Adding OAuth autentication support

Author: ikus060

Dockerfile

@@ -12,7 +12,7 @@ ENV RDIFFWEB_SERVER_HOST=0.0.0.0
 
 RUN set -x; \
   apt -y update && \
-  apt install -y --no-install-recommends librsync-dev python3-pyxattr python3-pylibacl && \
+  apt install -y --no-install-recommends librsync-dev python3-pylibacl python3-pyxattr && \
   rm -Rf /var/lib/apt/lists/*
 
 COPY . /src/

debian/control

@@ -24,11 +24,13 @@ Build-Depends:
  python3-jinja2,
  python3-ldap3,
  python3-nose,
+ python3-oauthlib,
  python3-parameterized,
  python3-pip,
  python3-psutil,
  python3-pytest, 
  python3-requests,
+ python3-requests-oauthlib,
  python3-responses,
  python3-selenium,
  python3-setuptools,

doc/configuration-ldap.md

@@ -37,22 +37,31 @@ The following settings are available for basic LDAP integration with Rdiffweb:
 | --ldap-base-dn (Required) | This setting specifies the DN of the branch of the directory where all searches should start from. For example: dc=my,dc=domain |
 | --ldap-bind-dn | This setting specifies the DN used to bind to the server when searching for entries. If not provided, Rdiffweb will use an anonymous bind. |
 | --ldap-bind-password | This setting specifies the password to use in conjunction with LdapBindDn. Note that the bind password is probably sensitive data and should be properly protected. You should only use the LdapBindDn and LdapBindPassword if you absolutely need them to search the directory. |
-| --ldap-add-missing-user | This setting enables the creation of users from LDAP when the credentials are valid. |
 | --ldap-username-attribute | This setting specifies the attribute to search for the username. If no attributes are provided, the default is to use uid. It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using. |
 | --ldap-user-filter | This setting specifies the search filter to limit LDAP lookup. If not provided, defaults to (objectClass=*), which searches for all objects in the tree. |
 
-## Attribute Configuration Settings
+## Create or update user from LDAP
 
-The following settings allow you to specify LDAP attributes for user display names, email addresses, and other attributes:
+When LDAP integration is enabled, the application can automatically create users in the internal database upon their first successful login. If this feature is disabled, users must be created manually before they can log in successfully.
+
+### Enabling automatic user creation
+
+To enable automatic user creation from LDAP, use the `--add-missing-user` option. When enabled, you can control how new users are created using additional configuration options.
+
+### Configuration options
+
+The following settings control user creation and attribute mapping from LDAP:
+
+| Option | Description | Example |
+| --- | --- | --- |
+| `--add-missing-user` | Enables automatic creation of users from LDAP when authentication is successful. | `--add-missing-user` |
+| `--add-user-default-role` | Specifies the default role assigned to users created from LDAP. Only effective when `--add-missing-user` is enabled. | `--add-user-default-role=user` |
+| `--add-user-default-userroot` | Specifies the default root directory for users created from LDAP. Supports LDAP attribute substitution using `{attribute}` syntax. Only effective when `--add-missing-user` is enabled. | `--add-user-default-userroot=/backups/{uid}/` |
+| `--ldap-fullname-attribute` | LDAP attribute containing the user's full display name. If not found or empty, the full name is constructed from first name and last name attributes. | `--ldap-fullname-attribute=displayName` |
+| `--ldap-firstname-attribute` | LDAP attribute containing the user's first name. Used as fallback when full name attribute is not available. | `--ldap-firstname-attribute=givenName` |
+| `--ldap-lastname-attribute` | LDAP attribute containing the user's last name. Used as fallback when full name attribute is not available. | `--ldap-lastname-attribute=sn` |
+| `--ldap-email-attribute` | LDAP attribute containing the user's email address. | `--ldap-email-attribute=userPrincipalName` |
 
-| Option | Description |
-| --- | --- |
-| --ldap-add-user-default-role | This setting specifies the default role used when creating users from LDAP. This parameter is only useful when --ldap-add-missing-user is enabled. |
-| --ldap-add-user-default-userroot | This setting specifies the default user root directory used when creating users from LDAP. LDAP attributes may be used to define the default location. For example: /backups/{uid[0]}/. This parameter is only useful when --ldap-add-missing-user is enabled. |
-| --ldap-fullname-attribute | This setting specifies the LDAP attribute for the user's display name. If fullname is blank, the full name is taken from the firstname and lastname. Common attributes for full names include 'cn' or 'displayName'. |
-| --ldap-firstname-attribute | This setting specifies the LDAP attribute for the user's first name. Used when the attribute configured for name does not exist. For example: givenName |
-| --ldap-lastname-attribute | This setting specifies the LDAP attribute for the user's last name. Used when the attribute configured for name does not exist. For example: sn |
-| --ldap-email-attribute | This setting specifies the LDAP attribute for the user's email address. For example: mail, email, userPrincipalName |
 
 ## Configure LDAP Group Access
 

doc/configuration-oauth.md

@@ -0,0 +1,99 @@
+# Configuring OAuth Integration in Rdiffweb
+
+This documentation guides you through configuring OAuth integration in Rdiffweb. OAuth is an authorization framework that allows third-party applications to obtain limited access to user accounts on an HTTP service. Rdiffweb is a web-based interface for managing file and directory backups. Integrating OAuth with Rdiffweb enables seamless authentication using external identity providers within your organization.
+
+This integration works with most OAuth/OpenID-compliant providers, including:
+
+- Google
+- GitLab
+- Auth0
+- and others
+
+## Basic Configuration Settings
+
+Open the Rdiffweb configuration file (`/etc/rdiffweb/rdw.conf`) and add the following lines:
+
+```ini
+oauth_client_id = <OAUTH_CLIENT_ID>
+oauth_client_secret = <OAUTH_CLIENT_SECRET>
+oauth_auth_url = <OAUTH_AUTH_URL>
+oauth_token_url = <OAUTH_TOKEN_URL>
+oauth_userinfo_url = <OAUTH_USERINFO_URL>
+oauth_scope = <OAUTH_SCOPE>
+```
+
+Replace the placeholders with the appropriate values from your OAuth provider.
+
+The following settings are available for OAuth integration with Rdiffweb:
+
+| Option                        | Description |
+|-------------------------------|-------------|
+| `--oauth-client-id` (Required)        | The client ID provided by your OAuth provider when you register your application. Example: `abc123-def456-ghi789` |
+| `--oauth-client-secret` (Required)    | The client secret provided by your OAuth provider. This is sensitive data and should be properly protected. |
+| `--oauth-auth-url` (Required)         | The authorization endpoint URL of your OAuth provider. Example: `https://accounts.google.com/o/oauth2/v2/auth` |
+| `--oauth-token-url` (Required)        | The token endpoint URL for obtaining access tokens. Example: `https://oauth2.googleapis.com/token` |
+| `--oauth-userinfo-url` (Required)     | The user information endpoint URL for retrieving user profile data. Example: `https://www.googleapis.com/oauth2/v2/userinfo` |
+| `--oauth-scope`                      | The OAuth scopes to request. Common scopes include `openid`, `profile`, and `email`. Multiple scopes should be space-separated. Default: `openid profile email` |
+
+## Creating or Updating Users from OAuth
+
+When OAuth integration is enabled, Rdiffweb can automatically create users in the internal database upon their first successful login. To use this feature, ensure you have a custom and trusted OAuth provider. If this feature is disabled, users must be created manually before they can log in.
+
+### Enabling Automatic User Creation
+
+To enable automatic user creation, use the `--add-missing-user` option. Additional options let you control the creation process.
+
+### Configuration Options
+
+The following settings control user creation and attribute mapping from OAuth claims:
+
+| Option | Description | Example |
+|--------|-------------|---------|
+| `--add-missing-user` | Enables automatic user creation upon successful OAuth authentication. | `--add-missing-user` |
+| `--add-user-default-role` | Specifies the default role for users created from OAuth. Only effective with `--add-missing-user` enabled. | `--add-user-default-role=user` |
+| `--add-user-default-userroot` | Specifies the default root directory for new users. Supports OAuth claim substitution via `{claim}` syntax. Only effective with `--add-missing-user`. | `--add-user-default-userroot=/backups/{sub}/` |
+| `--oauth-fullname-claim` | Specifies the OAuth claim for the user's full display name. If unavailable, constructs the name from first and last name claims. | `--oauth-fullname-claim=name` |
+| `--oauth-firstname-claim` | Specifies the OAuth claim for the user's first name (fallback). | `--oauth-firstname-claim=given_name` |
+| `--oauth-lastname-claim` | Specifies the OAuth claim for the user's last name (fallback). | `--oauth-lastname-claim=family_name` |
+| `--oauth-email-claim` | Specifies the OAuth claim for the user's email address. | `--oauth-email-claim=email` |
+| `--oauth-userkey-claim` | Specifies the OAuth claim to use as the username. Defaults to the email claim if unspecified. | `--oauth-userkey-claim=email` |
+| `--oauth-required-claim` | Requires a specific OAuth claim to have a defined value, formatted as `<claim> <value>`. | `--oauth-required-claim=email_verified true` |
+
+## Example OAuth Configurations
+
+### Private OAuth Provider with Automatic User Creation
+
+For private OAuth providers (e.g., Auth0), it is expected that your organization manages user accounts similarly to an LDAP directory. In this scenario, configure Rdiffweb to automatically create users upon first login.
+
+Ensure you have a unique claim to use as the account username (`oauth-userkey-claim`).
+
+```ini
+oauth-client-id = your-client-id
+oauth-client-secret = your-client-secret
+oauth-auth-url = https://changeme.us.auth0.com/authorize
+oauth-token-url = https://changeme.us.auth0.com/oauth/token
+oauth-userinfo-url = https://changeme.us.auth0.com/userinfo
+oauth-scope = openid profile email
+oauth-userkey-claim = preferred_username
+
+add-missing-user = True
+login-with-email = True
+```
+
+### Public OAuth with Email Verification
+
+If using a public provider such as Google Accounts, pre-populate all users allowed to access the application. Let them authenticate with their Google account. In this case, define `oauth-required-claim` like `email_verified true`, and set `oauth-userkey-claim` to `email` to associate accounts by email address.
+
+```ini
+oauth-client-id = your-client-id
+oauth-client-secret = your-client-secret
+oauth-auth-url = https://accounts.google.com/o/oauth2/v2/auth
+oauth-token-url = https://oauth2.googleapis.com/token
+oauth-userinfo-url = https://openidconnect.googleapis.com/v1/userinfo
+oauth-scope = openid profile email
+oauth-required-claim = email_verified true
+oauth-userkey-claim = email
+
+add-missing-user = False
+login-with-email = True
+```

doc/configuration.md

@@ -123,6 +123,17 @@ titlesonly: true
 configuration-ldap
 ```
 
+## Configure OAuth
+
+Rdiffweb may also integrate with OAuth provider to support user authentication.
+
+```{toctree}
+---
+titlesonly: true
+---
+configuration-oauth
+```
+
 ## Configure User Session
 
 A user session is a sequence of request and response transactions associated with a single user. The user session is the means to track each authenticated user.

pyproject.toml

@@ -39,6 +39,7 @@ dependencies = [
     "psutil>=2.1.1",
     "pytz",
     "requests",
+    "requests_oauthlib",
     "sqlalchemy>=1.4,<3",
     "WTForms>=2.2,<4",
     "zxcvbn>=4.4.27"

rdiffweb/controller/__init__.py

@@ -71,17 +71,22 @@ def flash(message, level='info'):
     """
     assert message
     assert level in ['info', 'error', 'warning', 'success']
-    assert hasattr(cherrypy, 'session'), 'flash message requires user session'
-    if 'flash' not in cherrypy.session:  # @UndefinedVariable
-        cherrypy.session['flash'] = []  # @UndefinedVariable
-    flash_message = FlashMessage(str(message), level)
-    cherrypy.session['flash'].append(flash_message)
+    session = cherrypy.serving.session
+    if 'flash' not in session:
+        session['flash'] = []
+    # Support Markup and string
+    if hasattr(message, '__html__'):
+        flash_message = FlashMessage(message, level)
+    else:
+        flash_message = FlashMessage(str(message), level)
+    session['flash'].append(flash_message)
 
 
 def get_flashed_messages():
-    if 'flash' in cherrypy.session:  # @UndefinedVariable
-        messages = cherrypy.session['flash']  # @UndefinedVariable
-        del cherrypy.session['flash']  # @UndefinedVariable
+    session = cherrypy.serving.session
+    if 'flash' in session:
+        messages = session['flash']
+        del session['flash']
         return messages
     return []
 
@@ -114,13 +119,14 @@ def _compile_template(self, template_name, **kwargs):
             "get_flashed_messages": get_flashed_messages,
             "cache_invalid": self._cache_invalid,
         }
-        if app.currentuser:
+        currentuser = getattr(cherrypy.request, 'currentuser', None)
+        if currentuser:
             parms.update(
                 {
-                    'username': app.currentuser.username,
-                    'fullname': app.currentuser.fullname,
-                    'is_admin': app.currentuser.is_admin,
-                    'is_maintainer': app.currentuser.is_maintainer,
+                    'username': currentuser.username,
+                    'fullname': currentuser.fullname,
+                    'is_admin': currentuser.is_admin,
+                    'is_maintainer': currentuser.is_maintainer,
                 }
             )
         elif getattr(cherrypy.serving.request, 'login', None):

rdiffweb/controller/api.py

@@ -43,16 +43,16 @@ def _checkpassword(realm, username, password):
             return True
         # Disable password authentication for MFA
         if userobj.mfa == UserObject.ENABLED_MFA:
-            cherrypy.tools.ratelimit.hit()
+            cherrypy.tools.ratelimit.increase_hit()
             return False
     # Otherwise validate username password
-    valid = any(cherrypy.engine.publish('login', username, password))
+    valid = cherrypy.tools.auth.login_with_credentials(username, password)
     if valid:
         # Store scope
         cherrypy.serving.request.scope = ['all']
         return True
     # When invalid, we need to increase the rate limit.
-    cherrypy.tools.ratelimit.hit()
+    cherrypy.tools.ratelimit.increase_hit()
     return False
 
 
@@ -61,7 +61,7 @@ def _checkpassword(realm, username, password):
 @cherrypy.tools.json_out(on=True)
 @cherrypy.tools.json_in(on=True, force=False)
 @cherrypy.tools.auth_basic(realm='rdiffweb', checkpassword=_checkpassword, priority=70)
-@cherrypy.tools.auth_form(on=False)
+@cherrypy.tools.auth(on=True, redirect=False)
 @cherrypy.tools.auth_mfa(on=False)
 @cherrypy.tools.i18n(on=False)
 @cherrypy.tools.ratelimit(scope='rdiffweb-api', hit=0, priority=69)

rdiffweb/controller/api_currentuser.py

@@ -19,7 +19,7 @@
 from wtforms.validators import Length, Optional, Regexp
 
 from rdiffweb.controller import Controller
-from rdiffweb.controller.form import CherryForm
+from rdiffweb.controller.formdb import DbForm
 from rdiffweb.controller.page_pref_sshkeys import ApiSshKeys
 from rdiffweb.controller.page_pref_tokens import ApiTokens
 from rdiffweb.controller.page_settings import ApiRepos
@@ -33,7 +33,7 @@
     from wtforms.fields.html5 import EmailField  # wtform <3
 
 
-class CurrentUserForm(CherryForm):
+class CurrentUserForm(DbForm):
     """
     Form used to validate input data for REST api request.
     """
@@ -76,7 +76,6 @@ def populate_obj(self, user):
         user.email = self.email.data
         user.lang = self.lang.data
         user.report_time_range = self.report_time_range.data
-        user.add()
 
 
 @cherrypy.expose
@@ -130,7 +129,7 @@ def get(self):
         - `encoding`: The encoding used for the repository.
 
         """
-        u = self.app.currentuser
+        u = cherrypy.serving.request.currentuser
         if u.refresh_repos():
             u.commit()
         return {
@@ -171,14 +170,11 @@ def post(self, **kwargs):
         Returns status 200 OK on success.
         """
         # Validate input data.
-        userobj = self.app.currentuser
+        userobj = cherrypy.serving.request.currentuser
         form = CurrentUserForm(obj=userobj, json=1)
         if not form.strict_validate():
             raise cherrypy.HTTPError(400, form.error_message)
         # Apply changes
-        try:
-            form.populate_obj(userobj)
-            userobj.commit()
-        except Exception as e:
-            userobj.rollback()
-            raise cherrypy.HTTPError(400, str(e))
+        if form.save_to_db(userobj):
+            return None
+        raise cherrypy.HTTPError(400, form.error_message)

rdiffweb/controller/dispatch.py

@@ -22,7 +22,7 @@
 
 import cherrypy
 
-import rdiffweb.tools.auth_form  # noqa
+import rdiffweb.tools.auth  # noqa
 import rdiffweb.tools.auth_mfa  # noqa
 import rdiffweb.tools.ratelimit  # noqa
 
@@ -33,7 +33,7 @@ def staticdir(path, doc=''):
     """
 
     @cherrypy.expose
-    @cherrypy.tools.auth_form(on=False)
+    @cherrypy.tools.auth(on=False)
     @cherrypy.tools.auth_mfa(on=False)
     @cherrypy.tools.ratelimit(on=False)
     @cherrypy.tools.sessions(on=False)
@@ -53,7 +53,7 @@ def staticfile(path, doc=''):
     """
 
     @cherrypy.expose
-    @cherrypy.tools.auth_form(on=False)
+    @cherrypy.tools.auth(on=False)
     @cherrypy.tools.auth_mfa(on=False)
     @cherrypy.tools.ratelimit(on=False)
     @cherrypy.tools.sessions(on=False)