Oauth2 integration with CloudStack

api/src/main/java/com/cloud/user/AccountService.java

@@ -70,6 +70,8 @@ User createUser(String userName, String password, String firstName, String lastN
 
     UserAccount getActiveUserAccount(String username, Long domainId);
 
+    List<UserAccount> getActiveUserAccountByEmail(String email, Long domainId);
+
     UserAccount updateUser(UpdateUserCmd updateUserCmd);
 
     Account getActiveAccountById(long accountId);

api/src/main/java/com/cloud/user/User.java

@@ -24,7 +24,7 @@ public interface User extends OwnedBy, InternalIdentity {
 
     // UNKNOWN and NATIVE can be used interchangeably
     public enum Source {
-        LDAP, SAML2, SAML2DISABLED, UNKNOWN, NATIVE
+        OAUTH2, LDAP, SAML2, SAML2DISABLED, UNKNOWN, NATIVE
     }
 
     public static final long UID_SYSTEM = 1;

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -594,6 +594,8 @@ public class ApiConstants {
     public static final String SERVICE_CAPABILITY_LIST = "servicecapabilitylist";
     public static final String CAN_CHOOSE_SERVICE_CAPABILITY = "canchooseservicecapability";
     public static final String PROVIDER = "provider";
+    public static final String OAUTH_PROVIDER = "oauthprovider";
+    public static final String OAUTH_SECRET_KEY = "secretkey";
     public static final String MANAGED = "managed";
     public static final String CAPACITY_BYTES = "capacitybytes";
     public static final String CAPACITY_IOPS = "capacityiops";
@@ -1056,6 +1058,9 @@ public class ApiConstants {
     public static final String VNF_CONFIGURE_MANAGEMENT = "vnfconfiguremanagement";
     public static final String VNF_CIDR_LIST = "vnfcidrlist";
 
+    public static final String CLIENT_ID = "clientid";
+    public static final String REDIRECT_URI = "redirecturi";
+
     /**
      * This enum specifies IO Drivers, each option controls specific policies on I/O.
      * Qemu guests support "threads" and "native" options Since 0.8.8 ; "io_uring" is supported Since 6.3.0 (QEMU 5.0).

api/src/main/java/org/apache/cloudstack/api/command/user/ssh/CreateSSHKeyPairCmd.java

@@ -95,5 +95,4 @@ public void execute() {
         response.setObjectName("keypair");
         setResponseObject(response);
     }
-
-    }
+}

api/src/main/java/org/apache/cloudstack/api/command/user/userdata/ListUserDataCmd.java

@@ -76,5 +76,4 @@ public void execute() {
         response.setResponseName(getCommandName());
         setResponseObject(response);
     }
-
-    }
+}

api/src/main/java/org/apache/cloudstack/api/command/user/userdata/RegisterUserDataCmd.java

@@ -142,5 +142,4 @@ public void execute() throws ResourceUnavailableException, InsufficientCapacityE
         response.setObjectName(ApiConstants.USER_DATA);
         setResponseObject(response);
     }
-
-    }
+}

api/src/main/java/org/apache/cloudstack/auth/UserOAuth2Authenticator.java

@@ -0,0 +1,53 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.auth;
+
+import com.cloud.utils.component.Adapter;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+public interface UserOAuth2Authenticator extends Adapter {
+    /**
+     * Returns the unique name of the provider
+     * @return returns provider name
+     */
+    String getName();
+
+    /**
+     * Returns description about the OAuth2 provider plugin
+     * @return returns description
+     */
+    String getDescription();
+
+    /**
+     * Verifies if the logged in user is
+     * @return returns true if its valid user
+     */
+    boolean verifyUser(String email, String secretCode);
+
+    /**
+     * Verifies the code provided by provider and fetches email
+     * @return returns email
+     */
+    String verifyCodeAndFetchEmail(String secretCode);
+
+
+    /**
+     * Fetches email using the accessToken
+     * @return returns email
+     */
+    String getUserEmailAddress() throws CloudRuntimeException;
+}

client/pom.xml

@@ -161,6 +161,11 @@
             <artifactId>cloud-plugin-user-authenticator-md5</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-plugin-user-authenticator-oauth2</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.cloudstack</groupId>
             <artifactId>cloud-plugin-user-authenticator-pbkdf2</artifactId>

core/src/main/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml

@@ -33,7 +33,7 @@
         class="org.apache.cloudstack.spring.lifecycle.registry.ExtensionRegistry">
         <property name="orderConfigKey" value="user.authenticators.order" />
         <property name="excludeKey" value="user.authenticators.exclude" />
-        <property name="orderConfigDefault" value="PBKDF2,SHA256SALT,MD5,LDAP,SAML2,PLAINTEXT" />
+        <property name="orderConfigDefault" value="PBKDF2,SHA256SALT,MD5,LDAP,SAML2,PLAINTEXT,OAUTH2" />
     </bean>
 
     <bean id="userTwoFactorAuthenticatorsRegistry"
@@ -47,7 +47,7 @@
           class="org.apache.cloudstack.spring.lifecycle.registry.ExtensionRegistry">
         <property name="orderConfigKey" value="pluggableApi.authenticators.order" />
         <property name="excludeKey" value="pluggableApi.authenticators.exclude" />
-        <property name="orderConfigDefault" value="SAML2Auth" />
+        <property name="orderConfigDefault" value="SAML2Auth,OAUTH2Auth" />
     </bean>
 
     <bean id="userPasswordEncodersRegistry"

engine/schema/src/main/java/com/cloud/user/dao/UserAccountDao.java

@@ -27,6 +27,8 @@ public interface UserAccountDao extends GenericDao<UserAccountVO, Long> {
 
     UserAccount getUserAccount(String username, Long domainId);
 
+    List<UserAccountVO> getUserAccountByEmail(String email, Long domainId);
+
     boolean validateUsernameInDomain(String username, Long domainId);
 
     UserAccount getUserByApiKey(String apiKey);

engine/schema/src/main/java/com/cloud/user/dao/UserAccountDaoImpl.java

@@ -59,6 +59,18 @@ public UserAccount getUserAccount(String username, Long domainId) {
         return findOneBy(sc);
     }
 
+    @Override
+    public List<UserAccountVO> getUserAccountByEmail(String email, Long domainId) {
+        if (email == null) {
+            return null;
+        }
+
+        SearchCriteria<UserAccountVO> sc = createSearchCriteria();
+        sc.addAnd("email", SearchCriteria.Op.EQ, email);
+        sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
+        return listBy(sc);
+    }
+
     @Override
     public boolean validateUsernameInDomain(String username, Long domainId) {
         UserAccount userAcct = getUserAccount(username, domainId);

engine/schema/src/main/resources/META-INF/db/schema-41810to41900.sql

@@ -557,3 +557,31 @@ CREATE VIEW `cloud`.`snapshot_view` AS
              OR (`snapshot_zone_ref`.`zone_id` = `data_center`.`id`))))
          LEFT JOIN `resource_tags` ON ((`resource_tags`.`resource_id` = `snapshots`.`id`)
              AND (`resource_tags`.`resource_type` = 'Snapshot')));
+
+UPDATE `cloud`.`configuration` SET
+    `options` = concat(`options`, ',OAUTH2'),
+    `default_value` = concat(`default_value`, ',OAUTH2'),
+    `value` = concat(`value`, ',OAUTH2')
+WHERE `name` = 'user.authenticators.order' ;
+
+UPDATE `cloud`.`configuration` SET
+    `options` = concat(`options`, ',OAUTH2Auth'),
+    `default_value` = concat(`default_value`, ',OAUTH2Auth'),
+    `value` = concat(`value`, ',OAUTH2Auth')
+where `name` = 'pluggableApi.authenticators.order' ;
+
+-- Create table for OAuth provider details
+DROP TABLE IF EXISTS `cloud`.`oauth_provider`;
+CREATE TABLE `cloud`.`oauth_provider` (
+  `id` bigint unsigned NOT NULL auto_increment COMMENT 'id',
+  `uuid` varchar(40) NOT NULL COMMENT 'unique identifier',
+  `description` varchar(1024) COMMENT 'description of the provider',
+  `provider` varchar(40) NOT NULL COMMENT 'name of the provider',
+  `client_id` varchar(255) NOT NULL COMMENT 'client id which is configured in the provider',
+  `secret_key` varchar(255) NOT NULL COMMENT 'secret key which is configured in the provider',
+  `redirect_uri` varchar(255) NOT NULL COMMENT 'redirect uri which is configured in the provider',
+  `enabled` int(1) NOT NULL DEFAULT 1 COMMENT 'Enabled or disabled',
+  `created` datetime NOT NULL COMMENT 'date created',
+  `removed` datetime COMMENT 'date removed if not null',
+  PRIMARY KEY (`id`)
+  ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java

@@ -176,6 +176,11 @@ public UserAccount getActiveUserAccount(String username, Long domainId) {
         return null;
     }
 
+    @Override
+    public List<UserAccount> getActiveUserAccountByEmail(String email, Long domainId) {
+        return null;
+    }
+
     @Override
     public User getActiveUser(long arg0) {
         return _systemUser;

plugins/pom.xml

@@ -139,6 +139,7 @@
 
         <module>user-authenticators/ldap</module>
         <module>user-authenticators/md5</module>
+        <module>user-authenticators/oauth2</module>
         <module>user-authenticators/pbkdf2</module>
         <module>user-authenticators/plain-text</module>
         <module>user-authenticators/saml2</module>

plugins/user-authenticators/oauth2/pom.xml

@@ -0,0 +1,63 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>cloud-plugin-user-authenticator-oauth2</artifactId>
+    <name>Apache CloudStack Plugin - User Authenticator OAuth2</name>
+    <parent>
+        <groupId>org.apache.cloudstack</groupId>
+        <artifactId>cloudstack-plugins</artifactId>
+        <version>4.19.0.0-SNAPSHOT</version>
+        <relativePath>../../pom.xml</relativePath>
+    </parent>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-utils</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-framework-config</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.apis</groupId>
+            <artifactId>google-api-services-docs</artifactId>
+            <version>v1-rev20220609-1.32.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.apis</groupId>
+            <artifactId>google-api-services-oauth2</artifactId>
+            <version>v2-rev20200213-1.32.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.oauth-client</groupId>
+            <artifactId>google-oauth-client-servlet</artifactId>
+            <version>1.34.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.http-client</groupId>
+            <artifactId>google-http-client-jackson2</artifactId>
+            <version>1.20.0</version>
+            <scope>compile</scope>
+        </dependency>
+    </dependencies>
+</project>

plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/OAuth2AuthManager.java

@@ -0,0 +1,61 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+package org.apache.cloudstack.oauth2;
+
+import com.cloud.utils.component.PluggableService;
+import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
+import org.apache.cloudstack.auth.UserOAuth2Authenticator;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.oauth2.api.command.RegisterOAuthProviderCmd;
+import org.apache.cloudstack.oauth2.api.command.UpdateOAuthProviderCmd;
+import org.apache.cloudstack.oauth2.vo.OauthProviderVO;
+
+import java.util.List;
+
+public interface OAuth2AuthManager extends PluggableAPIAuthenticator, PluggableService {
+    public static ConfigKey<Boolean> OAuth2IsPluginEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class, "oauth2.enabled", "false",
+            "Indicates whether OAuth plugin is enabled or not", false);
+    public static final ConfigKey<String> OAuth2Plugins = new ConfigKey<String>("Advanced", String.class, "oauth2.plugins", "google,github",
+            "List of OAuth plugins", true);
+    public static final ConfigKey<String> OAuth2PluginsExclude = new ConfigKey<String>("Advanced", String.class, "oauth2.plugins.exclude", "",
+            "List of OAuth plugins which are excluded", true);
+
+    /**
+     * Lists user OAuth2 provider plugins
+     * @return list of providers
+     */
+    List<UserOAuth2Authenticator> listUserOAuth2AuthenticationProviders();
+
+    /**
+     * Finds user OAuth2 provider by name
+     * @param providerName name of the provider
+     * @return OAuth2 provider
+     */
+    UserOAuth2Authenticator getUserOAuth2AuthenticationProvider(final String providerName);
+
+    String verifyCodeAndFetchEmail(String code, String provider);
+
+    OauthProviderVO registerOauthProvider(RegisterOAuthProviderCmd cmd);
+
+    List<OauthProviderVO> listOauthProviders(String provider, String uuid);
+
+    boolean deleteOauthProvider(Long id);
+
+    OauthProviderVO updateOauthProvider(UpdateOAuthProviderCmd cmd);
+}