Integrate OAuth2 Provider

models/error.go

@@ -1366,3 +1366,26 @@ func IsErrReviewNotExist(err error) bool {
 func (err ErrReviewNotExist) Error() string {
 	return fmt.Sprintf("review does not exist [id: %d]", err.ID)
 }
+
+//  ________      _____          __  .__
+//  \_____  \    /  _  \  __ ___/  |_|  |__
+//   /   |   \  /  /_\  \|  |  \   __\  |  \
+//  /    |    \/    |    \  |  /|  | |   Y  \
+//  \_______  /\____|__  /____/ |__| |___|  /
+//          \/         \/                 \/
+
+// ErrOAuthClientIDInvalid will be thrown if client id cannot be found
+type ErrOAuthClientIDInvalid struct {
+	ClientID string
+}
+
+// IsErrOauthClientIDInvalid checks if an error is a ErrReviewNotExist.
+func IsErrOauthClientIDInvalid(err error) bool {
+	_, ok := err.(ErrOAuthClientIDInvalid)
+	return ok
+}
+
+// Error returns the error message
+func (err ErrOAuthClientIDInvalid) Error() string {
+	return fmt.Sprintf("Client ID invalid [Client ID: %s]", err.ClientID)
+}

models/models.go

@@ -125,6 +125,9 @@ func init() {
 		new(U2FRegistration),
 		new(TeamUnit),
 		new(Review),
+		new(OAuth2Application),
+		new(OAuth2AuthorizationCode),
+		new(OAuth2Grant),
 	)
 
 	gonicNames := []string{"SSL", "UID"}

models/oauth2_application.go

@@ -0,0 +1,193 @@
+package models
+
+import (
+	"net/url"
+
+	gouuid "github.com/satori/go.uuid"
+
+	"code.gitea.io/gitea/modules/util"
+	"github.com/Unknwon/com"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+// OAuth2Application represents an OAuth2 client (RFC 6749)
+type OAuth2Application struct {
+	ID   int64 `xorm:"pk autoincr"`
+	UID  int64 `xorm:"INDEX"`
+	User *User `xorm:"-"`
+
+	Name string
+
+	ClientID     string `xorm:"INDEX unique"`
+	ClientSecret string
+
+	RedirectURIs []string `xorm:"redirect_uris JSON TEXT"`
+
+	CreatedUnix util.TimeStamp `xorm:"INDEX created"`
+	UpdatedUnix util.TimeStamp `xorm:"INDEX updated"`
+}
+
+// TableName sets the table name to `oauth2_application`
+func (app *OAuth2Application) TableName() string {
+	return "oauth2_application"
+}
+
+// LoadUser will load User by UID
+func (app *OAuth2Application) LoadUser() (err error) {
+	app.User = new(User)
+	app.User, err = GetUserByID(app.UID)
+	return
+}
+
+// ContainsRedirectURI checks if redirectURI is allowed for app
+func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
+	return com.IsSliceContainsStr(app.RedirectURIs, redirectURI)
+}
+
+// GenerateClientSecret will generate the client secret and returns the plaintext and saves the hash at the database
+func (app *OAuth2Application) GenerateClientSecret() ([]byte, error) {
+	secret := gouuid.NewV4().Bytes()
+	hashedSecret, err := bcrypt.GenerateFromPassword(secret, bcrypt.DefaultCost)
+	if err != nil {
+		return nil, err
+	}
+	app.ClientSecret = string(hashedSecret)
+	return secret, nil
+}
+
+// ValidateClientSecret validates the given secret by the hash saved in database
+func (app *OAuth2Application) ValidateClientSecret(secret []byte) bool {
+	return bcrypt.CompareHashAndPassword([]byte(app.ClientSecret), secret) == nil
+}
+
+// GetGrantByUserID returns a OAuth2Grant by its user and application ID
+func (app *OAuth2Application) GetGrantByUserID(userID int64) (*OAuth2Grant, error) {
+	return app.getGrantByUserID(x, userID)
+}
+
+func (app *OAuth2Application) getGrantByUserID(e Engine, userID int64) (grant *OAuth2Grant, err error) {
+	grant = new(OAuth2Grant)
+	if has, err := e.Where("user_id = ? AND application_id", userID, app.ID).Get(grant); err != nil {
+		return nil, err
+	} else if !has {
+		return nil, nil
+	}
+	return grant, nil
+}
+
+// CreateGrant generates a grant for an user
+func (app *OAuth2Application) CreateGrant(userID int64) (*OAuth2Grant, error) {
+	return app.createGrant(x, userID)
+}
+
+func (app *OAuth2Application) createGrant(e Engine, userID int64) (*OAuth2Grant, error) {
+	grant := &OAuth2Grant{
+		ApplicationID: app.ID,
+		UserID:        userID,
+	}
+	_, err := e.Insert(grant)
+	if err != nil {
+		return nil, err
+	}
+	return grant, nil
+}
+
+// GetOAuth2ApplicationByClientID returns the oauth2 application with the given client_id. Returns an error if not found.
+func GetOAuth2ApplicationByClientID(clientID string) (app *OAuth2Application, err error) {
+	return getOAuth2ApplicationByClientID(x, clientID)
+}
+
+func getOAuth2ApplicationByClientID(e Engine, clientID string) (app *OAuth2Application, err error) {
+	app = new(OAuth2Application)
+	has, err := e.Where("client_id = ?", clientID).Get(app)
+	if !has {
+		return app, ErrOAuthClientIDInvalid{ClientID: clientID}
+	}
+	return
+}
+
+// CreateOAuth2Application inserts a new oauth2 application
+func CreateOAuth2Application(name string, userID int64) (*OAuth2Application, error) {
+	return createOAuth2Application(x, name, userID)
+}
+
+func createOAuth2Application(e Engine, name string, userID int64) (*OAuth2Application, error) {
+	secret := gouuid.NewV4().String()
+	app := &OAuth2Application{
+		UID:          userID,
+		Name:         name,
+		ClientID:     secret,
+		RedirectURIs: []string{"http://localhost:3000"},
+	}
+	if _, err := e.Insert(app); err != nil {
+		return nil, err
+	}
+	return app, nil
+}
+
+//////////////////////////////////////////////////////
+
+// OAuth2AuthorizationCode is a code to obtain an access token in combination with the client secret once. It has a limited lifetime.
+type OAuth2AuthorizationCode struct {
+	ID          int64        `xorm:"pk autoincr"`
+	Grant       *OAuth2Grant `xorm:"-"`
+	GrantID     int64
+	Code        string `xorm:"INDEX unique"`
+	RedirectURI string
+	Lifetime    util.TimeStamp
+}
+
+// TableName sets the table name to `oauth2_authorization_code`
+func (code *OAuth2AuthorizationCode) TableName() string {
+	return "oauth2_authorization_code"
+}
+
+// GenerateRedirectURI generates a redirect URI for a sucessfull authorization request. State will be used if not empty.
+func (code *OAuth2AuthorizationCode) GenerateRedirectURI(state string) (redirect *url.URL, err error) {
+	if redirect, err = url.Parse(code.RedirectURI); err != nil {
+		return
+	}
+	q := redirect.Query()
+	if state != "" {
+		q.Set("state", state)
+	}
+	q.Set("code", code.Code)
+	redirect.RawQuery = q.Encode()
+	return
+}
+
+//////////////////////////////////////////////////////
+
+// OAuth2Grant represents the permission of an user for a specifc application to access resources
+type OAuth2Grant struct {
+	ID            int64          `xorm:"pk autoincr"`
+	UserID        int64          `xorm:"INDEX unique(user_application)"`
+	ApplicationID int64          `xorm:"INDEX unique(user_application)"`
+	CreatedUnix   util.TimeStamp `xorm:"created"`
+	UpdatedUnix   util.TimeStamp `xorm:"updated"`
+}
+
+// TableName sets the table name to `oauth2_grant`
+func (grant *OAuth2Grant) TableName() string {
+	return "oauth2_grant"
+}
+
+// GenerateNewAuthorizationCode generates a new authroization code for a grant and saves it to the databse
+func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI string) (*OAuth2AuthorizationCode, error) {
+	return grant.generateNewAuthorizationCode(x, redirectURI)
+}
+
+func (grant *OAuth2Grant) generateNewAuthorizationCode(e Engine, redirectURI string) (*OAuth2AuthorizationCode, error) {
+	secret := gouuid.NewV4().String()
+	code := &OAuth2AuthorizationCode{
+		Grant:       grant,
+		GrantID:     grant.ID,
+		RedirectURI: redirectURI,
+		Code:        secret,
+	}
+	if _, err := e.Insert(code); err != nil {
+		return nil, err
+	}
+	return code, nil
+}

modules/auth/user_form.go

@@ -125,7 +125,7 @@ func (f *MustChangePasswordForm) Validate(ctx *macaron.Context, errs binding.Err
 	return validate(errs, ctx.Data, f, ctx.Locale)
 }
 
-// SignInForm form for signing in with user/password
+// AuthorizationForm form for signing in with user/password
 type SignInForm struct {
 	UserName string `binding:"Required;MaxSize(254)"`
 	Password string `binding:"Required;MaxSize(255)"`
@@ -137,6 +137,47 @@ func (f *SignInForm) Validate(ctx *macaron.Context, errs binding.Errors) binding
 	return validate(errs, ctx.Data, f, ctx.Locale)
 }
 
+// AuthorizationForm form for authorizing oauth2 clients
+type AuthorizationForm struct {
+	ResponseType string `binding:"Required;In(code)"`
+	ClientID     string `binding:"Required"`
+	RedirectURI  string
+	State        string
+}
+
+// Validate valideates the fields
+func (f *AuthorizationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+	return validate(errs, ctx.Data, f, ctx.Locale)
+}
+
+// GrantApplicationForm form for authorizing oauth2 clients
+type GrantApplicationForm struct {
+	ClientID    string `binding:"Required"`
+	RedirectURI string
+	State       string
+}
+
+// Validate valideates the fields
+func (f *GrantApplicationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+	return validate(errs, ctx.Data, f, ctx.Locale)
+}
+
+// AccessTokenForm for issuing access tokens from authorization codes or refresh tokens
+type AccessTokenForm struct {
+	GrantType    string `binding:"Required;In(authorization_code,refresh_token)"`
+	ClientID     string `binding:"Required"`
+	ClientSecret string `binding:"Required"`
+	RedirectURI  string
+	// TODO Specify authentication code length to prevent against birthday attacks
+	Code         string
+	RefreshToken string
+}
+
+// Validate valideates the fields
+func (f *AccessTokenForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
+	return validate(errs, ctx.Data, f, ctx.Locale)
+}
+
 //   __________________________________________.___ _______    ________  _________
 //  /   _____/\_   _____/\__    ___/\__    ___/|   |\      \  /  _____/ /   _____/
 //  \_____  \  |    __)_   |    |     |    |   |   |/   |   \/   \  ___ \_____  \

options/locale/locale_en-US.ini

@@ -243,6 +243,9 @@ openid_register_desc = The chosen OpenID URI is unknown. Associate it with a new
 openid_signin_desc = Enter your OpenID URI. For example: https://anne.me, bob.openid.org.cn or gnusocial.net/carry.
 disable_forgot_password_mail = Password reset is disabled. Please contact your site administrator.
 email_domain_blacklisted = You cannot register with your email address.
+authorize_application = Authorize application
+authorize_application_description = %s by %s would like permission to access your account.
+authroize_redirect_notice = You will be redirected to "%s" if you authrize this application.
 
 [mail]
 activate_account = Please activate your account

routers/routes/routes.go

@@ -231,6 +231,13 @@ func RegisterRoutes(m *macaron.Macaron) {
 		})
 	}, reqSignOut)
 
+	m.Group("/user/oauth2", func() {
+		m.Get("/authorize", bindIgnErr(auth.AuthorizationForm{}), user.AuthorizeOAuth)
+		m.Post("/grant", bindIgnErr(auth.GrantApplicationForm{}), user.GrantApplicationOAuth)
+		m.Post("/authorize", bindIgnErr(auth.AuthorizationForm{}), user.AuthorizeOAuth)
+		m.Post("/access_token", bindIgnErr(auth.AccessTokenForm{}), reqSignIn, user.AccessTokenOAuth)
+	}, reqSignIn)
+
 	m.Group("/user/settings", func() {
 		m.Get("", userSetting.Profile)
 		m.Post("", bindIgnErr(auth.UpdateProfileForm{}), userSetting.ProfilePost)