porter-dev · ferozemohideen · May 2, 2024 · May 2, 2024 · May 2, 2024 · May 2, 2024
diff --git a/api/server/handlers/oauth_callback/neon.go b/api/server/handlers/oauth_callback/neon.go
@@ -0,0 +1,118 @@
+package oauth_callback
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/porter-dev/porter/api/server/handlers"
+	"github.com/porter-dev/porter/api/server/shared"
+	"github.com/porter-dev/porter/api/server/shared/apierrors"
+	"github.com/porter-dev/porter/api/server/shared/config"
+	"github.com/porter-dev/porter/internal/models/integrations"
+	"github.com/porter-dev/porter/internal/telemetry"
+)
+
+// OAuthCallbackNeonHandler is the handler responding to the neon oauth callback
+type OAuthCallbackNeonHandler struct {
+	handlers.PorterHandlerReadWriter
+}
+
+// NewOAuthCallbackNeonHandler generates a new OAuthCallbackNeonHandler
+func NewOAuthCallbackNeonHandler(
+	config *config.Config,
+	decoderValidator shared.RequestDecoderValidator,
+	writer shared.ResultWriter,
+) *OAuthCallbackNeonHandler {
+	return &OAuthCallbackNeonHandler{
+		PorterHandlerReadWriter: handlers.NewDefaultPorterHandler(config, decoderValidator, writer),
+	}
+}
+
+// ServeHTTP gets the neon oauth token from the callback code then creates a new neon integration
+func (p *OAuthCallbackNeonHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctx, span := telemetry.NewSpan(r.Context(), "serve-oauth-callback-neon")
+	defer span.End()
+
+	r = r.Clone(ctx)
+
+	session, err := p.Config().Store.Get(r, p.Config().ServerConf.CookieName)
+	if err != nil {
+		err = telemetry.Error(ctx, span, err, "session could not be retrieved")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusInternalServerError))
+		return
+	}
+
+	if _, ok := session.Values["state"]; !ok {
+		err = telemetry.Error(ctx, span, nil, "state not found in session")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusInternalServerError))
+		return
+	}
+
+	if r.URL.Query().Get("state") != session.Values["state"] {
+		err = telemetry.Error(ctx, span, nil, "state does not match")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusInternalServerError))
+		return
+	}
+
+	projID, ok := session.Values["project_id"].(uint)
+	if !ok {
+		err = telemetry.Error(ctx, span, nil, "project id not found in session")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusInternalServerError))
+		return
+	}
+	telemetry.WithAttributes(span,
+		telemetry.AttributeKV{Key: "project-id", Value: projID},
+	)
+
+	if projID == 0 {
+		err = telemetry.Error(ctx, span, nil, "project id not found in session")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusInternalServerError))
+		return
+	}
+
+	code := r.URL.Query().Get("code")
+	if code == "" {
+		err = telemetry.Error(ctx, span, nil, "code not found in query params")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusForbidden))
+		return
+	}
+
+	token, err := p.Config().NeonConf.Exchange(ctx, code)
+	if err != nil {
+		err = telemetry.Error(ctx, span, err, "exchange failed")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusForbidden))
+		return
+	}
+
+	if !token.Valid() {
+		err = telemetry.Error(ctx, span, nil, "invalid token")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusForbidden))
+		return
+	}
+
+	oauthInt := integrations.NeonIntegration{
+		SharedOAuthModel: integrations.SharedOAuthModel{
+			AccessToken:  []byte(token.AccessToken),
+			RefreshToken: []byte(token.RefreshToken),
+			Expiry:       token.Expiry,
+		},
+		ProjectID: projID,
+	}
+
+	_, err = p.Repo().NeonIntegration().Insert(ctx, oauthInt)
+	if err != nil {
+		err = telemetry.Error(ctx, span, err, "error creating oauth integration")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusInternalServerError))
+		return
+	}
+
+	redirect := "/dashboard"
+	if redirectStr, ok := session.Values["redirect_uri"].(string); ok && redirectStr != "" {
+		redirectURI, err := url.Parse(redirectStr)
+		if err == nil {
+			redirect = fmt.Sprintf("%s?%s", redirectURI.Path, redirectURI.RawQuery)
+		}
+	}
+	http.Redirect(w, r, redirect, http.StatusFound)
+}
diff --git a/api/server/handlers/project_oauth/neon.go b/api/server/handlers/project_oauth/neon.go
@@ -0,0 +1,51 @@
+package project_oauth
+
+import (
+	"net/http"
+
+	"github.com/porter-dev/porter/internal/telemetry"
+
+	"golang.org/x/oauth2"
+
+	"github.com/porter-dev/porter/api/server/handlers"
+	"github.com/porter-dev/porter/api/server/shared"
+	"github.com/porter-dev/porter/api/server/shared/apierrors"
+	"github.com/porter-dev/porter/api/server/shared/config"
+	"github.com/porter-dev/porter/internal/oauth"
+)
+
+// ProjectOAuthNeonHandler is the handler which redirects to the neon oauth flow
+type ProjectOAuthNeonHandler struct {
+	handlers.PorterHandlerReadWriter
+}
+
+// NewProjectOAuthNeonHandler generates a new ProjectOAuthNeonHandler
+func NewProjectOAuthNeonHandler(
+	config *config.Config,
+	decoderValidator shared.RequestDecoderValidator,
+	writer shared.ResultWriter,
+) *ProjectOAuthNeonHandler {
+	return &ProjectOAuthNeonHandler{
+		PorterHandlerReadWriter: handlers.NewDefaultPorterHandler(config, decoderValidator, writer),
+	}
+}
+
+// ServeHTTP populates the oauth session with state and project id then redirects the user to the neon oauth flow
+func (p *ProjectOAuthNeonHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctx, span := telemetry.NewSpan(r.Context(), "serve-project-oauth-neon")
+	defer span.End()
+
+	r = r.Clone(ctx)
+
+	state := oauth.CreateRandomState()
+
+	if err := p.PopulateOAuthSession(ctx, w, r, state, true, false, "", 0); err != nil {
+		err = telemetry.Error(ctx, span, err, "population oauth session failed")
+		p.HandleAPIError(w, r, apierrors.NewErrPassThroughToClient(err, http.StatusInternalServerError))
+		return
+	}
+
+	url := p.Config().NeonConf.AuthCodeURL(state, oauth2.AccessTypeOffline)
+
+	http.Redirect(w, r, url, http.StatusFound)
+}
diff --git a/api/server/router/oauth_callback.go b/api/server/router/oauth_callback.go
@@ -75,6 +75,30 @@ func GetOAuthCallbackRoutes(
 		Router:   r,
 	})
 
+	// GET /api/oauth/neon/callback -> oauth_callback.NewOAuthCallbackNeonHandler
+	neonEndpoint := factory.NewAPIEndpoint(
+		&types.APIRequestMetadata{
+			Verb:   types.APIVerbGet,
+			Method: types.HTTPVerbGet,
+			Path: &types.Path{
+				Parent:       basePath,
+				RelativePath: relPath + "/neon/callback",
+			},
+		},
+	)
+
+	neonHandler := oauth_callback.NewOAuthCallbackNeonHandler(
+		config,
+		factory.GetDecoderValidator(),
+		factory.GetResultWriter(),
+	)
+
+	routes = append(routes, &router.Route{
+		Endpoint: neonEndpoint,
+		Handler:  neonHandler,
+		Router:   r,
+	})
+
 	// GET /api/oauth/digitalocean/callback -> oauth_callback.NewOAuthCallbackDOHandler
 	doEndpoint := factory.NewAPIEndpoint(
 		&types.APIRequestMetadata{

diff --git a/api/server/router/project_oauth.go b/api/server/router/project_oauth.go
@@ -110,6 +110,34 @@ func getProjectOAuthRoutes(
 		Router:   r,
 	})
 
+	// GET /api/projects/{project_id}/oauth/neon -> project_integration.NewProjectOAuthNeonHandler
+	neonEndpoint := factory.NewAPIEndpoint(
+		&types.APIRequestMetadata{
+			Verb:   types.APIVerbGet,
+			Method: types.HTTPVerbGet,
+			Path: &types.Path{
+				Parent:       basePath,
+				RelativePath: relPath + "/neon",
+			},
+			Scopes: []types.PermissionScope{
+				types.UserScope,
+				types.ProjectScope,
+			},
+		},
+	)
+
+	neonHandler := project_oauth.NewProjectOAuthNeonHandler(
+		config,
+		factory.GetDecoderValidator(),
+		factory.GetResultWriter(),
+	)
+
+	routes = append(routes, &router.Route{
+		Endpoint: neonEndpoint,
+		Handler:  neonHandler,
+		Router:   r,
+	})
+
 	// GET /api/projects/{project_id}/oauth/digitalocean -> project_integration.NewProjectOAuthDOHandler
 	doEndpoint := factory.NewAPIEndpoint(
 		&types.APIRequestMetadata{

diff --git a/api/server/shared/config/config.go b/api/server/shared/config/config.go
@@ -79,6 +79,9 @@ type Config struct {
 	// UpstashConf is the configuration for an Upstash OAuth client
 	UpstashConf oauth2.Config
 
+	// NeonConf is the configuration for a Neon OAuth client
+	NeonConf oauth2.Config
+
 	// WSUpgrader upgrades HTTP connections to websocket connections
 	WSUpgrader *websocket.Upgrader
 

diff --git a/api/server/shared/config/env/envconfs.go b/api/server/shared/config/env/envconfs.go
@@ -85,6 +85,10 @@ type ServerConf struct {
 	UpstashEnabled  bool   `env:"UPSTASH_ENABLED,default=false"`
 	UpstashClientID string `env:"UPSTASH_CLIENT_ID"`
 
+	NeonEnabled      bool   `env:"NEON_ENABLED,default=false"`
+	NeonClientID     string `env:"NEON_CLIENT_ID"`
+	NeonClientSecret string `env:"NEON_CLIENT_SECRET"`
+
 	BillingPrivateKey       string `env:"BILLING_PRIVATE_KEY"`
 	BillingPrivateServerURL string `env:"BILLING_PRIVATE_URL"`
 	BillingPublicServerURL  string `env:"BILLING_PUBLIC_URL"`

diff --git a/api/server/shared/config/loader/loader.go b/api/server/shared/config/loader/loader.go
@@ -265,13 +265,24 @@ func (e *EnvConfigLoader) LoadConfig() (res *config.Config, err error) {
 		res.Logger.Info().Msg("Creating Upstash client")
 		res.UpstashConf = oauth.NewUpstashClient(&oauth.Config{
 			ClientID:     sc.UpstashClientID,
-			ClientSecret: "",
+			ClientSecret: "", // Upstash doesn't require a secret
 			Scopes:       []string{"offline_access"},
 			BaseURL:      sc.ServerURL,
 		})
 		res.Logger.Info().Msg("Created Upstash client")
 	}
 
+	if sc.NeonEnabled && sc.NeonClientID != "" && sc.NeonClientSecret != "" {
+		res.Logger.Info().Msg("Creating Neon client")
+		res.NeonConf = oauth.NewNeonClient(&oauth.Config{
+			ClientID:     sc.NeonClientID,
+			ClientSecret: sc.NeonClientSecret,
+			Scopes:       []string{"urn:neoncloud:projects:create", "urn:neoncloud:projects:read", "urn:neoncloud:projects:update", "urn:neoncloud:projects:delete", "offline", "offline_access"},
+			BaseURL:      sc.ServerURL,
+		})
+		res.Logger.Info().Msg("Created Neon client")
+	}
+
 	res.WSUpgrader = &websocket.Upgrader{
 		WSUpgrader: &gorillaws.Upgrader{
 			ReadBufferSize:  1024,

diff --git a/internal/models/integrations/neon.go b/internal/models/integrations/neon.go
@@ -0,0 +1,12 @@
+package integrations
+
+import "gorm.io/gorm"
+
+// NeonIntegration is an integration for the Neon service
+type NeonIntegration struct {
+	gorm.Model
+
+	ProjectID uint `json:"project_id"`
+
+	SharedOAuthModel
+}
diff --git a/internal/oauth/config.go b/internal/oauth/config.go
@@ -125,6 +125,20 @@ func NewUpstashClient(cfg *Config) oauth2.Config {
 	}
 }
 
+// NewNeonClient creates a new oauth2.Config for Neon
+func NewNeonClient(cfg *Config) oauth2.Config {
+	return oauth2.Config{
+		ClientID:     cfg.ClientID,
+		ClientSecret: cfg.ClientSecret,
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  "https://oauth2.neon.tech/oauth2/auth",
+			TokenURL: "https://oauth2.neon.tech/oauth2/token",
+		},
+		RedirectURL: cfg.BaseURL + "/api/oauth/neon/callback",
+		Scopes:      cfg.Scopes,
+	}
+}
+
 func CreateRandomState() string {
 	b := make([]byte, 16)
 	rand.Read(b)

diff --git a/internal/repository/gorm/migrate.go b/internal/repository/gorm/migrate.go
@@ -86,6 +86,7 @@ func AutoMigrate(db *gorm.DB, debug bool) error {
 		&ints.GithubAppOAuthIntegration{},
 		&ints.SlackIntegration{},
 		&ints.UpstashIntegration{},
+		&ints.NeonIntegration{},
 		&models.Ipam{},
 		&models.AppEventWebhooks{},
 		&models.ClusterHealthReport{},