generic: add OAuth support for browser & devicecode

Add OAuth support for the generic provider offering browser (authcode
grant) and device code (device auth grant) support. Device code
and mode selection is initially only offered for TTY users.

Author: mjcheetham

src/shared/Core.Tests/GenericHostProviderTests.cs

@@ -87,8 +87,9 @@ public async Task GenericHostProvider_CreateCredentialAsync_WiaNotAllowed_Return
                 .ReturnsAsync(basicCredential)
                 .Verifiable();
             var wiaAuthMock = new Mock<IWindowsIntegratedAuthentication>();
+            var oauthMock = new Mock<IOAuthAuthentication>();
 
-            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object);
+            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object, oauthMock.Object);
 
             ICredential credential = await provider.GenerateCredentialAsync(input);
 
@@ -121,8 +122,9 @@ public async Task GenericHostProvider_CreateCredentialAsync_LegacyAuthorityBasic
                 .ReturnsAsync(basicCredential)
                 .Verifiable();
             var wiaAuthMock = new Mock<IWindowsIntegratedAuthentication>();
+            var oauthMock = new Mock<IOAuthAuthentication>();
 
-            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object);
+            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object, oauthMock.Object);
 
             ICredential credential = await provider.GenerateCredentialAsync(input);
 
@@ -152,8 +154,9 @@ public async Task GenericHostProvider_CreateCredentialAsync_NonHttpProtocol_Retu
                 .ReturnsAsync(basicCredential)
                 .Verifiable();
             var wiaAuthMock = new Mock<IWindowsIntegratedAuthentication>();
+            var oauthMock = new Mock<IOAuthAuthentication>();
 
-            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object);
+            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object, oauthMock.Object);
 
             ICredential credential = await provider.GenerateCredentialAsync(input);
 
@@ -199,8 +202,9 @@ private static async Task TestCreateCredentialAsync_ReturnsEmptyCredential(bool
             var wiaAuthMock = new Mock<IWindowsIntegratedAuthentication>();
             wiaAuthMock.Setup(x => x.GetIsSupportedAsync(It.IsAny<Uri>()))
                        .ReturnsAsync(wiaSupported);
+            var oauthMock = new Mock<IOAuthAuthentication>();
 
-            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object);
+            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object, oauthMock.Object);
 
             ICredential credential = await provider.GenerateCredentialAsync(input);
 
@@ -230,8 +234,9 @@ private static async Task TestCreateCredentialAsync_ReturnsBasicCredential(bool
             var wiaAuthMock = new Mock<IWindowsIntegratedAuthentication>();
             wiaAuthMock.Setup(x => x.GetIsSupportedAsync(It.IsAny<Uri>()))
                        .ReturnsAsync(wiaSupported);
+            var oauthMock = new Mock<IOAuthAuthentication>();
 
-            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object);
+            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object, oauthMock.Object);
 
             ICredential credential = await provider.GenerateCredentialAsync(input);
 

src/shared/Core/Authentication/OAuthAuthentication.cs

@@ -0,0 +1,123 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using GitCredentialManager.Authentication.OAuth;
+
+namespace GitCredentialManager.Authentication
+{
+    [Flags]
+    public enum OAuthAuthenticationModes
+    {
+        None        = 0,
+        Browser     = 1 << 0,
+        DeviceCode  = 1 << 1,
+
+        All = Browser | DeviceCode
+    }
+
+    public interface IOAuthAuthentication
+    {
+        Task<OAuthAuthenticationModes> GetAuthenticationModeAsync(string resource, OAuthAuthenticationModes modes);
+
+        Task<OAuth2TokenResult> GetTokenByBrowserAsync(OAuth2Client client, string[] scopes);
+
+        Task<OAuth2TokenResult> GetTokenByDeviceCodeAsync(OAuth2Client client, string[] scopes);
+    }
+
+    public class OAuthAuthentication : AuthenticationBase, IOAuthAuthentication
+    {
+        public OAuthAuthentication(ICommandContext context)
+            : base (context) { }
+
+        public async Task<OAuthAuthenticationModes> GetAuthenticationModeAsync(
+            string resource, OAuthAuthenticationModes modes)
+        {
+            EnsureArgument.NotNullOrWhiteSpace(resource, nameof(resource));
+
+            ThrowIfUserInteractionDisabled();
+
+            // Browser requires a desktop session!
+            if (!Context.SessionManager.IsDesktopSession)
+            {
+                modes &= ~OAuthAuthenticationModes.Browser;
+            }
+
+            // We need at least one mode!
+            if (modes == OAuthAuthenticationModes.None)
+            {
+                throw new ArgumentException(@$"Must specify at least one {nameof(OAuthAuthenticationModes)}", nameof(modes));
+            }
+
+            // If there is no mode choice to be made then just return that result
+            if (modes == OAuthAuthenticationModes.Browser ||
+                modes == OAuthAuthenticationModes.DeviceCode)
+            {
+                return modes;
+            }
+
+            ThrowIfTerminalPromptsDisabled();
+
+            switch (modes)
+            {
+                case OAuthAuthenticationModes.Browser:
+                    return OAuthAuthenticationModes.Browser;
+
+                case OAuthAuthenticationModes.DeviceCode:
+                    return OAuthAuthenticationModes.DeviceCode;
+
+                default:
+                    var menuTitle = $"Select an authentication method for '{resource}'";
+                    var menu = new TerminalMenu(Context.Terminal, menuTitle);
+
+                    TerminalMenuItem browserItem = null;
+                    TerminalMenuItem deviceItem = null;
+
+                    if ((modes & OAuthAuthenticationModes.Browser)    != 0) browserItem = menu.Add("Web browser");
+                    if ((modes & OAuthAuthenticationModes.DeviceCode) != 0) deviceItem  = menu.Add("Device code");
+
+                    // Default to the 'first' choice in the menu
+                    TerminalMenuItem choice = menu.Show(0);
+
+                    if (choice == browserItem) goto case OAuthAuthenticationModes.Browser;
+                    if (choice == deviceItem)  goto case OAuthAuthenticationModes.DeviceCode;
+
+                    throw new Exception();
+            }
+            
+        }
+
+        public async Task<OAuth2TokenResult> GetTokenByBrowserAsync(OAuth2Client client, string[] scopes)
+        {
+            ThrowIfUserInteractionDisabled();
+
+            // We require a desktop session to launch the user's default web browser
+            if (!Context.SessionManager.IsDesktopSession)
+            {
+                throw new InvalidOperationException("Browser authentication requires a desktop session");
+            }
+
+            var browserOptions = new OAuth2WebBrowserOptions();
+            var browser = new OAuth2SystemWebBrowser(Context.Environment, browserOptions);
+            var authCode = await client.GetAuthorizationCodeAsync(scopes, browser, CancellationToken.None);
+            return await client.GetTokenByAuthorizationCodeAsync(authCode, CancellationToken.None);
+        }
+
+        public async Task<OAuth2TokenResult> GetTokenByDeviceCodeAsync(OAuth2Client client, string[] scopes)
+        {
+            ThrowIfUserInteractionDisabled();
+
+            OAuth2DeviceCodeResult dcr = await client.GetDeviceCodeAsync(scopes, CancellationToken.None);
+
+            ThrowIfTerminalPromptsDisabled();
+
+            string deviceMessage = $"To complete authentication please visit {dcr.VerificationUri} and enter the following code:" +
+                                    Environment.NewLine +
+                                    dcr.UserCode;
+            Context.Terminal.WriteLine(deviceMessage);
+
+            return await client.GetTokenByDeviceCodeAsync(dcr, CancellationToken.None);
+        }
+    }
+}

src/shared/Core/GenericHostProvider.cs

@@ -1,29 +1,37 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Net.Http;
+using System.Threading;
 using System.Threading.Tasks;
 using GitCredentialManager.Authentication;
+using GitCredentialManager.Authentication.OAuth;
 
 namespace GitCredentialManager
 {
     public class GenericHostProvider : HostProvider
     {
         private readonly IBasicAuthentication _basicAuth;
         private readonly IWindowsIntegratedAuthentication _winAuth;
+        private readonly IOAuthAuthentication _oauth;
 
         public GenericHostProvider(ICommandContext context)
-            : this(context, new BasicAuthentication(context), new WindowsIntegratedAuthentication(context)) { }
+            : this(context, new BasicAuthentication(context), new WindowsIntegratedAuthentication(context),
+                new OAuthAuthentication(context)) { }
 
         public GenericHostProvider(ICommandContext context,
                                    IBasicAuthentication basicAuth,
-                                   IWindowsIntegratedAuthentication winAuth)
+                                   IWindowsIntegratedAuthentication winAuth,
+                                   IOAuthAuthentication oauth)
             : base(context)
         {
             EnsureArgument.NotNull(basicAuth, nameof(basicAuth));
             EnsureArgument.NotNull(winAuth, nameof(winAuth));
+            EnsureArgument.NotNull(oauth, nameof(oauth));
 
             _basicAuth = basicAuth;
             _winAuth = winAuth;
+            _oauth = oauth;
         }
 
         public override string Id => "generic";
@@ -68,7 +76,7 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i
                 Context.Trace.WriteLine($"\tUseAuthHeader   = {oauthConfig.UseAuthHeader}");
                 Context.Trace.WriteLine($"\tDefaultUserName = {oauthConfig.DefaultUserName}");
 
-                throw new NotImplementedException();
+                return await GetOAuthAccessToken(uri, input.UserName, oauthConfig);
             }
             // Try detecting WIA for this remote, if permitted
             else if (IsWindowsAuthAllowed)
@@ -106,6 +114,65 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i
             return await _basicAuth.GetCredentialsAsync(uri.AbsoluteUri, input.UserName);
         }
 
+        private async Task<ICredential> GetOAuthAccessToken(Uri remoteUri, string userName, GenericOAuthConfig config)
+        {
+            // TODO: Determined user info from a webcall? ID token? Need OIDC support
+            string oauthUser = userName ?? config.DefaultUserName;
+
+            var client = new OAuth2Client(
+                HttpClient,
+                config.Endpoints,
+                config.ClientId,
+                config.RedirectUri,
+                config.ClientSecret,
+                Context.Trace,
+                config.UseAuthHeader);
+
+            // Determine which interactive OAuth mode to use. Start by checking for mode preference in config
+            var supportedModes = OAuthAuthenticationModes.All;
+            if (Context.Settings.TryGetSetting(
+                    Constants.EnvironmentVariables.OAuthAuthenticationModes,
+                    Constants.GitConfiguration.Credential.SectionName,
+                    Constants.GitConfiguration.Credential.OAuthAuthenticationModes,
+                    out string authModesStr))
+            {
+                if (Enum.TryParse(authModesStr, true, out supportedModes) && supportedModes != OAuthAuthenticationModes.None)
+                {
+                    Context.Trace.WriteLine($"Supported authentication modes override present: {supportedModes}");
+                }
+                else
+                {
+                    Context.Trace.WriteLine($"Invalid value for supported authentication modes override setting: '{authModesStr}'");
+                }
+            }
+
+            // If the server doesn't support device code we need to remove it as an option here
+            if (!config.SupportsDeviceCode)
+            {
+                supportedModes &= ~OAuthAuthenticationModes.DeviceCode;
+            }
+
+            // Prompt the user to select a mode
+            OAuthAuthenticationModes mode = await _oauth.GetAuthenticationModeAsync(remoteUri.ToString(), supportedModes);
+
+            OAuth2TokenResult tokenResult;
+            switch (mode)
+            {
+                case OAuthAuthenticationModes.Browser:
+                    tokenResult = await _oauth.GetTokenByBrowserAsync(client, config.Scopes);
+                    break;
+
+                case OAuthAuthenticationModes.DeviceCode:
+                    tokenResult = await _oauth.GetTokenByDeviceCodeAsync(client, config.Scopes);
+                    break;
+
+                default:
+                    throw new Exception("No authentication mode selected!");
+            }
+
+            return new GitCredential(oauthUser, tokenResult.AccessToken);
+        }
+
         /// <summary>
         /// Check if the user permits checking for Windows Integrated Authentication.
         /// </summary>
@@ -131,9 +198,13 @@ private bool IsWindowsAuthAllowed
             }
         }
 
+        private HttpClient _httpClient;
+        private HttpClient HttpClient => _httpClient ?? (_httpClient = Context.HttpClientFactory.CreateClient());
+
         protected override void ReleaseManagedResources()
         {
             _winAuth.Dispose();
+            _httpClient?.Dispose();
             base.ReleaseManagedResources();
         }
     }