Oauth2 consumer

cmd/web.go

@@ -203,6 +203,10 @@ func runWeb(ctx *cli.Context) error {
 		m.Post("/sign_up", bindIgnErr(auth.RegisterForm{}), user.SignUpPost)
 		m.Get("/reset_password", user.ResetPasswd)
 		m.Post("/reset_password", user.ResetPasswdPost)
+		m.Group("/oauth2", func() {
+			m.Get("/:provider", user.SignInOAuth)
+			m.Get("/:provider/callback", user.SignInOAuthCallback)
+		})
 		m.Group("/two_factor", func() {
 			m.Get("", user.TwoFactor)
 			m.Post("", bindIgnErr(auth.TwoFactorAuthForm{}), user.TwoFactorPost)

models/login_source.go

@@ -21,7 +21,9 @@ import (
 
 	"code.gitea.io/gitea/modules/auth/ldap"
 	"code.gitea.io/gitea/modules/auth/pam"
+	"code.gitea.io/gitea/modules/auth/oauth2"
 	"code.gitea.io/gitea/modules/log"
+	"net/http"
 )
 
 // LoginType represents an login type.
@@ -30,19 +32,21 @@ type LoginType int
 // Note: new type must append to the end of list to maintain compatibility.
 const (
 	LoginNoType LoginType = iota
-	LoginPlain            // 1
-	LoginLDAP             // 2
-	LoginSMTP             // 3
-	LoginPAM              // 4
-	LoginDLDAP            // 5
+	LoginPlain   // 1
+	LoginLDAP    // 2
+	LoginSMTP    // 3
+	LoginPAM     // 4
+	LoginDLDAP   // 5
+	LoginOAuth2  // 6
 )
 
 // LoginNames contains the name of LoginType values.
 var LoginNames = map[LoginType]string{
-	LoginLDAP:  "LDAP (via BindDN)",
-	LoginDLDAP: "LDAP (simple auth)", // Via direct bind
-	LoginSMTP:  "SMTP",
-	LoginPAM:   "PAM",
+	LoginLDAP:   "LDAP (via BindDN)",
+	LoginDLDAP:  "LDAP (simple auth)", // Via direct bind
+	LoginSMTP:   "SMTP",
+	LoginPAM:    "PAM",
+	LoginOAuth2: "OAuth2",
 }
 
 // SecurityProtocolNames contains the name of SecurityProtocol values.
@@ -57,6 +61,7 @@ var (
 	_ core.Conversion = &LDAPConfig{}
 	_ core.Conversion = &SMTPConfig{}
 	_ core.Conversion = &PAMConfig{}
+	_ core.Conversion = &OAuth2Config{}
 )
 
 // LDAPConfig holds configuration for LDAP login source.
@@ -115,6 +120,23 @@ func (cfg *PAMConfig) ToDB() ([]byte, error) {
 	return json.Marshal(cfg)
 }
 
+// OAuth2Config holds configuration for the OAuth2 login source.
+type OAuth2Config struct {
+	Provider     string
+	ClientID     string
+	ClientSecret string
+}
+
+// FromDB fills up an OAuth2Config from serialized format.
+func (cfg *OAuth2Config) FromDB(bs []byte) error {
+	return json.Unmarshal(bs, cfg)
+}
+
+// ToDB exports an SMTPConfig to a serialized format.
+func (cfg *OAuth2Config) ToDB() ([]byte, error) {
+	return json.Marshal(cfg)
+}
+
 // LoginSource represents an external way for authorizing users.
 type LoginSource struct {
 	ID        int64 `xorm:"pk autoincr"`
@@ -162,6 +184,8 @@ func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {
 			source.Cfg = new(SMTPConfig)
 		case LoginPAM:
 			source.Cfg = new(PAMConfig)
+		case LoginOAuth2:
+			source.Cfg = new(OAuth2Config)
 		default:
 			panic("unrecognized login source type: " + com.ToStr(*val))
 		}
@@ -203,6 +227,11 @@ func (source *LoginSource) IsPAM() bool {
 	return source.Type == LoginPAM
 }
 
+// IsOAuth2 returns true of this source is of the OAuth2 type.
+func (source *LoginSource) IsOAuth2() bool {
+	return source.Type == LoginOAuth2
+}
+
 // HasTLS returns true of this source supports TLS.
 func (source *LoginSource) HasTLS() bool {
 	return ((source.IsLDAP() || source.IsDLDAP()) &&
@@ -250,6 +279,11 @@ func (source *LoginSource) PAM() *PAMConfig {
 	return source.Cfg.(*PAMConfig)
 }
 
+// OAuth2 returns OAuth2Config for this source, if of OAuth2 type.
+func (source *LoginSource) OAuth2() *OAuth2Config {
+	return source.Cfg.(*OAuth2Config)
+}
+
 // CreateLoginSource inserts a LoginSource in the DB if not already
 // existing with the given name.
 func CreateLoginSource(source *LoginSource) error {
@@ -266,7 +300,7 @@ func CreateLoginSource(source *LoginSource) error {
 
 // LoginSources returns a slice of all login sources found in DB.
 func LoginSources() ([]*LoginSource, error) {
-	auths := make([]*LoginSource, 0, 5)
+	auths := make([]*LoginSource, 0, 6)
 	return auths, x.Find(&auths)
 }
 
@@ -444,7 +478,7 @@ func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPC
 		idx := strings.Index(login, "@")
 		if idx == -1 {
 			return nil, ErrUserNotExist{0, login, 0}
-		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {
+		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx + 1:]) {
 			return nil, ErrUserNotExist{0, login, 0}
 		}
 	}
@@ -526,6 +560,26 @@ func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMCon
 	return user, CreateUser(user)
 }
 
+//  ________      _____          __  .__     ________
+//  \_____  \    /  _  \  __ ___/  |_|  |__  \_____  \
+//   /   |   \  /  /_\  \|  |  \   __\  |  \  /  ____/
+//  /    |    \/    |    \  |  /|  | |   Y  \/       \
+//  \_______  /\____|__  /____/ |__| |___|  /\_______ \
+//          \/         \/                 \/         \/
+
+// OAuth2Providers contains the map of registered OAuth2 providers in Gitea (based on goth)
+// key is used as technical name (for use in the callbackURL)
+// value is used to display
+var OAuth2Providers = map[string]string{
+	"github":   "GitHub",
+}
+
+// LoginViaOAuth2 queries if login/password is valid against the OAuth2.0 provider,
+// and create a local user if success when enabled.
+func LoginViaOAuth2(cfg *OAuth2Config, request *http.Request, response http.ResponseWriter) {
+	oauth2.Auth(cfg.Provider, cfg.ClientID, cfg.ClientSecret, request, response)
+}
+
 // ExternalUserLogin attempts a login using external source types.
 func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {
 	if !source.IsActived {
@@ -580,7 +634,7 @@ func UserSignIn(username, password string) (*User, error) {
 		}
 	}
 
-	sources := make([]*LoginSource, 0, 3)
+	sources := make([]*LoginSource, 0, 5)
 	if err = x.UseBool().Find(&sources, &LoginSource{IsActived: true}); err != nil {
 		return nil, err
 	}
@@ -596,3 +650,90 @@ func UserSignIn(username, password string) (*User, error) {
 
 	return nil, ErrUserNotExist{user.ID, user.Name, 0}
 }
+
+// OAuth2UserLogin attempts a login using a OAuth2 source type
+func OAuth2UserLogin(provider string, request *http.Request, response http.ResponseWriter) (*User, error) {
+	sources := make([]*LoginSource, 0, 1)
+	if err := x.UseBool().Find(&sources, &LoginSource{IsActived: true, Type: LoginOAuth2}); err != nil {
+		return nil, err
+	}
+
+	for _, source := range sources {
+		// TODO how to put this in the xorm Find ?
+		if source.Cfg.(*OAuth2Config).Provider == provider {
+			LoginViaOAuth2(source.Cfg.(*OAuth2Config), request, response)
+			return nil, nil
+		}
+	}
+
+	return nil, errors.New("No valid provider found")
+}
+
+// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
+// login the user
+func OAuth2UserLoginCallback(provider string, request *http.Request, response http.ResponseWriter) (*User, string, error) {
+	gothUser, redirectURL, error := oauth2.ProviderCallback(provider, request, response)
+
+	if error != nil {
+		return nil, redirectURL, error
+	}
+
+	sources := make([]*LoginSource, 0, 1)
+	if err := x.UseBool().Find(&sources, &LoginSource{IsActived: true, Type: LoginOAuth2}); err != nil {
+		return nil, "", err
+	}
+
+	for _, source := range sources {
+		// TODO how to put this in the xorm Find ?
+		if source.OAuth2().Provider == provider {
+			user := &User{
+				LoginName:   gothUser.UserID,
+				LoginType:   LoginOAuth2,
+				LoginSource: sources[0].ID,
+			}
+
+			hasUser, err := x.Get(user)
+			if err != nil {
+				return nil, "", err
+			}
+
+			if !hasUser {
+				user = &User{
+					LowerName:        strings.ToLower(gothUser.NickName),
+					Name:             gothUser.NickName,
+					Email:            gothUser.Email,
+					LoginType:        LoginOAuth2,
+					LoginSource:      sources[0].ID,
+					LoginName:        gothUser.NickName,
+					IsActive:         true,
+					// TODO should OAuth2 imported emails be private?
+					KeepEmailPrivate: true,
+				}
+				return user, redirectURL, CreateUser(user)
+			}
+
+			return user, redirectURL, nil
+		}
+	}
+
+	return nil, "", errors.New("No valid provider found")
+}
+
+// GetActiveOAuth2Providers returns the map of configured active OAuth2 providers
+// key is used as technical name (like in the callbackURL)
+// value is used to display
+func GetActiveOAuth2Providers() (map[string]string, error) {
+	// Maybe also seperate used and unused providers so we can force the registration of only 1 active provider for each type
+
+	sources := make([]*LoginSource, 0, 1)
+	if err := x.UseBool().Find(&sources, &LoginSource{IsActived: true, Type: LoginOAuth2}); err != nil {
+		return nil, err
+	}
+
+	providers := make(map[string]string)
+	for _, source := range sources {
+		providers[source.OAuth2().Provider] = OAuth2Providers[source.OAuth2().Provider]
+	}
+
+	return providers, nil
+}

modules/auth/auth.go

@@ -188,7 +188,7 @@ func AssignForm(form interface{}, data map[string]interface{}) {
 func getRuleBody(field reflect.StructField, prefix string) string {
 	for _, rule := range strings.Split(field.Tag.Get("binding"), ";") {
 		if strings.HasPrefix(rule, prefix) {
-			return rule[len(prefix) : len(rule)-1]
+			return rule[len(prefix): len(rule) - 1]
 		}
 	}
 	return ""
@@ -246,7 +246,7 @@ func validate(errs binding.Errors, data map[string]interface{}, f Form, l macaro
 		}
 
 		if errs[0].FieldNames[0] == field.Name {
-			data["Err_"+field.Name] = true
+			data["Err_" + field.Name] = true
 
 			trName := field.Tag.Get("locale")
 			if len(trName) == 0 {

modules/auth/auth_form.go

@@ -12,7 +12,7 @@ import (
 // AuthenticationForm form for authentication
 type AuthenticationForm struct {
 	ID                int64
-	Type              int    `binding:"Range(2,5)"`
+	Type              int    `binding:"Range(2,6)"`
 	Name              string `binding:"Required;MaxSize(30)"`
 	Host              string
 	Port              int
@@ -36,6 +36,9 @@ type AuthenticationForm struct {
 	TLS               bool
 	SkipVerify        bool
 	PAMServiceName    string
+	Oauth2Provider    string
+	Oauth2Key	  string
+	Oauth2Secret      string
 }
 
 // Validate validates fields

modules/auth/oauth2/oauth2.go

@@ -0,0 +1,57 @@
+package oauth2
+
+import (
+	"code.gitea.io/gitea/modules/setting"
+	"github.com/gorilla/sessions"
+	"github.com/markbates/goth"
+	"github.com/markbates/goth/gothic"
+	"github.com/markbates/goth/providers/github"
+	"net/http"
+	"os"
+	"github.com/satori/go.uuid"
+)
+
+var (
+	sessionUsersStoreKey = "gitea-oauth-sessions"
+	providerHeaderKey = "gitea-oauth-provider"
+)
+
+func init() {
+	gothic.Store = sessions.NewFilesystemStore(os.TempDir(), []byte(sessionUsersStoreKey))
+
+	gothic.SetState = func(req *http.Request) string {
+		return uuid.NewV4().String()
+	}
+
+	gothic.GetProviderName = func(req *http.Request) (string, error) {
+		return req.Header.Get(providerHeaderKey), nil
+	}
+}
+
+// Auth OAuth2 auth service
+func Auth(provider, clientID, clientSecret string, request *http.Request, response http.ResponseWriter) {
+	// not sure if goth is thread safe (?) when using multiple providers
+	request.Header.Set(providerHeaderKey, provider)
+
+	if gothProvider, _ := goth.GetProvider(provider); gothProvider == nil {
+		goth.UseProviders(
+			github.New(clientID, clientSecret, setting.AppURL + "user/oauth2/" + provider + "/callback", "user:email"),
+		)
+	}
+
+	gothic.BeginAuthHandler(response, request)
+}
+
+// ProviderCallback handles OAuth callback, resolve to a goth user and send back to original url
+// this will trigger a new authentication request, but because we save it in the session we can use that
+func ProviderCallback(provider string, request *http.Request, response http.ResponseWriter) (goth.User, string, error) {
+		// not sure if goth is thread safe (?) when using multiple providers
+	request.Header.Set(providerHeaderKey, provider)
+
+	user, err := gothic.CompleteUserAuth(response, request)
+	if err != nil {
+		return user, "", err
+	}
+
+	return user, "", nil
+}

options/locale/locale_en-US.ini

@@ -1083,6 +1083,9 @@ auths.allowed_domains_helper = Leave it empty to not restrict any domains. Multi
 auths.enable_tls = Enable TLS Encryption
 auths.skip_tls_verify = Skip TLS Verify
 auths.pam_service_name = PAM Service Name
+auths.oauth2_provider = OAuth2 provider
+auths.oauth2_clientID = Client ID (Key)
+auths.oauth2_clientSecret = Client Secret
 auths.enable_auto_register = Enable Auto Registration
 auths.tips = Tips
 auths.edit = Edit Authentication Setting

public/js/index.js

@@ -969,9 +969,9 @@ function initAdmin() {
     // New authentication
     if ($('.admin.new.authentication').length > 0) {
         $('#auth_type').change(function () {
-            $('.ldap, .dldap, .smtp, .pam, .has-tls').hide();
+            $('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls').hide();
 
-            $('.ldap input[required], .dldap input[required], .smtp input[required], .pam input[required], .has-tls input[required]').removeAttr('required');
+            $('.ldap input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required] .has-tls input[required]').removeAttr('required');
 
             var authType = $(this).val();
             switch (authType) {
@@ -992,6 +992,10 @@ function initAdmin() {
                     $('.dldap').show();
                     $('.dldap div.required input').attr('required', 'required');
                     break;
+                case '6':     // OAuth2
+                    $('.oauth2').show();
+                    $('.oauth2 input').attr('required', 'required');
+                    break;
             }
 
             if (authType == '2' || authType == '5') {