FEATURE: Experimental support for group membership via google auth (#14835)

This commit introduces a new site setting "google_oauth2_hd_groups". If enabled, group information will be fetched from Google during authentication, and stored in the Discourse database. These 'associated groups' can be connected to a Discourse group via the "Membership" tab of the group preferences UI. 

The majority of the implementation is generic, so we will be able to add support to more authentication methods in the near future.

https://meta.discourse.org/t/managing-group-membership-via-authentication/175950

lib/auth/authenticator.rb

@@ -65,4 +65,9 @@ class Auth::Authenticator
   def revoke(user, skip_remote: false)
     raise NotImplementedError
   end
+
+  # provider has implemented user group membership (or equivalent) request
+  def provides_groups?
+    false
+  end
 end

lib/auth/google_oauth2_authenticator.rb

@@ -16,6 +16,7 @@ class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator
   end
 
   def register_middleware(omniauth)
+    strategy_class = Auth::OmniAuthStrategies::DiscourseGoogleOauth2
     options = {
       setup: lambda { |env|
         strategy = env["omniauth.strategy"]
@@ -35,8 +36,25 @@ class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator
         # the JWT can fail due to clock skew, so let's skip it completely.
         # https://github.com/zquestz/omniauth-google-oauth2/pull/392
         strategy.options[:skip_jwt] = true
+        strategy.options[:request_groups] = provides_groups?
+
+        if provides_groups?
+          strategy.options[:scope] = "#{strategy_class::DEFAULT_SCOPE},#{strategy_class::GROUPS_SCOPE}"
+        end
       }
     }
-    omniauth.provider :google_oauth2, options
+    omniauth.provider strategy_class, options
+  end
+
+  def after_authenticate(auth_token, existing_account: nil)
+    result = super
+    if provides_groups? && (groups = auth_token[:extra][:raw_groups])
+      result.associated_groups = groups.map { |group| group.slice(:id, :name) }
+    end
+    result
+  end
+
+  def provides_groups?
+    SiteSetting.google_oauth2_hd.present? && SiteSetting.google_oauth2_hd_groups
   end
 end

lib/auth/managed_authenticator.rb

@@ -113,14 +113,16 @@ class Auth::ManagedAuthenticator < Auth::Authenticator
     result
   end
 
-  def after_create_account(user, auth)
-    auth_token = auth[:extra_data]
+  def after_create_account(user, auth_result)
+    auth_token = auth_result[:extra_data]
     association = UserAssociatedAccount.find_or_initialize_by(provider_name: auth_token[:provider], provider_uid: auth_token[:uid])
     association.user = user
     association.save!
 
     retrieve_avatar(user, association.info["image"])
     retrieve_profile(user, association.info)
+
+    auth_result.apply_associated_attributes!
   end
 
   def find_user_by_email(auth_token)

lib/auth/omniauth_strategies/discourse_google_oauth2.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+class Auth::OmniAuthStrategies
+  class DiscourseGoogleOauth2 < OmniAuth::Strategies::GoogleOauth2
+    GROUPS_SCOPE ||= "admin.directory.group.readonly"
+    GROUPS_DOMAIN ||= "admin.googleapis.com"
+    GROUPS_PATH ||= "/admin/directory/v1/groups"
+
+    def extra
+      hash = {}
+      hash[:raw_info] = raw_info
+      hash[:raw_groups] = raw_groups if options[:request_groups]
+      hash
+    end
+
+    def raw_groups
+      @raw_groups ||= begin
+        groups = []
+        page_token = nil
+        groups_url = "https://#{GROUPS_DOMAIN}#{GROUPS_PATH}"
+
+        loop do
+          params = {
+            userKey: uid
+          }
+          params[:pageToken] = page_token if page_token
+
+          response = access_token.get(groups_url, params: params, raise_errors: false)
+
+          if response.status == 200
+            response = response.parsed
+            groups.push(*response['groups'])
+            page_token = response['nextPageToken']
+            break if page_token.nil?
+          else
+            Rails.logger.error("[Discourse Google OAuth2] failed to retrieve groups for #{uid} - status #{response.status}")
+            break
+          end
+        end
+
+        groups
+      end
+    end
+  end
+end

lib/auth/result.rb

@@ -21,7 +21,8 @@ class Auth::Result
     :omniauth_disallow_totp,
     :failed,
     :failed_reason,
-    :failed_code
+    :failed_code,
+    :associated_groups
   ]
 
   attr_accessor *ATTRIBUTES
@@ -36,7 +37,8 @@ class Auth::Result
     :name,
     :authenticator_name,
     :extra_data,
-    :skip_email_validation
+    :skip_email_validation,
+    :associated_groups
   ]
 
   def [](key)
@@ -94,6 +96,29 @@ class Auth::Result
     change_made
   end
 
+  def apply_associated_attributes!
+    if authenticator&.provides_groups? && !associated_groups.nil?
+      associated_group_ids = []
+
+      associated_groups.uniq.each do |associated_group|
+        begin
+          associated_group = AssociatedGroup.find_or_create_by(
+            name: associated_group[:name],
+            provider_id: associated_group[:id],
+            provider_name: extra_data[:provider]
+          )
+        rescue ActiveRecord::RecordNotUnique
+          retry
+        end
+
+        associated_group_ids.push(associated_group.id)
+      end
+
+      user.update(associated_group_ids: associated_group_ids)
+      AssociatedGroup.where(id: associated_group_ids).update_all("last_used = CURRENT_TIMESTAMP")
+    end
+  end
+
   def can_edit_name
     !SiteSetting.auth_overrides_name
   end
@@ -167,6 +192,10 @@ class Auth::Result
     username || name || email
   end
 
+  def authenticator
+    @authenticator ||= Discourse.enabled_authenticators.find { |a| a.name == authenticator_name }
+  end
+
   def resolve_username
     if staged_user
       if !username.present? || UserNameSuggester.fix_username(username) == staged_user.username