mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36370 Commits
59 Branches
Tree: d42e73cd8a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd42e73cd8a'
${ noResults }
sonarqube/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java

GitLabIdentityProvider.java 6.2KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2024 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.auth.gitlab;

  21. 

  22. import com.github.scribejava.core.builder.ServiceBuilder;

  23. import com.github.scribejava.core.model.OAuth2AccessToken;

  24. import com.github.scribejava.core.model.OAuthConstants;

  25. import com.github.scribejava.core.oauth.OAuth20Service;

  26. import com.google.common.annotations.VisibleForTesting;

  27. import java.io.IOException;

  28. import java.util.Collection;

  29. import java.util.List;

  30. import java.util.Set;

  31. import java.util.concurrent.ExecutionException;

  32. import java.util.stream.Stream;

  33. import javax.inject.Inject;

  34. import org.sonar.api.server.authentication.Display;

  35. import org.sonar.api.server.authentication.OAuth2IdentityProvider;

  36. import org.sonar.api.server.authentication.UnauthorizedException;

  37. import org.sonar.api.server.authentication.UserIdentity;

  38. import org.sonar.api.server.http.HttpRequest;

  39. 

  40. import static com.google.common.base.Preconditions.checkState;

  41. import static java.util.stream.Collectors.toSet;

  42. 

  43. public class GitLabIdentityProvider implements OAuth2IdentityProvider {

  44. 

  45.   public static final String KEY = "gitlab";

  46.   private final GitLabSettings gitLabSettings;

  47.   private final ScribeGitLabOauth2Api scribeApi;

  48.   private final GitLabRestClient gitLabRestClient;

  49.   private final ScribeFactory scribeFactory;

  50. 

  51.   @Inject

  52.   public GitLabIdentityProvider(GitLabSettings gitLabSettings, GitLabRestClient gitLabRestClient, ScribeGitLabOauth2Api scribeApi) {

  53.     this(gitLabSettings, gitLabRestClient, scribeApi, new ScribeFactory());

  54.   }

  55. 

  56.   @VisibleForTesting

  57.   GitLabIdentityProvider(GitLabSettings gitLabSettings, GitLabRestClient gitLabRestClient, ScribeGitLabOauth2Api scribeApi,

  58.     ScribeFactory scribeFactory) {

  59.     this.gitLabSettings = gitLabSettings;

  60.     this.scribeApi = scribeApi;

  61.     this.gitLabRestClient = gitLabRestClient;

  62.     this.scribeFactory = scribeFactory;

  63.   }

  64. 

  65.   @Override

  66.   public String getKey() {

  67.     return KEY;

  68.   }

  69. 

  70.   @Override

  71.   public String getName() {

  72.     return "GitLab";

  73.   }

  74. 

  75.   @Override

  76.   public Display getDisplay() {

  77.     return Display.builder()

  78.       .setIconPath("/images/alm/gitlab.svg")

  79.       .setBackgroundColor("#6a4fbb")

  80.       .build();

  81.   }

  82. 

  83.   @Override

  84.   public boolean isEnabled() {

  85.     return gitLabSettings.isEnabled();

  86.   }

  87. 

  88.   @Override

  89.   public boolean allowsUsersToSignUp() {

  90.     return gitLabSettings.allowUsersToSignUp();

  91.   }

  92. 

  93.   @Override

  94.   public void init(InitContext context) {

  95.     String state = context.generateCsrfState();

  96.     try (OAuth20Service scribe = scribeFactory.newScribe(gitLabSettings, context.getCallbackUrl(), scribeApi)) {

  97.       String url = scribe.getAuthorizationUrl(state);

  98.       context.redirectTo(url);

  99.     } catch (IOException e) {

  100.       throw new IllegalStateException(e);

  101.     }

  102.   }

  103. 

  104.   @Override

  105.   public void callback(CallbackContext context) {

  106.     try (OAuth20Service scribe = scribeFactory.newScribe(gitLabSettings, context.getCallbackUrl(), scribeApi)) {

  107.       onCallback(context, scribe);

  108.     } catch (IOException | ExecutionException e) {

  109.       throw new IllegalStateException(e);

  110.     } catch (InterruptedException e) {

  111.       Thread.currentThread().interrupt();

  112.       throw new IllegalStateException(e);

  113.     }

  114.   }

  115. 

  116.   private void onCallback(CallbackContext context, OAuth20Service scribe) throws InterruptedException, ExecutionException, IOException {

  117.     HttpRequest request = context.getHttpRequest();

  118.     String code = request.getParameter(OAuthConstants.CODE);

  119.     OAuth2AccessToken accessToken = scribe.getAccessToken(code);

  120.     GsonUser user = gitLabRestClient.getUser(scribe, accessToken);

  121. 

  122.     UserIdentity.Builder builder = UserIdentity.builder()

  123.       .setProviderId(Long.toString(user.getId()))

  124.       .setProviderLogin(user.getUsername())

  125.       .setName(user.getName())

  126.       .setEmail(user.getEmail());

  127. 

  128.     if (gitLabSettings.syncUserGroups()) {

  129.       Set<String> userGroups = getGroups(scribe, accessToken);

  130.       validateUserInAllowedGroups(userGroups, gitLabSettings.allowedGroups());

  131.       builder.setGroups(userGroups);

  132.     }

  133.     context.authenticate(builder.build());

  134.     context.redirectToRequestedPage();

  135.   }

  136. 

  137.   private void validateUserInAllowedGroups(Set<String> userGroups, Set<String> allowedGroups) {

  138.     if (gitLabSettings.allowedGroups().isEmpty()) {

  139.       return;

  140.     }

  141. 

  142.     boolean allowedUser = userGroups.stream()

  143.       .anyMatch(userGroup -> isAllowedGroup(userGroup, allowedGroups));

  144. 

  145.     if (!allowedUser) {

  146.       throw new UnauthorizedException("You are not allowed to authenticate");

  147.     }

  148.   }

  149. 

  150.   private static boolean isAllowedGroup(String group, Set<String> allowedGroups) {

  151.     return allowedGroups.stream().anyMatch(group::startsWith);

  152.   }

  153. 

  154.   private Set<String> getGroups(OAuth20Service scribe, OAuth2AccessToken accessToken) {

  155.     List<GsonGroup> groups = gitLabRestClient.getGroups(scribe, accessToken);

  156.     return Stream.of(groups)

  157.       .flatMap(Collection::stream)

  158.       .map(GsonGroup::getFullPath)

  159.       .collect(toSet());

  160.   }

  161. 

  162.   static class ScribeFactory {

  163. 

  164.     private static final String API_SCOPE = "api";

  165.     private static final String READ_USER_SCOPE = "read_user";

  166. 

  167.     OAuth20Service newScribe(GitLabSettings gitLabSettings, String callbackUrl, ScribeGitLabOauth2Api scribeApi) {

  168.       checkState(gitLabSettings.isEnabled(), "GitLab authentication is disabled");

  169.       return new ServiceBuilder(gitLabSettings.applicationId())

  170.         .apiSecret(gitLabSettings.secret())

  171.         .defaultScope(gitLabSettings.syncUserGroups() ? API_SCOPE : READ_USER_SCOPE)

  172.         .callback(callbackUrl)

  173.         .build(scribeApi);

  174.     }

  175.   }

  176. 

  177. }