Oauth2 integration with CloudStack (#7996)

OAuth2, the industry-standard authorization or authentication framework, simplifies the process of
granting access to resources. CloudStack supports OAuth2 authentication wherein users can login into
CloudStack without using a username and password. Support for Google and Github providers has been added.
Other OAuth2 providers can be easily integrated with CloudStack using its plugin framework.

The login page will show provider options when the OAuth2 is enabled and corresponding providers are configured.

"OAuth configuration" sub-section is present under "Configuration" where admins can register the corresponding
OAuth providers.

Author: harikrishna-patnala

api/src/main/java/com/cloud/user/AccountService.java

@@ -70,6 +70,8 @@ User createUser(String userName, String password, String firstName, String lastN
 
     UserAccount getActiveUserAccount(String username, Long domainId);
 
+    List<UserAccount> getActiveUserAccountByEmail(String email, Long domainId);
+
     UserAccount updateUser(UpdateUserCmd updateUserCmd);
 
     Account getActiveAccountById(long accountId);

api/src/main/java/com/cloud/user/User.java

@@ -24,7 +24,7 @@ public interface User extends OwnedBy, InternalIdentity {
 
     // UNKNOWN and NATIVE can be used interchangeably
     public enum Source {
-        LDAP, SAML2, SAML2DISABLED, UNKNOWN, NATIVE
+        OAUTH2, LDAP, SAML2, SAML2DISABLED, UNKNOWN, NATIVE
     }
 
     public static final long UID_SYSTEM = 1;

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -594,6 +594,8 @@ public class ApiConstants {
     public static final String SERVICE_CAPABILITY_LIST = "servicecapabilitylist";
     public static final String CAN_CHOOSE_SERVICE_CAPABILITY = "canchooseservicecapability";
     public static final String PROVIDER = "provider";
+    public static final String OAUTH_PROVIDER = "oauthprovider";
+    public static final String OAUTH_SECRET_KEY = "secretkey";
     public static final String MANAGED = "managed";
     public static final String CAPACITY_BYTES = "capacitybytes";
     public static final String CAPACITY_IOPS = "capacityiops";
@@ -1056,6 +1058,9 @@ public class ApiConstants {
     public static final String VNF_CONFIGURE_MANAGEMENT = "vnfconfiguremanagement";
     public static final String VNF_CIDR_LIST = "vnfcidrlist";
 
+    public static final String CLIENT_ID = "clientid";
+    public static final String REDIRECT_URI = "redirecturi";
+
     /**
      * This enum specifies IO Drivers, each option controls specific policies on I/O.
      * Qemu guests support "threads" and "native" options Since 0.8.8 ; "io_uring" is supported Since 6.3.0 (QEMU 5.0).

api/src/main/java/org/apache/cloudstack/api/command/user/ssh/CreateSSHKeyPairCmd.java

@@ -95,5 +95,4 @@ public void execute() {
         response.setObjectName("keypair");
         setResponseObject(response);
     }
-
-    }
+}

api/src/main/java/org/apache/cloudstack/api/command/user/userdata/ListUserDataCmd.java

@@ -76,5 +76,4 @@ public void execute() {
         response.setResponseName(getCommandName());
         setResponseObject(response);
     }
-
-    }
+}

api/src/main/java/org/apache/cloudstack/api/command/user/userdata/RegisterUserDataCmd.java

@@ -142,5 +142,4 @@ public void execute() throws ResourceUnavailableException, InsufficientCapacityE
         response.setObjectName(ApiConstants.USER_DATA);
         setResponseObject(response);
     }
-
-    }
+}

api/src/main/java/org/apache/cloudstack/auth/UserOAuth2Authenticator.java

@@ -0,0 +1,53 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.auth;
+
+import com.cloud.utils.component.Adapter;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+public interface UserOAuth2Authenticator extends Adapter {
+    /**
+     * Returns the unique name of the provider
+     * @return returns provider name
+     */
+    String getName();
+
+    /**
+     * Returns description about the OAuth2 provider plugin
+     * @return returns description
+     */
+    String getDescription();
+
+    /**
+     * Verifies if the logged in user is
+     * @return returns true if its valid user
+     */
+    boolean verifyUser(String email, String secretCode);
+
+    /**
+     * Verifies the code provided by provider and fetches email
+     * @return returns email
+     */
+    String verifyCodeAndFetchEmail(String secretCode);
+
+
+    /**
+     * Fetches email using the accessToken
+     * @return returns email
+     */
+    String getUserEmailAddress() throws CloudRuntimeException;
+}

client/pom.xml

@@ -161,6 +161,11 @@
             <artifactId>cloud-plugin-user-authenticator-md5</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.cloudstack</groupId>
+            <artifactId>cloud-plugin-user-authenticator-oauth2</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.cloudstack</groupId>
             <artifactId>cloud-plugin-user-authenticator-pbkdf2</artifactId>

core/src/main/resources/META-INF/cloudstack/core/spring-core-registry-core-context.xml

@@ -33,7 +33,7 @@
         class="org.apache.cloudstack.spring.lifecycle.registry.ExtensionRegistry">
         <property name="orderConfigKey" value="user.authenticators.order" />
         <property name="excludeKey" value="user.authenticators.exclude" />
-        <property name="orderConfigDefault" value="PBKDF2,SHA256SALT,MD5,LDAP,SAML2,PLAINTEXT" />
+        <property name="orderConfigDefault" value="PBKDF2,SHA256SALT,MD5,LDAP,SAML2,PLAINTEXT,OAUTH2" />
     </bean>
 
     <bean id="userTwoFactorAuthenticatorsRegistry"
@@ -47,7 +47,7 @@
           class="org.apache.cloudstack.spring.lifecycle.registry.ExtensionRegistry">
         <property name="orderConfigKey" value="pluggableApi.authenticators.order" />
         <property name="excludeKey" value="pluggableApi.authenticators.exclude" />
-        <property name="orderConfigDefault" value="SAML2Auth" />
+        <property name="orderConfigDefault" value="SAML2Auth,OAUTH2Auth" />
     </bean>
 
     <bean id="userPasswordEncodersRegistry"

engine/schema/src/main/java/com/cloud/user/dao/UserAccountDao.java

@@ -27,6 +27,8 @@ public interface UserAccountDao extends GenericDao<UserAccountVO, Long> {
 
     UserAccount getUserAccount(String username, Long domainId);
 
+    List<UserAccountVO> getUserAccountByEmail(String email, Long domainId);
+
     boolean validateUsernameInDomain(String username, Long domainId);
 
     UserAccount getUserByApiKey(String apiKey);