Fixing second batch of comments
feyruzb committed Feb 7, 2025
1 parent b9c8e27 commit b371ba0
Showing 6 changed files with 90 additions and 91 deletions.
37 changes: 18 additions & 19 deletions docs/web/authentication.md
Expand Up @@ -342,42 +342,41 @@ CodeChecker also supports OAUTH-based authentication. The `authentication.method

Indicates if current provider is enabled (github, google, etc)

* `oauth_client_id`
* `client_id`

Contains client ID provided by the OAuth provider.

* `oauth_client_secret`
* `client_secret`

The client secret must be provided by the OAuth provider.

* `oauth_authorization_uri`
* `authorization_url`

This link in used for redirecting user for provider's authentication page

* `oauth_callback_url`
* `callback_url`

User will be redirected back to the provided link after login with returned data.
It should be constructed in that format `http://codechecker_path/login/OAuthLogin/provider` where `provider` is the the name of the provider of OAuth and should match existing `provider_name`.The `oauth_callback_url` should also match the callback url specified in the config of your provider on their webpage.
It should be constructed in that format `http://codechecker_path/login/OAuthLogin/provider` where `provider` is the the name of the provider of OAuth and should match existing `provider_name`.The `callback_url` should also match the callback url specified in the config of your provider on their webpage.

Example of correct link using github, google and microsoft
* http://localhost:8080/login/OAuthLogin/github
* http://localhost:8080/login/OAuthLogin/google
* http://localhost:8080/login/OAuthLogin/microsoft
* https://codechecker.gic.ericsson.se/login/OAuthLogin/github

* `oauth_token_uri`
* `token_url`

The URI to exchange the authorization code for an access token.

* `oauth_user_info_uri`
* `user_info_url`

The URI to fetch the authenticated user's information.

* `oauth_scope`
* `scope`

The scope of access requested from the OAuth provider.

* `oauth_user_info_mapping`
* `user_info_mapping`

A mapping of user info fields from the provider to local fields.

Expand All @@ -399,14 +398,14 @@ CodeChecker also supports OAUTH-based authentication. The `authentication.method
"providers": {
"example_provider": {
"enabled": false,
"oauth_client_id": "client id",
"oauth_client_secret": "client secret",
"oauth_authorization_uri": "https://accounts.google.com/o/oauth2/auth",
"oauth_callback_url": "http://localhost:8080/login/OAuthLogin/provider",
"oauth_token_uri": "https://accounts.google.com/o/oauth2/token",
"oauth_user_info_uri": "https://www.googleapis.com/oauth2/v1/userinfo",
"oauth_scope": "openid email profile",
"oauth_user_info_mapping": {
"client_id": "client id",
"client_secret": "client secret",
"authorization_url": "https://accounts.google.com/o/oauth2/auth",
"callback_url": "http://localhost:8080/login/OAuthLogin/provider",
"token_url": "https://accounts.google.com/o/oauth2/token",
"user_info_url": "https://www.googleapis.com/oauth2/v1/userinfo",
"scope": "openid email profile",
"user_info_mapping": {
"username": "email",
"email": "email",
"fullname": "name"
Expand All @@ -423,7 +422,7 @@ CodeChecker also supports OAUTH-based authentication. The `authentication.method

#### OAuth Details per each provider <a name ="oauth-details-per-each-provider"></a>

* Important: 'oauth_callback_url' must always match with link specified in the
* Important: 'callback_url' must always match with link specified in the
Providers settings when issuing an access token.

* Important: At the time this code was written, GitHub doesn't support PKCE (Proof Key for Code Exchange).
36 changes: 18 additions & 18 deletions web/server/codechecker_server/api/authentication.py
Expand Up @@ -198,21 +198,21 @@ def getOauthProviders(self):
def createLink(self, provider):
"""
Create a link what the user will be redirected to
login in specified provider.
login via specified provider.
And inserts state, code, pkce_verifier in oauth table.
"""
oauth_config = self.__manager.get_oauth_config(provider)
if not oauth_config.get('enabled'):
raise codechecker_api_shared.ttypes.RequestFailed(
codechecker_api_shared.ttypes.ErrorCode.AUTH_DENIED,
"OAuth authentication is not enabled.")
"OAuth authentication is not enabled for provider:", provider)

stored_state = generate_token()
client_id = oauth_config["oauth_client_id"]
client_secret = oauth_config["oauth_client_secret"]
scope = oauth_config["oauth_scope"]
authorization_uri = oauth_config["oauth_authorization_uri"]
callback_url = oauth_config["oauth_callback_url"]
client_id = oauth_config["client_id"]
client_secret = oauth_config["client_secret"]
scope = oauth_config["scope"]
authorization_url = oauth_config["authorization_url"]
callback_url = oauth_config["callback_url"]
# code verifier for PKCE
pkce_verifier = generate_token(48)

Expand All @@ -229,15 +229,15 @@ def createLink(self, provider):
# for requesting refresh token
if provider == "google":
url, state = session.create_authorization_url(
url=authorization_uri,
url=authorization_url,
state=stored_state,
code_verifier=pkce_verifier,
access_type='offline',
prompt='consent'
)
else:
url, state = session.create_authorization_url(
authorization_uri,
authorization_url,
state=stored_state,
code_verifier=pkce_verifier
)
Expand Down Expand Up @@ -318,13 +318,13 @@ def performLogin(self, auth_method, auth_string):
codechecker_api_shared.ttypes.ErrorCode.AUTH_DENIED,
"OAuth authentication is not enabled.")

client_id = oauth_config["oauth_client_id"]
client_secret = oauth_config["oauth_client_secret"]
scope = oauth_config["oauth_scope"]
authorization_uri = oauth_config["oauth_authorization_uri"]
token_url = oauth_config["oauth_token_uri"]
user_info_url = oauth_config["oauth_user_info_uri"]
callback_url = oauth_config["oauth_callback_url"]
client_id = oauth_config["client_id"]
client_secret = oauth_config["client_secret"]
scope = oauth_config["scope"]
authorization_url = oauth_config["authorization_url"]
token_url = oauth_config["token_url"]
user_info_url = oauth_config["user_info_url"]
callback_url = oauth_config["callback_url"]
allowed_users = oauth_config.get("allowed_users", [])
LOG.info("OAuth configuration loaded for provider: %s", provider)
session = None
Expand All @@ -347,7 +347,7 @@ def performLogin(self, auth_method, auth_string):
# no way to get the original session so recreate it

url_recreated = session.create_authorization_url(
authorization_uri,
authorization_url,
state=state_db,
code_verifier=code_verifier_db
)[0]
Expand Down Expand Up @@ -387,7 +387,7 @@ def performLogin(self, auth_method, auth_string):
try:
user_info = session.get(user_info_url).json()
username = user_info[
oauth_config["oauth_user_info_mapping"]["username"]]
oauth_config["user_info_mapping"]["username"]]
LOG.info("User info fetched, username: %s", username)
except Exception as ex:
LOG.error("User info fetch failed: %s", str(ex))
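Review bot: The new RequestFailed call in createLink passes `provider` as a separate positional argument after the message string, so the comma does not concatenate: the message a user sees ends at "provider:" and the name goes into whatever third field the Thrift exception declares (or fails construction if there is none — I cannot see the struct from here). Format it into the string instead: `f"OAuth authentication is not enabled for provider: {provider}"`. The same enabled check in performLogin (third hunk, unchanged context line) still says `"OAuth authentication is not enabled."`, so the two messages now disagree; aligning them would keep the error surface consistent. Both createLink and performLogin start or continue outside their hunks.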
2 changes: 1 addition & 1 deletion web/server/codechecker_server/server.py
Expand Up @@ -1127,7 +1127,7 @@ def check_callback_url_format(provider_name, callback_url):
# Iterate through the providers and
# checks the format of callback url
for provider_name, provider_data in oauth_config.items():
callback_url = provider_data.get('oauth_callback_url')
callback_url = provider_data.get('callback_url')
if not check_callback_url_format(provider_name, callback_url):
LOG.warning("The callback URL format is "
f"invalid for provider {provider_name}."
4 changes: 2 additions & 2 deletions web/server/codechecker_server/session_manager.py
Expand Up @@ -285,9 +285,9 @@ def get_oauth_config(self, provider):
'method_oauth', {}).get("providers", {}).get(provider, {})

# turn off configuration if it is set to default values
if provider_cfg.get("oauth_client_secret",
if provider_cfg.get("client_secret",
"ExampleClientSecret") == "ExampleClientSecret" \
or provider_cfg.get("oauth_client_id",
or provider_cfg.get("client_id",
"ExampleClientID") == "ExampleClientID":
self.__auth_config["method_oauth"]["providers"][provider][
"enabled"] = False
48 changes: 24 additions & 24 deletions web/server/config/server_config.json
Expand Up @@ -62,14 +62,14 @@
"providers" : {
"github" : {
"enabled" : false,
"oauth_client_id" : "ExampleClientID",
"oauth_client_secret": "ExampleClientSecret",
"oauth_authorization_uri": "https://github.com/login/oauth/authorize",
"oauth_callback_url": "http://codechecker_host/login/OAuthLogin/provider",
"oauth_token_uri": "https://github.com/login/oauth/access_token",
"oauth_user_info_uri": "https://api.github.com/user",
"oauth_scope": "openid email profile",
"oauth_user_info_mapping": {
"client_id" : "ExampleClientID",
"client_secret": "ExampleClientSecret",
"authorization_url": "https://github.com/login/oauth/authorize",
"callback_url": "http://codechecker_host/login/OAuthLogin/provider",
"token_url": "https://github.com/login/oauth/access_token",
"user_info_url": "https://api.github.com/user",
"scope": "openid email profile",
"user_info_mapping": {
"username": "login"
},
"allowed_users": [
Expand All @@ -80,14 +80,14 @@
},
"google": {
"enabled" : false,
"oauth_client_id" : "ExampleClientID",
"oauth_client_secret" : "ExampleClientSecret",
"oauth_authorization_uri" : "https://accounts.google.com/o/oauth2/auth",
"oauth_callback_url" : "http://codechecker_host/login/OAuthLogin/provider",
"oauth_token_uri" : "https://accounts.google.com/o/oauth2/token",
"oauth_user_info_uri" : "https://www.googleapis.com/oauth2/v1/userinfo",
"oauth_scope" : "openid email profile",
"oauth_user_info_mapping" : {
"client_id" : "ExampleClientID",
"client_secret" : "ExampleClientSecret",
"authorization_url" : "https://accounts.google.com/o/oauth2/auth",
"callback_url" : "http://codechecker_host/login/OAuthLogin/provider",
"token_url" : "https://accounts.google.com/o/oauth2/token",
"user_info_url" : "https://www.googleapis.com/oauth2/v1/userinfo",
"scope" : "openid email profile",
"user_info_mapping" : {
"username" : "email"
},
"allowed_users": [
Expand All @@ -98,14 +98,14 @@
},
"microsoft": {
"enabled": false,
"oauth_client_id": "ExampleClientID",
"oauth_client_secret": "ExampleClientSecret",
"oauth_authorization_uri": "https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/oauth2/v2.0/authorize",
"oauth_callback_url": "http://codechecker_host/login/OAuthLogin/provider",
"oauth_token_uri": "https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/oauth2/v2.0/token",
"oauth_user_info_uri": "https://graph.microsoft.com/v1.0/me",
"oauth_scope": "User.Read email profile openid",
"oauth_user_info_mapping": {
"client_id": "ExampleClientID",
"client_secret": "ExampleClientSecret",
"authorization_url": "https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/oauth2/v2.0/authorize",
"callback_url": "http://codechecker_host/login/OAuthLogin/provider",
"token_url": "https://login.microsoftonline.com/92e84ceb-fbfd-47ab-be52-080c6b87953f/oauth2/v2.0/token",
"user_info_url": "https://graph.microsoft.com/v1.0/me",
"scope": "User.Read email profile openid",
"user_info_mapping": {
"username": "mail"
},
"allowed_users": [
54 changes: 27 additions & 27 deletions web/tests/libtest/env.py
Expand Up @@ -363,15 +363,15 @@ def enable_auth(workspace):
"providers": {
"github": {
"enabled": True,
"oauth_client_id": "1",
"oauth_client_secret": "1",
"oauth_authorization_uri": "http://localhost:3000/login",
"oauth_callback_url": "http://localhost:8080/login/" +
"OAuthLogin/github",
"oauth_token_uri": "http://localhost:3000/token",
"oauth_user_info_uri": "http://localhost:3000/get_user",
"oauth_scope": "openid email profile",
"oauth_user_info_mapping": {
"client_id": "1",
"client_secret": "1",
"authorization_url": "http://localhost:3000/login",
"callback_url": "http://localhost:8080/login/" +
"OAuthLogin/github",
"token_url": "http://localhost:3000/token",
"user_info_url": "http://localhost:3000/get_user",
"scope": "openid email profile",
"user_info_mapping": {
"username": "login"
},
"allowed_users": [
Expand All @@ -380,15 +380,15 @@ def enable_auth(workspace):
},
"google": {
"enabled": True,
"oauth_client_id": "2",
"oauth_client_secret": "2",
"oauth_authorization_uri": "http://localhost:3000/login",
"oauth_callback_url": "http://localhost:8080/login/" +
"OAuthLogin/google",
"oauth_token_uri": "http://localhost:3000/token",
"oauth_user_info_uri": "http://localhost:3000/get_user",
"oauth_scope": "openid email profile",
"oauth_user_info_mapping": {
"client_id": "2",
"client_secret": "2",
"authorization_url": "http://localhost:3000/login",
"callback_url": "http://localhost:8080/login/" +
"OAuthLogin/google",
"token_url": "http://localhost:3000/token",
"user_info_url": "http://localhost:3000/get_user",
"scope": "openid email profile",
"user_info_mapping": {
"username": "email"
},
"allowed_users": [
Expand All @@ -397,15 +397,15 @@ def enable_auth(workspace):
},
"dummy": {
"enabled": True,
"oauth_client_id": "3",
"oauth_client_secret": "3",
"oauth_authorization_uri": "http://localhost:3000/login",
"oauth_callback_url": "http://localhost:8080/login/" +
"OAuthLogin/dummy",
"oauth_token_uri": "http://localhost:3000/token",
"oauth_user_info_uri": "http://localhost:3000/get_user",
"oauth_scope": "openid email profile",
"oauth_user_info_mapping": {
"client_id": "3",
"client_secret": "3",
"authorization_url": "http://localhost:3000/login",
"callback_url": "http://localhost:8080/login/" +
"OAuthLogin/dummy",
"token_url": "http://localhost:3000/token",
"user_info_url": "http://localhost:3000/get_user",
"scope": "openid email profile",
"user_info_mapping": {
"username": "email"
},
"allowed_users": []
