Integrate OAuth2 Provider (#5378)

6 files changed, 197 insertions, 7 deletions

diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index f2530fa37c..4be358b737 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -7,6 +7,7 @@ package auth
 import (
 	"reflect"
 	"strings"
+	"time"
 
 	"github.com/Unknwon/com"
 	"github.com/go-macaron/binding"
@@ -44,7 +45,7 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 			auHead := ctx.Req.Header.Get("Authorization")
 			if len(auHead) > 0 {
 				auths := strings.Fields(auHead)
-				if len(auths) == 2 && auths[0] == "token" {
+				if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
 					tokenSHA = auths[1]
 				}
 			}
@@ -52,6 +53,13 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 
 		// Let's see if token is valid.
 		if len(tokenSHA) > 0 {
+			if strings.Contains(tokenSHA, ".") {
+				uid := checkOAuthAccessToken(tokenSHA)
+				if uid != 0 {
+					ctx.Data["IsApiToken"] = true
+				}
+				return uid
+			}
 			t, err := models.GetAccessTokenBySHA(tokenSHA)
 			if err != nil {
 				if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
@@ -77,6 +85,29 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 	return 0
 }
 
+func checkOAuthAccessToken(accessToken string) int64 {
+	// JWT tokens require a "."
+	if !strings.Contains(accessToken, ".") {
+		return 0
+	}
+	token, err := models.ParseOAuth2Token(accessToken)
+	if err != nil {
+		log.Trace("ParseOAuth2Token", err)
+		return 0
+	}
+	var grant *models.OAuth2Grant
+	if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
+		return 0
+	}
+	if token.Type != models.TypeAccessToken {
+		return 0
+	}
+	if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {
+		return 0
+	}
+	return grant.UserID
+}
+
 // SignedInUser returns the user object of signed user.
 // It returns a bool value to indicate whether user uses basic auth or not.
 func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool) {
diff --git a/modules/auth/user_form.go b/modules/auth/user_form.go
index 3a4df8ea7d..be0f9bf1bf 100644
--- a/modules/auth/user_form.go
+++ b/modules/auth/user_form.go
@@ -137,6 +137,54 @@ func (f *SignInForm) Validate(ctx *macaron.Context, errs binding.Errors) binding
 	return validate(errs, ctx.Data, f, ctx.Locale)
 }
 
+// AuthorizationForm form for authorizing oauth2 clients
+type AuthorizationForm struct {
+	ResponseType string `binding:"Required;In(code)"`
+	ClientID     string `binding:"Required"`
+	RedirectURI  string
+	State        string
+
+	// PKCE support
+	CodeChallengeMethod string // S256, plain
+	CodeChallenge       string
+}
+
+// Validate valideates the fields
+func (f *AuthorizationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+	return validate(errs, ctx.Data, f, ctx.Locale)
+}
+
+// GrantApplicationForm form for authorizing oauth2 clients
+type GrantApplicationForm struct {
+	ClientID    string `binding:"Required"`
+	RedirectURI string
+	State       string
+}
+
+// Validate valideates the fields
+func (f *GrantApplicationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+	return validate(errs, ctx.Data, f, ctx.Locale)
+}
+
+// AccessTokenForm for issuing access tokens from authorization codes or refresh tokens
+type AccessTokenForm struct {
+	GrantType    string
+	ClientID     string
+	ClientSecret string
+	RedirectURI  string
+	// TODO Specify authentication code length to prevent against birthday attacks
+	Code         string
+	RefreshToken string
+
+	// PKCE support
+	CodeVerifier string
+}
+
+// Validate valideates the fields
+func (f *AccessTokenForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+	return validate(errs, ctx.Data, f, ctx.Locale)
+}
+
 //   __________________________________________.___ _______    ________  _________
 //  /   _____/\_   _____/\__    ___/\__    ___/|   |\      \  /  _____/ /   _____/
 //  \_____  \  |    __)_   |    |     |    |   |   |/   |   \/   \  ___ \_____  \
@@ -258,6 +306,17 @@ func (f *NewAccessTokenForm) Validate(ctx *macaron.Context, errs binding.Errors)
 	return validate(errs, ctx.Data, f, ctx.Locale)
 }
 
+// EditOAuth2ApplicationForm form for editing oauth2 applications
+type EditOAuth2ApplicationForm struct {
+	Name        string `binding:"Required;MaxSize(255)" form:"application_name"`
+	RedirectURI string `binding:"Required" form:"redirect_uri"`
+}
+
+// Validate valideates the fields
+func (f *EditOAuth2ApplicationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+	return validate(errs, ctx.Data, f, ctx.Locale)
+}
+
 // TwoFactorAuthForm for logging in with 2FA token.
 type TwoFactorAuthForm struct {
 	Passcode string `binding:"Required"`
diff --git a/modules/generate/generate.go b/modules/generate/generate.go
index d0e7593013..304ad87f21 100644
--- a/modules/generate/generate.go
+++ b/modules/generate/generate.go
@@ -57,16 +57,14 @@ func NewInternalToken() (string, error) {
 	return internalToken, nil
 }
 
-// NewLfsJwtSecret generate a new value intended to be used by LFS_JWT_SECRET.
-func NewLfsJwtSecret() (string, error) {
+// NewJwtSecret generate a new value intended to be used by LFS_JWT_SECRET.
+func NewJwtSecret() (string, error) {
 	JWTSecretBytes := make([]byte, 32)
 	_, err := io.ReadFull(rand.Reader, JWTSecretBytes)
 	if err != nil {
 		return "", err
 	}
-
-	JWTSecretBase64 := base64.RawURLEncoding.EncodeToString(JWTSecretBytes)
-	return JWTSecretBase64, nil
+	return base64.RawURLEncoding.EncodeToString(JWTSecretBytes), nil
 }
 
 // NewSecretKey generate a new value intended to be used by SECRET_KEY.
diff --git a/modules/secret/secret.go b/modules/secret/secret.go
new file mode 100644
index 0000000000..d0e4deacb9
--- /dev/null
+++ b/modules/secret/secret.go
@@ -0,0 +1,33 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package secret
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+)
+
+// New creats a new secret
+func New() (string, error) {
+	return NewWithLength(32)
+}
+
+// NewWithLength creates a new secret for a given length
+func NewWithLength(length int64) (string, error) {
+	return randomString(length)
+}
+
+func randomBytes(len int64) ([]byte, error) {
+	b := make([]byte, len)
+	if _, err := rand.Read(b); err != nil {
+		return nil, err
+	}
+	return b, nil
+}
+
+func randomString(len int64) (string, error) {
+	b, err := randomBytes(len)
+	return base64.URLEncoding.EncodeToString(b), err
+}
diff --git a/modules/secret/secret_test.go b/modules/secret/secret_test.go
new file mode 100644
index 0000000000..c47201f2d7
--- /dev/null
+++ b/modules/secret/secret_test.go
@@ -0,0 +1,22 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package secret
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNew(t *testing.T) {
+	result, err := New()
+	assert.NoError(t, err)
+	assert.True(t, len(result) > 32)
+
+	result2, err := New()
+	assert.NoError(t, err)
+	// check if secrets
+	assert.NotEqual(t, result, result2)
+}
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 4c016f3489..9a36ceb60e 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -560,6 +560,18 @@ var (
 		DefaultGitTreesPerPage: 1000,
 	}
 
+	OAuth2 = struct {
+		Enable                     bool
+		AccessTokenExpirationTime  int64
+		RefreshTokenExpirationTime int64
+		JWTSecretBytes             []byte `ini:"-"`
+		JWTSecretBase64            string `ini:"JWT_SECRET"`
+	}{
+		Enable:                     true,
+		AccessTokenExpirationTime:  3600,
+		RefreshTokenExpirationTime: 730,
+	}
+
 	U2F = struct {
 		AppID         string
 		TrustedFacets []string
@@ -922,7 +934,7 @@ func NewContext() {
 		n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64))
 
 		if err != nil || n != 32 {
-			LFS.JWTSecretBase64, err = generate.NewLfsJwtSecret()
+			LFS.JWTSecretBase64, err = generate.NewJwtSecret()
 			if err != nil {
 				log.Fatal(4, "Error generating JWT Secret for custom config: %v", err)
 				return
@@ -949,6 +961,41 @@ func NewContext() {
 		}
 	}
 
+	if err = Cfg.Section("oauth2").MapTo(&OAuth2); err != nil {
+		log.Fatal(4, "Failed to OAuth2 settings: %v", err)
+		return
+	}
+
+	if OAuth2.Enable {
+		OAuth2.JWTSecretBytes = make([]byte, 32)
+		n, err := base64.RawURLEncoding.Decode(OAuth2.JWTSecretBytes, []byte(OAuth2.JWTSecretBase64))
+
+		if err != nil || n != 32 {
+			OAuth2.JWTSecretBase64, err = generate.NewJwtSecret()
+			if err != nil {
+				log.Fatal(4, "error generating JWT secret: %v", err)
+				return
+			}
+			cfg := ini.Empty()
+			if com.IsFile(CustomConf) {
+				if err := cfg.Append(CustomConf); err != nil {
+					log.Error(4, "failed to load custom conf %s: %v", CustomConf, err)
+					return
+				}
+			}
+			cfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64)
+
+			if err := os.MkdirAll(filepath.Dir(CustomConf), os.ModePerm); err != nil {
+				log.Fatal(4, "failed to create '%s': %v", CustomConf, err)
+				return
+			}
+			if err := cfg.SaveTo(CustomConf); err != nil {
+				log.Fatal(4, "error saving generating JWT secret to custom config: %v", err)
+				return
+			}
+		}
+	}
+
 	sec = Cfg.Section("security")
 	InstallLock = sec.Key("INSTALL_LOCK").MustBool(false)
 	SecretKey = sec.Key("SECRET_KEY").MustString("!#@FDEWREWR&*(")