generic: add ability to read generic OAuth config

mjcheetham · mjcheetham · commit 717b8225f431 · 2023-02-01T11:09:02.000-08:00
Teach the Generic host provider to read configuration for OAuth-based
authentication. These are largely parameters required for the
OAuth2Client to be constructed including Client ID/Secret, Redirect URI
and Scopes.
diff --git a/src/shared/Core.Tests/GenericOAuthConfigTests.cs b/src/shared/Core.Tests/GenericOAuthConfigTests.cs
@@ -0,0 +1,61 @@
+using System;
+using GitCredentialManager.Tests.Objects;
+using Xunit;
+
+namespace GitCredentialManager.Tests
+{
+    public class GenericOAuthConfigTests
+    {
+        [Fact]
+        public void GenericOAuthConfig_TryGet_Valid_ReturnsTrue()
+        {
+            var remoteUri = new Uri("https://example.com");
+            const string expectedClientId = "115845b0-77f8-4c06-a3dc-7d277381fad1";
+            const string expectedClientSecret = "4D35385D9F24";
+            const string expectedUserName = "TEST_USER";
+            const string authzEndpoint = "/oauth/authorize";
+            const string tokenEndpoint = "/oauth/token";
+            const string deviceEndpoint = "/oauth/device";
+            string[] expectedScopes = { "scope1", "scope2" };
+            var expectedRedirectUri = new Uri("http://localhost:12345");
+            var expectedAuthzEndpoint = new Uri(remoteUri, authzEndpoint);
+            var expectedTokenEndpoint = new Uri(remoteUri, tokenEndpoint);
+            var expectedDeviceEndpoint = new Uri(remoteUri, deviceEndpoint);
+
+            string GetKey(string name) => $"{Constants.GitConfiguration.Credential.SectionName}.https://example.com.{name}";
+
+            var trace = new NullTrace();
+            var settings = new TestSettings
+            {
+                GitConfiguration = new TestGitConfiguration
+                {
+                    Global =
+                    {
+                        [GetKey(Constants.GitConfiguration.Credential.OAuthClientId)] = new[] { expectedClientId },
+                        [GetKey(Constants.GitConfiguration.Credential.OAuthClientSecret)] = new[] { expectedClientSecret },
+                        [GetKey(Constants.GitConfiguration.Credential.OAuthRedirectUri)] = new[] { expectedRedirectUri.ToString() },
+                        [GetKey(Constants.GitConfiguration.Credential.OAuthScopes)] = new[] { string.Join(' ', expectedScopes) },
+                        [GetKey(Constants.GitConfiguration.Credential.OAuthAuthzEndpoint)] = new[] { authzEndpoint },
+                        [GetKey(Constants.GitConfiguration.Credential.OAuthTokenEndpoint)] = new[] { tokenEndpoint },
+                        [GetKey(Constants.GitConfiguration.Credential.OAuthDeviceEndpoint)] = new[] { deviceEndpoint },
+                        [GetKey(Constants.GitConfiguration.Credential.OAuthDefaultUserName)] = new[] { expectedUserName },
+                    }
+                },
+                RemoteUri = remoteUri
+            };
+
+            bool result = GenericOAuthConfig.TryGet(trace, settings, remoteUri, out GenericOAuthConfig config);
+
+            Assert.True(result);
+            Assert.Equal(expectedClientId, config.ClientId);
+            Assert.Equal(expectedClientSecret, config.ClientSecret);
+            Assert.Equal(expectedRedirectUri, config.RedirectUri);
+            Assert.Equal(expectedScopes, config.Scopes);
+            Assert.Equal(expectedAuthzEndpoint, config.Endpoints.AuthorizationEndpoint);
+            Assert.Equal(expectedTokenEndpoint, config.Endpoints.TokenEndpoint);
+            Assert.Equal(expectedDeviceEndpoint, config.Endpoints.DeviceAuthorizationEndpoint);
+            Assert.Equal(expectedUserName, config.DefaultUserName);
+            Assert.True(config.UseAuthHeader);
+        }
+    }
+}
diff --git a/src/shared/Core/Constants.cs b/src/shared/Core/Constants.cs
@@ -89,6 +89,16 @@ public static class EnvironmentVariables
             public const string GcmAutoDetectTimeout  = "GCM_AUTODETECT_TIMEOUT";
             public const string GcmGuiPromptsEnabled  = "GCM_GUI_PROMPT";
             public const string GcmUiHelper           = "GCM_UI_HELPER";
+            public const string OAuthAuthenticationModes = "GCM_OAUTH_AUTHMODES";
+            public const string OAuthClientId            = "GCM_OAUTH_CLIENTID";
+            public const string OAuthClientSecret        = "GCM_OAUTH_CLIENTSECRET";
+            public const string OAuthRedirectUri         = "GCM_OAUTH_REDIRECTURI";
+            public const string OAuthScopes              = "GCM_OAUTH_SCOPES";
+            public const string OAuthAuthzEndpoint       = "GCM_OAUTH_AUTHORIZE_ENDPOINT";
+            public const string OAuthTokenEndpoint       = "GCM_OAUTH_TOKEN_ENDPOINT";
+            public const string OAuthDeviceEndpoint      = "GCM_OAUTH_DEVICE_ENDPOINT";
+            public const string OAuthClientAuthHeader    = "GCM_OAUTH_USE_CLIENT_AUTH_HEADER";
+            public const string OAuthDefaultUserName     = "GCM_OAUTH_DEFAULT_USERNAME";
         }
 
         public static class Http
@@ -125,6 +135,17 @@ public static class Credential
                 public const string AutoDetectTimeout = "autoDetectTimeout";
                 public const string GuiPromptsEnabled = "guiPrompt";
                 public const string UiHelper = "uiHelper";
+
+                public const string OAuthAuthenticationModes = "oauthAuthModes";
+                public const string OAuthClientId            = "oauthClientId";
+                public const string OAuthClientSecret        = "oauthClientSecret";
+                public const string OAuthRedirectUri         = "oauthRedirectUri";
+                public const string OAuthScopes              = "oauthScopes";
+                public const string OAuthAuthzEndpoint       = "oauthAuthorizeEndpoint";
+                public const string OAuthTokenEndpoint       = "oauthTokenEndpoint";
+                public const string OAuthDeviceEndpoint      = "oauthDeviceEndpoint";
+                public const string OAuthClientAuthHeader    = "oauthUseClientAuthHeader";
+                public const string OAuthDefaultUserName     = "oauthDefaultUserName";
             }
 
             public static class Http
diff --git a/src/shared/Core/GenericHostProvider.cs b/src/shared/Core/GenericHostProvider.cs
@@ -26,8 +26,6 @@ public GenericHostProvider(ICommandContext context,
             _winAuth = winAuth;
         }
 
-        #region HostProvider
-
         public override string Id => "generic";
 
         public override string Name => "Generic";
@@ -50,12 +48,29 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i
 
             Uri uri = input.GetRemoteUri();
 
-            // Determine the if the host supports Windows Integration Authentication (WIA)
+            // Determine the if the host supports Windows Integration Authentication (WIA) or OAuth
             if (!StringComparer.OrdinalIgnoreCase.Equals(uri.Scheme, "http") &&
                 !StringComparer.OrdinalIgnoreCase.Equals(uri.Scheme, "https"))
             {
-                // Cannot check WIA support for non-HTTP based protocols
+                // Cannot check WIA or OAuth support for non-HTTP based protocols
+            }
+            // Check for an OAuth configuration for this remote
+            else if (GenericOAuthConfig.TryGet(Context.Trace, Context.Settings, uri, out GenericOAuthConfig oauthConfig))
+            {
+                Context.Trace.WriteLine($"Found generic OAuth configuration for '{uri}':");
+                Context.Trace.WriteLine($"\tAuthzEndpoint   = {oauthConfig.Endpoints.AuthorizationEndpoint}");
+                Context.Trace.WriteLine($"\tTokenEndpoint   = {oauthConfig.Endpoints.TokenEndpoint}");
+                Context.Trace.WriteLine($"\tDeviceEndpoint  = {oauthConfig.Endpoints.DeviceAuthorizationEndpoint}");
+                Context.Trace.WriteLine($"\tClientId        = {oauthConfig.ClientId}");
+                Context.Trace.WriteLine($"\tClientSecret    = {oauthConfig.ClientSecret}");
+                Context.Trace.WriteLine($"\tRedirectUri     = {oauthConfig.RedirectUri}");
+                Context.Trace.WriteLine($"\tScopes          = [{string.Join(", ", oauthConfig.Scopes)}]");
+                Context.Trace.WriteLine($"\tUseAuthHeader   = {oauthConfig.UseAuthHeader}");
+                Context.Trace.WriteLine($"\tDefaultUserName = {oauthConfig.DefaultUserName}");
+
+                throw new NotImplementedException();
             }
+            // Try detecting WIA for this remote, if permitted
             else if (IsWindowsAuthAllowed)
             {
                 if (PlatformUtils.IsWindows())
@@ -86,6 +101,7 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i
                 Context.Trace.WriteLine("Windows Integrated Authentication detection has been disabled.");
             }
 
+            // Use basic authentication
             Context.Trace.WriteLine("Prompting for basic credentials...");
             return await _basicAuth.GetCredentialsAsync(uri.AbsoluteUri, input.UserName);
         }
@@ -120,7 +136,5 @@ protected override void ReleaseManagedResources()
             _winAuth.Dispose();
             base.ReleaseManagedResources();
         }
-
-        #endregion
     }
 }
diff --git a/src/shared/Core/GenericOAuthConfig.cs b/src/shared/Core/GenericOAuthConfig.cs
@@ -0,0 +1,138 @@
+using System;
+using GitCredentialManager.Authentication.OAuth;
+
+namespace GitCredentialManager
+{
+    public class GenericOAuthConfig
+    {
+        public static bool TryGet(ITrace trace, ISettings settings, Uri remoteUri, out GenericOAuthConfig config)
+        {
+            config = new GenericOAuthConfig();
+
+            if (!settings.TryGetSetting(
+                    Constants.EnvironmentVariables.OAuthAuthzEndpoint,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    Constants.GitConfiguration.Credential.OAuthAuthzEndpoint,
+                    out string authzEndpoint) ||
+                !Uri.TryCreate(remoteUri, authzEndpoint, out Uri authzEndpointUri))
+            {
+                trace.WriteLine($"Invalid OAuth configuration - missing/invalid authorize endpoint: {authzEndpoint}");
+                config = null;
+                return false;
+            }
+
+            if (!settings.TryGetSetting(
+                    Constants.EnvironmentVariables.OAuthTokenEndpoint,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    Constants.GitConfiguration.Credential.OAuthTokenEndpoint,
+                    out string tokenEndpoint) ||
+                !Uri.TryCreate(remoteUri, tokenEndpoint, out Uri tokenEndpointUri))
+            {
+                trace.WriteLine($"Invalid OAuth configuration - missing/invalid token endpoint: {tokenEndpoint}");
+                config = null;
+                return false;
+            }
+
+            // Device code endpoint is optional
+            Uri deviceEndpointUri = null;
+            if (settings.TryGetSetting(
+                    Constants.EnvironmentVariables.OAuthDeviceEndpoint,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    Constants.GitConfiguration.Credential.OAuthDeviceEndpoint,
+                    out string deviceEndpoint))
+            {
+                if (!Uri.TryCreate(remoteUri, deviceEndpoint, out deviceEndpointUri))
+                {
+                    trace.WriteLine($"Invalid OAuth configuration - invalid device endpoint: {deviceEndpoint}");
+                }
+            }
+
+            config.Endpoints = new OAuth2ServerEndpoints(authzEndpointUri, tokenEndpointUri)
+            {
+                DeviceAuthorizationEndpoint = deviceEndpointUri
+            };
+
+            if (settings.TryGetSetting(
+                    Constants.EnvironmentVariables.OAuthClientId,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    Constants.GitConfiguration.Credential.OAuthClientId,
+                    out string clientId))
+            {
+                config.ClientId = clientId;
+            }
+
+            if (settings.TryGetSetting(
+                    Constants.EnvironmentVariables.OAuthClientSecret,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    Constants.GitConfiguration.Credential.OAuthClientSecret,
+                    out string clientSecret))
+            {
+                config.ClientSecret = clientSecret;
+            }
+
+            if (settings.TryGetSetting(
+                    Constants.EnvironmentVariables.OAuthRedirectUri,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    Constants.GitConfiguration.Credential.OAuthRedirectUri,
+                    out string redirectUrl) &&
+                Uri.TryCreate(redirectUrl, UriKind.Absolute, out Uri redirectUri))
+            {
+                config.RedirectUri = redirectUri;
+            }
+            else
+            {
+                trace.WriteLine($"Invalid OAuth configuration - missing/invalid redirect URI: {redirectUrl}");
+                config = null;
+                return false;
+            }
+
+            if (settings.TryGetSetting(
+                    Constants.EnvironmentVariables.OAuthScopes,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    Constants.GitConfiguration.Credential.OAuthScopes,
+                    out string scopesStr) && !string.IsNullOrWhiteSpace(scopesStr))
+            {
+                config.Scopes = scopesStr.Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
+            }
+            else
+            {
+                config.Scopes = Array.Empty<string>();
+            }
+
+            if (settings.TryGetSetting(
+                    Constants.EnvironmentVariables.OAuthClientAuthHeader,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    Constants.GitConfiguration.Credential.OAuthClientAuthHeader,
+                    out string useHeader))
+            {
+                config.UseAuthHeader = useHeader.IsTruthy();
+            }
+            else
+            {
+                // Default to true
+                config.UseAuthHeader = true;
+            }
+
+            config.DefaultUserName = settings.TryGetSetting(
+                Constants.EnvironmentVariables.OAuthDefaultUserName,
+                Constants.GitConfiguration.Credential.SectionName,
+                Constants.GitConfiguration.Credential.OAuthDefaultUserName,
+                out string userName)
+                ? userName
+                : "OAUTH_USER";
+
+            return true;
+        }
+
+
+        public OAuth2ServerEndpoints Endpoints { get; set; }
+        public string ClientId { get; set; }
+        public string ClientSecret { get; set; }
+        public Uri RedirectUri { get; set; }
+        public string[] Scopes { get; set; }
+        public bool UseAuthHeader { get; set; }
+        public string DefaultUserName { get; set; }
+
+        public bool SupportsDeviceCode => Endpoints.DeviceAuthorizationEndpoint != null;
+    }
+}
diff --git a/src/shared/TestInfrastructure/Objects/TestSettings.cs b/src/shared/TestInfrastructure/Objects/TestSettings.cs
@@ -58,6 +58,18 @@ public bool TryGetSetting(string envarName, string section, string property, out
                 return true;
             }
 
+            if (RemoteUri != null)
+            {
+                foreach (string scope in RemoteUri.GetGitConfigurationScopes())
+                {
+                    string key = $"{section}.{scope}.{property}";
+                    if (GitConfiguration?.TryGet(key, false, out value) ?? false)
+                    {
+                        return true;
+                    }
+                }
+            }
+
             if (GitConfiguration?.TryGet($"{section}.{property}", false, out value) ?? false)
             {
                 return true;
@@ -79,16 +91,26 @@ public IEnumerable<string> GetSettingValues(string envarName, string section, st
                 yield return envarValue;
             }
 
-            foreach (string scope in RemoteUri.GetGitConfigurationScopes())
+            IEnumerable<string> configValues;
+            if (RemoteUri != null)
             {
-                string key = $"{section}.{scope}.{property}";
-
-                IEnumerable<string> configValues = GitConfiguration.GetAll(key);
-                foreach (string value in configValues)
+                foreach (string scope in RemoteUri.GetGitConfigurationScopes())
                 {
-                    yield return value;
+                    string key = $"{section}.{scope}.{property}";
+
+                    configValues = GitConfiguration.GetAll(key);
+                    foreach (string value in configValues)
+                    {
+                        yield return value;
+                    }
                 }
             }
+
+            configValues = GitConfiguration.GetAll($"{section}.{property}");
+            foreach (string value in configValues)
+            {
+                yield return value;
+            }
         }
 
         public string RepositoryPath { get; set; }

Original file line number	Diff line number	Diff line change
`@@ -26,8 +26,6 @@ public GenericHostProvider(ICommandContext context,`
`26`	`26`	`_winAuth = winAuth;`
`27`	`27`	`}`
`28`	`28`
`29`		`- #region HostProvider`
`30`		`-`
`31`	`29`	`public override string Id => "generic";`
`32`	`30`
`33`	`31`	`public override string Name => "Generic";`
`@@ -50,12 +48,29 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i`
`50`	`48`
`51`	`49`	`Uri uri = input.GetRemoteUri();`
`52`	`50`
`53`		`- // Determine the if the host supports Windows Integration Authentication (WIA)`
	`51`	`+ // Determine the if the host supports Windows Integration Authentication (WIA) or OAuth`
`54`	`52`	`if (!StringComparer.OrdinalIgnoreCase.Equals(uri.Scheme, "http") &&`
`55`	`53`	`!StringComparer.OrdinalIgnoreCase.Equals(uri.Scheme, "https"))`
`56`	`54`	`{`
`57`		`- // Cannot check WIA support for non-HTTP based protocols`
	`55`	`+ // Cannot check WIA or OAuth support for non-HTTP based protocols`
	`56`	`+ }`
	`57`	`+ // Check for an OAuth configuration for this remote`
	`58`	`+ else if (GenericOAuthConfig.TryGet(Context.Trace, Context.Settings, uri, out GenericOAuthConfig oauthConfig))`
	`59`	`+ {`
	`60`	`+ Context.Trace.WriteLine($"Found generic OAuth configuration for '{uri}':");`
	`61`	`+ Context.Trace.WriteLine($"\tAuthzEndpoint = {oauthConfig.Endpoints.AuthorizationEndpoint}");`
	`62`	`+ Context.Trace.WriteLine($"\tTokenEndpoint = {oauthConfig.Endpoints.TokenEndpoint}");`
	`63`	`+ Context.Trace.WriteLine($"\tDeviceEndpoint = {oauthConfig.Endpoints.DeviceAuthorizationEndpoint}");`
	`64`	`+ Context.Trace.WriteLine($"\tClientId = {oauthConfig.ClientId}");`
	`65`	`+ Context.Trace.WriteLine($"\tClientSecret = {oauthConfig.ClientSecret}");`
	`66`	`+ Context.Trace.WriteLine($"\tRedirectUri = {oauthConfig.RedirectUri}");`
	`67`	`+ Context.Trace.WriteLine($"\tScopes = [{string.Join(", ", oauthConfig.Scopes)}]");`
	`68`	`+ Context.Trace.WriteLine($"\tUseAuthHeader = {oauthConfig.UseAuthHeader}");`
	`69`	`+ Context.Trace.WriteLine($"\tDefaultUserName = {oauthConfig.DefaultUserName}");`
	`70`	`+`
	`71`	`+ throw new NotImplementedException();`
`58`	`72`	`}`
	`73`	`+ // Try detecting WIA for this remote, if permitted`
`59`	`74`	`else if (IsWindowsAuthAllowed)`
`60`	`75`	`{`
`61`	`76`	`if (PlatformUtils.IsWindows())`
`@@ -86,6 +101,7 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i`
`86`	`101`	`Context.Trace.WriteLine("Windows Integrated Authentication detection has been disabled.");`
`87`	`102`	`}`
`88`	`103`
	`104`	`+ // Use basic authentication`
`89`	`105`	`Context.Trace.WriteLine("Prompting for basic credentials...");`
`90`	`106`	`return await _basicAuth.GetCredentialsAsync(uri.AbsoluteUri, input.UserName);`
`91`	`107`	`}`
`@@ -120,7 +136,5 @@ protected override void ReleaseManagedResources()`
`120`	`136`	`_winAuth.Dispose();`
`121`	`137`	`base.ReleaseManagedResources();`
`122`	`138`	`}`
`123`		`-`
`124`		`- #endregion`
`125`	`139`	`}`
`126`	`140`	`}`