Oauth2 consumer

cmd/web.go

@@ -203,6 +203,8 @@ func runWeb(ctx *cli.Context) error {
 		m.Post("/sign_up", bindIgnErr(auth.RegisterForm{}), user.SignUpPost)
 		m.Get("/reset_password", user.ResetPasswd)
 		m.Post("/reset_password", user.ResetPasswdPost)
+		m.Get("/oauth2/:provider", user.SignInOAuth)
+		m.Get("/oauth2/:provider/callback", user.SignInOAuthCallback)
 	}, reqSignOut)
 
 	m.Group("/user/settings", func() {

models/login_source.go

@@ -21,7 +21,10 @@ import (
 
 	"code.gitea.io/gitea/modules/auth/ldap"
 	"code.gitea.io/gitea/modules/auth/pam"
+	"code.gitea.io/gitea/modules/auth/oauth2"
 	"code.gitea.io/gitea/modules/log"
+	"gopkg.in/macaron.v1"
+	"github.com/go-macaron/session"
 )
 
 // LoginType represents an login type.
@@ -30,19 +33,21 @@ type LoginType int
 // Note: new type must append to the end of list to maintain compatibility.
 const (
 	LoginNoType LoginType = iota
-	LoginPlain            // 1
-	LoginLDAP             // 2
-	LoginSMTP             // 3
-	LoginPAM              // 4
-	LoginDLDAP            // 5
+	LoginPlain   // 1
+	LoginLDAP    // 2
+	LoginSMTP    // 3
+	LoginPAM     // 4
+	LoginDLDAP   // 5
+	LoginOAuth2  // 6
 )
 
 // LoginNames contains the name of LoginType values.
 var LoginNames = map[LoginType]string{
-	LoginLDAP:  "LDAP (via BindDN)",
-	LoginDLDAP: "LDAP (simple auth)", // Via direct bind
-	LoginSMTP:  "SMTP",
-	LoginPAM:   "PAM",
+	LoginLDAP:   "LDAP (via BindDN)",
+	LoginDLDAP:  "LDAP (simple auth)", // Via direct bind
+	LoginSMTP:   "SMTP",
+	LoginPAM:    "PAM",
+	LoginOAuth2: "OAuth2",
 }
 
 // SecurityProtocolNames contains the name of SecurityProtocol values.
@@ -57,6 +62,7 @@ var (
 	_ core.Conversion = &LDAPConfig{}
 	_ core.Conversion = &SMTPConfig{}
 	_ core.Conversion = &PAMConfig{}
+	_ core.Conversion = &OAuth2Config{}
 )
 
 // LDAPConfig holds configuration for LDAP login source.
@@ -115,6 +121,23 @@ func (cfg *PAMConfig) ToDB() ([]byte, error) {
 	return json.Marshal(cfg)
 }
 
+// OAuth2Config holds configuration for the OAuth2 login source.
+type OAuth2Config struct {
+	Provider     string
+	ClientID     string
+	ClientSecret string
+}
+
+// FromDB fills up an OAuth2Config from serialized format.
+func (cfg *OAuth2Config) FromDB(bs []byte) error {
+	return json.Unmarshal(bs, cfg)
+}
+
+// ToDB exports an SMTPConfig to a serialized format.
+func (cfg *OAuth2Config) ToDB() ([]byte, error) {
+	return json.Marshal(cfg)
+}
+
 // LoginSource represents an external way for authorizing users.
 type LoginSource struct {
 	ID        int64 `xorm:"pk autoincr"`
@@ -162,6 +185,8 @@ func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {
 			source.Cfg = new(SMTPConfig)
 		case LoginPAM:
 			source.Cfg = new(PAMConfig)
+		case LoginOAuth2:
+			source.Cfg = new(OAuth2Config)
 		default:
 			panic("unrecognized login source type: " + com.ToStr(*val))
 		}
@@ -203,6 +228,11 @@ func (source *LoginSource) IsPAM() bool {
 	return source.Type == LoginPAM
 }
 
+// IsOAuth2 returns true of this source is of the OAuth2 type.
+func (source *LoginSource) IsOAuth2() bool {
+	return source.Type == LoginOAuth2
+}
+
 // HasTLS returns true of this source supports TLS.
 func (source *LoginSource) HasTLS() bool {
 	return ((source.IsLDAP() || source.IsDLDAP()) &&
@@ -217,6 +247,8 @@ func (source *LoginSource) UseTLS() bool {
 		return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted
 	case LoginSMTP:
 		return source.SMTP().TLS
+	case LoginOAuth2:
+		return true
 	}
 
 	return false
@@ -250,6 +282,11 @@ func (source *LoginSource) PAM() *PAMConfig {
 	return source.Cfg.(*PAMConfig)
 }
 
+// OAuth2 returns OAuth2Config for this source, if of OAuth2 type.
+func (source *LoginSource) OAuth2() *OAuth2Config {
+	return source.Cfg.(*OAuth2Config)
+}
+
 // CreateLoginSource inserts a LoginSource in the DB if not already
 // existing with the given name.
 func CreateLoginSource(source *LoginSource) error {
@@ -266,7 +303,7 @@ func CreateLoginSource(source *LoginSource) error {
 
 // LoginSources returns a slice of all login sources found in DB.
 func LoginSources() ([]*LoginSource, error) {
-	auths := make([]*LoginSource, 0, 5)
+	auths := make([]*LoginSource, 0, 6)
 	return auths, x.Find(&auths)
 }
 
@@ -444,7 +481,7 @@ func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPC
 		idx := strings.Index(login, "@")
 		if idx == -1 {
 			return nil, ErrUserNotExist{0, login, 0}
-		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {
+		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx + 1:]) {
 			return nil, ErrUserNotExist{0, login, 0}
 		}
 	}
@@ -526,8 +563,21 @@ func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMCon
 	return user, CreateUser(user)
 }
 
+//  ________      _____          __  .__     ________
+//  \_____  \    /  _  \  __ ___/  |_|  |__  \_____  \
+//   /   |   \  /  /_\  \|  |  \   __\  |  \  /  ____/
+//  /    |    \/    |    \  |  /|  | |   Y  \/       \
+//  \_______  /\____|__  /____/ |__| |___|  /\_______ \
+//          \/         \/                 \/         \/
+
+// LoginViaOAuth2 queries if login/password is valid against the OAuth2.0 provider,
+// and create a local user if success when enabled.
+func LoginViaOAuth2(cfg *OAuth2Config, ctx *macaron.Context, sess session.Store) {
+	oauth2.Auth(cfg.Provider, cfg.ClientID, cfg.ClientSecret, ctx, sess)
+}
+
 // ExternalUserLogin attempts a login using external source types.
-func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {
+func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool, ctx *macaron.Context, sess session.Store) (*User, error) {
 	if !source.IsActived {
 		return nil, ErrLoginSourceNotActived
 	}
@@ -539,13 +589,16 @@ func ExternalUserLogin(user *User, login, password string, source *LoginSource,
 		return LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)
 	case LoginPAM:
 		return LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)
+	case LoginOAuth2:
+		LoginViaOAuth2(source.Cfg.(*OAuth2Config), ctx, sess)
+		return nil, nil
 	}
 
 	return nil, ErrUnsupportedLoginType
 }
 
 // UserSignIn validates user name and password.
-func UserSignIn(username, password string) (*User, error) {
+func UserSignIn(username, password string, ctx *macaron.Context, sess session.Store) (*User, error) {
 	var user *User
 	if strings.Contains(username, "@") {
 		user = &User{Email: strings.ToLower(strings.TrimSpace(username))}
@@ -576,17 +629,17 @@ func UserSignIn(username, password string) (*User, error) {
 				return nil, ErrLoginSourceNotExist{user.LoginSource}
 			}
 
-			return ExternalUserLogin(user, user.LoginName, password, &source, false)
+			return ExternalUserLogin(user, user.LoginName, password, &source, false, ctx, sess)
 		}
 	}
 
-	sources := make([]*LoginSource, 0, 3)
+	sources := make([]*LoginSource, 0, 5)
 	if err = x.UseBool().Find(&sources, &LoginSource{IsActived: true}); err != nil {
 		return nil, err
 	}
 
 	for _, source := range sources {
-		authUser, err := ExternalUserLogin(nil, username, password, source, true)
+		authUser, err := ExternalUserLogin(nil, username, password, source, true, ctx, sess)
 		if err == nil {
 			return authUser, nil
 		}
@@ -596,3 +649,85 @@ func UserSignIn(username, password string) (*User, error) {
 
 	return nil, ErrUserNotExist{user.ID, user.Name, 0}
 }
+
+
+// OAuth2UserLogin attempts a login using a OAuth2 source type
+func OAuth2UserLogin(provider string, ctx *macaron.Context, sess session.Store) (*User, error) {
+	sources := make([]*LoginSource, 0, 1)
+	if err := x.UseBool().Find(&sources, &LoginSource{IsActived: true, Type: LoginOAuth2}); err != nil {
+		return nil, err
+	}
+
+	for _, source := range sources {
+		// TODO how to put this in the xorm Find ?
+		if source.Cfg.(*OAuth2Config).Provider == provider {
+			LoginViaOAuth2(source.Cfg.(*OAuth2Config), ctx, sess)
+			return nil, nil
+		}
+	}
+
+	return nil, errors.New("No valid provider found")
+}
+
+// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
+// login the user
+func OAuth2UserLoginCallback(ctx *macaron.Context, sess session.Store) (*User, string, error) {
+	provider := ctx.Params(":provider")
+
+	gothUser, redirectURL, error := oauth2.ProviderCallback(provider, ctx, sess)
+
+	if error != nil {
+		return nil, redirectURL, error
+	}
+
+	sources := make([]*LoginSource, 0, 1)
+	if err := x.UseBool().Find(&sources, &LoginSource{IsActived: true, Type: LoginOAuth2}); err != nil {
+		return nil, "", err
+	}
+
+	for _, source := range sources {
+		// TODO how to put this in the xorm Find ?
+		if source.Cfg.(*OAuth2Config).Provider == provider {
+			user := &User{
+				LoginName:   gothUser.UserID,
+				LoginType:   LoginOAuth2,
+				LoginSource: sources[0].ID,
+			}
+
+			hasUser, err := x.Get(user)
+			if err != nil {
+				return nil, "", err
+			}
+
+			if !hasUser {
+				user = &User{
+					LowerName:        strings.ToLower(gothUser.NickName),
+					Name:             gothUser.NickName,
+					Email:            gothUser.Email,
+					LoginType:        LoginOAuth2,
+					LoginSource:      sources[0].ID,
+					LoginName:        gothUser.NickName,
+					IsActive:         true,
+					// TODO should OAuth2 imported emails be private?
+					KeepEmailPrivate: true,
+				}
+				return user, redirectURL, CreateUser(user)
+			}
+
+			return user, redirectURL, nil
+		}
+	}
+
+	return nil, "", errors.New("No valid provider found")
+}
+
+// GetOAuth2Providers returns the map of registered OAuth2 providers
+// key is used as technical name (like in the callbackURL)
+// value is used to display
+func GetOAuth2Providers() map[string]string {
+	// TODO get this from database or somewhere else?
+	// Maybe also seperate used and unused providers so we can force the registration of only 1 active provider for each type
+	return map[string]string{
+		"github":   "GitHub",
+	}
+}

modules/auth/auth.go

@@ -129,7 +129,7 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
 			if len(auths) == 2 && auths[0] == "Basic" {
 				uname, passwd, _ := base.BasicAuthDecode(auths[1])
 
-				u, err := models.UserSignIn(uname, passwd)
+				u, err := models.UserSignIn(uname, passwd, ctx, sess)
 				if err != nil {
 					if !models.IsErrUserNotExist(err) {
 						log.Error(4, "UserSignIn: %v", err)

modules/auth/auth_form.go

@@ -12,7 +12,7 @@ import (
 // AuthenticationForm form for authentication
 type AuthenticationForm struct {
 	ID                int64
-	Type              int    `binding:"Range(2,5)"`
+	Type              int    `binding:"Range(2,6)"`
 	Name              string `binding:"Required;MaxSize(30)"`
 	Host              string
 	Port              int
@@ -36,6 +36,9 @@ type AuthenticationForm struct {
 	TLS               bool
 	SkipVerify        bool
 	PAMServiceName    string
+	Oauth2Provider    string
+	Oauth2Key	  string
+	Oauth2Secret      string
 }
 
 // Validate validates fields