Merge pull request #103 from timfeirg/master

support github oauth2 login

.gitignore

@@ -27,3 +27,4 @@ logfile.log
 db_repository/*
 upload/avatar/*
 tmp/*
+.ropeproject

app/__init__.py

@@ -1,7 +1,7 @@
 from werkzeug.contrib.fixers import ProxyFix
-from flask import Flask
-from flask.ext.login import LoginManager
-from flask.ext.sqlalchemy import SQLAlchemy
+from flask import Flask, request, session, redirect, url_for
+from flask_login import LoginManager
+from flask_sqlalchemy import SQLAlchemy
 
 app = Flask(__name__)
 app.config.from_object('config')
@@ -11,4 +11,42 @@ login_manager = LoginManager()
 login_manager.init_app(app)
 db = SQLAlchemy(app)
 
+def enable_github_oauth(GITHUB_ENABLE):
+    if not GITHUB_ENABLE:
+        return None, None
+    from flask_oauthlib.client import OAuth
+    oauth = OAuth(app)
+    github = oauth.remote_app(
+        'github',
+        consumer_key=app.config['GITHUB_OAUTH_KEY'],
+        consumer_secret=app.config['GITHUB_OAUTH_SECRET'],
+        request_token_params={'scope': app.config['GITHUB_OAUTH_SCOPE']},
+        base_url=app.config['GITHUB_OAUTH_URL'],
+        request_token_url=None,
+        access_token_method='POST',
+        access_token_url=app.config['GITHUB_OAUTH_TOKEN'],
+        authorize_url=app.config['GITHUB_OAUTH_AUTHORIZE']
+    )
+
+    @app.route('/user/authorized')
+    def authorized():
+        session['github_oauthredir'] = url_for('.authorized', _external=True)
+        resp = github.authorized_response()
+        if resp is None:
+            return 'Access denied: reason=%s error=%s' % (
+                request.args['error'],
+                request.args['error_description']
+            )
+        session['github_token'] = (resp['access_token'], '')
+        return redirect(url_for('.login'))
+
+    @github.tokengetter
+    def get_github_oauth_token():
+        return session.get('github_token')
+
+    return oauth, github
+
+oauth, github = enable_github_oauth(app.config.get('GITHUB_OAUTH_ENABLE'))
+
+
 from app import views, models

app/templates/login.html

@@ -58,7 +58,6 @@
       <div class="form-group">
         <input type="otptoken" class="form-control" placeholder="OTP Token" name="otptoken">
       </div>
-        
             {% if ldap_enabled and basic_enabled %}
                     <div class="form-group">
               <select class="form-control" name="auth_method">
@@ -99,6 +98,10 @@
         <!-- /.col -->
       </div>
     </form>
+    {% if github_enabled %}
+    <a href="{{ url_for('github_login') }}">Github oauth login</a>
+    {% endif %}
+    <br>
     {% if signup_enabled %}
     <a href="{{ url_for('register') }}" class="text-center">Create an account </a>
     {% endif %}

app/views.py

@@ -1,23 +1,23 @@
-import os
-import json
-import jinja2
-import traceback
-import pyqrcode
 import base64
-
-from functools import wraps
-from flask_login import login_user, logout_user, current_user, login_required
-from flask import Flask, g, request, make_response, jsonify, render_template, session, redirect, url_for, send_from_directory
-from werkzeug import secure_filename
-
-from lib import utils
-from app import app, login_manager
-from .models import User, Role, Domain, DomainUser, Record, Server, History, Anonymous, Setting, DomainSetting
-
-from io import BytesIO
+import json
+import os
+import traceback
 from distutils.util import strtobool
 from distutils.version import StrictVersion
-from optparse import Values
+from functools import wraps
+from io import BytesIO
+
+import jinja2
+import pyqrcode
+from flask import g, request, make_response, jsonify, render_template, session, redirect, url_for, send_from_directory, abort
+from flask_login import login_user, logout_user, current_user, login_required
+from werkzeug import secure_filename
+from werkzeug.security import gen_salt
+
+from .models import User, Domain, Record, Server, History, Anonymous, Setting, DomainSetting
+from app import app, login_manager, github
+from lib import utils
+
 
 jinja2.filters.FILTERS['display_record_name'] = utils.display_record_name
 jinja2.filters.FILTERS['display_master_name'] = utils.display_master_name
@@ -153,6 +153,12 @@ def register():
     else:
         return render_template('errors/404.html'), 404
 
+@app.route('/github/login')
+def github_login():
+    if not app.config.get('GITHUB_OAUTH_ENABLE'):
+        return abort(400)
+    return github.authorize(callback=url_for('authorized', _external=True))
+
 @app.route('/login', methods=['GET', 'POST'])
 @login_manager.unauthorized_handler
 def login():
@@ -161,24 +167,43 @@ def login():
     LOGIN_TITLE = app.config['LOGIN_TITLE'] if 'LOGIN_TITLE' in app.config.keys() else ''
     BASIC_ENABLED = app.config['BASIC_ENABLED']
     SIGNUP_ENABLED = app.config['SIGNUP_ENABLED']
+    GITHUB_ENABLE = app.config.get('GITHUB_OAUTH_ENABLE')
 
     if g.user is not None and current_user.is_authenticated:
         return redirect(url_for('dashboard'))
 
+    if 'github_token' in session:
+        me = github.get('user')
+        user_info = me.data
+        user = User.query.filter_by(username=user_info['name']).first()
+        if not user:
+            # create user
+            user = User(username=user_info['name'],
+                        plain_text_password=gen_salt(7),
+                        email=user_info['email'])
+            user.create_local_user()
+
+        session['user_id'] = user.id
+        login_user(user, remember = False)
+        return redirect(url_for('index'))
+
     if request.method == 'GET':
-        return render_template('login.html', ldap_enabled=LDAP_ENABLED, login_title=LOGIN_TITLE, basic_enabled=BASIC_ENABLED, signup_enabled=SIGNUP_ENABLED)
+        return render_template('login.html',
+                               github_enabled=GITHUB_ENABLE,
+                               ldap_enabled=LDAP_ENABLED, login_title=LOGIN_TITLE,
+                               basic_enabled=BASIC_ENABLED, signup_enabled=SIGNUP_ENABLED)
 
     # process login
     username = request.form['username']
     password = request.form['password']
-    otp_token = request.form['otptoken'] if 'otptoken' in request.form else None
-    auth_method = request.form['auth_method'] if 'auth_method' in request.form else 'LOCAL'
+    otp_token = request.form.get('otptoken')
+    auth_method = request.form.get('auth_method', 'LOCAL')
 
     # addition fields for registration case
-    firstname = request.form['firstname'] if 'firstname' in request.form else None
-    lastname = request.form['lastname'] if 'lastname' in request.form else None
-    email = request.form['email'] if 'email' in request.form else None
-    rpassword = request.form['rpassword'] if 'rpassword' in request.form else None
+    firstname = request.form.get('firstname')
+    lastname = request.form.get('lastname')
+    email = request.form.get('email')
+    rpassword = request.form.get('rpassword')
 
     if None in [firstname, lastname, email]:
         #login case
@@ -229,6 +254,8 @@ def login():
 
 @app.route('/logout')
 def logout():
+    session.pop('user_id', None)
+    session.pop('github_token', None)
     logout_user()
     return redirect(url_for('login'))
 

config_template.py

@@ -34,6 +34,15 @@ LDAP_SEARCH_BASE = 'ou=System Admins,ou=People,dc=duykhanh,dc=me'
 LDAP_USERNAMEFIELD = 'uid'
 LDAP_FILTER = '(objectClass=inetorgperson)'
 
+# Github Oauth
+GITHUB_OAUTH_ENABLE = False
+GITHUB_OAUTH_KEY = 'G0j1Q15aRsn36B3aD6nwKLiYbeirrUPU8nDd1wOC'
+GITHUB_OAUTH_SECRET = '0WYrKWePeBDkxlezzhFbDn1PBnCwEa0vCwVFvy6iLtgePlpT7WfUlAa9sZgm'
+GITHUB_OAUTH_SCOPE = 'email'
+GITHUB_OAUTH_URL = 'http://127.0.0.1:5000/api/v3/'
+GITHUB_OAUTH_TOKEN = 'http://127.0.0.1:5000/oauth/token'
+GITHUB_OAUTH_AUTHORIZE = 'http://127.0.0.1:5000/oauth/authorize'
+
 #Default Auth
 BASIC_ENABLED = True
 SIGNUP_ENABLED = True

requirements.txt

@@ -10,3 +10,4 @@ SQLAlchemy==1.0.9
 sqlalchemy-migrate==0.10.0
 onetimepass==1.0.1
 PyQRCode==1.2
+Flask-OAuthlib==0.9.3