Merge pull request #268 from seth-shi/feature/oauth-login

feat: 添加OAuth2.0认证支持

Author: heqingpan

Cargo.toml

@@ -124,6 +124,7 @@ ldap3 = { version="0.11", default-features = false, features = ["tls-rustls"] }
 reqwest = {version="0.11", default-features = false, features = ["stream", "rustls-tls", "json"]}
 rand = "0.8"
 serde_yml = "0.0.12"
+oauth2 = "4.4"
 
 [target.'cfg(any(target_os = "linux", target_os = "macos", target_os="windows"))'.dependencies]
 fs2 = "0.4.3"

README.md

@@ -207,6 +207,18 @@ helm install r-nacos rnacos/rnacos
 |RNACOS_LDAP_USER_ADMIN_GROUP|LDAP管理员角色包含的用户组(多个用逗号分隔，用户只要包含一个就是管理员)|空集合|admin_group1,admin_group2|0.6.19|
 |RNACOS_LDAP_USER_DEFAULT_ROLE|LDAP用户默认角色,支持的值有：访客:VISITOR,开发者:DEVELOPER,管理员:ADMIN|VISITOR|DEVELOPER|0.6.19|
 |RNACOS_MCP_HTTP_TIMEOUT_SECOND|MCP服务HTTP请求超时时间，单位为秒|30|60|0.7.3|
+|RNACOS_OAUTH2_ENABLE|是否启用OAuth2.0认证|false|true|x|
+|RNACOS_OAUTH2_CLIENT_ID|OAuth2.0客户端ID|空字符串|your_client_id|x|
+|RNACOS_OAUTH2_CLIENT_SECRET|OAuth2.0客户端密钥|空字符串|your_client_secret|x|
+|RNACOS_OAUTH2_REDIRECT_URI|OAuth2.0回调完整URI(只修改域名部分即可)|空字符串|http://localhost:10848/rnacos/p/login|x|
+|RNACOS_OAUTH2_AUTHORIZATION_URL|OAuth2.0授权端点完整URL|空字符串|https://oauth.example.com/oauth/authorize|x|
+|RNACOS_OAUTH2_TOKEN_URL|OAuth2.0 Token端点完整URL|空字符串|https://oauth.example.com/oauth/token|x|
+|RNACOS_OAUTH2_USERINFO_URL|OAuth2.0用户信息端点完整URL|空字符串|https://oauth.example.com/oauth/userinfo|x|
+|RNACOS_OAUTH2_SCOPES|OAuth2.0请求的权限范围|openid profile|openid profile email|x|
+|RNACOS_OAUTH2_USERNAME_CLAIM_NAME|OAuth2.0用户名claim字段名|username|username|x|
+|RNACOS_OAUTH2_NICKNAME_CLAIM_NAME|OAuth2.0昵称claim字段名|name|name|x|
+|RNACOS_OAUTH2_USER_DEFAULT_ROLE|OAuth2.0用户默认角色,支持的值有：访客:VISITOR,开发者:DEVELOPER,管理员:ADMIN|DEVELOPER|VISITOR|x|
+|RNACOS_OAUTH2_BUTTON|OAuth2.0登录按钮显示文本|OAuth2.0 登录|OAuth2.0 登录|x|
 
 启动配置方式可以参考： [运行参数说明](https://r-nacos.github.io/docs/notes/env_config/)
 
@@ -437,6 +449,8 @@ nacos_rust_client = "0.3.0"
 1. 支持管理用户列表
 2. 支持用户角色权限管理
 3. 支持用户密码重置
+4. 支持LDAP认证登录
+5. 支持OAuth2.0认证登录
 
 命名空间：
 

src/common/appdata.rs

@@ -10,6 +10,7 @@ use crate::namespace::NamespaceActor;
 use crate::naming::cluster::node_manage::{InnerNodeManage, NodeManage};
 use crate::naming::cluster::route::NamingRoute;
 use crate::naming::core::NamingActor;
+use crate::oauth2::core::OAuth2Manager;
 use crate::raft::cache::route::CacheRoute;
 use crate::raft::cache::CacheManager;
 use crate::raft::cluster::route::{ConfigRoute, RaftRequestRoute};
@@ -54,6 +55,7 @@ pub struct AppShareData {
     pub transfer_import_manager: Addr<TransferImportManager>,
     pub health_manager: Addr<HealthManager>,
     pub ldap_manager: Addr<LdapManager>,
+    pub oauth2_manager: Addr<OAuth2Manager>,
     pub sequence_db_manager: Addr<SequenceDbManager>,
     pub sequence_manager: Addr<SequenceManager>,
     pub mcp_manager: Addr<McpManager>,

src/common/mod.rs

@@ -1,5 +1,6 @@
 use crate::common::string_utils::StringUtils;
 use crate::ldap::model::LdapConfig;
+use crate::oauth2::model::OAuth2Config;
 use crate::user::permission;
 use crate::user::permission::UserRoleHelper;
 use std::collections::HashSet;
@@ -103,6 +104,19 @@ pub struct AppSysConfig {
     pub ldap_user_admin_groups: Arc<HashSet<String>>,
     pub ldap_user_default_role: Arc<String>,
     pub mcp_http_timeout: u64,
+    pub oauth2_enable: bool,
+    pub oauth2_server_url: Arc<String>,
+    pub oauth2_client_id: Arc<String>,
+    pub oauth2_client_secret: Arc<String>,
+    pub oauth2_authorization_url: Arc<String>,
+    pub oauth2_token_url: Arc<String>,
+    pub oauth2_userinfo_url: Arc<String>,
+    pub oauth2_redirect_uri: Arc<String>,
+    pub oauth2_scopes: Arc<String>,
+    pub oauth2_username_claim_name: Arc<String>,
+    pub oauth2_nickname_claim_name: Arc<String>,
+    pub oauth2_user_default_role: Arc<String>,
+    pub oauth2_button: Arc<String>,
 }
 
 impl AppSysConfig {
@@ -265,6 +279,62 @@ impl AppSysConfig {
             .unwrap_or("30".to_owned())
             .parse()
             .unwrap_or(30);
+        let oauth2_enable = std::env::var("RNACOS_OAUTH2_ENABLE")
+            .unwrap_or("false".to_owned())
+            .parse()
+            .unwrap_or(false);
+        let oauth2_server_url = std::env::var("RNACOS_OAUTH2_SERVER_URL")
+            .map(Arc::new)
+            .unwrap_or(constant::EMPTY_ARC_STRING.clone());
+        let oauth2_client_id = std::env::var("RNACOS_OAUTH2_CLIENT_ID")
+            .map(Arc::new)
+            .unwrap_or(constant::EMPTY_ARC_STRING.clone());
+        let oauth2_client_secret = std::env::var("RNACOS_OAUTH2_CLIENT_SECRET")
+            .map(Arc::new)
+            .unwrap_or(constant::EMPTY_ARC_STRING.clone());
+        // OAuth2 endpoints should be full URLs
+        let oauth2_authorization_url = std::env::var("RNACOS_OAUTH2_AUTHORIZATION_URL")
+            .map(Arc::new)
+            .unwrap_or_else(|_| {
+                let server_url = std::env::var("RNACOS_OAUTH2_SERVER_URL")
+                    .unwrap_or_default();
+                Arc::new(format!("{}/oauth/authorize", server_url))
+            });
+        let oauth2_token_url = std::env::var("RNACOS_OAUTH2_TOKEN_URL")
+            .map(Arc::new)
+            .unwrap_or_else(|_| {
+                let server_url = std::env::var("RNACOS_OAUTH2_SERVER_URL")
+                    .unwrap_or_default();
+                Arc::new(format!("{}/oauth/token", server_url))
+            });
+        let oauth2_userinfo_url = std::env::var("RNACOS_OAUTH2_USERINFO_URL")
+            .map(Arc::new)
+            .unwrap_or_else(|_| {
+                let server_url = std::env::var("RNACOS_OAUTH2_SERVER_URL")
+                    .unwrap_or_default();
+                Arc::new(format!("{}/oauth/userinfo", server_url))
+            });
+        let oauth2_redirect_uri = std::env::var("RNACOS_OAUTH2_REDIRECT_URI")
+            .map(Arc::new)
+            .unwrap_or(constant::EMPTY_ARC_STRING.clone());
+        let oauth2_scopes = std::env::var("RNACOS_OAUTH2_SCOPES")
+            .map(Arc::new)
+            .unwrap_or_else(|_| Arc::new("openid profile".to_string()));
+        let oauth2_username_claim_name = std::env::var("RNACOS_OAUTH2_USERNAME_CLAIM_NAME")
+            .map(Arc::new)
+            .unwrap_or_else(|_| Arc::new("username".to_string()));
+        let oauth2_nickname_claim_name = std::env::var("RNACOS_OAUTH2_NICKNAME_CLAIM_NAME")
+            .map(Arc::new)
+            .unwrap_or_else(|_| Arc::new("name".to_string()));
+        let oauth2_user_default_role = std::env::var("RNACOS_OAUTH2_USER_DEFAULT_ROLE")
+            .map(|v| {
+                let upper = v.to_uppercase();
+                UserRoleHelper::get_role_by_name(&upper, permission::USER_ROLE_DEVELOPER.clone())
+            })
+            .unwrap_or(permission::USER_ROLE_DEVELOPER.clone());
+        let oauth2_button = std::env::var("RNACOS_OAUTH2_BUTTON")
+            .map(Arc::new)
+            .unwrap_or_else(|_| Arc::new("OAuth2.0 登录".to_string()));
         Self {
             local_db_dir,
             config_db_file,
@@ -305,6 +375,19 @@ impl AppSysConfig {
             ldap_user_admin_groups,
             ldap_user_default_role,
             mcp_http_timeout,
+            oauth2_enable,
+            oauth2_server_url,
+            oauth2_client_id,
+            oauth2_client_secret,
+            oauth2_authorization_url,
+            oauth2_token_url,
+            oauth2_userinfo_url,
+            oauth2_redirect_uri,
+            oauth2_scopes,
+            oauth2_username_claim_name,
+            oauth2_nickname_claim_name,
+            oauth2_user_default_role,
+            oauth2_button,
         }
     }
 
@@ -352,6 +435,22 @@ impl AppSysConfig {
             ldap_user_default_role: self.ldap_user_default_role.clone(),
         })
     }
+
+    pub fn get_oauth2_config(&self) -> Arc<OAuth2Config> {
+        Arc::new(OAuth2Config {
+            oauth2_server_url: self.oauth2_server_url.clone(),
+            oauth2_client_id: self.oauth2_client_id.clone(),
+            oauth2_client_secret: self.oauth2_client_secret.clone(),
+            oauth2_authorization_url: self.oauth2_authorization_url.clone(),
+            oauth2_token_url: self.oauth2_token_url.clone(),
+            oauth2_userinfo_url: self.oauth2_userinfo_url.clone(),
+            oauth2_redirect_uri: self.oauth2_redirect_uri.clone(),
+            oauth2_scopes: self.oauth2_scopes.clone(),
+            oauth2_username_claim_name: self.oauth2_username_claim_name.clone(),
+            oauth2_nickname_claim_name: self.oauth2_nickname_claim_name.clone(),
+            oauth2_user_default_role: self.oauth2_user_default_role.clone(),
+        })
+    }
 }
 
 /**

src/console/api.rs

@@ -224,6 +224,8 @@ pub fn console_api_config_v2(config: &mut web::ServiceConfig) {
                 web::resource("/login/captcha").route(web::get().to(v2::login_api::gen_captcha)),
             )
             .service(web::resource("/login/logout").route(web::post().to(v2::login_api::logout)))
+            .service(web::resource("/login/config").route(web::get().to(login_api::get_login_config)))
+            .service(web::resource("/login/oauth2/login").route(web::post().to(v2::login_api::oauth2_callback)))
             .service(web::resource("/user/info").route(web::get().to(v2::user_api::get_user_info)))
             .service(
                 web::resource("/user/list").route(web::get().to(v2::user_api::get_user_page_list)),

src/console/login_api.rs

@@ -1,9 +1,11 @@
 use std::collections::HashMap;
 use std::sync::Arc;
 
-use super::model::login_model::{LoginParam, LoginToken};
+use super::model::login_model::{LoginConfig, LoginParam, LoginToken};
 use crate::ldap::model::actor_model::{LdapMsgReq, LdapMsgResult};
 use crate::ldap::model::LdapUserParam;
+use crate::oauth2::model::actor_model::{OAuth2MsgReq, OAuth2MsgResult};
+use crate::oauth2::model::OAuth2UserParam;
 use crate::{
     common::{
         appdata::AppShareData,
@@ -17,12 +19,13 @@ use crate::{
     },
     user::{UserManagerReq, UserManagerResult},
 };
-use actix_web::http::header;
+use actix_web::http::{header, StatusCode};
 use actix_web::{
     cookie::Cookie,
     web::{self, Data},
     HttpRequest, HttpResponse, Responder,
 };
+use serde::Deserialize;
 use captcha::filters::{Grid, Noise};
 use captcha::Captcha;
 
@@ -82,7 +85,10 @@ pub async fn login(
                 }));
             }
         }
-        if !app.sys_config.ldap_enable && session.is_none() {
+        if !app.sys_config.ldap_enable
+            && !app.sys_config.oauth2_enable
+            && session.is_none()
+        {
             return HttpResponse::Ok().json(ApiResult::<()>::error(error_code, None));
         }
     } else {
@@ -107,6 +113,112 @@ pub async fn login(
     HttpResponse::Ok().json(ApiResult::<()>::error(error_code, None))
 }
 
+#[derive(Deserialize)]
+pub struct OAuth2CallbackQuery {
+    code: String,
+    state: Option<String>,
+}
+
+pub async fn oauth2_callback(
+    _request: HttpRequest,
+    app: Data<Arc<AppShareData>>,
+    param: web::Json<OAuth2CallbackQuery>,
+) -> HttpResponse {
+    if !app.sys_config.oauth2_enable {
+        return HttpResponse::Ok()
+            .status(StatusCode::NOT_FOUND)
+            .json(ApiResult::<()>::error(
+                "OAUTH2_NOT_ENABLED".to_owned(),
+                None,
+            ));
+    }
+
+    let limit_key = Arc::new(format!("USER_L#oauth2"));
+    if let Some(value) = login_limit(&app, &limit_key).await {
+        return value;
+    }
+
+    let res = app
+        .oauth2_manager
+        .send(OAuth2MsgReq::Authenticate(OAuth2UserParam {
+            code: param.code.clone(),
+            state: param.state.clone(),
+        }))
+        .await;
+
+    let session = match res {
+        Ok(Ok(OAuth2MsgResult::UserMeta(meta))) => {
+            Some(Arc::new(UserSession {
+                username: Arc::new(meta.user_name.clone()),
+                nickname: Some(meta.user_name),
+                roles: vec![meta.role],
+                namespace_privilege: meta.namespace_privilege,
+                extend_infos: HashMap::default(),
+                refresh_time: now_second_i32() as u32,
+            }))
+        }
+        Ok(Ok(OAuth2MsgResult::None)) => None,
+        Ok(Ok(OAuth2MsgResult::AuthorizeUrl(_))) => {
+            // This should not happen in callback
+            return HttpResponse::Ok().json(ApiResult::<()>::error(
+                "OAUTH2_AUTH_ERROR".to_owned(),
+                Some("Unexpected response type".to_owned()),
+            ));
+        }
+        Ok(Err(e)) => {
+            log::error!("OAuth2 authentication error: {}", e);
+            return HttpResponse::Ok().json(ApiResult::<()>::error(
+                "OAUTH2_AUTH_ERROR".to_owned(),
+                Some(e.to_string()),
+            ));
+        }
+        Err(e) => {
+            log::error!("OAuth2 manager error: {}", e);
+            return HttpResponse::Ok().json(ApiResult::<()>::error(
+                "SYSTEM_ERROR".to_owned(),
+                Some(e.to_string()),
+            ));
+        }
+    };
+
+    if let Some(session) = session {
+        if let Some(value) = apply_session(app, limit_key, session) {
+            return value;
+        }
+    }
+
+    HttpResponse::Ok().json(ApiResult::<()>::error(
+        "OAUTH2_AUTH_ERROR".to_owned(),
+        None,
+    ))
+}
+
+pub async fn get_login_config(app: Data<Arc<AppShareData>>) -> actix_web::Result<impl Responder> {
+    let mut oauth2_button = None;
+    let mut oauth2_authorize_url = None;
+
+    if app.sys_config.oauth2_enable && !app.sys_config.oauth2_button.is_empty() {
+        oauth2_button = Some(app.sys_config.oauth2_button.as_ref().clone());
+        
+        // Generate OAuth2 authorize URL
+        let res = app
+            .oauth2_manager
+            .send(OAuth2MsgReq::GetAuthorizeUrl)
+            .await;
+
+        if let Ok(Ok(OAuth2MsgResult::AuthorizeUrl(auth_url))) = res {
+            oauth2_authorize_url = Some(auth_url);
+        }
+    }
+
+    let config = LoginConfig {
+        oauth2_enable: app.sys_config.oauth2_enable,
+        oauth2_button,
+        oauth2_authorize_url,
+    };
+    Ok(HttpResponse::Ok().json(ApiResult::success(Some(config))))
+}
+
 fn apply_session(
     app: Data<Arc<AppShareData>>,
     limit_key: Arc<String>,

src/console/middle/login_middle.rs

@@ -25,6 +25,7 @@ lazy_static::lazy_static! {
         "/rnacos/p/login", "/rnacos/404",
         "/rnacos/api/console/login/login", "/rnacos/api/console/login/captcha",
         "/rnacos/api/console/v2/login/login", "/rnacos/api/console/v2/login/captcha",
+        "/rnacos/api/console/v2/login/config", "/rnacos/api/console/v2/login/oauth2/login",
     ];
     pub static ref STATIC_FILE_PATH: Regex= Regex::new(r"(?i).*\.(js|css|png|jpg|jpeg|bmp|svg)").unwrap();
     pub static ref API_PATH: Regex = Regex::new(r"(?i)/(api|nacos)/.*").unwrap();

src/console/model/login_model.rs

@@ -14,3 +14,11 @@ pub struct LoginParam {
 pub struct LoginToken {
     pub token: String,
 }
+
+#[derive(Debug, Default, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct LoginConfig {
+    pub oauth2_enable: bool,
+    pub oauth2_button: Option<String>,
+    pub oauth2_authorize_url: Option<String>,
+}

src/console/v2/login_api.rs

@@ -1 +1 @@
-pub use crate::console::login_api::{gen_captcha, login, logout};
+pub use crate::console::login_api::{gen_captcha, get_login_config, login, logout, oauth2_callback};

src/lib.rs

@@ -17,6 +17,7 @@ pub mod transfer;
 
 pub mod ldap;
 pub mod mcp;
+pub mod oauth2;
 pub mod sequence;
 
 pub use inner_mem_cache::TimeoutSet;