Merge remote-tracking branch 'refs/remotes/origin/master'

* refs/remotes/origin/master:
  GoogleOAuthService: Use StringBuilder
  CasOAuthService: Format using google-java-format
  Make preferred_username optional for Keycloak
  Upgrade bazlets to latest version to build with 3.5.0.1 API
  Bump Bazel version to 4.2.0
  AzureActiveDirectoryService: Use UrlDecoder for base64 decoding
  Include jackson-core explicitly
  Rename Office365AuthService to AzureActiveDirectoryService
  Using MicrosoftAzureActiveDirectory20Api from scribejava-apis
  Validate the tokens issued from Azure
  Office365 OAuth: Add support for specifying a tenant
  GoogleOAuthService: Decode JWTs as UTF-8
  DexOAuthService: Decode JWTs as UTF-8
  Decode Keycloak JWTs as UTF-8
  Upgrade bazlets to latest stable-3.1 to build with 3.1.10 API
  Bump Bazel version to 3.7.0
  Upgrade bazlets to latest stable-3.0 to build with 3.0.13 API
  GithubApiUrlTest: Adapt to PluginConfig update change in master
  Bump Bazel version to 3.5.0
  Upgrade bazlets to latest master to build with 3.2.3 API
  Upgrade bazlets to latest stable-3.1 to build with 3.1.8 API
  Upgrade bazlets to latest stable-3.0 to build with 3.0.12 API
  Upgrade bazlets to latest stable-2.16 to build with 2.16.22 API
  Add support for Phabricator OAuth provider
  Bump Bazel version to 3.4.1
  LemonLDAP::NG: Remove getBearerSignature() override
  LemonLDAP::NG: Fix default scope name
  LemonLDAP::NG: Set username claim name in accordance with specs
  Office365OAuthService: Restore Accept header in user info request
  Upgrade bazlets to latest master to build with 3.2.2 API
  Upgrade bazlets to latest stable-3.1 to build with 3.1.7 API
  Upgrade bazlets to latest stable-3.0 to build with 3.0.11 API
  Remove the commented-out snapshot plugin api lines
  Adapt SNAPSHOT plugin api example to the 3.1 version
  Upgrade bazlets to latest stable-3.1
  Prepare for new gerrit_api snapshot version usage
  Upgrade bazlets to latest stable-3.0
  Upgrade bazlets to latest stable-3.0
  Upgrade bazlets to latest stable-2.16
  Upgrade bazlets to latest master to build with 3.2.1 API
  Upgrade bazlets to latest stable-3.1 to build with 3.1.6 API
  Upgrade bazlets to latest stable-3.0 to build with 3.0.10 API
  Upgrade bazlets to latest stable-2.16 to build with 2.16.21 API
  Upgrade bazlets to latest stable-2.15 to build with 2.15.19 API
  Upgrade bazlets to latest stable-2.14 to build with 2.14.21 API
  Prevent NPE in Cas service
  Upgrade bazlets to latest stable-2.16 to build with 2.16.20 API
  Fix bazlets using latest stable-3.1 to build with 3.1.5 API
  Upgrade bazlets to latest stable-3.1 to build with 3.1.5 API
  Upgrade bazlets to latest stable-3.0 to build with 3.0.9 API
  Upgrade bazlets to latest stable-2.16 to build with 2.16.19 API
  Upgrade bazlets to latest stable-2.16 to build with 2.16.18 API
  Bump Bazel version to 3.1.0
  Upgrade bazlets to latest master to build with 3.2.0-rc0 API
  Bump Bazel version to 3.0.0
  Ensure that LemonLDAP is configured on init
  Upgrade bazlets to latest master to build with 3.1.4 API
  Upgrade bazlets to latest stable-2.16 to build with 2.16.17 API
  Upgrade bazlets to latest stable-3.0 to build with 3.0.8 API

Change-Id: I285feedaa4d741d7c567d10376ea934456260c94

.bazelversion

@@ -1 +1 @@
-2.2.0
+4.2.0

BUILD

@@ -20,7 +20,9 @@ gerrit_plugin(
     resources = glob(["src/main/resources/**/*"]),
     deps = [
         "@commons-codec//jar:neverlink",
+        "@jackson-core//jar",
         "@jackson-databind//jar",
+        "@scribejava-apis//jar",
         "@scribejava-core//jar",
     ],
 )
@@ -31,6 +33,7 @@ junit_tests(
     tags = ["oauth"],
     deps = [
         ":gerrit-oauth-provider__plugin_test_deps",
+        "@scribejava-apis//jar",
         "@scribejava-core//jar",
     ],
 )

README.md

@@ -17,7 +17,8 @@ Supported OAuth providers:
 * [Google](https://developers.google.com/identity/protocols/OAuth2)
 * [Keycloak](http://www.keycloak.org/)
 * [LemonLDAP::NG](https://lemonldap-ng.org)
-* [Office365](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols)
+* [Azure (previously named Office365)](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols)
+* [Phabricator](https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/)
 
 See the [Wiki](https://github.com/davido/gerrit-oauth-provider/wiki) what it can do for you.
 

WORKSPACE

@@ -3,20 +3,10 @@ workspace(name = "com_github_davido_gerrit_oauth_provider")
 load("//:bazlets.bzl", "load_bazlets")
 
 load_bazlets(
-    commit = "2add9fecf8bec8634bddf354815bd0fa93f58dd5",
+    commit = "8fa44957c3b3b89ce1d96eba67441882c54503fc",
     #local_path = "/home/<user>/projects/bazlets",
 )
 
-# Snapshot Plugin API
-#load(
-#    "@com_googlesource_gerrit_bazlets//:gerrit_api_maven_local.bzl",
-#    "gerrit_api_maven_local",
-#)
-
-# Load snapshot Plugin API
-#gerrit_api_maven_local()
-
-# Release Plugin API
 load(
     "@com_googlesource_gerrit_bazlets//:gerrit_api.bzl",
     "gerrit_api",

external_plugin_deps.bzl

@@ -2,11 +2,17 @@ load("//tools/bzl:maven_jar.bzl", "maven_jar")
 
 def external_plugin_deps(omit_commons_codec = True):
     JACKSON_VERS = "2.10.2"
+    SCRIBEJAVA_VERS = "6.9.0"
     maven_jar(
         name = "scribejava-core",
-        artifact = "com.github.scribejava:scribejava-core:6.9.0",
+        artifact = "com.github.scribejava:scribejava-core:" + SCRIBEJAVA_VERS,
         sha1 = "ed761f450d8382f75787e8fee9ae52e7ec768747",
     )
+    maven_jar(
+        name = "scribejava-apis",
+        artifact = "com.github.scribejava:scribejava-apis:" + SCRIBEJAVA_VERS,
+        sha1 = "a374c7a36533e58e53b42b584a8b3751ab1e13c4",
+    )
     maven_jar(
         name = "jackson-annotations",
         artifact = "com.fasterxml.jackson.core:jackson-annotations:" + JACKSON_VERS,
@@ -20,6 +26,11 @@ def external_plugin_deps(omit_commons_codec = True):
             "@jackson-annotations//jar",
         ],
     )
+    maven_jar(
+        name = "jackson-core",
+        artifact = "com.fasterxml.jackson.core:jackson-core:" + JACKSON_VERS,
+        sha1 = "73d4322a6bda684f676a2b5fe918361c4e5c7cca",
+    )
     if not omit_commons_codec:
         maven_jar(
             name = "commons-codec",

src/main/java/com/googlesource/gerrit/plugins/oauth/AzureActiveDirectoryService.java

@@ -0,0 +1,242 @@
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.googlesource.gerrit.plugins.oauth;
+
+import static com.google.gerrit.json.OutputFormat.JSON;
+
+import com.github.scribejava.apis.MicrosoftAzureActiveDirectory20Api;
+import com.github.scribejava.core.builder.ServiceBuilder;
+import com.github.scribejava.core.exceptions.OAuthException;
+import com.github.scribejava.core.model.OAuth2AccessToken;
+import com.github.scribejava.core.model.OAuthRequest;
+import com.github.scribejava.core.model.Response;
+import com.github.scribejava.core.model.Verb;
+import com.github.scribejava.core.oauth.OAuth20Service;
+import com.google.common.base.CharMatcher;
+import com.google.common.collect.ImmutableSet;
+import com.google.gerrit.extensions.annotations.PluginName;
+import com.google.gerrit.extensions.auth.oauth.OAuthServiceProvider;
+import com.google.gerrit.extensions.auth.oauth.OAuthToken;
+import com.google.gerrit.extensions.auth.oauth.OAuthUserInfo;
+import com.google.gerrit.extensions.auth.oauth.OAuthVerifier;
+import com.google.gerrit.server.config.CanonicalWebUrl;
+import com.google.gerrit.server.config.PluginConfig;
+import com.google.gerrit.server.config.PluginConfigFactory;
+import com.google.gson.Gson;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.google.inject.Singleton;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.concurrent.ExecutionException;
+import javax.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@Singleton
+class AzureActiveDirectoryService implements OAuthServiceProvider {
+  private static final Logger log = LoggerFactory.getLogger(AzureActiveDirectoryService.class);
+  static final String CONFIG_SUFFIX_LEGACY = "-office365-oauth";
+  static final String CONFIG_SUFFIX = "-azure-oauth";
+  private static final String AZURE_PROVIDER_PREFIX = "azure-oauth:";
+  private static final String OFFICE365_PROVIDER_PREFIX = "office365-oauth:";
+  private static final String PROTECTED_RESOURCE_URL = "https://graph.microsoft.com/v1.0/me";
+  private static final String SCOPE =
+      "openid offline_access https://graph.microsoft.com/user.readbasic.all";
+  public static final String DEFAULT_TENANT = "organizations";
+  private static final ImmutableSet<String> TENANTS_WITHOUT_VALIDATION =
+      ImmutableSet.<String>builder().add(DEFAULT_TENANT).add("common").add("consumers").build();
+  private final OAuth20Service service;
+  private final Gson gson;
+  private final String canonicalWebUrl;
+  private final boolean useEmailAsUsername;
+  private final String tenant;
+  private final String clientId;
+  private String providerPrefix;
+  private final boolean linkOffice365Id;
+
+  @Inject
+  AzureActiveDirectoryService(
+      PluginConfigFactory cfgFactory,
+      @PluginName String pluginName,
+      @CanonicalWebUrl Provider<String> urlProvider) {
+    PluginConfig cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX);
+    providerPrefix = AZURE_PROVIDER_PREFIX;
+
+    // ?: Did we find the client_id with the CONFIG_SUFFIX
+    if (cfg.getString(InitOAuth.CLIENT_ID) == null) {
+      // -> No, we did not find the client_id in the azure config so we should try the old legacy
+      // office365 section
+      cfg = cfgFactory.getFromGerritConfig(pluginName + CONFIG_SUFFIX_LEGACY);
+      // We must also use the new provider prefix
+      providerPrefix = OFFICE365_PROVIDER_PREFIX;
+    }
+    this.linkOffice365Id = cfg.getBoolean(InitOAuth.LINK_TO_EXISTING_OFFICE365_ACCOUNT, false);
+    this.canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(urlProvider.get()) + "/";
+    this.useEmailAsUsername = cfg.getBoolean(InitOAuth.USE_EMAIL_AS_USERNAME, false);
+    this.tenant = cfg.getString(InitOAuth.TENANT, DEFAULT_TENANT);
+    this.clientId = cfg.getString(InitOAuth.CLIENT_ID);
+    this.service =
+        new ServiceBuilder(cfg.getString(InitOAuth.CLIENT_ID))
+            .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET))
+            .callback(canonicalWebUrl + "oauth")
+            .defaultScope(SCOPE)
+            .build(MicrosoftAzureActiveDirectory20Api.custom(tenant));
+    this.gson = JSON.newGson();
+    if (log.isDebugEnabled()) {
+      log.debug("OAuth2: canonicalWebUrl={}", canonicalWebUrl);
+      log.debug("OAuth2: scope={}", SCOPE);
+      log.debug("OAuth2: useEmailAsUsername={}", useEmailAsUsername);
+    }
+  }
+
+  @Override
+  public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException {
+    // ?: Have we set a custom tenant and is this a tenant other than the one set in
+    // TENANTS_WITHOUT_VALIDATION
+    if (!TENANTS_WITHOUT_VALIDATION.contains(tenant)) {
+      // -> Yes, we are using a tenant that should be validated, so verify that is issued for the
+      // same one that we
+      // have set.
+      String tid = getTokenJson(token.getToken()).get("tid").getAsString();
+
+      // ?: Verify that this token has the same tenant as we are currently using
+      if (!tenant.equals(tid)) {
+        // -> No, this tenant does not equals the one in the token. So we should stop processing
+        log.warn(
+            String.format(
+                "The token was issued by the tenant [%s] while we are set to use [%s]",
+                tid, tenant));
+        // Return null so the user will be shown Unauthorized.
+        return null;
+      }
+    }
+
+    // Due to scribejava does not expose the id_token we need to do this a bit convoluted way to
+    // extract this our self
+    // see <a href="https://github.com/scribejava/scribejava/issues/968">Obtaining id_token from
+    // access_token</a> for
+    // the scribejava issue on this.
+    String rawToken = token.getRaw();
+    JsonObject jwtJson = gson.fromJson(rawToken, JsonObject.class);
+    String idTokenBase64 = jwtJson.get("id_token").getAsString();
+    String aud = getTokenJson(idTokenBase64).get("aud").getAsString();
+
+    // ?: Does this token have the same clientId set in the 'aud' part of the id_token as we are
+    // using.
+    // If not we should reject it
+    // see <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens">id
+    // tokens Payload claims></a>
+    // for information on the aud claim.
+    if (!clientId.equals(aud)) {
+      log.warn(
+          String.format(
+              "The id_token had aud [%s] while we expected it to be equal to the clientId [%s]",
+              aud, clientId));
+      // Return null so the user will be shown Unauthorized.
+      return null;
+    }
+
+    OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL);
+    OAuth2AccessToken t = new OAuth2AccessToken(token.getToken(), token.getRaw());
+    service.signRequest(t, request);
+    request.addHeader("Accept", "*/*");
+
+    JsonElement userJson = null;
+    try (Response response = service.execute(request)) {
+      if (response.getCode() != HttpServletResponse.SC_OK) {
+        throw new IOException(
+            String.format(
+                "Status %s (%s) for request %s",
+                response.getCode(), response.getBody(), request.getUrl()));
+      }
+      userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class);
+      if (log.isDebugEnabled()) {
+        log.debug("User info response: {}", response.getBody());
+      }
+      if (userJson.isJsonObject()) {
+        JsonObject jsonObject = userJson.getAsJsonObject();
+        JsonElement id = jsonObject.get("id");
+        if (id == null || id.isJsonNull()) {
+          throw new IOException("Response doesn't contain id field");
+        }
+        JsonElement email = jsonObject.get("mail");
+        JsonElement name = jsonObject.get("displayName");
+        String login = null;
+
+        if (useEmailAsUsername && !email.isJsonNull()) {
+          login = email.getAsString().split("@")[0];
+        }
+
+        return new OAuthUserInfo(
+            providerPrefix + id.getAsString() /*externalId*/,
+            login /*username*/,
+            email == null || email.isJsonNull() ? null : email.getAsString() /*email*/,
+            name == null || name.isJsonNull() ? null : name.getAsString() /*displayName*/,
+            linkOffice365Id ? OFFICE365_PROVIDER_PREFIX + id.getAsString() : null);
+      }
+    } catch (ExecutionException | InterruptedException e) {
+      throw new RuntimeException("Cannot retrieve user info resource", e);
+    }
+
+    throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson));
+  }
+
+  @Override
+  public OAuthToken getAccessToken(OAuthVerifier rv) {
+    try {
+      OAuth2AccessToken accessToken = service.getAccessToken(rv.getValue());
+      return new OAuthToken(
+          accessToken.getAccessToken(), accessToken.getTokenType(), accessToken.getRawResponse());
+    } catch (InterruptedException | ExecutionException | IOException e) {
+      String msg = "Cannot retrieve access token";
+      log.error(msg, e);
+      throw new RuntimeException(msg, e);
+    }
+  }
+
+  @Override
+  public String getAuthorizationUrl() {
+    String url = service.getAuthorizationUrl();
+    return url;
+  }
+
+  @Override
+  public String getVersion() {
+    return service.getVersion();
+  }
+
+  @Override
+  public String getName() {
+    return "Office365 OAuth2";
+  }
+
+  /** Get the {@link JsonObject} of a given token. */
+  private JsonObject getTokenJson(String tokenBase64) {
+    String[] tokenParts = tokenBase64.split("\\.");
+    if (tokenParts.length != 3) {
+      throw new OAuthException("Token does not contain expected number of parts");
+    }
+
+    // Extract the payload part from the JWT token (header.payload.signature) by retrieving
+    // tokenParts[1].
+    return gson.fromJson(
+        new String(Base64.getUrlDecoder().decode(tokenParts[1]), StandardCharsets.UTF_8),
+        JsonObject.class);
+  }
+}

src/main/java/com/googlesource/gerrit/plugins/oauth/CasOAuthService.java

@@ -14,6 +14,7 @@
 
 package com.googlesource.gerrit.plugins.oauth;
 
+import static com.google.common.base.Strings.nullToEmpty;
 import static com.google.gerrit.json.OutputFormat.JSON;
 
 import com.github.scribejava.core.builder.ServiceBuilder;
@@ -128,11 +129,17 @@ public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException {
           JsonObject obj = elem.getAsJsonObject();
 
           String property = getStringElement(obj, "email");
-          if (property != null) email = property;
+          if (property != null) {
+            email = property;
+          }
           property = getStringElement(obj, "name");
-          if (property != null) name = property;
+          if (property != null) {
+            name = property;
+          }
           property = getStringElement(obj, "login");
-          if (property != null) login = property;
+          if (property != null) {
+            login = property;
+          }
         }
       }
 
@@ -149,7 +156,9 @@ public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException {
 
   private String getStringElement(JsonObject o, String name) {
     JsonElement elem = o.get(name);
-    if (elem == null || elem.isJsonNull()) return null;
+    if (elem == null || elem.isJsonNull()) {
+      return null;
+    }
 
     return elem.getAsString();
   }
@@ -159,7 +168,9 @@ public OAuthToken getAccessToken(OAuthVerifier rv) {
     try {
       OAuth2AccessToken accessToken = service.getAccessToken(rv.getValue());
       return new OAuthToken(
-          accessToken.getAccessToken(), accessToken.getTokenType(), accessToken.getRawResponse());
+          accessToken.getAccessToken(),
+          nullToEmpty(accessToken.getTokenType()),
+          accessToken.getRawResponse());
     } catch (InterruptedException | ExecutionException | IOException e) {
       String msg = "Cannot retrieve access token";
       log.error(msg, e);