feat(系统设置): 单点登录支持OAuth2.0

--story=1010427 --user=李玉号 【系统设置】单点登录支持OAuth2.0
https://www.tapd.cn/55049933/s/1294825
This commit is contained in:
shiziyuan9527 2022-11-10 16:28:07 +08:00 committed by 刘瑞斌
parent f88e2f69cb
commit 00fda9cbcf
8 changed files with 217 additions and 9 deletions

View File

@ -40,6 +40,14 @@ public class SSOController {
.build();
}
@GetMapping("callback/oauth2")
@MsAuditLog(module = OperLogModule.AUTH_TITLE, type = OperLogConstants.LOGIN, title = "登录")
public Rendering callbackOauth(@RequestParam("code") String code, @RequestParam("state") String authId, WebSession session, Locale locale) throws Exception {
Optional<SessionUser> sessionUser = ssoService.exchangeOauth2Token(code, authId, session, locale);
return Rendering.redirectTo("/#/?_token=" + CodingUtil.base64Encoding(session.getId()) + "&_csrf=" + sessionUser.get().getCsrfToken())
.build();
}
@GetMapping("/callback/cas/{authId}")
@MsAuditLog(module = OperLogModule.AUTH_TITLE, type = OperLogConstants.LOGIN, title = "登录")
public Rendering casCallback(@RequestParam("ticket") String ticket, @PathVariable("authId") String authId, WebSession session, Locale locale) throws Exception {

View File

@ -1,14 +1,12 @@
package io.metersphere.gateway.service;
import com.fasterxml.jackson.core.type.TypeReference;
import io.metersphere.base.domain.AuthSource;
import io.metersphere.base.domain.User;
import io.metersphere.commons.constants.SessionConstants;
import io.metersphere.commons.exception.MSException;
import io.metersphere.commons.user.SessionUser;
import io.metersphere.commons.utils.CodingUtil;
import io.metersphere.commons.utils.IOUtils;
import io.metersphere.commons.utils.JSON;
import io.metersphere.commons.utils.SessionUtils;
import io.metersphere.commons.utils.*;
import io.metersphere.i18n.Translator;
import io.metersphere.request.LoginRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpResponse;
@ -43,9 +41,7 @@ import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.*;
import java.util.concurrent.TimeUnit;
@ -229,4 +225,120 @@ public class SSOService {
SessionUtils.kickOutUser(name);
stringRedisTemplate.delete(ticket);
}
public Optional<SessionUser> exchangeOauth2Token(String code, String authId, WebSession session, Locale locale) throws Exception {
AuthSource authSource = authSourceService.getAuthSource(authId);
Map<String, String> config = JSON.parseObject(authSource.getConfiguration(), new TypeReference<HashMap<String, String>>() {});
String url = config.get("tokenUrl")
+ "?client_id=" + config.get("clientId")
+ "&client_secret=" + config.get("secret")
+ "&redirect_uri=" + config.get("redirectUrl")
+ "&code=" + code
+ "&grant_type=authorization_code";
Map<String, String> resultObj = null;
try {
RestTemplate restTemplate = getRestTemplateIgnoreSSL();
HttpHeaders headers = new HttpHeaders();
headers.add(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE);
HttpEntity<String> param = new HttpEntity<>(headers);
ResponseEntity<String> response = restTemplate.postForEntity(url, param, String.class);
String content = response.getBody();
resultObj = JSON.parseObject(content, new TypeReference<HashMap<String, String>>() {});
} catch (Exception e) {
LogUtil.error("fail to get access_token", e);
MSException.throwException("fail to get access_token!");
}
String accessToken = resultObj.get("access_token");
if (StringUtils.isBlank(accessToken)) {
MSException.throwException("access_token is empty!");
}
return doOauth2Login(authSource, accessToken, session, locale);
}
private Optional<SessionUser> doOauth2Login(AuthSource authSource, String accessToken, WebSession session, Locale locale) throws Exception {
Map<String, String> oauth2Config = null;
Map<String, String> resultObj = null;
try {
oauth2Config = JSON.parseObject(authSource.getConfiguration(), new TypeReference<HashMap<String, String>>() {});
String userInfoUrl = oauth2Config.get("userInfoUrl");
HttpHeaders headers = new HttpHeaders();
headers.set("Authorization", "Bearer " + accessToken);
RestTemplate restTemplate = getRestTemplateIgnoreSSL();
HttpEntity<MultiValueMap<String, String>> httpEntity = new HttpEntity<>(headers);
ResponseEntity<String> response = restTemplate.exchange(userInfoUrl, HttpMethod.GET, httpEntity, String.class);
resultObj = JSON.parseObject(response.getBody(), new TypeReference<HashMap<String, String>>() {});
} catch (Exception e) {
LogUtil.error("fail to get user info", e);
MSException.throwException("fail to get user info!");
}
String attrMapping = oauth2Config.get("mapping");
Map<String, String> mapping = this.getOauth2AttrMapping(attrMapping);
String userid = resultObj.get(mapping.get("userid"));
String username = resultObj.get(mapping.get("username"));
String email = resultObj.get(mapping.get("email"));
if (StringUtils.isBlank(userid)) {
MSException.throwException("userid is empty!");
}
if (StringUtils.isBlank(username)) {
username = userid;
}
if (!StringUtils.contains(email, "@")) {
email = null;
}
User u = userLoginService.selectUser(userid, email);
if (u == null) {
//
User user = new User();
user.setId(userid);
user.setName(username);
user.setEmail(email);
user.setSource(authSource.getType());
userLoginService.createOssUser(user);
} else {
if (StringUtils.equals(u.getEmail(), email) && !StringUtils.equals(u.getId(), userid)) {
MSException.throwException("email already exists!");
}
}
LoginRequest loginRequest = new LoginRequest();
loginRequest.setUsername(userid);
loginRequest.setPassword("nothing");
loginRequest.setAuthenticate(authSource.getType());
Optional<SessionUser> userOptional = userLoginService.login(loginRequest, session, locale);
session.getAttributes().put("authenticate", authSource.getType());
session.getAttributes().put("authId", authSource.getId());
return userOptional;
}
private Map<String, String> getOauth2AttrMapping(String mappingStr) {
Map<String, String> mapping = new HashMap<>();
try {
mapping = JSON.parseObject(mappingStr, new TypeReference<HashMap<String, String>>() {});
} catch (Exception e) {
LogUtil.error("get oauth2 mapping config error!", e);
MSException.throwException(Translator.get("oauth_mapping_config_error"));
}
String userid = mapping.get("userid");
if (StringUtils.isBlank(userid)) {
MSException.throwException(Translator.get("oauth_mapping_value_null") + ": userid");
}
String username = mapping.get("username");
if (StringUtils.isBlank(username)) {
MSException.throwException(Translator.get("oauth_mapping_value_null") + ": username");
}
String email = mapping.get("email");
if (StringUtils.isBlank(email)) {
MSException.throwException(Translator.get("oauth_mapping_value_null") + ": email");
}
return mapping;
}
}

View File

@ -47,6 +47,7 @@ public class UserLoginService {
switch (request.getAuthenticate()) {
case "OIDC":
case "CAS":
case "OAuth2":
userDTO = loginSsoMode(request.getUsername(), request.getAuthenticate());
break;
case "LDAP":

View File

@ -254,7 +254,7 @@ export default {
sessionStorage.setItem('redirectUrl', redirectUrl);
sessionStorage.setItem('lastUser', getCurrentUserId());
this.$router.push({ name: "login_redirect", path: redirectUrl || '/', query: this.otherQuery});
this.$router.push({name: "login_redirect", path: redirectUrl || '/', query: this.otherQuery});
},
doLogin() {
const userStore = useUserStore()
@ -310,6 +310,14 @@ export default {
url = config.authUrl + "?client_id=" + config.clientId + "&redirect_uri=" + redirectUrl +
"&response_type=code&scope=openid+profile+email&state=" + authId;
}
if (source.type === 'OAuth2') {
url = config.authUrl
+ "?client_id=" + config.clientId
+ "&scope=" + config.scope
+ "&response_type=code"
+ "&redirect_uri=" + redirectUrl
+ "&state=" + authId;
}
if (url) {
window.location.href = url;
}

View File

@ -181,6 +181,8 @@ login_fail_ou_error=Login failed, please check the user OU
login_fail_filter_error=Login failed, please check the user filter
check_ldap_mapping=Check LDAP attribute mapping
ldap_mapping_value_null=LDAP user attribute mapping field is empty
oauth_mapping_config_error=OAuth2 attribute mapping misconfiguration
oauth_mapping_value_null=OAuth2 user attribute mapping field is empty
#quota
quota_project_excess_ws_api=The total number of interface tests for a project cannot exceed the workspace quota
quota_project_excess_ws_performance=The total number of performance tests for a project cannot exceed the workspace quota

View File

@ -181,6 +181,8 @@ login_fail_ou_error=登录失败请检查用户OU
login_fail_filter_error=登录失败,请检查用户过滤器
check_ldap_mapping=检查LDAP属性映射
ldap_mapping_value_null=LDAP用户属性映射字段为空值
oauth_mapping_config_error=OAuth2属性映射配置错误
oauth_mapping_value_null=OAuth2用户属性映射字段为空值
#quota
quota_project_excess_ws_api=项目的接口测试数量总和不能超过工作空间的配额
quota_project_excess_ws_performance=项目的性能测试数量总和不能超过工作空间的配额

View File

@ -181,6 +181,8 @@ login_fail_ou_error=登錄失敗請檢查用戶OU
login_fail_filter_error=登錄失敗,請檢查用戶過濾器
check_ldap_mapping=檢查LDAP屬性映射
ldap_mapping_value_null=LDAP用戶屬性映射字段為空值
oauth_mapping_config_error=OAuth2屬性映射配置錯誤
oauth_mapping_value_null=OAuth2用戶屬性映射字段為空值
#quota
quota_project_excess_ws_api=項目的接口測試數量總和不能超過工作空間的配額
quota_project_excess_ws_performance=項目的性能測試數量總和不能超過工作空間的配額

View File

@ -17,6 +17,7 @@
<template v-slot="scope">
<span v-if="scope.row.type === 'CAS'">CAS</span>
<span v-if="scope.row.type === 'OIDC'">OIDC</span>
<span v-if="scope.row.type === 'OAuth2'">OAuth2</span>
</template>
</el-table-column>
<el-table-column prop="status" :label="$t('test_resource_pool.enable_disable')">
@ -74,6 +75,7 @@
@change="changeAuthType(form.type)">
<el-option key="CAS" value="CAS" label="CAS"/>
<el-option key="OIDC" value="OIDC" label="OIDC"/>
<el-option key="OAuth2" value="OAuth2" label="OAuth2"/>
</el-select>
</el-form-item>
@ -176,6 +178,76 @@
</el-col>
</el-row>
</div>
<div class="node-line" v-if="form.type === 'OAuth2'">
<el-row>
<el-col>
<el-form-item label="Auth Endpoint"
:rules="requiredRules">
<el-input v-model="form.configuration.authUrl"
placeholder="eg: http://example.com/login/oauth/authorize"/>
</el-form-item>
</el-col>
</el-row>
<el-row>
<el-col>
<el-form-item label="Token Endpoint"
:rules="requiredRules">
<el-input v-model="form.configuration.tokenUrl"
placeholder="eg: https://example.com/login/oauth/access_token"/>
</el-form-item>
</el-col>
</el-row>
<el-row>
<el-col>
<el-form-item label="Userinfo Endpoint"
:rules="requiredRules">
<el-input v-model="form.configuration.userInfoUrl"
placeholder="eg: https://example.com/user"/>
</el-form-item>
</el-col>
</el-row>
<el-row>
<el-col>
<el-form-item label="Redirect URL"
:rules="requiredRules">
<el-input v-model="form.configuration.redirectUrl"
placeholder="eg: http://<metersphere-endpoint>/sso/callback/oauth2"/>
</el-form-item>
</el-col>
</el-row>
<el-row>
<el-col>
<el-form-item label="Client ID"
:rules="requiredRules">
<el-input v-model="form.configuration.clientId" placeholder="eg: metersphere"/>
</el-form-item>
</el-col>
</el-row>
<el-row>
<el-col>
<el-form-item label="Secret"
:rules="requiredRules">
<el-input type="password" v-model="form.configuration.secret" show-password autocomplete="new-password"
placeholder="oauth2 client secret"/>
</el-form-item>
</el-col>
</el-row>
<el-row>
<el-col>
<el-form-item label="Scope" :rules="requiredRules">
<el-input v-model="form.configuration.scope"/>
</el-form-item>
</el-col>
</el-row>
<el-row>
<el-col>
<el-form-item label="Property Mapping" :rules="requiredRules">
<el-input v-model="form.configuration.mapping"
:placeholder="mappingTip"/>
</el-form-item>
</el-col>
</el-row>
</div>
</el-form>
<template v-slot:footer>
@ -211,6 +283,7 @@ export default {
dialogLoading: false,
dialogVisible: false,
infoList: [],
mappingTip: '{"userid": "uid", "username": "name", "email": "email"}',
queryPath: "authsource/list",
condition: {},
items: [],