Merge pull request Ericsson#4517 from feyruzb/feature/get-signum-as-username

dkrupp · web-flow · commit 9817539c1ac8 · 2025-04-10T14:12:34.000+02:00
integrated signum fetching and using it as optional username
diff --git a/docs/web/authentication.md b/docs/web/authentication.md
@@ -378,7 +378,11 @@ CodeChecker also supports OAuth-based authentication. The `authentication.method
 
       * `user_groups_url`
 
-          `Microsoft` specific field to request security groups that the user is member of.
+          `Microsoft`-specific field used to request security groups that the user is member of.
+
+      * `jwks_url`
+
+          `Microsoft`-specific field used to request public signing keys for decoding JWT tokens.
 
       * `scope`
 
@@ -391,33 +395,80 @@ CodeChecker also supports OAuth-based authentication. The `authentication.method
           * `username`
 
               Field for the username.
-          * `email`
 
-              Field for the email.
-          * `fullname`
+        The `username` field defines what value will be used as the user's unique identifier (i.e. their "username") depending on the OAuth provider.
 
-              Field for the fullname.
-~~~{.json}
-"method_oauth": {
+        Currently there are only 2 options for this:
+         * `username`
+         * `email`
+
+        Expected output for each provider:
+
+        `github`
+          * `username` - user's GitHub `login` will be user's identifier
+          * `email` - a request will be sent to fetch the primary email of account to be used as the user's identifier.
+            If it is hidden, an error will be thrown.
+
+        `google`
+          * Only supports `email`, and user's Gmail email will be considered his username.
+
+        `microsoft`
+          * `username` - Company's signum will be the user's identifier.
+          * `email` - an email associated with this Microsoft account will be used as user's identifier.
+
+    ### 🔧 Example: OAuth Configuration for GitHub
+    ~~~{.json}
+    "github": {
       "enabled": false,
-      "providers": {
-        "example_provider": {
-          "enabled": false,
-          "client_id": "client id",
-          "client_secret": "client secret",
-          "authorization_url": "https://accounts.google.com/o/oauth2/auth",
-          "callback_url": "http://localhost:8080/login/OAuthLogin/provider",
-          "token_url": "https://accounts.google.com/o/oauth2/token",
-          "user_info_url": "https://www.googleapis.com/oauth2/v1/userinfo",
-          "user_emails_url": "https://api.github.com/user/emails",
-          "scope": "openid email profile",
-          "user_info_mapping": {
-            "username": "email"
-          }
-        }
+      "client_id": "<ExampleClientID>",
+      "client_secret": "<ExampleClientSecret>",
+      "authorization_url": "https://github.com/login/oauth/authorize",
+      "callback_url": "https://<server_host>/login/OAuthLogin/github",
+      "token_url": "https://github.com/login/oauth/access_token",
+      "user_info_url": "https://api.github.com/user",
+      "user_emails_url": "https://api.github.com/user/emails",
+      "scope": "user:email",
+      "user_info_mapping": {
+        "username": "username"
       }
     }
-~~~
+    ~~~
+    ### 🔧 Example: OAuth Configuration for Google
+    ~~~{.json}
+    "google": {
+      "enabled": false,
+      "client_id": "<ExampleClientID>",
+      "client_secret": "<ExampleClientSecret>",
+      "authorization_url": "https://accounts.google.com/o/oauth2/auth",
+      "callback_url": "https://<server_host>/login/OAuthLogin/google",
+      "token_url": "https://accounts.google.com/o/oauth2/token",
+      "user_info_url": "https://www.googleapis.com/oauth2/v1/userinfo",
+      "scope": "openid email profile",
+      "user_info_mapping": {
+        "username": "email"
+      }
+    }
+    ~~~
+    ### 🔧 Example: OAuth Configuration for Microsoft
+    ~~~{.json}
+    "microsoft": {
+      "enabled": false,
+      "client_id": "<ExampleClientID>",
+      "client_secret": "<ExampleClientSecret>",
+      "authorization_url": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
+      "callback_url": "https://<server_host>/login/OAuthLogin/microsoft",
+      "token_url": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
+      "user_groups_url": "https://graph.microsoft.com/v1.0/me/memberOf",
+      "jwks_url": "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys",
+      "user_info_url": "https://graph.microsoft.com/v1.0/me",
+      "scope": "User.Read email profile openid offline_access",
+      "user_info_mapping": {
+        "username": "email"
+      }
+    }
+    ~~~
+
+
 
 #### OAuth Details per each provider <a name ="oauth-details-per-each-provider"></a>
 
diff --git a/web/server/codechecker_server/api/authentication.py b/web/server/codechecker_server/api/authentication.py
@@ -13,6 +13,7 @@
 
 from authlib.integrations.requests_client import OAuth2Session
 from authlib.common.security import generate_token
+from authlib.jose import JsonWebToken
 
 from urllib.parse import urlparse, parse_qs
 
@@ -373,41 +374,70 @@ def performLogin(self, auth_method, auth_string):
                 # request group memberships for Microsoft
                 groups = []
                 if provider == 'microsoft':
-                    access_token = oauth_token['access_token']
+                    # decoding
+                    id_token = oauth_token['id_token']
+                    jwks_url = oauth_config["jwks_url"]
+
+                    jwks_response = oauth2_session.get(jwks_url)
+                    jwks_response.raise_for_status()
+                    jwks_fetched = jwks_response.json()
+
+                    jwt_decoder = JsonWebToken(['RS256'])
+                    claims = jwt_decoder.decode(id_token, key=jwks_fetched)
+                    claims.validate()
+
                     user_groups_url = oauth_config["user_groups_url"]
                     response = oauth2_session.get(user_groups_url).json()
+
                     for group in response["value"]:
                         if group.get("onPremisesSyncEnabled") and \
                                 group.get("securityEnabled"):
                             groups.append(group["displayName"])
-                username = user_info[
-                    oauth_config["user_info_mapping"]["username"]]
-                LOG.info("User info fetched, username: %s", username)
+
             except Exception as ex:
                 LOG.error("User info fetch failed: %s", str(ex))
                 raise codechecker_api_shared.ttypes.RequestFailed(
                     codechecker_api_shared.ttypes.ErrorCode.AUTH_DENIED,
                     "User info fetch failed.")
 
+            username_key = oauth_config.get(
+                "user_info_mapping", {}).get("username")
+
             # if the provider is github it fetches primary email
             # from another api endpoint to maintain username as email
             # consistency between GitHub and other providers
-            if provider == "github" and \
-                    "localhost" not in \
-                    user_info_url:
-                try:
-                    user_emails_url = oauth_config["user_emails_url"]
-                    for email in oauth2_session \
-                            .get(user_emails_url).json():
-                        if email['primary']:
-                            username = email['email']
-                            LOG.info("Primary email found: %s", username)
-                            break
-                except Exception as ex:
-                    LOG.error("Email fetch failed: %s", str(ex))
-                    raise codechecker_api_shared.ttypes.RequestFailed(
-                        codechecker_api_shared.ttypes.ErrorCode.AUTH_DENIED,
-                        "Email fetch failed.")
+            try:
+                if provider == "github":
+                    if username_key == "email":
+                        if "localhost" not in \
+                                user_info_url:
+                            user_emails_url = \
+                                oauth_config["user_emails_url"]
+                            for email in oauth2_session \
+                                    .get(user_emails_url).json():
+                                if email['primary']:
+                                    username = email['email']
+                                    LOG.info("Primary email found: %s",
+                                             username)
+                    else:
+                        username = user_info.get("login")
+                elif provider == "google":
+                    username = user_info.get("email")
+                elif provider == "microsoft":
+                    if username_key == "username":
+                        username = claims.get("Signum")
+                    else:
+                        username = user_info.get("mail")
+
+                LOG.debug(f"groups fetched for {username}, are: {groups}")
+
+                LOG.info("Username fetched, for username: %s", username)
+            except Exception as ex:
+                LOG.error("Username fetch failed: %s", str(ex))
+                raise codechecker_api_shared.ttypes.RequestFailed(
+                    codechecker_api_shared.ttypes.ErrorCode.AUTH_DENIED,
+                    "Username fetch failed, error: %s.", str(ex))
+
             try:
                 access_token = oauth_token['access_token']
                 refresh_token = oauth_token['refresh_token']
diff --git a/web/server/codechecker_server/session_manager.py b/web/server/codechecker_server/session_manager.py
@@ -710,6 +710,8 @@ def create_session_oauth(self, provider: str,
         if groups is None:
             groups = []
 
+        LOG.debug(f"groups assigned to oauth_session: {groups}")
+
         if not self.__is_method_enabled('oauth'):
             return False
 
diff --git a/web/server/config/server_config.json b/web/server/config/server_config.json
@@ -68,7 +68,7 @@
           "user_emails_url": "https://api.github.com/user/emails",
           "scope": "user:email",
           "user_info_mapping": {
-            "username": "login"
+            "username": "username"
           }
         },
         "google": {
@@ -92,10 +92,11 @@
           "callback_url": "https://<server_host>/login/OAuthLogin/microsoft",
           "token_url": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",
           "user_groups_url" : "https://graph.microsoft.com/v1.0/me/memberOf",
+          "jwks_url": "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys",
           "user_info_url": "https://graph.microsoft.com/v1.0/me",
           "scope": "User.Read email profile openid offline_access",
           "user_info_mapping": {
-            "username": "mail"
+            "username": "email"
           }
         }
       }

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@`
`68`	`68`	`"user_emails_url": "https://api.github.com/user/emails",`
`69`	`69`	`"scope": "user:email",`
`70`	`70`	`"user_info_mapping": {`
`71`		`- "username": "login"`
	`71`	`+ "username": "username"`
`72`	`72`	`}`
`73`	`73`	`},`
`74`	`74`	`"google": {`
`@@ -92,10 +92,11 @@`
`92`	`92`	`"callback_url": "https://<server_host>/login/OAuthLogin/microsoft",`
`93`	`93`	`"token_url": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token",`
`94`	`94`	`"user_groups_url" : "https://graph.microsoft.com/v1.0/me/memberOf",`
	`95`	`+ "jwks_url": "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys",`
`95`	`96`	`"user_info_url": "https://graph.microsoft.com/v1.0/me",`
`96`	`97`	`"scope": "User.Read email profile openid offline_access",`
`97`	`98`	`"user_info_mapping": {`
`98`		`- "username": "mail"`
	`99`	`+ "username": "email"`
`99`	`100`	`}`
`100`	`101`	`}`
`101`	`102`	`}`