Google Git
Sign in
gerrit / plugins / oauth / 31d9b6472c7f29b36cb26f6056cd07d9ba92c282 / . / src / main / java / com / googlesource / gerrit / plugins / oauth / AzureActiveDirectoryService.java
blob: 81dc53f003fcf3bc38db2d1952c7f409804f2067 [file] [log] [blame]
// Copyright (C) 2018 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.googlesource.gerrit.plugins.oauth;
import static com.google.gerrit.json.OutputFormat.JSON;
import com.github.scribejava.apis.MicrosoftAzureActiveDirectory20Api;
import com.github.scribejava.core.builder.ServiceBuilder;
import com.github.scribejava.core.exceptions.OAuthException;
import com.github.scribejava.core.model.OAuth2AccessToken;
import com.github.scribejava.core.model.OAuthRequest;
import com.github.scribejava.core.model.Response;
import com.github.scribejava.core.model.Verb;
import com.github.scribejava.core.oauth.OAuth20Service;
import com.google.common.base.CharMatcher;
import com.google.common.collect.ImmutableSet;
import com.google.gerrit.extensions.annotations.PluginName;
import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider;
import com.google.gerrit.extensions.auth.oauth.OAuthToken;
import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo;
import com.google.gerrit.extensions.auth.oauth.OAuthVerifier;
import com.google.gerrit.server.config.CanonicalWebUrl;
import com.google.gerrit.server.config.PluginConfig;
import com.google.gerrit.server.config.PluginConfigFactory;
import com.google.gson.Gson;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.ExecutionException;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@Singleton
class AzureActiveDirectoryService implements OAuthServiceProvider {
private static final Logger log = LoggerFactory.getLogger(AzureActiveDirectoryService.class);
static final String CONFIG_SUFFIX_LEGACY = "-office365-oauth";
static final String CONFIG_SUFFIX = "-azure-oauth";
private static final String AZURE_PROVIDER_PREFIX = "azure-oauth:";
private static final String OFFICE365_PROVIDER_PREFIX = "office365-oauth:";
private static final String PROTECTED_RESOURCE_URL = "https://graph.microsoft.com/v1.0/me";
private static final String SCOPE =
"openid offline_access https://graph.microsoft.com/user.readbasic.all";
public static final String DEFAULT_TENANT = "organizations";
private static final ImmutableSet<String> TENANTS_WITHOUT_VALIDATION =
ImmutableSet.<String>builder().add(DEFAULT_TENANT).add("common").add("consumers").build();
private final OAuth20Service service;
private final Gson gson;
private final String canonicalWebUrl;
private final boolean useEmailAsUsername;
private final String tenant;
private final String clientId;
private String providerPrefix;
private final boolean linkOffice365Id;
@Inject
AzureActiveDirectoryService(
PluginConfigFactory cfgFactory,
@PluginName String pluginName,
@CanonicalWebUrl Provider<String> urlProvider) {
PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX);
providerPrefix = AZURE_PROVIDER_PREFIX;
// ?: Did we find the client_id with the CONFIG_SUFFIX
if (cfg.getString(InitOAuth.CLIENT_ID) == null) {
// -> No, we did not find the client_id in the azure config so we should try the old legacy
// office365 section
cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX_LEGACY);
// We must also use the new provider prefix
providerPrefix = OFFICE365_PROVIDER_PREFIX;
}
this.linkOffice365Id = cfg.getBoolean(InitOAuth.LINK_TO_EXISTING_OFFICE365_ACCOUNT, false);
this.canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/";
this.useEmailAsUsername = cfg.getBoolean(InitOAuth.USE_EMAIL_AS_USERNAME, false);
this.tenant = cfg.getString(InitOAuth.TENANT, DEFAULT_TENANT);
this.clientId = cfg.getString(InitOAuth.CLIENT_ID);
this.service =
new ServiceBuilder(cfg.getString(InitOAuth.CLIENT_ID))
.apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET))
.callback(canonicalWebUrl + "oauth")
.defaultScope(SCOPE)
.build(MicrosoftAzureActiveDirectory20Api.custom(tenant));
this.gson = JSON.newGson();
if (log.isDebugEnabled()) {
log.debug("OAuth2: canonicalWebUrl={}", canonicalWebUrl);
log.debug("OAuth2: scope={}", SCOPE);
log.debug("OAuth2: useEmailAsUsername={}", useEmailAsUsername);
}
}
@Override
public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException {
// ?: Have we set a custom tenant and is this a tenant other than the one set in
// TENANTS_WITHOUT_VALIDATION
if (!TENANTS_WITHOUT_VALIDATION.contains(tenant)) {
// -> Yes, we are using a tenant that should be validated, so verify that is issued for the
// same one that we
// have set.
String tid = getTokenJson(token.getToken()).get("tid").getAsString();
// ?: Verify that this token has the same tenant as we are currently using
if (!tenant.equals(tid)) {
// -> No, this tenant does not equals the one in the token. So we should stop processing
log.warn(
String.format(
"The token was issued by the tenant [%s] while we are set to use [%s]",
tid, tenant));
// Return null so the user will be shown Unauthorized.
return null;
}
}
// Due to scribejava does not expose the id_token we need to do this a bit convoluted way to
// extract this our self
// see <a href="https://github.com/scribejava/scribejava/issues/968">Obtaining id_token from
// access_token</a> for
// the scribejava issue on this.
String rawToken = token.getRaw();
JsonObject jwtJson = gson.fromJson(rawToken, JsonObject.class);
String idTokenBase64 = jwtJson.get("id_token").getAsString();
String aud = getTokenJson(idTokenBase64).get("aud").getAsString();
// ?: Does this token have the same clientId set in the 'aud' part of the id_token as we are
// using.
// If not we should reject it
// see <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens">id
// tokens Payload claims></a>
// for information on the aud claim.
if (!clientId.equals(aud)) {
log.warn(
String.format(
"The id_token had aud [%s] while we expected it to be equal to the clientId [%s]",
aud, clientId));
// Return null so the user will be shown Unauthorized.
return null;
}
OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL);
OAuth2AccessToken t = new OAuth2AccessToken(token.getToken(), token.getRaw());
service.signRequest(t, request);
request.addHeader("Accept", "*/*");
JsonElement userJson = null;
try (Response response = service.execute(request)) {
if (response.getCode() != HttpServletResponse.SC_OK) {
throw new IOException(
String.format(
"Status %s (%s) for request %s",
response.getCode(), response.getBody(), request.getUrl()));
}
userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class);
if (log.isDebugEnabled()) {
log.debug("User info response: {}", response.getBody());
}
if (userJson.isJsonObject()) {
JsonObject jsonObject = userJson.getAsJsonObject();
JsonElement id = jsonObject.get("id");
if (id == null || id.isJsonNull()) {
throw new IOException("Response doesn't contain id field");
}
JsonElement email = jsonObject.get("mail");
JsonElement name = jsonObject.get("displayName");
String login = null;
if (useEmailAsUsername && !email.isJsonNull()) {
login = email.getAsString().split("@")[0];
}
return new OAuthUserInfo(
providerPrefix + id.getAsString() /*externalId*/,
login /*username*/,
email == null || email.isJsonNull() ? null : email.getAsString() /*email*/,
name == null || name.isJsonNull() ? null : name.getAsString() /*displayName*/,
linkOffice365Id ? OFFICE365_PROVIDER_PREFIX + id.getAsString() : null);
}
} catch (ExecutionException | InterruptedException e) {
throw new RuntimeException("Cannot retrieve user info resource", e);
}
throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson));
}
@Override
public OAuthToken getAccessToken(OAuthVerifier rv) {
try {
OAuth2AccessToken accessToken = service.getAccessToken(rv.getValue());
return new OAuthToken(
accessToken.getAccessToken(), accessToken.getTokenType(), accessToken.getRawResponse());
} catch (InterruptedException | ExecutionException | IOException e) {
String msg = "Cannot retrieve access token";
log.error(msg, e);
throw new RuntimeException(msg, e);
}
}
@Override
public String getAuthorizationUrl() {
String url = service.getAuthorizationUrl();
return url;
}
@Override
public String getVersion() {
return service.getVersion();
}
@Override
public String getName() {
return "Office365 OAuth2";
}
/** Get the {@link JsonObject} of a given token. */
private JsonObject getTokenJson(String tokenBase64) {
String[] tokenParts = tokenBase64.split("\\.");
if (tokenParts.length != 3) {
throw new OAuthException("Token does not contain expected number of parts");
}
// Extract the payload part from the JWT token (header.payload.signature) by retrieving
// tokenParts[1].
return gson.fromJson(
new String(Base64.getDecoder().decode(tokenParts[1]), StandardCharsets.UTF_8),
JsonObject.class);
}
}