FEATURE: Experimental support for group membership via google auth (#14835)

This commit introduces a new site setting "google_oauth2_hd_groups". If enabled, group information will be fetched from Google during authentication, and stored in the Discourse database. These 'associated groups' can be connected to a Discourse group via the "Membership" tab of the group preferences UI. 

The majority of the implementation is generic, so we will be able to add support to more authentication methods in the near future.

https://meta.discourse.org/t/managing-group-membership-via-authentication/175950

spec/components/auth/google_oauth2_authenticator_spec.rb

@@ -3,7 +3,6 @@
 require 'rails_helper'
 
 describe Auth::GoogleOAuth2Authenticator do
-
   it 'does not look up user unless email is verified' do
     # note, emails that come back from google via omniauth are always valid
     # this protects against future regressions
@@ -113,6 +112,61 @@ describe Auth::GoogleOAuth2Authenticator do
       expect(result.user).to eq(nil)
       expect(result.name).to eq("Jane Doe")
     end
+
+    context "provides groups" do
+      before do
+        SiteSetting.google_oauth2_hd = "domain.com"
+        group1 = OmniAuth::AuthHash.new(id: "12345", name: "group1")
+        group2 = OmniAuth::AuthHash.new(id: "67890", name: "group2")
+        @groups = [group1, group2]
+        @groups_hash = OmniAuth::AuthHash.new(
+          provider: "google_oauth2",
+          uid: "123456789",
+          info: {
+            first_name: "Jane",
+            last_name: "Doe",
+            name: "Jane Doe",
+            email: "jane.doe@the.google.com"
+          },
+          extra: {
+            raw_info: {
+              email: "jane.doe@the.google.com",
+              email_verified: true,
+              name: "Jane Doe"
+            },
+            raw_groups: @groups
+          }
+        )
+      end
+
+      context "enabled" do
+        before do
+          SiteSetting.google_oauth2_hd_groups = true
+        end
+
+        it "adds associated groups" do
+          result = described_class.new.after_authenticate(@groups_hash)
+          expect(result.associated_groups).to eq(@groups)
+        end
+
+        it "handles a blank groups array" do
+          @groups_hash[:extra][:raw_groups] = []
+          result = described_class.new.after_authenticate(@groups_hash)
+          expect(result.associated_groups).to eq([])
+        end
+      end
+
+      context "disabled" do
+        before do
+          SiteSetting.google_oauth2_hd_groups = false
+        end
+
+        it "doesnt add associated groups" do
+          result = described_class.new.after_authenticate(@groups_hash)
+          expect(result.associated_groups).to eq(nil)
+        end
+      end
+    end
   end
 
   context 'revoke' do

spec/components/auth/managed_authenticator_spec.rb

@@ -38,6 +38,12 @@ describe Auth::ManagedAuthenticator do
     )
   }
 
+  def create_auth_result(attrs)
+    auth_result = Auth::Result.new
+    attrs.each { |k, v| auth_result.send("#{k}=", v) }
+    auth_result
+  end
+
   describe 'after_authenticate' do
     it 'can match account from an existing association' do
       user = Fabricate(:user)
@@ -250,14 +256,14 @@ describe Auth::ManagedAuthenticator do
       let!(:association) { UserAssociatedAccount.create!(provider_name: 'myauth', provider_uid: "1234") }
 
       it "doesn't schedule with no image" do
-        expect { result = authenticator.after_create_account(user, extra_data: create_hash) }
+        expect { result = authenticator.after_create_account(user, create_auth_result(extra_data: create_hash)) }
           .to change { Jobs::DownloadAvatarFromUrl.jobs.count }.by(0)
       end
 
       it "schedules with image" do
         association.info["image"] = "https://some.domain/image.jpg"
         association.save!
-        expect { result = authenticator.after_create_account(user, extra_data: create_hash) }
+        expect { result = authenticator.after_create_account(user, create_auth_result(extra_data: create_hash)) }
           .to change { Jobs::DownloadAvatarFromUrl.jobs.count }.by(1)
       end
     end
@@ -267,14 +273,14 @@ describe Auth::ManagedAuthenticator do
       let!(:association) { UserAssociatedAccount.create!(provider_name: 'myauth', provider_uid: "1234") }
 
       it "doesn't explode without profile" do
-        authenticator.after_create_account(user, extra_data: create_hash)
+        authenticator.after_create_account(user, create_auth_result(extra_data: create_hash))
       end
 
       it "works with profile" do
         association.info["location"] = "DiscourseVille"
         association.info["description"] = "Online forum expert"
         association.save!
-        authenticator.after_create_account(user, extra_data: create_hash)
+        authenticator.after_create_account(user, create_auth_result(extra_data: create_hash))
         expect(user.user_profile.bio_raw).to eq("Online forum expert")
         expect(user.user_profile.location).to eq("DiscourseVille")
       end

spec/components/auth/omniauth_strategies/discourse_google_oauth2_spec.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe Auth::OmniAuthStrategies::DiscourseGoogleOauth2 do
+  let(:response_hash) do
+    {
+      email: 'user@domain.com',
+      email_verified: true
+    }
+  end
+  let(:groups) do
+    [
+      {
+        id: "12345",
+        name: "group1"
+      },
+      {
+        id: "67890",
+        name: "group2"
+      }
+    ]
+  end
+  let(:uid) { "12345" }
+  let(:domain) { "domain.com" }
+
+  def build_response(body, code = 200)
+    [code, { 'Content-Type' => 'application/json' }, body.to_json]
+  end
+
+  def build_client(groups_response)
+    OAuth2::Client.new('abc', 'def') do |builder|
+      builder.request :url_encoded
+      builder.adapter :test do |stub|
+        stub.get('/oauth2/v3/userinfo') { build_response(response_hash) }
+        stub.get(described_class::GROUPS_PATH) { groups_response }
+      end
+    end
+  end
+
+  let(:successful_groups_client) do
+    build_client(
+      build_response(
+        groups: groups
+      )
+    )
+  end
+
+  let(:unsuccessful_groups_client) do
+    build_client(
+      build_response(
+        error: {
+          code: 403,
+          message: "Not Authorized to access this resource/api"
+        }
+      )
+    )
+  end
+
+  let(:successful_groups_token) do
+    OAuth2::AccessToken.from_hash(successful_groups_client, {})
+  end
+
+  let(:unsuccessful_groups_token) do
+    OAuth2::AccessToken.from_hash(unsuccessful_groups_client, {})
+  end
+
+  def app
+    lambda do |_env|
+      [200, {}, ["Hello."]]
+    end
+  end
+
+  def build_strategy(access_token)
+    strategy = described_class.new(app, 'appid', 'secret', @options)
+    strategy.stubs(:uid).returns(uid)
+    strategy.stubs(:access_token).returns(access_token)
+    strategy
+  end
+
+  before do
+    @options = {}
+    OmniAuth.config.test_mode = true
+  end
+
+  after do
+    OmniAuth.config.test_mode = false
+  end
+
+  context 'request_groups is true' do
+    before do
+      @options[:request_groups] = true
+    end
+
+    context 'groups request successful' do
+      before do
+        @strategy = build_strategy(successful_groups_token)
+      end
+
+      it 'should include users groups' do
+        expect(@strategy.extra[:raw_groups].map(&:symbolize_keys)).to eq(groups)
+      end
+    end
+
+    context 'groups request unsuccessful' do
+      before do
+        @strategy = build_strategy(unsuccessful_groups_token)
+      end
+
+      it 'users groups should be empty' do
+        expect(@strategy.extra[:raw_groups].empty?).to eq(true)
+      end
+    end
+  end
+
+  context 'request_groups is not true' do
+    before do
+      @options[:request_groups] = false
+      @strategy = build_strategy(successful_groups_token)
+    end
+
+    it 'should not include users groups' do
+      expect(@strategy.extra).not_to have_key(:raw_groups)
+    end
+  end
+end