERROR& aError ) const
{
aError.Clear();
if( aProvider.auth.type != REMOTE_PROVIDER_AUTH_TYPE::OAUTH2 )
{
aMetadata = REMOTE_PROVIDER_OAUTH_SERVER_METADATA();
return true;
}
REMOTE_PROVIDER_HTTP_REQUEST request;
request.method = REMOTE_PROVIDER_HTTP_METHOD::GET;
request.url = aProvider.auth.metadata_url;
request.headers.push_back( { wxS( "Accept" ), wxS( "application/json" ) } );
nlohmann::json responseJson;
if( !FetchJson( request, responseJson, aError ) )
return false;
wxString error;
std::optional<REMOTE_PROVIDER_OAUTH_SERVER_METADATA> metadata =
REMOTE_PROVIDER_OAUTH_SERVER_METADATA::FromJson( responseJson, aProvider.allow_insecure_localhost, error );
if( !metadata )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = error;
return false;
}
aMetadata = *metadata;
return true;
}
bool REMOTE_PROVIDER_CLIENT::ExchangeAuthorizationCode(
const REMOTE_PROVIDER_OAUTH_SERVER_METADATA& aMetadata, const OAUTH_SESSION& aSession,
const wxString& aCode, OAUTH_TOKEN_SET& aTokens, REMOTE_PROVIDER_ERROR& aError ) const
{
aError.Clear();
REMOTE_PROVIDER_HTTP_REQUEST request;
request.method = REMOTE_PROVIDER_HTTP_METHOD::POST;
request.url = aMetadata.token_endpoint;
request.body = wxString( wxS( "grant_type=authorization_code" ) )
+ wxS( "&code=" ) + UrlEncode( aCode )
+ wxS( "&client_id=" ) + UrlEncode( aSession.client_id )
+ wxS( "&redirect_uri=" ) + UrlEncode( aSession.redirect_uri )
+ wxS( "&code_verifier=" ) + UrlEncode( aSession.code_verifier );
request.headers.push_back( { wxS( "Accept" ), wxS( "application/json" ) } );
request.headers.push_back(
{ wxS( "Content-Type" ), wxS( "application/x-www-form-urlencoded" ) } );
request.headers.push_back( { wxS( "Cache-Control" ), wxS( "no-store" ) } );
REMOTE_PROVIDER_HTTP_RESPONSE response;
if( !SendRequest( request, response, aError ) )
return false;
return ParseTokenResponse( response, aTokens, aError );
}
bool REMOTE_PROVIDER_CLIENT::RefreshAccessToken(
const REMOTE_PROVIDER_OAUTH_SERVER_METADATA& aMetadata, const wxString& aClientId,
const wxString& aRefreshToken, OAUTH_TOKEN_SET& aTokens, REMOTE_PROVIDER_ERROR& aError ) const
{
aError.Clear();
REMOTE_PROVIDER_HTTP_REQUEST request;
request.method = REMOTE_PROVIDER_HTTP_METHOD::POST;
request.url = aMetadata.token_endpoint;
request.body = wxString( wxS( "grant_type=refresh_token" ) )
+ wxS( "&refresh_token=" ) + UrlEncode( aRefreshToken )
+ wxS( "&client_id=" ) + UrlEncode( aClientId );
request.headers.push_back( { wxS( "Accept" ), wxS( "application/json" ) } );
request.headers.push_back(
{ wxS( "Content-Type" ), wxS( "application/x-www-form-urlencoded" ) } );
request.headers.push_back( { wxS( "Cache-Control" ), wxS( "no-store" ) } );
REMOTE_PROVIDER_HTTP_RESPONSE response;
if( !SendRequest( request, response, aError ) )
return false;
return ParseTokenResponse( response, aTokens, aError );
}
bool REMOTE_PROVIDER_CLIENT::RevokeToken( const REMOTE_PROVIDER_OAUTH_SERVER_METADATA& aMetadata,
const wxString& aClientId, const wxString& aToken,
REMOTE_PROVIDER_ERROR& aError ) const
{
aError.Clear();
if( aMetadata.revocation_endpoint.IsEmpty() )
return true;
REMOTE_PROVIDER_HTTP_REQUEST request;
request.method = REMOTE_PROVIDER_HTTP_METHOD::POST;
request.url = aMetadata.revocation_endpoint;
request.body = wxString( wxS( "token=" ) ) + UrlEncode( aToken )
+ wxS( "&client_id=" ) + UrlEncode( aClientId );
request.headers.push_back( { wxS( "Accept" ), wxS( "application/json" ) } );
request.headers.push_back(
{ wxS( "Content-Type" ), wxS( "application/x-www-form-urlencoded" ) } );
REMOTE_PROVIDER_HTTP_RESPONSE response;
return SendRequest( request, response, aError );
}
REMOTE_PROVIDER_SIGNIN_STATE REMOTE_PROVIDER_CLIENT::GetSignInState( const REMOTE_PROVIDER_METADATA& aProvider,
const wxString& aAccessToken ) const
{
if( aProvider.auth.type != REMOTE_PROVIDER_AUTH_TYPE::OAUTH2 )
return REMOTE_PROVIDER_SIGNIN_STATE::NOT_REQUIRED;
if( aAccessToken.IsEmpty() )
return REMOTE_PROVIDER_SIGNIN_STATE::REQUIRED;
return REMOTE_PROVIDER_SIGNIN_STATE::AVAILABLE;
}
bool REMOTE_PROVIDER_CLIENT::FetchManifest( const REMOTE_PROVIDER_METADATA& aProvider, const wxString& aPartId,
const wxString& aAccessToken, REMOTE_PROVIDER_PART_MANIFEST& aManifest,
REMOTE_PROVIDER_ERROR& aError ) const
{
aError.Clear();
if( GetSignInState( aProvider, aAccessToken ) == REMOTE_PROVIDER_SIGNIN_STATE::REQUIRED )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::AUTH_REQUIRED;
aError.message = _( "Sign in required for this provider." );
return false;
}
REMOTE_PROVIDER_HTTP_REQUEST request;
request.method = REMOTE_PROVIDER_HTTP_METHOD::GET;
request.url = buildPartsUrl( aProvider, aPartId );
request.headers.push_back( { wxS( "Accept" ), wxS( "application/json" ) } );
if( !aAccessToken.IsEmpty() )
request.headers.push_back( { wxS( "Authorization" ), wxS( "Bearer " ) + aAccessToken } );
nlohmann::json responseJson;
if( !FetchJson( request, responseJson, aError ) )
return false;
wxString error;
std::optional<REMOTE_PROVIDER_PART_MANIFEST> manifest =
REMOTE_PROVIDER_PART_MANIFEST::FromJson( responseJson, aProvider.allow_insecure_localhost, error );
if( !manifest )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = error;
return false;
}
aManifest = *manifest;
return true;
}
bool REMOTE_PROVIDER_CLIENT::ExchangeBootstrapNonce( const REMOTE_PROVIDER_METADATA& aMetadata,
const wxString& aAccessToken, wxString& aNonceUrl,
REMOTE_PROVIDER_ERROR& aError ) const
{
aError.Clear();
if( aMetadata.session_bootstrap_url.IsEmpty() )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = _( "Provider metadata does not include a session bootstrap URL." );
return false;
}
nlohmann::json body;
body["access_token"] = aAccessToken.ToStdString();
body["next_url"] = aMetadata.panel_url.ToStdString();
REMOTE_PROVIDER_HTTP_REQUEST request;
request.method = REMOTE_PROVIDER_HTTP_METHOD::POST;
request.url = aMetadata.session_bootstrap_url;
request.body = wxString::FromUTF8( body.dump().c_str() );
request.headers.push_back( { wxS( "Accept" ), wxS( "application/json" ) } );
request.headers.push_back( { wxS( "Content-Type" ), wxS( "application/json" ) } );
nlohmann::json responseJson;
if( !FetchJson( request, responseJson, aError ) )
return false;
if( !responseJson.contains( "nonce_url" ) || !responseJson["nonce_url"].is_string() )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = _( "Bootstrap response did not include a nonce URL." );
return false;
}
aNonceUrl = wxString::FromUTF8( responseJson["nonce_url"].get_ref<const std::string&>().c_str() );
wxString securityError;
if( !ValidateRemoteUrlSecurity( aNonceUrl, aMetadata.allow_insecure_localhost, securityError,
wxS( "Bootstrap nonce URL" ) ) )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = securityError;
return false;
}
if( NormalizedUrlOrigin( aNonceUrl ) != NormalizedUrlOrigin( aMetadata.session_bootstrap_url ) )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = _( "Bootstrap nonce URL origin does not match the bootstrap endpoint." );
return false;
}
return true;
}
bool REMOTE_PROVIDER_CLIENT::SendRequest( const REMOTE_PROVIDER_HTTP_REQUEST& aRequest,
REMOTE_PROVIDER_HTTP_RESPONSE& aResponse,
REMOTE_PROVIDER_ERROR& aError ) const
{
wxString transportError;
if( !m_handler( aRequest, aResponse, transportError ) )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::NETWORK;
aError.message = transportError;
return false;
}
aError.http_status = aResponse.status_code;
if( aResponse.status_code < 200 || aResponse.status_code >= 300 )
{
if( aResponse.status_code == 401 )
aError.type = REMOTE_PROVIDER_ERROR_TYPE::AUTH_REQUIRED;
else if( aResponse.status_code == 403 )
aError.type = REMOTE_PROVIDER_ERROR_TYPE::ACCESS_DENIED;
else if( aResponse.status_code == 404 )
aError.type = REMOTE_PROVIDER_ERROR_TYPE::NOT_FOUND;
else if( aResponse.status_code >= 500 )
aError.type = REMOTE_PROVIDER_ERROR_TYPE::SERVER;
else
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = wxString::Format( _( "Remote provider request failed with HTTP %d." ),
aResponse.status_code );
return false;
}
return true;
}
bool REMOTE_PROVIDER_CLIENT::FetchJson( const REMOTE_PROVIDER_HTTP_REQUEST& aRequest, nlohmann::json& aJson,
REMOTE_PROVIDER_ERROR& aError ) const
{
REMOTE_PROVIDER_HTTP_RESPONSE response;
if( !SendRequest( aRequest, response, aError ) )
return false;
try
{
aJson = nlohmann::json::parse( response.body.ToStdString() );
}
catch( const std::exception& e )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message =
wxString::Format( _( "Remote provider returned invalid JSON: %s" ), wxString::FromUTF8( e.what() ) );
return false;
}
return true;
}
bool REMOTE_PROVIDER_CLIENT::ParseTokenResponse( const REMOTE_PROVIDER_HTTP_RESPONSE& aResponse,
OAUTH_TOKEN_SET& aTokens,
REMOTE_PROVIDER_ERROR& aError ) const
{
nlohmann::json json;
try
{
json = nlohmann::json::parse( aResponse.body.ToStdString() );
}
catch( const std::exception& e )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = wxString::Format( _( "Remote provider returned invalid token JSON: %s" ),
wxString::FromUTF8( e.what() ) );
return false;
}
try
{
aTokens = OAUTH_TOKEN_SET();
aTokens.access_token =
wxString::FromUTF8( json.at( "access_token" ).get_ref<const std::string&>().c_str() );
aTokens.refresh_token = json.contains( "refresh_token" )
? wxString::FromUTF8(
json.at( "refresh_token" ).get_ref<const std::string&>().c_str() )
: wxString();
aTokens.id_token = json.contains( "id_token" )
? wxString::FromUTF8(
json.at( "id_token" ).get_ref<const std::string&>().c_str() )
: wxString();
aTokens.token_type = json.contains( "token_type" )
? wxString::FromUTF8(
json.at( "token_type" ).get_ref<const std::string&>().c_str() )
: wxString( "Bearer" );
aTokens.scope = json.contains( "scope" )
? wxString::FromUTF8( json.at( "scope" ).get_ref<const std::string&>().c_str() )
: wxString();
const long long expiresIn = json.contains( "expires_in" ) ? json.at( "expires_in" ).get<long long>() : 0;
aTokens.expires_at = static_cast<long long>( wxDateTime::Now().GetTicks() ) + expiresIn;
}
catch( const std::exception& e )
{
aError.type = REMOTE_PROVIDER_ERROR_TYPE::INVALID_RESPONSE;
aError.message = wxString::Format( _( "Remote provider token response was incomplete: %s" ),
wxString::FromUTF8( e.what() ) );
return false;
}
return true;
}