teamcity-github-auth/src/main/java/org/jetbrains/teamcity/githubauth/GitHubOAuth.java at ec8d4d832e32e324af049d2189c9aa0d0111d195 · JetBrains/teamcity-github-auth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
/*
 * Copyright 2000-2020 JetBrains s.r.o.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.jetbrains.teamcity.githubauth;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.intellij.openapi.diagnostic.Logger;
import jetbrains.buildServer.PluginTypes;
import jetbrains.buildServer.controllers.interceptors.auth.HttpAuthenticationResult;
import jetbrains.buildServer.controllers.interceptors.auth.HttpAuthenticationScheme;
import jetbrains.buildServer.controllers.interceptors.auth.util.HttpAuthUtil;
import jetbrains.buildServer.log.Loggers;
import jetbrains.buildServer.serverSide.auth.ServerPrincipal;
import jetbrains.buildServer.serverSide.oauth.OAuthConnectionDescriptor;
import jetbrains.buildServer.serverSide.oauth.github.GitHubConstants;
import jetbrains.buildServer.users.DuplicateUserAccountException;
import jetbrains.buildServer.users.PluginPropertyKey;
import jetbrains.buildServer.users.SUser;
import jetbrains.buildServer.users.UserSet;
import jetbrains.buildServer.util.StringUtil;
import jetbrains.buildServer.web.util.WebUtil;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;

import static java.util.Collections.emptySet;
import static java.util.Collections.singletonMap;

public class GitHubOAuth implements HttpAuthenticationScheme {
    static final String PLUGIN_PATH_PREFIX = "/gitHubAuth";

    static final PluginPropertyKey GITHUB_USER_ID_PROPERTY_KEY = new PluginPropertyKey(PluginTypes.AUTH_PLUGIN_TYPE, "github-oauth", "userId");
    static final String DEFAULT_SCOPE = "user,public_repo,repo,repo:status,write:repo_hook";
    private static final String STATE_SESSION_ATTR_NAME = "teamcity.gitHubAuth.state";
    static final String TOKEN_REDIRECT_URL = "/oauth/github/accessToken.html";

    @NotNull
    private final GitHubOAuthClient gitHubOAuthClient;
    @NotNull
    private final TeamCityCoreFacade teamCityCore;
    @NotNull
    private volatile Logger logger = Logger.getInstance(Loggers.AUTH_CATEGORY + ".gitHubOAuth");

    public GitHubOAuth(@NotNull GitHubOAuthClient gitHubOAuthClient,
                       @NotNull TeamCityCoreFacade teamCityCore) {
        this.gitHubOAuthClient = gitHubOAuthClient;
        this.teamCityCore = teamCityCore;
        teamCityCore.registerAuthModule(this);
    }

    @NotNull
    public String getUserRedirect(HttpServletRequest request) {
        OAuthConnectionDescriptor connection = getSuitableConnection();
        HttpSession session = request.getSession();
        String state = StringUtil.generateUniqueHash();
        session.setAttribute(STATE_SESSION_ATTR_NAME, state);
        return gitHubOAuthClient.getUserRedirect(connection.getParameters().get(GitHubConstants.CLIENT_ID_PARAM), DEFAULT_SCOPE,
                buildRedirectUrl(), state);
    }

    @NotNull
    @Override
    public HttpAuthenticationResult processAuthenticationRequest(@NotNull HttpServletRequest request, @NotNull HttpServletResponse response, @NotNull Map<String, String> properties) throws IOException {
        HttpAuthenticationResult result = validateRequest(request, response);
        if (result != null) return result;

        OAuthConnectionDescriptor connection = getSuitableConnection();
        GitHubTokenResponse token = gitHubOAuthClient.exchangeCodeToToken(request.getParameter("code"),
                connection.getParameters().get(GitHubConstants.CLIENT_ID_PARAM),
                connection.getParameters().get(GitHubConstants.CLIENT_SECRET_PARAM),
                buildRedirectUrl());
        logger.debug("GitHub token response: " + token.describe(false));

        if (token.error != null) {
            if ("incorrect_client_credentials".equals(token.error)) {
                logger.warn("GitHub login error: invalid Client ID or Client Secret parameters. " +
                        "Ensure that GitHub Connection parameters correspond to the GitHub application. Details: " + token.describe(false));
            } else {
                logger.warn("GitHub login error: " + token.describe(false));
            }
            return HttpAuthUtil.sendUnauthorized(request, response, "GitHub login error" +
                    (token.error_description != null ? ": " + token.error_description : " (see teamcity-auth.log for details)"), emptySet());
        }

        GitHubUser gitHubUser = gitHubOAuthClient.getUser(token.access_token);
        logger.debug("GitHub user obtained: " + gitHubUser.describe(false));

        UserSet<SUser> users = teamCityCore.findUserByPropertyValue(GITHUB_USER_ID_PROPERTY_KEY, gitHubUser.getId());
        Iterator<SUser> iterator = users.getUsers().iterator();
        if (iterator.hasNext()) {
            final SUser found = iterator.next();
            teamCityCore.rememberToken(connection, found, gitHubUser.getLogin(), token.access_token, token.scope);
            logger.debug("Corresponding TeamCity user found for the GitHub user '" + gitHubUser.describe(false) + "': " + found.describe(true));
            return authenticated(request, new ServerPrincipal(null, found.getUsername()));
        }

        try {
            SUser created = teamCityCore.createUser(gitHubUser.getLogin(), gitHubUser.getEmail(), gitHubUser.getName(), singletonMap(GITHUB_USER_ID_PROPERTY_KEY, gitHubUser.getId()));
            logger.debug("New TeamCity user created for the GitHub user '" + gitHubUser.describe(false) + "': " + created.describe(true));
            teamCityCore.rememberToken(connection, created, gitHubUser.getLogin(), token.access_token, token.scope);
            return authenticated(request, new ServerPrincipal(null, gitHubUser.getLogin()));
        } catch (DuplicateUserAccountException e) {
            logger.warn("GitHub login error: user with username '" + gitHubUser.getLogin() + "' already exist.");
            return HttpAuthUtil.sendUnauthorized(request, response, "User with username '" + gitHubUser.getLogin() + "' already exist", emptySet());
        }
    }

    @NotNull
    private HttpAuthenticationResult authenticated(HttpServletRequest request, ServerPrincipal principal) {
        return HttpAuthenticationResult.authenticated(principal, true).withRedirect(request.getContextPath() + "/overview.html");
    }

    @NotNull
    private String buildRedirectUrl() {
        return teamCityCore.getRootUrl() + TOKEN_REDIRECT_URL;
    }

    @Nullable
    private HttpAuthenticationResult validateRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
        if (!request.getRequestURI().endsWith("/oauth/github/accessToken.html")) {
            logger.debug("Skip GitHub authentication: path doesn't match " + request.getPathInfo());
            return HttpAuthenticationResult.notApplicable();
        }

        if (request.getParameter("error") != null) {
            logger.warn("GitHub login error: user was redirected with an 'error', URL: " + request.getRequestURI() + "?" + request.getQueryString());
            return HttpAuthUtil.sendUnauthorized(request, response, "GitHub login error: user was redirected with 'error' param.", emptySet());
        }

        if (Strings.isNullOrEmpty(request.getParameter("code"))) {
            logger.warn("GitHub login error: 'code' parameter is empty");
            return HttpAuthUtil.sendUnauthorized(request, response, "GitHub login error: 'code' parameter is empty", emptySet());
        }

        String state = request.getParameter("state");
        if (state == null) {
            logger.warn("Attempt to login using GitHub with empty 'state' parameter. Request: " + WebUtil.getRequestDump(request));
            return HttpAuthUtil.sendUnauthorized(request, response, "GitHub login error: 'state' parameter is empty", emptySet());
        }

        if (!state.equals(request.getSession().getAttribute(STATE_SESSION_ATTR_NAME))) {
            logger.warn("Attempt to login using GitHub with invalid 'state' parameter: " + state + ". Request: " + WebUtil.getRequestDump(request));
            return HttpAuthUtil.sendUnauthorized(request, response, "GitHub login error: 'state' parameter is invalid", emptySet());
        }
        return null;
    }

    @NotNull
    @Override
    public String getName() {
        return "github-oauth";
    }

    @NotNull
    @Override
    public String getDisplayName() {
        return "GitHub OAuth";
    }

    @NotNull
    @Override
    public String getDescription() {
        return "Allows authentication using GitHub account";
    }

    @Override
    public boolean isMultipleInstancesAllowed() {
        return false;
    }

    @NotNull
    @Override
    public Map<String, String> getDefaultProperties() {
        return Collections.emptyMap();
    }

    @Nullable
    @Override
    public String getEditPropertiesJspFilePath() {
        return GitHubAuthSettingsController.PATH;
    }

    @NotNull
    @Override
    public String describeProperties(@NotNull Map<String, String> properties) {
        return "";
    }

    @Nullable
    @Override
    public Collection<String> validate(@NotNull Map<String, String> properties) {
        if (tryFindSuitableConnection() == null) {
            return Collections.singleton("GitHub Authentication is inactive as GitHub.com Connection in the Root Project is not specified");
        }
        return null;
    }

    @Nullable
    public OAuthConnectionDescriptor tryFindSuitableConnection() {
        return teamCityCore.getRootProjectGitHubConnection();
    }

    @NotNull
    public OAuthConnectionDescriptor getSuitableConnection() {
        if (!isAuthModuleConfigured()) {
            throw new GitHubLoginException("Attempt to login via GitHub OAuth while corresponding auth module is not configured");
        }
        OAuthConnectionDescriptor found = tryFindSuitableConnection();
        if (found == null) {
            throw new GitHubLoginException("Attempt to login via GitHub OAuth while GitHub.com Connection in the Root Project is not configured");
        }
        return found;
    }

    public boolean isAuthModuleConfigured() {
        return teamCityCore.isAuthModuleConfigured(GitHubOAuth.class);
    }

    @VisibleForTesting
    void setLogger(@NotNull Logger logger) {
        this.logger = logger;
    }
}