Subject: [PATCH] Feature: move to modern authentication(OAuth 2.0) from IMAP #84 --- Index: .gitignore IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== diff --git a/.gitignore b/.gitignore --- a/.gitignore (revision 87972acede20e953e34edc18e246d583af860f8f) +++ b/.gitignore (revision e69e0e367e2936c62f525f1d3cc20628f76050b5) @@ -50,3 +50,4 @@ /config/master.key /config/credentials.yml.enc +/config/email_oauth*.yml Index: Gemfile IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== diff --git a/Gemfile b/Gemfile --- a/Gemfile (revision 87972acede20e953e34edc18e246d583af860f8f) +++ b/Gemfile (revision e69e0e367e2936c62f525f1d3cc20628f76050b5) @@ -21,6 +21,8 @@ gem 'net-imap', '~> 0.3.9' gem 'net-pop', '~> 0.1.2' gem 'net-smtp', '~> 0.3.3' +gem 'oauth2', '~> 2.0' +gem 'gmail_xoauth', '~> 0.4.3' gem 'rexml', require: false if Gem.ruby_version >= Gem::Version.new('3.0') # Windows does not include zoneinfo files, so bundle the tzinfo-data gem Index: lib/redmine/imap.rb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== diff --git a/lib/redmine/imap.rb b/lib/redmine/imap.rb --- a/lib/redmine/imap.rb (revision 87972acede20e953e34edc18e246d583af860f8f) +++ b/lib/redmine/imap.rb (revision e69e0e367e2936c62f525f1d3cc20628f76050b5) @@ -16,7 +16,6 @@ # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - require 'net/imap' module Redmine @@ -28,12 +27,20 @@ ssl = !imap_options[:ssl].nil? starttls = !imap_options[:starttls].nil? folder = imap_options[:folder] || 'INBOX' + auth_type = imap_options[:auth_type] || 'LOGIN' imap = Net::IMAP.new(host, port, ssl) if starttls imap.starttls end - imap.login(imap_options[:username], imap_options[:password]) unless imap_options[:username].nil? + if auth_type == "XOAUTH2" + require 'gmail_xoauth' unless defined?(Net::IMAP::XOauth2Authenticator) && Net::IMAP::XOauth2Authenticator.class == Class + end + if auth_type == "LOGIN" + imap.login(imap_options[:username], imap_options[:password]) unless imap_options[:username].nil? + else + imap.authenticate(auth_type, imap_options[:username], imap_options[:password]) unless imap_options[:username].nil? + end imap.select(folder) imap.uid_search(['NOT', 'SEEN']).each do |uid| msg = imap.uid_fetch(uid,'RFC822')[0].attr['RFC822'] Index: lib/tasks/email_oauth.rake IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== diff --git a/lib/tasks/email_oauth.rake b/lib/tasks/email_oauth.rake new file mode 100644 --- /dev/null (revision e69e0e367e2936c62f525f1d3cc20628f76050b5) +++ b/lib/tasks/email_oauth.rake (revision e69e0e367e2936c62f525f1d3cc20628f76050b5) @@ -0,0 +1,109 @@ +# Redmine - project management software +# Copyright (C) 2006-2022 Jean-Philippe Lang +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +require 'net/imap' +require 'oauth2' +require 'uri' +require 'cgi' + +require 'gmail_xoauth' unless defined?(Net::IMAP::XOauth2Authenticator) && Net::IMAP::XOauth2Authenticator.class == Class + +namespace :redmine do + namespace :email do + + # token_file = path and basename /app/redmine/config/email_token (email_token.yml and email_token_client.yml are created) + # client = Azure app Client ID + # secret = Azure app Secret key + # tenant = Azure app Tenant ID + + desc "Init Office 365 authorization" + task :o365_oauth2_init => :environment do + + token_file = ENV['token_file'] + client_id = ENV['client'] + client_secret = ENV['secret'] + tenant_id = ENV['tenant'] + + scope = [ + "offline_access", + "https://outlook.office.com/User.Read", + "https://outlook.office.com/IMAP.AccessAsUser.All", + "https://outlook.office.com/POP.AccessAsUser.All", + "https://outlook.office.com/SMTP.Send", + ] + + client_config = { + "tenant_id" => tenant_id, + "client_id" => client_id, + "client_secret" => client_secret, + "site" => 'https://login.microsoftonline.com', + "authorize_url" => "/#{tenant_id}/oauth2/v2.0/authorize", + "token_url" => "/#{tenant_id}/oauth2/v2.0/token" + } + + client = OAuth2::Client.new(client_config['client_id'], client_config['client_secret'], + site: client_config['site'], authorize_url: client_config['authorize_url'], token_url: client_config['token_url']) + + print("Go to URL: #{client.auth_code.authorize_url(scope: scope.join(" "))}\n") + print("Enter full URL after authorize:") + access_token = client.auth_code.get_token(CGI.parse(URI.parse(STDIN.gets.strip).query)["code"].first, client_id: client_id) + + File.write("#{token_file}.yml", access_token.to_hash.to_yaml) + File.write("#{token_file}_client.yml", client_config.to_yaml) + + puts "AUTH OK!" + end + + desc "Read emails from an IMAP server authorized via OAuth2" + task :receive_imap_oauth2 => :environment do + + token_file = ENV['token_file'] + + unless token_file && File.exist?("#{token_file}.yml") && File.exist?("#{token_file}_client.yml") + raise "token_file not defined or not exists" + end + + client_config = YAML.load_file("#{token_file}_client.yml") + client = OAuth2::Client.new(client_config['client_id'], client_config['client_secret'], + site: client_config['site'], authorize_url: client_config['authorize_url'], token_url: client_config['token_url']) + + access_token = OAuth2::AccessToken.from_hash(client, YAML.unsafe_load_file("#{token_file}.yml")) + + if access_token.expired? + access_token = access_token.refresh! + File.write("#{token_file}.yml", access_token.to_hash.to_yaml) + end + + imap_options = {:host => ENV['host'], + :port => ENV['port'], + :ssl => ENV['ssl'], + :starttls => ENV['starttls'], + :username => ENV['username'], + :password => access_token.token, + :auth_type => 'XOAUTH2', + :folder => ENV['folder'], + :move_on_success => ENV['move_on_success'], + :move_on_failure => ENV['move_on_failure']} + + Mailer.with_synched_deliveries do + Redmine::IMAP.check(imap_options, MailHandler.extract_options_from_env(ENV)) + end + end + + end + +end Index: test/unit/lib/redmine/imap_test.rb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== diff --git a/test/unit/lib/redmine/imap_test.rb b/test/unit/lib/redmine/imap_test.rb new file mode 100644 --- /dev/null (revision e69e0e367e2936c62f525f1d3cc20628f76050b5) +++ b/test/unit/lib/redmine/imap_test.rb (revision e69e0e367e2936c62f525f1d3cc20628f76050b5) @@ -0,0 +1,36 @@ +# frozen_string_literal: true + +require_relative '../../../test_helper' +require 'net/imap' + +class Redmine::IMAPTest < ActiveSupport::TestCase + def test_check_uses_login_by_default + imap = mock('imap') + Net::IMAP.expects(:new).with('127.0.0.1', '143', false).returns(imap) + imap.expects(:starttls).never + imap.expects(:login).with('user', 'secret') + imap.expects(:select).with('INBOX') + imap.expects(:uid_search).returns([]) + imap.expects(:expunge) + imap.expects(:logout) + imap.expects(:disconnect) + + Redmine::IMAP.check(:username => 'user', :password => 'secret') + end + + def test_check_uses_authenticate_when_auth_type_is_set + imap = mock('imap') + Net::IMAP.expects(:new).with('imap.example.com', '993', true).returns(imap) + imap.expects(:starttls) + imap.expects(:authenticate).with('XOAUTH2', 'user', 'token') + imap.expects(:select).with('INBOX') + imap.expects(:uid_search).returns([]) + imap.expects(:expunge) + imap.expects(:logout) + imap.expects(:disconnect) + + Redmine::IMAP.check(:host => 'imap.example.com', :port => '993', :ssl => true, + :starttls => true, :username => 'user', :password => 'token', + :auth_type => 'XOAUTH2') + end +end Index: test/unit/lib/tasks/email_oauth_test.rb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== diff --git a/test/unit/lib/tasks/email_oauth_test.rb b/test/unit/lib/tasks/email_oauth_test.rb new file mode 100644 --- /dev/null (revision e69e0e367e2936c62f525f1d3cc20628f76050b5) +++ b/test/unit/lib/tasks/email_oauth_test.rb (revision e69e0e367e2936c62f525f1d3cc20628f76050b5) @@ -0,0 +1,73 @@ +require 'minitest/autorun' +require 'mocha/minitest' +require 'yaml' +require 'fileutils' +require 'tempfile' +require 'oauth2' + +class EmailOauthTokenRefreshTest < Minitest::Test + def setup + @dir = Dir.mktmpdir + @token_file = File.join(@dir, 'email_token') + File.write("#{@token_file}_client.yml", { + 'client_id' => 'id', + 'client_secret' => 'secret', + 'site' => 'site', + 'authorize_url' => 'auth', + 'token_url' => 'token' + }.to_yaml) + File.write("#{@token_file}.yml", { + 'access_token' => 'old', + 'refresh_token' => 'r', + 'expires_at' => Time.now.to_i - 3600 + }.to_yaml) + end + + def teardown + FileUtils.rm_rf(@dir) + end + + def run_refresh_logic + client_config = YAML.load_file("#{@token_file}_client.yml") + client = OAuth2::Client.new(client_config['client_id'], client_config['client_secret'], + site: client_config['site'], authorize_url: client_config['authorize_url'], token_url: client_config['token_url']) + access_token = OAuth2::AccessToken.from_hash(client, YAML.unsafe_load_file("#{@token_file}.yml")) + if access_token.expired? + access_token = access_token.refresh! + File.write("#{@token_file}.yml", access_token.to_hash.to_yaml) + end + end + + def test_expired_token_refreshes_and_writes_file + refreshed = stub('token', to_hash: { + 'access_token' => 'new', + 'refresh_token' => 'r', + 'expires_at' => Time.now.to_i + 3600 + }) + access_token = stub('token') + access_token.stubs(:expired?).returns(true) + access_token.stubs(:refresh!).returns(refreshed) + + OAuth2::Client.expects(:new).returns(:client) + OAuth2::AccessToken.expects(:from_hash).returns(access_token) + + run_refresh_logic + + data = YAML.safe_load(File.read("#{@token_file}.yml")) + assert_equal 'new', data['access_token'] + end + + def test_valid_token_is_not_refreshed + access_token = stub('token') + access_token.stubs(:expired?).returns(false) + + OAuth2::Client.expects(:new).returns(:client) + OAuth2::AccessToken.expects(:from_hash).returns(access_token) + access_token.expects(:refresh!).never + + run_refresh_logic + + data = YAML.safe_load(File.read("#{@token_file}.yml")) + assert_equal 'old', data['access_token'] + end +end