Merge pull request #320 from blackav/319-implement-generic-oidc-plugin

319 implement generic OIDC plugin

bin/ej-jobs.c

@@ -1,6 +1,6 @@
 /* -*- mode: c; c-basic-offset: 4 -*- */
 
-/* Copyright (C) 2006-2023 Alexander Chernov <[email protected]> */
+/* Copyright (C) 2006-2024 Alexander Chernov <[email protected]> */
 
 /*
  * This program is free software; you can redistribute it and/or modify
@@ -194,6 +194,10 @@ struct AppState
  const struct auth_plugin_iface *auth_yandex_iface;
  void *auth_yandex_data;
 
+ // OIDC Auth plugin
+ const struct auth_plugin_iface *auth_oidc_iface;
+ void *auth_oidc_data;
+
  // Gitlab VCS plugin
  const struct vcs_plugin_iface *vcs_gitlab_iface;
  void *vcs_gitlab_data;
@@ -1733,6 +1737,51 @@ load_auth_yandex_plugin(struct AppState *as)
  return 0;
 }
 
+static int
+load_auth_oidc_plugin(struct AppState *as)
+{
+ struct xml_tree *oidc_cfg = ejudge_cfg_get_plugin_config(as->config, "auth", "oidc");
+ if (!oidc_cfg) return 0;
+
+ const struct common_loaded_plugin *oidc_plugin = plugin_load_external(NULL, "auth", "oidc", as->config);
+ if (!oidc_plugin) {
+ err("failed to load auth_oidc plugin");
+ return -1;
+ }
+
+ if (oidc_plugin->iface->b.size != sizeof(struct auth_plugin_iface)) {
+ err("auth_oidc plugin interface size mismatch");
+ return -1;
+ }
+
+ const struct auth_plugin_iface *auth_iface = (const struct auth_plugin_iface *) oidc_plugin->iface;
+ if (auth_iface->auth_version != AUTH_PLUGIN_IFACE_VERSION) {
+ err("auth_oidc plugin interface version mismatch");
+ return -1;
+ }
+
+ as->auth_oidc_iface = auth_iface;
+ as->auth_oidc_data = oidc_plugin->data;
+ as->auth_oidc_iface->set_set_command_handler(as->auth_oidc_data, add_handler_wrapper, as);
+
+ if (as->auth_oidc_iface->open(as->auth_oidc_data) < 0) {
+ err("auth_oidc plugin 'open' failed");
+ return -1;
+ }
+
+ if (as->auth_oidc_iface->check(as->auth_oidc_data) < 0) {
+ err("auth_oidc plugin 'check' failed");
+ return -1;
+ }
+
+ if (as->auth_oidc_iface->start_thread(as->auth_oidc_data) < 0) {
+ err("auth_oidc plugin 'start_thread' failed");
+ return -1;
+ }
+
+ return 0;
+}
+
 static int
 load_vcs_gitlab_plugin(struct AppState *as)
 {
@@ -1789,6 +1838,7 @@ load_plugins(struct AppState *as)
  if (load_auth_google_plugin(as) < 0) return -1;
  if (load_auth_vk_plugin(as) < 0) return -1;
  if (load_auth_yandex_plugin(as) < 0) return -1;
+ if (load_auth_oidc_plugin(as) < 0) return -1;
  if (load_vcs_gitlab_plugin(as) < 0) return -1;
 
  return 0;

configure

@@ -9033,7 +9033,7 @@ subdirs="$subdirs libdwarf"
 subdirs="$subdirs libbacktrace"
 
 
-ac_config_files="$ac_config_files Makefile extra/Makefile extra/captest/Makefile checkers/Makefile scripts/Makefile ejudge-config.v scripts/festival plugins/common-mysql/Makefile plugins/userlist-mysql/Makefile plugins/clardb-mysql/Makefile plugins/rundb-mysql/Makefile plugins/common-mongo/Makefile plugins/xuser-mongo/Makefile style/ejudge-upgrade-web cfront/Makefile reuse/Makefile csp/contests/Makefile csp/super-server/Makefile csp_header.make plugins/telegram/Makefile plugins/avatar-mongo/Makefile plugins/status-mongo/Makefile plugins/status-mysql/Makefile plugins/auth-google/Makefile plugins/auth-base/Makefile plugins/auth-vk/Makefile plugins/auth-fb/Makefile plugins/xuser-mysql/Makefile plugins/avatar-mysql/Makefile plugins/variant-mysql/Makefile plugins/storage-mysql/Makefile plugins/cache-mysql/Makefile plugins/submit-mysql/Makefile plugins/userprob-mysql/Makefile plugins/vcs-gitlab/Makefile plugins/auth-yandex/Makefile plugins/notify-redis/Makefile"
+ac_config_files="$ac_config_files Makefile extra/Makefile extra/captest/Makefile checkers/Makefile scripts/Makefile ejudge-config.v scripts/festival plugins/common-mysql/Makefile plugins/userlist-mysql/Makefile plugins/clardb-mysql/Makefile plugins/rundb-mysql/Makefile plugins/common-mongo/Makefile plugins/xuser-mongo/Makefile style/ejudge-upgrade-web cfront/Makefile reuse/Makefile csp/contests/Makefile csp/super-server/Makefile csp_header.make plugins/telegram/Makefile plugins/avatar-mongo/Makefile plugins/status-mongo/Makefile plugins/status-mysql/Makefile plugins/auth-google/Makefile plugins/auth-base/Makefile plugins/auth-vk/Makefile plugins/auth-fb/Makefile plugins/xuser-mysql/Makefile plugins/avatar-mysql/Makefile plugins/variant-mysql/Makefile plugins/storage-mysql/Makefile plugins/cache-mysql/Makefile plugins/submit-mysql/Makefile plugins/userprob-mysql/Makefile plugins/vcs-gitlab/Makefile plugins/auth-yandex/Makefile plugins/notify-redis/Makefile plugins/auth-oidc/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -9761,6 +9761,7 @@ do
  "plugins/vcs-gitlab/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/vcs-gitlab/Makefile" ;;
  "plugins/auth-yandex/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/auth-yandex/Makefile" ;;
  "plugins/notify-redis/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/notify-redis/Makefile" ;;
+ "plugins/auth-oidc/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/auth-oidc/Makefile" ;;
 
  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac

configure.ac

@@ -1,4 +1,4 @@
-dnl Copyright (C) 2004-2023 Alexander Chernov <[email protected]>
+dnl Copyright (C) 2004-2024 Alexander Chernov <[email protected]>
 
 AC_INIT([ejudge],[3])
 AC_PREREQ([2.71])
@@ -1453,7 +1453,7 @@ AC_CONFIG_SUBDIRS([libdwarf])
 
 AC_CONFIG_SUBDIRS([libbacktrace])
 
-AC_CONFIG_FILES([Makefile extra/Makefile extra/captest/Makefile checkers/Makefile scripts/Makefile ejudge-config.v scripts/festival plugins/common-mysql/Makefile plugins/userlist-mysql/Makefile plugins/clardb-mysql/Makefile plugins/rundb-mysql/Makefile plugins/common-mongo/Makefile plugins/xuser-mongo/Makefile style/ejudge-upgrade-web cfront/Makefile reuse/Makefile csp/contests/Makefile csp/super-server/Makefile csp_header.make plugins/telegram/Makefile plugins/avatar-mongo/Makefile plugins/status-mongo/Makefile plugins/status-mysql/Makefile plugins/auth-google/Makefile plugins/auth-base/Makefile plugins/auth-vk/Makefile plugins/auth-fb/Makefile plugins/xuser-mysql/Makefile plugins/avatar-mysql/Makefile plugins/variant-mysql/Makefile plugins/storage-mysql/Makefile plugins/cache-mysql/Makefile plugins/submit-mysql/Makefile plugins/userprob-mysql/Makefile plugins/vcs-gitlab/Makefile plugins/auth-yandex/Makefile plugins/notify-redis/Makefile])
+AC_CONFIG_FILES([Makefile extra/Makefile extra/captest/Makefile checkers/Makefile scripts/Makefile ejudge-config.v scripts/festival plugins/common-mysql/Makefile plugins/userlist-mysql/Makefile plugins/clardb-mysql/Makefile plugins/rundb-mysql/Makefile plugins/common-mongo/Makefile plugins/xuser-mongo/Makefile style/ejudge-upgrade-web cfront/Makefile reuse/Makefile csp/contests/Makefile csp/super-server/Makefile csp_header.make plugins/telegram/Makefile plugins/avatar-mongo/Makefile plugins/status-mongo/Makefile plugins/status-mysql/Makefile plugins/auth-google/Makefile plugins/auth-base/Makefile plugins/auth-vk/Makefile plugins/auth-fb/Makefile plugins/xuser-mysql/Makefile plugins/avatar-mysql/Makefile plugins/variant-mysql/Makefile plugins/storage-mysql/Makefile plugins/cache-mysql/Makefile plugins/submit-mysql/Makefile plugins/userprob-mysql/Makefile plugins/vcs-gitlab/Makefile plugins/auth-yandex/Makefile plugins/notify-redis/Makefile plugins/auth-oidc/Makefile])
 AC_OUTPUT
 
 #cp -p config.h include/reuse

csp/contests/reg_login_page.csp

@@ -118,6 +118,10 @@
  <s:param name="contest_id" value="phr->contest_id" />
  <s:param name="provider" value='"yandex"' />
 </s:url>
+<s:url name="LoginWithOIDCUrl" script="client" ac="'oauth-login-1'">
+ <s:param name="contest_id" value="phr->contest_id" />
+ <s:param name="provider" value='"oidc"' />
+</s:url>
 <p>
 <%
  if (oauth_is_available_num(phr->config, 1)) {
@@ -133,6 +137,11 @@
  if (oauth_is_available_num(phr->config, 3)) {
 %>
 <s:a url="LoginWithYandexUrl"><img src="<s:config name="style-prefix" />icons/yandex-logo.png" alt="yandex auth"></img></s:a>
+<%
+ }
+ if (oauth_is_available_num(phr->config, 4)) {
+%>
+<s:a url="LoginWithOIDCUrl"><img src="<s:config name="style-prefix" />icons/oidc-logo.svg" alt="OIDC auth" height="46px"></img></s:a>
 <%
  }
 %>

csp/contests/unpriv_login_page.csp

@@ -143,6 +143,10 @@
  <s:param name="contest_id" value="phr->contest_id" />
  <s:param name="provider" value='"yandex"' />
 </s:url>
+<s:url name="LoginWithOIDCUrl" ac="oauth-login-1">
+ <s:param name="contest_id" value="phr->contest_id" />
+ <s:param name="provider" value='"oidc"' />
+</s:url>
 <p>
 <%
  if (oauth_is_available_num(phr->config, 1)) {
@@ -158,6 +162,11 @@
  if (oauth_is_available_num(phr->config, 3)) {
 %>
 <s:a url="LoginWithYandexUrl"><img src="<s:config name="style-prefix" />icons/yandex-logo.png" alt="yandex auth"></img></s:a>
+<%
+ }
+ if (oauth_is_available_num(phr->config, 4)) {
+%>
+<s:a url="LoginWithOIDCUrl"><img src="<s:config name="style-prefix" />icons/oidc-logo.svg" alt="OIDC auth" height="46px"></img></s:a>
 <%
  }
 %>

csp/super-server/login_page.csp

@@ -55,6 +55,14 @@ is_configured(
  <s:param name="role" value='"admin"' />
  <s:param name="provider" value='"vk"' />
 </s:url>
+<s:url name="LoginWithYandexUrl" script="client" ac="'oauth-login-1'">
+ <s:param name="role" value='"admin"' />
+ <s:param name="provider" value='"yandex"' />
+</s:url>
+<s:url name="LoginWithOIDCUrl" script="client" ac="'oauth-login-1'">
+ <s:param name="role" value='"admin"' />
+ <s:param name="provider" value='"oidc"' />
+</s:url>
 <p>
 <%
  if (is_configured(phr->config, "google")) {
@@ -65,6 +73,16 @@ is_configured(
  if (is_configured(phr->config, "vk")) {
 %>
 <s:a url="LoginWithVKUrl"><img src="<s:config name="style-prefix" />icons/vk-logo.jpeg" alt="vk auth" width="46"></img></s:a>
+<%
+ }
+ if (is_configured(phr->config, "yandex")) {
+%>
+<s:a url="LoginWithYandexUrl"><img src="<s:config name="style-prefix" />icons/yandex-logo.png" alt="yandex auth"></img></s:a>
+<%
+ }
+ if (is_configured(phr->config, "oidc")) {
+%>
+<s:a url="LoginWithOIDCUrl"><img src="<s:config name="style-prefix" />icons/oidc-logo.svg" alt="OIDC auth" width="46"></img></s:a>
 <%
  }
 %>

lib/oauth.c

@@ -1,6 +1,6 @@
 /* -*- mode: c; c-basic-offset: 4 -*- */
 
-/* Copyright (C) 2021-2022 Alexander Chernov <[email protected]> */
+/* Copyright (C) 2021-2024 Alexander Chernov <[email protected]> */
 
 /*
  * This program is free software; you can redistribute it and/or modify
@@ -31,13 +31,14 @@ struct ProviderInfo
  int failed;
 };
 
-enum { PROVIDER_COUNT = 3 };
+enum { PROVIDER_COUNT = 4 };
 
 static struct ProviderInfo providers[PROVIDER_COUNT] =
 {
  { "google" },
  { "vk" },
  { "yandex" },
+ { "oidc" },
 };
 
 static oauth_set_command_handler_t oauth_set_command_handler_func = NULL;

main.unix.make

@@ -1,6 +1,6 @@
 # -*- Makefile -*-
 
-# Copyright (C) 2014-2023 Alexander Chernov <[email protected]> */
+# Copyright (C) 2014-2024 Alexander Chernov <[email protected]> */
 
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -224,6 +224,7 @@ subdirs_all:
  $(MAKE) -C plugins/telegram DESTDIR="${DESTDIR}" all
  $(MAKE) -C plugins/auth-base DESTDIR="${DESTDIR}" all
  $(MAKE) -C plugins/auth-google DESTDIR="${DESTDIR}" all
+ $(MAKE) -C plugins/auth-oidc DESTDIR="${DESTDIR}" all
  $(MAKE) -C plugins/auth-vk DESTDIR="${DESTDIR}" all
  $(MAKE) -C plugins/auth-yandex DESTDIR="${DESTDIR}" all
  $(MAKE) -C plugins/notify-redis DESTDIR="${DESTDIR}" all
@@ -307,6 +308,7 @@ install: local_install
  $(MAKE) -C plugins/telegram DESTDIR="${DESTDIR}" install
  $(MAKE) -C plugins/auth-base DESTDIR="${DESTDIR}" install
  $(MAKE) -C plugins/auth-google DESTDIR="${DESTDIR}" install
+ $(MAKE) -C plugins/auth-oidc DESTDIR="${DESTDIR}" install
  $(MAKE) -C plugins/auth-vk DESTDIR="${DESTDIR}" install
  $(MAKE) -C plugins/auth-yandex DESTDIR="${DESTDIR}" install
  $(MAKE) -C plugins/notify-redis DESTDIR="${DESTDIR}" install
@@ -519,6 +521,7 @@ subdir_clean:
  $(MAKE) -C plugins/telegram DESTDIR="${DESTDIR}" clean
  $(MAKE) -C plugins/auth-base DESTDIR="${DESTDIR}" clean
  $(MAKE) -C plugins/auth-google DESTDIR="${DESTDIR}" clean
+ $(MAKE) -C plugins/auth-oidc DESTDIR="${DESTDIR}" clean
  $(MAKE) -C plugins/auth-vk DESTDIR="${DESTDIR}" clean
  $(MAKE) -C plugins/auth-yandex DESTDIR="${DESTDIR}" clean
  $(MAKE) -C plugins/notify-redis DESTDIR="${DESTDIR}" clean
@@ -558,6 +561,7 @@ subdir_distclean :
  $(MAKE) -C plugins/telegram DESTDIR="${DESTDIR}" distclean
  $(MAKE) -C plugins/auth-base DESTDIR="${DESTDIR}" distclean
  $(MAKE) -C plugins/auth-google DESTDIR="${DESTDIR}" distclean
+ $(MAKE) -C plugins/auth-oidc DESTDIR="${DESTDIR}" distclean
  $(MAKE) -C plugins/auth-vk DESTDIR="${DESTDIR}" distclean
  $(MAKE) -C plugins/auth-yandex DESTDIR="${DESTDIR}" distclean
  $(MAKE) -C plugins/notify-redis DESTDIR="${DESTDIR}" distclean

plugins/auth-oidc/Makefile.in

@@ -0,0 +1,55 @@
+# -*- Makefile -*-
+# @configure_input@
+
+# Copyright (C) 2024 Alexander Chernov <[email protected]> */
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+bindir=@bindir@
+datarootdir=@datarootdir@
+datadir=@datadir@
+includedir=@includedir@
+libdir=@libdir@
+libexecdir=@libexecdir@
+
+EXPAT_DIR=@ac_cv_expat_root@
+EXPAT_INCL_OPT=@ac_cv_expat_include_opt@
+EXPAT_LIB_OPT=@ac_cv_expat_lib_opt@
+
+MYSQL_DIR=@ac_cv_mysql_root@
+MYSQL_INCL_OPT=@ac_cv_mysql_include_opt@
+MYSQL_LIB_OPT=@ac_cv_mysql_lib_opt@
+MYSQL_LIBS=@ac_cv_mysql_libs@
+
+WPTRSIGN=@ac_cv_gcc_wno_pointer_sign@ @ac_cv_gcc_wno_format_truncation@
+WERROR=@ac_cv_werror_flag@
+
+ifdef RELEASE
+CDEBUGFLAGS=-O2 -Wall -DNDEBUG -DRELEASE ${WERROR}
+else
+CDEBUGFLAGS=-g -Wall ${WERROR} -O
+endif
+ifdef STATIC
+CDEBUGFLAGS += -static
+endif
+CEXTRAFLAGS=
+LDEXTRAFLAGS=
+EXTRALIBS=
+CCOMPFLAGS=-D_GNU_SOURCE
+LDCOMPFLAGS=
+
+ifeq ($(MYSQL_LIBS),)
+include empty.make
+else
+include main.make
+endif