Add OAuth2 authentication support (#5253)

* feat(mg-gateway): add OAuth2 authentication support

- Add OAuth2 authentication configuration to GatewayConfiguration
- Implement OAuth2Authentication
- Update `SecurityFilter` and `UserRestful` to process OAuth2 request

Signed-off-by: kazutoiris <[email protected]>

* feat(mg-gateway): add OAuth configuration

- Add OAuth-related properties to `linkis-mg-gateway.properties`
- Include support for GitHub OAuth as an example

Signed-off-by: kazutoiris <[email protected]>

* style: reformat code

Signed-off-by: kazutoiris <[email protected]>

* feat(mg-gateway): add OAuth in frontend

- Add OAuth login option to the login page
- Implement OAuth callback route and component
- Add translations for OAuth login text

Signed-off-by: kazutoiris <[email protected]>

* docs: add OAuth authentication documentation

---------

Signed-off-by: kazutoiris <[email protected]>

Author: kazutoiris

docs/configuration/linkis-gateway-core.md

@@ -36,3 +36,11 @@
 |linkis-gateway-core|wds.linkis.gateway.this.schema|   | gateway.this.schema|
 |linkis-gateway-core|wds.linkis.web.enable.water.mark|true| web.enable.water.mark|
 |linkis-gateway-core|wds.linkis.entrance.name|   |linkis.entrance.name|
+|linkis-gateway-core|wds.linkis.gateway.conf.enable.oauth.auth| false  |wds.linkis.gateway.conf.enable.oauth.auth|
+|linkis-gateway-core|wds.linkis.gateway.auth.oauth.authentication.url|  |wds.linkis.gateway.auth.oauth.authentication.url|
+|linkis-gateway-core|wds.linkis.gateway.auth.oauth.exchange.url|  |wds.linkis.gateway.auth.oauth.exchange.url|
+|linkis-gateway-core|wds.linkis.gateway.auth.oauth.validate.url|  |wds.linkis.gateway.auth.oauth.validate.url|
+|linkis-gateway-core|wds.linkis.gateway.auth.oauth.validate.field|  |wds.linkis.gateway.auth.oauth.validate.field|
+|linkis-gateway-core|wds.linkis.gateway.auth.oauth.client.id|  |wds.linkis.gateway.auth.oauth.client.id|
+|linkis-gateway-core|wds.linkis.gateway.auth.oauth.client.secret|  |wds.linkis.gateway.auth.oauth.client.secret|
+|linkis-gateway-core|wds.linkis.gateway.auth.oauth.scope|  |wds.linkis.gateway.auth.oauth.scope|

linkis-dist/package/conf/linkis-mg-gateway.properties

@@ -30,6 +30,15 @@ wds.linkis.ldap.proxy.baseDN=
 wds.linkis.ldap.proxy.userNameFormat=
 wds.linkis.admin.user=hadoop
 #wds.linkis.admin.password=
+##OAuth
+wds.linkis.oauth.enable=false
+wds.linkis.oauth.url=https://github.com/login/oauth/authorize
+wds.linkis.gateway.auth.oauth.exchange.url=https://github.com/login/oauth/access_token
+wds.linkis.gateway.auth.oauth.validate.url=https://api.github.com/user
+wds.linkis.gateway.auth.oauth.validate.field=login
+wds.linkis.gateway.auth.oauth.client.id=YOUR_CLIENT_ID
+wds.linkis.gateway.auth.oauth.client.secret=YOUR_CLIENT_SECRET
+wds.linkis.gateway.auth.oauth.scope=user
 ##Spring
 spring.server.port=9001
 

linkis-spring-cloud-services/linkis-service-gateway/linkis-gateway-core/src/main/scala/org/apache/linkis/gateway/config/GatewayConfiguration.scala

@@ -42,6 +42,15 @@ object GatewayConfiguration {
   val TOKEN_AUTHENTICATION_SCAN_INTERVAL =
     CommonVars("wds.linkis.gateway.conf.token.auth.scan.interval", 1000 * 60 * 10)
 
+  val ENABLE_OAUTH_AUTHENTICATION = CommonVars("wds.linkis.gateway.conf.enable.oauth.auth", false)
+  val OAUTH_AUTHENTICATION_URL = CommonVars("wds.linkis.gateway.auth.oauth.authentication.url", "")
+  val OAUTH_EXCHANGE_URL = CommonVars("wds.linkis.gateway.auth.oauth.exchange.url", "")
+  val OAUTH_VALIDATE_URL = CommonVars("wds.linkis.gateway.auth.oauth.validate.url", "")
+  val OAUTH_VALIDATE_FIELD = CommonVars("wds.linkis.gateway.auth.oauth.validate.field", "")
+  val OAUTH_CLIENT_ID = CommonVars("wds.linkis.gateway.auth.oauth.client.id", "")
+  val OAUTH_CLIENT_SECRET = CommonVars("wds.linkis.gateway.auth.oauth.client.secret", "")
+  val OAUTH_SCOPE = CommonVars("wds.linkis.gateway.auth.oauth.scope", "")
+
   val PASS_AUTH_REQUEST_URI =
     CommonVars("wds.linkis.gateway.conf.url.pass.auth", "/dws/").getValue.split(",")
 

linkis-spring-cloud-services/linkis-service-gateway/linkis-gateway-core/src/main/scala/org/apache/linkis/gateway/security/SecurityFilter.scala

@@ -23,6 +23,7 @@ import org.apache.linkis.common.utils.{Logging, Utils}
 import org.apache.linkis.gateway.config.GatewayConfiguration
 import org.apache.linkis.gateway.config.GatewayConfiguration._
 import org.apache.linkis.gateway.http.GatewayContext
+import org.apache.linkis.gateway.security.oauth.OAuth2Authentication
 import org.apache.linkis.gateway.security.sso.SSOInterceptor
 import org.apache.linkis.gateway.security.token.TokenAuthentication
 import org.apache.linkis.server.{validateFailed, Message}
@@ -127,6 +128,8 @@ object SecurityFilter extends Logging {
       logger.info("No login needed for proxy uri: " + gatewayContext.getRequest.getRequestURI)
     } else if (TokenAuthentication.isTokenRequest(gatewayContext)) {
       TokenAuthentication.tokenAuth(gatewayContext)
+    } else if (OAuth2Authentication.isOAuth2Request(gatewayContext)) {
+      OAuth2Authentication.OAuth2Entry(gatewayContext)
     } else {
       val userName = Utils.tryCatch(GatewaySSOUtils.getLoginUser(gatewayContext)) {
         case n @ (_: NonLoginException | _: LoginExpireException) =>

linkis-spring-cloud-services/linkis-service-gateway/linkis-gateway-core/src/main/scala/org/apache/linkis/gateway/security/UserRestful.scala

@@ -20,6 +20,7 @@ package org.apache.linkis.gateway.security
 import org.apache.linkis.common.utils.{Logging, RSAUtils, Utils}
 import org.apache.linkis.gateway.config.GatewayConfiguration
 import org.apache.linkis.gateway.http.GatewayContext
+import org.apache.linkis.gateway.security.oauth.OAuth2Authentication
 import org.apache.linkis.gateway.security.sso.SSOInterceptor
 import org.apache.linkis.gateway.security.token.TokenAuthentication
 import org.apache.linkis.protocol.usercontrol.{
@@ -87,6 +88,20 @@ abstract class AbstractUserRestful extends UserRestful with Logging {
           TokenAuthentication.tokenAuth(gatewayContext, true)
           return
         }
+      case "oauth-login" =>
+        Utils.tryCatch {
+          val loginUser = GatewaySSOUtils.getLoginUsername(gatewayContext)
+          Message
+            .ok(loginUser + " already logged in, please log out before signing in(已经登录，请先退出再进行登录)！")
+            .data("userName", loginUser)
+        }(_ => {
+          OAuth2Authentication.OAuth2Auth(gatewayContext, true)
+          return
+        })
+      case "oauth-redirect" => {
+        OAuth2Authentication.OAuth2Redirect(gatewayContext)
+        return
+      }
       case "logout" => logout(gatewayContext)
       case "userInfo" => userInfo(gatewayContext)
       case "publicKey" => publicKey(gatewayContext)