github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-22 10:57:04 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Use service account credentials for fetching google hd groups (#18329)

Browse Source 
The previous implementation would attempt to fetch groups using the end-user's Google auth token. This only worked for admin accounts, or users with 'delegated' access to the `admin.directory.group.readonly` API.

This commit changes the approach to use a single 'service account' for fetching the groups. This removes the need to add permissions to all regular user accounts. I'll be updating the [meta docs](https://meta.discourse.org/t/226850) with instructions on setting up the service account.

This is technically a breaking change in behavior, but the existing implementation was marked experimental, and is currently unusable in production google workspace environments.
This commit is contained in:
David Taylor 2022-10-13 16:04:42 +01:00 committed by GitHub
parent 45f93ae75d
commit e0a6d12c55
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 196 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
config/locales/server.en.yml
View File

@ -1732,7 +1732,9 @@ en:
google_oauth2_client_secret: "Client secret of your Google application."
google_oauth2_prompt: "An optional space-delimited list of string values that specifies whether the authorization server prompts the user for reauthentication and consent. See <a href='https://developers.google.com/identity/protocols/OpenIDConnect#prompt' target='_blank'>https://developers.google.com/identity/protocols/OpenIDConnect#prompt</a> for the possible values."
google_oauth2_hd: "An optional Google Apps Hosted domain that the sign-in will be limited to. See <a href='https://developers.google.com/identity/protocols/OpenIDConnect#hd-param' target='_blank'>https://developers.google.com/identity/protocols/OpenIDConnect#hd-param</a> for more details."
google_oauth2_hd_groups: "(experimental) Retrieve users' Google groups on the hosted domain on authentication. Retrieved Google groups can be used to grant automatic Discourse group membership (see group settings)."
google_oauth2_hd_groups: "(experimental) Retrieve users' Google groups on the hosted domain on authentication. Retrieved Google groups can be used to grant automatic Discourse group membership (see group settings). For more information see https://meta.discourse.org/t/226850"
google_oauth2_hd_groups_service_account_admin_email: "An email address belonging to a Google Workspace administrator account. Will be used with the service account credentials to fetch group information."
google_oauth2_hd_groups_service_account_json: "JSON formatted key information for the Service Account. Will be used to fetch group information."
enable_twitter_logins: "Enable Twitter authentication, requires twitter_consumer_key and twitter_consumer_secret. See <a href='https://meta.discourse.org/t/13395' target='_blank'>Configuring Twitter login (and rich embeds) for Discourse</a>."
twitter_consumer_key: "Consumer key for Twitter authentication, registered at <a href='https://developer.twitter.com/apps' target='_blank'>https://developer.twitter.com/apps</a>"
@ -2427,7 +2429,7 @@ en:
unicode_usernames_avatars: "The internal system avatars do not support Unicode usernames."
list_value_count: "The list must contain exactly %{count} values."
markdown_linkify_tlds: "You cannot include a value of '*'."
google_oauth2_hd_groups: "You must first set 'google oauth2 hd' before enabling this setting."
google_oauth2_hd_groups: "You must configure all 'google oauth2 hd' settings before enabling this setting."
search_tokenize_chinese_enabled: "You must disable 'search_tokenize_chinese' before enabling this setting."
search_tokenize_japanese_enabled: "You must disable 'search_tokenize_japanese' before enabling this setting."
discourse_connect_cannot_be_enabled_if_second_factor_enforced: "You cannot enable DiscourseConnect if 2FA is enforced."

5
config/site_settings.yml
View File

@ -429,6 +429,11 @@ login:
google_oauth2_hd_groups:
default: false
validator: GoogleOauth2HdGroupsValidator
google_oauth2_hd_groups_service_account_admin_email:
default: ""
google_oauth2_hd_groups_service_account_json:
default: ""
textarea: true
enable_twitter_logins:
default: false
twitter_consumer_key:

1
lib/auth.rb
View File

@ -6,7 +6,6 @@ require 'auth/auth_provider'
require 'auth/result'
require 'auth/authenticator'
require 'auth/managed_authenticator'
require 'auth/omniauth_strategies/discourse_google_oauth2'
require 'auth/facebook_authenticator'
require 'auth/github_authenticator'
require 'auth/twitter_authenticator'

97
lib/auth/google_oauth2_authenticator.rb
View File

@ -1,6 +1,11 @@
# frozen_string_literal: true
class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator
GROUPS_SCOPE ||= "https://www.googleapis.com/auth/admin.directory.group.readonly"
GROUPS_DOMAIN ||= "admin.googleapis.com"
GROUPS_PATH ||= "/admin/directory/v1/groups"
OAUTH2_BASE_URL ||= "https://oauth2.googleapis.com"
def name
"google_oauth2"
end
@ -16,7 +21,6 @@ class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator
end
def register_middleware(omniauth)
strategy_class = Auth::OmniAuthStrategies::DiscourseGoogleOauth2
options = {
setup: lambda { |env|
strategy = env["omniauth.strategy"]
@ -36,25 +40,96 @@ class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator
# the JWT can fail due to clock skew, so let's skip it completely.
# https://github.com/zquestz/omniauth-google-oauth2/pull/392
strategy.options[:skip_jwt] = true
strategy.options[:request_groups] = provides_groups?
if provides_groups?
strategy.options[:scope] = "#{strategy_class::DEFAULT_SCOPE},#{strategy_class::GROUPS_SCOPE}"
end
}
}
omniauth.provider strategy_class, options
omniauth.provider :google_oauth2, options
end
def after_authenticate(auth_token, existing_account: nil)
result = super
if provides_groups? && (groups = auth_token[:extra][:raw_groups])
result.associated_groups = groups.map { |group| group.slice(:id, :name) }
groups = provides_groups? ? raw_groups(auth_token.uid) : nil
if groups
auth_token.extra[:raw_groups] = groups
end
result = super
if groups
result.associated_groups = groups.map { |group| group.with_indifferent_access.slice(:id, :name) }
end
result
end
def provides_groups?
SiteSetting.google_oauth2_hd.present? && SiteSetting.google_oauth2_hd_groups
SiteSetting.google_oauth2_hd.present? &&
SiteSetting.google_oauth2_hd_groups &&
SiteSetting.google_oauth2_hd_groups_service_account_admin_email.present? &&
SiteSetting.google_oauth2_hd_groups_service_account_json.present?
end
private
def raw_groups(uid)
groups = []
page_token = nil
groups_url = "https://#{GROUPS_DOMAIN}#{GROUPS_PATH}"
client = build_service_account_client
return if client.nil?
loop do
params = {
userKey: uid
}
params[:pageToken] = page_token if page_token
response = client.get(groups_url, params: params, raise_errors: false)
if response.status == 200
response = response.parsed
groups.push(*response['groups'])
page_token = response['nextPageToken']
break if page_token.nil?
else
Rails.logger.error("[Discourse Google OAuth2] failed to retrieve groups for #{uid} - status #{response.status}")
break
end
end
groups
end
def build_service_account_client
service_account_info = JSON.parse(SiteSetting.google_oauth2_hd_groups_service_account_json)
payload = {
iss: service_account_info["client_email"],
aud: "#{OAUTH2_BASE_URL}/token",
scope: GROUPS_SCOPE,
iat: Time.now.to_i,
exp: Time.now.to_i + 60,
sub: SiteSetting.google_oauth2_hd_groups_service_account_admin_email
}
headers = { "alg" => "RS256", "typ" => "JWT" }
key = OpenSSL::PKey::RSA.new(service_account_info["private_key"])
encoded_jwt = ::JWT.encode(payload, key, 'RS256', headers)
client = OAuth2::Client.new(
SiteSetting.google_oauth2_client_id,
SiteSetting.google_oauth2_client_secret,
site: OAUTH2_BASE_URL
)
token_response = client.request(:post, '/token', body: {
grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
assertion: encoded_jwt
}, raise_errors: false)
if token_response.status != 200
Rails.logger.error("[Discourse Google OAuth2] failed to retrieve group fetch token - status #{token_response.status}")
return
end
OAuth2::AccessToken.from_hash(client, token_response.parsed)
end
end

45
lib/auth/omniauth_strategies/discourse_google_oauth2.rb
View File

@ -1,45 +0,0 @@
# frozen_string_literal: true
class Auth::OmniAuthStrategies
class DiscourseGoogleOauth2 < OmniAuth::Strategies::GoogleOauth2
GROUPS_SCOPE ||= "admin.directory.group.readonly"
GROUPS_DOMAIN ||= "admin.googleapis.com"
GROUPS_PATH ||= "/admin/directory/v1/groups"
def extra
hash = {}
hash[:raw_info] = raw_info
hash[:raw_groups] = raw_groups if options[:request_groups]
hash
end
def raw_groups
@raw_groups ||= begin
groups = []
page_token = nil
groups_url = "https://#{GROUPS_DOMAIN}#{GROUPS_PATH}"
loop do
params = {
userKey: uid
}
params[:pageToken] = page_token if page_token
response = access_token.get(groups_url, params: params, raise_errors: false)
if response.status == 200
response = response.parsed
groups.push(*response['groups'])
page_token = response['nextPageToken']
break if page_token.nil?
else
Rails.logger.error("[Discourse Google OAuth2] failed to retrieve groups for #{uid} - status #{response.status}")
break
end
end
groups
end
end
end
end

2
lib/validators/google_oauth2_hd_groups_validator.rb
View File

@ -6,7 +6,7 @@ class GoogleOauth2HdGroupsValidator
end
def valid_value?(value)
@valid = value == "f" || SiteSetting.google_oauth2_hd.present?
@valid = value == "f" || (SiteSetting.google_oauth2_hd.present? && SiteSetting.google_oauth2_hd_groups_service_account_admin_email.present? && SiteSetting.google_oauth2_hd_groups_service_account_json.present?)
end
def error_message

72
spec/lib/auth/google_oauth2_authenticator_spec.rb
View File

@ -117,7 +117,7 @@ RSpec.describe Auth::GoogleOAuth2Authenticator do
group1 = OmniAuth::AuthHash.new(id: "12345", name: "group1")
group2 = OmniAuth::AuthHash.new(id: "67890", name: "group2")
@groups = [group1, group2]
@groups_hash = OmniAuth::AuthHash.new(
@auth_hash = OmniAuth::AuthHash.new(
provider: "google_oauth2",
uid: "123456789",
info: {
@ -132,26 +132,86 @@ RSpec.describe Auth::GoogleOAuth2Authenticator do
email_verified: true,
name: "Jane Doe"
},
raw_groups: @groups
}
)
end
context "when enabled" do
let(:private_key) { OpenSSL::PKey::RSA.generate(2048) }
let(:group_response) {
{
groups: [
{
id: "12345",
name: "group1"
},
{
id: "67890",
name: "group2"
}
]
}
}
before do
SiteSetting.google_oauth2_hd_groups_service_account_admin_email = "admin@example.com"
SiteSetting.google_oauth2_hd_groups_service_account_json = {
"private_key" => private_key.to_s,
"client_email": "discourse-group-sync@example.iam.gserviceaccount.com",
}.to_json
SiteSetting.google_oauth2_hd_groups = true
token = "abcde"
stub_request(:post, "https://oauth2.googleapis.com/token").to_return do |request|
jwt = Rack::Utils.parse_query(request.body)["assertion"]
decoded_token = JWT.decode(jwt, private_key.public_key, true, { algorithm: 'RS256' })
{
status: 200,
body: { "access_token" => token, "type" => "bearer" }.to_json,
headers: { "Content-Type" => "application/json" }
}
rescue JWT::VerificationError
{
status: 403,
body: "Invalid JWT"
}
end
stub_request(:get, "https://admin.googleapis.com/admin/directory/v1/groups?userKey=#{@auth_hash.uid}").
with(headers: { "Authorization" => "Bearer #{token}" }).
to_return do
{
status: 200,
body: group_response.to_json,
headers: {
"Content-Type" => "application/json"
}
}
end
end
it "adds associated groups" do
result = described_class.new.after_authenticate(@groups_hash)
result = described_class.new.after_authenticate(@auth_hash)
expect(result.associated_groups).to eq(@groups)
end
it "handles a blank groups array" do
@groups_hash[:extra][:raw_groups] = []
result = described_class.new.after_authenticate(@groups_hash)
group_response[:groups] = []
result = described_class.new.after_authenticate(@auth_hash)
expect(result.associated_groups).to eq([])
end
it "doesn't explode with invalid credentials" do
SiteSetting.google_oauth2_hd_groups_service_account_json = {
"private_key" => OpenSSL::PKey::RSA.generate(2048).to_s,
"client_email": "discourse-group-sync@example.iam.gserviceaccount.com",
}.to_json
result = described_class.new.after_authenticate(@auth_hash)
expect(result.associated_groups).to eq(nil)
end
end
context "when disabled" do
@ -160,7 +220,7 @@ RSpec.describe Auth::GoogleOAuth2Authenticator do
end
it "doesnt add associated groups" do
result = described_class.new.after_authenticate(@groups_hash)
result = described_class.new.after_authenticate(@auth_hash)
expect(result.associated_groups).to eq(nil)
end
end

124
spec/lib/auth/omniauth_strategies/discourse_google_oauth2_spec.rb
View File

@ -1,124 +0,0 @@
# frozen_string_literal: true
RSpec.describe Auth::OmniAuthStrategies::DiscourseGoogleOauth2 do
let(:response_hash) do
{
email: 'user@domain.com',
email_verified: true
}
end
let(:groups) do
[
{
id: "12345",
name: "group1"
},
{
id: "67890",
name: "group2"
}
]
end
let(:uid) { "12345" }
let(:domain) { "domain.com" }
def build_response(body, code = 200)
[code, { 'Content-Type' => 'application/json' }, body.to_json]
end
def build_client(groups_response)
OAuth2::Client.new('abc', 'def') do |builder|
builder.request :url_encoded
builder.adapter :test do |stub|
stub.get('/oauth2/v3/userinfo') { build_response(response_hash) }
stub.get(described_class::GROUPS_PATH) { groups_response }
end
end
end
let(:successful_groups_client) do
build_client(
build_response(
groups: groups
)
)
end
let(:unsuccessful_groups_client) do
build_client(
build_response(
error: {
code: 403,
message: "Not Authorized to access this resource/api"
}
)
)
end
let(:successful_groups_token) do
OAuth2::AccessToken.from_hash(successful_groups_client, {})
end
let(:unsuccessful_groups_token) do
OAuth2::AccessToken.from_hash(unsuccessful_groups_client, {})
end
def app
lambda do |_env|
[200, {}, ["Hello."]]
end
end
def build_strategy(access_token)
strategy = described_class.new(app, 'appid', 'secret', @options)
strategy.stubs(:uid).returns(uid)
strategy.stubs(:access_token).returns(access_token)
strategy
end
before do
@options = {}
OmniAuth.config.test_mode = true
end
after do
OmniAuth.config.test_mode = false
end
context 'when request_groups is true' do
before do
@options[:request_groups] = true
end
context 'when groups request successful' do
before do
@strategy = build_strategy(successful_groups_token)
end
it 'should include users groups' do
expect(@strategy.extra[:raw_groups].map(&:symbolize_keys)).to eq(groups)
end
end
context 'when groups request unsuccessful' do
before do
@strategy = build_strategy(unsuccessful_groups_token)
end
it 'users groups should be empty' do
expect(@strategy.extra[:raw_groups].empty?).to eq(true)
end
end
end
context 'when request_groups is not true' do
before do
@options[:request_groups] = false
@strategy = build_strategy(successful_groups_token)
end
it 'should not include users groups' do
expect(@strategy.extra).not_to have_key(:raw_groups)
end
end
end

2
spec/models/associated_group_spec.rb
View File

@ -14,6 +14,8 @@ RSpec.describe AssociatedGroup do
SiteSetting.enable_google_oauth2_logins = true
SiteSetting.google_oauth2_hd = 'domain.com'
SiteSetting.google_oauth2_hd_groups = false
SiteSetting.google_oauth2_hd_groups_service_account_admin_email = "test@example.com"
SiteSetting.google_oauth2_hd_groups_service_account_json = "{}"
expect(described_class.has_provider?).to eq(false)
SiteSetting.google_oauth2_hd_groups = true

41
spec/requests/omniauth_callbacks_controller_spec.rb
View File

@ -786,9 +786,7 @@ RSpec.describe Users::OmniauthCallbacksController do
end
context "when groups are enabled" do
let(:strategy_class) { Auth::OmniAuthStrategies::DiscourseGoogleOauth2 }
let(:groups_url) { "#{strategy_class::GROUPS_DOMAIN}#{strategy_class::GROUPS_PATH}" }
let(:groups_scope) { strategy_class::DEFAULT_SCOPE + strategy_class::GROUPS_SCOPE }
let(:private_key) { OpenSSL::PKey::RSA.generate(2048) }
let(:group1) { { id: "12345", name: "group1" } }
let(:group2) { { id: "67890", name: "group2" } }
let(:uid) { "12345" }
@ -796,22 +794,50 @@ RSpec.describe Users::OmniauthCallbacksController do
let(:domain) { "mydomain.com" }
def mock_omniauth_for_groups(groups)
raw_groups = groups.map { |group| OmniAuth::AuthHash.new(group) }
mock_auth = OmniAuth.config.mock_auth[:google_oauth2]
mock_auth[:extra][:raw_groups] = raw_groups
OmniAuth.config.mock_auth[:google_oauth2] = mock_auth
Rails.application.env_config["omniauth.auth"] = mock_auth
SiteSetting.google_oauth2_hd_groups_service_account_admin_email = "admin@example.com"
SiteSetting.google_oauth2_hd_groups_service_account_json = {
"private_key" => private_key.to_s,
"client_email": "discourse-group-sync@example.iam.gserviceaccount.com",
}.to_json
SiteSetting.google_oauth2_hd_groups = true
stub_request(:post, "https://oauth2.googleapis.com/token").to_return do |request|
jwt = Rack::Utils.parse_query(request.body)["assertion"]
decoded_token = JWT.decode(jwt, private_key.public_key, true, { algorithm: 'RS256' })
{
status: 200,
body: { "access_token" => token, "type" => "bearer" }.to_json,
headers: { "Content-Type" => "application/json" }
}
end
stub_request(:get, "https://admin.googleapis.com/admin/directory/v1/groups?userKey=#{mock_auth.uid}").
with(headers: { "Authorization" => "Bearer #{token}" }).
to_return do
{
status: 200,
body: { groups: groups }.to_json,
headers: {
"Content-Type" => "application/json"
}
}
end
end
before do
SiteSetting.google_oauth2_hd = domain
SiteSetting.google_oauth2_hd_groups_service_account_admin_email = "test@example.com"
SiteSetting.google_oauth2_hd_groups_service_account_json = "{}"
SiteSetting.google_oauth2_hd_groups = true
end
it "updates associated groups" do
mock_omniauth_for_groups([group1, group2])
get "/auth/google_oauth2/callback.json", params: {
scope: groups_scope.split(' '),
code: 'abcde',
hd: domain
}
@ -829,7 +855,6 @@ RSpec.describe Users::OmniauthCallbacksController do
mock_omniauth_for_groups([group1])
get "/auth/google_oauth2/callback.json", params: {
scope: groups_scope.split(' '),
code: 'abcde',
hd: domain
}
@ -842,7 +867,6 @@ RSpec.describe Users::OmniauthCallbacksController do
mock_omniauth_for_groups([])
get "/auth/google_oauth2/callback.json", params: {
scope: groups_scope.split(' '),
code: 'abcde',
hd: domain
}
@ -858,7 +882,6 @@ RSpec.describe Users::OmniauthCallbacksController do
mock_omniauth_for_groups([])
get "/auth/google_oauth2/callback.json", params: {
scope: groups_scope.split(' '),
code: 'abcde',
hd: domain
}