Add per-domain OAuth (Google, GitHub) provider support

api/src/main/java/org/apache/cloudstack/auth/UserOAuth2Authenticator.java

@@ -42,8 +42,19 @@ public interface UserOAuth2Authenticator extends Adapter {
      * Verifies the code provided by provider and fetches email
      * @return returns email
      */
-    String verifyCodeAndFetchEmail(String secretCode);
+    String verifySecretCodeAndFetchEmail(String secretCode);
 
+    /**
+     * Verifies if the logged in user is valid for a specific domain
+     * @return true if it's a valid user, otherwise false
+     */
+    boolean verifyUser(String email, String secretCode, Long domainId);
+
+    /**
+     * Verifies the secret code provided by provider and fetches email for a specific domain
+     * @return email for the specified domain
+     */
+    String verifySecretCodeAndFetchEmail(String secretCode, Long domainId);
 
     /**
      * Fetches email using the accessToken

engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql

@@ -19,6 +19,12 @@
 -- Schema upgrade from 4.22.1.0 to 4.23.0.0
 --;
 
+CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.oauth_provider', 'domain_id', 'bigint unsigned DEFAULT NULL COMMENT "NULL for global provider, domain ID for domain-specific" AFTER `redirect_uri`');
+CALL `cloud`.`IDEMPOTENT_ADD_FOREIGN_KEY`('cloud.oauth_provider', 'fk_oauth_provider__domain_id', '(`domain_id`)', '`domain`(`id`)');
+CALL `cloud`.`IDEMPOTENT_ADD_KEY`('i_oauth_provider__domain_id', 'cloud.oauth_provider', '(`domain_id`)');
+
+CALL `cloud`.`IDEMPOTENT_ADD_UNIQUE_KEY`('cloud.oauth_provider', 'uk_oauth_provider__provider_domain', '(`provider`, `domain_id`)');
+
 CREATE TABLE `cloud`.`backup_offering_details` (
     `id` bigint unsigned NOT NULL auto_increment,
     `backup_offering_id` bigint unsigned NOT NULL COMMENT 'Backup offering id',

framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java

@@ -269,6 +269,17 @@ public String toString() {
 
     private String _defaultValueIfEmpty = null;
 
+    private boolean _strictScope = false;
+
+    public boolean isStrictScope() {
+        return _strictScope;
+    }
+
+    public ConfigKey<T> withStrictScope() {
+        this._strictScope = true;
+        return this;
+    }
+
     public static void init(ConfigDepotImpl depot) {
         s_depot = depot;
     }
@@ -421,11 +432,18 @@ protected T valueInGlobalOrAvailableParentScope(Scope scope, Long id) {
     }
 
     public T valueInScope(Scope scope, Long id) {
+        return valueInScope(scope, id, false);
+    }
+
+    public T valueInScope(Scope scope, Long id, boolean strictScope) {
         if (id == null) {
-            return value();
+            return strictScope ? null : value();
         }
         String value = s_depot != null ? s_depot.getConfigStringValue(_name, scope, id) : null;
         if (value == null) {
+            if (strictScope) {
+                return null;
+            }
             return valueInGlobalOrAvailableParentScope(scope, id);
         }
         logger.trace("Scope({}) value for config ({}): {}", scope, _name, _value);

plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/OAuth2AuthManager.java

@@ -18,6 +18,7 @@
 //
 package org.apache.cloudstack.oauth2;
 
+import com.cloud.domain.Domain;
 import com.cloud.utils.component.PluggableService;
 import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
 import org.apache.cloudstack.auth.UserOAuth2Authenticator;
@@ -27,10 +28,15 @@
 import org.apache.cloudstack.oauth2.vo.OauthProviderVO;
 
 import java.util.List;
+import java.util.Map;
 
 public interface OAuth2AuthManager extends PluggableAPIAuthenticator, PluggableService {
+    String GLOBAL_DOMAIN_FILTER = "-1";
+    Long GLOBAL_DOMAIN_ID = -1L;
+
     public static ConfigKey<Boolean> OAuth2IsPluginEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class, "oauth2.enabled", "false",
-            "Indicates whether OAuth plugin is enabled or not", false);
+            "Indicates whether OAuth plugin is enabled or not. This can be configured at domain level.", true, ConfigKey.Scope.Domain)
+            .withStrictScope();
     public static final ConfigKey<String> OAuth2Plugins = new ConfigKey<String>("Advanced", String.class, "oauth2.plugins", "google,github",
             "List of OAuth plugins", true);
     public static final ConfigKey<String> OAuth2PluginsExclude = new ConfigKey<String>("Advanced", String.class, "oauth2.plugins.exclude", "",
@@ -49,13 +55,30 @@ public interface OAuth2AuthManager extends PluggableAPIAuthenticator, PluggableS
      */
     UserOAuth2Authenticator getUserOAuth2AuthenticationProvider(final String providerName);
 
-    String verifyCodeAndFetchEmail(String code, String provider);
+    String verifySecretCodeAndFetchEmail(String code, String provider, Long domainId);
 
     OauthProviderVO registerOauthProvider(RegisterOAuthProviderCmd cmd);
 
-    List<OauthProviderVO> listOauthProviders(String provider, String uuid);
+    List<OauthProviderVO> listOauthProviders(String provider, String uuid, Long domainId);
 
     boolean deleteOauthProvider(Long id);
 
     OauthProviderVO updateOauthProvider(UpdateOAuthProviderCmd cmd);
+
+    Long resolveDomainId(Map<String, Object[]> params);
+
+    /**
+     * Resolves whether the OAuth plugin is enabled for the given domain scope.
+     * A null domain or the ROOT domain is treated as the global scope, since the
+     * ROOT domain has no domain-level override and inherits the global value;
+     * any other domain is checked strictly at its own domain scope (no inheritance).
+     * @param domainId domain id, or null for global
+     * @return true if OAuth is enabled for that scope
+     */
+    static boolean isPluginEnabledForDomain(Long domainId) {
+        if (domainId == null || domainId == Domain.ROOT_DOMAIN) {
+            return Boolean.TRUE.equals(OAuth2IsPluginEnabled.value());
+        }
+        return Boolean.TRUE.equals(OAuth2IsPluginEnabled.valueInScope(ConfigKey.Scope.Domain, domainId, true));
+    }
 }

plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/OAuth2AuthManagerImpl.java

@@ -18,10 +18,13 @@
 //
 package org.apache.cloudstack.oauth2;
 
+import com.cloud.domain.Domain;
+import com.cloud.user.DomainService;
 import com.cloud.user.dao.UserDao;
 import com.cloud.utils.component.Manager;
 import com.cloud.utils.component.ManagerBase;
 import com.cloud.utils.exception.CloudRuntimeException;
+import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.auth.UserOAuth2Authenticator;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.config.Configurable;
@@ -35,12 +38,15 @@
 import org.apache.cloudstack.oauth2.vo.OauthProviderVO;
 import org.apache.commons.lang3.StringUtils;
 
+import org.apache.commons.lang3.ArrayUtils;
+
 import javax.inject.Inject;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 public class OAuth2AuthManagerImpl extends ManagerBase implements OAuth2AuthManager, Manager, Configurable {
     @Inject
@@ -49,6 +55,9 @@ public class OAuth2AuthManagerImpl extends ManagerBase implements OAuth2AuthMana
     @Inject
     protected OauthProviderDao _oauthProviderDao;
 
+    @Inject
+    private DomainService _domainService;
+
     protected static Map<String, UserOAuth2Authenticator> userOAuth2AuthenticationProvidersMap = new HashMap<>();
 
     private List<UserOAuth2Authenticator> userOAuth2AuthenticationProviders;
@@ -64,17 +73,13 @@ public List<Class<?>> getAuthCommands() {
 
     @Override
     public boolean start() {
-        if (isOAuthPluginEnabled()) {
-            logger.info("OAUTH plugin loaded");
-            initializeUserOAuth2AuthenticationProvidersMap();
-        } else {
-            logger.info("OAUTH plugin not enabled so not loading");
-        }
+        initializeUserOAuth2AuthenticationProvidersMap();
+        logger.info("OAUTH plugin loaded");
         return true;
     }
 
-    protected boolean isOAuthPluginEnabled() {
-        return OAuth2IsPluginEnabled.value();
+    protected boolean isOAuthPluginEnabled(Long domainId) {
+        return OAuth2AuthManager.isPluginEnabledForDomain(domainId);
     }
 
     @Override
@@ -125,9 +130,9 @@ protected void initializeUserOAuth2AuthenticationProvidersMap() {
     }
 
     @Override
-    public String verifyCodeAndFetchEmail(String code, String provider) {
+    public String verifySecretCodeAndFetchEmail(String code, String provider, Long domainId) {
         UserOAuth2Authenticator authenticator = getUserOAuth2AuthenticationProvider(provider);
-        String email = authenticator.verifyCodeAndFetchEmail(code);
+        String email = authenticator.verifySecretCodeAndFetchEmail(code, domainId);
 
         return email;
     }
@@ -139,25 +144,36 @@ public OauthProviderVO registerOauthProvider(RegisterOAuthProviderCmd cmd) {
         String clientId = StringUtils.trim(cmd.getClientId());
         String redirectUri = StringUtils.trim(cmd.getRedirectUri());
         String secretKey = StringUtils.trim(cmd.getSecretKey());
+        Long domainId = normalizeGlobalScope(resolveDomainIdFromIdOrPath(cmd.getDomainId(), cmd.getDomainPath()));
 
-        if (!isOAuthPluginEnabled()) {
+        if (!isOAuthPluginEnabled(domainId)) {
             throw new CloudRuntimeException("OAuth is not enabled, please enable to register");
         }
-        OauthProviderVO providerVO = _oauthProviderDao.findByProvider(provider);
+
+        // Check for existing provider with same name and domain
+        OauthProviderVO providerVO = _oauthProviderDao.findByProviderAndDomain(provider, domainId);
         if (providerVO != null) {
-            throw new CloudRuntimeException(String.format("Provider with the name %s is already registered", provider));
+            if (domainId == null) {
+                throw new CloudRuntimeException(String.format("Global provider with the name %s is already registered", provider));
+            } else {
+                throw new CloudRuntimeException(String.format("Provider with the name %s is already registered for domain %d", provider, domainId));
+            }
         }
 
-        return saveOauthProvider(provider, description, clientId, secretKey, redirectUri);
+        return saveOauthProvider(provider, description, clientId, secretKey, redirectUri, domainId);
     }
 
     @Override
-    public List<OauthProviderVO> listOauthProviders(String provider, String uuid) {
+    public List<OauthProviderVO> listOauthProviders(String provider, String uuid, Long domainId) {
         List<OauthProviderVO> providers;
         if (uuid != null) {
             providers = Collections.singletonList(_oauthProviderDao.findByUuid(uuid));
+        } else if (StringUtils.isNotBlank(provider) && domainId != null) {
+            providers = Collections.singletonList(_oauthProviderDao.findByProviderAndDomain(provider, domainId));
         } else if (StringUtils.isNotBlank(provider)) {
-            providers = Collections.singletonList(_oauthProviderDao.findByProvider(provider));
+            providers = Collections.singletonList(_oauthProviderDao.findByProviderAndDomain(provider, null));
+        } else if (domainId != null) {
+            providers = _oauthProviderDao.listByDomainIncludingGlobal(domainId);
         } else {
             providers = _oauthProviderDao.listAll();
         }
@@ -178,6 +194,30 @@ public OauthProviderVO updateOauthProvider(UpdateOAuthProviderCmd cmd) {
             throw new CloudRuntimeException("Provider with the given id is not there");
         }
 
+        Long targetDomainId = providerVO.getDomainId();
+        if (cmd.getDomainId() != null || StringUtils.isNotEmpty(cmd.getDomainPath())) {
+            Long resolved = resolveDomainIdFromIdOrPath(cmd.getDomainId(), cmd.getDomainPath());
+            if (resolved == null) {
+                throw new CloudRuntimeException("Unable to resolve the supplied domain. Provide a valid domain id or path.");
+            }
+            resolved = normalizeGlobalScope(resolved);
+            if (!Objects.equals(resolved, providerVO.getDomainId())) {
+                OauthProviderVO existing = _oauthProviderDao.findByProviderAndDomain(providerVO.getProvider(), resolved);
+                if (existing != null) {
+                    throw new CloudRuntimeException(String.format(
+                            "Provider with the name %s is already registered for domain %s", providerVO.getProvider(),
+                            resolved == null ? "ROOT (global)" : resolved));
+                }
+            }
+            targetDomainId = resolved;
+        }
+
+        if (Boolean.TRUE.equals(enabled) && !isOAuthPluginEnabled(targetDomainId)) {
+            throw new CloudRuntimeException(String.format(
+                    "OAuth plugin is not enabled %s. Enable oauth2.enabled at that scope before enabling this provider.",
+                    targetDomainId == null ? "globally" : "for this domain"));
+        }
+
         if (StringUtils.isNotEmpty(description)) {
             providerVO.setDescription(description);
         }
@@ -193,20 +233,22 @@ public OauthProviderVO updateOauthProvider(UpdateOAuthProviderCmd cmd) {
         if (enabled != null) {
             providerVO.setEnabled(enabled);
         }
+        providerVO.setDomainId(targetDomainId);
 
         _oauthProviderDao.update(id, providerVO);
 
         return _oauthProviderDao.findById(id);
     }
 
-    private OauthProviderVO saveOauthProvider(String provider, String description, String clientId, String secretKey, String redirectUri) {
+    private OauthProviderVO saveOauthProvider(String provider, String description, String clientId, String secretKey, String redirectUri, Long domainId) {
         final OauthProviderVO oauthProviderVO = new OauthProviderVO();
 
         oauthProviderVO.setProvider(provider);
         oauthProviderVO.setDescription(description);
         oauthProviderVO.setClientId(clientId);
         oauthProviderVO.setSecretKey(secretKey);
         oauthProviderVO.setRedirectUri(redirectUri);
+        oauthProviderVO.setDomainId(domainId);
         oauthProviderVO.setEnabled(true);
 
         _oauthProviderDao.persist(oauthProviderVO);
@@ -216,7 +258,66 @@ private OauthProviderVO saveOauthProvider(String provider, String description, S
 
     @Override
     public boolean deleteOauthProvider(Long id) {
-        return _oauthProviderDao.remove(id);
+        return _oauthProviderDao.expunge(id);
+    }
+
+    @Override
+    public Long resolveDomainId(Map<String, Object[]> params) {
+        final String[] domainIdArray = (String[])params.get(ApiConstants.DOMAIN_ID);
+        if (ArrayUtils.isNotEmpty(domainIdArray)) {
+            String domainUuid = domainIdArray[0];
+            if (GLOBAL_DOMAIN_FILTER.equals(domainUuid)) {
+                return GLOBAL_DOMAIN_ID;
+            }
+            Domain domain = _domainService.getDomain(domainUuid);
+            if (Objects.nonNull(domain)) {
+                return domain.getId();
+            }
+        }
+        final String[] domainArray = (String[])params.get(ApiConstants.DOMAIN);
+        if (ArrayUtils.isNotEmpty(domainArray)) {
+            String path = normalizeDomainPath(domainArray[0]);
+            if (StringUtils.isNotEmpty(path)) {
+                Domain domain = _domainService.findDomainByIdOrPath(null, path);
+                if (Objects.nonNull(domain)) {
+                    return domain.getId();
+                }
+            }
+        }
+        return null;
+    }
+
+    protected Long resolveDomainIdFromIdOrPath(Long domainId, String domainPath) {
+        if (domainId != null) {
+            return domainId;
+        }
+        String path = normalizeDomainPath(domainPath);
+        if (StringUtils.isNotEmpty(path)) {
+            Domain domain = _domainService.findDomainByIdOrPath(null, path);
+            if (Objects.nonNull(domain)) {
+                return domain.getId();
+            }
+        }
+        return null;
+    }
+
+    // The ROOT domain is the top of the tree, so a provider scoped to it is equivalent
+    // to a global provider; treat it as global so the global oauth2.enabled config applies.
+    protected Long normalizeGlobalScope(Long domainId) {
+        return (domainId != null && Domain.ROOT_DOMAIN == domainId) ? null : domainId;
+    }
+
+    protected String normalizeDomainPath(String path) {
+        if (StringUtils.isEmpty(path)) {
+            return null;
+        }
+        if (!path.startsWith("/")) {
+            path = "/" + path;
+        }
+        if (!path.endsWith("/")) {
+            path += "/";
+        }
+        return path;
     }
 
     @Override