Expose extension point for generic OAuth providers

Further development of OAuth authentication scheme support suggested in
I86fb8fab3 is to restrict the core to expose only the OAuth extension
point and use Gerrit plugin concept for OAuth provider implementations.

When multiple OAuth providers are deployed on Gerrit site (from one or
multiple plugins) selection page is shown to select OAuth provider per
user base (as it's known for OpenID authentication scheme). The only
difference is that the user can only select between deployed providers.

OAuth logo was borrowed from:

http://en.wikipedia.org/wiki/OAuth and
http://en.wikipedia.org/wiki/File:Oauth_logo.svg
The OAuth logo, designed by Chris Messina
Creative Commons Attribution-Share Alike 3.0 Unported license

Converted as base64 using: http://www.base64-image.de
Source for OAuth protocol description: the same link as above.

Bug: issue 2677
Bug: issue 2715
Contributed-by: Luca Milanesio <luca.milanesio@gmail.com>
Change-Id: I7da0a6b3f2a99b6188bd14cf2818f673a3ddd680

gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthLogoutServlet.java

@@ -0,0 +1,57 @@
+// Copyright (C) 2015 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.httpd.auth.oauth;
+
+import com.google.gerrit.audit.AuditService;
+import com.google.gerrit.common.Nullable;
+import com.google.gerrit.extensions.registration.DynamicItem;
+import com.google.gerrit.httpd.HttpLogoutServlet;
+import com.google.gerrit.httpd.WebSession;
+import com.google.gerrit.server.account.AccountManager;
+import com.google.gerrit.server.config.AuthConfig;
+import com.google.gerrit.server.config.CanonicalWebUrl;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@Singleton
+class OAuthLogoutServlet extends HttpLogoutServlet {
+  private static final long serialVersionUID = 1L;
+
+  private final Provider<OAuthSession> oauthSession;
+
+  @Inject
+  OAuthLogoutServlet(AuthConfig authConfig,
+      DynamicItem<WebSession> webSession,
+      @CanonicalWebUrl @Nullable Provider<String> urlProvider,
+      AccountManager accountManager,
+      AuditService audit,
+      Provider<OAuthSession> oauthSession) {
+      super(authConfig, webSession, urlProvider, accountManager, audit);
+    this.oauthSession = oauthSession;
+  }
+
+  @Override
+  protected void doLogout(HttpServletRequest req, HttpServletResponse rsp)
+      throws IOException {
+    super.doLogout(req, rsp);
+    oauthSession.get().logout();
+  }
+}

gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthModule.java

@@ -0,0 +1,31 @@
+// Copyright (C) 2015 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.httpd.auth.oauth;
+
+import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider;
+import com.google.gerrit.extensions.registration.DynamicMap;
+import com.google.inject.servlet.ServletModule;
+
+/** Servlets and support related to OAuth authentication. */
+public class OAuthModule extends ServletModule {
+
+  @Override
+  protected void configureServlets() {
+    filter("/login", "/login/*", "/oauth").through(OAuthWebFilter.class);
+    // This is needed to invalidate OAuth session during logout
+    serve("/logout").with(OAuthLogoutServlet.class);
+    DynamicMap.mapOf(binder(), OAuthServiceProvider.class);
+  }
+}

gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthSession.java

@@ -0,0 +1,178 @@
+// Copyright (C) 2015 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.httpd.auth.oauth;
+
+import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
+
+import com.google.common.base.Strings;
+import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider;
+import com.google.gerrit.extensions.auth.oauth.OAuthToken;
+import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo;
+import com.google.gerrit.extensions.auth.oauth.OAuthVerifier;
+import com.google.gerrit.extensions.registration.DynamicItem;
+import com.google.gerrit.httpd.WebSession;
+import com.google.gerrit.server.account.AccountException;
+import com.google.gerrit.server.account.AccountManager;
+import com.google.gerrit.server.account.AuthResult;
+import com.google.inject.Inject;
+import com.google.inject.servlet.SessionScoped;
+
+import org.apache.commons.codec.binary.Base64;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@SessionScoped
+/* OAuth protocol implementation */
+class OAuthSession {
+  private static final Logger log = LoggerFactory.getLogger(OAuthSession.class);
+  private static final SecureRandom randomState = newRandomGenerator();
+  private final String state;
+  private final DynamicItem<WebSession> webSession;
+  private final AccountManager accountManager;
+  private OAuthServiceProvider serviceProvider;
+  private OAuthToken token;
+  private OAuthUserInfo user;
+  private String redirectUrl;
+
+  @Inject
+  OAuthSession(DynamicItem<WebSession> webSession,
+      AccountManager accountManager) {
+    this.state = generateRandomState();
+    this.webSession = webSession;
+    this.accountManager = accountManager;
+  }
+
+  boolean isLoggedIn() {
+    return token != null && user != null;
+  }
+
+  boolean isOAuthFinal(HttpServletRequest request) {
+    return Strings.emptyToNull(request.getParameter("code")) != null;
+  }
+
+  boolean login(HttpServletRequest request, HttpServletResponse response,
+      OAuthServiceProvider oauth) throws IOException {
+    if (isLoggedIn()) {
+      return true;
+    }
+
+    log.debug("Login " + this);
+
+    if (isOAuthFinal(request)) {
+      if (!checkState(request)) {
+        response.sendError(HttpServletResponse.SC_NOT_FOUND);
+        return false;
+      }
+
+      log.debug("Login-Retrieve-User " + this);
+      token = oauth.getAccessToken(null,
+          new OAuthVerifier(request.getParameter("code")));
+
+      user = oauth.getUserInfo(token);
+
+      if (isLoggedIn()) {
+        log.debug("Login-SUCCESS " + this);
+        authenticateAndRedirect(response);
+        return true;
+      } else {
+        response.sendError(SC_UNAUTHORIZED);
+        return false;
+      }
+    } else {
+      log.debug("Login-PHASE1 " + this);
+      redirectUrl = request.getRequestURI();
+      response.sendRedirect(oauth.getAuthorizationUrl(null) +
+          "&state=" + state);
+      return false;
+    }
+  }
+
+  private void authenticateAndRedirect(HttpServletResponse rsp)
+      throws IOException {
+    com.google.gerrit.server.account.AuthRequest areq =
+        new com.google.gerrit.server.account.AuthRequest(user.getExternalId());
+    areq.setUserName(user.getUserName());
+    areq.setEmailAddress(user.getEmailAddress());
+    areq.setDisplayName(user.getDisplayName());
+    AuthResult arsp;
+    try {
+      arsp = accountManager.authenticate(areq);
+    } catch (AccountException e) {
+      log.error("Unable to authenticate user \"" + user + "\"", e);
+      rsp.sendError(HttpServletResponse.SC_FORBIDDEN);
+      return;
+    }
+
+    webSession.get().login(arsp, true);
+    String suffix = redirectUrl.substring(
+        OAuthWebFilter.GERRIT_LOGIN.length() + 1);
+    suffix = URLDecoder.decode(suffix, StandardCharsets.UTF_8.name());
+    rsp.sendRedirect(suffix);
+  }
+
+  void logout() {
+    token = null;
+    user = null;
+    redirectUrl = null;
+    serviceProvider = null;
+  }
+
+  private boolean checkState(ServletRequest request) {
+    String s = Strings.nullToEmpty(request.getParameter("state"));
+    if (!s.equals(state)) {
+      log.error("Illegal request state '" + s + "' on OAuthProtocol " + this);
+      return false;
+    }
+    return true;
+  }
+
+  private static SecureRandom newRandomGenerator() {
+    try {
+      return SecureRandom.getInstance("SHA1PRNG");
+    } catch (NoSuchAlgorithmException e) {
+      throw new IllegalArgumentException(
+          "No SecureRandom available for GitHub authentication", e);
+    }
+  }
+
+  private static String generateRandomState() {
+    byte[] state = new byte[32];
+    randomState.nextBytes(state);
+    return Base64.encodeBase64URLSafeString(state);
+  }
+
+  @Override
+  public String toString() {
+    return "OAuthSession [token=" + token + ", user=" + user + "]";
+  }
+
+  public void setServiceProvider(OAuthServiceProvider provider) {
+    this.serviceProvider = provider;
+  }
+
+  public OAuthServiceProvider getServiceProvider() {
+    return serviceProvider;
+  }
+}

gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java

@@ -0,0 +1,223 @@
+// Copyright (C) 2015 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.httpd.auth.oauth;
+
+import com.google.common.base.Objects;
+import com.google.common.base.Strings;
+import com.google.common.collect.Iterables;
+import com.google.gerrit.common.Nullable;
+import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider;
+import com.google.gerrit.extensions.registration.DynamicMap;
+import com.google.gerrit.httpd.HtmlDomUtil;
+import com.google.gerrit.httpd.LoginUrlToken;
+import com.google.gerrit.httpd.template.SiteHeaderFooter;
+import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.config.CanonicalWebUrl;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
+import java.util.Set;
+import java.util.SortedMap;
+import java.util.SortedSet;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+@Singleton
+/* OAuth web filter uses active OAuth session to perform OAuth requests */
+class OAuthWebFilter implements Filter {
+  static final String GERRIT_LOGIN = "/login";
+
+  private final Provider<String> urlProvider;
+  private final Provider<CurrentUser> currentUserProvider;
+  private final Provider<OAuthSession> oauthSessionProvider;
+  private final DynamicMap<OAuthServiceProvider> oauthServiceProviders;
+  private final SiteHeaderFooter header;
+  private OAuthServiceProvider ssoProvider;
+
+  @Inject
+  OAuthWebFilter(@CanonicalWebUrl @Nullable Provider<String> urlProvider,
+      Provider<CurrentUser> currentUserProvider,
+      DynamicMap<OAuthServiceProvider> oauthServiceProviders,
+      Provider<OAuthSession> oauthSessionProvider,
+      SiteHeaderFooter header) {
+    this.urlProvider = urlProvider;
+    this.currentUserProvider = currentUserProvider;
+    this.oauthServiceProviders = oauthServiceProviders;
+    this.oauthSessionProvider = oauthSessionProvider;
+    this.header = header;
+  }
+
+  @Override
+  public void init(FilterConfig filterConfig) throws ServletException {
+    pickSSOServiceProvider();
+  }
+
+  @Override
+  public void destroy() {
+  }
+
+  @Override
+  public void doFilter(ServletRequest request, ServletResponse response,
+      FilterChain chain) throws IOException, ServletException {
+    HttpServletRequest httpRequest = (HttpServletRequest) request;
+    HttpSession httpSession = ((HttpServletRequest) request).getSession(false);
+    if (currentUserProvider.get().isIdentifiedUser()) {
+      if (httpSession != null) {
+        httpSession.invalidate();
+      }
+      chain.doFilter(request, response);
+      return;
+    }
+
+    HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+    String provider = httpRequest.getParameter("provider");
+    OAuthSession oauthSession = oauthSessionProvider.get();
+    OAuthServiceProvider service = ssoProvider == null
+        ? oauthSession.getServiceProvider()
+        : ssoProvider;
+
+    if ((isGerritLogin(httpRequest)
+        || oauthSession.isOAuthFinal(httpRequest))
+        && !oauthSession.isLoggedIn()) {
+      if (service == null && Strings.isNullOrEmpty(provider)) {
+        selectProvider(httpRequest, httpResponse, null);
+        return;
+      } else {
+        if (service == null) {
+          service = findService(provider);
+        }
+        oauthSession.setServiceProvider(service);
+        oauthSession.login(httpRequest, httpResponse, service);
+      }
+    } else {
+      chain.doFilter(httpRequest, response);
+    }
+  }
+
+  private OAuthServiceProvider findService(String providerId)
+      throws ServletException {
+    Set<String> plugins = oauthServiceProviders.plugins();
+    for (String pluginName : plugins) {
+      Map<String, Provider<OAuthServiceProvider>> m =
+          oauthServiceProviders.byPlugin(pluginName);
+        for (Map.Entry<String, Provider<OAuthServiceProvider>> e
+            : m.entrySet()) {
+          if (providerId.equals(
+              String.format("%s_%s", pluginName, e.getKey()))) {
+            return e.getValue().get();
+          }
+        }
+    }
+    throw new ServletException("No provider found for: " + providerId);
+  }
+
+  private void selectProvider(HttpServletRequest req, HttpServletResponse res,
+      @Nullable String errorMessage)
+      throws IOException {
+    String self = req.getRequestURI();
+    String cancel = Objects.firstNonNull(
+        urlProvider != null ? urlProvider.get() : "/", "/");
+    cancel += LoginUrlToken.getToken(req);
+
+    Document doc = header.parse(OAuthWebFilter.class, "LoginForm.html");
+    HtmlDomUtil.find(doc, "hostName").setTextContent(req.getServerName());
+    HtmlDomUtil.find(doc, "login_form").setAttribute("action", self);
+    HtmlDomUtil.find(doc, "cancel_link").setAttribute("href", cancel);
+
+    Element emsg = HtmlDomUtil.find(doc, "error_message");
+    if (Strings.isNullOrEmpty(errorMessage)) {
+      emsg.getParentNode().removeChild(emsg);
+    } else {
+      emsg.setTextContent(errorMessage);
+    }
+
+    Element providers = HtmlDomUtil.find(doc, "providers");
+
+    Set<String> plugins = oauthServiceProviders.plugins();
+    for (String pluginName : plugins) {
+      Map<String, Provider<OAuthServiceProvider>> m =
+          oauthServiceProviders.byPlugin(pluginName);
+        for (Map.Entry<String, Provider<OAuthServiceProvider>> e
+            : m.entrySet()) {
+          addProvider(providers, pluginName, e.getKey(),
+              e.getValue().get().getName());
+        }
+    }
+
+    sendHtml(res, doc);
+  }
+
+  private static void addProvider(Element form, String pluginName,
+      String id, String serviceName) {
+    Element div = form.getOwnerDocument().createElement("div");
+    div.setAttribute("id", id);
+    Element hyperlink = form.getOwnerDocument().createElement("a");
+    hyperlink.setAttribute("href", String.format("?provider=%s_%s",
+        pluginName, id));
+    hyperlink.setTextContent(serviceName +
+        " (" + pluginName + " plugin)");
+    div.appendChild(hyperlink);
+    form.appendChild(div);
+  }
+
+  private static void sendHtml(HttpServletResponse res, Document doc)
+      throws IOException {
+    byte[] bin = HtmlDomUtil.toUTF8(doc);
+    res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+    res.setContentType("text/html");
+    res.setCharacterEncoding(StandardCharsets.UTF_8.name());
+    res.setContentLength(bin.length);
+    try (ServletOutputStream out = res.getOutputStream()) {
+      out.write(bin);
+    }
+  }
+
+  private void pickSSOServiceProvider()
+      throws ServletException {
+    SortedSet<String> plugins = oauthServiceProviders.plugins();
+    if (plugins.isEmpty()) {
+      throw new ServletException(
+          "OAuth service provider wasn't installed");
+    }
+    if (plugins.size() == 1) {
+      SortedMap<String, Provider<OAuthServiceProvider>> services =
+          oauthServiceProviders.byPlugin(Iterables.getOnlyElement(plugins));
+      if (services.size() == 1) {
+        ssoProvider = Iterables.getOnlyElement(services.values()).get();
+      }
+    }
+  }
+
+  private static boolean isGerritLogin(HttpServletRequest request) {
+    return request.getRequestURI().indexOf(GERRIT_LOGIN) >= 0;
+  }
+}