From c9c063643c20c253184d152fae5ed2dea8d5ed71 Mon Sep 17 00:00:00 2001
From: Brandon Long <blong@fiction.net>
Date: Mon, 11 Jun 2018 10:39:49 -0700
Subject: [PATCH] Initial support for OAUTHBEARER for IMAP.

Gmail supports RFC 7628 for using OAUTH with IMAP, and they really don't
like you using password based auth.  You can still enable "less secure
apps" and then generate an application specific password, but I figured it
was time to support it.

Being mutt, I punted on some of the "hard" work to an external script, ie
getting/refreshing the OAUTH tokens.  This avoids the issue of how do you
have a client-id and client-secret for an open source project, and the fact
that OAUTH discovery is still nascent, so you'd likely need separate things
for each of the providers.

At least for Gmail, you can use the oauth2.py script from Google's
gmail-oauth2-tools:
https://github.com/google/gmail-oauth2-tools/blob/master/python/oauth2.py

You'd need to get your own oauth client credentials for Gmail here:
https://console.developers.google.com/apis/credentials

Then, you'd use oauth2.py with --generate_oauth2_token to get a refresh
token, and configure mutt with:

set imap_authenticators="oauthbearer"
set imap_user="<email_address>"
set imap_pass=`/path/to/oauth2.py --quiet --user=<email_address>
--client_id=<client_id> --client_secret=<client_secret>
--refresh_token=<refresh_token>`

For this patch, I didn't add any new configuration, but I'm open to
suggestions on that.

The patch also only support SASL-IR to reduce round-trips to the server,
but it's certainly possible to change that if we think there are
OAUTHBEARER IMAP servers that don't support SASL-IR.  It also requires the
connection to be encrypted as the access token is re-usable for an hour or
so.  Again, Gmail only allows encrypted IMAP connections, not sure if any
OAUTHBEARER services allow non-encrypted.

Turns out that auth failure leaves you in SASL mode, so I have a hack to
issue a noop command on error.  Not sure if that's just OAUTHBEARER
oddness, or whether I should be using lower level mutt imap functions.
---
 Makefile.autosetup  |   2 +-
 imap/auth.c         |   2 +-
 imap/auth.h         |   1 +
 imap/auth_oauth.c   | 103 ++++++++++++++++++++++++++++++++++++++++++++
 imap/command.c      |  21 +++++++--
 imap/imap_private.h |  23 +++++-----
 6 files changed, 135 insertions(+), 17 deletions(-)
 create mode 100644 imap/auth_oauth.c

diff --git a/Makefile.autosetup b/Makefile.autosetup
index 0eb31b612..091fa92ef 100644
--- a/Makefile.autosetup
+++ b/Makefile.autosetup
@@ -155,7 +155,7 @@ ALLOBJS+=	$(LIBNCRYPTOBJS)
 # libimap
 LIBIMAP=	libimap.a
 LIBIMAPOBJS=	imap/auth.o imap/auth_anon.o imap/auth_cram.o \
-		imap/auth_login.o imap/auth_plain.o imap/browse.o \
+		imap/auth_login.o imap/auth_oauth.o imap/auth_plain.o imap/browse.o \
 		imap/command.o imap/imap.o imap/message.o imap/utf7.o \
 		imap/util.o
 @if USE_GSS
diff --git a/imap/auth.c b/imap/auth.c
index dbb167563..12aa88a21 100644
--- a/imap/auth.c
+++ b/imap/auth.c
@@ -53,7 +53,7 @@ static const struct ImapAuth imap_authenticators[] = {
 #ifndef USE_SASL
   { imap_auth_cram_md5, "cram-md5" },
 #endif
-  { imap_auth_login, "login" },
+  { imap_auth_login, "login" },       { imap_auth_oauth, "oauthbearer" },
 };
 
 /**
diff --git a/imap/auth.h b/imap/auth.h
index 58933435d..bdf9fb01e 100644
--- a/imap/auth.h
+++ b/imap/auth.h
@@ -63,5 +63,6 @@ enum ImapAuthRes imap_auth_gss(struct ImapData *idata, const char *method);
 #ifdef USE_SASL
 enum ImapAuthRes imap_auth_sasl(struct ImapData *idata, const char *method);
 #endif
+enum ImapAuthRes imap_auth_oauth(struct ImapData *idata, const char *method);
 
 #endif /* _IMAP_AUTH_H */
diff --git a/imap/auth_oauth.c b/imap/auth_oauth.c
new file mode 100644
index 000000000..f343d45ba
--- /dev/null
+++ b/imap/auth_oauth.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 1999-2001,2005 Brendan Cully <brendan@kublai.com>
+ * Copyright (C) 2018 Brandon Long <blong@fiction.net>
+ * 
+ *     This program is free software; you can redistribute it and/or modify
+ *     it under the terms of the GNU General Public License as published by
+ *     the Free Software Foundation; either version 2 of the License, or
+ *     (at your option) any later version.
+ * 
+ *     This program is distributed in the hope that it will be useful,
+ *     but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *     GNU General Public License for more details.
+ * 
+ *     You should have received a copy of the GNU General Public License
+ *     along with this program; if not, write to the Free Software
+ *     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+/* IMAP login/authentication code */
+
+#include "config.h"
+#include "imap_private.h"
+#include "mutt/mutt.h"
+#include "conn/conn.h"
+#include "mutt.h"
+#include "auth.h"
+#include "mutt_account.h"
+#include "mutt_logging.h"
+#include "mutt_socket.h"
+#include "muttlib.h"
+
+/* imap_auth_oauth: AUTH=OAUTHBEARER support. See RFC 7628 */
+enum ImapAuthRes imap_auth_oauth(struct ImapData *idata, const char *method)
+{
+  char *ibuf = NULL;
+  char *oauth_buf = NULL;
+  int len, ilen, oalen;
+  int rc;
+
+  /* For now, we only support SASL_IR also and over TLS */
+  if (!mutt_bit_isset(idata->capabilities, AUTH_OAUTHBEARER) ||
+      !mutt_bit_isset(idata->capabilities, SASL_IR) || !idata->conn->ssf)
+    return IMAP_AUTH_UNAVAIL;
+
+  mutt_message(_("Authenticating (OAUTHBEARER)..."));
+
+  /* get auth info */
+  if (mutt_account_getlogin(&idata->conn->account))
+    return IMAP_AUTH_FAILURE;
+
+  /* We get the access token from the "imap_pass" field */
+  if (mutt_account_getpass(&idata->conn->account))
+    return IMAP_AUTH_FAILURE;
+
+  /* Determine the length of the keyed message digest, add 50 for
+   * overhead.
+   */
+  oalen = mutt_str_strlen(idata->conn->account.user) +
+          mutt_str_strlen(idata->conn->account.host) +
+          mutt_str_strlen(idata->conn->account.pass) + 50;
+  oauth_buf = mutt_mem_malloc(oalen);
+
+  snprintf(oauth_buf, oalen, "n,a=%s,\001host=%s\001port=%d\001auth=Bearer %s\001\001",
+           idata->conn->account.user, idata->conn->account.host,
+           idata->conn->account.port, idata->conn->account.pass);
+
+  /* ibuf must be long enough to store the base64 encoding of
+   * oauth_buf, plus the additional debris.
+   */
+
+  ilen = mutt_str_strlen(oauth_buf) * 2 + 30;
+  ibuf = mutt_mem_malloc(ilen);
+  ibuf[0] = '\0';
+
+  mutt_str_strcat(ibuf, ilen, "AUTHENTICATE OAUTHBEARER ");
+  len = mutt_str_strlen(ibuf);
+
+  mutt_b64_encode(oauth_buf, mutt_str_strlen(oauth_buf), (ibuf + len), ilen - len);
+
+  /* This doesn't really contain a password, but the token is good for
+   * an hour, so suppress it anyways.
+   */
+  rc = imap_exec(idata, ibuf, IMAP_CMD_FAIL_OK | IMAP_CMD_PASS);
+
+  FREE(&oauth_buf);
+  FREE(&ibuf);
+
+  if (!rc)
+  {
+    mutt_clear_error();
+    return IMAP_AUTH_SUCCESS;
+  }
+
+  /* The error response was in SASL continuation, so "continue" the SASL
+   * to cause a failure and exit SASL input.
+   */
+  mutt_socket_send(idata->conn, "an noop\r\n");
+
+  mutt_error(_("OAUTHBEARER authentication failed."));
+  mutt_sleep(2);
+  return IMAP_AUTH_FAILURE;
+}
diff --git a/imap/command.c b/imap/command.c
index 6be9c0834..f29ad56bc 100644
--- a/imap/command.c
+++ b/imap/command.c
@@ -67,10 +67,23 @@ bool ImapServernoise; ///< Config: (imap) Display server warnings as error messa
  * @note Gmail documents one string but use another, so we support both.
  */
 static const char *const Capabilities[] = {
-  "IMAP4",     "IMAP4rev1",     "STATUS",      "ACL",
-  "NAMESPACE", "AUTH=CRAM-MD5", "AUTH=GSSAPI", "AUTH=ANONYMOUS",
-  "STARTTLS",  "LOGINDISABLED", "IDLE",        "SASL-IR",
-  "ENABLE",    "X-GM-EXT-1",    "X-GM-EXT1",   NULL,
+  "IMAP4",
+  "IMAP4rev1",
+  "STATUS",
+  "ACL",
+  "NAMESPACE",
+  "AUTH=CRAM-MD5",
+  "AUTH=GSSAPI",
+  "AUTH=ANONYMOUS",
+  "AUTH=OAUTHBEARER",
+  "STARTTLS",
+  "LOGINDISABLED",
+  "IDLE",
+  "SASL-IR",
+  "ENABLE",
+  "X-GM-EXT-1",
+  "X-GM-EXT1",
+  NULL,
 };
 
 /**
diff --git a/imap/imap_private.h b/imap/imap_private.h
index 8f68e971f..78691db83 100644
--- a/imap/imap_private.h
+++ b/imap/imap_private.h
@@ -124,17 +124,18 @@ enum ImapCaps
   IMAP4 = 0,
   IMAP4REV1,
   STATUS,
-  ACL,           /**< RFC2086: IMAP4 ACL extension */
-  NAMESPACE,     /**< RFC2342: IMAP4 Namespace */
-  ACRAM_MD5,     /**< RFC2195: CRAM-MD5 authentication */
-  AGSSAPI,       /**< RFC1731: GSSAPI authentication */
-  AUTH_ANON,     /**< AUTH=ANONYMOUS */
-  STARTTLS,      /**< RFC2595: STARTTLS */
-  LOGINDISABLED, /**<           LOGINDISABLED */
-  IDLE,          /**< RFC2177: IDLE */
-  SASL_IR,       /**< SASL initial response draft */
-  ENABLE,        /**< RFC5161 */
-  X_GM_EXT1,     /**< https://developers.google.com/gmail/imap/imap-extensions */
+  ACL,                   /**< RFC2086: IMAP4 ACL extension */
+  NAMESPACE,             /**< RFC2342: IMAP4 Namespace */
+  ACRAM_MD5,             /**< RFC2195: CRAM-MD5 authentication */
+  AGSSAPI,               /**< RFC1731: GSSAPI authentication */
+  AUTH_ANON,             /**< AUTH=ANONYMOUS */
+  AUTH_OAUTHBEARER,      /**< RFC7628: AUTH=OAUTHBEARER */
+  STARTTLS,              /**< RFC2595: STARTTLS */
+  LOGINDISABLED,         /**< RFC2595: LOGINDISABLED */
+  IDLE,                  /**< RFC2177: IDLE */
+  SASL_IR,               /**< SASL initial response draft */
+  ENABLE,                /**< RFC5161 */
+  X_GM_EXT1,             /**< https://developers.google.com/gmail/imap/imap-extensions */
   X_GM_ALT1 = X_GM_EXT1, /**< Alternative capability string */
 
   CAPMAX
-- 
2.40.0