From 573da788598c0ad681245c6f69c59a4a68f150b3 Mon Sep 17 00:00:00 2001 From: Sergiusz Bazanski Date: Fri, 21 Jun 2019 19:59:52 +0200 Subject: [PATCH 1/4] app/gerrit: import OAuth provider and add SSO support This change: - imports gerrit-oauth-provider from upstream - adds sso.hackerspae.pl support to it Change-Id: I92e7053614a9297bf1ced3aac044c0002acd836a --- WORKSPACE | 30 +++ app/gerrit/gerrit-oauth-provider/.gitignore | 11 + app/gerrit/gerrit-oauth-provider/BUILD | 43 ++++ .../gerrit-oauth-provider/LICENSE-Apache2.0 | 201 +++++++++++++++ .../gerrit-oauth-provider/LICENSE-scribe | 22 ++ app/gerrit/gerrit-oauth-provider/README.md | 68 +++++ app/gerrit/gerrit-oauth-provider/bazlets.bzl | 18 ++ .../external_plugin_deps.bzl | 14 ++ .../gerrit/plugins/oauth/AirVantageApi.java | 56 +++++ .../plugins/oauth/AirVantageOAuthService.java | 127 ++++++++++ .../gerrit/plugins/oauth/BitbucketApi.java | 150 +++++++++++ .../plugins/oauth/BitbucketOAuthService.java | 130 ++++++++++ .../gerrit/plugins/oauth/CasApi.java | 53 ++++ .../gerrit/plugins/oauth/CasOAuthService.java | 171 +++++++++++++ .../gerrit/plugins/oauth/DexApi.java | 65 +++++ .../gerrit/plugins/oauth/DexOAuthService.java | 137 ++++++++++ .../oauth/DisabledOAuthLoginProvider.java | 38 +++ .../gerrit/plugins/oauth/Facebook2Api.java | 25 ++ .../plugins/oauth/FacebookOAuthService.java | 142 +++++++++++ .../gerrit/plugins/oauth/GitHub2Api.java | 35 +++ .../plugins/oauth/GitHubOAuthService.java | 132 ++++++++++ .../gerrit/plugins/oauth/GitLabApi.java | 57 +++++ .../plugins/oauth/GitLabOAuthService.java | 126 ++++++++++ .../gerrit/plugins/oauth/Google2Api.java | 63 +++++ .../plugins/oauth/GoogleOAuthService.java | 233 ++++++++++++++++++ .../gerrit/plugins/oauth/HttpModule.java | 116 +++++++++ .../gerrit/plugins/oauth/InitOAuth.java | 161 ++++++++++++ .../gerrit/plugins/oauth/KeycloakApi.java | 68 +++++ .../plugins/oauth/KeycloakOAuthService.java | 138 +++++++++++ .../gerrit/plugins/oauth/Module.java | 37 +++ .../plugins/oauth/OAuth20ServiceImpl.java | 93 +++++++ .../oauth/OAuth2AccessTokenJsonExtractor.java | 49 ++++ .../gerrit/plugins/oauth/Office365Api.java | 62 +++++ .../plugins/oauth/Office365OAuthService.java | 143 +++++++++++ .../plugins/oauth/WarsawHackerspaceApi.java | 65 +++++ .../oauth/WarsawHackerspaceOAuthService.java | 128 ++++++++++ .../OAuth2AccessTokenJsonExtractorTest.java | 70 ++++++ .../gerrit-oauth-provider/tools/bzl/BUILD | 1 + .../tools/bzl/classpath.bzl | 6 + .../gerrit-oauth-provider/tools/bzl/junit.bzl | 6 + .../tools/bzl/maven_jar.bzl | 3 + .../tools/bzl/plugin.bzl | 10 + .../gerrit-oauth-provider/tools/eclipse/BUILD | 9 + .../tools/eclipse/project.sh | 15 ++ .../tools/workspace-status.sh | 17 ++ tools/workspace-status.sh | 17 ++ 46 files changed, 3361 insertions(+) create mode 100644 app/gerrit/gerrit-oauth-provider/.gitignore create mode 100644 app/gerrit/gerrit-oauth-provider/BUILD create mode 100644 app/gerrit/gerrit-oauth-provider/LICENSE-Apache2.0 create mode 100644 app/gerrit/gerrit-oauth-provider/LICENSE-scribe create mode 100644 app/gerrit/gerrit-oauth-provider/README.md create mode 100644 app/gerrit/gerrit-oauth-provider/bazlets.bzl create mode 100644 app/gerrit/gerrit-oauth-provider/external_plugin_deps.bzl create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/AirVantageApi.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/AirVantageOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/BitbucketApi.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/BitbucketOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/CasApi.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/CasOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DexApi.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DexOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DisabledOAuthLoginProvider.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Facebook2Api.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/FacebookOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHub2Api.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHubOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitLabApi.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitLabOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Google2Api.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/HttpModule.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/KeycloakApi.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/KeycloakOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Module.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/OAuth20ServiceImpl.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/OAuth2AccessTokenJsonExtractor.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365Api.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/WarsawHackerspaceApi.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/WarsawHackerspaceOAuthService.java create mode 100644 app/gerrit/gerrit-oauth-provider/src/test/java/com/googlesource/gerrit/plugins/oauth/OAuth2AccessTokenJsonExtractorTest.java create mode 100644 app/gerrit/gerrit-oauth-provider/tools/bzl/BUILD create mode 100644 app/gerrit/gerrit-oauth-provider/tools/bzl/classpath.bzl create mode 100644 app/gerrit/gerrit-oauth-provider/tools/bzl/junit.bzl create mode 100644 app/gerrit/gerrit-oauth-provider/tools/bzl/maven_jar.bzl create mode 100644 app/gerrit/gerrit-oauth-provider/tools/bzl/plugin.bzl create mode 100644 app/gerrit/gerrit-oauth-provider/tools/eclipse/BUILD create mode 100755 app/gerrit/gerrit-oauth-provider/tools/eclipse/project.sh create mode 100755 app/gerrit/gerrit-oauth-provider/tools/workspace-status.sh create mode 100755 tools/workspace-status.sh diff --git a/WORKSPACE b/WORKSPACE index 66cdf623..d2d7cf6d 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -110,6 +110,36 @@ load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies", "go_repository") gazelle_dependencies() +# For app/gerrit/gerrit-oauth-provider + +git_repository( + name = "com_googlesource_gerrit_bazlets", + remote = "https://gerrit.googlesource.com/bazlets", + commit = "8528a0df69dadf6311d8d3f81c1b693afda8bcf1", +) + +load( + "@com_googlesource_gerrit_bazlets//:gerrit_api.bzl", + "gerrit_api", +) + +gerrit_api() + +load("@com_googlesource_gerrit_bazlets//tools:maven_jar.bzl", "maven_jar") + +maven_jar( + name = "scribe", + artifact = "org.scribe:scribe:1.3.7", + sha1 = "583921bed46635d9f529ef5f14f7c9e83367bc6e", +) + +maven_jar( + name = "commons-codec", + artifact = "commons-codec:commons-codec:1.4", + sha1 = "4216af16d38465bbab0f3dff8efa14204f7a399a", +) + + # Go repositories go_repository( diff --git a/app/gerrit/gerrit-oauth-provider/.gitignore b/app/gerrit/gerrit-oauth-provider/.gitignore new file mode 100644 index 00000000..445b95a8 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/.gitignore @@ -0,0 +1,11 @@ +/.classpath +/.project +/.settings +/bazel-bin +/bazel-genfiles +/bazel-gerrit-oauth-provider +/bazel-out +/bazel-testlogs +/eclipse-out +/.idea +*.swp diff --git a/app/gerrit/gerrit-oauth-provider/BUILD b/app/gerrit/gerrit-oauth-provider/BUILD new file mode 100644 index 00000000..bb266e4c --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/BUILD @@ -0,0 +1,43 @@ +load("//app/gerrit/gerrit-oauth-provider/tools/bzl:junit.bzl", "junit_tests") +load( + "//app/gerrit/gerrit-oauth-provider/tools/bzl:plugin.bzl", + "PLUGIN_DEPS", + "PLUGIN_TEST_DEPS", + "gerrit_plugin", +) + +gerrit_plugin( + name = "gerrit-oauth-provider", + srcs = glob(["src/main/java/**/*.java"]), + manifest_entries = [ + "Gerrit-PluginName: gerrit-oauth-provider", + "Gerrit-HttpModule: com.googlesource.gerrit.plugins.oauth.HttpModule", + "Gerrit-InitStep: com.googlesource.gerrit.plugins.oauth.InitOAuth", + "Implementation-Title: Gerrit OAuth authentication provider", + "Implementation-URL: https://github.com/davido/gerrit-oauth-provider", + ], + resources = glob(["src/main/resources/**/*"]), + deps = [ + "@commons-codec//jar:neverlink", + "@scribe//jar", + ], +) + +junit_tests( + name = "gerrit-oauth-provider_tests", + srcs = glob(["src/test/java/**/*.java"]), + tags = ["oauth"], + deps = [ + ":gerrit-oauth-provider__plugin_test_deps", + ], +) + +java_library( + name = "gerrit-oauth-provider__plugin_test_deps", + testonly = 1, + visibility = ["//visibility:public"], + exports = PLUGIN_DEPS + PLUGIN_TEST_DEPS + [ + ":gerrit-oauth-provider__plugin", + "@scribe//jar", + ], +) diff --git a/app/gerrit/gerrit-oauth-provider/LICENSE-Apache2.0 b/app/gerrit/gerrit-oauth-provider/LICENSE-Apache2.0 new file mode 100644 index 00000000..11069edd --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/LICENSE-Apache2.0 @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/app/gerrit/gerrit-oauth-provider/LICENSE-scribe b/app/gerrit/gerrit-oauth-provider/LICENSE-scribe new file mode 100644 index 00000000..7cea02d0 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/LICENSE-scribe @@ -0,0 +1,22 @@ +The MIT License + +Copyright (c) 2010 Pablo Fernandez + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + diff --git a/app/gerrit/gerrit-oauth-provider/README.md b/app/gerrit/gerrit-oauth-provider/README.md new file mode 100644 index 00000000..414eef69 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/README.md @@ -0,0 +1,68 @@ +Gerrit OAuth2 authentication provider +===================================== + +[![Build Status](https://travis-ci.org/davido/gerrit-oauth-provider.svg?branch=master)](https://travis-ci.org/davido/gerrit-oauth-provider) + + +With this plugin Gerrit can use OAuth2 protocol for authentication. +Supported OAuth providers: + +* [AirVantage](https://doc.airvantage.net/av/reference/cloud/API/#API-GeneralInformation-Authentication) +* [Bitbucket](https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html) +* [CAS](https://www.apereo.org/projects/cas) +* [CoreOS Dex](https://github.com/coreos/dex) +* [Facebook](https://developers.facebook.com/docs/facebook-login) +* [GitHub](https://developer.github.com/v3/oauth/) +* [GitLab](https://about.gitlab.com/) +* [Google](https://developers.google.com/identity/protocols/OAuth2) +* [Keycloak](http://www.keycloak.org/) +* [Office365](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols) + +See the [Wiki](https://github.com/davido/gerrit-oauth-provider/wiki) what it can do for you. + +Prebuilt artifacts +------------------ + +Prebuilt binary artifacts are available on [release page](https://github.com/davido/gerrit-oauth-provider/releases). Make sure to pick the right JAR for your Gerrit version. + +Build +----- + +To build the plugin with Bazel, install +[Bazel](https://bazel.build/versions/master/docs/install.html) and run the +following: + +``` + git clone https://gerrit.googlesource.com/plugins/oauth gerrit-oauth-provider + cd gerrit-oauth-provider && bazel build gerrit-oauth-provider +``` + +Install +------- + +Copy the `bazel-genfiles/oauth.jar` to +`$gerrit_site/plugins` and re-run init to configure it: + +``` + java -jar gerrit.war init -d + [...] + *** OAuth Authentication Provider + *** + Use Bitbucket OAuth provider for Gerrit login ? [Y/n]? n + Use Google OAuth provider for Gerrit login ? [Y/n]? + Application client id : + Application client secret : + confirm password : + Link to OpenID accounts? [true]: + Use GitHub OAuth provider for Gerrit login ? [Y/n]? n +``` + +Reporting bugs +-------------- + +Make sure to read the [FAQ](https://github.com/davido/gerrit-oauth-provider/wiki/FAQ) before reporting issues. + +License +------- + +Apache License 2.0 diff --git a/app/gerrit/gerrit-oauth-provider/bazlets.bzl b/app/gerrit/gerrit-oauth-provider/bazlets.bzl new file mode 100644 index 00000000..f089af47 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/bazlets.bzl @@ -0,0 +1,18 @@ +load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository") + +NAME = "com_googlesource_gerrit_bazlets" + +def load_bazlets( + commit, + local_path = None): + if not local_path: + git_repository( + name = NAME, + remote = "https://gerrit.googlesource.com/bazlets", + commit = commit, + ) + else: + native.local_repository( + name = NAME, + path = local_path, + ) diff --git a/app/gerrit/gerrit-oauth-provider/external_plugin_deps.bzl b/app/gerrit/gerrit-oauth-provider/external_plugin_deps.bzl new file mode 100644 index 00000000..e5603441 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/external_plugin_deps.bzl @@ -0,0 +1,14 @@ +load("//tools/bzl:maven_jar.bzl", "maven_jar") + +def external_plugin_deps(omit_commons_codec = True): + maven_jar( + name = "scribe", + artifact = "org.scribe:scribe:1.3.7", + sha1 = "583921bed46635d9f529ef5f14f7c9e83367bc6e", + ) + if not omit_commons_codec: + maven_jar( + name = "commons-codec", + artifact = "commons-codec:commons-codec:1.4", + sha1 = "4216af16d38465bbab0f3dff8efa14204f7a399a", + ) diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/AirVantageApi.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/AirVantageApi.java new file mode 100644 index 00000000..02f4bd5e --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/AirVantageApi.java @@ -0,0 +1,56 @@ +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static java.lang.String.format; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.extractors.JsonTokenExtractor; +import org.scribe.model.OAuthConfig; +import org.scribe.model.Verb; +import org.scribe.oauth.OAuthService; + +public class AirVantageApi extends DefaultApi20 { + + private static final String AUTHORIZE_URL = + "https://eu.airvantage.net/api/oauth/authorize?client_id=%s&response_type=code"; + private static final String ACCESS_TOKEN_ENDPOINT = "https://eu.airvantage.net/api/oauth/token"; + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + return format(AUTHORIZE_URL, config.getApiKey()); + } + + @Override + public String getAccessTokenEndpoint() { + return ACCESS_TOKEN_ENDPOINT; + } + + @Override + public Verb getAccessTokenVerb() { + return Verb.POST; + } + + @Override + public AccessTokenExtractor getAccessTokenExtractor() { + return new JsonTokenExtractor(); + } + + @Override + public OAuthService createService(OAuthConfig config) { + return new OAuth20ServiceImpl(this, config); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/AirVantageOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/AirVantageOAuthService.java new file mode 100644 index 00000000..a1ec5912 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/AirVantageOAuthService.java @@ -0,0 +1,127 @@ +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; +import static javax.servlet.http.HttpServletResponse.SC_OK; +import static org.slf4j.LoggerFactory.getLogger; + +import com.google.common.base.CharMatcher; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; + +@Singleton +public class AirVantageOAuthService implements OAuthServiceProvider { + private static final Logger log = getLogger(AirVantageOAuthService.class); + static final String CONFIG_SUFFIX = "-airvantage-oauth"; + private static final String AV_PROVIDER_PREFIX = "airvantage-oauth:"; + private static final String PROTECTED_RESOURCE_URL = + "https://eu.airvantage.net/api/v1/users/current"; + private final OAuthService service; + + @Inject + AirVantageOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + + service = + new ServiceBuilder() + .provider(AirVantageApi.class) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .callback(canonicalWebUrl + "oauth") + .build(); + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL); + Token t = new Token(token.getToken(), token.getSecret(), token.getRaw()); + service.signRequest(t, request); + Response response = request.send(); + if (response.getCode() != SC_OK) { + throw new IOException( + String.format( + "Status %s (%s) for request %s", + response.getCode(), response.getBody(), request.getUrl())); + } + JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class); + if (log.isDebugEnabled()) { + log.debug("User info response: {}", response.getBody()); + } + if (userJson.isJsonObject()) { + JsonObject jsonObject = userJson.getAsJsonObject(); + JsonElement id = jsonObject.get("uid"); + if (id == null || id.isJsonNull()) { + throw new IOException("Response doesn't contain uid field"); + } + JsonElement email = jsonObject.get("email"); + JsonElement name = jsonObject.get("name"); + return new OAuthUserInfo( + AV_PROVIDER_PREFIX + id.getAsString(), + null, + email.getAsString(), + name.getAsString(), + id.getAsString()); + } + + throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson)); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + return new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + } + + @Override + public String getAuthorizationUrl() { + return service.getAuthorizationUrl(null); + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return "AirVantage OAuth2"; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/BitbucketApi.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/BitbucketApi.java new file mode 100644 index 00000000..de0f5ea9 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/BitbucketApi.java @@ -0,0 +1,150 @@ +// Copyright (C) 2015 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; +import static java.lang.String.format; +import static javax.servlet.http.HttpServletResponse.SC_OK; +import static org.scribe.model.OAuthConstants.ACCESS_TOKEN; +import static org.scribe.model.OAuthConstants.CODE; + +import com.google.common.io.BaseEncoding; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import org.scribe.builder.api.DefaultApi20; +import org.scribe.exceptions.OAuthException; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.model.OAuthConfig; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; + +public class BitbucketApi extends DefaultApi20 { + + private static final String AUTHORIZE_URL = + "https://bitbucket.org/site/oauth2/authorize?client_id=%s&response_type=code"; + private static final String ACCESS_TOKEN_ENDPOINT = + "https://bitbucket.org/site/oauth2/access_token"; + + public BitbucketApi() {} + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + return format(AUTHORIZE_URL, config.getApiKey()); + } + + @Override + public String getAccessTokenEndpoint() { + return ACCESS_TOKEN_ENDPOINT; + } + + @Override + public Verb getAccessTokenVerb() { + return Verb.POST; + } + + @Override + public OAuthService createService(OAuthConfig config) { + return new BitbucketOAuthService(this, config); + } + + @Override + public AccessTokenExtractor getAccessTokenExtractor() { + return new BitbucketTokenExtractor(); + } + + private static final class BitbucketOAuthService implements OAuthService { + private static final String VERSION = "2.0"; + + private static final String GRANT_TYPE = "grant_type"; + private static final String GRANT_TYPE_VALUE = "authorization_code"; + + private final DefaultApi20 api; + private final OAuthConfig config; + + private BitbucketOAuthService(DefaultApi20 api, OAuthConfig config) { + this.config = config; + this.api = api; + } + + @Override + public Token getAccessToken(Token token, Verifier verifier) { + OAuthRequest request = + new OAuthRequest(api.getAccessTokenVerb(), api.getAccessTokenEndpoint()); + request.addHeader("Authorization", prepareAuthorizationHeaderValue()); + request.addBodyParameter(GRANT_TYPE, GRANT_TYPE_VALUE); + request.addBodyParameter(CODE, verifier.getValue()); + Response response = request.send(); + if (response.getCode() == SC_OK) { + Token t = api.getAccessTokenExtractor().extract(response.getBody()); + return new Token(t.getToken(), config.getApiSecret()); + } + + throw new OAuthException( + String.format( + "Error response received: %s, HTTP status: %s", + response.getBody(), response.getCode())); + } + + private String prepareAuthorizationHeaderValue() { + String value = String.format("%s:%s", config.getApiKey(), config.getApiSecret()); + String valueBase64 = BaseEncoding.base64().encode(value.getBytes()); + return String.format("Basic %s", valueBase64); + } + + @Override + public Token getRequestToken() { + throw new UnsupportedOperationException( + "Unsupported operation, please use 'getAuthorizationUrl' and redirect your users there"); + } + + @Override + public String getVersion() { + return VERSION; + } + + @Override + public void signRequest(Token token, OAuthRequest request) { + request.addQuerystringParameter(ACCESS_TOKEN, token.getToken()); + } + + @Override + public String getAuthorizationUrl(Token token) { + return api.getAuthorizationUrl(config); + } + } + + private static final class BitbucketTokenExtractor implements AccessTokenExtractor { + + @Override + public Token extract(String response) { + JsonElement json = JSON.newGson().fromJson(response, JsonElement.class); + if (json.isJsonObject()) { + JsonObject jsonObject = json.getAsJsonObject(); + JsonElement id = jsonObject.get(ACCESS_TOKEN); + if (id == null || id.isJsonNull()) { + throw new OAuthException("Response doesn't contain 'access_token' field"); + } + JsonElement accessToken = jsonObject.get(ACCESS_TOKEN); + return new Token(accessToken.getAsString(), ""); + } + + throw new OAuthException(String.format("Invalid JSON '%s': not a JSON Object", json)); + } + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/BitbucketOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/BitbucketOAuthService.java new file mode 100644 index 00000000..c1524e9b --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/BitbucketOAuthService.java @@ -0,0 +1,130 @@ +// Copyright (C) 2015 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; +import static javax.servlet.http.HttpServletResponse.SC_OK; +import static org.slf4j.LoggerFactory.getLogger; + +import com.google.common.base.CharMatcher; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; + +@Singleton +public class BitbucketOAuthService implements OAuthServiceProvider { + private static final Logger log = getLogger(BitbucketOAuthService.class); + static final String CONFIG_SUFFIX = "-bitbucket-oauth"; + private static final String BITBUCKET_PROVIDER_PREFIX = "bitbucket-oauth:"; + private static final String PROTECTED_RESOURCE_URL = "https://bitbucket.org/api/1.0/user/"; + private final boolean fixLegacyUserId; + private final OAuthService service; + + @Inject + BitbucketOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + + String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + fixLegacyUserId = cfg.getBoolean(InitOAuth.FIX_LEGACY_USER_ID, false); + service = + new ServiceBuilder() + .provider(BitbucketApi.class) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .callback(canonicalWebUrl + "oauth") + .build(); + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL); + Token t = new Token(token.getToken(), token.getSecret(), token.getRaw()); + service.signRequest(t, request); + Response response = request.send(); + if (response.getCode() != SC_OK) { + throw new IOException( + String.format( + "Status %s (%s) for request %s", + response.getCode(), response.getBody(), request.getUrl())); + } + JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class); + if (log.isDebugEnabled()) { + log.debug("User info response: {}", response.getBody()); + } + if (userJson.isJsonObject()) { + JsonObject jsonObject = userJson.getAsJsonObject(); + JsonObject userObject = jsonObject.getAsJsonObject("user"); + if (userObject == null || userObject.isJsonNull()) { + throw new IOException("Response doesn't contain 'user' field"); + } + JsonElement usernameElement = userObject.get("username"); + String username = usernameElement.getAsString(); + + JsonElement displayName = jsonObject.get("display_name"); + return new OAuthUserInfo( + BITBUCKET_PROVIDER_PREFIX + username, + username, + null, + displayName == null || displayName.isJsonNull() ? null : displayName.getAsString(), + fixLegacyUserId ? username : null); + } + + throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson)); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + return new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + } + + @Override + public String getAuthorizationUrl() { + return service.getAuthorizationUrl(null); + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return "Bitbucket OAuth2"; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/CasApi.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/CasApi.java new file mode 100644 index 00000000..76d4011a --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/CasApi.java @@ -0,0 +1,53 @@ +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.model.OAuthConfig; +import org.scribe.model.Verb; +import org.scribe.oauth.OAuthService; +import org.scribe.utils.OAuthEncoder; + +public class CasApi extends DefaultApi20 { + private static final String AUTHORIZE_URL = + "%s/oauth2.0/authorize?response_type=code&client_id=%s&redirect_uri=%s"; + + private final String rootUrl; + + public CasApi(String rootUrl) { + this.rootUrl = rootUrl; + } + + @Override + public String getAccessTokenEndpoint() { + return String.format("%s/oauth2.0/accessToken", rootUrl); + } + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + return String.format( + AUTHORIZE_URL, rootUrl, config.getApiKey(), OAuthEncoder.encode(config.getCallback())); + } + + @Override + public Verb getAccessTokenVerb() { + return Verb.POST; + } + + @Override + public OAuthService createService(OAuthConfig config) { + return new OAuth20ServiceImpl(this, config); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/CasOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/CasOAuthService.java new file mode 100644 index 00000000..e90c5b38 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/CasOAuthService.java @@ -0,0 +1,171 @@ +// Copyright (C) 2016 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; + +import com.google.common.base.CharMatcher; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonArray; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import javax.servlet.http.HttpServletResponse; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@Singleton +class CasOAuthService implements OAuthServiceProvider { + private static final Logger log = LoggerFactory.getLogger(CasOAuthService.class); + static final String CONFIG_SUFFIX = "-cas-oauth"; + private static final String CAS_PROVIDER_PREFIX = "cas-oauth:"; + private static final String PROTECTED_RESOURCE_URL = "%s/oauth2.0/profile"; + + private final String rootUrl; + private final boolean fixLegacyUserId; + private final OAuthService service; + + @Inject + CasOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + rootUrl = cfg.getString(InitOAuth.ROOT_URL); + String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + fixLegacyUserId = cfg.getBoolean(InitOAuth.FIX_LEGACY_USER_ID, false); + service = + new ServiceBuilder() + .provider(new CasApi(rootUrl)) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .callback(canonicalWebUrl + "oauth") + .build(); + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + final String protectedResourceUrl = String.format(PROTECTED_RESOURCE_URL, rootUrl); + OAuthRequest request = new OAuthRequest(Verb.GET, protectedResourceUrl); + Token t = new Token(token.getToken(), token.getSecret(), token.getRaw()); + service.signRequest(t, request); + + Response response = request.send(); + if (response.getCode() != HttpServletResponse.SC_OK) { + throw new IOException( + String.format( + "Status %s (%s) for request %s", + response.getCode(), response.getBody(), request.getUrl())); + } + + if (log.isDebugEnabled()) { + log.debug("User info response: {}", response.getBody()); + } + + JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class); + if (!userJson.isJsonObject()) { + throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson)); + } + JsonObject jsonObject = userJson.getAsJsonObject(); + + JsonElement id = jsonObject.get("id"); + if (id == null || id.isJsonNull()) { + throw new IOException(String.format("CAS response missing id: %s", response.getBody())); + } + + JsonElement attrListJson = jsonObject.get("attributes"); + if (attrListJson == null) { + throw new IOException( + String.format("CAS response missing attributes: %s", response.getBody())); + } + + String email = null, name = null, login = null; + + if (attrListJson.isJsonArray()) { + // It is possible for CAS to be configured to not return any attributes (email, name, login), + // in which case, + // CAS returns an empty JSON object "attributes":{}, rather than "null" or an empty JSON array + // "attributes": [] + + JsonArray attrJson = attrListJson.getAsJsonArray(); + for (JsonElement elem : attrJson) { + if (elem == null || !elem.isJsonObject()) { + throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", elem)); + } + JsonObject obj = elem.getAsJsonObject(); + + String property = getStringElement(obj, "email"); + if (property != null) email = property; + property = getStringElement(obj, "name"); + if (property != null) name = property; + property = getStringElement(obj, "login"); + if (property != null) login = property; + } + } + + return new OAuthUserInfo( + CAS_PROVIDER_PREFIX + id.getAsString(), + login, + email, + name, + fixLegacyUserId ? id.getAsString() : null); + } + + private String getStringElement(JsonObject o, String name) { + JsonElement elem = o.get(name); + if (elem == null || elem.isJsonNull()) return null; + + return elem.getAsString(); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + return new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + } + + @Override + public String getAuthorizationUrl() { + return service.getAuthorizationUrl(null); + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return "Generic CAS OAuth2"; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DexApi.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DexApi.java new file mode 100644 index 00000000..2386e24f --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DexApi.java @@ -0,0 +1,65 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.extractors.JsonTokenExtractor; +import org.scribe.model.OAuthConfig; +import org.scribe.model.Verb; +import org.scribe.oauth.OAuthService; +import org.scribe.utils.OAuthEncoder; + +public class DexApi extends DefaultApi20 { + + private static final String AUTHORIZE_URL = + "%s/dex/auth?client_id=%s&response_type=code&redirect_uri=%s&scope=%s"; + + private final String rootUrl; + + public DexApi(String rootUrl) { + this.rootUrl = rootUrl; + } + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + return String.format( + AUTHORIZE_URL, + rootUrl, + config.getApiKey(), + OAuthEncoder.encode(config.getCallback()), + config.getScope().replaceAll(" ", "+")); + } + + @Override + public String getAccessTokenEndpoint() { + return String.format("%s/dex/token", rootUrl); + } + + @Override + public Verb getAccessTokenVerb() { + return Verb.POST; + } + + @Override + public OAuthService createService(OAuthConfig config) { + return new OAuth20ServiceImpl(this, config); + } + + @Override + public AccessTokenExtractor getAccessTokenExtractor() { + return new JsonTokenExtractor(); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DexOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DexOAuthService.java new file mode 100644 index 00000000..255d394a --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DexOAuthService.java @@ -0,0 +1,137 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; + +import com.google.common.base.CharMatcher; +import com.google.common.base.Preconditions; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import org.apache.commons.codec.binary.Base64; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.Token; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; + +@Singleton +public class DexOAuthService implements OAuthServiceProvider { + + static final String CONFIG_SUFFIX = "-dex-oauth"; + private static final String DEX_PROVIDER_PREFIX = "dex-oauth:"; + private final OAuthService service; + private final String rootUrl; + private final String domain; + private final String serviceName; + + @Inject + DexOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + + rootUrl = cfg.getString(InitOAuth.ROOT_URL); + domain = cfg.getString(InitOAuth.DOMAIN, null); + serviceName = cfg.getString(InitOAuth.SERVICE_NAME, "Dex OAuth2"); + + service = + new ServiceBuilder() + .provider(new DexApi(rootUrl)) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .scope("openid profile email offline_access") + .callback(canonicalWebUrl + "oauth") + .build(); + } + + private String parseJwt(String input) { + String[] parts = input.split("\\."); + Preconditions.checkState(parts.length == 3); + Preconditions.checkNotNull(parts[1]); + return new String(Base64.decodeBase64(parts[1])); + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + JsonElement tokenJson = JSON.newGson().fromJson(token.getRaw(), JsonElement.class); + JsonObject tokenObject = tokenJson.getAsJsonObject(); + JsonElement id_token = tokenObject.get("id_token"); + + JsonElement claimJson = + JSON.newGson().fromJson(parseJwt(id_token.getAsString()), JsonElement.class); + + // Dex does not support basic profile currently (2017-09), extracting info + // from access token claim + + JsonObject claimObject = claimJson.getAsJsonObject(); + JsonElement emailElement = claimObject.get("email"); + JsonElement nameElement = claimObject.get("name"); + if (emailElement == null || emailElement.isJsonNull()) { + throw new IOException("Response doesn't contain email field"); + } + if (nameElement == null || nameElement.isJsonNull()) { + throw new IOException("Response doesn't contain name field"); + } + String email = emailElement.getAsString(); + String name = nameElement.getAsString(); + String username = email; + if (domain != null && domain.length() > 0) { + username = email.replace("@" + domain, ""); + } + + return new OAuthUserInfo( + DEX_PROVIDER_PREFIX + email /*externalId*/, + username /*username*/, + email /*email*/, + name /*displayName*/, + null /*claimedIdentity*/); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + return new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + } + + @Override + public String getAuthorizationUrl() { + return service.getAuthorizationUrl(null); + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return serviceName; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DisabledOAuthLoginProvider.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DisabledOAuthLoginProvider.java new file mode 100644 index 00000000..4a62e3d9 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/DisabledOAuthLoginProvider.java @@ -0,0 +1,38 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthLoginProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.inject.Inject; +import com.google.inject.Singleton; +import java.io.IOException; + +@Singleton +class DisabledOAuthLoginProvider implements OAuthLoginProvider { + private final String pluginName; + + @Inject + DisabledOAuthLoginProvider(@PluginName String pluginName) { + this.pluginName = pluginName; + } + + @Override + public OAuthUserInfo login(String username, String secret) throws IOException { + throw new UnsupportedOperationException( + "git over oauth is not implemented by " + pluginName + " plugin"); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Facebook2Api.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Facebook2Api.java new file mode 100644 index 00000000..a547bfbd --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Facebook2Api.java @@ -0,0 +1,25 @@ +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import org.scribe.builder.api.FacebookApi; +import org.scribe.extractors.AccessTokenExtractor; + +public class Facebook2Api extends FacebookApi { + @Override + public AccessTokenExtractor getAccessTokenExtractor() { + return OAuth2AccessTokenJsonExtractor.instance(); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/FacebookOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/FacebookOAuthService.java new file mode 100644 index 00000000..bc5818ae --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/FacebookOAuthService.java @@ -0,0 +1,142 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; + +import com.google.common.base.CharMatcher; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import javax.servlet.http.HttpServletResponse; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@Singleton +class FacebookOAuthService implements OAuthServiceProvider { + private static final Logger log = LoggerFactory.getLogger(FacebookOAuthService.class); + static final String CONFIG_SUFFIX = "-facebook-oauth"; + private static final String PROTECTED_RESOURCE_URL = "https://graph.facebook.com/me"; + + private static final String FACEBOOK_PROVIDER_PREFIX = "facebook-oauth:"; + private static final String SCOPE = "email"; + private static final String FIELDS_QUERY = "fields"; + private static final String FIELDS = "email,name"; + private final OAuthService service; + + @Inject + FacebookOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + + service = + new ServiceBuilder() + .provider(Facebook2Api.class) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .callback(canonicalWebUrl + "oauth") + .scope(SCOPE) + .build(); + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL); + Token t = new Token(token.getToken(), token.getSecret(), token.getRaw()); + request.addQuerystringParameter(FIELDS_QUERY, FIELDS); + service.signRequest(t, request); + Response response = request.send(); + + if (response.getCode() != HttpServletResponse.SC_OK) { + throw new IOException( + String.format( + "Status %s (%s) for request %s", + response.getCode(), response.getBody(), request.getUrl())); + } + JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class); + + if (log.isDebugEnabled()) { + log.debug("User info response: {}", response.getBody()); + } + if (userJson.isJsonObject()) { + JsonObject jsonObject = userJson.getAsJsonObject(); + JsonElement id = jsonObject.get("id"); + if (id == null || id.isJsonNull()) { + throw new IOException("Response doesn't contain id field"); + } + JsonElement email = jsonObject.get("email"); + JsonElement name = jsonObject.get("name"); + // Heads up! + // Lets keep `login` equal to `email`, since `username` field is + // deprecated for Facebook API versions v2.0 and higher + JsonElement login = jsonObject.get("email"); + + return new OAuthUserInfo( + FACEBOOK_PROVIDER_PREFIX + id.getAsString(), + login == null || login.isJsonNull() ? null : login.getAsString(), + email == null || email.isJsonNull() ? null : email.getAsString(), + name == null || name.isJsonNull() ? null : name.getAsString(), + null); + } + + throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson)); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + OAuthToken result = new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + + return result; + } + + @Override + public String getAuthorizationUrl() { + return service.getAuthorizationUrl(null); + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return "Facebook OAuth2"; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHub2Api.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHub2Api.java new file mode 100644 index 00000000..4b8419bb --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHub2Api.java @@ -0,0 +1,35 @@ +// Copyright (C) 2015 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.model.OAuthConfig; +import org.scribe.utils.OAuthEncoder; + +public class GitHub2Api extends DefaultApi20 { + private static final String AUTHORIZE_URL = + "https://github.com/login/oauth/authorize?client_id=%s&redirect_uri=%s"; + + @Override + public String getAccessTokenEndpoint() { + return "https://github.com/login/oauth/access_token"; + } + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + return String.format( + AUTHORIZE_URL, config.getApiKey(), OAuthEncoder.encode(config.getCallback())); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHubOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHubOAuthService.java new file mode 100644 index 00000000..1c73c0ea --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHubOAuthService.java @@ -0,0 +1,132 @@ +// Copyright (C) 2015 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; + +import com.google.common.base.CharMatcher; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import javax.servlet.http.HttpServletResponse; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@Singleton +class GitHubOAuthService implements OAuthServiceProvider { + private static final Logger log = LoggerFactory.getLogger(GitHubOAuthService.class); + static final String CONFIG_SUFFIX = "-github-oauth"; + private static final String GITHUB_PROVIDER_PREFIX = "github-oauth:"; + private static final String PROTECTED_RESOURCE_URL = "https://api.github.com/user"; + + private static final String SCOPE = "user:email"; + private final boolean fixLegacyUserId; + private final OAuthService service; + + @Inject + GitHubOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + fixLegacyUserId = cfg.getBoolean(InitOAuth.FIX_LEGACY_USER_ID, false); + service = + new ServiceBuilder() + .provider(GitHub2Api.class) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .callback(canonicalWebUrl + "oauth") + .scope(SCOPE) + .build(); + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL); + Token t = new Token(token.getToken(), token.getSecret(), token.getRaw()); + service.signRequest(t, request); + Response response = request.send(); + if (response.getCode() != HttpServletResponse.SC_OK) { + throw new IOException( + String.format( + "Status %s (%s) for request %s", + response.getCode(), response.getBody(), request.getUrl())); + } + JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class); + if (log.isDebugEnabled()) { + log.debug("User info response: {}", response.getBody()); + } + if (userJson.isJsonObject()) { + JsonObject jsonObject = userJson.getAsJsonObject(); + JsonElement id = jsonObject.get("id"); + if (id == null || id.isJsonNull()) { + throw new IOException("Response doesn't contain id field"); + } + JsonElement email = jsonObject.get("email"); + JsonElement name = jsonObject.get("name"); + JsonElement login = jsonObject.get("login"); + return new OAuthUserInfo( + GITHUB_PROVIDER_PREFIX + id.getAsString(), + login == null || login.isJsonNull() ? null : login.getAsString(), + email == null || email.isJsonNull() ? null : email.getAsString(), + name == null || name.isJsonNull() ? null : name.getAsString(), + fixLegacyUserId ? id.getAsString() : null); + } + + throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson)); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + OAuthToken result = new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + return result; + } + + @Override + public String getAuthorizationUrl() { + return service.getAuthorizationUrl(null); + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return "GitHub OAuth2"; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitLabApi.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitLabApi.java new file mode 100644 index 00000000..db0851fa --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitLabApi.java @@ -0,0 +1,57 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.model.OAuthConfig; +import org.scribe.model.Verb; +import org.scribe.oauth.OAuthService; + +public class GitLabApi extends DefaultApi20 { + private static final String AUTHORIZE_URL = + "%s/oauth/authorize?client_id=%s&response_type=code&redirect_uri=%s"; + + private final String rootUrl; + + public GitLabApi(String rootUrl) { + this.rootUrl = rootUrl; + } + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + return String.format(AUTHORIZE_URL, rootUrl, config.getApiKey(), config.getCallback()); + } + + @Override + public String getAccessTokenEndpoint() { + return String.format("%s/oauth/token", rootUrl); + } + + @Override + public Verb getAccessTokenVerb() { + return Verb.POST; + } + + @Override + public OAuthService createService(OAuthConfig config) { + return new OAuth20ServiceImpl(this, config); + } + + @Override + public AccessTokenExtractor getAccessTokenExtractor() { + return OAuth2AccessTokenJsonExtractor.instance(); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitLabOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitLabOAuthService.java new file mode 100644 index 00000000..ed4c456b --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GitLabOAuthService.java @@ -0,0 +1,126 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; +import static javax.servlet.http.HttpServletResponse.SC_OK; +import static org.slf4j.LoggerFactory.getLogger; + +import com.google.common.base.CharMatcher; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; + +@Singleton +public class GitLabOAuthService implements OAuthServiceProvider { + private static final Logger log = getLogger(GitLabOAuthService.class); + static final String CONFIG_SUFFIX = "-gitlab-oauth"; + private static final String PROTECTED_RESOURCE_URL = "%s/api/v3/user"; + private static final String GITLAB_PROVIDER_PREFIX = "gitlab-oauth:"; + private final OAuthService service; + private final String rootUrl; + + @Inject + GitLabOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + rootUrl = cfg.getString(InitOAuth.ROOT_URL); + service = + new ServiceBuilder() + .provider(new GitLabApi(rootUrl)) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .callback(canonicalWebUrl + "oauth") + .build(); + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + final String protectedResourceUrl = String.format(PROTECTED_RESOURCE_URL, rootUrl); + OAuthRequest request = new OAuthRequest(Verb.GET, protectedResourceUrl); + Token t = new Token(token.getToken(), token.getSecret(), token.getRaw()); + service.signRequest(t, request); + + Response response = request.send(); + if (response.getCode() != SC_OK) { + throw new IOException( + String.format( + "Status %s (%s) for request %s", + response.getCode(), response.getBody(), request.getUrl())); + } + JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class); + if (log.isDebugEnabled()) { + log.debug("User info response: {}", response.getBody()); + } + JsonObject jsonObject = userJson.getAsJsonObject(); + if (jsonObject == null || jsonObject.isJsonNull()) { + throw new IOException("Response doesn't contain 'user' field" + jsonObject); + } + JsonElement id = jsonObject.get("id"); + JsonElement username = jsonObject.get("username"); + JsonElement email = jsonObject.get("email"); + JsonElement name = jsonObject.get("name"); + return new OAuthUserInfo( + GITLAB_PROVIDER_PREFIX + id.getAsString(), + username == null || username.isJsonNull() ? null : username.getAsString(), + email == null || email.isJsonNull() ? null : email.getAsString(), + name == null || name.isJsonNull() ? null : name.getAsString(), + null); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + return new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + } + + @Override + public String getAuthorizationUrl() { + return service.getAuthorizationUrl(null); + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return "GitLab OAuth2"; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Google2Api.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Google2Api.java new file mode 100644 index 00000000..88c640d1 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Google2Api.java @@ -0,0 +1,63 @@ +// Copyright (C) 2015 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static org.scribe.utils.OAuthEncoder.encode; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.model.OAuthConfig; +import org.scribe.model.Verb; +import org.scribe.oauth.OAuthService; +import org.scribe.utils.Preconditions; + +// Source: https://github.com/FeedTheCoffers/scribe-java-extras +// License: Apache 2 +// https://github.com/FeedTheCoffers/scribe-java-extras/blob/master/pom.xml +public class Google2Api extends DefaultApi20 { + private static final String AUTHORIZE_URL = + "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=%s&redirect_uri=%s&scope=%s"; + + @Override + public String getAccessTokenEndpoint() { + return "https://accounts.google.com/o/oauth2/token"; + } + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + Preconditions.checkValidUrl( + config.getCallback(), "Must provide a valid url as callback. Google does not support OOB"); + Preconditions.checkEmptyString( + config.getScope(), "Must provide a valid value as scope. Google does not support no scope"); + + return String.format( + AUTHORIZE_URL, config.getApiKey(), encode(config.getCallback()), encode(config.getScope())); + } + + @Override + public Verb getAccessTokenVerb() { + return Verb.POST; + } + + @Override + public OAuthService createService(OAuthConfig config) { + return new OAuth20ServiceImpl(this, config); + } + + @Override + public AccessTokenExtractor getAccessTokenExtractor() { + return OAuth2AccessTokenJsonExtractor.instance(); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java new file mode 100644 index 00000000..d6fcacfc --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java @@ -0,0 +1,233 @@ +// Copyright (C) 2015 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; + +import com.google.common.base.CharMatcher; +import com.google.common.base.Preconditions; +import com.google.common.base.Strings; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import java.io.UnsupportedEncodingException; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.util.Arrays; +import java.util.List; +import javax.servlet.http.HttpServletResponse; +import org.apache.commons.codec.binary.Base64; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@Singleton +class GoogleOAuthService implements OAuthServiceProvider { + private static final Logger log = LoggerFactory.getLogger(GoogleOAuthService.class); + static final String CONFIG_SUFFIX = "-google-oauth"; + private static final String GOOGLE_PROVIDER_PREFIX = "google-oauth:"; + private static final String PROTECTED_RESOURCE_URL = + "https://www.googleapis.com/oauth2/v2/userinfo"; + private static final String SCOPE = "email profile"; + private final OAuthService service; + private final String canonicalWebUrl; + private final List domains; + private final boolean useEmailAsUsername; + private final boolean fixLegacyUserId; + + @Inject + GoogleOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + this.canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + if (cfg.getBoolean(InitOAuth.LINK_TO_EXISTING_OPENID_ACCOUNT, false)) { + log.warn( + String.format( + "The support for: %s is disconinued", InitOAuth.LINK_TO_EXISTING_OPENID_ACCOUNT)); + } + fixLegacyUserId = cfg.getBoolean(InitOAuth.FIX_LEGACY_USER_ID, false); + this.domains = Arrays.asList(cfg.getStringList(InitOAuth.DOMAIN)); + this.useEmailAsUsername = cfg.getBoolean(InitOAuth.USE_EMAIL_AS_USERNAME, false); + this.service = + new ServiceBuilder() + .provider(Google2Api.class) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .callback(canonicalWebUrl + "oauth") + .scope(SCOPE) + .build(); + if (log.isDebugEnabled()) { + log.debug("OAuth2: canonicalWebUrl={}", canonicalWebUrl); + log.debug("OAuth2: scope={}", SCOPE); + log.debug("OAuth2: domains={}", domains); + log.debug("OAuth2: useEmailAsUsername={}", useEmailAsUsername); + } + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL); + Token t = new Token(token.getToken(), token.getSecret(), token.getRaw()); + service.signRequest(t, request); + Response response = request.send(); + if (response.getCode() != HttpServletResponse.SC_OK) { + throw new IOException( + String.format( + "Status %s (%s) for request %s", + response.getCode(), response.getBody(), request.getUrl())); + } + JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class); + if (log.isDebugEnabled()) { + log.debug("User info response: {}", response.getBody()); + } + if (userJson.isJsonObject()) { + JsonObject jsonObject = userJson.getAsJsonObject(); + JsonElement id = jsonObject.get("id"); + if (id == null || id.isJsonNull()) { + throw new IOException("Response doesn't contain id field"); + } + JsonElement email = jsonObject.get("email"); + JsonElement name = jsonObject.get("name"); + String login = null; + + if (domains.size() > 0) { + boolean domainMatched = false; + JsonObject jwtToken = retrieveJWTToken(token); + String hdClaim = retrieveHostedDomain(jwtToken); + for (String domain : domains) { + if (domain.equalsIgnoreCase(hdClaim)) { + domainMatched = true; + break; + } + } + if (!domainMatched) { + // TODO(davido): improve error reporting in OAuth extension point + log.error("Error: hosted domain validation failed: {}", Strings.nullToEmpty(hdClaim)); + return null; + } + } + if (useEmailAsUsername && !email.isJsonNull()) { + login = email.getAsString().split("@")[0]; + } + return new OAuthUserInfo( + GOOGLE_PROVIDER_PREFIX + id.getAsString() /*externalId*/, + login /*username*/, + email == null || email.isJsonNull() ? null : email.getAsString() /*email*/, + name == null || name.isJsonNull() ? null : name.getAsString() /*displayName*/, + fixLegacyUserId ? id.getAsString() : null /*claimedIdentity*/); + } + + throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson)); + } + + private JsonObject retrieveJWTToken(OAuthToken token) { + JsonElement idToken = JSON.newGson().fromJson(token.getRaw(), JsonElement.class); + if (idToken != null && idToken.isJsonObject()) { + JsonObject idTokenObj = idToken.getAsJsonObject(); + JsonElement idTokenElement = idTokenObj.get("id_token"); + if (idTokenElement != null && !idTokenElement.isJsonNull()) { + String payload = decodePayload(idTokenElement.getAsString()); + if (!Strings.isNullOrEmpty(payload)) { + JsonElement tokenJsonElement = JSON.newGson().fromJson(payload, JsonElement.class); + if (tokenJsonElement.isJsonObject()) { + return tokenJsonElement.getAsJsonObject(); + } + } + } + } + return null; + } + + private static String retrieveHostedDomain(JsonObject jwtToken) { + JsonElement hdClaim = jwtToken.get("hd"); + if (hdClaim != null && !hdClaim.isJsonNull()) { + String hd = hdClaim.getAsString(); + log.debug("OAuth2: hd={}", hd); + return hd; + } + log.debug("OAuth2: JWT doesn't contain hd element"); + return null; + } + + /** + * Decode payload from JWT according to spec: "header.payload.signature" + * + * @param idToken Base64 encoded tripple, separated with dot + * @return openid_id part of payload, when contained, null otherwise + */ + private static String decodePayload(String idToken) { + Preconditions.checkNotNull(idToken); + String[] jwtParts = idToken.split("\\."); + Preconditions.checkState(jwtParts.length == 3); + String payloadStr = jwtParts[1]; + Preconditions.checkNotNull(payloadStr); + return new String(Base64.decodeBase64(payloadStr)); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + OAuthToken result = new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + return result; + } + + @Override + public String getAuthorizationUrl() { + String url = service.getAuthorizationUrl(null); + try { + if (domains.size() == 1) { + url += "&hd=" + URLEncoder.encode(domains.get(0), StandardCharsets.UTF_8.name()); + } else if (domains.size() > 1) { + url += "&hd=*"; + } + } catch (UnsupportedEncodingException e) { + throw new IllegalArgumentException(e); + } + if (log.isDebugEnabled()) { + log.debug("OAuth2: authorization URL={}", url); + } + return url; + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return "Google OAuth2"; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/HttpModule.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/HttpModule.java new file mode 100644 index 00000000..e9e0b8fa --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/HttpModule.java @@ -0,0 +1,116 @@ +// Copyright (C) 2015 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import com.google.gerrit.extensions.annotations.Exports; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.inject.Inject; +import com.google.inject.servlet.ServletModule; + +class HttpModule extends ServletModule { + + private final PluginConfigFactory cfgFactory; + private final String pluginName; + + @Inject + HttpModule(PluginConfigFactory cfgFactory, @PluginName String pluginName) { + this.cfgFactory = cfgFactory; + this.pluginName = pluginName; + } + + @Override + protected void configureServlets() { + PluginConfig cfg = + cfgFactory.getFromGerritConfig(pluginName + GoogleOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(GoogleOAuthService.CONFIG_SUFFIX)) + .to(GoogleOAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + GitHubOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(GitHubOAuthService.CONFIG_SUFFIX)) + .to(GitHubOAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + BitbucketOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(BitbucketOAuthService.CONFIG_SUFFIX)) + .to(BitbucketOAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + CasOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(CasOAuthService.CONFIG_SUFFIX)) + .to(CasOAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + FacebookOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(FacebookOAuthService.CONFIG_SUFFIX)) + .to(FacebookOAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + GitLabOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(GitLabOAuthService.CONFIG_SUFFIX)) + .to(GitLabOAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + DexOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(DexOAuthService.CONFIG_SUFFIX)) + .to(DexOAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + KeycloakOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(KeycloakOAuthService.CONFIG_SUFFIX)) + .to(KeycloakOAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + Office365OAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(Office365OAuthService.CONFIG_SUFFIX)) + .to(Office365OAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + WarsawHackerspaceOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(WarsawHackerspaceOAuthService.CONFIG_SUFFIX)) + .to(WarsawHackerspaceOAuthService.class); + } + + cfg = cfgFactory.getFromGerritConfig(pluginName + WarsawHackerspaceOAuthService.CONFIG_SUFFIX); + if (cfg.getString(InitOAuth.CLIENT_ID) != null) { + bind(OAuthServiceProvider.class) + .annotatedWith(Exports.named(WarsawHackerspaceOAuthService.CONFIG_SUFFIX)) + .to(WarsawHackerspaceOAuthService.class); + } + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java new file mode 100644 index 00000000..50c05905 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java @@ -0,0 +1,161 @@ +// Copyright (C) 2015 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +package com.googlesource.gerrit.plugins.oauth; + +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.pgm.init.api.ConsoleUI; +import com.google.gerrit.pgm.init.api.InitStep; +import com.google.gerrit.pgm.init.api.Section; +import com.google.inject.Inject; + +class InitOAuth implements InitStep { + static final String PLUGIN_SECTION = "plugin"; + static final String CLIENT_ID = "client-id"; + static final String CLIENT_SECRET = "client-secret"; + static final String LINK_TO_EXISTING_OPENID_ACCOUNT = "link-to-existing-openid-accounts"; + static final String FIX_LEGACY_USER_ID = "fix-legacy-user-id"; + static final String DOMAIN = "domain"; + static final String USE_EMAIL_AS_USERNAME = "use-email-as-username"; + static final String ROOT_URL = "root-url"; + static final String REALM = "realm"; + static final String SERVICE_NAME = "service-name"; + static String FIX_LEGACY_USER_ID_QUESTION = "Fix legacy user id, without oauth provider prefix?"; + + private final ConsoleUI ui; + private final Section googleOAuthProviderSection; + private final Section githubOAuthProviderSection; + private final Section bitbucketOAuthProviderSection; + private final Section casOAuthProviderSection; + private final Section facebookOAuthProviderSection; + private final Section gitlabOAuthProviderSection; + private final Section dexOAuthProviderSection; + private final Section keycloakOAuthProviderSection; + private final Section office365OAuthProviderSection; + private final Section airVantageOAuthProviderSection; + private final Section warsawHackerspaceOAuthProviderSection; + + @Inject + InitOAuth(ConsoleUI ui, Section.Factory sections, @PluginName String pluginName) { + this.ui = ui; + this.googleOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + GoogleOAuthService.CONFIG_SUFFIX); + this.githubOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + GitHubOAuthService.CONFIG_SUFFIX); + this.bitbucketOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + BitbucketOAuthService.CONFIG_SUFFIX); + this.casOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + CasOAuthService.CONFIG_SUFFIX); + this.facebookOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + FacebookOAuthService.CONFIG_SUFFIX); + this.gitlabOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + GitLabOAuthService.CONFIG_SUFFIX); + this.dexOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + DexOAuthService.CONFIG_SUFFIX); + this.keycloakOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + KeycloakOAuthService.CONFIG_SUFFIX); + this.office365OAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + Office365OAuthService.CONFIG_SUFFIX); + this.airVantageOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + AirVantageOAuthService.CONFIG_SUFFIX); + this.warsawHackerspaceOAuthProviderSection = + sections.get(PLUGIN_SECTION, pluginName + WarsawHackerspaceOAuthService.CONFIG_SUFFIX); + } + + @Override + public void run() throws Exception { + ui.header("OAuth Authentication Provider"); + + boolean configureGoogleOAuthProvider = + ui.yesno(true, "Use Google OAuth provider for Gerrit login ?"); + if (configureGoogleOAuthProvider) { + configureOAuth(googleOAuthProviderSection); + googleOAuthProviderSection.string(FIX_LEGACY_USER_ID_QUESTION, FIX_LEGACY_USER_ID, "false"); + } + + boolean configueGitHubOAuthProvider = + ui.yesno(true, "Use GitHub OAuth provider for Gerrit login ?"); + if (configueGitHubOAuthProvider) { + configureOAuth(githubOAuthProviderSection); + githubOAuthProviderSection.string(FIX_LEGACY_USER_ID_QUESTION, FIX_LEGACY_USER_ID, "false"); + } + + boolean configureBitbucketOAuthProvider = + ui.yesno(true, "Use Bitbucket OAuth provider for Gerrit login ?"); + if (configureBitbucketOAuthProvider) { + configureOAuth(bitbucketOAuthProviderSection); + bitbucketOAuthProviderSection.string( + FIX_LEGACY_USER_ID_QUESTION, FIX_LEGACY_USER_ID, "false"); + } + + boolean configureCasOAuthProvider = ui.yesno(true, "Use CAS OAuth provider for Gerrit login ?"); + if (configureCasOAuthProvider) { + casOAuthProviderSection.string("CAS Root URL", ROOT_URL, null); + configureOAuth(casOAuthProviderSection); + casOAuthProviderSection.string(FIX_LEGACY_USER_ID_QUESTION, FIX_LEGACY_USER_ID, "false"); + } + + boolean configueFacebookOAuthProvider = + ui.yesno(true, "Use Facebook OAuth provider for Gerrit login ?"); + if (configueFacebookOAuthProvider) { + configureOAuth(facebookOAuthProviderSection); + } + + boolean configureGitLabOAuthProvider = + ui.yesno(true, "Use GitLab OAuth provider for Gerrit login ?"); + if (configureGitLabOAuthProvider) { + gitlabOAuthProviderSection.string("GitLab Root URL", ROOT_URL, null); + configureOAuth(gitlabOAuthProviderSection); + } + + boolean configureDexOAuthProvider = ui.yesno(true, "Use Dex OAuth provider for Gerrit login ?"); + if (configureDexOAuthProvider) { + dexOAuthProviderSection.string("Dex Root URL", ROOT_URL, null); + configureOAuth(dexOAuthProviderSection); + } + + boolean configureKeycloakOAuthProvider = + ui.yesno(true, "Use Keycloak OAuth provider for Gerrit login ?"); + if (configureKeycloakOAuthProvider) { + keycloakOAuthProviderSection.string("Keycloak Root URL", ROOT_URL, null); + keycloakOAuthProviderSection.string("Keycloak Realm", REALM, null); + configureOAuth(keycloakOAuthProviderSection); + } + + boolean configureOffice365OAuthProvider = + ui.yesno(true, "Use Office365 OAuth provider for Gerrit login ?"); + if (configureOffice365OAuthProvider) { + configureOAuth(office365OAuthProviderSection); + } + + boolean configureAirVantageOAuthProvider = + ui.yesno(true, "Use AirVantage OAuth provider for Gerrit login ?"); + if (configureAirVantageOAuthProvider) { + configureOAuth(airVantageOAuthProviderSection); + } + + boolean configureWarsawHackerspaceOAuthProvider = + ui.yesno(true, "Use Warsaw Hackerspace OAuth provider for Gerrit login?"); + if (configureWarsawHackerspaceOAuthProvider) { + configureOAuth(warsawHackerspaceOAuthProviderSection); + } + } + + private void configureOAuth(Section s) { + s.string("Application client id", CLIENT_ID, null); + s.passwordForKey("Application client secret", CLIENT_SECRET); + } + + @Override + public void postRun() throws Exception {} +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/KeycloakApi.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/KeycloakApi.java new file mode 100644 index 00000000..581d562c --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/KeycloakApi.java @@ -0,0 +1,68 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.extractors.JsonTokenExtractor; +import org.scribe.model.OAuthConfig; +import org.scribe.model.Verb; +import org.scribe.oauth.OAuthService; +import org.scribe.utils.OAuthEncoder; + +public class KeycloakApi extends DefaultApi20 { + + private static final String AUTHORIZE_URL = + "%s/auth/realms/%s/protocol/openid-connect/auth?client_id=%s&response_type=code&redirect_uri=%s&scope=%s"; + + private final String rootUrl; + private final String realm; + + public KeycloakApi(String rootUrl, String realm) { + this.rootUrl = rootUrl; + this.realm = realm; + } + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + return String.format( + AUTHORIZE_URL, + rootUrl, + realm, + config.getApiKey(), + OAuthEncoder.encode(config.getCallback()), + config.getScope().replaceAll(" ", "+")); + } + + @Override + public String getAccessTokenEndpoint() { + return String.format("%s/auth/realms/%s/protocol/openid-connect/token", rootUrl, realm); + } + + @Override + public Verb getAccessTokenVerb() { + return Verb.POST; + } + + @Override + public OAuthService createService(OAuthConfig config) { + return new OAuth20ServiceImpl(this, config); + } + + @Override + public AccessTokenExtractor getAccessTokenExtractor() { + return new JsonTokenExtractor(); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/KeycloakOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/KeycloakOAuthService.java new file mode 100644 index 00000000..b6a0cdf5 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/KeycloakOAuthService.java @@ -0,0 +1,138 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; + +import com.google.common.base.CharMatcher; +import com.google.common.base.Preconditions; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import java.io.IOException; +import org.apache.commons.codec.binary.Base64; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.Token; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class KeycloakOAuthService implements OAuthServiceProvider { + + private static final Logger log = LoggerFactory.getLogger(KeycloakOAuthService.class); + + static final String CONFIG_SUFFIX = "-keycloak-oauth"; + private static final String KEYCLOAK_PROVIDER_PREFIX = "keycloak-oauth:"; + private final OAuthService service; + private final String serviceName; + + @Inject + KeycloakOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + + String rootUrl = cfg.getString(InitOAuth.ROOT_URL); + String realm = cfg.getString(InitOAuth.REALM); + serviceName = cfg.getString(InitOAuth.SERVICE_NAME, "Keycloak OAuth2"); + + service = + new ServiceBuilder() + .provider(new KeycloakApi(rootUrl, realm)) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .scope("openid") + .callback(canonicalWebUrl + "oauth") + .build(); + } + + private String parseJwt(String input) { + String[] parts = input.split("\\."); + Preconditions.checkState(parts.length == 3); + Preconditions.checkNotNull(parts[1]); + return new String(Base64.decodeBase64(parts[1])); + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + JsonElement tokenJson = JSON.newGson().fromJson(token.getRaw(), JsonElement.class); + JsonObject tokenObject = tokenJson.getAsJsonObject(); + JsonElement id_token = tokenObject.get("id_token"); + + JsonElement claimJson = + JSON.newGson().fromJson(parseJwt(id_token.getAsString()), JsonElement.class); + + JsonObject claimObject = claimJson.getAsJsonObject(); + if (log.isDebugEnabled()) { + log.debug("Claim object: {}", claimObject); + } + JsonElement usernameElement = claimObject.get("preferred_username"); + JsonElement emailElement = claimObject.get("email"); + JsonElement nameElement = claimObject.get("name"); + if (usernameElement == null || usernameElement.isJsonNull()) { + throw new IOException("Response doesn't contain preferred_username field"); + } + if (emailElement == null || emailElement.isJsonNull()) { + throw new IOException("Response doesn't contain email field"); + } + if (nameElement == null || nameElement.isJsonNull()) { + throw new IOException("Response doesn't contain name field"); + } + String username = usernameElement.getAsString(); + String email = emailElement.getAsString(); + String name = nameElement.getAsString(); + + return new OAuthUserInfo( + KEYCLOAK_PROVIDER_PREFIX + username /*externalId*/, + username /*username*/, + email /*email*/, + name /*displayName*/, + null /*claimedIdentity*/); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + return new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + } + + @Override + public String getAuthorizationUrl() { + return service.getAuthorizationUrl(null); + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return serviceName; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Module.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Module.java new file mode 100644 index 00000000..72d59d14 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Module.java @@ -0,0 +1,37 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import com.google.gerrit.extensions.annotations.Exports; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthLoginProvider; +import com.google.inject.AbstractModule; +import com.google.inject.Inject; + +public class Module extends AbstractModule { + private final String pluginName; + + @Inject + Module(@PluginName String pluginName) { + this.pluginName = pluginName; + } + + @Override + protected void configure() { + bind(OAuthLoginProvider.class) + .annotatedWith(Exports.named(pluginName)) + .to(DisabledOAuthLoginProvider.class); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/OAuth20ServiceImpl.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/OAuth20ServiceImpl.java new file mode 100644 index 00000000..ecd8f263 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/OAuth20ServiceImpl.java @@ -0,0 +1,93 @@ +// Copyright (C) 2017 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static org.slf4j.LoggerFactory.getLogger; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.model.OAuthConfig; +import org.scribe.model.OAuthConstants; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; + +/** TODO(gildur): remove when updating to newer scribe lib */ +final class OAuth20ServiceImpl implements OAuthService { + private static final Logger log = getLogger(OAuth20ServiceImpl.class); + + private static final String VERSION = "2.0"; + + private static final String GRANT_TYPE = "grant_type"; + private static final String GRANT_TYPE_VALUE = "authorization_code"; + + private final DefaultApi20 api; + private final OAuthConfig config; + + /** + * Default constructor + * + * @param api OAuth2.0 api information + * @param config OAuth 2.0 configuration param object + */ + public OAuth20ServiceImpl(DefaultApi20 api, OAuthConfig config) { + this.api = api; + this.config = config; + } + + @Override + public Token getAccessToken(Token requestToken, Verifier verifier) { + OAuthRequest request = new OAuthRequest(api.getAccessTokenVerb(), api.getAccessTokenEndpoint()); + request.addBodyParameter(OAuthConstants.CLIENT_ID, config.getApiKey()); + request.addBodyParameter(OAuthConstants.CLIENT_SECRET, config.getApiSecret()); + request.addBodyParameter(OAuthConstants.CODE, verifier.getValue()); + request.addBodyParameter(OAuthConstants.REDIRECT_URI, config.getCallback()); + if (config.hasScope()) { + request.addBodyParameter(OAuthConstants.SCOPE, config.getScope()); + } + request.addBodyParameter(GRANT_TYPE, GRANT_TYPE_VALUE); + if (log.isDebugEnabled()) { + log.debug("Access token request: {}", request); + } + Response response = request.send(); + if (log.isDebugEnabled()) { + log.debug("Access token response: {}", response.getBody()); + } + return api.getAccessTokenExtractor().extract(response.getBody()); + } + + @Override + public Token getRequestToken() { + throw new UnsupportedOperationException( + "Unsupported operation, please use 'getAuthorizationUrl' and redirect your users there"); + } + + @Override + public String getVersion() { + return VERSION; + } + + @Override + public void signRequest(Token accessToken, OAuthRequest request) { + request.addQuerystringParameter(OAuthConstants.ACCESS_TOKEN, accessToken.getToken()); + } + + @Override + public String getAuthorizationUrl(Token requestToken) { + return api.getAuthorizationUrl(config); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/OAuth2AccessTokenJsonExtractor.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/OAuth2AccessTokenJsonExtractor.java new file mode 100644 index 00000000..6c2f1a0e --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/OAuth2AccessTokenJsonExtractor.java @@ -0,0 +1,49 @@ +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static org.scribe.model.OAuthConstants.ACCESS_TOKEN; + +import com.google.common.annotations.VisibleForTesting; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import org.scribe.exceptions.OAuthException; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.model.Token; +import org.scribe.utils.Preconditions; + +class OAuth2AccessTokenJsonExtractor implements AccessTokenExtractor { + private static final Pattern ACCESS_TOKEN_REGEX_PATTERN = + Pattern.compile("\"" + ACCESS_TOKEN + "\"\\s*:\\s*\"(\\S*?)\""); + + private OAuth2AccessTokenJsonExtractor() {} + + private static final AccessTokenExtractor INSTANCE = new OAuth2AccessTokenJsonExtractor(); + + static AccessTokenExtractor instance() { + return INSTANCE; + } + + @VisibleForTesting + @Override + public Token extract(String response) { + Preconditions.checkEmptyString(response, "Cannot extract a token from a null or empty String"); + Matcher matcher = ACCESS_TOKEN_REGEX_PATTERN.matcher(response); + if (matcher.find()) { + return new Token(matcher.group(1), "", response); + } + throw new OAuthException("Cannot extract an access token. Response was: " + response); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365Api.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365Api.java new file mode 100644 index 00000000..8a285204 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365Api.java @@ -0,0 +1,62 @@ +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static org.scribe.utils.OAuthEncoder.encode; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.model.OAuthConfig; +import org.scribe.model.Verb; +import org.scribe.oauth.OAuthService; +import org.scribe.utils.Preconditions; + +public class Office365Api extends DefaultApi20 { + private static final String AUTHORIZE_URL = + "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=%s&response_type=code&redirect_uri=%s&scope=%s"; + + @Override + public String getAccessTokenEndpoint() { + return "https://login.microsoftonline.com/organizations/oauth2/v2.0/token"; + } + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + Preconditions.checkValidUrl( + config.getCallback(), + "Must provide a valid url as callback. Office365 does not support OOB"); + Preconditions.checkEmptyString( + config.getScope(), + "Must provide a valid value as scope. Office365 does not support no scope"); + + return String.format( + AUTHORIZE_URL, config.getApiKey(), encode(config.getCallback()), encode(config.getScope())); + } + + @Override + public Verb getAccessTokenVerb() { + return Verb.POST; + } + + @Override + public OAuthService createService(OAuthConfig config) { + return new OAuth20ServiceImpl(this, config); + } + + @Override + public AccessTokenExtractor getAccessTokenExtractor() { + return OAuth2AccessTokenJsonExtractor.instance(); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java new file mode 100644 index 00000000..aee8f636 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/Office365OAuthService.java @@ -0,0 +1,143 @@ +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; + +import com.google.common.base.CharMatcher; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import javax.servlet.http.HttpServletResponse; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@Singleton +class Office365OAuthService implements OAuthServiceProvider { + private static final Logger log = LoggerFactory.getLogger(Office365OAuthService.class); + static final String CONFIG_SUFFIX = "-office365-oauth"; + private static final String OFFICE365_PROVIDER_PREFIX = "office365-oauth:"; + private static final String PROTECTED_RESOURCE_URL = "https://graph.microsoft.com/v1.0/me"; + private static final String SCOPE = + "openid offline_access https://graph.microsoft.com/user.readbasic.all"; + private final OAuthService service; + private final String canonicalWebUrl; + private final boolean useEmailAsUsername; + + @Inject + Office365OAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + this.canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + this.useEmailAsUsername = cfg.getBoolean(InitOAuth.USE_EMAIL_AS_USERNAME, false); + this.service = + new ServiceBuilder() + .provider(Office365Api.class) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .callback(canonicalWebUrl + "oauth") + .scope(SCOPE) + .build(); + if (log.isDebugEnabled()) { + log.debug("OAuth2: canonicalWebUrl={}", canonicalWebUrl); + log.debug("OAuth2: scope={}", SCOPE); + log.debug("OAuth2: useEmailAsUsername={}", useEmailAsUsername); + } + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL); + request.addHeader("Accept", "*/*"); + request.addHeader("Authorization", "Bearer " + token.getToken()); + Response response = request.send(); + if (response.getCode() != HttpServletResponse.SC_OK) { + throw new IOException( + String.format( + "Status %s (%s) for request %s", + response.getCode(), response.getBody(), request.getUrl())); + } + JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class); + if (log.isDebugEnabled()) { + log.debug("User info response: {}", response.getBody()); + } + if (userJson.isJsonObject()) { + JsonObject jsonObject = userJson.getAsJsonObject(); + JsonElement id = jsonObject.get("id"); + if (id == null || id.isJsonNull()) { + throw new IOException("Response doesn't contain id field"); + } + JsonElement email = jsonObject.get("mail"); + JsonElement name = jsonObject.get("displayName"); + String login = null; + + if (useEmailAsUsername && !email.isJsonNull()) { + login = email.getAsString().split("@")[0]; + } + return new OAuthUserInfo( + OFFICE365_PROVIDER_PREFIX + id.getAsString() /*externalId*/, + login /*username*/, + email == null || email.isJsonNull() ? null : email.getAsString() /*email*/, + name == null || name.isJsonNull() ? null : name.getAsString() /*displayName*/, + null); + } + + throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson)); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + OAuthToken result = new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + return result; + } + + @Override + public String getAuthorizationUrl() { + String url = service.getAuthorizationUrl(null); + return url; + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return "Office365 OAuth2"; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/WarsawHackerspaceApi.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/WarsawHackerspaceApi.java new file mode 100644 index 00000000..d66cff70 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/WarsawHackerspaceApi.java @@ -0,0 +1,65 @@ +// Copyright (C) 2018 The Android Open Source Project +// Copyright (C) 2019 Serge Bazanski +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static java.lang.String.format; +import static org.scribe.utils.OAuthEncoder.encode; + +import org.scribe.builder.api.DefaultApi20; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.extractors.JsonTokenExtractor; +import org.scribe.model.OAuthConfig; +import org.scribe.model.Verb; +import org.scribe.oauth.OAuthService; +import org.scribe.utils.Preconditions; + +public class WarsawHackerspaceApi extends DefaultApi20 { + + private static final String AUTHORIZE_URL = + "https://sso.hackerspace.pl/oauth/authorize?client_id=%s&response_type=code&scope=%s&redirect_uri=%s"; + private static final String ACCESS_TOKEN_ENDPOINT = "https://sso.hackerspace.pl/oauth/token"; + + @Override + public String getAuthorizationUrl(OAuthConfig config) { + Preconditions.checkValidUrl( + config.getCallback(), + "Must provide a valid url as callback. Warsaw Hackerspace SSO does not support OOB"); + Preconditions.checkEmptyString( + config.getScope(), + "Must provide a valid value as scope. Warsaw Hackerspace SSO does not support no scope"); + return format(AUTHORIZE_URL, config.getApiKey(), encode(config.getScope()), encode(config.getCallback())); + } + + @Override + public String getAccessTokenEndpoint() { + return ACCESS_TOKEN_ENDPOINT; + } + + @Override + public Verb getAccessTokenVerb() { + return Verb.POST; + } + + @Override + public AccessTokenExtractor getAccessTokenExtractor() { + return new JsonTokenExtractor(); + } + + @Override + public OAuthService createService(OAuthConfig config) { + return new OAuth20ServiceImpl(this, config); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/WarsawHackerspaceOAuthService.java b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/WarsawHackerspaceOAuthService.java new file mode 100644 index 00000000..728386f0 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/main/java/com/googlesource/gerrit/plugins/oauth/WarsawHackerspaceOAuthService.java @@ -0,0 +1,128 @@ +// Copyright (C) 2018 The Android Open Source Project +// Copyright (C) 2019 Serge Bazanski +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static com.google.gerrit.json.OutputFormat.JSON; +import static javax.servlet.http.HttpServletResponse.SC_OK; +import static org.slf4j.LoggerFactory.getLogger; + +import com.google.common.base.CharMatcher; +import com.google.gerrit.extensions.annotations.PluginName; +import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider; +import com.google.gerrit.extensions.auth.oauth.OAuthToken; +import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo; +import com.google.gerrit.extensions.auth.oauth.OAuthVerifier; +import com.google.gerrit.server.config.CanonicalWebUrl; +import com.google.gerrit.server.config.PluginConfig; +import com.google.gerrit.server.config.PluginConfigFactory; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.inject.Inject; +import com.google.inject.Provider; +import com.google.inject.Singleton; +import java.io.IOException; +import org.scribe.builder.ServiceBuilder; +import org.scribe.model.OAuthRequest; +import org.scribe.model.Response; +import org.scribe.model.Token; +import org.scribe.model.Verb; +import org.scribe.model.Verifier; +import org.scribe.oauth.OAuthService; +import org.slf4j.Logger; + +@Singleton +public class WarsawHackerspaceOAuthService implements OAuthServiceProvider { + private static final Logger log = getLogger(WarsawHackerspaceOAuthService.class); + static final String CONFIG_SUFFIX = "-warsawhackerspace-oauth"; + private static final String HSWAW_PROVIDER_PREFIX = "warsawhackerspace-oauth:"; + private static final String PROTECTED_RESOURCE_URL = + "https://sso.hackerspace.pl/api/1/userinfo"; + private final OAuthService service; + + @Inject + WarsawHackerspaceOAuthService( + PluginConfigFactory cfgFactory, + @PluginName String pluginName, + @CanonicalWebUrl Provider urlProvider) { + PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX); + String canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/"; + + service = + new ServiceBuilder() + .provider(WarsawHackerspaceApi.class) + .apiKey(cfg.getString(InitOAuth.CLIENT_ID)) + .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET)) + .scope("profile:read") + .callback(canonicalWebUrl + "oauth") + .build(); + } + + @Override + public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException { + OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL); + Token t = new Token(token.getToken(), token.getSecret(), token.getRaw()); + service.signRequest(t, request); + Response response = request.send(); + if (response.getCode() != SC_OK) { + throw new IOException( + String.format( + "Status %s (%s) for request %s", + response.getCode(), response.getBody(), request.getUrl())); + } + JsonElement userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class); + if (log.isDebugEnabled()) { + log.debug("User info response: {}", response.getBody()); + } + if (userJson.isJsonObject()) { + JsonObject jsonObject = userJson.getAsJsonObject(); + JsonElement id = jsonObject.get("sub"); + if (id == null || id.isJsonNull()) { + throw new IOException("Response doesn't contain uid field"); + } + JsonElement email = jsonObject.get("email"); + return new OAuthUserInfo( + HSWAW_PROVIDER_PREFIX + id.getAsString(), + id.getAsString(), + email.getAsString(), + id.getAsString(), + id.getAsString()); + } + + throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson)); + } + + @Override + public OAuthToken getAccessToken(OAuthVerifier rv) { + Verifier vi = new Verifier(rv.getValue()); + Token to = service.getAccessToken(null, vi); + return new OAuthToken(to.getToken(), to.getSecret(), to.getRawResponse()); + } + + @Override + public String getAuthorizationUrl() { + return service.getAuthorizationUrl(null); + } + + @Override + public String getVersion() { + return service.getVersion(); + } + + @Override + public String getName() { + return "Warsaw Hackerspace OAuth2"; + } +} diff --git a/app/gerrit/gerrit-oauth-provider/src/test/java/com/googlesource/gerrit/plugins/oauth/OAuth2AccessTokenJsonExtractorTest.java b/app/gerrit/gerrit-oauth-provider/src/test/java/com/googlesource/gerrit/plugins/oauth/OAuth2AccessTokenJsonExtractorTest.java new file mode 100644 index 00000000..09df7ee0 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/src/test/java/com/googlesource/gerrit/plugins/oauth/OAuth2AccessTokenJsonExtractorTest.java @@ -0,0 +1,70 @@ +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.googlesource.gerrit.plugins.oauth; + +import static org.junit.Assert.assertEquals; +import static org.scribe.model.OAuthConstants.ACCESS_TOKEN; + +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.ExpectedException; +import org.scribe.exceptions.OAuthException; +import org.scribe.extractors.AccessTokenExtractor; +import org.scribe.model.Token; + +public class OAuth2AccessTokenJsonExtractorTest { + private static final AccessTokenExtractor extractor = OAuth2AccessTokenJsonExtractor.instance(); + private static final String TOKEN = "I0122HHJKLEM21F3WLPYHDKGKZULAUO4SGMV3ABKFTDT3T3X"; + private static final String RESPONSE = "{\"" + ACCESS_TOKEN + "\":\"" + TOKEN + "\"}'"; + private static final String RESPONSE_NON_JSON = ACCESS_TOKEN + "=" + TOKEN; + private static final String RESPONSE_WITH_BLANKS = + "{ \"" + ACCESS_TOKEN + "\" : \"" + TOKEN + "\"}'"; + private static final String MESSAGE = "Cannot extract a token from a null or empty String"; + + @Rule public ExpectedException exception = ExpectedException.none(); + + @Test + public void parseResponse() throws Exception { + Token token = extractor.extract(RESPONSE); + assertEquals(token.getToken(), TOKEN); + } + + @Test + public void parseResponseWithBlanks() throws Exception { + Token token = extractor.extract(RESPONSE_WITH_BLANKS); + assertEquals(token.getToken(), TOKEN); + } + + @Test + public void failParseNonJsonResponse() throws Exception { + exception.expect(OAuthException.class); + exception.expectMessage("Cannot extract an access token. Response was: " + RESPONSE_NON_JSON); + extractor.extract(RESPONSE_NON_JSON); + } + + @Test + public void shouldThrowExceptionIfForNullParameter() throws Exception { + exception.expect(IllegalArgumentException.class); + exception.expectMessage(MESSAGE); + extractor.extract(null); + } + + @Test + public void shouldThrowExceptionIfForEmptyString() throws Exception { + exception.expect(IllegalArgumentException.class); + exception.expectMessage(MESSAGE); + extractor.extract(""); + } +} diff --git a/app/gerrit/gerrit-oauth-provider/tools/bzl/BUILD b/app/gerrit/gerrit-oauth-provider/tools/bzl/BUILD new file mode 100644 index 00000000..c5ed0b74 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/tools/bzl/BUILD @@ -0,0 +1 @@ +# Empty file required by Bazel diff --git a/app/gerrit/gerrit-oauth-provider/tools/bzl/classpath.bzl b/app/gerrit/gerrit-oauth-provider/tools/bzl/classpath.bzl new file mode 100644 index 00000000..c921d01c --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/tools/bzl/classpath.bzl @@ -0,0 +1,6 @@ +load( + "@com_googlesource_gerrit_bazlets//tools:classpath.bzl", + _classpath_collector = "classpath_collector", +) + +classpath_collector = _classpath_collector diff --git a/app/gerrit/gerrit-oauth-provider/tools/bzl/junit.bzl b/app/gerrit/gerrit-oauth-provider/tools/bzl/junit.bzl new file mode 100644 index 00000000..97307bd2 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/tools/bzl/junit.bzl @@ -0,0 +1,6 @@ +load( + "@com_googlesource_gerrit_bazlets//tools:junit.bzl", + _junit_tests = "junit_tests", +) + +junit_tests = _junit_tests diff --git a/app/gerrit/gerrit-oauth-provider/tools/bzl/maven_jar.bzl b/app/gerrit/gerrit-oauth-provider/tools/bzl/maven_jar.bzl new file mode 100644 index 00000000..35ea8cef --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/tools/bzl/maven_jar.bzl @@ -0,0 +1,3 @@ +load("@com_googlesource_gerrit_bazlets//tools:maven_jar.bzl", _maven_jar = "maven_jar") + +maven_jar = _maven_jar diff --git a/app/gerrit/gerrit-oauth-provider/tools/bzl/plugin.bzl b/app/gerrit/gerrit-oauth-provider/tools/bzl/plugin.bzl new file mode 100644 index 00000000..4d2dbdd6 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/tools/bzl/plugin.bzl @@ -0,0 +1,10 @@ +load( + "@com_googlesource_gerrit_bazlets//:gerrit_plugin.bzl", + _gerrit_plugin = "gerrit_plugin", + _plugin_deps = "PLUGIN_DEPS", + _plugin_test_deps = "PLUGIN_TEST_DEPS", +) + +gerrit_plugin = _gerrit_plugin +PLUGIN_DEPS = _plugin_deps +PLUGIN_TEST_DEPS = _plugin_test_deps diff --git a/app/gerrit/gerrit-oauth-provider/tools/eclipse/BUILD b/app/gerrit/gerrit-oauth-provider/tools/eclipse/BUILD new file mode 100644 index 00000000..0dced85f --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/tools/eclipse/BUILD @@ -0,0 +1,9 @@ +load("//app/gerrit/gerrit-oauth-provider/tools/bzl:classpath.bzl", "classpath_collector") + +classpath_collector( + name = "main_classpath_collect", + testonly = 1, + deps = [ + "//:gerrit-oauth-provider__plugin_test_deps", + ], +) diff --git a/app/gerrit/gerrit-oauth-provider/tools/eclipse/project.sh b/app/gerrit/gerrit-oauth-provider/tools/eclipse/project.sh new file mode 100755 index 00000000..8e4ed79f --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/tools/eclipse/project.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# Copyright (C) 2017 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +`bazel query @com_googlesource_gerrit_bazlets//tools/eclipse:project --output location | sed s/BUILD:.*//`project.py -n oauth -r . diff --git a/app/gerrit/gerrit-oauth-provider/tools/workspace-status.sh b/app/gerrit/gerrit-oauth-provider/tools/workspace-status.sh new file mode 100755 index 00000000..8fba3040 --- /dev/null +++ b/app/gerrit/gerrit-oauth-provider/tools/workspace-status.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +# This script will be run by bazel when the build process starts to +# generate key-value information that represents the status of the +# workspace. The output should be like +# +# KEY1 VALUE1 +# KEY2 VALUE2 +# +# If the script exits with non-zero code, it's considered as a failure +# and the output will be discarded. + +function rev() { + cd $1; git describe --always --match "v[0-9].*" --dirty +} + +echo STABLE_BUILD_GERRIT-OAUTH-PROVIDER_LABEL $(rev .) diff --git a/tools/workspace-status.sh b/tools/workspace-status.sh new file mode 100755 index 00000000..8fba3040 --- /dev/null +++ b/tools/workspace-status.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +# This script will be run by bazel when the build process starts to +# generate key-value information that represents the status of the +# workspace. The output should be like +# +# KEY1 VALUE1 +# KEY2 VALUE2 +# +# If the script exits with non-zero code, it's considered as a failure +# and the output will be discarded. + +function rev() { + cd $1; git describe --always --match "v[0-9].*" --dirty +} + +echo STABLE_BUILD_GERRIT-OAUTH-PROVIDER_LABEL $(rev .) From a7e26ccfe10b430a6cf8b58c5b3537bfe1e8b57d Mon Sep 17 00:00:00 2001 From: Sergiusz Bazanski Date: Fri, 21 Jun 2019 20:38:35 +0200 Subject: [PATCH 2/4] app/gerrit/kube: implement This change impelements the k8s machinery for Gerrit. This might look somewhat complex at first, but the gist of it is: - k8s mounts etc, git, cache, db, index as RW PVs - k8s mounts a configmap containing gerrit.conf into an external directory - k8s mounts a secret containing secure.conf into an external directory - on startup, gerrit's entrypoint will copy over {gerrit,secure}.conf and start a small updater script that copies over gerrit.conf if there's any change. This should, in theory, make gerrit reload its config. This is already running on production. You're probably looking at this change through the instance deployed by itself :) Change-Id: Ida9dff721c17cf4da7fb6ccbb54d2c4024672572 --- .bazelrc | 3 + WORKSPACE | 9 ++ app/gerrit/BUILD | 33 +++++ app/gerrit/entrypoint.sh | 43 +++++++ app/gerrit/kube/gerrit.libsonnet | 209 +++++++++++++++++++++++++++++++ app/gerrit/kube/prod.jsonnet | 19 +++ 6 files changed, 316 insertions(+) create mode 100644 .bazelrc create mode 100644 app/gerrit/BUILD create mode 100755 app/gerrit/entrypoint.sh create mode 100644 app/gerrit/kube/gerrit.libsonnet create mode 100644 app/gerrit/kube/prod.jsonnet diff --git a/.bazelrc b/.bazelrc new file mode 100644 index 00000000..17fa9d43 --- /dev/null +++ b/.bazelrc @@ -0,0 +1,3 @@ +# Required for app/gerrit/gerrit-oauth-provider +build --workspace_status_command=./tools/workspace-status.sh +test --build_tests_only diff --git a/WORKSPACE b/WORKSPACE index d2d7cf6d..96648b6a 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -60,6 +60,7 @@ container_repositories() # Docker base images load("@io_bazel_rules_docker//container:container.bzl", "container_pull") + container_pull( name = "prodimage-bionic", registry = "index.docker.io", @@ -68,6 +69,14 @@ container_pull( digest = "sha256:b36667c98cf8f68d4b7f1fb8e01f742c2ed26b5f0c965a788e98dfe589a4b3e4", ) +container_pull( + name = "gerrit-3.0.0", + registry = "index.docker.io", + repository = "gerritcodereview/gerrit", + tag = "3.0.0-ubuntu18", + digest = "sha256:f107729011d8b81611e35a0ad452f21a424c1820664e9f95d135ad411e87b9bb", +) + # HTTP stuff from the Internet load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file") http_file( diff --git a/app/gerrit/BUILD b/app/gerrit/BUILD new file mode 100644 index 00000000..aaff8a05 --- /dev/null +++ b/app/gerrit/BUILD @@ -0,0 +1,33 @@ +load("@io_bazel_rules_docker//container:container.bzl", "container_image") + +container_image( + name="with_plugins", + base="@gerrit-3.0.0//image", + files = [ + "//app/gerrit/gerrit-oauth-provider:gerrit-oauth-provider", + ], + # we cannot drop it directly in /var/gerrit/plugins as that changes the + # directory owner to 0:0 and then breaks the gerrit installer that wants + # to overwrite plugins. + directory = "/var/gerrit-plugins", +) +container_image( + name="3.0.0-r7", + base=":with_plugins", + files = [":entrypoint.sh"], + directory = "/", + entrypoint = ["/entrypoint.sh"], +) + +genrule( + name = "push_latest", + srcs = [":3.0.0-r7"], + outs = ["version.sh"], + executable = True, + cmd = """ + tag=3.0.0-r7 + docker tag bazel/app/gerrit:$$tag registry.k0.hswaw.net/app/gerrit:$$tag + docker push registry.k0.hswaw.net/app/gerrit:$$tag + echo -ne "#!/bin/sh\necho Pushed $$tag.\n" > $(OUTS) + """, +) diff --git a/app/gerrit/entrypoint.sh b/app/gerrit/entrypoint.sh new file mode 100755 index 00000000..ffea5f30 --- /dev/null +++ b/app/gerrit/entrypoint.sh @@ -0,0 +1,43 @@ +#!/bin/bash -e + +ls -la /var/gerrit/* + +if [ ! -d /var/gerrit/git/All-Projects.git ] || [ "$1" == "init" ] +then + echo "Initializing Gerrit site ..." + java -jar /var/gerrit/bin/gerrit.war init --batch --install-all-plugins -d /var/gerrit + java -jar /var/gerrit/bin/gerrit.war reindex -d /var/gerrit +fi + +echo "Running hscloud init setup..." + +rm -f /var/gerrit/etc/gerrit.config +cp /var/gerrit-config/gerrit.config /var/gerrit/etc/gerrit.config + +rm -f /var/gerrit/etc/secure.config +cp /var/gerrit-secure/secure.config /var/gerrit/etc/secure.config + +cp /var/gerrit-plugins/* /var/gerrit/plugins/ + +echo "Starting config updater..." +# Keep copying config over in background. We cannot run directly from +# the configmap filesystem as gerrit really wants a read-write FS. +( + src=/var/gerrit-config/gerrit.config + dst=/var/gerrit/etc/gerrit.config + while true; do + sleep 60 + if ! cmp -s $src $dst; then + echo "HSCLOUD: bumping config" + cp $src $dst + fi + done +) & + +ls -la /var/gerrit/* + +if [ "$1" != "init" ] +then + echo "Running Gerrit ..." + exec /var/gerrit/bin/gerrit.sh run +fi diff --git a/app/gerrit/kube/gerrit.libsonnet b/app/gerrit/kube/gerrit.libsonnet new file mode 100644 index 00000000..2cd6f594 --- /dev/null +++ b/app/gerrit/kube/gerrit.libsonnet @@ -0,0 +1,209 @@ +local kube = import "../../../kube/kube.libsonnet"; + +{ + local gerrit = self, + local cfg = gerrit.cfg, + + cfg:: { + namespace: error "namespace must be set", + appName: "gerrit", + prefix: "", # if set, should be 'foo-' + domain: error "domain must be set", + identity: error "identity (UUID) must be set", + + // The secret must contain a key named 'secure.config' containing (at least): + // [auth] + // registerEmailPrivateKey = + // [plugin "gerrit-oauth-provider-warsawhackerspace-oauth"] + // client-id = foo + // client-secret = bar + // [sendemail] + // smtpPass = foo + // [receiveemail] + // password = bar + secureSecret: error "secure secret name must be set", + + storageClass: error "storage class must be set", + storageSize: { + git: "50Gi", // Main storage for repositories and NoteDB. + index: "10Gi", // Secondary Lucene index + cache: "10Gi", // H2 cache databases + db: "1Gi", // NoteDB is used, so database is basically empty (H2 accountPatchReviewDatabase) + etc: "1Gi", // Random site stuff. + }, + + email: { + server: "mail.hackerspace.pl", + username: "gerrit", + address: "gerrit@hackerspace.pl", + }, + + tag: "3.0.0-r7", + image: "registry.k0.hswaw.net/app/gerrit:" + cfg.tag, + resources: { + requests: { + cpu: "100m", + memory: "500Mi", + }, + limits: { + cpu: "1", + memory: "2Gi", + }, + }, + }, + + name(suffix):: cfg.prefix + suffix, + + metadata(component):: { + namespace: cfg.namespace, + labels: { + "app.kubernetes.io/name": cfg.appName, + "app.kubernetes.io/managed-by": "kubecfg", + "app.kubernetes.io/component": "component", + }, + }, + + configmap: kube.ConfigMap(gerrit.name("gerrit")) { + metadata+: gerrit.metadata("configmap"), + data: { + "gerrit.config": ||| + [gerrit] + basePath = git + canonicalWebUrl = https://%(domain)s/ + serverId = %(identity)s + + [container] + javaOptions = -Djava.security.edg=file:/dev/./urandom + + [auth] + type = OAUTH + gitBasicAuthPolicy = HTTP + + [httpd] + listenUrl = proxy-http://*:8080 + + [sshd] + advertisedAddress = %(domain)s + + [user] + email = %(emailAddress)s + + [sendemail] + enable = true + from = MIXED + smtpServer = %(emailServer)s + smtpServerPort = 465 + smtpEncryption = ssl + smtpUser = %(emailUser)s + + [receiveemail] + protocol = IMAP + host = %(emailServer)s + username = %(emailUser)s + encryption = TLS + enableImapIdle = true + + ||| % { + domain: cfg.domain, + identity: cfg.identity, + emailAddress: cfg.email.address, + emailServer: cfg.email.server, + emailUser: cfg.email.username, + }, + }, + }, + + volumes: { + [name]: kube.PersistentVolumeClaim(gerrit.name(name)) { + metadata+: gerrit.metadata("storage"), + spec+: { + storageClassName: cfg.storageClassName, + accessModes: ["ReadWriteOnce"], + resources: { + requests: { + storage: cfg.storageSize[name], + }, + }, + }, + } + for name in ["etc", "git", "index", "cache", "db"] + }, + + local volumeMounts = { + [name]: { mountPath: "/var/gerrit/%s" % name } + for name in ["etc", "git", "index", "cache", "db"] + } { + // ConfigMap gets mounted here + config: { mountPath: "/var/gerrit-config" }, + // SecureSecret gets mounted here + secure: { mountPath: "/var/gerrit-secure" }, + }, + deployment: kube.Deployment(gerrit.name("gerrit")) { + metadata+: gerrit.metadata("deployment"), + spec+: { + replicas: 1, + template+: { + spec+: { + securityContext: { + fsGroup: 1000, # gerrit uid + }, + volumes_: { + config: kube.ConfigMapVolume(gerrit.configmap), + secure: { secret: { secretName: cfg.secureSecret} }, + } { + [name]: kube.PersistentVolumeClaimVolume(gerrit.volumes[name]) + for name in ["etc", "git", "index", "cache", "db"] + }, + containers_: { + gerrit: kube.Container(gerrit.name("gerrit")) { + image: cfg.image, + ports_: { + http: { containerPort: 8080 }, + ssh: { containerPort: 29418 }, + }, + resources: cfg.resources, + volumeMounts_: volumeMounts, + }, + }, + }, + }, + }, + }, + + svc: kube.Service(gerrit.name("gerrit")) { + metadata+: gerrit.metadata("service"), + target_pod:: gerrit.deployment.spec.template, + spec+: { + ports: [ + { name: "http", port: 80, targetPort: 8080, protocol: "TCP" }, + { name: "ssh", port: 22, targetPort: 29418, protocol: "TCP" }, + ], + type: "ClusterIP", + }, + }, + + ingress: kube.Ingress(gerrit.name("gerrit")) { + metadata+: gerrit.metadata("ingress") { + annotations+: { + "kubernetes.io/tls-acme": "true", + "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod", + "nginx.ingress.kubernetes.io/proxy-body-size": "0", + }, + }, + spec+: { + tls: [ + { hosts: [cfg.domain], secretName: gerrit.name("acme") }, + ], + rules: [ + { + host: cfg.domain, + http: { + paths: [ + { path: "/", backend: gerrit.svc.name_port }, + ], + }, + } + ], + }, + }, +} diff --git a/app/gerrit/kube/prod.jsonnet b/app/gerrit/kube/prod.jsonnet new file mode 100644 index 00000000..565772f3 --- /dev/null +++ b/app/gerrit/kube/prod.jsonnet @@ -0,0 +1,19 @@ +local kube = import "../../../kube/kube.libsonnet"; +local gerrit = import "gerrit.libsonnet"; +{ + namespace: kube.Namespace("gerrit"), + + gerrit: gerrit { + cfg+: { + namespace: "gerrit", + prefix: "", + + domain: "gerrit.hackerspace.pl", + identity: "7b6244cf-e30b-42c5-ba91-c329ef4e6cf1", + + storageClassName: "waw-hdd-redundant-1", + + secureSecret: "gerrit", + }, + }, +} From dec401c7dd37994d6390af871c33b55607b7a152 Mon Sep 17 00:00:00 2001 From: Sergiusz Bazanski Date: Fri, 21 Jun 2019 22:31:13 +0200 Subject: [PATCH 3/4] cluster/kube/lib/cockroach: move client to deployment This prevents a bug where kubecfg fails to update the client pod when running a cluster/kube/cluster.jsonnet update. The pod update is attempted because of runtime/intent differences at serviceAccounts specification, which causes kubecfg to see a diff, which causes it to attempt and update, which causes kube-apiserver to reject the change (because pods are immutable), which causes kubecfg to fail. Change-Id: I20b0ecbb264213a2eb483d475c7683b4965c82be --- cluster/kube/lib/cockroachdb.libsonnet | 75 ++++++++++++++------------ 1 file changed, 40 insertions(+), 35 deletions(-) diff --git a/cluster/kube/lib/cockroachdb.libsonnet b/cluster/kube/lib/cockroachdb.libsonnet index 4ce2af7d..4df69b60 100644 --- a/cluster/kube/lib/cockroachdb.libsonnet +++ b/cluster/kube/lib/cockroachdb.libsonnet @@ -15,7 +15,7 @@ #}, # # After the cluster is up, you can get to an administrateive SQL shell: -# $ kubectl -n q3k exec -it q3kdb-client /cockroach/cockroach sql +# $ NS=q3k kubectl -n $NS exec -it $(kubectl -n $NS get pods -o name | grep client- | cut -d/ -f 2) /cockroach/cockroach sql # root@q3kdb-cockroachdb-0.q3kdb-internal.q3k.svc.cluster.local:26257/defaultdb> # # Then, you can create some users and databases for applications: @@ -365,51 +365,56 @@ local cm = import "cert-manager.libsonnet"; }, }, - clientPod: kube.Pod(cluster.name("client")) { + client: kube.Deployment(cluster.name("client")) { metadata+: cluster.metadata { labels+: { "app.kubernetes.io/component": "client", }, }, - spec: { - terminationGracePeriodSeconds: 5, - containers: [ - kube.Container("cockroachdb-client") { - image: cluster.cfg.image, - env_: { - "COCKROACH_CERTS_DIR": "/cockroach/cockroach-certs", - "COCKROACH_HOST": cluster.publicService.host, - "COCKROACH_PORT": std.toString(cluster.cfg.portServe), - }, - command: ["sleep", "2147483648"], //(FIXME) keep the client pod running indefinitely - volumeMounts: [ - { - name: "certs", - mountPath: "/cockroach/cockroach-certs/ca.crt", - subPath: "ca.crt", + spec+: { + template: { + metadata: cluster.client.metadata, + spec+: { + terminationGracePeriodSeconds: 5, + containers: [ + kube.Container("cockroachdb-client") { + image: cluster.cfg.image, + env_: { + "COCKROACH_CERTS_DIR": "/cockroach/cockroach-certs", + "COCKROACH_HOST": cluster.publicService.host, + "COCKROACH_PORT": std.toString(cluster.cfg.portServe), + }, + command: ["sleep", "2147483648"], //(FIXME) keep the client pod running indefinitely + volumeMounts: [ + { + name: "certs", + mountPath: "/cockroach/cockroach-certs/ca.crt", + subPath: "ca.crt", + }, + { + name: "certs", + mountPath: "/cockroach/cockroach-certs/client.root.crt", + subPath: "tls.crt", + }, + { + name: "certs", + mountPath: "/cockroach/cockroach-certs/client.root.key", + subPath: "tls.key", + }, + ], }, + ], + volumes: [ { name: "certs", - mountPath: "/cockroach/cockroach-certs/client.root.crt", - subPath: "tls.crt", - }, - { - name: "certs", - mountPath: "/cockroach/cockroach-certs/client.root.key", - subPath: "tls.key", + secret: { + secretName: cluster.pki.clientCertificate.spec.secretName, + defaultMode: kube.parseOctal("400") + } }, ], }, - ], - volumes: [ - { - name: "certs", - secret: { - secretName: cluster.pki.clientCertificate.spec.secretName, - defaultMode: kube.parseOctal("400") - } - }, - ], + }, }, }, }, From 184678b0f4c55a480183ad55a30a012dab48ad1b Mon Sep 17 00:00:00 2001 From: Sergiusz Bazanski Date: Sat, 22 Jun 2019 02:07:41 +0200 Subject: [PATCH 4/4] cluster/cube/lib/cockroachdb: clean up topology IP addresses are not necessary in the topology definitions of a cockroach cluster. They were mis-commited leftovers from trying to run the cluster on DaemonSets with hostNetworking: true. Change-Id: I4ef1f6ed9a745efc6b05846bc13aba9d1f8dc7c8 --- cluster/kube/cluster.jsonnet | 6 +++--- cluster/kube/lib/cockroachdb.libsonnet | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cluster/kube/cluster.jsonnet b/cluster/kube/cluster.jsonnet index 1b988b9e..fc0db19a 100644 --- a/cluster/kube/cluster.jsonnet +++ b/cluster/kube/cluster.jsonnet @@ -99,9 +99,9 @@ local Cluster(fqdn) = { waw1: cockroachdb.Cluster("crdb-waw1") { cfg+: { topology: [ - { name: "bc01n01", node: "bc01n01.hswaw.net", ip: "185.236.240.35" }, - { name: "bc01n02", node: "bc01n02.hswaw.net", ip: "185.236.240.36" }, - { name: "bc01n03", node: "bc01n03.hswaw.net", ip: "185.236.240.37" }, + { name: "bc01n01", node: "bc01n01.hswaw.net" }, + { name: "bc01n02", node: "bc01n02.hswaw.net" }, + { name: "bc01n03", node: "bc01n03.hswaw.net" }, ], hostPath: "/var/db/crdb-waw1", }, diff --git a/cluster/kube/lib/cockroachdb.libsonnet b/cluster/kube/lib/cockroachdb.libsonnet index 4df69b60..e2b6844c 100644 --- a/cluster/kube/lib/cockroachdb.libsonnet +++ b/cluster/kube/lib/cockroachdb.libsonnet @@ -6,9 +6,9 @@ # cfg+: { # namespace: "q3k", // if not given, will create 'q3kdb' namespace # topology: [ -# { name: "a", node: "bc01n01.hswaw.net", ip: "185.236.240.35" }, -# { name: "b", node: "bc01n02.hswaw.net", ip: "185.236.240.36" }, -# { name: "c", node: "bc01n03.hswaw.net", ip: "185.236.240.37" }, +# { name: "a", node: "bc01n01.hswaw.net" }, +# { name: "b", node: "bc01n02.hswaw.net" }, +# { name: "c", node: "bc01n03.hswaw.net" }, # ], # hostPath: "/var/db/cockroach-q3k", # },