DavidFarago
diff --git a/‎barkeep_server.rb‎
Lines changed: 10 additions & 78 deletions b/‎barkeep_server.rb‎
Lines changed: 10 additions & 78 deletions
diff --git a/‎config/google-oauth2-credentials.json‎
Lines changed: 1 addition & 0 deletions b/‎config/google-oauth2-credentials.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎environment.rb‎
Lines changed: 4 additions & 1 deletion b/‎environment.rb‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎lib/openid_provider.rb‎
Lines changed: 90 additions & 0 deletions b/‎lib/openid_provider.rb‎
Lines changed: 90 additions & 0 deletions
@@ -6,9 +6,6 @@
 require "methodchain"
 require "nokogiri"
 require "open-uri"
-require "openid"
-require "openid/extensions/ax"
-require "openid/store/filesystem"
 require "pinion"
 require "pinion/sinatra_helpers"
 require "redcarpet"
@@ -25,6 +22,7 @@
 require "lib/git_diff_utils"
 require "lib/keyboard_shortcuts"
 require "lib/meta_repo"
+require "lib/openid_provider"
 require "lib/pretty_date"
 require "lib/script_environment"
 require "lib/stats"
@@ -39,17 +37,12 @@
 require "resque_jobs/deliver_review_request_emails.rb"
 
 NODE_MODULES_BIN_PATH = "./node_modules/.bin"
-OPENID_AX_EMAIL_SCHEMA = "http://axschema.org/contact/email"
 UNAUTHENTICATED_ROUTES = ["/signin", "/signout", "/inspire", "/statusz", "/api/"]
 # NOTE(philc): Currently we let you see previews of individual commits and the code review stats without
-# being logged in, as a friendly UX. When we flesh out our auth model, we should intentionally make this
-# configurable.
+# being logged in, as a friendly UX. When we flesh out our authorization model, we should intentionally make
+# this configurable.
 UNAUTHENTICATED_PREVIEW_ROUTES = ["/commits/", "/stats"]
 
-
-# OPENID_PROVIDERS is a string env variable. It's a comma-separated list of OpenID providers.
-OPENID_PROVIDERS_ARRAY = OPENID_PROVIDERS.split(",")
-
 class BarkeepServer < Sinatra::Base
   attr_accessor :current_user
 
@@ -106,8 +99,6 @@ class BarkeepServer < Sinatra::Base
   # Session hijacking protection breaks Chrome sessions and offers little protection anyway
   set :protection, except: :session_hijacking
 
-  raise "You must have an OpenID provider defined in OPENID_PROVIDERS." if OPENID_PROVIDERS.empty?
-
   configure :development do
     STDOUT.sync = true # Flush any output right away when running via Foreman.
     enable :logging
@@ -145,6 +136,11 @@ class BarkeepServer < Sinatra::Base
     GitDiffUtils.setup(RedisManager.redis_instance)
   end
 
+  # Register the authentication provider specified by AUTHENTICATION_PROTOCOL.
+  AUTHENTICATION_PROVIDERS = {"openid" => OpenidProvider }
+  authentication_provider = AUTHENTICATION_PROVIDERS[AUTHENTICATION_PROTOCOL]
+  register authentication_provider
+
   helpers do
     def current_page_if_url(text) request.url.include?(text) ? "currentPage" : "" end
 
@@ -200,9 +196,7 @@ def ensure_required_params(*required_params)
 
       # Save url to return to it after login completes.
       session[:login_started_url] = request.url
-      redirect(OPENID_PROVIDERS_ARRAY.size == 1 ?
-         get_openid_login_redirect(OPENID_PROVIDERS_ARRAY.first) :
-        "/signin/select_openid_provider")
+      redirect authentication_provider::signin_url(request, session)
     end
   end
 
@@ -213,49 +207,7 @@ def ensure_required_params(*required_params)
   get "/signin" do
     session.clear
     session[:login_started_url] = request.referrer
-    redirect(OPENID_PROVIDERS_ARRAY.size == 1 ?
-       get_openid_login_redirect(OPENID_PROVIDERS_ARRAY.first) :
-      "/signin/select_openid_provider")
-  end
-
-  get "/signin/select_openid_provider" do
-    erb :select_openid_provider, :locals => { :openid_providers => OPENID_PROVIDERS_ARRAY }
-  end
-
-  # Users navigate to here from select_openid_provider.
-  # - provider_id: an integer indicating which provider from OPENID_PROVIDERS_ARRAY to use for authentication.
-  get "/signin/signin_using_openid_provider" do
-    provider = OPENID_PROVIDERS_ARRAY[params[:provider_id].to_i]
-    halt 400, "OpenID provider not found." unless provider
-    redirect get_openid_login_redirect(provider)
-  end
-
-  # Handle login complete from openid provider.
-  get "/signin/complete" do
-    @openid_consumer ||= OpenID::Consumer.new(session,
-        OpenID::Store::Filesystem.new(File.join(File.dirname(__FILE__), "/tmp/openid")))
-    openid_response = @openid_consumer.complete(params, request.url)
-    case openid_response.status
-    when OpenID::Consumer::FAILURE
-      "Sorry, we could not authenticate you with this identifier. #{openid_response.display_identifier}"
-    when OpenID::Consumer::SETUP_NEEDED then "Immediate request failed - Setup Needed"
-    when OpenID::Consumer::CANCEL then "Login cancelled."
-    when OpenID::Consumer::SUCCESS
-      ax_resp = OpenID::AX::FetchResponse.from_success_response(openid_response)
-      email = ax_resp["http://axschema.org/contact/email"][0]
-      if defined?(PERMITTED_USERS) && !PERMITTED_USERS.empty?
-        unless PERMITTED_USERS.split(",").map(&:strip).include?(email)
-          halt 401, "Your email #{email} is not authorized to login to Barkeep."
-        end
-      end
-      session[:email] = email
-      unless User.find(:email => email)
-        # If there are no admin users yet, make the first user to log in the first admin.
-        permission = User.find(:permission => "admin").nil? ? "admin" : "normal"
-        User.new(:email => email, :name => email, :permission => permission).save
-      end
-      redirect session[:login_started_url] || "/"
-    end
+    redirect authentication_provider::signin_url(request, session)
   end
 
   get "/signout" do
@@ -561,26 +513,6 @@ def ensure_required_params(*required_params)
 
   def logged_in?() current_user && !current_user.demo? end
 
-  # Construct redirect url to google openid.
-  def get_openid_login_redirect(openid_provider_url)
-    @openid_consumer ||= OpenID::Consumer.new(session,
-        OpenID::Store::Filesystem.new(File.join(File.dirname(__FILE__), "/tmp/openid")))
-    begin
-      service = OpenID::OpenIDServiceEndpoint.from_op_endpoint_url(openid_provider_url)
-      oidreq = @openid_consumer.begin_without_discovery(service, false)
-    rescue OpenID::DiscoveryFailure => why
-      "Could not contact #{OPENID_DISCOVERY_ENDPOINT}. #{why}"
-    else
-      ax_request = OpenID::AX::FetchRequest.new
-      # Information we require from the OpenID provider.
-      required_fields = ["http://axschema.org/contact/email"]
-      required_fields.each { |field| ax_request.add(OpenID::AX::AttrInfo.new(field, nil, true)) }
-      oidreq.add_extension(ax_request)
-      host = "#{request.scheme}://#{request.host_with_port}"
-      oidreq.redirect_url(host, "#{host}/signin/complete")
-    end
-  end
-
   def create_comment(repo_name, sha, filename, line_number_string, text)
     commit = MetaRepo.instance.db_commit(repo_name, sha)
     raise "No such commit." unless commit
 
@@ -0,0 +1 @@
+{"web":{"auth_uri":"https://accounts.google.com/o/oauth2/auth","client_secret":"sDBoi9tf0BX_jyhryXKB5HE8","token_uri":"https://accounts.google.com/o/oauth2/token","client_email":"344820527148-b0tdodatsbejl8oo952in70gaep1d87g@developer.gserviceaccount.com","redirect_uris":["http://localhost:8040/oauth2callback"],"client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/344820527148-b0tdodatsbejl8oo952in70gaep1d87g@developer.gserviceaccount.com","client_id":"344820527148-b0tdodatsbejl8oo952in70gaep1d87g.apps.googleusercontent.com","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","javascript_origins":["http://localhost:8040"]}}
@@ -22,14 +22,17 @@
 REDIS_DB = 0
 REDIS_DB_FOR_RESQUE = 1
 
+# Choose authentication protocol, currently only 'openid' is supported.
+AUTHENTICATION_PROTOCOL = "openid"
+
 # A comma-separate list of OpenID provider URLs for signing in your users.
 # If you provide more than one, users will receive a UI allowing to pick which service to use to authenticate.
 # Besides Google, another popular OpenID endpoint is https://me.yahoo.com
 OPENID_PROVIDERS = "https://www.google.com/accounts/o8/ud"
 
 # This is the read-only demo mode which is used in the Barkeep demo linked from getbarkeep.com.
 # Most production deployments will not want to enable the demo mode, but we want it while developing.
-ENABLE_READONLY_DEMO_MODE = true
+# ENABLE_READONLY_DEMO_MODE = true
 
 # If specified, this will be used as the session secret in development mode.
 # This prevents the session being cleared when sinatra reloads changes.
 
@@ -0,0 +1,90 @@
+require "bundler/setup"
+require "environment"
+require "openid"
+require "openid/extensions/ax"
+require "openid/store/filesystem"
+
+# Openid authentication provider. This Modukle is registered with sinatra if AUTHENTICATION_PROVIDERS is set
+# to 'openid', so authentication routes can be hosted here.
+module OpenidProvider
+  OPENID_AX_EMAIL_SCHEMA = "http://axschema.org/contact/email"
+
+  # OPENID_PROVIDERS is a string env variable. It's a comma-separated list of OpenID providers.
+  OPENID_PROVIDERS_ARRAY = OPENID_PROVIDERS.split(",")
+
+  # Construct redirect url to google openid.
+  def self.get_openid_login_redirect(openid_provider_url, request, session)
+    @openid_consumer ||= OpenID::Consumer.new(session,
+        OpenID::Store::Filesystem.new(File.join(File.dirname(__FILE__), "/tmp/openid")))
+    begin
+      service = OpenID::OpenIDServiceEndpoint.from_op_endpoint_url(openid_provider_url)
+      oidreq = @openid_consumer.begin_without_discovery(service, false)
+    rescue OpenID::DiscoveryFailure => why
+      "Could not contact #{OPENID_DISCOVERY_ENDPOINT}. #{why}"
+    else
+      ax_request = OpenID::AX::FetchRequest.new
+      # Information we require from the OpenID provider.
+      required_fields = ["http://axschema.org/contact/email"]
+      required_fields.each { |field| ax_request.add(OpenID::AX::AttrInfo.new(field, nil, true)) }
+      oidreq.add_extension(ax_request)
+      host = "#{request.scheme}://#{request.host_with_port}"
+      oidreq.redirect_url(host, "#{host}/signin/complete")
+    end
+  end
+
+  # Entry point for user signin. The user will be redirected to this url to start authentication. This
+  # provider is expected set session[:login_started_url] with the user's email set inside session[:email] when
+  # signin is complete, or show an error if signin fails.
+  def self.signin_url(request, session)
+    if OPENID_PROVIDERS_ARRAY.size == 1
+      get_openid_login_redirect(OPENID_PROVIDERS_ARRAY.first, request, session)
+    else
+      "/signin/select_openid_provider"
+    end
+  end
+
+  # Routes for authentication are defined here, and will be processed by Sinatra when this module is
+  # registered.
+  def self.registered(app)
+    # Users navigate to here from select_openid_provider.
+    # - provider_id: an integer indicating which provider from OPENID_PROVIDERS_ARRAY to use for authentication.
+    app.get "/signin/signin_using_openid_provider" do
+      provider = OPENID_PROVIDERS_ARRAY[params[:provider_id].to_i]
+      halt 400, "OpenID provider not found." unless provider
+      redirect OpenidProvider.get_openid_login_redirect(provider, request, session)
+    end
+
+    app.get "/signin/select_openid_provider" do
+      erb :select_openid_provider, :locals => { :openid_providers => OPENID_PROVIDERS_ARRAY }
+    end
+
+    # Handle login complete from openid provider.
+    app.get "/signin/complete" do
+      @openid_consumer ||= OpenID::Consumer.new(session,
+                                                OpenID::Store::Filesystem.new(
+                                                  File.join(File.dirname(__FILE__), "/tmp/openid")))
+      openid_response = @openid_consumer.complete(params, request.url)
+      case openid_response.status
+      when OpenID::Consumer::FAILURE
+        "Sorry, we could not authenticate you with this identifier. #{openid_response.display_identifier}"
+      when OpenID::Consumer::SETUP_NEEDED then "Immediate request failed - Setup Needed"
+      when OpenID::Consumer::CANCEL then "Login cancelled."
+      when OpenID::Consumer::SUCCESS
+        ax_resp = OpenID::AX::FetchResponse.from_success_response(openid_response)
+        email = ax_resp["http://axschema.org/contact/email"][0]
+        if defined?(PERMITTED_USERS) && !PERMITTED_USERS.empty?
+          unless PERMITTED_USERS.split(",").map(&:strip).include?(email)
+            halt 401, "Your email #{email} is not authorized to login to Barkeep."
+          end
+        end
+        session[:email] = email
+        unless User.find(:email => email)
+          # If there are no admin users yet, make the first user to log in the first admin.
+          permission = User.find(:permission => "admin").nil? ? "admin" : "normal"
+          User.new(:email => email, :name => email, :permission => permission).save
+        end
+        redirect session[:login_started_url] || "/"
+      end
+    end
+  end
+end
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+{"web":{"auth_uri":"https://accounts.google.com/o/oauth2/auth","client_secret":"sDBoi9tf0BX_jyhryXKB5HE8","token_uri":"https://accounts.google.com/o/oauth2/token","client_email":"344820527148-b0tdodatsbejl8oo952in70gaep1d87g@developer.gserviceaccount.com","redirect_uris":["http://localhost:8040/oauth2callback"],"client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/344820527148-b0tdodatsbejl8oo952in70gaep1d87g@developer.gserviceaccount.com","client_id":"344820527148-b0tdodatsbejl8oo952in70gaep1d87g.apps.googleusercontent.com","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","javascript_origins":["http://localhost:8040"]}}