Task #2852 ยป tdf-oauth.patch
| src/main/java/com/googlesource/gerrit/plugins/oauth/HttpModule.java | ||
|---|---|---|
|
.to(GitLabOAuthService.class);
|
||
|
}
|
||
|
cfg = cfgFactory.getFromGerritConfig(pluginName + LemonLDAPOAuthService.CONFIG_SUFFIX);
|
||
|
if (cfg.getString(InitOAuth.CLIENT_ID) != null) {
|
||
|
bind(OAuthServiceProvider.class)
|
||
|
.annotatedWith(Exports.named(LemonLDAPOAuthService.CONFIG_SUFFIX))
|
||
|
.to(LemonLDAPOAuthService.class);
|
||
|
}
|
||
|
cfg = cfgFactory.getFromGerritConfig(pluginName + DexOAuthService.CONFIG_SUFFIX);
|
||
|
if (cfg.getString(InitOAuth.CLIENT_ID) != null) {
|
||
|
bind(OAuthServiceProvider.class)
|
||
| src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java | ||
|---|---|---|
|
private final Section casOAuthProviderSection;
|
||
|
private final Section facebookOAuthProviderSection;
|
||
|
private final Section gitlabOAuthProviderSection;
|
||
|
private final Section lemonldapOAuthProviderSection;
|
||
|
private final Section dexOAuthProviderSection;
|
||
|
private final Section keycloakOAuthProviderSection;
|
||
|
private final Section office365OAuthProviderSection;
|
||
| ... | ... | |
|
sections.get(PLUGIN_SECTION, pluginName + FacebookOAuthService.CONFIG_SUFFIX);
|
||
|
this.gitlabOAuthProviderSection =
|
||
|
sections.get(PLUGIN_SECTION, pluginName + GitLabOAuthService.CONFIG_SUFFIX);
|
||
|
this.lemonldapOAuthProviderSection =
|
||
|
sections.get(PLUGIN_SECTION, pluginName + LemonLDAPOAuthService.CONFIG_SUFFIX);
|
||
|
this.dexOAuthProviderSection =
|
||
|
sections.get(PLUGIN_SECTION, pluginName + DexOAuthService.CONFIG_SUFFIX);
|
||
|
this.keycloakOAuthProviderSection =
|
||
| ... | ... | |
|
configureOAuth(gitlabOAuthProviderSection);
|
||
|
}
|
||
|
boolean configureLemonLDAPOAuthProvider =
|
||
|
ui.yesno(true, "Use LemonLDAP OAuth provider for Gerrit login ?");
|
||
|
if (configureLemonLDAPOAuthProvider) {
|
||
|
lemonldapOAuthProviderSection.string("LemonLDAP Root URL", ROOT_URL, null);
|
||
|
configureOAuth(lemonldapOAuthProviderSection);
|
||
|
}
|
||
|
boolean configureDexOAuthProvider = ui.yesno(true, "Use Dex OAuth provider for Gerrit login ?");
|
||
|
if (configureDexOAuthProvider) {
|
||
|
dexOAuthProviderSection.string("Dex Root URL", ROOT_URL, null);
|
||
| src/main/java/com/googlesource/gerrit/plugins/oauth/LemonLDAPApi.java | ||
|---|---|---|
|
// Copyright (C) 2017 The Android Open Source Project
|
||
|
//
|
||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
// you may not use this file except in compliance with the License.
|
||
|
// You may obtain a copy of the License at
|
||
|
//
|
||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||
|
//
|
||
|
// Unless required by applicable law or agreed to in writing, software
|
||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
// See the License for the specific language governing permissions and
|
||
|
// limitations under the License.
|
||
|
package com.googlesource.gerrit.plugins.oauth;
|
||
|
import org.scribe.builder.api.DefaultApi20;
|
||
|
import org.scribe.extractors.AccessTokenExtractor;
|
||
|
import org.scribe.model.OAuthConfig;
|
||
|
import org.scribe.model.Verb;
|
||
|
import org.scribe.oauth.OAuthService;
|
||
|
public class LemonLDAPApi extends DefaultApi20 {
|
||
|
private static final String AUTHORIZE_URL =
|
||
|
"%s/oauth2/authorize?client_id=%s&response_type=code&scope=openid+email+profile&redirect_uri=%s";
|
||
|
private final String rootUrl;
|
||
|
public LemonLDAPApi(String rootUrl) {
|
||
|
this.rootUrl = rootUrl;
|
||
|
}
|
||
|
@Override
|
||
|
public String getAuthorizationUrl(OAuthConfig config) {
|
||
|
return String.format(AUTHORIZE_URL, rootUrl, config.getApiKey(), config.getCallback());
|
||
|
}
|
||
|
@Override
|
||
|
public String getAccessTokenEndpoint() {
|
||
|
return String.format("%s/oauth2/token", rootUrl);
|
||
|
}
|
||
|
@Override
|
||
|
public Verb getAccessTokenVerb() {
|
||
|
return Verb.POST;
|
||
|
}
|
||
|
@Override
|
||
|
public OAuthService createService(OAuthConfig config) {
|
||
|
return new OAuth20ServiceImpl(this, config);
|
||
|
}
|
||
|
@Override
|
||
|
public AccessTokenExtractor getAccessTokenExtractor() {
|
||
|
return OAuth2AccessTokenJsonExtractor.instance();
|
||
|
}
|
||
|
}
|
||
| src/main/java/com/googlesource/gerrit/plugins/oauth/LemonLDAPOAuthService.java | ||
|---|---|---|
|
// Copyright (C) 2017 The Android Open Source Project
|
||
|
//
|
||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
// you may not use this file except in compliance with the License.
|
||
|
// You may obtain a copy of the License at
|
||
|
//
|
||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||
|
//
|
||
|
// Unless required by applicable law or agreed to in writing, software
|
||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
// See the License for the specific language governing permissions and
|
||
|
// limitations under the License.
|
||
|
package com.googlesource.gerrit.plugins.oauth;
|
||
|
import static com.google.gerrit.server.OutputFormat.JSON;
|
||
|
import static javax.servlet.http.HttpServletResponse.SC_OK;
|
||
|
import static org.slf4j.LoggerFactory.getLogger;
|
||
|
import com.google.common.base.CharMatcher;
|
||
|
import com.google.gerrit.extensions.annotations.PluginName;
|
||
|
import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider;
|
||
|
import com.google.gerrit.extensions.auth.oauth.OAuthToken;
|
||
|
import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo;
|
||
|
import com.google.gerrit.extensions.auth.oauth.OAuthVerifier;
|
||
|
import com.google.gerrit.server.config.CanonicalWebUrl;
|
||
|
import com.google.gerrit.server.config.PluginConfig;
|
||
|
import com.google.gerrit.server.config.PluginConfigFactory;
|
||
|
import com.google.gson.JsonElement;
|
||
|
import com.google.gson.JsonObject;
|
||
|
import com.google.inject.Inject;
|
||
|
import com.google.inject.Provider;
|
||
|
import com.google.inject.Singleton;
|
||
|
import java.io.IOException;
|
||
|
import org.scribe.builder.ServiceBuilder;
|
||
|
import org.scribe.model.OAuthRequest;
|
||
|
import org.scribe.model.Response;
|
||
|
import org.scribe.model.Token;
|
||
|
import org.scribe.model.Verb;
|
||
|
import org.scribe.model.Verifier;
|
||
|
import org.scribe.oauth.OAuthService;
|
||
|
import org.slf4j.Logger;
|
||
|
@Singleton
|
||
|
public class LemonLDAPOAuthService implements OAuthServiceProvider {
|
||
|
private static final Logger log = getLogger(LemonLDAPOAuthService.class);
|
||
|
static final String CONFIG_SUFFIX = "-lemonldap-oauth";
|
||
|
private static final String PROTECTED_RESOURCE_URL = "%s/oauth2/userinfo";
|
||
|
private static final String LEMONLDAP_PROVIDER_PREFIX = "tdf-oauth:";
|
||
|
private final OAuthService service;
|
||
|
private final String rootUrl;
|
||
|
@Inject
|
||
|
LemonLDAPOAuthService(
|
||
|
PluginConfigFactory cfgFactory,
|
||
|
@PluginName String pluginName,
|
||
|
@CanonicalWebUrl Provider<String> urlProvider) {
|
||
|
PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX);
|
||
|
String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/";
|
||
|
rootUrl = cfg.getString(InitOAuth.ROOT_URL);
|
||
|
service =
|
||
|
new ServiceBuilder()
|
||
|
.provider(new LemonLDAPApi(rootUrl))
|
||
|
.apiKey(cfg.getString(InitOAuth.CLIENT_ID))
|
||
|
.apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET))
|
||
|
.callback(canonicalWebUrl + "oauth")
|
||
|
.build();
|
||
|
}
|
||
|
@Override
|
||
|
public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException {
|
||
|
final String protectedResourceUrl = String.format(PROTECTED_RESOURCE_URL, rootUrl);
|
||
|
OAuthRequest request = new OAuthRequest(Verb.GET, protectedResourceUrl);
|
||
|
Token t = new Token(token.getToken(), token.getSecret(), token.getRaw());
|
||
|
service.signRequest(t, request);
|
||
|
Response response = request.send();
|
||
|
if (response.getCode() != SC_OK) {
|
||
|
throw new IOException(
|
||
|
String.format(
|
||
|
"Status %s (%s) for request %s",
|
||
|
response.getCode(), response.getBody(), request.getUrl()));
|
||
|
}
|
||
|
JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class);
|
||
|
if (log.isDebugEnabled()) {
|
||
|
log.debug("User info response: {}", response.getBody());
|
||
|
}
|
||
|
JsonObject jsonObject = userJson.getAsJsonObject();
|
||
|
if (jsonObject == null || jsonObject.isJsonNull()) {
|
||
|
throw new IOException("Response doesn't contain 'user' field" + jsonObject);
|
||
|
}
|
||
|
JsonElement id = jsonObject.get("sub");
|
||
|
JsonElement username = jsonObject.get("username");
|
||
|
JsonElement email = jsonObject.get("email");
|
||
|
JsonElement name = jsonObject.get("name");
|
||
|
return new OAuthUserInfo(
|
||
|
LEMONLDAP_PROVIDER_PREFIX + id.getAsString(),
|
||
|
username == null || username.isJsonNull() ? null : username.getAsString(),
|
||
|
email == null || email.isJsonNull() ? null : email.getAsString(),
|
||
|
name == null || name.isJsonNull() ? null : name.getAsString(),
|
||
|
null);
|
||
|
}
|
||
|
@Override
|
||
|
public OAuthToken getAccessToken(OAuthVerifier rv) {
|
||
|
Verifier vi = new Verifier(rv.getValue());
|
||
|
Token to = service.getAccessToken(null, vi);
|
||
|
return new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse());
|
||
|
}
|
||
|
@Override
|
||
|
public String getAuthorizationUrl() {
|
||
|
return service.getAuthorizationUrl(null);
|
||
|
}
|
||
|
@Override
|
||
|
public String getVersion() {
|
||
|
return service.getVersion();
|
||
|
}
|
||
|
@Override
|
||
|
public String getName() {
|
||
|
return "The Document Foundation OAuth2";
|
||
|
}
|
||
|
}
|
||