From 05e09d910a34118406d7252d873696a47c80a3a6 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Fri, 18 Jun 2021 21:31:21 +0100 Subject: [PATCH 01/44] Rename auth.Auth auth.Method Signed-off-by: Andrew Thornton --- modules/context/api.go | 2 +- modules/context/context.go | 2 +- services/auth/auth.go | 6 +++--- services/auth/basic.go | 2 +- services/auth/group.go | 6 +++--- services/auth/interface.go | 4 ++-- services/auth/oauth2.go | 2 +- services/auth/reverseproxy.go | 2 +- services/auth/session.go | 2 +- services/auth/sspi_windows.go | 2 +- 10 files changed, 15 insertions(+), 15 deletions(-) diff --git a/modules/context/api.go b/modules/context/api.go index 506824674522e..78d48e9169be5 100644 --- a/modules/context/api.go +++ b/modules/context/api.go @@ -218,7 +218,7 @@ func (ctx *APIContext) CheckForOTP() { } // APIAuth converts auth.Auth as a middleware -func APIAuth(authMethod auth.Auth) func(*APIContext) { +func APIAuth(authMethod auth.Method) func(*APIContext) { return func(ctx *APIContext) { // Get user from session if logged in. ctx.User = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) diff --git a/modules/context/context.go b/modules/context/context.go index 7b3fd2899acd9..f1bc4f3ab2557 100644 --- a/modules/context/context.go +++ b/modules/context/context.go @@ -612,7 +612,7 @@ func getCsrfOpts() CsrfOptions { } // Auth converts auth.Auth as a middleware -func Auth(authMethod auth.Auth) func(*Context) { +func Auth(authMethod auth.Method) func(*Context) { return func(ctx *Context) { ctx.User = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) if ctx.User != nil { diff --git a/services/auth/auth.go b/services/auth/auth.go index 5492a8b74ede3..1dedfbf779b58 100644 --- a/services/auth/auth.go +++ b/services/auth/auth.go @@ -27,7 +27,7 @@ import ( // // The Session plugin is expected to be executed second, in order to skip authentication // for users that have already signed in. -var authMethods = []Auth{ +var authMethods = []Method{ &OAuth2{}, &Basic{}, &Session{}, @@ -40,12 +40,12 @@ var ( ) // Methods returns the instances of all registered methods -func Methods() []Auth { +func Methods() []Method { return authMethods } // Register adds the specified instance to the list of available methods -func Register(method Auth) { +func Register(method Method) { authMethods = append(authMethods, method) } diff --git a/services/auth/basic.go b/services/auth/basic.go index 0bce4f1d067a2..5516eaffc810e 100644 --- a/services/auth/basic.go +++ b/services/auth/basic.go @@ -19,7 +19,7 @@ import ( // Ensure the struct implements the interface. var ( - _ Auth = &Basic{} + _ Method = &Basic{} ) // Basic implements the Auth interface and authenticates requests (API requests diff --git a/services/auth/group.go b/services/auth/group.go index b61949de7dea7..7e887cfa8b58e 100644 --- a/services/auth/group.go +++ b/services/auth/group.go @@ -12,16 +12,16 @@ import ( // Ensure the struct implements the interface. var ( - _ Auth = &Group{} + _ Method = &Group{} ) // Group implements the Auth interface with serval Auth. type Group struct { - methods []Auth + methods []Method } // NewGroup creates a new auth group -func NewGroup(methods ...Auth) *Group { +func NewGroup(methods ...Method) *Group { return &Group{ methods: methods, } diff --git a/services/auth/interface.go b/services/auth/interface.go index a305bdfc226c7..e75a84677c2b1 100644 --- a/services/auth/interface.go +++ b/services/auth/interface.go @@ -18,8 +18,8 @@ type DataStore middleware.DataStore // SessionStore represents a session store type SessionStore session.Store -// Auth represents an authentication method (plugin) for HTTP requests. -type Auth interface { +// Method represents an authentication method (plugin) for HTTP requests. +type Method interface { Name() string // Init should be called exactly once before using any of the other methods, diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go index c6b98c144f0ef..e9f4c69e8886d 100644 --- a/services/auth/oauth2.go +++ b/services/auth/oauth2.go @@ -18,7 +18,7 @@ import ( // Ensure the struct implements the interface. var ( - _ Auth = &OAuth2{} + _ Method = &OAuth2{} ) // CheckOAuthAccessToken returns uid of user from oauth token diff --git a/services/auth/reverseproxy.go b/services/auth/reverseproxy.go index f958d28c9a664..90d830846e165 100644 --- a/services/auth/reverseproxy.go +++ b/services/auth/reverseproxy.go @@ -19,7 +19,7 @@ import ( // Ensure the struct implements the interface. var ( - _ Auth = &ReverseProxy{} + _ Method = &ReverseProxy{} ) // ReverseProxy implements the Auth interface, but actually relies on diff --git a/services/auth/session.go b/services/auth/session.go index 9f08f43363009..c3fcbc2bda67c 100644 --- a/services/auth/session.go +++ b/services/auth/session.go @@ -13,7 +13,7 @@ import ( // Ensure the struct implements the interface. var ( - _ Auth = &Session{} + _ Method = &Session{} ) // Session checks if there is a user uid stored in the session and returns the user diff --git a/services/auth/sspi_windows.go b/services/auth/sspi_windows.go index d1289a76174b2..01243123081a5 100644 --- a/services/auth/sspi_windows.go +++ b/services/auth/sspi_windows.go @@ -32,7 +32,7 @@ var ( sspiAuth *websspi.Authenticator // Ensure the struct implements the interface. - _ Auth = &SSPI{} + _ Method = &SSPI{} ) // SSPI implements the SingleSignOn interface and authenticates requests From dcddf7dae31abc4e66d1808d6814947384d6f84c Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Fri, 18 Jun 2021 21:47:12 +0100 Subject: [PATCH 02/44] Move UserSignIn and ExternalLogin in to services Signed-off-by: Andrew Thornton --- models/login_source.go | 127 +++----------------------------------- services/auth/basic.go | 2 +- services/auth/signin.go | 133 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 141 insertions(+), 121 deletions(-) create mode 100644 services/auth/signin.go diff --git a/models/login_source.go b/models/login_source.go index 098b48a8cd5f4..42bc0f72b194c 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -376,6 +376,13 @@ func LoginSourcesByType(loginType LoginType) ([]*LoginSource, error) { // ActiveLoginSources returns all active sources of the specified type func ActiveLoginSources(loginType LoginType) ([]*LoginSource, error) { sources := make([]*LoginSource, 0, 1) + if loginType < 0 { + if err := x.Where("is_actived = ?", true).Find(&sources); err != nil { + return nil, err + } + return sources, nil + } + if err := x.Where("is_actived = ? and type = ?", true, loginType).Find(&sources); err != nil { return nil, err } @@ -741,123 +748,3 @@ func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMCon } return user, CreateUser(user) } - -// ExternalUserLogin attempts a login using external source types. -func ExternalUserLogin(user *User, login, password string, source *LoginSource) (*User, error) { - if !source.IsActived { - return nil, ErrLoginSourceNotActived - } - - var err error - switch source.Type { - case LoginLDAP, LoginDLDAP: - user, err = LoginViaLDAP(user, login, password, source) - case LoginSMTP: - user, err = LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig)) - case LoginPAM: - user, err = LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig)) - default: - return nil, ErrUnsupportedLoginType - } - - if err != nil { - return nil, err - } - - // WARN: DON'T check user.IsActive, that will be checked on reqSign so that - // user could be hint to resend confirm email. - if user.ProhibitLogin { - return nil, ErrUserProhibitLogin{user.ID, user.Name} - } - - return user, nil -} - -// UserSignIn validates user name and password. -func UserSignIn(username, password string) (*User, error) { - var user *User - if strings.Contains(username, "@") { - user = &User{Email: strings.ToLower(strings.TrimSpace(username))} - // check same email - cnt, err := x.Count(user) - if err != nil { - return nil, err - } - if cnt > 1 { - return nil, ErrEmailAlreadyUsed{ - Email: user.Email, - } - } - } else { - trimmedUsername := strings.TrimSpace(username) - if len(trimmedUsername) == 0 { - return nil, ErrUserNotExist{0, username, 0} - } - - user = &User{LowerName: strings.ToLower(trimmedUsername)} - } - - hasUser, err := x.Get(user) - if err != nil { - return nil, err - } - - if hasUser { - switch user.LoginType { - case LoginNoType, LoginPlain, LoginOAuth2: - if user.IsPasswordSet() && user.ValidatePassword(password) { - - // Update password hash if server password hash algorithm have changed - if user.PasswdHashAlgo != setting.PasswordHashAlgo { - if err = user.SetPassword(password); err != nil { - return nil, err - } - if err = UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil { - return nil, err - } - } - - // WARN: DON'T check user.IsActive, that will be checked on reqSign so that - // user could be hint to resend confirm email. - if user.ProhibitLogin { - return nil, ErrUserProhibitLogin{user.ID, user.Name} - } - - return user, nil - } - - return nil, ErrUserNotExist{user.ID, user.Name, 0} - - default: - var source LoginSource - hasSource, err := x.ID(user.LoginSource).Get(&source) - if err != nil { - return nil, err - } else if !hasSource { - return nil, ErrLoginSourceNotExist{user.LoginSource} - } - - return ExternalUserLogin(user, user.LoginName, password, &source) - } - } - - sources := make([]*LoginSource, 0, 5) - if err = x.Where("is_actived = ?", true).Find(&sources); err != nil { - return nil, err - } - - for _, source := range sources { - if source.IsOAuth2() || source.IsSSPI() { - // don't try to authenticate against OAuth2 and SSPI sources here - continue - } - authUser, err := ExternalUserLogin(nil, username, password, source) - if err == nil { - return authUser, nil - } - - log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err) - } - - return nil, ErrUserNotExist{user.ID, user.Name, 0} -} diff --git a/services/auth/basic.go b/services/auth/basic.go index 5516eaffc810e..f0486f905c379 100644 --- a/services/auth/basic.go +++ b/services/auth/basic.go @@ -116,7 +116,7 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore } log.Trace("Basic Authorization: Attempting SignIn for %s", uname) - u, err := models.UserSignIn(uname, passwd) + u, err := UserSignIn(uname, passwd) if err != nil { if !models.IsErrUserNotExist(err) { log.Error("UserSignIn: %v", err) diff --git a/services/auth/signin.go b/services/auth/signin.go new file mode 100644 index 0000000000000..8a0c16eddfad8 --- /dev/null +++ b/services/auth/signin.go @@ -0,0 +1,133 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package auth + +import ( + "strings" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/setting" +) + +// UserSignIn validates user name and password. +func UserSignIn(username, password string) (*models.User, error) { + var user *models.User + if strings.Contains(username, "@") { + user = &models.User{Email: strings.ToLower(strings.TrimSpace(username))} + // check same email + cnt, err := models.Count(user) + if err != nil { + return nil, err + } + if cnt > 1 { + return nil, models.ErrEmailAlreadyUsed{ + Email: user.Email, + } + } + } else { + trimmedUsername := strings.TrimSpace(username) + if len(trimmedUsername) == 0 { + return nil, models.ErrUserNotExist{Name: username} + } + + user = &models.User{LowerName: strings.ToLower(trimmedUsername)} + } + + hasUser, err := models.GetUser(user) + if err != nil { + return nil, err + } + + if hasUser { + switch user.LoginType { + case models.LoginNoType, models.LoginPlain, models.LoginOAuth2: + if user.IsPasswordSet() && user.ValidatePassword(password) { + + // Update password hash if server password hash algorithm have changed + if user.PasswdHashAlgo != setting.PasswordHashAlgo { + if err = user.SetPassword(password); err != nil { + return nil, err + } + if err = models.UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil { + return nil, err + } + } + + // WARN: DON'T check user.IsActive, that will be checked on reqSign so that + // user could be hint to resend confirm email. + if user.ProhibitLogin { + return nil, models.ErrUserProhibitLogin{ + UID: user.ID, + Name: user.Name, + } + } + + return user, nil + } + + return nil, models.ErrUserNotExist{UID: user.ID, Name: user.Name} + + default: + source, err := models.GetLoginSourceByID(user.LoginSource) + if err != nil { + return nil, err + } + + return ExternalUserLogin(user, user.LoginName, password, source) + } + } + + sources, err := models.ActiveLoginSources(-1) + if err != nil { + return nil, err + } + + for _, source := range sources { + if source.IsOAuth2() || source.IsSSPI() { + // don't try to authenticate against OAuth2 and SSPI sources here + continue + } + authUser, err := ExternalUserLogin(nil, username, password, source) + if err == nil { + return authUser, nil + } + + log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err) + } + + return nil, models.ErrUserNotExist{UID: user.ID, Name: user.Name} +} + +// ExternalUserLogin attempts a login using external source types. +func ExternalUserLogin(user *models.User, login, password string, source *models.LoginSource) (*models.User, error) { + if !source.IsActived { + return nil, models.ErrLoginSourceNotActived + } + + var err error + switch source.Type { + case models.LoginLDAP, models.LoginDLDAP: + user, err = models.LoginViaLDAP(user, login, password, source) + case models.LoginSMTP: + user, err = models.LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*models.SMTPConfig)) + case models.LoginPAM: + user, err = models.LoginViaPAM(user, login, password, source.ID, source.Cfg.(*models.PAMConfig)) + default: + return nil, models.ErrUnsupportedLoginType + } + + if err != nil { + return nil, err + } + + // WARN: DON'T check user.IsActive, that will be checked on reqSign so that + // user could be hint to resend confirm email. + if user.ProhibitLogin { + return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name} + } + + return user, nil +} From 331797e081300bb45dd4fc3321d61112b248df8f Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Fri, 18 Jun 2021 23:04:32 +0100 Subject: [PATCH 03/44] Move Login functions out of models Signed-off-by: Andrew Thornton --- models/login_source.go | 275 +--------------------------- models/user.go | 16 +- models/user_test.go | 2 +- routers/web/admin/auths.go | 9 +- routers/web/user/auth.go | 5 +- routers/web/user/auth_openid.go | 3 +- routers/web/user/setting/account.go | 3 +- services/auth/ldap/login.go | 100 ++++++++++ services/auth/pam/login.go | 69 +++++++ services/auth/signin.go | 9 +- services/auth/smtp/auth.go | 81 ++++++++ services/auth/smtp/login.go | 78 ++++++++ 12 files changed, 357 insertions(+), 293 deletions(-) create mode 100644 services/auth/ldap/login.go create mode 100644 services/auth/pam/login.go create mode 100644 services/auth/smtp/auth.go create mode 100644 services/auth/smtp/login.go diff --git a/models/login_source.go b/models/login_source.go index 42bc0f72b194c..ab319f334c7f7 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -6,23 +6,15 @@ package models import ( - "crypto/tls" - "errors" "fmt" - "net/smtp" - "net/textproto" "strconv" - "strings" "code.gitea.io/gitea/modules/auth/ldap" "code.gitea.io/gitea/modules/auth/oauth2" - "code.gitea.io/gitea/modules/auth/pam" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" - "code.gitea.io/gitea/modules/util" - gouuid "github.com/google/uuid" jsoniter "github.com/json-iterator/go" "xorm.io/xorm" @@ -472,14 +464,8 @@ func CountLoginSources() int64 { return count } -// .____ ________ _____ __________ -// | | \______ \ / _ \\______ \ -// | | | | \ / /_\ \| ___/ -// | |___ | ` \/ | \ | -// |_______ \/_______ /\____|__ /____| -// \/ \/ \/ - -func composeFullName(firstname, surname, username string) string { +// ComposeFullName composes a firstname surname or username +func ComposeFullName(firstname, surname, username string) string { switch { case len(firstname) == 0 && len(surname) == 0: return username @@ -491,260 +477,3 @@ func composeFullName(firstname, surname, username string) string { return firstname + " " + surname } } - -// LoginViaLDAP queries if login/password is valid against the LDAP directory pool, -// and create a local user if success when enabled. -func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*User, error) { - sr := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LoginDLDAP) - if sr == nil { - // User not in LDAP, do nothing - return nil, ErrUserNotExist{0, login, 0} - } - - isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.LDAP().AttributeSSHPublicKey)) > 0 - - // Update User admin flag if exist - if isExist, err := IsUserExist(0, sr.Username); err != nil { - return nil, err - } else if isExist { - if user == nil { - user, err = GetUserByName(sr.Username) - if err != nil { - return nil, err - } - } - if user != nil && !user.ProhibitLogin { - cols := make([]string, 0) - if len(source.LDAP().AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin { - // Change existing admin flag only if AdminFilter option is set - user.IsAdmin = sr.IsAdmin - cols = append(cols, "is_admin") - } - if !user.IsAdmin && len(source.LDAP().RestrictedFilter) > 0 && user.IsRestricted != sr.IsRestricted { - // Change existing restricted flag only if RestrictedFilter option is set - user.IsRestricted = sr.IsRestricted - cols = append(cols, "is_restricted") - } - if len(cols) > 0 { - err = UpdateUserCols(user, cols...) - if err != nil { - return nil, err - } - } - } - } - - if user != nil { - if isAttributeSSHPublicKeySet && synchronizeLdapSSHPublicKeys(user, source, sr.SSHPublicKey) { - return user, RewriteAllPublicKeys() - } - - return user, nil - } - - // Fallback. - if len(sr.Username) == 0 { - sr.Username = login - } - - if len(sr.Mail) == 0 { - sr.Mail = fmt.Sprintf("%s@localhost", sr.Username) - } - - user = &User{ - LowerName: strings.ToLower(sr.Username), - Name: sr.Username, - FullName: composeFullName(sr.Name, sr.Surname, sr.Username), - Email: sr.Mail, - LoginType: source.Type, - LoginSource: source.ID, - LoginName: login, - IsActive: true, - IsAdmin: sr.IsAdmin, - IsRestricted: sr.IsRestricted, - } - - err := CreateUser(user) - - if err == nil && isAttributeSSHPublicKeySet && addLdapSSHPublicKeys(user, source, sr.SSHPublicKey) { - err = RewriteAllPublicKeys() - } - - return user, err -} - -// _________ __________________________ -// / _____/ / \__ ___/\______ \ -// \_____ \ / \ / \| | | ___/ -// / \/ Y \ | | | -// /_______ /\____|__ /____| |____| -// \/ \/ - -type smtpLoginAuth struct { - username, password string -} - -func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) { - return "LOGIN", []byte(auth.username), nil -} - -func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) { - if more { - switch string(fromServer) { - case "Username:": - return []byte(auth.username), nil - case "Password:": - return []byte(auth.password), nil - } - } - return nil, nil -} - -// SMTP authentication type names. -const ( - SMTPPlain = "PLAIN" - SMTPLogin = "LOGIN" -) - -// SMTPAuths contains available SMTP authentication type names. -var SMTPAuths = []string{SMTPPlain, SMTPLogin} - -// SMTPAuth performs an SMTP authentication. -func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error { - c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)) - if err != nil { - return err - } - defer c.Close() - - if err = c.Hello("gogs"); err != nil { - return err - } - - if cfg.TLS { - if ok, _ := c.Extension("STARTTLS"); ok { - if err = c.StartTLS(&tls.Config{ - InsecureSkipVerify: cfg.SkipVerify, - ServerName: cfg.Host, - }); err != nil { - return err - } - } else { - return errors.New("SMTP server unsupports TLS") - } - } - - if ok, _ := c.Extension("AUTH"); ok { - return c.Auth(a) - } - return ErrUnsupportedLoginType -} - -// LoginViaSMTP queries if login/password is valid against the SMTP, -// and create a local user if success when enabled. -func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig) (*User, error) { - // Verify allowed domains. - if len(cfg.AllowedDomains) > 0 { - idx := strings.Index(login, "@") - if idx == -1 { - return nil, ErrUserNotExist{0, login, 0} - } else if !util.IsStringInSlice(login[idx+1:], strings.Split(cfg.AllowedDomains, ","), true) { - return nil, ErrUserNotExist{0, login, 0} - } - } - - var auth smtp.Auth - if cfg.Auth == SMTPPlain { - auth = smtp.PlainAuth("", login, password, cfg.Host) - } else if cfg.Auth == SMTPLogin { - auth = &smtpLoginAuth{login, password} - } else { - return nil, errors.New("Unsupported SMTP auth type") - } - - if err := SMTPAuth(auth, cfg); err != nil { - // Check standard error format first, - // then fallback to worse case. - tperr, ok := err.(*textproto.Error) - if (ok && tperr.Code == 535) || - strings.Contains(err.Error(), "Username and Password not accepted") { - return nil, ErrUserNotExist{0, login, 0} - } - return nil, err - } - - if user != nil { - return user, nil - } - - username := login - idx := strings.Index(login, "@") - if idx > -1 { - username = login[:idx] - } - - user = &User{ - LowerName: strings.ToLower(username), - Name: strings.ToLower(username), - Email: login, - Passwd: password, - LoginType: LoginSMTP, - LoginSource: sourceID, - LoginName: login, - IsActive: true, - } - return user, CreateUser(user) -} - -// __________ _____ _____ -// \______ \/ _ \ / \ -// | ___/ /_\ \ / \ / \ -// | | / | \/ Y \ -// |____| \____|__ /\____|__ / -// \/ \/ - -// LoginViaPAM queries if login/password is valid against the PAM, -// and create a local user if success when enabled. -func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig) (*User, error) { - pamLogin, err := pam.Auth(cfg.ServiceName, login, password) - if err != nil { - if strings.Contains(err.Error(), "Authentication failure") { - return nil, ErrUserNotExist{0, login, 0} - } - return nil, err - } - - if user != nil { - return user, nil - } - - // Allow PAM sources with `@` in their name, like from Active Directory - username := pamLogin - email := pamLogin - idx := strings.Index(pamLogin, "@") - if idx > -1 { - username = pamLogin[:idx] - } - if ValidateEmail(email) != nil { - if cfg.EmailDomain != "" { - email = fmt.Sprintf("%s@%s", username, cfg.EmailDomain) - } else { - email = fmt.Sprintf("%s@%s", username, setting.Service.NoReplyAddress) - } - if ValidateEmail(email) != nil { - email = gouuid.New().String() + "@localhost" - } - } - - user = &User{ - LowerName: strings.ToLower(username), - Name: username, - Email: email, - Passwd: password, - LoginType: LoginPAM, - LoginSource: sourceID, - LoginName: login, // This is what the user typed in - IsActive: true, - } - return user, CreateUser(user) -} diff --git a/models/user.go b/models/user.go index 5998341422197..9be5324d3042a 100644 --- a/models/user.go +++ b/models/user.go @@ -1658,8 +1658,8 @@ func deleteKeysMarkedForDeletion(keys []string) (bool, error) { return sshKeysNeedUpdate, nil } -// addLdapSSHPublicKeys add a users public keys. Returns true if there are changes. -func addLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) bool { +// AddLdapSSHPublicKeys add a users public keys. Returns true if there are changes. +func AddLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) bool { var sshKeysNeedUpdate bool for _, sshKey := range sshPublicKeys { var err error @@ -1696,8 +1696,8 @@ func addLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) boo return sshKeysNeedUpdate } -// synchronizeLdapSSHPublicKeys updates a users public keys. Returns true if there are changes. -func synchronizeLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) bool { +// SynchronizeLdapSSHPublicKeys updates a users public keys. Returns true if there are changes. +func SynchronizeLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) bool { var sshKeysNeedUpdate bool log.Trace("synchronizeLdapSSHPublicKeys[%s]: Handling LDAP Public SSH Key synchronization for user %s", s.Name, usr.Name) @@ -1739,7 +1739,7 @@ func synchronizeLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []str newLdapSSHKeys = append(newLdapSSHKeys, LDAPPublicSSHKey) } } - if addLdapSSHPublicKeys(usr, s, newLdapSSHKeys) { + if AddLdapSSHPublicKeys(usr, s, newLdapSSHKeys) { sshKeysNeedUpdate = true } @@ -1854,7 +1854,7 @@ func SyncExternalUsers(ctx context.Context, updateExisting bool) error { } } - fullName := composeFullName(su.Name, su.Surname, su.Username) + fullName := ComposeFullName(su.Name, su.Surname, su.Username) // If no existing user found, create one if usr == nil { log.Trace("SyncExternalUsers[%s]: Creating user %s", s.Name, su.Username) @@ -1878,7 +1878,7 @@ func SyncExternalUsers(ctx context.Context, updateExisting bool) error { log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", s.Name, su.Username, err) } else if isAttributeSSHPublicKeySet { log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", s.Name, usr.Name) - if addLdapSSHPublicKeys(usr, s, su.SSHPublicKey) { + if AddLdapSSHPublicKeys(usr, s, su.SSHPublicKey) { sshKeysNeedUpdate = true } } @@ -1886,7 +1886,7 @@ func SyncExternalUsers(ctx context.Context, updateExisting bool) error { existingUsers = append(existingUsers, usr.ID) // Synchronize SSH Public Key if that attribute is set - if isAttributeSSHPublicKeySet && synchronizeLdapSSHPublicKeys(usr, s, su.SSHPublicKey) { + if isAttributeSSHPublicKeySet && SynchronizeLdapSSHPublicKeys(usr, s, su.SSHPublicKey) { sshKeysNeedUpdate = true } diff --git a/models/user_test.go b/models/user_test.go index 39a1b3c989c05..8d95233c2e63f 100644 --- a/models/user_test.go +++ b/models/user_test.go @@ -451,7 +451,7 @@ ssh-dss AAAAB3NzaC1kc3MAAACBAOChCC7lf6Uo9n7BmZ6M8St19PZf4Tn59NriyboW2x/DZuYAz3ib for i, kase := range testCases { s.ID = int64(i) + 20 - addLdapSSHPublicKeys(user, s, []string{kase.keyString}) + AddLdapSSHPublicKeys(user, s, []string{kase.keyString}) keys, err := ListPublicLdapSSHKeys(user.ID, s.ID) assert.NoError(t, err) if err != nil { diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go index a2f9ab0a5c326..7e316a96a7d79 100644 --- a/routers/web/admin/auths.go +++ b/routers/web/admin/auths.go @@ -20,6 +20,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/web" + "code.gitea.io/gitea/services/auth/smtp" "code.gitea.io/gitea/services/forms" "xorm.io/xorm/convert" @@ -94,7 +95,7 @@ func NewAuthSource(ctx *context.Context) { ctx.Data["is_sync_enabled"] = true ctx.Data["AuthSources"] = authSources ctx.Data["SecurityProtocols"] = securityProtocols - ctx.Data["SMTPAuths"] = models.SMTPAuths + ctx.Data["SMTPAuths"] = smtp.Authenticators ctx.Data["OAuth2Providers"] = models.OAuth2Providers ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings @@ -218,7 +219,7 @@ func NewAuthSourcePost(ctx *context.Context) { ctx.Data["CurrentSecurityProtocol"] = models.SecurityProtocolNames[ldap.SecurityProtocol(form.SecurityProtocol)] ctx.Data["AuthSources"] = authSources ctx.Data["SecurityProtocols"] = securityProtocols - ctx.Data["SMTPAuths"] = models.SMTPAuths + ctx.Data["SMTPAuths"] = smtp.Authenticators ctx.Data["OAuth2Providers"] = models.OAuth2Providers ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings @@ -297,7 +298,7 @@ func EditAuthSource(ctx *context.Context) { ctx.Data["PageIsAdminAuthentications"] = true ctx.Data["SecurityProtocols"] = securityProtocols - ctx.Data["SMTPAuths"] = models.SMTPAuths + ctx.Data["SMTPAuths"] = smtp.Authenticators ctx.Data["OAuth2Providers"] = models.OAuth2Providers ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings @@ -322,7 +323,7 @@ func EditAuthSourcePost(ctx *context.Context) { ctx.Data["PageIsAdmin"] = true ctx.Data["PageIsAdminAuthentications"] = true - ctx.Data["SMTPAuths"] = models.SMTPAuths + ctx.Data["SMTPAuths"] = smtp.Authenticators ctx.Data["OAuth2Providers"] = models.OAuth2Providers ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go index 827b7cdef0651..9309a111cd463 100644 --- a/routers/web/user/auth.go +++ b/routers/web/user/auth.go @@ -27,6 +27,7 @@ import ( "code.gitea.io/gitea/modules/web" "code.gitea.io/gitea/modules/web/middleware" "code.gitea.io/gitea/routers/utils" + "code.gitea.io/gitea/services/auth" "code.gitea.io/gitea/services/externalaccount" "code.gitea.io/gitea/services/forms" "code.gitea.io/gitea/services/mailer" @@ -174,7 +175,7 @@ func SignInPost(ctx *context.Context) { } form := web.GetForm(ctx).(*forms.SignInForm) - u, err := models.UserSignIn(form.UserName, form.Password) + u, err := auth.UserSignIn(form.UserName, form.Password) if err != nil { if models.IsErrUserNotExist(err) { ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form) @@ -901,7 +902,7 @@ func LinkAccountPostSignIn(ctx *context.Context) { return } - u, err := models.UserSignIn(signInForm.UserName, signInForm.Password) + u, err := auth.UserSignIn(signInForm.UserName, signInForm.Password) if err != nil { if models.IsErrUserNotExist(err) { ctx.Data["user_exists"] = true diff --git a/routers/web/user/auth_openid.go b/routers/web/user/auth_openid.go index 1a73a08c4862d..3e3da71ac538b 100644 --- a/routers/web/user/auth_openid.go +++ b/routers/web/user/auth_openid.go @@ -20,6 +20,7 @@ import ( "code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/web" "code.gitea.io/gitea/modules/web/middleware" + "code.gitea.io/gitea/services/auth" "code.gitea.io/gitea/services/forms" ) @@ -290,7 +291,7 @@ func ConnectOpenIDPost(ctx *context.Context) { ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp ctx.Data["OpenID"] = oid - u, err := models.UserSignIn(form.UserName, form.Password) + u, err := auth.UserSignIn(form.UserName, form.Password) if err != nil { if models.IsErrUserNotExist(err) { ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form) diff --git a/routers/web/user/setting/account.go b/routers/web/user/setting/account.go index 48ab37d9369e6..66688dbc730e6 100644 --- a/routers/web/user/setting/account.go +++ b/routers/web/user/setting/account.go @@ -18,6 +18,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/web" + "code.gitea.io/gitea/services/auth" "code.gitea.io/gitea/services/forms" "code.gitea.io/gitea/services/mailer" ) @@ -227,7 +228,7 @@ func DeleteAccount(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("settings") ctx.Data["PageIsSettingsAccount"] = true - if _, err := models.UserSignIn(ctx.User.Name, ctx.Query("password")); err != nil { + if _, err := auth.UserSignIn(ctx.User.Name, ctx.Query("password")); err != nil { if models.IsErrUserNotExist(err) { loadAccountData(ctx) diff --git a/services/auth/ldap/login.go b/services/auth/ldap/login.go new file mode 100644 index 0000000000000..78c2ec18a2356 --- /dev/null +++ b/services/auth/ldap/login.go @@ -0,0 +1,100 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package ldap + +import ( + "fmt" + "strings" + + "code.gitea.io/gitea/models" +) + +// .____ ________ _____ __________ +// | | \______ \ / _ \\______ \ +// | | | | \ / /_\ \| ___/ +// | |___ | ` \/ | \ | +// |_______ \/_______ /\____|__ /____| +// \/ \/ \/ + +// Login queries if login/password is valid against the LDAP directory pool, +// and create a local user if success when enabled. +func Login(user *models.User, login, password string, source *models.LoginSource) (*models.User, error) { + sr := source.Cfg.(*models.LDAPConfig).SearchEntry(login, password, source.Type == models.LoginDLDAP) + if sr == nil { + // User not in LDAP, do nothing + return nil, models.ErrUserNotExist{Name: login} + } + + isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.LDAP().AttributeSSHPublicKey)) > 0 + + // Update User admin flag if exist + if isExist, err := models.IsUserExist(0, sr.Username); err != nil { + return nil, err + } else if isExist { + if user == nil { + user, err = models.GetUserByName(sr.Username) + if err != nil { + return nil, err + } + } + if user != nil && !user.ProhibitLogin { + cols := make([]string, 0) + if len(source.LDAP().AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin { + // Change existing admin flag only if AdminFilter option is set + user.IsAdmin = sr.IsAdmin + cols = append(cols, "is_admin") + } + if !user.IsAdmin && len(source.LDAP().RestrictedFilter) > 0 && user.IsRestricted != sr.IsRestricted { + // Change existing restricted flag only if RestrictedFilter option is set + user.IsRestricted = sr.IsRestricted + cols = append(cols, "is_restricted") + } + if len(cols) > 0 { + err = models.UpdateUserCols(user, cols...) + if err != nil { + return nil, err + } + } + } + } + + if user != nil { + if isAttributeSSHPublicKeySet && models.SynchronizeLdapSSHPublicKeys(user, source, sr.SSHPublicKey) { + return user, models.RewriteAllPublicKeys() + } + + return user, nil + } + + // Fallback. + if len(sr.Username) == 0 { + sr.Username = login + } + + if len(sr.Mail) == 0 { + sr.Mail = fmt.Sprintf("%s@localhost", sr.Username) + } + + user = &models.User{ + LowerName: strings.ToLower(sr.Username), + Name: sr.Username, + FullName: models.ComposeFullName(sr.Name, sr.Surname, sr.Username), + Email: sr.Mail, + LoginType: source.Type, + LoginSource: source.ID, + LoginName: login, + IsActive: true, + IsAdmin: sr.IsAdmin, + IsRestricted: sr.IsRestricted, + } + + err := models.CreateUser(user) + + if err == nil && isAttributeSSHPublicKeySet && models.AddLdapSSHPublicKeys(user, source, sr.SSHPublicKey) { + err = models.RewriteAllPublicKeys() + } + + return user, err +} diff --git a/services/auth/pam/login.go b/services/auth/pam/login.go new file mode 100644 index 0000000000000..601a724be9565 --- /dev/null +++ b/services/auth/pam/login.go @@ -0,0 +1,69 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package pam + +import ( + "fmt" + "strings" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/auth/pam" + "code.gitea.io/gitea/modules/setting" + + "github.com/google/uuid" +) + +// __________ _____ _____ +// \______ \/ _ \ / \ +// | ___/ /_\ \ / \ / \ +// | | / | \/ Y \ +// |____| \____|__ /\____|__ / +// \/ \/ + +// Login queries if login/password is valid against the PAM, +// and create a local user if success when enabled. +func Login(user *models.User, login, password string, sourceID int64, cfg *models.PAMConfig) (*models.User, error) { + pamLogin, err := pam.Auth(cfg.ServiceName, login, password) + if err != nil { + if strings.Contains(err.Error(), "Authentication failure") { + return nil, models.ErrUserNotExist{Name: login} + } + return nil, err + } + + if user != nil { + return user, nil + } + + // Allow PAM sources with `@` in their name, like from Active Directory + username := pamLogin + email := pamLogin + idx := strings.Index(pamLogin, "@") + if idx > -1 { + username = pamLogin[:idx] + } + if models.ValidateEmail(email) != nil { + if cfg.EmailDomain != "" { + email = fmt.Sprintf("%s@%s", username, cfg.EmailDomain) + } else { + email = fmt.Sprintf("%s@%s", username, setting.Service.NoReplyAddress) + } + if models.ValidateEmail(email) != nil { + email = uuid.New().String() + "@localhost" + } + } + + user = &models.User{ + LowerName: strings.ToLower(username), + Name: username, + Email: email, + Passwd: password, + LoginType: models.LoginPAM, + LoginSource: sourceID, + LoginName: login, // This is what the user typed in + IsActive: true, + } + return user, models.CreateUser(user) +} diff --git a/services/auth/signin.go b/services/auth/signin.go index 8a0c16eddfad8..04abed4b8b568 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -10,6 +10,9 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/services/auth/ldap" + "code.gitea.io/gitea/services/auth/pam" + "code.gitea.io/gitea/services/auth/smtp" ) // UserSignIn validates user name and password. @@ -110,11 +113,11 @@ func ExternalUserLogin(user *models.User, login, password string, source *models var err error switch source.Type { case models.LoginLDAP, models.LoginDLDAP: - user, err = models.LoginViaLDAP(user, login, password, source) + user, err = ldap.Login(user, login, password, source) case models.LoginSMTP: - user, err = models.LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*models.SMTPConfig)) + user, err = smtp.Login(user, login, password, source.ID, source.Cfg.(*models.SMTPConfig)) case models.LoginPAM: - user, err = models.LoginViaPAM(user, login, password, source.ID, source.Cfg.(*models.PAMConfig)) + user, err = pam.Login(user, login, password, source.ID, source.Cfg.(*models.PAMConfig)) default: return nil, models.ErrUnsupportedLoginType } diff --git a/services/auth/smtp/auth.go b/services/auth/smtp/auth.go new file mode 100644 index 0000000000000..a4a7c8ed38a08 --- /dev/null +++ b/services/auth/smtp/auth.go @@ -0,0 +1,81 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package smtp + +import ( + "crypto/tls" + "errors" + "fmt" + "net/smtp" + + "code.gitea.io/gitea/models" +) + +// _________ __________________________ +// / _____/ / \__ ___/\______ \ +// \_____ \ / \ / \| | | ___/ +// / \/ Y \ | | | +// /_______ /\____|__ /____| |____| +// \/ \/ + +type loginAuthenticator struct { + username, password string +} + +func (auth *loginAuthenticator) Start(server *smtp.ServerInfo) (string, []byte, error) { + return "LOGIN", []byte(auth.username), nil +} + +func (auth *loginAuthenticator) Next(fromServer []byte, more bool) ([]byte, error) { + if more { + switch string(fromServer) { + case "Username:": + return []byte(auth.username), nil + case "Password:": + return []byte(auth.password), nil + } + } + return nil, nil +} + +// SMTP authentication type names. +const ( + PlainAuthentication = "PLAIN" + LoginAuthentication = "LOGIN" +) + +// Authenticators contains available SMTP authentication type names. +var Authenticators = []string{PlainAuthentication, LoginAuthentication} + +// Authenticate performs an SMTP authentication. +func Authenticate(a smtp.Auth, cfg *models.SMTPConfig) error { + c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)) + if err != nil { + return err + } + defer c.Close() + + if err = c.Hello("gogs"); err != nil { + return err + } + + if cfg.TLS { + if ok, _ := c.Extension("STARTTLS"); ok { + if err = c.StartTLS(&tls.Config{ + InsecureSkipVerify: cfg.SkipVerify, + ServerName: cfg.Host, + }); err != nil { + return err + } + } else { + return errors.New("SMTP server unsupports TLS") + } + } + + if ok, _ := c.Extension("AUTH"); ok { + return c.Auth(a) + } + return models.ErrUnsupportedLoginType +} diff --git a/services/auth/smtp/login.go b/services/auth/smtp/login.go new file mode 100644 index 0000000000000..3248913deb90d --- /dev/null +++ b/services/auth/smtp/login.go @@ -0,0 +1,78 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package smtp + +import ( + "errors" + "net/smtp" + "net/textproto" + "strings" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/util" +) + +// _________ __________________________ +// / _____/ / \__ ___/\______ \ +// \_____ \ / \ / \| | | ___/ +// / \/ Y \ | | | +// /_______ /\____|__ /____| |____| +// \/ \/ + +// Login queries if login/password is valid against the SMTP, +// and create a local user if success when enabled. +func Login(user *models.User, login, password string, sourceID int64, cfg *models.SMTPConfig) (*models.User, error) { + // Verify allowed domains. + if len(cfg.AllowedDomains) > 0 { + idx := strings.Index(login, "@") + if idx == -1 { + return nil, models.ErrUserNotExist{Name: login} + } else if !util.IsStringInSlice(login[idx+1:], strings.Split(cfg.AllowedDomains, ","), true) { + return nil, models.ErrUserNotExist{Name: login} + } + } + + var auth smtp.Auth + if cfg.Auth == PlainAuthentication { + auth = smtp.PlainAuth("", login, password, cfg.Host) + } else if cfg.Auth == LoginAuthentication { + auth = &loginAuthenticator{login, password} + } else { + return nil, errors.New("Unsupported SMTP auth type") + } + + if err := Authenticate(auth, cfg); err != nil { + // Check standard error format first, + // then fallback to worse case. + tperr, ok := err.(*textproto.Error) + if (ok && tperr.Code == 535) || + strings.Contains(err.Error(), "Username and Password not accepted") { + return nil, models.ErrUserNotExist{Name: login} + } + return nil, err + } + + if user != nil { + return user, nil + } + + username := login + idx := strings.Index(login, "@") + if idx > -1 { + username = login[:idx] + } + + user = &models.User{ + LowerName: strings.ToLower(username), + Name: strings.ToLower(username), + Email: login, + Passwd: password, + LoginType: models.LoginSMTP, + LoginSource: sourceID, + LoginName: login, + IsActive: true, + } + return user, models.CreateUser(user) +} From d1d9e44974c6f0d91444db7af94220c21541e670 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 19 Jun 2021 08:22:41 +0100 Subject: [PATCH 04/44] actually lets make these sources Signed-off-by: Andrew Thornton --- services/auth/signin.go | 6 +++--- services/auth/{ => source}/ldap/login.go | 0 services/auth/{ => source}/pam/login.go | 0 services/auth/{ => source}/smtp/auth.go | 0 services/auth/{ => source}/smtp/login.go | 0 5 files changed, 3 insertions(+), 3 deletions(-) rename services/auth/{ => source}/ldap/login.go (100%) rename services/auth/{ => source}/pam/login.go (100%) rename services/auth/{ => source}/smtp/auth.go (100%) rename services/auth/{ => source}/smtp/login.go (100%) diff --git a/services/auth/signin.go b/services/auth/signin.go index 04abed4b8b568..b49761e3a60aa 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -10,9 +10,9 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" - "code.gitea.io/gitea/services/auth/ldap" - "code.gitea.io/gitea/services/auth/pam" - "code.gitea.io/gitea/services/auth/smtp" + "code.gitea.io/gitea/services/auth/source/ldap" + "code.gitea.io/gitea/services/auth/source/pam" + "code.gitea.io/gitea/services/auth/source/smtp" ) // UserSignIn validates user name and password. diff --git a/services/auth/ldap/login.go b/services/auth/source/ldap/login.go similarity index 100% rename from services/auth/ldap/login.go rename to services/auth/source/ldap/login.go diff --git a/services/auth/pam/login.go b/services/auth/source/pam/login.go similarity index 100% rename from services/auth/pam/login.go rename to services/auth/source/pam/login.go diff --git a/services/auth/smtp/auth.go b/services/auth/source/smtp/auth.go similarity index 100% rename from services/auth/smtp/auth.go rename to services/auth/source/smtp/auth.go diff --git a/services/auth/smtp/login.go b/services/auth/source/smtp/login.go similarity index 100% rename from services/auth/smtp/login.go rename to services/auth/source/smtp/login.go From d98bbbcd8531f42c6c109ca02abb0bb018aa2568 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 19 Jun 2021 13:04:31 +0100 Subject: [PATCH 05/44] Move SyncExternal to services/auth Signed-off-by: Andrew Thornton --- integrations/auth_ldap_test.go | 6 +- models/login_source.go | 14 -- models/ssh_key.go | 4 +- models/user.go | 263 ++++------------------------- models/user_test.go | 4 +- modules/cron/tasks_basic.go | 3 +- routers/web/admin/auths.go | 2 +- services/auth/source/ldap/login.go | 6 +- services/auth/source/ldap/sync.go | 190 +++++++++++++++++++++ services/auth/source/ldap/util.go | 19 +++ services/auth/sync.go | 44 +++++ 11 files changed, 303 insertions(+), 252 deletions(-) create mode 100644 services/auth/source/ldap/sync.go create mode 100644 services/auth/source/ldap/util.go create mode 100644 services/auth/sync.go diff --git a/integrations/auth_ldap_test.go b/integrations/auth_ldap_test.go index 4d82c092e7280..e714dbd1326c9 100644 --- a/integrations/auth_ldap_test.go +++ b/integrations/auth_ldap_test.go @@ -11,7 +11,7 @@ import ( "strings" "testing" - "code.gitea.io/gitea/models" + "code.gitea.io/gitea/services/auth" "github.com/stretchr/testify/assert" "github.com/unknwon/i18n" @@ -151,7 +151,7 @@ func TestLDAPUserSync(t *testing.T) { } defer prepareTestEnv(t)() addAuthSourceLDAP(t, "") - models.SyncExternalUsers(context.Background(), true) + auth.SyncExternalUsers(context.Background(), true) session := loginUser(t, "user1") // Check if users exists @@ -216,7 +216,7 @@ func TestLDAPUserSSHKeySync(t *testing.T) { defer prepareTestEnv(t)() addAuthSourceLDAP(t, "sshPublicKey") - models.SyncExternalUsers(context.Background(), true) + auth.SyncExternalUsers(context.Background(), true) // Check if users has SSH keys synced for _, u := range gitLDAPUsers { diff --git a/models/login_source.go b/models/login_source.go index ab319f334c7f7..0ac24d680a571 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -463,17 +463,3 @@ func CountLoginSources() int64 { count, _ := x.Count(new(LoginSource)) return count } - -// ComposeFullName composes a firstname surname or username -func ComposeFullName(firstname, surname, username string) string { - switch { - case len(firstname) == 0 && len(surname) == 0: - return username - case len(firstname) == 0: - return surname - case len(surname) == 0: - return firstname - default: - return firstname + " " + surname - } -} diff --git a/models/ssh_key.go b/models/ssh_key.go index e35fc12e080a2..a51ee2f7a4a3d 100644 --- a/models/ssh_key.go +++ b/models/ssh_key.go @@ -635,8 +635,8 @@ func ListPublicKeys(uid int64, listOptions ListOptions) ([]*PublicKey, error) { return keys, sess.Find(&keys) } -// ListPublicLdapSSHKeys returns a list of synchronized public ldap ssh keys belongs to given user and login source. -func ListPublicLdapSSHKeys(uid, loginSourceID int64) ([]*PublicKey, error) { +// ListPublicKeysBySource returns a list of synchronized public keys for a given user and login source. +func ListPublicKeysBySource(uid, loginSourceID int64) ([]*PublicKey, error) { keys := make([]*PublicKey, 0, 5) return keys, x. Where("owner_id = ? AND login_source_id = ?", uid, loginSourceID). diff --git a/models/user.go b/models/user.go index 9be5324d3042a..e5d8f5fdaba19 100644 --- a/models/user.go +++ b/models/user.go @@ -1397,6 +1397,13 @@ func GetUserIDsByNames(names []string, ignoreNonExistent bool) ([]int64, error) return ids, nil } +// GetUsersBySource returns a list of Users for a login source +func GetUsersBySource(s *LoginSource) ([]*User, error) { + var users []*User + err := x.Where("login_type = ? AND login_source = ?", s.Type, s.ID).Find(&users) + return users, err +} + // UserCommit represents a commit with validation of user. type UserCommit struct { User *User @@ -1658,8 +1665,8 @@ func deleteKeysMarkedForDeletion(keys []string) (bool, error) { return sshKeysNeedUpdate, nil } -// AddLdapSSHPublicKeys add a users public keys. Returns true if there are changes. -func AddLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) bool { +// AddPublicKeysBySource add a users public keys. Returns true if there are changes. +func AddPublicKeysBySource(usr *User, s *LoginSource, sshPublicKeys []string) bool { var sshKeysNeedUpdate bool for _, sshKey := range sshPublicKeys { var err error @@ -1680,82 +1687,82 @@ func AddLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) boo if _, err := AddPublicKey(usr.ID, sshKeyName, marshalled, s.ID); err != nil { if IsErrKeyAlreadyExist(err) { - log.Trace("addLdapSSHPublicKeys[%s]: LDAP Public SSH Key %s already exists for user", sshKeyName, usr.Name) + log.Trace("AddPublicKeysBySource[%s]: Public SSH Key %s already exists for user", sshKeyName, usr.Name) } else { - log.Error("addLdapSSHPublicKeys[%s]: Error adding LDAP Public SSH Key for user %s: %v", sshKeyName, usr.Name, err) + log.Error("AddPublicKeysBySource[%s]: Error adding Public SSH Key for user %s: %v", sshKeyName, usr.Name, err) } } else { - log.Trace("addLdapSSHPublicKeys[%s]: Added LDAP Public SSH Key for user %s", sshKeyName, usr.Name) + log.Trace("AddPublicKeysBySource[%s]: Added Public SSH Key for user %s", sshKeyName, usr.Name) sshKeysNeedUpdate = true } } if !found && err != nil { - log.Warn("addLdapSSHPublicKeys[%s]: Skipping invalid LDAP Public SSH Key for user %s: %v", s.Name, usr.Name, sshKey) + log.Warn("AddPublicKeysBySource[%s]: Skipping invalid Public SSH Key for user %s: %v", s.Name, usr.Name, sshKey) } } return sshKeysNeedUpdate } -// SynchronizeLdapSSHPublicKeys updates a users public keys. Returns true if there are changes. -func SynchronizeLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) bool { +// SynchronizePublicKeys updates a users public keys. Returns true if there are changes. +func SynchronizePublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) bool { var sshKeysNeedUpdate bool - log.Trace("synchronizeLdapSSHPublicKeys[%s]: Handling LDAP Public SSH Key synchronization for user %s", s.Name, usr.Name) + log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name) // Get Public Keys from DB with current LDAP source var giteaKeys []string - keys, err := ListPublicLdapSSHKeys(usr.ID, s.ID) + keys, err := ListPublicKeysBySource(usr.ID, s.ID) if err != nil { - log.Error("synchronizeLdapSSHPublicKeys[%s]: Error listing LDAP Public SSH Keys for user %s: %v", s.Name, usr.Name, err) + log.Error("synchronizePublicKeys[%s]: Error listing Public SSH Keys for user %s: %v", s.Name, usr.Name, err) } for _, v := range keys { giteaKeys = append(giteaKeys, v.OmitEmail()) } - // Get Public Keys from LDAP and skip duplicate keys - var ldapKeys []string + // Process the provided keys to remove duplicates and name part + var providedKeys []string for _, v := range sshPublicKeys { sshKeySplit := strings.Split(v, " ") if len(sshKeySplit) > 1 { - ldapKey := strings.Join(sshKeySplit[:2], " ") - if !util.ExistsInSlice(ldapKey, ldapKeys) { - ldapKeys = append(ldapKeys, ldapKey) + key := strings.Join(sshKeySplit[:2], " ") + if !util.ExistsInSlice(key, providedKeys) { + providedKeys = append(providedKeys, key) } } } // Check if Public Key sync is needed - if util.IsEqualSlice(giteaKeys, ldapKeys) { - log.Trace("synchronizeLdapSSHPublicKeys[%s]: LDAP Public Keys are already in sync for %s (LDAP:%v/DB:%v)", s.Name, usr.Name, len(ldapKeys), len(giteaKeys)) + if util.IsEqualSlice(giteaKeys, providedKeys) { + log.Trace("synchronizePublicKeys[%s]: Public Keys are already in sync for %s (Source:%v/DB:%v)", s.Name, usr.Name, len(providedKeys), len(giteaKeys)) return false } - log.Trace("synchronizeLdapSSHPublicKeys[%s]: LDAP Public Key needs update for user %s (LDAP:%v/DB:%v)", s.Name, usr.Name, len(ldapKeys), len(giteaKeys)) + log.Trace("synchronizePublicKeys[%s]: Public Key needs update for user %s (Source:%v/DB:%v)", s.Name, usr.Name, len(providedKeys), len(giteaKeys)) - // Add LDAP Public SSH Keys that doesn't already exist in DB - var newLdapSSHKeys []string - for _, LDAPPublicSSHKey := range ldapKeys { - if !util.ExistsInSlice(LDAPPublicSSHKey, giteaKeys) { - newLdapSSHKeys = append(newLdapSSHKeys, LDAPPublicSSHKey) + // Add new Public SSH Keys that doesn't already exist in DB + var newKeys []string + for _, key := range providedKeys { + if !util.ExistsInSlice(key, giteaKeys) { + newKeys = append(newKeys, key) } } - if AddLdapSSHPublicKeys(usr, s, newLdapSSHKeys) { + if AddPublicKeysBySource(usr, s, newKeys) { sshKeysNeedUpdate = true } - // Mark LDAP keys from DB that doesn't exist in LDAP for deletion + // Mark keys from DB that no longer exist in the source for deletion var giteaKeysToDelete []string for _, giteaKey := range giteaKeys { - if !util.ExistsInSlice(giteaKey, ldapKeys) { - log.Trace("synchronizeLdapSSHPublicKeys[%s]: Marking LDAP Public SSH Key for deletion for user %s: %v", s.Name, usr.Name, giteaKey) + if !util.ExistsInSlice(giteaKey, providedKeys) { + log.Trace("synchronizePublicKeys[%s]: Marking Public SSH Key for deletion for user %s: %v", s.Name, usr.Name, giteaKey) giteaKeysToDelete = append(giteaKeysToDelete, giteaKey) } } - // Delete LDAP keys from DB that doesn't exist in LDAP + // Delete keys from DB that no longer exist in the source needUpd, err := deleteKeysMarkedForDeletion(giteaKeysToDelete) if err != nil { - log.Error("synchronizeLdapSSHPublicKeys[%s]: Error deleting LDAP Public SSH Keys marked for deletion for user %s: %v", s.Name, usr.Name, err) + log.Error("synchronizePublicKeys[%s]: Error deleting Public Keys marked for deletion for user %s: %v", s.Name, usr.Name, err) } if needUpd { sshKeysNeedUpdate = true @@ -1764,202 +1771,6 @@ func SynchronizeLdapSSHPublicKeys(usr *User, s *LoginSource, sshPublicKeys []str return sshKeysNeedUpdate } -// SyncExternalUsers is used to synchronize users with external authorization source -func SyncExternalUsers(ctx context.Context, updateExisting bool) error { - log.Trace("Doing: SyncExternalUsers") - - ls, err := LoginSources() - if err != nil { - log.Error("SyncExternalUsers: %v", err) - return err - } - - for _, s := range ls { - if !s.IsActived || !s.IsSyncEnabled { - continue - } - select { - case <-ctx.Done(): - log.Warn("SyncExternalUsers: Cancelled before update of %s", s.Name) - return ErrCancelledf("Before update of %s", s.Name) - default: - } - - if s.IsLDAP() { - log.Trace("Doing: SyncExternalUsers[%s]", s.Name) - - var existingUsers []int64 - isAttributeSSHPublicKeySet := len(strings.TrimSpace(s.LDAP().AttributeSSHPublicKey)) > 0 - var sshKeysNeedUpdate bool - - // Find all users with this login type - var users []*User - err = x.Where("login_type = ?", LoginLDAP). - And("login_source = ?", s.ID). - Find(&users) - if err != nil { - log.Error("SyncExternalUsers: %v", err) - return err - } - select { - case <-ctx.Done(): - log.Warn("SyncExternalUsers: Cancelled before update of %s", s.Name) - return ErrCancelledf("Before update of %s", s.Name) - default: - } - - sr, err := s.LDAP().SearchEntries() - if err != nil { - log.Error("SyncExternalUsers LDAP source failure [%s], skipped", s.Name) - continue - } - - if len(sr) == 0 { - if !s.LDAP().AllowDeactivateAll { - log.Error("LDAP search found no entries but did not report an error. Refusing to deactivate all users") - continue - } else { - log.Warn("LDAP search found no entries but did not report an error. All users will be deactivated as per settings") - } - } - - for _, su := range sr { - select { - case <-ctx.Done(): - log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", s.Name) - // Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed - if sshKeysNeedUpdate { - err = RewriteAllPublicKeys() - if err != nil { - log.Error("RewriteAllPublicKeys: %v", err) - } - } - return ErrCancelledf("During update of %s before completed update of users", s.Name) - default: - } - if len(su.Username) == 0 { - continue - } - - if len(su.Mail) == 0 { - su.Mail = fmt.Sprintf("%s@localhost", su.Username) - } - - var usr *User - // Search for existing user - for _, du := range users { - if du.LowerName == strings.ToLower(su.Username) { - usr = du - break - } - } - - fullName := ComposeFullName(su.Name, su.Surname, su.Username) - // If no existing user found, create one - if usr == nil { - log.Trace("SyncExternalUsers[%s]: Creating user %s", s.Name, su.Username) - - usr = &User{ - LowerName: strings.ToLower(su.Username), - Name: su.Username, - FullName: fullName, - LoginType: s.Type, - LoginSource: s.ID, - LoginName: su.Username, - Email: su.Mail, - IsAdmin: su.IsAdmin, - IsRestricted: su.IsRestricted, - IsActive: true, - } - - err = CreateUser(usr) - - if err != nil { - log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", s.Name, su.Username, err) - } else if isAttributeSSHPublicKeySet { - log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", s.Name, usr.Name) - if AddLdapSSHPublicKeys(usr, s, su.SSHPublicKey) { - sshKeysNeedUpdate = true - } - } - } else if updateExisting { - existingUsers = append(existingUsers, usr.ID) - - // Synchronize SSH Public Key if that attribute is set - if isAttributeSSHPublicKeySet && SynchronizeLdapSSHPublicKeys(usr, s, su.SSHPublicKey) { - sshKeysNeedUpdate = true - } - - // Check if user data has changed - if (len(s.LDAP().AdminFilter) > 0 && usr.IsAdmin != su.IsAdmin) || - (len(s.LDAP().RestrictedFilter) > 0 && usr.IsRestricted != su.IsRestricted) || - !strings.EqualFold(usr.Email, su.Mail) || - usr.FullName != fullName || - !usr.IsActive { - - log.Trace("SyncExternalUsers[%s]: Updating user %s", s.Name, usr.Name) - - usr.FullName = fullName - usr.Email = su.Mail - // Change existing admin flag only if AdminFilter option is set - if len(s.LDAP().AdminFilter) > 0 { - usr.IsAdmin = su.IsAdmin - } - // Change existing restricted flag only if RestrictedFilter option is set - if !usr.IsAdmin && len(s.LDAP().RestrictedFilter) > 0 { - usr.IsRestricted = su.IsRestricted - } - usr.IsActive = true - - err = UpdateUserCols(usr, "full_name", "email", "is_admin", "is_restricted", "is_active") - if err != nil { - log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", s.Name, usr.Name, err) - } - } - } - } - - // Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed - if sshKeysNeedUpdate { - err = RewriteAllPublicKeys() - if err != nil { - log.Error("RewriteAllPublicKeys: %v", err) - } - } - - select { - case <-ctx.Done(): - log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", s.Name) - return ErrCancelledf("During update of %s before delete users", s.Name) - default: - } - - // Deactivate users not present in LDAP - if updateExisting { - for _, usr := range users { - found := false - for _, uid := range existingUsers { - if usr.ID == uid { - found = true - break - } - } - if !found { - log.Trace("SyncExternalUsers[%s]: Deactivating user %s", s.Name, usr.Name) - - usr.IsActive = false - err = UpdateUserCols(usr, "is_active") - if err != nil { - log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", s.Name, usr.Name, err) - } - } - } - } - } - } - return nil -} - // IterateUser iterate users func IterateUser(f func(user *User) error) error { var start int diff --git a/models/user_test.go b/models/user_test.go index 8d95233c2e63f..316afe37683d7 100644 --- a/models/user_test.go +++ b/models/user_test.go @@ -451,8 +451,8 @@ ssh-dss AAAAB3NzaC1kc3MAAACBAOChCC7lf6Uo9n7BmZ6M8St19PZf4Tn59NriyboW2x/DZuYAz3ib for i, kase := range testCases { s.ID = int64(i) + 20 - AddLdapSSHPublicKeys(user, s, []string{kase.keyString}) - keys, err := ListPublicLdapSSHKeys(user.ID, s.ID) + AddPublicKeysBySource(user, s, []string{kase.keyString}) + keys, err := ListPublicKeysBySource(user.ID, s.ID) assert.NoError(t, err) if err != nil { continue diff --git a/modules/cron/tasks_basic.go b/modules/cron/tasks_basic.go index 391cda0f891f5..a148ab06327d0 100644 --- a/modules/cron/tasks_basic.go +++ b/modules/cron/tasks_basic.go @@ -12,6 +12,7 @@ import ( "code.gitea.io/gitea/modules/migrations" repository_service "code.gitea.io/gitea/modules/repository" "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/services/auth" mirror_service "code.gitea.io/gitea/services/mirror" ) @@ -80,7 +81,7 @@ func registerSyncExternalUsers() { UpdateExisting: true, }, func(ctx context.Context, _ *models.User, config Config) error { realConfig := config.(*UpdateExistingConfig) - return models.SyncExternalUsers(ctx, realConfig.UpdateExisting) + return auth.SyncExternalUsers(ctx, realConfig.UpdateExisting) }) } diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go index 7e316a96a7d79..2c9f215d1d8db 100644 --- a/routers/web/admin/auths.go +++ b/routers/web/admin/auths.go @@ -20,7 +20,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/web" - "code.gitea.io/gitea/services/auth/smtp" + "code.gitea.io/gitea/services/auth/source/smtp" "code.gitea.io/gitea/services/forms" "xorm.io/xorm/convert" diff --git a/services/auth/source/ldap/login.go b/services/auth/source/ldap/login.go index 78c2ec18a2356..266e4f85cf155 100644 --- a/services/auth/source/ldap/login.go +++ b/services/auth/source/ldap/login.go @@ -61,7 +61,7 @@ func Login(user *models.User, login, password string, source *models.LoginSource } if user != nil { - if isAttributeSSHPublicKeySet && models.SynchronizeLdapSSHPublicKeys(user, source, sr.SSHPublicKey) { + if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(user, source, sr.SSHPublicKey) { return user, models.RewriteAllPublicKeys() } @@ -80,7 +80,7 @@ func Login(user *models.User, login, password string, source *models.LoginSource user = &models.User{ LowerName: strings.ToLower(sr.Username), Name: sr.Username, - FullName: models.ComposeFullName(sr.Name, sr.Surname, sr.Username), + FullName: composeFullName(sr.Name, sr.Surname, sr.Username), Email: sr.Mail, LoginType: source.Type, LoginSource: source.ID, @@ -92,7 +92,7 @@ func Login(user *models.User, login, password string, source *models.LoginSource err := models.CreateUser(user) - if err == nil && isAttributeSSHPublicKeySet && models.AddLdapSSHPublicKeys(user, source, sr.SSHPublicKey) { + if err == nil && isAttributeSSHPublicKeySet && models.AddPublicKeysBySource(user, source, sr.SSHPublicKey) { err = models.RewriteAllPublicKeys() } diff --git a/services/auth/source/ldap/sync.go b/services/auth/source/ldap/sync.go new file mode 100644 index 0000000000000..e102a8c2deb5f --- /dev/null +++ b/services/auth/source/ldap/sync.go @@ -0,0 +1,190 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package ldap + +import ( + "context" + "fmt" + "strings" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/log" +) + +// .____ ________ _____ __________ +// | | \______ \ / _ \\______ \ +// | | | | \ / /_\ \| ___/ +// | |___ | ` \/ | \ | +// |_______ \/_______ /\____|__ /____| +// \/ \/ \/ + +func Sync(ctx context.Context, updateExisting bool, s *models.LoginSource) error { + log.Trace("Doing: SyncExternalUsers[%s]", s.Name) + + var existingUsers []int64 + isAttributeSSHPublicKeySet := len(strings.TrimSpace(s.LDAP().AttributeSSHPublicKey)) > 0 + var sshKeysNeedUpdate bool + + // Find all users with this login type - FIXME: Should this be an iterator? + users, err := models.GetUsersBySource(s) + if err != nil { + log.Error("SyncExternalUsers: %v", err) + return err + } + select { + case <-ctx.Done(): + log.Warn("SyncExternalUsers: Cancelled before update of %s", s.Name) + return models.ErrCancelledf("Before update of %s", s.Name) + default: + } + + sr, err := s.LDAP().SearchEntries() + if err != nil { + log.Error("SyncExternalUsers LDAP source failure [%s], skipped", s.Name) + return nil + } + + if len(sr) == 0 { + if !s.LDAP().AllowDeactivateAll { + log.Error("LDAP search found no entries but did not report an error. Refusing to deactivate all users") + return nil + } + log.Warn("LDAP search found no entries but did not report an error. All users will be deactivated as per settings") + } + + for _, su := range sr { + select { + case <-ctx.Done(): + log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", s.Name) + // Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed + if sshKeysNeedUpdate { + err = models.RewriteAllPublicKeys() + if err != nil { + log.Error("RewriteAllPublicKeys: %v", err) + } + } + return models.ErrCancelledf("During update of %s before completed update of users", s.Name) + default: + } + if len(su.Username) == 0 { + continue + } + + if len(su.Mail) == 0 { + su.Mail = fmt.Sprintf("%s@localhost", su.Username) + } + + var usr *models.User + // Search for existing user + for _, du := range users { + if du.LowerName == strings.ToLower(su.Username) { + usr = du + break + } + } + + fullName := composeFullName(su.Name, su.Surname, su.Username) + // If no existing user found, create one + if usr == nil { + log.Trace("SyncExternalUsers[%s]: Creating user %s", s.Name, su.Username) + + usr = &models.User{ + LowerName: strings.ToLower(su.Username), + Name: su.Username, + FullName: fullName, + LoginType: s.Type, + LoginSource: s.ID, + LoginName: su.Username, + Email: su.Mail, + IsAdmin: su.IsAdmin, + IsRestricted: su.IsRestricted, + IsActive: true, + } + + err = models.CreateUser(usr) + + if err != nil { + log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", s.Name, su.Username, err) + } else if isAttributeSSHPublicKeySet { + log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", s.Name, usr.Name) + if models.AddPublicKeysBySource(usr, s, su.SSHPublicKey) { + sshKeysNeedUpdate = true + } + } + } else if updateExisting { + existingUsers = append(existingUsers, usr.ID) + + // Synchronize SSH Public Key if that attribute is set + if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(usr, s, su.SSHPublicKey) { + sshKeysNeedUpdate = true + } + + // Check if user data has changed + if (len(s.LDAP().AdminFilter) > 0 && usr.IsAdmin != su.IsAdmin) || + (len(s.LDAP().RestrictedFilter) > 0 && usr.IsRestricted != su.IsRestricted) || + !strings.EqualFold(usr.Email, su.Mail) || + usr.FullName != fullName || + !usr.IsActive { + + log.Trace("SyncExternalUsers[%s]: Updating user %s", s.Name, usr.Name) + + usr.FullName = fullName + usr.Email = su.Mail + // Change existing admin flag only if AdminFilter option is set + if len(s.LDAP().AdminFilter) > 0 { + usr.IsAdmin = su.IsAdmin + } + // Change existing restricted flag only if RestrictedFilter option is set + if !usr.IsAdmin && len(s.LDAP().RestrictedFilter) > 0 { + usr.IsRestricted = su.IsRestricted + } + usr.IsActive = true + + err = models.UpdateUserCols(usr, "full_name", "email", "is_admin", "is_restricted", "is_active") + if err != nil { + log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", s.Name, usr.Name, err) + } + } + } + } + + // Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed + if sshKeysNeedUpdate { + err = models.RewriteAllPublicKeys() + if err != nil { + log.Error("RewriteAllPublicKeys: %v", err) + } + } + + select { + case <-ctx.Done(): + log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", s.Name) + return models.ErrCancelledf("During update of %s before delete users", s.Name) + default: + } + + // Deactivate users not present in LDAP + if updateExisting { + for _, usr := range users { + found := false + for _, uid := range existingUsers { + if usr.ID == uid { + found = true + break + } + } + if !found { + log.Trace("SyncExternalUsers[%s]: Deactivating user %s", s.Name, usr.Name) + + usr.IsActive = false + err = models.UpdateUserCols(usr, "is_active") + if err != nil { + log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", s.Name, usr.Name, err) + } + } + } + } + return nil +} diff --git a/services/auth/source/ldap/util.go b/services/auth/source/ldap/util.go new file mode 100644 index 0000000000000..f27de37c87edb --- /dev/null +++ b/services/auth/source/ldap/util.go @@ -0,0 +1,19 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package ldap + +// composeFullName composes a firstname surname or username +func composeFullName(firstname, surname, username string) string { + switch { + case len(firstname) == 0 && len(surname) == 0: + return username + case len(firstname) == 0: + return surname + case len(surname) == 0: + return firstname + default: + return firstname + " " + surname + } +} diff --git a/services/auth/sync.go b/services/auth/sync.go new file mode 100644 index 0000000000000..613c313f43eda --- /dev/null +++ b/services/auth/sync.go @@ -0,0 +1,44 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package auth + +import ( + "context" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/services/auth/source/ldap" +) + +// SyncExternalUsers is used to synchronize users with external authorization source +func SyncExternalUsers(ctx context.Context, updateExisting bool) error { + log.Trace("Doing: SyncExternalUsers") + + ls, err := models.LoginSources() + if err != nil { + log.Error("SyncExternalUsers: %v", err) + return err + } + + for _, s := range ls { + if !s.IsActived || !s.IsSyncEnabled { + continue + } + select { + case <-ctx.Done(): + log.Warn("SyncExternalUsers: Cancelled before update of %s", s.Name) + return models.ErrCancelledf("Before update of %s", s.Name) + default: + } + + if s.IsLDAP() { + err := ldap.Sync(ctx, updateExisting, s) + if err != nil { + return err + } + } + } + return nil +} From 1116a1fe9d7b6173245f27a5add1cfe2f5ee97ee Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 19 Jun 2021 13:15:54 +0100 Subject: [PATCH 06/44] Restructure ssh_key.go - move functions from models/user.go that relate to ssh_key to ssh_key - split ssh_key.go to try create clearer function domains for allow for future refactors here. Signed-off-by: Andrew Thornton --- models/ssh_key.go | 1090 ++--------------------- models/ssh_key_authorized_keys.go | 218 +++++ models/ssh_key_authorized_principals.go | 142 +++ models/ssh_key_deploy.go | 299 +++++++ models/ssh_key_fingerprint.go | 97 ++ models/ssh_key_parse.go | 309 +++++++ models/ssh_key_principals.go | 125 +++ models/user.go | 138 --- 8 files changed, 1288 insertions(+), 1130 deletions(-) create mode 100644 models/ssh_key_authorized_keys.go create mode 100644 models/ssh_key_authorized_principals.go create mode 100644 models/ssh_key_deploy.go create mode 100644 models/ssh_key_fingerprint.go create mode 100644 models/ssh_key_parse.go create mode 100644 models/ssh_key_principals.go diff --git a/models/ssh_key.go b/models/ssh_key.go index a51ee2f7a4a3d..fd8fa660683d4 100644 --- a/models/ssh_key.go +++ b/models/ssh_key.go @@ -6,45 +6,18 @@ package models import ( - "bufio" - "crypto/rsa" - "crypto/x509" - "encoding/asn1" - "encoding/base64" - "encoding/binary" - "encoding/pem" - "errors" "fmt" - "io" - "io/ioutil" - "math/big" - "os" - "path/filepath" - "strconv" "strings" - "sync" "time" "code.gitea.io/gitea/modules/log" - "code.gitea.io/gitea/modules/process" - "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/util" - "golang.org/x/crypto/ssh" - "xorm.io/builder" - "xorm.io/xorm" -) -const ( - tplCommentPrefix = `# gitea public key` - tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n" - - authorizedPrincipalsFile = "authorized_principals" + "xorm.io/builder" ) -var sshOpLocker sync.Mutex - // KeyType specifies the key type type KeyType int @@ -86,413 +59,10 @@ func (key *PublicKey) OmitEmail() string { } // AuthorizedString returns formatted public key string for authorized_keys file. +// +// TODO: Consider dropping this function func (key *PublicKey) AuthorizedString() string { - sb := &strings.Builder{} - _ = setting.SSH.AuthorizedKeysCommandTemplateTemplate.Execute(sb, map[string]interface{}{ - "AppPath": util.ShellEscape(setting.AppPath), - "AppWorkPath": util.ShellEscape(setting.AppWorkPath), - "CustomConf": util.ShellEscape(setting.CustomConf), - "CustomPath": util.ShellEscape(setting.CustomPath), - "Key": key, - }) - - return fmt.Sprintf(tplPublicKey, util.ShellEscape(sb.String()), key.Content) -} - -func extractTypeFromBase64Key(key string) (string, error) { - b, err := base64.StdEncoding.DecodeString(key) - if err != nil || len(b) < 4 { - return "", fmt.Errorf("invalid key format: %v", err) - } - - keyLength := int(binary.BigEndian.Uint32(b)) - if len(b) < 4+keyLength { - return "", fmt.Errorf("invalid key format: not enough length %d", keyLength) - } - - return string(b[4 : 4+keyLength]), nil -} - -const ssh2keyStart = "---- BEGIN SSH2 PUBLIC KEY ----" - -// parseKeyString parses any key string in OpenSSH or SSH2 format to clean OpenSSH string (RFC4253). -func parseKeyString(content string) (string, error) { - // remove whitespace at start and end - content = strings.TrimSpace(content) - - var keyType, keyContent, keyComment string - - if strings.HasPrefix(content, ssh2keyStart) { - // Parse SSH2 file format. - - // Transform all legal line endings to a single "\n". - content = strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(content) - - lines := strings.Split(content, "\n") - continuationLine := false - - for _, line := range lines { - // Skip lines that: - // 1) are a continuation of the previous line, - // 2) contain ":" as that are comment lines - // 3) contain "-" as that are begin and end tags - if continuationLine || strings.ContainsAny(line, ":-") { - continuationLine = strings.HasSuffix(line, "\\") - } else { - keyContent += line - } - } - - t, err := extractTypeFromBase64Key(keyContent) - if err != nil { - return "", fmt.Errorf("extractTypeFromBase64Key: %v", err) - } - keyType = t - } else { - if strings.Contains(content, "-----BEGIN") { - // Convert PEM Keys to OpenSSH format - // Transform all legal line endings to a single "\n". - content = strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(content) - - block, _ := pem.Decode([]byte(content)) - if block == nil { - return "", fmt.Errorf("failed to parse PEM block containing the public key") - } - - pub, err := x509.ParsePKIXPublicKey(block.Bytes) - if err != nil { - var pk rsa.PublicKey - _, err2 := asn1.Unmarshal(block.Bytes, &pk) - if err2 != nil { - return "", fmt.Errorf("failed to parse DER encoded public key as either PKIX or PEM RSA Key: %v %v", err, err2) - } - pub = &pk - } - - sshKey, err := ssh.NewPublicKey(pub) - if err != nil { - return "", fmt.Errorf("unable to convert to ssh public key: %v", err) - } - content = string(ssh.MarshalAuthorizedKey(sshKey)) - } - // Parse OpenSSH format. - - // Remove all newlines - content = strings.NewReplacer("\r\n", "", "\n", "").Replace(content) - - parts := strings.SplitN(content, " ", 3) - switch len(parts) { - case 0: - return "", errors.New("empty key") - case 1: - keyContent = parts[0] - case 2: - keyType = parts[0] - keyContent = parts[1] - default: - keyType = parts[0] - keyContent = parts[1] - keyComment = parts[2] - } - - // If keyType is not given, extract it from content. If given, validate it. - t, err := extractTypeFromBase64Key(keyContent) - if err != nil { - return "", fmt.Errorf("extractTypeFromBase64Key: %v", err) - } - if len(keyType) == 0 { - keyType = t - } else if keyType != t { - return "", fmt.Errorf("key type and content does not match: %s - %s", keyType, t) - } - } - // Finally we need to check whether we can actually read the proposed key: - _, _, _, _, err := ssh.ParseAuthorizedKey([]byte(keyType + " " + keyContent + " " + keyComment)) - if err != nil { - return "", fmt.Errorf("invalid ssh public key: %v", err) - } - return keyType + " " + keyContent + " " + keyComment, nil -} - -// writeTmpKeyFile writes key content to a temporary file -// and returns the name of that file, along with any possible errors. -func writeTmpKeyFile(content string) (string, error) { - tmpFile, err := ioutil.TempFile(setting.SSH.KeyTestPath, "gitea_keytest") - if err != nil { - return "", fmt.Errorf("TempFile: %v", err) - } - defer tmpFile.Close() - - if _, err = tmpFile.WriteString(content); err != nil { - return "", fmt.Errorf("WriteString: %v", err) - } - return tmpFile.Name(), nil -} - -// SSHKeyGenParsePublicKey extracts key type and length using ssh-keygen. -func SSHKeyGenParsePublicKey(key string) (string, int, error) { - tmpName, err := writeTmpKeyFile(key) - if err != nil { - return "", 0, fmt.Errorf("writeTmpKeyFile: %v", err) - } - defer func() { - if err := util.Remove(tmpName); err != nil { - log.Warn("Unable to remove temporary key file: %s: Error: %v", tmpName, err) - } - }() - - stdout, stderr, err := process.GetManager().Exec("SSHKeyGenParsePublicKey", setting.SSH.KeygenPath, "-lf", tmpName) - if err != nil { - return "", 0, fmt.Errorf("fail to parse public key: %s - %s", err, stderr) - } - if strings.Contains(stdout, "is not a public key file") { - return "", 0, ErrKeyUnableVerify{stdout} - } - - fields := strings.Split(stdout, " ") - if len(fields) < 4 { - return "", 0, fmt.Errorf("invalid public key line: %s", stdout) - } - - keyType := strings.Trim(fields[len(fields)-1], "()\r\n") - length, err := strconv.ParseInt(fields[0], 10, 32) - if err != nil { - return "", 0, err - } - return strings.ToLower(keyType), int(length), nil -} - -// SSHNativeParsePublicKey extracts the key type and length using the golang SSH library. -func SSHNativeParsePublicKey(keyLine string) (string, int, error) { - fields := strings.Fields(keyLine) - if len(fields) < 2 { - return "", 0, fmt.Errorf("not enough fields in public key line: %s", keyLine) - } - - raw, err := base64.StdEncoding.DecodeString(fields[1]) - if err != nil { - return "", 0, err - } - - pkey, err := ssh.ParsePublicKey(raw) - if err != nil { - if strings.Contains(err.Error(), "ssh: unknown key algorithm") { - return "", 0, ErrKeyUnableVerify{err.Error()} - } - return "", 0, fmt.Errorf("ParsePublicKey: %v", err) - } - - // The ssh library can parse the key, so next we find out what key exactly we have. - switch pkey.Type() { - case ssh.KeyAlgoDSA: - rawPub := struct { - Name string - P, Q, G, Y *big.Int - }{} - if err := ssh.Unmarshal(pkey.Marshal(), &rawPub); err != nil { - return "", 0, err - } - // as per https://bugzilla.mindrot.org/show_bug.cgi?id=1647 we should never - // see dsa keys != 1024 bit, but as it seems to work, we will not check here - return "dsa", rawPub.P.BitLen(), nil // use P as per crypto/dsa/dsa.go (is L) - case ssh.KeyAlgoRSA: - rawPub := struct { - Name string - E *big.Int - N *big.Int - }{} - if err := ssh.Unmarshal(pkey.Marshal(), &rawPub); err != nil { - return "", 0, err - } - return "rsa", rawPub.N.BitLen(), nil // use N as per crypto/rsa/rsa.go (is bits) - case ssh.KeyAlgoECDSA256: - return "ecdsa", 256, nil - case ssh.KeyAlgoECDSA384: - return "ecdsa", 384, nil - case ssh.KeyAlgoECDSA521: - return "ecdsa", 521, nil - case ssh.KeyAlgoED25519: - return "ed25519", 256, nil - case ssh.KeyAlgoSKECDSA256: - return "ecdsa-sk", 256, nil - case ssh.KeyAlgoSKED25519: - return "ed25519-sk", 256, nil - } - return "", 0, fmt.Errorf("unsupported key length detection for type: %s", pkey.Type()) -} - -// CheckPublicKeyString checks if the given public key string is recognized by SSH. -// It returns the actual public key line on success. -func CheckPublicKeyString(content string) (_ string, err error) { - if setting.SSH.Disabled { - return "", ErrSSHDisabled{} - } - - content, err = parseKeyString(content) - if err != nil { - return "", err - } - - content = strings.TrimRight(content, "\n\r") - if strings.ContainsAny(content, "\n\r") { - return "", errors.New("only a single line with a single key please") - } - - // remove any unnecessary whitespace now - content = strings.TrimSpace(content) - - if !setting.SSH.MinimumKeySizeCheck { - return content, nil - } - - var ( - fnName string - keyType string - length int - ) - if setting.SSH.StartBuiltinServer { - fnName = "SSHNativeParsePublicKey" - keyType, length, err = SSHNativeParsePublicKey(content) - } else { - fnName = "SSHKeyGenParsePublicKey" - keyType, length, err = SSHKeyGenParsePublicKey(content) - } - if err != nil { - return "", fmt.Errorf("%s: %v", fnName, err) - } - log.Trace("Key info [native: %v]: %s-%d", setting.SSH.StartBuiltinServer, keyType, length) - - if minLen, found := setting.SSH.MinimumKeySizes[keyType]; found && length >= minLen { - return content, nil - } else if found && length < minLen { - return "", fmt.Errorf("key length is not enough: got %d, needs %d", length, minLen) - } - return "", fmt.Errorf("key type is not allowed: %s", keyType) -} - -// appendAuthorizedKeysToFile appends new SSH keys' content to authorized_keys file. -func appendAuthorizedKeysToFile(keys ...*PublicKey) error { - // Don't need to rewrite this file if builtin SSH server is enabled. - if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile { - return nil - } - - sshOpLocker.Lock() - defer sshOpLocker.Unlock() - - if setting.SSH.RootPath != "" { - // First of ensure that the RootPath is present, and if not make it with 0700 permissions - // This of course doesn't guarantee that this is the right directory for authorized_keys - // but at least if it's supposed to be this directory and it doesn't exist and we're the - // right user it will at least be created properly. - err := os.MkdirAll(setting.SSH.RootPath, 0o700) - if err != nil { - log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err) - return err - } - } - - fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys") - f, err := os.OpenFile(fPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600) - if err != nil { - return err - } - defer f.Close() - - // Note: chmod command does not support in Windows. - if !setting.IsWindows { - fi, err := f.Stat() - if err != nil { - return err - } - - // .ssh directory should have mode 700, and authorized_keys file should have mode 600. - if fi.Mode().Perm() > 0o600 { - log.Error("authorized_keys file has unusual permission flags: %s - setting to -rw-------", fi.Mode().Perm().String()) - if err = f.Chmod(0o600); err != nil { - return err - } - } - } - - for _, key := range keys { - if key.Type == KeyTypePrincipal { - continue - } - if _, err = f.WriteString(key.AuthorizedString()); err != nil { - return err - } - } - return nil -} - -// checkKeyFingerprint only checks if key fingerprint has been used as public key, -// it is OK to use same key as deploy key for multiple repositories/users. -func checkKeyFingerprint(e Engine, fingerprint string) error { - has, err := e.Get(&PublicKey{ - Fingerprint: fingerprint, - }) - if err != nil { - return err - } else if has { - return ErrKeyAlreadyExist{0, fingerprint, ""} - } - return nil -} - -func calcFingerprintSSHKeygen(publicKeyContent string) (string, error) { - // Calculate fingerprint. - tmpPath, err := writeTmpKeyFile(publicKeyContent) - if err != nil { - return "", err - } - defer func() { - if err := util.Remove(tmpPath); err != nil { - log.Warn("Unable to remove temporary key file: %s: Error: %v", tmpPath, err) - } - }() - stdout, stderr, err := process.GetManager().Exec("AddPublicKey", "ssh-keygen", "-lf", tmpPath) - if err != nil { - if strings.Contains(stderr, "is not a public key file") { - return "", ErrKeyUnableVerify{stderr} - } - return "", fmt.Errorf("'ssh-keygen -lf %s' failed with error '%s': %s", tmpPath, err, stderr) - } else if len(stdout) < 2 { - return "", errors.New("not enough output for calculating fingerprint: " + stdout) - } - return strings.Split(stdout, " ")[1], nil -} - -func calcFingerprintNative(publicKeyContent string) (string, error) { - // Calculate fingerprint. - pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(publicKeyContent)) - if err != nil { - return "", err - } - return ssh.FingerprintSHA256(pk), nil -} - -func calcFingerprint(publicKeyContent string) (string, error) { - // Call the method based on configuration - var ( - fnName, fp string - err error - ) - if setting.SSH.StartBuiltinServer { - fnName = "calcFingerprintNative" - fp, err = calcFingerprintNative(publicKeyContent) - } else { - fnName = "calcFingerprintSSHKeygen" - fp, err = calcFingerprintSSHKeygen(publicKeyContent) - } - if err != nil { - if IsErrKeyUnableVerify(err) { - log.Info("%s", publicKeyContent) - return "", err - } - return "", fmt.Errorf("%s: %v", fnName, err) - } - return fp, nil + return AuthorizedStringForKey(key) } func addKey(e Engine, key *PublicKey) (err error) { @@ -782,603 +352,139 @@ func DeletePublicKey(doer *User, id int64) (err error) { return RewriteAllPublicKeys() } -// RewriteAllPublicKeys removes any authorized key and rewrite all keys from database again. -// Note: x.Iterate does not get latest data after insert/delete, so we have to call this function -// outside any session scope independently. -func RewriteAllPublicKeys() error { - return rewriteAllPublicKeys(x) -} - -func rewriteAllPublicKeys(e Engine) error { - // Don't rewrite key if internal server - if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile { - return nil - } - - sshOpLocker.Lock() - defer sshOpLocker.Unlock() - - if setting.SSH.RootPath != "" { - // First of ensure that the RootPath is present, and if not make it with 0700 permissions - // This of course doesn't guarantee that this is the right directory for authorized_keys - // but at least if it's supposed to be this directory and it doesn't exist and we're the - // right user it will at least be created properly. - err := os.MkdirAll(setting.SSH.RootPath, 0o700) - if err != nil { - log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err) - return err - } - } - - fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys") - tmpPath := fPath + ".tmp" - t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600) - if err != nil { - return err - } - defer func() { - t.Close() - if err := util.Remove(tmpPath); err != nil { - log.Warn("Unable to remove temporary authorized keys file: %s: Error: %v", tmpPath, err) - } - }() - - if setting.SSH.AuthorizedKeysBackup { - isExist, err := util.IsExist(fPath) - if err != nil { - log.Error("Unable to check if %s exists. Error: %v", fPath, err) - return err - } - if isExist { - bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix()) - if err = util.CopyFile(fPath, bakPath); err != nil { - return err - } - } - } - - if err := regeneratePublicKeys(e, t); err != nil { - return err - } - - t.Close() - return os.Rename(tmpPath, fPath) -} - -// RegeneratePublicKeys regenerates the authorized_keys file -func RegeneratePublicKeys(t io.StringWriter) error { - return regeneratePublicKeys(x, t) -} - -func regeneratePublicKeys(e Engine, t io.StringWriter) error { - if err := e.Where("type != ?", KeyTypePrincipal).Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) { - _, err = t.WriteString((bean.(*PublicKey)).AuthorizedString()) - return err - }); err != nil { - return err - } - - fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys") - isExist, err := util.IsExist(fPath) - if err != nil { - log.Error("Unable to check if %s exists. Error: %v", fPath, err) - return err - } - if isExist { - f, err := os.Open(fPath) - if err != nil { - return err - } - scanner := bufio.NewScanner(f) - for scanner.Scan() { - line := scanner.Text() - if strings.HasPrefix(line, tplCommentPrefix) { - scanner.Scan() - continue - } - _, err = t.WriteString(line + "\n") - if err != nil { - f.Close() - return err - } - } - f.Close() - } - return nil -} - -// ________ .__ ____ __. -// \______ \ ____ ______ | | ____ ___.__.| |/ _|____ ___.__. -// | | \_/ __ \\____ \| | / _ < | || <_/ __ < | | -// | ` \ ___/| |_> > |_( <_> )___ || | \ ___/\___ | -// /_______ /\___ > __/|____/\____// ____||____|__ \___ > ____| -// \/ \/|__| \/ \/ \/\/ - -// DeployKey represents deploy key information and its relation with repository. -type DeployKey struct { - ID int64 `xorm:"pk autoincr"` - KeyID int64 `xorm:"UNIQUE(s) INDEX"` - RepoID int64 `xorm:"UNIQUE(s) INDEX"` - Name string - Fingerprint string - Content string `xorm:"-"` - - Mode AccessMode `xorm:"NOT NULL DEFAULT 1"` - - CreatedUnix timeutil.TimeStamp `xorm:"created"` - UpdatedUnix timeutil.TimeStamp `xorm:"updated"` - HasRecentActivity bool `xorm:"-"` - HasUsed bool `xorm:"-"` -} - -// AfterLoad is invoked from XORM after setting the values of all fields of this object. -func (key *DeployKey) AfterLoad() { - key.HasUsed = key.UpdatedUnix > key.CreatedUnix - key.HasRecentActivity = key.UpdatedUnix.AddDuration(7*24*time.Hour) > timeutil.TimeStampNow() -} - -// GetContent gets associated public key content. -func (key *DeployKey) GetContent() error { - pkey, err := GetPublicKeyByID(key.KeyID) - if err != nil { - return err - } - key.Content = pkey.Content - return nil -} - -// IsReadOnly checks if the key can only be used for read operations -func (key *DeployKey) IsReadOnly() bool { - return key.Mode == AccessModeRead -} - -func checkDeployKey(e Engine, keyID, repoID int64, name string) error { - // Note: We want error detail, not just true or false here. - has, err := e. - Where("key_id = ? AND repo_id = ?", keyID, repoID). - Get(new(DeployKey)) - if err != nil { - return err - } else if has { - return ErrDeployKeyAlreadyExist{keyID, repoID} - } - - has, err = e. - Where("repo_id = ? AND name = ?", repoID, name). - Get(new(DeployKey)) - if err != nil { - return err - } else if has { - return ErrDeployKeyNameAlreadyUsed{repoID, name} - } - - return nil -} - -// addDeployKey adds new key-repo relation. -func addDeployKey(e *xorm.Session, keyID, repoID int64, name, fingerprint string, mode AccessMode) (*DeployKey, error) { - if err := checkDeployKey(e, keyID, repoID, name); err != nil { - return nil, err - } - - key := &DeployKey{ - KeyID: keyID, - RepoID: repoID, - Name: name, - Fingerprint: fingerprint, - Mode: mode, - } - _, err := e.Insert(key) - return key, err -} - -// HasDeployKey returns true if public key is a deploy key of given repository. -func HasDeployKey(keyID, repoID int64) bool { - has, _ := x. - Where("key_id = ? AND repo_id = ?", keyID, repoID). - Get(new(DeployKey)) - return has -} - -// AddDeployKey add new deploy key to database and authorized_keys file. -func AddDeployKey(repoID int64, name, content string, readOnly bool) (*DeployKey, error) { - fingerprint, err := calcFingerprint(content) - if err != nil { - return nil, err - } - - accessMode := AccessModeRead - if !readOnly { - accessMode = AccessModeWrite - } - - sess := x.NewSession() - defer sess.Close() - if err = sess.Begin(); err != nil { - return nil, err - } - - pkey := &PublicKey{ - Fingerprint: fingerprint, - } - has, err := sess.Get(pkey) - if err != nil { - return nil, err - } - - if has { - if pkey.Type != KeyTypeDeploy { - return nil, ErrKeyAlreadyExist{0, fingerprint, ""} - } - } else { - // First time use this deploy key. - pkey.Mode = accessMode - pkey.Type = KeyTypeDeploy - pkey.Content = content - pkey.Name = name - if err = addKey(sess, pkey); err != nil { - return nil, fmt.Errorf("addKey: %v", err) - } - } - - key, err := addDeployKey(sess, pkey.ID, repoID, name, pkey.Fingerprint, accessMode) - if err != nil { - return nil, err - } - - return key, sess.Commit() -} - -// GetDeployKeyByID returns deploy key by given ID. -func GetDeployKeyByID(id int64) (*DeployKey, error) { - return getDeployKeyByID(x, id) -} - -func getDeployKeyByID(e Engine, id int64) (*DeployKey, error) { - key := new(DeployKey) - has, err := e.ID(id).Get(key) - if err != nil { - return nil, err - } else if !has { - return nil, ErrDeployKeyNotExist{id, 0, 0} - } - return key, nil -} - -// GetDeployKeyByRepo returns deploy key by given public key ID and repository ID. -func GetDeployKeyByRepo(keyID, repoID int64) (*DeployKey, error) { - return getDeployKeyByRepo(x, keyID, repoID) -} - -func getDeployKeyByRepo(e Engine, keyID, repoID int64) (*DeployKey, error) { - key := &DeployKey{ - KeyID: keyID, - RepoID: repoID, - } - has, err := e.Get(key) - if err != nil { - return nil, err - } else if !has { - return nil, ErrDeployKeyNotExist{0, keyID, repoID} - } - return key, nil -} - -// UpdateDeployKeyCols updates deploy key information in the specified columns. -func UpdateDeployKeyCols(key *DeployKey, cols ...string) error { - _, err := x.ID(key.ID).Cols(cols...).Update(key) - return err -} - -// UpdateDeployKey updates deploy key information. -func UpdateDeployKey(key *DeployKey) error { - _, err := x.ID(key.ID).AllCols().Update(key) - return err -} - -// DeleteDeployKey deletes deploy key from its repository authorized_keys file if needed. -func DeleteDeployKey(doer *User, id int64) error { +// deleteKeysMarkedForDeletion returns true if ssh keys needs update +func deleteKeysMarkedForDeletion(keys []string) (bool, error) { + // Start session sess := x.NewSession() defer sess.Close() if err := sess.Begin(); err != nil { - return err - } - if err := deleteDeployKey(sess, doer, id); err != nil { - return err - } - return sess.Commit() -} - -func deleteDeployKey(sess Engine, doer *User, id int64) error { - key, err := getDeployKeyByID(sess, id) - if err != nil { - if IsErrDeployKeyNotExist(err) { - return nil - } - return fmt.Errorf("GetDeployKeyByID: %v", err) + return false, err } - // Check if user has access to delete this key. - if !doer.IsAdmin { - repo, err := getRepositoryByID(sess, key.RepoID) - if err != nil { - return fmt.Errorf("GetRepositoryByID: %v", err) - } - has, err := isUserRepoAdmin(sess, repo, doer) + // Delete keys marked for deletion + var sshKeysNeedUpdate bool + for _, KeyToDelete := range keys { + key, err := searchPublicKeyByContentWithEngine(sess, KeyToDelete) if err != nil { - return fmt.Errorf("GetUserRepoPermission: %v", err) - } else if !has { - return ErrKeyAccessDenied{doer.ID, key.ID, "deploy"} - } - } - - if _, err = sess.ID(key.ID).Delete(new(DeployKey)); err != nil { - return fmt.Errorf("delete deploy key [%d]: %v", key.ID, err) - } - - // Check if this is the last reference to same key content. - has, err := sess. - Where("key_id = ?", key.KeyID). - Get(new(DeployKey)) - if err != nil { - return err - } else if !has { - if err = deletePublicKeys(sess, key.KeyID); err != nil { - return err + log.Error("SearchPublicKeyByContent: %v", err) + continue } - - // after deleted the public keys, should rewrite the public keys file - if err = rewriteAllPublicKeys(sess); err != nil { - return err + if err = deletePublicKeys(sess, key.ID); err != nil { + log.Error("deletePublicKeys: %v", err) + continue } + sshKeysNeedUpdate = true } - return nil -} - -// ListDeployKeys returns all deploy keys by given repository ID. -func ListDeployKeys(repoID int64, listOptions ListOptions) ([]*DeployKey, error) { - return listDeployKeys(x, repoID, listOptions) -} - -func listDeployKeys(e Engine, repoID int64, listOptions ListOptions) ([]*DeployKey, error) { - sess := e.Where("repo_id = ?", repoID) - if listOptions.Page != 0 { - sess = listOptions.setSessionPagination(sess) - - keys := make([]*DeployKey, 0, listOptions.PageSize) - return keys, sess.Find(&keys) - } - - keys := make([]*DeployKey, 0, 5) - return keys, sess.Find(&keys) -} - -// SearchDeployKeys returns a list of deploy keys matching the provided arguments. -func SearchDeployKeys(repoID, keyID int64, fingerprint string) ([]*DeployKey, error) { - keys := make([]*DeployKey, 0, 5) - cond := builder.NewCond() - if repoID != 0 { - cond = cond.And(builder.Eq{"repo_id": repoID}) - } - if keyID != 0 { - cond = cond.And(builder.Eq{"key_id": keyID}) - } - if fingerprint != "" { - cond = cond.And(builder.Eq{"fingerprint": fingerprint}) - } - return keys, x.Where(cond).Find(&keys) -} - -// __________ .__ .__ .__ -// \______ _______|__| ____ ____ |_____________ | | ______ -// | ___\_ __ | |/ \_/ ___\| \____ \__ \ | | / ___/ -// | | | | \| | | \ \___| | |_> / __ \| |__\___ \ -// |____| |__| |__|___| /\___ |__| __(____ |____/____ > -// \/ \/ |__| \/ \/ - -// AddPrincipalKey adds new principal to database and authorized_principals file. -func AddPrincipalKey(ownerID int64, content string, loginSourceID int64) (*PublicKey, error) { - sess := x.NewSession() - defer sess.Close() - if err := sess.Begin(); err != nil { - return nil, err - } - - // Principals cannot be duplicated. - has, err := sess. - Where("content = ? AND type = ?", content, KeyTypePrincipal). - Get(new(PublicKey)) - if err != nil { - return nil, err - } else if has { - return nil, ErrKeyAlreadyExist{0, "", content} - } - - key := &PublicKey{ - OwnerID: ownerID, - Name: content, - Content: content, - Mode: AccessModeWrite, - Type: KeyTypePrincipal, - LoginSourceID: loginSourceID, - } - if err = addPrincipalKey(sess, key); err != nil { - return nil, fmt.Errorf("addKey: %v", err) - } - - if err = sess.Commit(); err != nil { - return nil, err - } - - sess.Close() - - return key, RewriteAllPrincipalKeys() -} - -func addPrincipalKey(e Engine, key *PublicKey) (err error) { - // Save Key representing a principal. - if _, err = e.Insert(key); err != nil { - return err + if err := sess.Commit(); err != nil { + return false, err } - return nil + return sshKeysNeedUpdate, nil } -// CheckPrincipalKeyString strips spaces and returns an error if the given principal contains newlines -func CheckPrincipalKeyString(user *User, content string) (_ string, err error) { - if setting.SSH.Disabled { - return "", ErrSSHDisabled{} - } - - content = strings.TrimSpace(content) - if strings.ContainsAny(content, "\r\n") { - return "", errors.New("only a single line with a single principal please") - } - - // check all the allowed principals, email, username or anything - // if any matches, return ok - for _, v := range setting.SSH.AuthorizedPrincipalsAllow { - switch v { - case "anything": - return content, nil - case "email": - emails, err := GetEmailAddresses(user.ID) +// AddPublicKeysBySource add a users public keys. Returns true if there are changes. +func AddPublicKeysBySource(usr *User, s *LoginSource, sshPublicKeys []string) bool { + var sshKeysNeedUpdate bool + for _, sshKey := range sshPublicKeys { + var err error + found := false + keys := []byte(sshKey) + loop: + for len(keys) > 0 && err == nil { + var out ssh.PublicKey + // We ignore options as they are not relevant to Gitea + out, _, _, keys, err = ssh.ParseAuthorizedKey(keys) if err != nil { - return "", err + break loop } - for _, email := range emails { - if !email.IsActivated { - continue - } - if content == email.Email { - return content, nil + found = true + marshalled := string(ssh.MarshalAuthorizedKey(out)) + marshalled = marshalled[:len(marshalled)-1] + sshKeyName := fmt.Sprintf("%s-%s", s.Name, ssh.FingerprintSHA256(out)) + + if _, err := AddPublicKey(usr.ID, sshKeyName, marshalled, s.ID); err != nil { + if IsErrKeyAlreadyExist(err) { + log.Trace("AddPublicKeysBySource[%s]: Public SSH Key %s already exists for user", sshKeyName, usr.Name) + } else { + log.Error("AddPublicKeysBySource[%s]: Error adding Public SSH Key for user %s: %v", sshKeyName, usr.Name, err) } + } else { + log.Trace("AddPublicKeysBySource[%s]: Added Public SSH Key for user %s", sshKeyName, usr.Name) + sshKeysNeedUpdate = true } - - case "username": - if content == user.Name { - return content, nil - } + } + if !found && err != nil { + log.Warn("AddPublicKeysBySource[%s]: Skipping invalid Public SSH Key for user %s: %v", s.Name, usr.Name, sshKey) } } - - return "", fmt.Errorf("didn't match allowed principals: %s", setting.SSH.AuthorizedPrincipalsAllow) + return sshKeysNeedUpdate } -// RewriteAllPrincipalKeys removes any authorized principal and rewrite all keys from database again. -// Note: x.Iterate does not get latest data after insert/delete, so we have to call this function -// outside any session scope independently. -func RewriteAllPrincipalKeys() error { - return rewriteAllPrincipalKeys(x) -} +// SynchronizePublicKeys updates a users public keys. Returns true if there are changes. +func SynchronizePublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) bool { + var sshKeysNeedUpdate bool -func rewriteAllPrincipalKeys(e Engine) error { - // Don't rewrite key if internal server - if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedPrincipalsFile { - return nil - } - - sshOpLocker.Lock() - defer sshOpLocker.Unlock() + log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name) - if setting.SSH.RootPath != "" { - // First of ensure that the RootPath is present, and if not make it with 0700 permissions - // This of course doesn't guarantee that this is the right directory for authorized_keys - // but at least if it's supposed to be this directory and it doesn't exist and we're the - // right user it will at least be created properly. - err := os.MkdirAll(setting.SSH.RootPath, 0o700) - if err != nil { - log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err) - return err - } + // Get Public Keys from DB with current LDAP source + var giteaKeys []string + keys, err := ListPublicKeysBySource(usr.ID, s.ID) + if err != nil { + log.Error("synchronizePublicKeys[%s]: Error listing Public SSH Keys for user %s: %v", s.Name, usr.Name, err) } - fPath := filepath.Join(setting.SSH.RootPath, authorizedPrincipalsFile) - tmpPath := fPath + ".tmp" - t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600) - if err != nil { - return err + for _, v := range keys { + giteaKeys = append(giteaKeys, v.OmitEmail()) } - defer func() { - t.Close() - os.Remove(tmpPath) - }() - if setting.SSH.AuthorizedPrincipalsBackup { - isExist, err := util.IsExist(fPath) - if err != nil { - log.Error("Unable to check if %s exists. Error: %v", fPath, err) - return err - } - if isExist { - bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix()) - if err = util.CopyFile(fPath, bakPath); err != nil { - return err + // Process the provided keys to remove duplicates and name part + var providedKeys []string + for _, v := range sshPublicKeys { + sshKeySplit := strings.Split(v, " ") + if len(sshKeySplit) > 1 { + key := strings.Join(sshKeySplit[:2], " ") + if !util.ExistsInSlice(key, providedKeys) { + providedKeys = append(providedKeys, key) } } } - if err := regeneratePrincipalKeys(e, t); err != nil { - return err + // Check if Public Key sync is needed + if util.IsEqualSlice(giteaKeys, providedKeys) { + log.Trace("synchronizePublicKeys[%s]: Public Keys are already in sync for %s (Source:%v/DB:%v)", s.Name, usr.Name, len(providedKeys), len(giteaKeys)) + return false } + log.Trace("synchronizePublicKeys[%s]: Public Key needs update for user %s (Source:%v/DB:%v)", s.Name, usr.Name, len(providedKeys), len(giteaKeys)) - t.Close() - return os.Rename(tmpPath, fPath) -} - -// ListPrincipalKeys returns a list of principals belongs to given user. -func ListPrincipalKeys(uid int64, listOptions ListOptions) ([]*PublicKey, error) { - sess := x.Where("owner_id = ? AND type = ?", uid, KeyTypePrincipal) - if listOptions.Page != 0 { - sess = listOptions.setSessionPagination(sess) - - keys := make([]*PublicKey, 0, listOptions.PageSize) - return keys, sess.Find(&keys) + // Add new Public SSH Keys that doesn't already exist in DB + var newKeys []string + for _, key := range providedKeys { + if !util.ExistsInSlice(key, giteaKeys) { + newKeys = append(newKeys, key) + } + } + if AddPublicKeysBySource(usr, s, newKeys) { + sshKeysNeedUpdate = true } - keys := make([]*PublicKey, 0, 5) - return keys, sess.Find(&keys) -} - -// RegeneratePrincipalKeys regenerates the authorized_principals file -func RegeneratePrincipalKeys(t io.StringWriter) error { - return regeneratePrincipalKeys(x, t) -} - -func regeneratePrincipalKeys(e Engine, t io.StringWriter) error { - if err := e.Where("type = ?", KeyTypePrincipal).Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) { - _, err = t.WriteString((bean.(*PublicKey)).AuthorizedString()) - return err - }); err != nil { - return err + // Mark keys from DB that no longer exist in the source for deletion + var giteaKeysToDelete []string + for _, giteaKey := range giteaKeys { + if !util.ExistsInSlice(giteaKey, providedKeys) { + log.Trace("synchronizePublicKeys[%s]: Marking Public SSH Key for deletion for user %s: %v", s.Name, usr.Name, giteaKey) + giteaKeysToDelete = append(giteaKeysToDelete, giteaKey) + } } - fPath := filepath.Join(setting.SSH.RootPath, authorizedPrincipalsFile) - isExist, err := util.IsExist(fPath) + // Delete keys from DB that no longer exist in the source + needUpd, err := deleteKeysMarkedForDeletion(giteaKeysToDelete) if err != nil { - log.Error("Unable to check if %s exists. Error: %v", fPath, err) - return err + log.Error("synchronizePublicKeys[%s]: Error deleting Public Keys marked for deletion for user %s: %v", s.Name, usr.Name, err) } - if isExist { - f, err := os.Open(fPath) - if err != nil { - return err - } - scanner := bufio.NewScanner(f) - for scanner.Scan() { - line := scanner.Text() - if strings.HasPrefix(line, tplCommentPrefix) { - scanner.Scan() - continue - } - _, err = t.WriteString(line + "\n") - if err != nil { - f.Close() - return err - } - } - f.Close() + if needUpd { + sshKeysNeedUpdate = true } - return nil + + return sshKeysNeedUpdate } diff --git a/models/ssh_key_authorized_keys.go b/models/ssh_key_authorized_keys.go new file mode 100644 index 0000000000000..21da7507de921 --- /dev/null +++ b/models/ssh_key_authorized_keys.go @@ -0,0 +1,218 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package models + +import ( + "bufio" + "fmt" + "io" + "os" + "path/filepath" + "strings" + "sync" + "time" + + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/util" +) + +// _____ __ .__ .__ .___ +// / _ \ __ ___/ |_| |__ ___________|__|_______ ____ __| _/ +// / /_\ \| | \ __\ | \ / _ \_ __ \ \___ // __ \ / __ | +// / | \ | /| | | Y ( <_> ) | \/ |/ /\ ___// /_/ | +// \____|__ /____/ |__| |___| /\____/|__| |__/_____ \\___ >____ | +// \/ \/ \/ \/ \/ +// ____ __. +// | |/ _|____ ___.__. ______ +// | <_/ __ < | |/ ___/ +// | | \ ___/\___ |\___ \ +// |____|__ \___ > ____/____ > +// \/ \/\/ \/ +// +// This file contains functions for creating authorized_keys files +// +// There is a dependence on the database within RegeneratePublicKeys however most of these functions probably belong in a module + +const ( + tplCommentPrefix = `# gitea public key` + tplPublicKey = tplCommentPrefix + "\n" + `command=%s,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s` + "\n" +) + +var sshOpLocker sync.Mutex + +func AuthorizedStringForKey(key *PublicKey) string { + sb := &strings.Builder{} + _ = setting.SSH.AuthorizedKeysCommandTemplateTemplate.Execute(sb, map[string]interface{}{ + "AppPath": util.ShellEscape(setting.AppPath), + "AppWorkPath": util.ShellEscape(setting.AppWorkPath), + "CustomConf": util.ShellEscape(setting.CustomConf), + "CustomPath": util.ShellEscape(setting.CustomPath), + "Key": key, + }) + + return fmt.Sprintf(tplPublicKey, util.ShellEscape(sb.String()), key.Content) +} + +// appendAuthorizedKeysToFile appends new SSH keys' content to authorized_keys file. +func appendAuthorizedKeysToFile(keys ...*PublicKey) error { + // Don't need to rewrite this file if builtin SSH server is enabled. + if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile { + return nil + } + + sshOpLocker.Lock() + defer sshOpLocker.Unlock() + + if setting.SSH.RootPath != "" { + // First of ensure that the RootPath is present, and if not make it with 0700 permissions + // This of course doesn't guarantee that this is the right directory for authorized_keys + // but at least if it's supposed to be this directory and it doesn't exist and we're the + // right user it will at least be created properly. + err := os.MkdirAll(setting.SSH.RootPath, 0o700) + if err != nil { + log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err) + return err + } + } + + fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys") + f, err := os.OpenFile(fPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600) + if err != nil { + return err + } + defer f.Close() + + // Note: chmod command does not support in Windows. + if !setting.IsWindows { + fi, err := f.Stat() + if err != nil { + return err + } + + // .ssh directory should have mode 700, and authorized_keys file should have mode 600. + if fi.Mode().Perm() > 0o600 { + log.Error("authorized_keys file has unusual permission flags: %s - setting to -rw-------", fi.Mode().Perm().String()) + if err = f.Chmod(0o600); err != nil { + return err + } + } + } + + for _, key := range keys { + if key.Type == KeyTypePrincipal { + continue + } + if _, err = f.WriteString(key.AuthorizedString()); err != nil { + return err + } + } + return nil +} + +// RewriteAllPublicKeys removes any authorized key and rewrite all keys from database again. +// Note: x.Iterate does not get latest data after insert/delete, so we have to call this function +// outside any session scope independently. +func RewriteAllPublicKeys() error { + return rewriteAllPublicKeys(x) +} + +func rewriteAllPublicKeys(e Engine) error { + // Don't rewrite key if internal server + if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedKeysFile { + return nil + } + + sshOpLocker.Lock() + defer sshOpLocker.Unlock() + + if setting.SSH.RootPath != "" { + // First of ensure that the RootPath is present, and if not make it with 0700 permissions + // This of course doesn't guarantee that this is the right directory for authorized_keys + // but at least if it's supposed to be this directory and it doesn't exist and we're the + // right user it will at least be created properly. + err := os.MkdirAll(setting.SSH.RootPath, 0o700) + if err != nil { + log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err) + return err + } + } + + fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys") + tmpPath := fPath + ".tmp" + t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600) + if err != nil { + return err + } + defer func() { + t.Close() + if err := util.Remove(tmpPath); err != nil { + log.Warn("Unable to remove temporary authorized keys file: %s: Error: %v", tmpPath, err) + } + }() + + if setting.SSH.AuthorizedKeysBackup { + isExist, err := util.IsExist(fPath) + if err != nil { + log.Error("Unable to check if %s exists. Error: %v", fPath, err) + return err + } + if isExist { + bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix()) + if err = util.CopyFile(fPath, bakPath); err != nil { + return err + } + } + } + + if err := regeneratePublicKeys(e, t); err != nil { + return err + } + + t.Close() + return os.Rename(tmpPath, fPath) +} + +// RegeneratePublicKeys regenerates the authorized_keys file +func RegeneratePublicKeys(t io.StringWriter) error { + return regeneratePublicKeys(x, t) +} + +func regeneratePublicKeys(e Engine, t io.StringWriter) error { + if err := e.Where("type != ?", KeyTypePrincipal).Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) { + _, err = t.WriteString((bean.(*PublicKey)).AuthorizedString()) + return err + }); err != nil { + return err + } + + fPath := filepath.Join(setting.SSH.RootPath, "authorized_keys") + isExist, err := util.IsExist(fPath) + if err != nil { + log.Error("Unable to check if %s exists. Error: %v", fPath, err) + return err + } + if isExist { + f, err := os.Open(fPath) + if err != nil { + return err + } + scanner := bufio.NewScanner(f) + for scanner.Scan() { + line := scanner.Text() + if strings.HasPrefix(line, tplCommentPrefix) { + scanner.Scan() + continue + } + _, err = t.WriteString(line + "\n") + if err != nil { + f.Close() + return err + } + } + f.Close() + } + return nil +} diff --git a/models/ssh_key_authorized_principals.go b/models/ssh_key_authorized_principals.go new file mode 100644 index 0000000000000..9a763a3484040 --- /dev/null +++ b/models/ssh_key_authorized_principals.go @@ -0,0 +1,142 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package models + +import ( + "bufio" + "fmt" + "io" + "os" + "path/filepath" + "strings" + "time" + + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/util" +) + +// _____ __ .__ .__ .___ +// / _ \ __ ___/ |_| |__ ___________|__|_______ ____ __| _/ +// / /_\ \| | \ __\ | \ / _ \_ __ \ \___ // __ \ / __ | +// / | \ | /| | | Y ( <_> ) | \/ |/ /\ ___// /_/ | +// \____|__ /____/ |__| |___| /\____/|__| |__/_____ \\___ >____ | +// \/ \/ \/ \/ \/ +// __________ .__ .__ .__ +// \______ _______|__| ____ ____ |_____________ | | ______ +// | ___\_ __ | |/ \_/ ___\| \____ \__ \ | | / ___/ +// | | | | \| | | \ \___| | |_> / __ \| |__\___ \ +// |____| |__| |__|___| /\___ |__| __(____ |____/____ > +// \/ \/ |__| \/ \/ +// +// This file contains functions for creating authorized_principals files +// +// There is a dependence on the database within RewriteAllPrincipalKeys & RegeneratePrincipalKeys +// The sshOpLocker is used from ssh_key_authorized_keys.go + +const authorizedPrincipalsFile = "authorized_principals" + +// RewriteAllPrincipalKeys removes any authorized principal and rewrite all keys from database again. +// Note: x.Iterate does not get latest data after insert/delete, so we have to call this function +// outside any session scope independently. +func RewriteAllPrincipalKeys() error { + return rewriteAllPrincipalKeys(x) +} + +func rewriteAllPrincipalKeys(e Engine) error { + // Don't rewrite key if internal server + if setting.SSH.StartBuiltinServer || !setting.SSH.CreateAuthorizedPrincipalsFile { + return nil + } + + sshOpLocker.Lock() + defer sshOpLocker.Unlock() + + if setting.SSH.RootPath != "" { + // First of ensure that the RootPath is present, and if not make it with 0700 permissions + // This of course doesn't guarantee that this is the right directory for authorized_keys + // but at least if it's supposed to be this directory and it doesn't exist and we're the + // right user it will at least be created properly. + err := os.MkdirAll(setting.SSH.RootPath, 0o700) + if err != nil { + log.Error("Unable to MkdirAll(%s): %v", setting.SSH.RootPath, err) + return err + } + } + + fPath := filepath.Join(setting.SSH.RootPath, authorizedPrincipalsFile) + tmpPath := fPath + ".tmp" + t, err := os.OpenFile(tmpPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600) + if err != nil { + return err + } + defer func() { + t.Close() + os.Remove(tmpPath) + }() + + if setting.SSH.AuthorizedPrincipalsBackup { + isExist, err := util.IsExist(fPath) + if err != nil { + log.Error("Unable to check if %s exists. Error: %v", fPath, err) + return err + } + if isExist { + bakPath := fmt.Sprintf("%s_%d.gitea_bak", fPath, time.Now().Unix()) + if err = util.CopyFile(fPath, bakPath); err != nil { + return err + } + } + } + + if err := regeneratePrincipalKeys(e, t); err != nil { + return err + } + + t.Close() + return os.Rename(tmpPath, fPath) +} + +// RegeneratePrincipalKeys regenerates the authorized_principals file +func RegeneratePrincipalKeys(t io.StringWriter) error { + return regeneratePrincipalKeys(x, t) +} + +func regeneratePrincipalKeys(e Engine, t io.StringWriter) error { + if err := e.Where("type = ?", KeyTypePrincipal).Iterate(new(PublicKey), func(idx int, bean interface{}) (err error) { + _, err = t.WriteString((bean.(*PublicKey)).AuthorizedString()) + return err + }); err != nil { + return err + } + + fPath := filepath.Join(setting.SSH.RootPath, authorizedPrincipalsFile) + isExist, err := util.IsExist(fPath) + if err != nil { + log.Error("Unable to check if %s exists. Error: %v", fPath, err) + return err + } + if isExist { + f, err := os.Open(fPath) + if err != nil { + return err + } + scanner := bufio.NewScanner(f) + for scanner.Scan() { + line := scanner.Text() + if strings.HasPrefix(line, tplCommentPrefix) { + scanner.Scan() + continue + } + _, err = t.WriteString(line + "\n") + if err != nil { + f.Close() + return err + } + } + f.Close() + } + return nil +} diff --git a/models/ssh_key_deploy.go b/models/ssh_key_deploy.go new file mode 100644 index 0000000000000..3189bcf456a64 --- /dev/null +++ b/models/ssh_key_deploy.go @@ -0,0 +1,299 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package models + +import ( + "fmt" + "time" + + "code.gitea.io/gitea/modules/timeutil" + "xorm.io/builder" + "xorm.io/xorm" +) + +// ________ .__ ____ __. +// \______ \ ____ ______ | | ____ ___.__.| |/ _|____ ___.__. +// | | \_/ __ \\____ \| | / _ < | || <_/ __ < | | +// | ` \ ___/| |_> > |_( <_> )___ || | \ ___/\___ | +// /_______ /\___ > __/|____/\____// ____||____|__ \___ > ____| +// \/ \/|__| \/ \/ \/\/ +// +// This file contains functions specific to DeployKeys + +// DeployKey represents deploy key information and its relation with repository. +type DeployKey struct { + ID int64 `xorm:"pk autoincr"` + KeyID int64 `xorm:"UNIQUE(s) INDEX"` + RepoID int64 `xorm:"UNIQUE(s) INDEX"` + Name string + Fingerprint string + Content string `xorm:"-"` + + Mode AccessMode `xorm:"NOT NULL DEFAULT 1"` + + CreatedUnix timeutil.TimeStamp `xorm:"created"` + UpdatedUnix timeutil.TimeStamp `xorm:"updated"` + HasRecentActivity bool `xorm:"-"` + HasUsed bool `xorm:"-"` +} + +// AfterLoad is invoked from XORM after setting the values of all fields of this object. +func (key *DeployKey) AfterLoad() { + key.HasUsed = key.UpdatedUnix > key.CreatedUnix + key.HasRecentActivity = key.UpdatedUnix.AddDuration(7*24*time.Hour) > timeutil.TimeStampNow() +} + +// GetContent gets associated public key content. +func (key *DeployKey) GetContent() error { + pkey, err := GetPublicKeyByID(key.KeyID) + if err != nil { + return err + } + key.Content = pkey.Content + return nil +} + +// IsReadOnly checks if the key can only be used for read operations +func (key *DeployKey) IsReadOnly() bool { + return key.Mode == AccessModeRead +} + +func checkDeployKey(e Engine, keyID, repoID int64, name string) error { + // Note: We want error detail, not just true or false here. + has, err := e. + Where("key_id = ? AND repo_id = ?", keyID, repoID). + Get(new(DeployKey)) + if err != nil { + return err + } else if has { + return ErrDeployKeyAlreadyExist{keyID, repoID} + } + + has, err = e. + Where("repo_id = ? AND name = ?", repoID, name). + Get(new(DeployKey)) + if err != nil { + return err + } else if has { + return ErrDeployKeyNameAlreadyUsed{repoID, name} + } + + return nil +} + +// addDeployKey adds new key-repo relation. +func addDeployKey(e *xorm.Session, keyID, repoID int64, name, fingerprint string, mode AccessMode) (*DeployKey, error) { + if err := checkDeployKey(e, keyID, repoID, name); err != nil { + return nil, err + } + + key := &DeployKey{ + KeyID: keyID, + RepoID: repoID, + Name: name, + Fingerprint: fingerprint, + Mode: mode, + } + _, err := e.Insert(key) + return key, err +} + +// HasDeployKey returns true if public key is a deploy key of given repository. +func HasDeployKey(keyID, repoID int64) bool { + has, _ := x. + Where("key_id = ? AND repo_id = ?", keyID, repoID). + Get(new(DeployKey)) + return has +} + +// AddDeployKey add new deploy key to database and authorized_keys file. +func AddDeployKey(repoID int64, name, content string, readOnly bool) (*DeployKey, error) { + fingerprint, err := calcFingerprint(content) + if err != nil { + return nil, err + } + + accessMode := AccessModeRead + if !readOnly { + accessMode = AccessModeWrite + } + + sess := x.NewSession() + defer sess.Close() + if err = sess.Begin(); err != nil { + return nil, err + } + + pkey := &PublicKey{ + Fingerprint: fingerprint, + } + has, err := sess.Get(pkey) + if err != nil { + return nil, err + } + + if has { + if pkey.Type != KeyTypeDeploy { + return nil, ErrKeyAlreadyExist{0, fingerprint, ""} + } + } else { + // First time use this deploy key. + pkey.Mode = accessMode + pkey.Type = KeyTypeDeploy + pkey.Content = content + pkey.Name = name + if err = addKey(sess, pkey); err != nil { + return nil, fmt.Errorf("addKey: %v", err) + } + } + + key, err := addDeployKey(sess, pkey.ID, repoID, name, pkey.Fingerprint, accessMode) + if err != nil { + return nil, err + } + + return key, sess.Commit() +} + +// GetDeployKeyByID returns deploy key by given ID. +func GetDeployKeyByID(id int64) (*DeployKey, error) { + return getDeployKeyByID(x, id) +} + +func getDeployKeyByID(e Engine, id int64) (*DeployKey, error) { + key := new(DeployKey) + has, err := e.ID(id).Get(key) + if err != nil { + return nil, err + } else if !has { + return nil, ErrDeployKeyNotExist{id, 0, 0} + } + return key, nil +} + +// GetDeployKeyByRepo returns deploy key by given public key ID and repository ID. +func GetDeployKeyByRepo(keyID, repoID int64) (*DeployKey, error) { + return getDeployKeyByRepo(x, keyID, repoID) +} + +func getDeployKeyByRepo(e Engine, keyID, repoID int64) (*DeployKey, error) { + key := &DeployKey{ + KeyID: keyID, + RepoID: repoID, + } + has, err := e.Get(key) + if err != nil { + return nil, err + } else if !has { + return nil, ErrDeployKeyNotExist{0, keyID, repoID} + } + return key, nil +} + +// UpdateDeployKeyCols updates deploy key information in the specified columns. +func UpdateDeployKeyCols(key *DeployKey, cols ...string) error { + _, err := x.ID(key.ID).Cols(cols...).Update(key) + return err +} + +// UpdateDeployKey updates deploy key information. +func UpdateDeployKey(key *DeployKey) error { + _, err := x.ID(key.ID).AllCols().Update(key) + return err +} + +// DeleteDeployKey deletes deploy key from its repository authorized_keys file if needed. +func DeleteDeployKey(doer *User, id int64) error { + sess := x.NewSession() + defer sess.Close() + if err := sess.Begin(); err != nil { + return err + } + if err := deleteDeployKey(sess, doer, id); err != nil { + return err + } + return sess.Commit() +} + +func deleteDeployKey(sess Engine, doer *User, id int64) error { + key, err := getDeployKeyByID(sess, id) + if err != nil { + if IsErrDeployKeyNotExist(err) { + return nil + } + return fmt.Errorf("GetDeployKeyByID: %v", err) + } + + // Check if user has access to delete this key. + if !doer.IsAdmin { + repo, err := getRepositoryByID(sess, key.RepoID) + if err != nil { + return fmt.Errorf("GetRepositoryByID: %v", err) + } + has, err := isUserRepoAdmin(sess, repo, doer) + if err != nil { + return fmt.Errorf("GetUserRepoPermission: %v", err) + } else if !has { + return ErrKeyAccessDenied{doer.ID, key.ID, "deploy"} + } + } + + if _, err = sess.ID(key.ID).Delete(new(DeployKey)); err != nil { + return fmt.Errorf("delete deploy key [%d]: %v", key.ID, err) + } + + // Check if this is the last reference to same key content. + has, err := sess. + Where("key_id = ?", key.KeyID). + Get(new(DeployKey)) + if err != nil { + return err + } else if !has { + if err = deletePublicKeys(sess, key.KeyID); err != nil { + return err + } + + // after deleted the public keys, should rewrite the public keys file + if err = rewriteAllPublicKeys(sess); err != nil { + return err + } + } + + return nil +} + +// ListDeployKeys returns all deploy keys by given repository ID. +func ListDeployKeys(repoID int64, listOptions ListOptions) ([]*DeployKey, error) { + return listDeployKeys(x, repoID, listOptions) +} + +func listDeployKeys(e Engine, repoID int64, listOptions ListOptions) ([]*DeployKey, error) { + sess := e.Where("repo_id = ?", repoID) + if listOptions.Page != 0 { + sess = listOptions.setSessionPagination(sess) + + keys := make([]*DeployKey, 0, listOptions.PageSize) + return keys, sess.Find(&keys) + } + + keys := make([]*DeployKey, 0, 5) + return keys, sess.Find(&keys) +} + +// SearchDeployKeys returns a list of deploy keys matching the provided arguments. +func SearchDeployKeys(repoID, keyID int64, fingerprint string) ([]*DeployKey, error) { + keys := make([]*DeployKey, 0, 5) + cond := builder.NewCond() + if repoID != 0 { + cond = cond.And(builder.Eq{"repo_id": repoID}) + } + if keyID != 0 { + cond = cond.And(builder.Eq{"key_id": keyID}) + } + if fingerprint != "" { + cond = cond.And(builder.Eq{"fingerprint": fingerprint}) + } + return keys, x.Where(cond).Find(&keys) +} diff --git a/models/ssh_key_fingerprint.go b/models/ssh_key_fingerprint.go new file mode 100644 index 0000000000000..96cc7d9c484f1 --- /dev/null +++ b/models/ssh_key_fingerprint.go @@ -0,0 +1,97 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package models + +import ( + "errors" + "fmt" + "strings" + + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/process" + "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/util" + "golang.org/x/crypto/ssh" +) + +// ___________.__ .__ __ +// \_ _____/|__| ____ ____ ________________________|__| _____/ |_ +// | __) | |/ \ / ___\_/ __ \_ __ \____ \_ __ \ |/ \ __\ +// | \ | | | \/ /_/ > ___/| | \/ |_> > | \/ | | \ | +// \___ / |__|___| /\___ / \___ >__| | __/|__| |__|___| /__| +// \/ \//_____/ \/ |__| \/ +// +// This file contains functions for fingerprinting SSH keys +// +// The database is used in checkKeyFingerprint however most of these functions probably belong in a module + +// checkKeyFingerprint only checks if key fingerprint has been used as public key, +// it is OK to use same key as deploy key for multiple repositories/users. +func checkKeyFingerprint(e Engine, fingerprint string) error { + has, err := e.Get(&PublicKey{ + Fingerprint: fingerprint, + }) + if err != nil { + return err + } else if has { + return ErrKeyAlreadyExist{0, fingerprint, ""} + } + return nil +} + +func calcFingerprintSSHKeygen(publicKeyContent string) (string, error) { + // Calculate fingerprint. + tmpPath, err := writeTmpKeyFile(publicKeyContent) + if err != nil { + return "", err + } + defer func() { + if err := util.Remove(tmpPath); err != nil { + log.Warn("Unable to remove temporary key file: %s: Error: %v", tmpPath, err) + } + }() + stdout, stderr, err := process.GetManager().Exec("AddPublicKey", "ssh-keygen", "-lf", tmpPath) + if err != nil { + if strings.Contains(stderr, "is not a public key file") { + return "", ErrKeyUnableVerify{stderr} + } + return "", fmt.Errorf("'ssh-keygen -lf %s' failed with error '%s': %s", tmpPath, err, stderr) + } else if len(stdout) < 2 { + return "", errors.New("not enough output for calculating fingerprint: " + stdout) + } + return strings.Split(stdout, " ")[1], nil +} + +func calcFingerprintNative(publicKeyContent string) (string, error) { + // Calculate fingerprint. + pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(publicKeyContent)) + if err != nil { + return "", err + } + return ssh.FingerprintSHA256(pk), nil +} + +func calcFingerprint(publicKeyContent string) (string, error) { + // Call the method based on configuration + var ( + fnName, fp string + err error + ) + if setting.SSH.StartBuiltinServer { + fnName = "calcFingerprintNative" + fp, err = calcFingerprintNative(publicKeyContent) + } else { + fnName = "calcFingerprintSSHKeygen" + fp, err = calcFingerprintSSHKeygen(publicKeyContent) + } + if err != nil { + if IsErrKeyUnableVerify(err) { + log.Info("%s", publicKeyContent) + return "", err + } + return "", fmt.Errorf("%s: %v", fnName, err) + } + return fp, nil +} diff --git a/models/ssh_key_parse.go b/models/ssh_key_parse.go new file mode 100644 index 0000000000000..a86b7de02a8f8 --- /dev/null +++ b/models/ssh_key_parse.go @@ -0,0 +1,309 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package models + +import ( + "crypto/rsa" + "crypto/x509" + "encoding/asn1" + "encoding/base64" + "encoding/binary" + "encoding/pem" + "errors" + "fmt" + "io/ioutil" + "math/big" + "strconv" + "strings" + + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/process" + "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/util" + "golang.org/x/crypto/ssh" +) + +// ____ __. __________ +// | |/ _|____ ___.__. \______ \_____ _______ ______ ___________ +// | <_/ __ < | | | ___/\__ \\_ __ \/ ___// __ \_ __ \ +// | | \ ___/\___ | | | / __ \| | \/\___ \\ ___/| | \/ +// |____|__ \___ > ____| |____| (____ /__| /____ >\___ >__| +// \/ \/\/ \/ \/ \/ +// +// This file contains functiosn for parsing ssh-keys +// +// TODO: Consider if these functions belong in models - no other models function call them or are called by them +// They may belong in a service or a module + +const ssh2keyStart = "---- BEGIN SSH2 PUBLIC KEY ----" + +func extractTypeFromBase64Key(key string) (string, error) { + b, err := base64.StdEncoding.DecodeString(key) + if err != nil || len(b) < 4 { + return "", fmt.Errorf("invalid key format: %v", err) + } + + keyLength := int(binary.BigEndian.Uint32(b)) + if len(b) < 4+keyLength { + return "", fmt.Errorf("invalid key format: not enough length %d", keyLength) + } + + return string(b[4 : 4+keyLength]), nil +} + +// parseKeyString parses any key string in OpenSSH or SSH2 format to clean OpenSSH string (RFC4253). +func parseKeyString(content string) (string, error) { + // remove whitespace at start and end + content = strings.TrimSpace(content) + + var keyType, keyContent, keyComment string + + if strings.HasPrefix(content, ssh2keyStart) { + // Parse SSH2 file format. + + // Transform all legal line endings to a single "\n". + content = strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(content) + + lines := strings.Split(content, "\n") + continuationLine := false + + for _, line := range lines { + // Skip lines that: + // 1) are a continuation of the previous line, + // 2) contain ":" as that are comment lines + // 3) contain "-" as that are begin and end tags + if continuationLine || strings.ContainsAny(line, ":-") { + continuationLine = strings.HasSuffix(line, "\\") + } else { + keyContent += line + } + } + + t, err := extractTypeFromBase64Key(keyContent) + if err != nil { + return "", fmt.Errorf("extractTypeFromBase64Key: %v", err) + } + keyType = t + } else { + if strings.Contains(content, "-----BEGIN") { + // Convert PEM Keys to OpenSSH format + // Transform all legal line endings to a single "\n". + content = strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(content) + + block, _ := pem.Decode([]byte(content)) + if block == nil { + return "", fmt.Errorf("failed to parse PEM block containing the public key") + } + + pub, err := x509.ParsePKIXPublicKey(block.Bytes) + if err != nil { + var pk rsa.PublicKey + _, err2 := asn1.Unmarshal(block.Bytes, &pk) + if err2 != nil { + return "", fmt.Errorf("failed to parse DER encoded public key as either PKIX or PEM RSA Key: %v %v", err, err2) + } + pub = &pk + } + + sshKey, err := ssh.NewPublicKey(pub) + if err != nil { + return "", fmt.Errorf("unable to convert to ssh public key: %v", err) + } + content = string(ssh.MarshalAuthorizedKey(sshKey)) + } + // Parse OpenSSH format. + + // Remove all newlines + content = strings.NewReplacer("\r\n", "", "\n", "").Replace(content) + + parts := strings.SplitN(content, " ", 3) + switch len(parts) { + case 0: + return "", errors.New("empty key") + case 1: + keyContent = parts[0] + case 2: + keyType = parts[0] + keyContent = parts[1] + default: + keyType = parts[0] + keyContent = parts[1] + keyComment = parts[2] + } + + // If keyType is not given, extract it from content. If given, validate it. + t, err := extractTypeFromBase64Key(keyContent) + if err != nil { + return "", fmt.Errorf("extractTypeFromBase64Key: %v", err) + } + if len(keyType) == 0 { + keyType = t + } else if keyType != t { + return "", fmt.Errorf("key type and content does not match: %s - %s", keyType, t) + } + } + // Finally we need to check whether we can actually read the proposed key: + _, _, _, _, err := ssh.ParseAuthorizedKey([]byte(keyType + " " + keyContent + " " + keyComment)) + if err != nil { + return "", fmt.Errorf("invalid ssh public key: %v", err) + } + return keyType + " " + keyContent + " " + keyComment, nil +} + +// CheckPublicKeyString checks if the given public key string is recognized by SSH. +// It returns the actual public key line on success. +func CheckPublicKeyString(content string) (_ string, err error) { + if setting.SSH.Disabled { + return "", ErrSSHDisabled{} + } + + content, err = parseKeyString(content) + if err != nil { + return "", err + } + + content = strings.TrimRight(content, "\n\r") + if strings.ContainsAny(content, "\n\r") { + return "", errors.New("only a single line with a single key please") + } + + // remove any unnecessary whitespace now + content = strings.TrimSpace(content) + + if !setting.SSH.MinimumKeySizeCheck { + return content, nil + } + + var ( + fnName string + keyType string + length int + ) + if setting.SSH.StartBuiltinServer { + fnName = "SSHNativeParsePublicKey" + keyType, length, err = SSHNativeParsePublicKey(content) + } else { + fnName = "SSHKeyGenParsePublicKey" + keyType, length, err = SSHKeyGenParsePublicKey(content) + } + if err != nil { + return "", fmt.Errorf("%s: %v", fnName, err) + } + log.Trace("Key info [native: %v]: %s-%d", setting.SSH.StartBuiltinServer, keyType, length) + + if minLen, found := setting.SSH.MinimumKeySizes[keyType]; found && length >= minLen { + return content, nil + } else if found && length < minLen { + return "", fmt.Errorf("key length is not enough: got %d, needs %d", length, minLen) + } + return "", fmt.Errorf("key type is not allowed: %s", keyType) +} + +// SSHNativeParsePublicKey extracts the key type and length using the golang SSH library. +func SSHNativeParsePublicKey(keyLine string) (string, int, error) { + fields := strings.Fields(keyLine) + if len(fields) < 2 { + return "", 0, fmt.Errorf("not enough fields in public key line: %s", keyLine) + } + + raw, err := base64.StdEncoding.DecodeString(fields[1]) + if err != nil { + return "", 0, err + } + + pkey, err := ssh.ParsePublicKey(raw) + if err != nil { + if strings.Contains(err.Error(), "ssh: unknown key algorithm") { + return "", 0, ErrKeyUnableVerify{err.Error()} + } + return "", 0, fmt.Errorf("ParsePublicKey: %v", err) + } + + // The ssh library can parse the key, so next we find out what key exactly we have. + switch pkey.Type() { + case ssh.KeyAlgoDSA: + rawPub := struct { + Name string + P, Q, G, Y *big.Int + }{} + if err := ssh.Unmarshal(pkey.Marshal(), &rawPub); err != nil { + return "", 0, err + } + // as per https://bugzilla.mindrot.org/show_bug.cgi?id=1647 we should never + // see dsa keys != 1024 bit, but as it seems to work, we will not check here + return "dsa", rawPub.P.BitLen(), nil // use P as per crypto/dsa/dsa.go (is L) + case ssh.KeyAlgoRSA: + rawPub := struct { + Name string + E *big.Int + N *big.Int + }{} + if err := ssh.Unmarshal(pkey.Marshal(), &rawPub); err != nil { + return "", 0, err + } + return "rsa", rawPub.N.BitLen(), nil // use N as per crypto/rsa/rsa.go (is bits) + case ssh.KeyAlgoECDSA256: + return "ecdsa", 256, nil + case ssh.KeyAlgoECDSA384: + return "ecdsa", 384, nil + case ssh.KeyAlgoECDSA521: + return "ecdsa", 521, nil + case ssh.KeyAlgoED25519: + return "ed25519", 256, nil + case ssh.KeyAlgoSKECDSA256: + return "ecdsa-sk", 256, nil + case ssh.KeyAlgoSKED25519: + return "ed25519-sk", 256, nil + } + return "", 0, fmt.Errorf("unsupported key length detection for type: %s", pkey.Type()) +} + +// writeTmpKeyFile writes key content to a temporary file +// and returns the name of that file, along with any possible errors. +func writeTmpKeyFile(content string) (string, error) { + tmpFile, err := ioutil.TempFile(setting.SSH.KeyTestPath, "gitea_keytest") + if err != nil { + return "", fmt.Errorf("TempFile: %v", err) + } + defer tmpFile.Close() + + if _, err = tmpFile.WriteString(content); err != nil { + return "", fmt.Errorf("WriteString: %v", err) + } + return tmpFile.Name(), nil +} + +// SSHKeyGenParsePublicKey extracts key type and length using ssh-keygen. +func SSHKeyGenParsePublicKey(key string) (string, int, error) { + tmpName, err := writeTmpKeyFile(key) + if err != nil { + return "", 0, fmt.Errorf("writeTmpKeyFile: %v", err) + } + defer func() { + if err := util.Remove(tmpName); err != nil { + log.Warn("Unable to remove temporary key file: %s: Error: %v", tmpName, err) + } + }() + + stdout, stderr, err := process.GetManager().Exec("SSHKeyGenParsePublicKey", setting.SSH.KeygenPath, "-lf", tmpName) + if err != nil { + return "", 0, fmt.Errorf("fail to parse public key: %s - %s", err, stderr) + } + if strings.Contains(stdout, "is not a public key file") { + return "", 0, ErrKeyUnableVerify{stdout} + } + + fields := strings.Split(stdout, " ") + if len(fields) < 4 { + return "", 0, fmt.Errorf("invalid public key line: %s", stdout) + } + + keyType := strings.Trim(fields[len(fields)-1], "()\r\n") + length, err := strconv.ParseInt(fields[0], 10, 32) + if err != nil { + return "", 0, err + } + return strings.ToLower(keyType), int(length), nil +} diff --git a/models/ssh_key_principals.go b/models/ssh_key_principals.go new file mode 100644 index 0000000000000..3459e43c8b042 --- /dev/null +++ b/models/ssh_key_principals.go @@ -0,0 +1,125 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package models + +import ( + "errors" + "fmt" + "strings" + + "code.gitea.io/gitea/modules/setting" +) + +// __________ .__ .__ .__ +// \______ _______|__| ____ ____ |_____________ | | ______ +// | ___\_ __ | |/ \_/ ___\| \____ \__ \ | | / ___/ +// | | | | \| | | \ \___| | |_> / __ \| |__\___ \ +// |____| |__| |__|___| /\___ |__| __(____ |____/____ > +// \/ \/ |__| \/ \/ +// +// This file contains functions related to principals + +// AddPrincipalKey adds new principal to database and authorized_principals file. +func AddPrincipalKey(ownerID int64, content string, loginSourceID int64) (*PublicKey, error) { + sess := x.NewSession() + defer sess.Close() + if err := sess.Begin(); err != nil { + return nil, err + } + + // Principals cannot be duplicated. + has, err := sess. + Where("content = ? AND type = ?", content, KeyTypePrincipal). + Get(new(PublicKey)) + if err != nil { + return nil, err + } else if has { + return nil, ErrKeyAlreadyExist{0, "", content} + } + + key := &PublicKey{ + OwnerID: ownerID, + Name: content, + Content: content, + Mode: AccessModeWrite, + Type: KeyTypePrincipal, + LoginSourceID: loginSourceID, + } + if err = addPrincipalKey(sess, key); err != nil { + return nil, fmt.Errorf("addKey: %v", err) + } + + if err = sess.Commit(); err != nil { + return nil, err + } + + sess.Close() + + return key, RewriteAllPrincipalKeys() +} + +func addPrincipalKey(e Engine, key *PublicKey) (err error) { + // Save Key representing a principal. + if _, err = e.Insert(key); err != nil { + return err + } + + return nil +} + +// CheckPrincipalKeyString strips spaces and returns an error if the given principal contains newlines +func CheckPrincipalKeyString(user *User, content string) (_ string, err error) { + if setting.SSH.Disabled { + return "", ErrSSHDisabled{} + } + + content = strings.TrimSpace(content) + if strings.ContainsAny(content, "\r\n") { + return "", errors.New("only a single line with a single principal please") + } + + // check all the allowed principals, email, username or anything + // if any matches, return ok + for _, v := range setting.SSH.AuthorizedPrincipalsAllow { + switch v { + case "anything": + return content, nil + case "email": + emails, err := GetEmailAddresses(user.ID) + if err != nil { + return "", err + } + for _, email := range emails { + if !email.IsActivated { + continue + } + if content == email.Email { + return content, nil + } + } + + case "username": + if content == user.Name { + return content, nil + } + } + } + + return "", fmt.Errorf("didn't match allowed principals: %s", setting.SSH.AuthorizedPrincipalsAllow) +} + +// ListPrincipalKeys returns a list of principals belongs to given user. +func ListPrincipalKeys(uid int64, listOptions ListOptions) ([]*PublicKey, error) { + sess := x.Where("owner_id = ? AND type = ?", uid, KeyTypePrincipal) + if listOptions.Page != 0 { + sess = listOptions.setSessionPagination(sess) + + keys := make([]*PublicKey, 0, listOptions.PageSize) + return keys, sess.Find(&keys) + } + + keys := make([]*PublicKey, 0, 5) + return keys, sess.Find(&keys) +} diff --git a/models/user.go b/models/user.go index e5d8f5fdaba19..dc44c7d217f46 100644 --- a/models/user.go +++ b/models/user.go @@ -34,7 +34,6 @@ import ( "golang.org/x/crypto/bcrypt" "golang.org/x/crypto/pbkdf2" "golang.org/x/crypto/scrypt" - "golang.org/x/crypto/ssh" "xorm.io/builder" ) @@ -1634,143 +1633,6 @@ func GetWatchedRepos(userID int64, private bool, listOptions ListOptions) ([]*Re return repos, sess.Find(&repos) } -// deleteKeysMarkedForDeletion returns true if ssh keys needs update -func deleteKeysMarkedForDeletion(keys []string) (bool, error) { - // Start session - sess := x.NewSession() - defer sess.Close() - if err := sess.Begin(); err != nil { - return false, err - } - - // Delete keys marked for deletion - var sshKeysNeedUpdate bool - for _, KeyToDelete := range keys { - key, err := searchPublicKeyByContentWithEngine(sess, KeyToDelete) - if err != nil { - log.Error("SearchPublicKeyByContent: %v", err) - continue - } - if err = deletePublicKeys(sess, key.ID); err != nil { - log.Error("deletePublicKeys: %v", err) - continue - } - sshKeysNeedUpdate = true - } - - if err := sess.Commit(); err != nil { - return false, err - } - - return sshKeysNeedUpdate, nil -} - -// AddPublicKeysBySource add a users public keys. Returns true if there are changes. -func AddPublicKeysBySource(usr *User, s *LoginSource, sshPublicKeys []string) bool { - var sshKeysNeedUpdate bool - for _, sshKey := range sshPublicKeys { - var err error - found := false - keys := []byte(sshKey) - loop: - for len(keys) > 0 && err == nil { - var out ssh.PublicKey - // We ignore options as they are not relevant to Gitea - out, _, _, keys, err = ssh.ParseAuthorizedKey(keys) - if err != nil { - break loop - } - found = true - marshalled := string(ssh.MarshalAuthorizedKey(out)) - marshalled = marshalled[:len(marshalled)-1] - sshKeyName := fmt.Sprintf("%s-%s", s.Name, ssh.FingerprintSHA256(out)) - - if _, err := AddPublicKey(usr.ID, sshKeyName, marshalled, s.ID); err != nil { - if IsErrKeyAlreadyExist(err) { - log.Trace("AddPublicKeysBySource[%s]: Public SSH Key %s already exists for user", sshKeyName, usr.Name) - } else { - log.Error("AddPublicKeysBySource[%s]: Error adding Public SSH Key for user %s: %v", sshKeyName, usr.Name, err) - } - } else { - log.Trace("AddPublicKeysBySource[%s]: Added Public SSH Key for user %s", sshKeyName, usr.Name) - sshKeysNeedUpdate = true - } - } - if !found && err != nil { - log.Warn("AddPublicKeysBySource[%s]: Skipping invalid Public SSH Key for user %s: %v", s.Name, usr.Name, sshKey) - } - } - return sshKeysNeedUpdate -} - -// SynchronizePublicKeys updates a users public keys. Returns true if there are changes. -func SynchronizePublicKeys(usr *User, s *LoginSource, sshPublicKeys []string) bool { - var sshKeysNeedUpdate bool - - log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name) - - // Get Public Keys from DB with current LDAP source - var giteaKeys []string - keys, err := ListPublicKeysBySource(usr.ID, s.ID) - if err != nil { - log.Error("synchronizePublicKeys[%s]: Error listing Public SSH Keys for user %s: %v", s.Name, usr.Name, err) - } - - for _, v := range keys { - giteaKeys = append(giteaKeys, v.OmitEmail()) - } - - // Process the provided keys to remove duplicates and name part - var providedKeys []string - for _, v := range sshPublicKeys { - sshKeySplit := strings.Split(v, " ") - if len(sshKeySplit) > 1 { - key := strings.Join(sshKeySplit[:2], " ") - if !util.ExistsInSlice(key, providedKeys) { - providedKeys = append(providedKeys, key) - } - } - } - - // Check if Public Key sync is needed - if util.IsEqualSlice(giteaKeys, providedKeys) { - log.Trace("synchronizePublicKeys[%s]: Public Keys are already in sync for %s (Source:%v/DB:%v)", s.Name, usr.Name, len(providedKeys), len(giteaKeys)) - return false - } - log.Trace("synchronizePublicKeys[%s]: Public Key needs update for user %s (Source:%v/DB:%v)", s.Name, usr.Name, len(providedKeys), len(giteaKeys)) - - // Add new Public SSH Keys that doesn't already exist in DB - var newKeys []string - for _, key := range providedKeys { - if !util.ExistsInSlice(key, giteaKeys) { - newKeys = append(newKeys, key) - } - } - if AddPublicKeysBySource(usr, s, newKeys) { - sshKeysNeedUpdate = true - } - - // Mark keys from DB that no longer exist in the source for deletion - var giteaKeysToDelete []string - for _, giteaKey := range giteaKeys { - if !util.ExistsInSlice(giteaKey, providedKeys) { - log.Trace("synchronizePublicKeys[%s]: Marking Public SSH Key for deletion for user %s: %v", s.Name, usr.Name, giteaKey) - giteaKeysToDelete = append(giteaKeysToDelete, giteaKey) - } - } - - // Delete keys from DB that no longer exist in the source - needUpd, err := deleteKeysMarkedForDeletion(giteaKeysToDelete) - if err != nil { - log.Error("synchronizePublicKeys[%s]: Error deleting Public Keys marked for deletion for user %s: %v", s.Name, usr.Name, err) - } - if needUpd { - sshKeysNeedUpdate = true - } - - return sshKeysNeedUpdate -} - // IterateUser iterate users func IterateUser(f func(user *User) error) error { var start int From bb1ff63793b5288be76ea9e0d31cbc0527329074 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 19 Jun 2021 20:50:05 +0100 Subject: [PATCH 07/44] Extract out login-sources from models Signed-off-by: Andrew Thornton --- cmd/admin.go | 8 +- cmd/admin_auth_ldap.go | 17 +- cmd/admin_auth_ldap_test.go | 99 ++++--- models/login_source.go | 278 +++++------------- models/oauth2.go | 45 +-- models/ssh_key.go | 12 +- models/ssh_key_authorized_keys.go | 1 + modules/auth/ldap/ldap.go | 12 + routers/web/admin/auths.go | 36 ++- routers/web/user/auth.go | 7 +- routers/web/user/setting/security.go | 3 +- services/auth/interface.go | 11 + services/auth/signin.go | 109 +++---- services/auth/source/db/login.go | 38 +++ services/auth/source/ldap/source.go | 84 ++++++ .../ldap/{login.go => source_authenticate.go} | 27 +- .../source/ldap/{sync.go => source_sync.go} | 24 +- services/auth/source/oauth2/providers.go | 38 +++ services/auth/source/oauth2/source.go | 44 +++ .../auth/source/oauth2/source_register.go | 26 ++ services/auth/source/pam/source.go | 39 +++ .../pam/{login.go => source_authenticate.go} | 19 +- services/auth/source/smtp/auth.go | 10 +- services/auth/source/smtp/source.go | 58 ++++ .../smtp/{login.go => source_authenticate.go} | 27 +- services/auth/source/sspi/source.go | 42 +++ services/auth/sspi_windows.go | 11 +- services/auth/sync.go | 5 +- 28 files changed, 657 insertions(+), 473 deletions(-) create mode 100644 services/auth/source/db/login.go create mode 100644 services/auth/source/ldap/source.go rename services/auth/source/ldap/{login.go => source_authenticate.go} (67%) rename services/auth/source/ldap/{sync.go => source_sync.go} (86%) create mode 100644 services/auth/source/oauth2/providers.go create mode 100644 services/auth/source/oauth2/source.go create mode 100644 services/auth/source/oauth2/source_register.go create mode 100644 services/auth/source/pam/source.go rename services/auth/source/pam/{login.go => source_authenticate.go} (70%) create mode 100644 services/auth/source/smtp/source.go rename services/auth/source/smtp/{login.go => source_authenticate.go} (62%) create mode 100644 services/auth/source/sspi/source.go diff --git a/cmd/admin.go b/cmd/admin.go index f58a1f99607af..da04e181275d7 100644 --- a/cmd/admin.go +++ b/cmd/admin.go @@ -15,6 +15,8 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/auth/oauth2" + oauth2Service "code.gitea.io/gitea/services/auth/source/oauth2" + "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/graceful" "code.gitea.io/gitea/modules/log" @@ -597,7 +599,7 @@ func runRegenerateKeys(_ *cli.Context) error { return models.RewriteAllPublicKeys() } -func parseOAuth2Config(c *cli.Context) *models.OAuth2Config { +func parseOAuth2Config(c *cli.Context) *oauth2Service.Source { var customURLMapping *oauth2.CustomURLMapping if c.IsSet("use-custom-urls") { customURLMapping = &oauth2.CustomURLMapping{ @@ -609,7 +611,7 @@ func parseOAuth2Config(c *cli.Context) *models.OAuth2Config { } else { customURLMapping = nil } - return &models.OAuth2Config{ + return &oauth2Service.Source{ Provider: c.String("provider"), ClientID: c.String("key"), ClientSecret: c.String("secret"), @@ -646,7 +648,7 @@ func runUpdateOauth(c *cli.Context) error { return err } - oAuth2Config := source.OAuth2() + oAuth2Config := source.Cfg.(*oauth2Service.Source) if c.IsSet("name") { source.Name = c.String("name") diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go index 5ab64ec7d53c5..aab26082e90b6 100644 --- a/cmd/admin_auth_ldap.go +++ b/cmd/admin_auth_ldap.go @@ -10,6 +10,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/auth/ldap" + ldapService "code.gitea.io/gitea/services/auth/source/ldap" "github.com/urfave/cli" ) @@ -180,7 +181,7 @@ func parseLoginSource(c *cli.Context, loginSource *models.LoginSource) { } // parseLdapConfig assigns values on config according to command line flags. -func parseLdapConfig(c *cli.Context, config *models.LDAPConfig) error { +func parseLdapConfig(c *cli.Context, config *ldapService.Source) error { if c.IsSet("name") { config.Source.Name = c.String("name") } @@ -251,7 +252,7 @@ func parseLdapConfig(c *cli.Context, config *models.LDAPConfig) error { // findLdapSecurityProtocolByName finds security protocol by its name ignoring case. // It returns the value of the security protocol and if it was found. func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) { - for i, n := range models.SecurityProtocolNames { + for i, n := range ldap.SecurityProtocolNames { if strings.EqualFold(name, n) { return i, true } @@ -291,7 +292,7 @@ func (a *authService) addLdapBindDn(c *cli.Context) error { loginSource := &models.LoginSource{ Type: models.LoginLDAP, IsActived: true, // active by default - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Enabled: true, // always true }, @@ -299,7 +300,7 @@ func (a *authService) addLdapBindDn(c *cli.Context) error { } parseLoginSource(c, loginSource) - if err := parseLdapConfig(c, loginSource.LDAP()); err != nil { + if err := parseLdapConfig(c, loginSource.Cfg.(*ldapService.Source)); err != nil { return err } @@ -318,7 +319,7 @@ func (a *authService) updateLdapBindDn(c *cli.Context) error { } parseLoginSource(c, loginSource) - if err := parseLdapConfig(c, loginSource.LDAP()); err != nil { + if err := parseLdapConfig(c, loginSource.Cfg.(*ldapService.Source)); err != nil { return err } @@ -338,7 +339,7 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error { loginSource := &models.LoginSource{ Type: models.LoginDLDAP, IsActived: true, // active by default - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Enabled: true, // always true }, @@ -346,7 +347,7 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error { } parseLoginSource(c, loginSource) - if err := parseLdapConfig(c, loginSource.LDAP()); err != nil { + if err := parseLdapConfig(c, loginSource.Cfg.(*ldapService.Source)); err != nil { return err } @@ -365,7 +366,7 @@ func (a *authService) updateLdapSimpleAuth(c *cli.Context) error { } parseLoginSource(c, loginSource) - if err := parseLdapConfig(c, loginSource.LDAP()); err != nil { + if err := parseLdapConfig(c, loginSource.Cfg.(*ldapService.Source)); err != nil { return err } diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go index 87f4f789ab0ab..d051feee5bcd5 100644 --- a/cmd/admin_auth_ldap_test.go +++ b/cmd/admin_auth_ldap_test.go @@ -9,6 +9,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/auth/ldap" + ldapService "code.gitea.io/gitea/services/auth/source/ldap" "github.com/stretchr/testify/assert" "github.com/urfave/cli" @@ -56,7 +57,7 @@ func TestAddLdapBindDn(t *testing.T) { Name: "ldap (via Bind DN) source full", IsActived: false, IsSyncEnabled: true, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Name: "ldap (via Bind DN) source full", Host: "ldap-bind-server full", @@ -97,7 +98,7 @@ func TestAddLdapBindDn(t *testing.T) { Type: models.LoginLDAP, Name: "ldap (via Bind DN) source min", IsActived: true, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Name: "ldap (via Bind DN) source min", Host: "ldap-bind-server min", @@ -279,7 +280,7 @@ func TestAddLdapSimpleAuth(t *testing.T) { Type: models.LoginDLDAP, Name: "ldap (simple auth) source full", IsActived: false, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Name: "ldap (simple auth) source full", Host: "ldap-simple-server full", @@ -317,7 +318,7 @@ func TestAddLdapSimpleAuth(t *testing.T) { Type: models.LoginDLDAP, Name: "ldap (simple auth) source min", IsActived: true, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Name: "ldap (simple auth) source min", Host: "ldap-simple-server min", @@ -518,7 +519,7 @@ func TestUpdateLdapBindDn(t *testing.T) { existingLoginSource: &models.LoginSource{ Type: models.LoginLDAP, IsActived: true, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Enabled: true, }, @@ -529,7 +530,7 @@ func TestUpdateLdapBindDn(t *testing.T) { Name: "ldap (via Bind DN) source full", IsActived: false, IsSyncEnabled: true, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Name: "ldap (via Bind DN) source full", Host: "ldap-bind-server full", @@ -562,7 +563,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, @@ -577,7 +578,7 @@ func TestUpdateLdapBindDn(t *testing.T) { loginSource: &models.LoginSource{ Type: models.LoginLDAP, Name: "ldap (via Bind DN) source", - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Name: "ldap (via Bind DN) source", }, @@ -594,14 +595,14 @@ func TestUpdateLdapBindDn(t *testing.T) { existingLoginSource: &models.LoginSource{ Type: models.LoginLDAP, IsActived: true, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, IsActived: false, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, @@ -615,7 +616,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ SecurityProtocol: ldap.SecurityProtocol(1), }, @@ -631,7 +632,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ SkipVerify: true, }, @@ -647,7 +648,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Host: "ldap-server", }, @@ -663,7 +664,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Port: 389, }, @@ -679,7 +680,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ UserBase: "ou=Users,dc=domain,dc=org", }, @@ -695,7 +696,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Filter: "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)", }, @@ -711,7 +712,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", }, @@ -727,7 +728,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeUsername: "uid", }, @@ -743,7 +744,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeName: "givenName", }, @@ -759,7 +760,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeSurname: "sn", }, @@ -775,7 +776,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeMail: "mail", }, @@ -791,7 +792,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributesInBind: true, }, @@ -807,7 +808,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeSSHPublicKey: "publickey", }, @@ -823,7 +824,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ BindDN: "cn=readonly,dc=domain,dc=org", }, @@ -839,7 +840,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ BindPassword: "secret", }, @@ -856,7 +857,7 @@ func TestUpdateLdapBindDn(t *testing.T) { loginSource: &models.LoginSource{ Type: models.LoginLDAP, IsSyncEnabled: true, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, @@ -870,7 +871,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ SearchPageSize: 12, }, @@ -901,7 +902,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, existingLoginSource: &models.LoginSource{ Type: models.LoginOAuth2, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, @@ -933,7 +934,7 @@ func TestUpdateLdapBindDn(t *testing.T) { } return &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, nil @@ -997,7 +998,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { Type: models.LoginDLDAP, Name: "ldap (simple auth) source full", IsActived: false, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Name: "ldap (simple auth) source full", Host: "ldap-simple-server full", @@ -1026,7 +1027,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, @@ -1041,7 +1042,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { loginSource: &models.LoginSource{ Type: models.LoginDLDAP, Name: "ldap (simple auth) source", - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Name: "ldap (simple auth) source", }, @@ -1058,14 +1059,14 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { existingLoginSource: &models.LoginSource{ Type: models.LoginDLDAP, IsActived: true, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, IsActived: false, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, @@ -1079,7 +1080,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ SecurityProtocol: ldap.SecurityProtocol(2), }, @@ -1095,7 +1096,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ SkipVerify: true, }, @@ -1111,7 +1112,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Host: "ldap-server", }, @@ -1127,7 +1128,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Port: 987, }, @@ -1143,7 +1144,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ UserBase: "ou=Users,dc=domain,dc=org", }, @@ -1159,7 +1160,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ Filter: "(&(objectClass=posixAccount)(cn=%s))", }, @@ -1175,7 +1176,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", }, @@ -1191,7 +1192,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeUsername: "uid", }, @@ -1207,7 +1208,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeName: "givenName", }, @@ -1223,7 +1224,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeSurname: "sn", }, @@ -1239,7 +1240,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeMail: "mail", }, @@ -1255,7 +1256,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ AttributeSSHPublicKey: "publickey", }, @@ -1271,7 +1272,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{ UserDN: "cn=%s,ou=Users,dc=domain,dc=org", }, @@ -1302,7 +1303,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, existingLoginSource: &models.LoginSource{ Type: models.LoginPAM, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, @@ -1334,7 +1335,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { } return &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &models.LDAPConfig{ + Cfg: &ldapService.Source{ Source: &ldap.Source{}, }, }, nil diff --git a/models/login_source.go b/models/login_source.go index 0ac24d680a571..b7b734b4b72e1 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -6,16 +6,12 @@ package models import ( - "fmt" + "reflect" "strconv" - "code.gitea.io/gitea/modules/auth/ldap" "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/log" - "code.gitea.io/gitea/modules/secret" - "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/timeutil" - jsoniter "github.com/json-iterator/go" "xorm.io/xorm" "xorm.io/xorm/convert" @@ -36,6 +32,11 @@ const ( LoginSSPI // 7 ) +// String returns the string name of the LoginType +func (typ LoginType) String() string { + return LoginNames[typ] +} + // LoginNames contains the name of LoginType values. var LoginNames = map[LoginType]string{ LoginLDAP: "LDAP (via BindDN)", @@ -46,141 +47,42 @@ var LoginNames = map[LoginType]string{ LoginSSPI: "SPNEGO with SSPI", } -// SecurityProtocolNames contains the name of SecurityProtocol values. -var SecurityProtocolNames = map[ldap.SecurityProtocol]string{ - ldap.SecurityProtocolUnencrypted: "Unencrypted", - ldap.SecurityProtocolLDAPS: "LDAPS", - ldap.SecurityProtocolStartTLS: "StartTLS", +// LoginConfig represents login config as far as the db is concerned +type LoginConfig interface { + convert.Conversion } -// Ensure structs implemented interface. -var ( - _ convert.Conversion = &LDAPConfig{} - _ convert.Conversion = &SMTPConfig{} - _ convert.Conversion = &PAMConfig{} - _ convert.Conversion = &OAuth2Config{} - _ convert.Conversion = &SSPIConfig{} -) - -// LDAPConfig holds configuration for LDAP login source. -type LDAPConfig struct { - *ldap.Source +// SkipVerifiable configurations provide a IsSkipVerify to check if SkipVerify is set +type SkipVerifiable interface { + IsSkipVerify() bool } -// FromDB fills up a LDAPConfig from serialized format. -func (cfg *LDAPConfig) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - err := json.Unmarshal(bs, &cfg) - if err != nil { - return err - } - if cfg.BindPasswordEncrypt != "" { - cfg.BindPassword, err = secret.DecryptSecret(setting.SecretKey, cfg.BindPasswordEncrypt) - cfg.BindPasswordEncrypt = "" - } - return err +// HasTLSer configurations provide a HasTLS to check if TLS can be enabled +type HasTLSer interface { + HasTLS() bool } -// ToDB exports a LDAPConfig to a serialized format. -func (cfg *LDAPConfig) ToDB() ([]byte, error) { - var err error - cfg.BindPasswordEncrypt, err = secret.EncryptSecret(setting.SecretKey, cfg.BindPassword) - if err != nil { - return nil, err - } - cfg.BindPassword = "" - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Marshal(cfg) -} - -// SecurityProtocolName returns the name of configured security -// protocol. -func (cfg *LDAPConfig) SecurityProtocolName() string { - return SecurityProtocolNames[cfg.SecurityProtocol] -} - -// SMTPConfig holds configuration for the SMTP login source. -type SMTPConfig struct { - Auth string - Host string - Port int - AllowedDomains string `xorm:"TEXT"` - TLS bool - SkipVerify bool +// UseTLSer configurations provide a HasTLS to check if TLS is enabled +type UseTLSer interface { + UseTLS() bool } -// FromDB fills up an SMTPConfig from serialized format. -func (cfg *SMTPConfig) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, cfg) +// SSHKeyProvider configurations provide ProvidesSSHKeys to check if they provide SSHKeys +type SSHKeyProvider interface { + ProvidesSSHKeys() bool } -// ToDB exports an SMTPConfig to a serialized format. -func (cfg *SMTPConfig) ToDB() ([]byte, error) { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Marshal(cfg) +// RegisterableSource configurations provide RegisterSource which needs to be run on creation +type RegisterableSource interface { + RegisterSource(*LoginSource) error } -// PAMConfig holds configuration for the PAM login source. -type PAMConfig struct { - ServiceName string // pam service (e.g. system-auth) - EmailDomain string +// RegisterLoginTypeConfig register a config for a provided type +func RegisterLoginTypeConfig(typ LoginType, config LoginConfig) { + registeredLoginConfigs[typ] = config } -// FromDB fills up a PAMConfig from serialized format. -func (cfg *PAMConfig) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, &cfg) -} - -// ToDB exports a PAMConfig to a serialized format. -func (cfg *PAMConfig) ToDB() ([]byte, error) { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Marshal(cfg) -} - -// OAuth2Config holds configuration for the OAuth2 login source. -type OAuth2Config struct { - Provider string - ClientID string - ClientSecret string - OpenIDConnectAutoDiscoveryURL string - CustomURLMapping *oauth2.CustomURLMapping - IconURL string -} - -// FromDB fills up an OAuth2Config from serialized format. -func (cfg *OAuth2Config) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, cfg) -} - -// ToDB exports an SMTPConfig to a serialized format. -func (cfg *OAuth2Config) ToDB() ([]byte, error) { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Marshal(cfg) -} - -// SSPIConfig holds configuration for SSPI single sign-on. -type SSPIConfig struct { - AutoCreateUsers bool - AutoActivateUsers bool - StripDomainNames bool - SeparatorReplacement string - DefaultLanguage string -} - -// FromDB fills up an SSPIConfig from serialized format. -func (cfg *SSPIConfig) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, cfg) -} - -// ToDB exports an SSPIConfig to a serialized format. -func (cfg *SSPIConfig) ToDB() ([]byte, error) { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Marshal(cfg) -} +var registeredLoginConfigs = map[LoginType]LoginConfig{} // LoginSource represents an external way for authorizing users. type LoginSource struct { @@ -211,19 +113,11 @@ func Cell2Int64(val xorm.Cell) int64 { // BeforeSet is invoked from XORM before setting the value of a field of this object. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) { if colName == "type" { - switch LoginType(Cell2Int64(val)) { - case LoginLDAP, LoginDLDAP: - source.Cfg = new(LDAPConfig) - case LoginSMTP: - source.Cfg = new(SMTPConfig) - case LoginPAM: - source.Cfg = new(PAMConfig) - case LoginOAuth2: - source.Cfg = new(OAuth2Config) - case LoginSSPI: - source.Cfg = new(SSPIConfig) - default: - panic(fmt.Sprintf("unrecognized login source type: %v", *val)) + typ := LoginType(Cell2Int64(val)) + exemplar, ok := registeredLoginConfigs[typ] + if ok { + source.Cfg = reflect.New(reflect.TypeOf(exemplar)).Interface().(convert.Conversion) + return } } } @@ -265,59 +159,21 @@ func (source *LoginSource) IsSSPI() bool { // HasTLS returns true of this source supports TLS. func (source *LoginSource) HasTLS() bool { - return ((source.IsLDAP() || source.IsDLDAP()) && - source.LDAP().SecurityProtocol > ldap.SecurityProtocolUnencrypted) || - source.IsSMTP() + hasTLSer, ok := source.Cfg.(HasTLSer) + return ok && hasTLSer.HasTLS() } // UseTLS returns true of this source is configured to use TLS. func (source *LoginSource) UseTLS() bool { - switch source.Type { - case LoginLDAP, LoginDLDAP: - return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted - case LoginSMTP: - return source.SMTP().TLS - } - - return false + useTLSer, ok := source.Cfg.(UseTLSer) + return ok && useTLSer.UseTLS() } // SkipVerify returns true if this source is configured to skip SSL // verification. func (source *LoginSource) SkipVerify() bool { - switch source.Type { - case LoginLDAP, LoginDLDAP: - return source.LDAP().SkipVerify - case LoginSMTP: - return source.SMTP().SkipVerify - } - - return false -} - -// LDAP returns LDAPConfig for this source, if of LDAP type. -func (source *LoginSource) LDAP() *LDAPConfig { - return source.Cfg.(*LDAPConfig) -} - -// SMTP returns SMTPConfig for this source, if of SMTP type. -func (source *LoginSource) SMTP() *SMTPConfig { - return source.Cfg.(*SMTPConfig) -} - -// PAM returns PAMConfig for this source, if of PAM type. -func (source *LoginSource) PAM() *PAMConfig { - return source.Cfg.(*PAMConfig) -} - -// OAuth2 returns OAuth2Config for this source, if of OAuth2 type. -func (source *LoginSource) OAuth2() *OAuth2Config { - return source.Cfg.(*OAuth2Config) -} - -// SSPI returns SSPIConfig for this source, if of SSPI type. -func (source *LoginSource) SSPI() *SSPIConfig { - return source.Cfg.(*SSPIConfig) + skipVerifiable, ok := source.Cfg.(SkipVerifiable) + return ok && skipVerifiable.IsSkipVerify() } // CreateLoginSource inserts a LoginSource in the DB if not already @@ -335,16 +191,24 @@ func CreateLoginSource(source *LoginSource) error { } _, err = x.Insert(source) - if err == nil && source.IsOAuth2() && source.IsActived { - oAuth2Config := source.OAuth2() - err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping) - err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config) - if err != nil { - // remove the LoginSource in case of errors while registering OAuth2 providers - if _, err := x.Delete(source); err != nil { - log.Error("CreateLoginSource: Error while wrapOpenIDConnectInitializeError: %v", err) - } - return err + if err != nil { + return err + } + + if !source.IsActived { + return nil + } + + registerableSource, ok := source.Cfg.(RegisterableSource) + if !ok { + return nil + } + + err = registerableSource.RegisterSource(source) + if err != nil { + // remove the LoginSource in case of errors while registering configuration + if _, err := x.Delete(source); err != nil { + log.Error("CreateLoginSource: Error while wrapOpenIDConnectInitializeError: %v", err) } } return err @@ -419,16 +283,24 @@ func UpdateSource(source *LoginSource) error { } _, err := x.ID(source.ID).AllCols().Update(source) - if err == nil && source.IsOAuth2() && source.IsActived { - oAuth2Config := source.OAuth2() - err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping) - err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config) - if err != nil { - // restore original values since we cannot update the provider it self - if _, err := x.ID(source.ID).AllCols().Update(originalLoginSource); err != nil { - log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err) - } - return err + if err != nil { + return err + } + + if !source.IsActived { + return nil + } + + registerableSource, ok := source.Cfg.(RegisterableSource) + if !ok { + return nil + } + + err = registerableSource.RegisterSource(source) + if err != nil { + // restore original values since we cannot update the provider it self + if _, err := x.ID(source.ID).AllCols().Update(originalLoginSource); err != nil { + log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err) } } return err diff --git a/models/oauth2.go b/models/oauth2.go index 46da60e02dd65..e2e6f849bedcd 100644 --- a/models/oauth2.go +++ b/models/oauth2.go @@ -5,8 +5,6 @@ package models import ( - "sort" - "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/log" ) @@ -103,33 +101,6 @@ func GetActiveOAuth2LoginSourceByName(name string) (*LoginSource, error) { return loginSource, nil } -// GetActiveOAuth2Providers returns the map of configured active OAuth2 providers -// key is used as technical name (like in the callbackURL) -// values to display -func GetActiveOAuth2Providers() ([]string, map[string]OAuth2Provider, error) { - // Maybe also separate used and unused providers so we can force the registration of only 1 active provider for each type - - loginSources, err := GetActiveOAuth2ProviderLoginSources() - if err != nil { - return nil, nil, err - } - - var orderedKeys []string - providers := make(map[string]OAuth2Provider) - for _, source := range loginSources { - prov := OAuth2Providers[source.OAuth2().Provider] - if source.OAuth2().IconURL != "" { - prov.Image = source.OAuth2().IconURL - } - providers[source.Name] = prov - orderedKeys = append(orderedKeys, source.Name) - } - - sort.Strings(orderedKeys) - - return orderedKeys, providers, nil -} - // InitOAuth2 initialize the OAuth2 lib and register all active OAuth2 providers in the library func InitOAuth2() error { if err := oauth2.InitSigningKey(); err != nil { @@ -151,8 +122,11 @@ func ResetOAuth2() error { func initOAuth2LoginSources() error { loginSources, _ := GetActiveOAuth2ProviderLoginSources() for _, source := range loginSources { - oAuth2Config := source.OAuth2() - err := oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping) + registerableSource, ok := source.Cfg.(RegisterableSource) + if !ok { + continue + } + err := registerableSource.RegisterSource(source) if err != nil { log.Critical("Unable to register source: %s due to Error: %v. This source will be disabled.", source.Name, err) source.IsActived = false @@ -164,12 +138,3 @@ func initOAuth2LoginSources() error { } return nil } - -// wrapOpenIDConnectInitializeError is used to wrap the error but this cannot be done in modules/auth/oauth2 -// inside oauth2: import cycle not allowed models -> modules/auth/oauth2 -> models -func wrapOpenIDConnectInitializeError(err error, providerName string, oAuth2Config *OAuth2Config) error { - if err != nil && "openidConnect" == oAuth2Config.Provider { - err = ErrOpenIDConnectInitialize{ProviderName: providerName, OpenIDConnectAutoDiscoveryURL: oAuth2Config.OpenIDConnectAutoDiscoveryURL, Cause: err} - } - return err -} diff --git a/models/ssh_key.go b/models/ssh_key.go index fd8fa660683d4..6cda4f1658fb2 100644 --- a/models/ssh_key.go +++ b/models/ssh_key.go @@ -278,11 +278,7 @@ keyloop: } } - ldapSource := source.LDAP() - if ldapSource != nil && - source.IsSyncEnabled && - (source.Type == LoginLDAP || source.Type == LoginDLDAP) && - len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 { + if sshKeyProvider, ok := source.Cfg.(SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() { // Disable setting SSH keys for this user externals[i] = true } @@ -307,11 +303,7 @@ func PublicKeyIsExternallyManaged(id int64) (bool, error) { } return false, err } - ldapSource := source.LDAP() - if ldapSource != nil && - source.IsSyncEnabled && - (source.Type == LoginLDAP || source.Type == LoginDLDAP) && - len(strings.TrimSpace(ldapSource.AttributeSSHPublicKey)) > 0 { + if sshKeyProvider, ok := source.Cfg.(SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() { // Disable setting SSH keys for this user return true, nil } diff --git a/models/ssh_key_authorized_keys.go b/models/ssh_key_authorized_keys.go index 21da7507de921..15cdbdb19edfb 100644 --- a/models/ssh_key_authorized_keys.go +++ b/models/ssh_key_authorized_keys.go @@ -43,6 +43,7 @@ const ( var sshOpLocker sync.Mutex +// AuthorizedStringForKey creates the authorized keys string appropriate for the provided key func AuthorizedStringForKey(key *PublicKey) string { sb := &strings.Builder{} _ = setting.SSH.AuthorizedKeysCommandTemplateTemplate.Execute(sb, map[string]interface{}{ diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go index 91ad33a60f3a4..321fbf805891a 100644 --- a/modules/auth/ldap/ldap.go +++ b/modules/auth/ldap/ldap.go @@ -27,6 +27,18 @@ const ( SecurityProtocolStartTLS ) +// String returns the name of the SecurityProtocol +func (s SecurityProtocol) String() string { + return SecurityProtocolNames[s] +} + +// SecurityProtocolNames contains the name of SecurityProtocol values. +var SecurityProtocolNames = map[SecurityProtocol]string{ + SecurityProtocolUnencrypted: "Unencrypted", + SecurityProtocolLDAPS: "LDAPS", + SecurityProtocolStartTLS: "StartTLS", +} + // Source Basic LDAP authentication service type Source struct { Name string // canonical name (ie. corporate.ad) diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go index 2c9f215d1d8db..dd3036213ac6d 100644 --- a/routers/web/admin/auths.go +++ b/routers/web/admin/auths.go @@ -20,7 +20,11 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/web" + ldapService "code.gitea.io/gitea/services/auth/source/ldap" + oauth2Service "code.gitea.io/gitea/services/auth/source/oauth2" + pamService "code.gitea.io/gitea/services/auth/source/pam" "code.gitea.io/gitea/services/auth/source/smtp" + "code.gitea.io/gitea/services/auth/source/sspi" "code.gitea.io/gitea/services/forms" "xorm.io/xorm/convert" @@ -75,9 +79,9 @@ var ( }() securityProtocols = []dropdownItem{ - {models.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted], ldap.SecurityProtocolUnencrypted}, - {models.SecurityProtocolNames[ldap.SecurityProtocolLDAPS], ldap.SecurityProtocolLDAPS}, - {models.SecurityProtocolNames[ldap.SecurityProtocolStartTLS], ldap.SecurityProtocolStartTLS}, + {ldap.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted], ldap.SecurityProtocolUnencrypted}, + {ldap.SecurityProtocolNames[ldap.SecurityProtocolLDAPS], ldap.SecurityProtocolLDAPS}, + {ldap.SecurityProtocolNames[ldap.SecurityProtocolStartTLS], ldap.SecurityProtocolStartTLS}, } ) @@ -89,7 +93,7 @@ func NewAuthSource(ctx *context.Context) { ctx.Data["type"] = models.LoginLDAP ctx.Data["CurrentTypeName"] = models.LoginNames[models.LoginLDAP] - ctx.Data["CurrentSecurityProtocol"] = models.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted] + ctx.Data["CurrentSecurityProtocol"] = ldap.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted] ctx.Data["smtp_auth"] = "PLAIN" ctx.Data["is_active"] = true ctx.Data["is_sync_enabled"] = true @@ -114,12 +118,12 @@ func NewAuthSource(ctx *context.Context) { ctx.HTML(http.StatusOK, tplAuthNew) } -func parseLDAPConfig(form forms.AuthenticationForm) *models.LDAPConfig { +func parseLDAPConfig(form forms.AuthenticationForm) *ldapService.Source { var pageSize uint32 if form.UsePagedSearch { pageSize = uint32(form.SearchPageSize) } - return &models.LDAPConfig{ + return &ldapService.Source{ Source: &ldap.Source{ Name: form.Name, Host: form.Host, @@ -151,8 +155,8 @@ func parseLDAPConfig(form forms.AuthenticationForm) *models.LDAPConfig { } } -func parseSMTPConfig(form forms.AuthenticationForm) *models.SMTPConfig { - return &models.SMTPConfig{ +func parseSMTPConfig(form forms.AuthenticationForm) *smtp.Source { + return &smtp.Source{ Auth: form.SMTPAuth, Host: form.SMTPHost, Port: form.SMTPPort, @@ -162,7 +166,7 @@ func parseSMTPConfig(form forms.AuthenticationForm) *models.SMTPConfig { } } -func parseOAuth2Config(form forms.AuthenticationForm) *models.OAuth2Config { +func parseOAuth2Config(form forms.AuthenticationForm) *oauth2Service.Source { var customURLMapping *oauth2.CustomURLMapping if form.Oauth2UseCustomURL { customURLMapping = &oauth2.CustomURLMapping{ @@ -174,7 +178,7 @@ func parseOAuth2Config(form forms.AuthenticationForm) *models.OAuth2Config { } else { customURLMapping = nil } - return &models.OAuth2Config{ + return &oauth2Service.Source{ Provider: form.Oauth2Provider, ClientID: form.Oauth2Key, ClientSecret: form.Oauth2Secret, @@ -184,7 +188,7 @@ func parseOAuth2Config(form forms.AuthenticationForm) *models.OAuth2Config { } } -func parseSSPIConfig(ctx *context.Context, form forms.AuthenticationForm) (*models.SSPIConfig, error) { +func parseSSPIConfig(ctx *context.Context, form forms.AuthenticationForm) (*sspi.Source, error) { if util.IsEmptyString(form.SSPISeparatorReplacement) { ctx.Data["Err_SSPISeparatorReplacement"] = true return nil, errors.New(ctx.Tr("form.SSPISeparatorReplacement") + ctx.Tr("form.require_error")) @@ -199,7 +203,7 @@ func parseSSPIConfig(ctx *context.Context, form forms.AuthenticationForm) (*mode return nil, errors.New(ctx.Tr("form.lang_select_error")) } - return &models.SSPIConfig{ + return &sspi.Source{ AutoCreateUsers: form.SSPIAutoCreateUsers, AutoActivateUsers: form.SSPIAutoActivateUsers, StripDomainNames: form.SSPIStripDomainNames, @@ -216,7 +220,7 @@ func NewAuthSourcePost(ctx *context.Context) { ctx.Data["PageIsAdminAuthentications"] = true ctx.Data["CurrentTypeName"] = models.LoginNames[models.LoginType(form.Type)] - ctx.Data["CurrentSecurityProtocol"] = models.SecurityProtocolNames[ldap.SecurityProtocol(form.SecurityProtocol)] + ctx.Data["CurrentSecurityProtocol"] = ldap.SecurityProtocolNames[ldap.SecurityProtocol(form.SecurityProtocol)] ctx.Data["AuthSources"] = authSources ctx.Data["SecurityProtocols"] = securityProtocols ctx.Data["SMTPAuths"] = smtp.Authenticators @@ -239,7 +243,7 @@ func NewAuthSourcePost(ctx *context.Context) { config = parseSMTPConfig(form) hasTLS = true case models.LoginPAM: - config = &models.PAMConfig{ + config = &pamService.Source{ ServiceName: form.PAMServiceName, EmailDomain: form.PAMEmailDomain, } @@ -311,7 +315,7 @@ func EditAuthSource(ctx *context.Context) { ctx.Data["HasTLS"] = source.HasTLS() if source.IsOAuth2() { - ctx.Data["CurrentOAuth2Provider"] = models.OAuth2Providers[source.OAuth2().Provider] + ctx.Data["CurrentOAuth2Provider"] = models.OAuth2Providers[source.Cfg.(*oauth2Service.Source).Provider] } ctx.HTML(http.StatusOK, tplAuthEdit) } @@ -347,7 +351,7 @@ func EditAuthSourcePost(ctx *context.Context) { case models.LoginSMTP: config = parseSMTPConfig(form) case models.LoginPAM: - config = &models.PAMConfig{ + config = &pamService.Source{ ServiceName: form.PAMServiceName, EmailDomain: form.PAMEmailDomain, } diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go index 9309a111cd463..5034347bb4178 100644 --- a/routers/web/user/auth.go +++ b/routers/web/user/auth.go @@ -28,6 +28,7 @@ import ( "code.gitea.io/gitea/modules/web/middleware" "code.gitea.io/gitea/routers/utils" "code.gitea.io/gitea/services/auth" + oauth2Service "code.gitea.io/gitea/services/auth/source/oauth2" "code.gitea.io/gitea/services/externalaccount" "code.gitea.io/gitea/services/forms" "code.gitea.io/gitea/services/mailer" @@ -136,7 +137,7 @@ func SignIn(ctx *context.Context) { return } - orderedOAuth2Names, oauth2Providers, err := models.GetActiveOAuth2Providers() + orderedOAuth2Names, oauth2Providers, err := oauth2Service.GetActiveOAuth2Providers() if err != nil { ctx.ServerError("UserSignIn", err) return @@ -156,7 +157,7 @@ func SignIn(ctx *context.Context) { func SignInPost(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("sign_in") - orderedOAuth2Names, oauth2Providers, err := models.GetActiveOAuth2Providers() + orderedOAuth2Names, oauth2Providers, err := oauth2Service.GetActiveOAuth2Providers() if err != nil { ctx.ServerError("UserSignIn", err) return @@ -632,7 +633,7 @@ func SignInOAuthCallback(ctx *context.Context) { } if len(missingFields) > 0 { log.Error("OAuth2 Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields) - if loginSource.IsOAuth2() && loginSource.OAuth2().Provider == "openidConnect" { + if loginSource.IsOAuth2() && loginSource.Cfg.(*oauth2Service.Source).Provider == "openidConnect" { log.Error("You may need to change the 'OPENID_CONNECT_SCOPES' setting to request all required fields") } err = fmt.Errorf("OAuth2 Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields) diff --git a/routers/web/user/setting/security.go b/routers/web/user/setting/security.go index 7753c5c16179d..d1c61a9a4c4f2 100644 --- a/routers/web/user/setting/security.go +++ b/routers/web/user/setting/security.go @@ -12,6 +12,7 @@ import ( "code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/services/auth/source/oauth2" ) const ( @@ -92,7 +93,7 @@ func loadSecurityData(ctx *context.Context) { if loginSource, err := models.GetLoginSourceByID(externalAccount.LoginSourceID); err == nil { var providerDisplayName string if loginSource.IsOAuth2() { - providerTechnicalName := loginSource.OAuth2().Provider + providerTechnicalName := loginSource.Cfg.(*oauth2.Source).Provider providerDisplayName = models.OAuth2Providers[providerTechnicalName].DisplayName } else { providerDisplayName = loginSource.Name diff --git a/services/auth/interface.go b/services/auth/interface.go index e75a84677c2b1..0488a8b716356 100644 --- a/services/auth/interface.go +++ b/services/auth/interface.go @@ -5,6 +5,7 @@ package auth import ( + "context" "net/http" "code.gitea.io/gitea/models" @@ -37,3 +38,13 @@ type Method interface { // Returns nil if verification fails. Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User } + +// Authenticator represents a source of authentication +type Authenticator interface { + Authenticate(user *models.User, login, password string, source *models.LoginSource) (*models.User, error) +} + +// SynchronizableSource represents a source that can synchronize users +type SynchronizableSource interface { + Sync(ctx context.Context, updateExisting bool, source *models.LoginSource) error +} diff --git a/services/auth/signin.go b/services/auth/signin.go index b49761e3a60aa..22529a4b9e5fa 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -9,10 +9,14 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/log" - "code.gitea.io/gitea/modules/setting" - "code.gitea.io/gitea/services/auth/source/ldap" - "code.gitea.io/gitea/services/auth/source/pam" - "code.gitea.io/gitea/services/auth/source/smtp" + "code.gitea.io/gitea/services/auth/source/db" + + // Register the other sources + _ "code.gitea.io/gitea/services/auth/source/ldap" + _ "code.gitea.io/gitea/services/auth/source/oauth2" + _ "code.gitea.io/gitea/services/auth/source/pam" + _ "code.gitea.io/gitea/services/auth/source/smtp" + _ "code.gitea.io/gitea/services/auth/source/sspi" ) // UserSignIn validates user name and password. @@ -47,39 +51,35 @@ func UserSignIn(username, password string) (*models.User, error) { if hasUser { switch user.LoginType { case models.LoginNoType, models.LoginPlain, models.LoginOAuth2: - if user.IsPasswordSet() && user.ValidatePassword(password) { - - // Update password hash if server password hash algorithm have changed - if user.PasswdHashAlgo != setting.PasswordHashAlgo { - if err = user.SetPassword(password); err != nil { - return nil, err - } - if err = models.UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil { - return nil, err - } - } - - // WARN: DON'T check user.IsActive, that will be checked on reqSign so that - // user could be hint to resend confirm email. - if user.ProhibitLogin { - return nil, models.ErrUserProhibitLogin{ - UID: user.ID, - Name: user.Name, - } - } - - return user, nil + return db.Authenticate(user, user.Name, password) + default: + source, err := models.GetLoginSourceByID(user.LoginSource) + if err != nil { + return nil, err } - return nil, models.ErrUserNotExist{UID: user.ID, Name: user.Name} + if !source.IsActived { + return nil, models.ErrLoginSourceNotActived + } - default: - source, err := models.GetLoginSourceByID(user.LoginSource) + authenticator, ok := source.Cfg.(Authenticator) + if !ok { + return nil, models.ErrUnsupportedLoginType + + } + + user, err := authenticator.Authenticate(nil, username, password, source) if err != nil { return nil, err } - return ExternalUserLogin(user, user.LoginName, password, source) + // WARN: DON'T check user.IsActive, that will be checked on reqSign so that + // user could be hint to resend confirm email. + if user.ProhibitLogin { + return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name} + } + + return user, nil } } @@ -89,13 +89,23 @@ func UserSignIn(username, password string) (*models.User, error) { } for _, source := range sources { - if source.IsOAuth2() || source.IsSSPI() { - // don't try to authenticate against OAuth2 and SSPI sources here + if !source.IsActived { + // don't try to authenticate non-active sources + continue + } + + authenticator, ok := source.Cfg.(Authenticator) + if !ok { continue } - authUser, err := ExternalUserLogin(nil, username, password, source) + + authUser, err := authenticator.Authenticate(nil, username, password, source) + if err == nil { - return authUser, nil + if !user.ProhibitLogin { + return authUser, nil + } + err = models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name} } log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err) @@ -103,34 +113,3 @@ func UserSignIn(username, password string) (*models.User, error) { return nil, models.ErrUserNotExist{UID: user.ID, Name: user.Name} } - -// ExternalUserLogin attempts a login using external source types. -func ExternalUserLogin(user *models.User, login, password string, source *models.LoginSource) (*models.User, error) { - if !source.IsActived { - return nil, models.ErrLoginSourceNotActived - } - - var err error - switch source.Type { - case models.LoginLDAP, models.LoginDLDAP: - user, err = ldap.Login(user, login, password, source) - case models.LoginSMTP: - user, err = smtp.Login(user, login, password, source.ID, source.Cfg.(*models.SMTPConfig)) - case models.LoginPAM: - user, err = pam.Login(user, login, password, source.ID, source.Cfg.(*models.PAMConfig)) - default: - return nil, models.ErrUnsupportedLoginType - } - - if err != nil { - return nil, err - } - - // WARN: DON'T check user.IsActive, that will be checked on reqSign so that - // user could be hint to resend confirm email. - if user.ProhibitLogin { - return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name} - } - - return user, nil -} diff --git a/services/auth/source/db/login.go b/services/auth/source/db/login.go new file mode 100644 index 0000000000000..dc85fb2e89e57 --- /dev/null +++ b/services/auth/source/db/login.go @@ -0,0 +1,38 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package db + +import ( + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/setting" +) + +// Authenticate authenticates the provided user against the DB +func Authenticate(user *models.User, login, password string) (*models.User, error) { + if !user.IsPasswordSet() || !user.ValidatePassword(password) { + return nil, models.ErrUserNotExist{UID: user.ID, Name: user.Name} + } + + // Update password hash if server password hash algorithm have changed + if user.PasswdHashAlgo != setting.PasswordHashAlgo { + if err := user.SetPassword(password); err != nil { + return nil, err + } + if err := models.UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil { + return nil, err + } + } + + // WARN: DON'T check user.IsActive, that will be checked on reqSign so that + // user could be hint to resend confirm email. + if user.ProhibitLogin { + return nil, models.ErrUserProhibitLogin{ + UID: user.ID, + Name: user.Name, + } + } + + return user, nil +} diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go new file mode 100644 index 0000000000000..bf0c69154e41f --- /dev/null +++ b/services/auth/source/ldap/source.go @@ -0,0 +1,84 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package ldap + +import ( + "strings" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/auth/ldap" + "code.gitea.io/gitea/modules/secret" + "code.gitea.io/gitea/modules/setting" + jsoniter "github.com/json-iterator/go" +) + +// .____ ________ _____ __________ +// | | \______ \ / _ \\______ \ +// | | | | \ / /_\ \| ___/ +// | |___ | ` \/ | \ | +// |_______ \/_______ /\____|__ /____| +// \/ \/ \/ + +// Source holds configuration for LDAP login source. +type Source struct { + *ldap.Source +} + +// FromDB fills up a LDAPConfig from serialized format. +func (source *Source) FromDB(bs []byte) error { + json := jsoniter.ConfigCompatibleWithStandardLibrary + err := json.Unmarshal(bs, &source) + if err != nil { + return err + } + if source.BindPasswordEncrypt != "" { + source.BindPassword, err = secret.DecryptSecret(setting.SecretKey, source.BindPasswordEncrypt) + source.BindPasswordEncrypt = "" + } + return err +} + +// ToDB exports a LDAPConfig to a serialized format. +func (source *Source) ToDB() ([]byte, error) { + var err error + source.BindPasswordEncrypt, err = secret.EncryptSecret(setting.SecretKey, source.BindPassword) + if err != nil { + return nil, err + } + source.BindPassword = "" + json := jsoniter.ConfigCompatibleWithStandardLibrary + return json.Marshal(source) +} + +// SecurityProtocolName returns the name of configured security +// protocol. +func (source *Source) SecurityProtocolName() string { + return ldap.SecurityProtocolNames[source.SecurityProtocol] +} + +// IsSkipVerify returns if SkipVerify is set +func (source *Source) IsSkipVerify() bool { + return source.SkipVerify +} + +// HasTLS returns if HasTLS +func (source *Source) HasTLS() bool { + return source.SecurityProtocol > ldap.SecurityProtocolUnencrypted +} + +// UseTLS returns if UseTLS +func (source *Source) UseTLS() bool { + return source.SecurityProtocol != ldap.SecurityProtocolUnencrypted +} + +// ProvidesSSHKeys returns if this source provides SSH Keys +func (source *Source) ProvidesSSHKeys() bool { + return len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0 +} + +func init() { + models.RegisterLoginTypeConfig(models.LoginLDAP, &Source{}) + models.RegisterLoginTypeConfig(models.LoginDLDAP, &Source{}) +} diff --git a/services/auth/source/ldap/login.go b/services/auth/source/ldap/source_authenticate.go similarity index 67% rename from services/auth/source/ldap/login.go rename to services/auth/source/ldap/source_authenticate.go index 266e4f85cf155..29325c2e83226 100644 --- a/services/auth/source/ldap/login.go +++ b/services/auth/source/ldap/source_authenticate.go @@ -11,23 +11,16 @@ import ( "code.gitea.io/gitea/models" ) -// .____ ________ _____ __________ -// | | \______ \ / _ \\______ \ -// | | | | \ / /_\ \| ___/ -// | |___ | ` \/ | \ | -// |_______ \/_______ /\____|__ /____| -// \/ \/ \/ - -// Login queries if login/password is valid against the LDAP directory pool, +// Authenticate queries if login/password is valid against the LDAP directory pool, // and create a local user if success when enabled. -func Login(user *models.User, login, password string, source *models.LoginSource) (*models.User, error) { - sr := source.Cfg.(*models.LDAPConfig).SearchEntry(login, password, source.Type == models.LoginDLDAP) +func (source *Source) Authenticate(user *models.User, login, password string, loginSource *models.LoginSource) (*models.User, error) { + sr := source.SearchEntry(login, password, loginSource.Type == models.LoginDLDAP) if sr == nil { // User not in LDAP, do nothing return nil, models.ErrUserNotExist{Name: login} } - isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.LDAP().AttributeSSHPublicKey)) > 0 + isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0 // Update User admin flag if exist if isExist, err := models.IsUserExist(0, sr.Username); err != nil { @@ -41,12 +34,12 @@ func Login(user *models.User, login, password string, source *models.LoginSource } if user != nil && !user.ProhibitLogin { cols := make([]string, 0) - if len(source.LDAP().AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin { + if len(source.AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin { // Change existing admin flag only if AdminFilter option is set user.IsAdmin = sr.IsAdmin cols = append(cols, "is_admin") } - if !user.IsAdmin && len(source.LDAP().RestrictedFilter) > 0 && user.IsRestricted != sr.IsRestricted { + if !user.IsAdmin && len(source.RestrictedFilter) > 0 && user.IsRestricted != sr.IsRestricted { // Change existing restricted flag only if RestrictedFilter option is set user.IsRestricted = sr.IsRestricted cols = append(cols, "is_restricted") @@ -61,7 +54,7 @@ func Login(user *models.User, login, password string, source *models.LoginSource } if user != nil { - if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(user, source, sr.SSHPublicKey) { + if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(user, loginSource, sr.SSHPublicKey) { return user, models.RewriteAllPublicKeys() } @@ -82,8 +75,8 @@ func Login(user *models.User, login, password string, source *models.LoginSource Name: sr.Username, FullName: composeFullName(sr.Name, sr.Surname, sr.Username), Email: sr.Mail, - LoginType: source.Type, - LoginSource: source.ID, + LoginType: loginSource.Type, + LoginSource: loginSource.ID, LoginName: login, IsActive: true, IsAdmin: sr.IsAdmin, @@ -92,7 +85,7 @@ func Login(user *models.User, login, password string, source *models.LoginSource err := models.CreateUser(user) - if err == nil && isAttributeSSHPublicKeySet && models.AddPublicKeysBySource(user, source, sr.SSHPublicKey) { + if err == nil && isAttributeSSHPublicKeySet && models.AddPublicKeysBySource(user, loginSource, sr.SSHPublicKey) { err = models.RewriteAllPublicKeys() } diff --git a/services/auth/source/ldap/sync.go b/services/auth/source/ldap/source_sync.go similarity index 86% rename from services/auth/source/ldap/sync.go rename to services/auth/source/ldap/source_sync.go index e102a8c2deb5f..a91269bc09ea4 100644 --- a/services/auth/source/ldap/sync.go +++ b/services/auth/source/ldap/source_sync.go @@ -13,18 +13,12 @@ import ( "code.gitea.io/gitea/modules/log" ) -// .____ ________ _____ __________ -// | | \______ \ / _ \\______ \ -// | | | | \ / /_\ \| ___/ -// | |___ | ` \/ | \ | -// |_______ \/_______ /\____|__ /____| -// \/ \/ \/ - -func Sync(ctx context.Context, updateExisting bool, s *models.LoginSource) error { +// Sync causes this ldap source to synchronize its users with the db +func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.LoginSource) error { log.Trace("Doing: SyncExternalUsers[%s]", s.Name) var existingUsers []int64 - isAttributeSSHPublicKeySet := len(strings.TrimSpace(s.LDAP().AttributeSSHPublicKey)) > 0 + isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0 var sshKeysNeedUpdate bool // Find all users with this login type - FIXME: Should this be an iterator? @@ -40,14 +34,14 @@ func Sync(ctx context.Context, updateExisting bool, s *models.LoginSource) error default: } - sr, err := s.LDAP().SearchEntries() + sr, err := source.SearchEntries() if err != nil { log.Error("SyncExternalUsers LDAP source failure [%s], skipped", s.Name) return nil } if len(sr) == 0 { - if !s.LDAP().AllowDeactivateAll { + if !source.AllowDeactivateAll { log.Error("LDAP search found no entries but did not report an error. Refusing to deactivate all users") return nil } @@ -122,8 +116,8 @@ func Sync(ctx context.Context, updateExisting bool, s *models.LoginSource) error } // Check if user data has changed - if (len(s.LDAP().AdminFilter) > 0 && usr.IsAdmin != su.IsAdmin) || - (len(s.LDAP().RestrictedFilter) > 0 && usr.IsRestricted != su.IsRestricted) || + if (len(source.AdminFilter) > 0 && usr.IsAdmin != su.IsAdmin) || + (len(source.RestrictedFilter) > 0 && usr.IsRestricted != su.IsRestricted) || !strings.EqualFold(usr.Email, su.Mail) || usr.FullName != fullName || !usr.IsActive { @@ -133,11 +127,11 @@ func Sync(ctx context.Context, updateExisting bool, s *models.LoginSource) error usr.FullName = fullName usr.Email = su.Mail // Change existing admin flag only if AdminFilter option is set - if len(s.LDAP().AdminFilter) > 0 { + if len(source.AdminFilter) > 0 { usr.IsAdmin = su.IsAdmin } // Change existing restricted flag only if RestrictedFilter option is set - if !usr.IsAdmin && len(s.LDAP().RestrictedFilter) > 0 { + if !usr.IsAdmin && len(source.RestrictedFilter) > 0 { usr.IsRestricted = su.IsRestricted } usr.IsActive = true diff --git a/services/auth/source/oauth2/providers.go b/services/auth/source/oauth2/providers.go new file mode 100644 index 0000000000000..69340cd09567a --- /dev/null +++ b/services/auth/source/oauth2/providers.go @@ -0,0 +1,38 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2 + +import ( + "sort" + + "code.gitea.io/gitea/models" +) + +// GetActiveOAuth2Providers returns the map of configured active OAuth2 providers +// key is used as technical name (like in the callbackURL) +// values to display +func GetActiveOAuth2Providers() ([]string, map[string]models.OAuth2Provider, error) { + // Maybe also separate used and unused providers so we can force the registration of only 1 active provider for each type + + loginSources, err := models.GetActiveOAuth2ProviderLoginSources() + if err != nil { + return nil, nil, err + } + + var orderedKeys []string + providers := make(map[string]models.OAuth2Provider) + for _, source := range loginSources { + prov := models.OAuth2Providers[source.Cfg.(*Source).Provider] + if source.Cfg.(*Source).IconURL != "" { + prov.Image = source.Cfg.(*Source).IconURL + } + providers[source.Name] = prov + orderedKeys = append(orderedKeys, source.Name) + } + + sort.Strings(orderedKeys) + + return orderedKeys, providers, nil +} diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go new file mode 100644 index 0000000000000..81e899244a4c9 --- /dev/null +++ b/services/auth/source/oauth2/source.go @@ -0,0 +1,44 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2 + +import ( + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/auth/oauth2" + jsoniter "github.com/json-iterator/go" +) + +// ________ _____ __ .__ ________ +// \_____ \ / _ \ __ ___/ |_| |__ \_____ \ +// / | \ / /_\ \| | \ __\ | \ / ____/ +// / | \/ | \ | /| | | Y \/ \ +// \_______ /\____|__ /____/ |__| |___| /\_______ \ +// \/ \/ \/ \/ + +// Source holds configuration for the OAuth2 login source. +type Source struct { + Provider string + ClientID string + ClientSecret string + OpenIDConnectAutoDiscoveryURL string + CustomURLMapping *oauth2.CustomURLMapping + IconURL string +} + +// FromDB fills up an OAuth2Config from serialized format. +func (source *Source) FromDB(bs []byte) error { + json := jsoniter.ConfigCompatibleWithStandardLibrary + return json.Unmarshal(bs, source) +} + +// ToDB exports an SMTPConfig to a serialized format. +func (source *Source) ToDB() ([]byte, error) { + json := jsoniter.ConfigCompatibleWithStandardLibrary + return json.Marshal(source) +} + +func init() { + models.RegisterLoginTypeConfig(models.LoginOAuth2, &Source{}) +} diff --git a/services/auth/source/oauth2/source_register.go b/services/auth/source/oauth2/source_register.go new file mode 100644 index 0000000000000..cc901c2f5de34 --- /dev/null +++ b/services/auth/source/oauth2/source_register.go @@ -0,0 +1,26 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2 + +import ( + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/auth/oauth2" +) + +// RegisterSource causes an OAuth2 configuration to be registered +func (source *Source) RegisterSource(loginSource *models.LoginSource) error { + + err := oauth2.RegisterProvider(loginSource.Name, source.Provider, source.ClientID, source.ClientSecret, source.OpenIDConnectAutoDiscoveryURL, source.CustomURLMapping) + return wrapOpenIDConnectInitializeError(err, loginSource.Name, source) +} + +// wrapOpenIDConnectInitializeError is used to wrap the error but this cannot be done in modules/auth/oauth2 +// inside oauth2: import cycle not allowed models -> modules/auth/oauth2 -> models +func wrapOpenIDConnectInitializeError(err error, providerName string, oAuth2Config *Source) error { + if err != nil && oAuth2Config.Provider == "openidConnect" { + err = models.ErrOpenIDConnectInitialize{ProviderName: providerName, OpenIDConnectAutoDiscoveryURL: oAuth2Config.OpenIDConnectAutoDiscoveryURL, Cause: err} + } + return err +} diff --git a/services/auth/source/pam/source.go b/services/auth/source/pam/source.go new file mode 100644 index 0000000000000..f6b098e562af3 --- /dev/null +++ b/services/auth/source/pam/source.go @@ -0,0 +1,39 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package pam + +import ( + "code.gitea.io/gitea/models" + jsoniter "github.com/json-iterator/go" +) + +// __________ _____ _____ +// \______ \/ _ \ / \ +// | ___/ /_\ \ / \ / \ +// | | / | \/ Y \ +// |____| \____|__ /\____|__ / +// \/ \/ + +// Source holds configuration for the PAM login source. +type Source struct { + ServiceName string // pam service (e.g. system-auth) + EmailDomain string +} + +// FromDB fills up a PAMConfig from serialized format. +func (source *Source) FromDB(bs []byte) error { + json := jsoniter.ConfigCompatibleWithStandardLibrary + return json.Unmarshal(bs, &source) +} + +// ToDB exports a PAMConfig to a serialized format. +func (source *Source) ToDB() ([]byte, error) { + json := jsoniter.ConfigCompatibleWithStandardLibrary + return json.Marshal(source) +} + +func init() { + models.RegisterLoginTypeConfig(models.LoginPAM, &Source{}) +} diff --git a/services/auth/source/pam/login.go b/services/auth/source/pam/source_authenticate.go similarity index 70% rename from services/auth/source/pam/login.go rename to services/auth/source/pam/source_authenticate.go index 601a724be9565..ae8ce1fba44f5 100644 --- a/services/auth/source/pam/login.go +++ b/services/auth/source/pam/source_authenticate.go @@ -15,17 +15,10 @@ import ( "github.com/google/uuid" ) -// __________ _____ _____ -// \______ \/ _ \ / \ -// | ___/ /_\ \ / \ / \ -// | | / | \/ Y \ -// |____| \____|__ /\____|__ / -// \/ \/ - -// Login queries if login/password is valid against the PAM, +// Authenticate queries if login/password is valid against the PAM, // and create a local user if success when enabled. -func Login(user *models.User, login, password string, sourceID int64, cfg *models.PAMConfig) (*models.User, error) { - pamLogin, err := pam.Auth(cfg.ServiceName, login, password) +func (source *Source) Authenticate(user *models.User, login, password string, loginSource *models.LoginSource) (*models.User, error) { + pamLogin, err := pam.Auth(source.ServiceName, login, password) if err != nil { if strings.Contains(err.Error(), "Authentication failure") { return nil, models.ErrUserNotExist{Name: login} @@ -45,8 +38,8 @@ func Login(user *models.User, login, password string, sourceID int64, cfg *model username = pamLogin[:idx] } if models.ValidateEmail(email) != nil { - if cfg.EmailDomain != "" { - email = fmt.Sprintf("%s@%s", username, cfg.EmailDomain) + if source.EmailDomain != "" { + email = fmt.Sprintf("%s@%s", username, source.EmailDomain) } else { email = fmt.Sprintf("%s@%s", username, setting.Service.NoReplyAddress) } @@ -61,7 +54,7 @@ func Login(user *models.User, login, password string, sourceID int64, cfg *model Email: email, Passwd: password, LoginType: models.LoginPAM, - LoginSource: sourceID, + LoginSource: loginSource.ID, LoginName: login, // This is what the user typed in IsActive: true, } diff --git a/services/auth/source/smtp/auth.go b/services/auth/source/smtp/auth.go index a4a7c8ed38a08..8edf4fca15eb6 100644 --- a/services/auth/source/smtp/auth.go +++ b/services/auth/source/smtp/auth.go @@ -50,8 +50,8 @@ const ( var Authenticators = []string{PlainAuthentication, LoginAuthentication} // Authenticate performs an SMTP authentication. -func Authenticate(a smtp.Auth, cfg *models.SMTPConfig) error { - c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)) +func Authenticate(a smtp.Auth, source *Source) error { + c, err := smtp.Dial(fmt.Sprintf("%s:%d", source.Host, source.Port)) if err != nil { return err } @@ -61,11 +61,11 @@ func Authenticate(a smtp.Auth, cfg *models.SMTPConfig) error { return err } - if cfg.TLS { + if source.TLS { if ok, _ := c.Extension("STARTTLS"); ok { if err = c.StartTLS(&tls.Config{ - InsecureSkipVerify: cfg.SkipVerify, - ServerName: cfg.Host, + InsecureSkipVerify: source.SkipVerify, + ServerName: source.Host, }); err != nil { return err } diff --git a/services/auth/source/smtp/source.go b/services/auth/source/smtp/source.go new file mode 100644 index 0000000000000..77f2b73cd9d99 --- /dev/null +++ b/services/auth/source/smtp/source.go @@ -0,0 +1,58 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package smtp + +import ( + "code.gitea.io/gitea/models" + jsoniter "github.com/json-iterator/go" +) + +// _________ __________________________ +// / _____/ / \__ ___/\______ \ +// \_____ \ / \ / \| | | ___/ +// / \/ Y \ | | | +// /_______ /\____|__ /____| |____| +// \/ \/ + +// Source holds configuration for the SMTP login source. +type Source struct { + Auth string + Host string + Port int + AllowedDomains string `xorm:"TEXT"` + TLS bool + SkipVerify bool +} + +// FromDB fills up an SMTPConfig from serialized format. +func (source *Source) FromDB(bs []byte) error { + json := jsoniter.ConfigCompatibleWithStandardLibrary + return json.Unmarshal(bs, source) +} + +// ToDB exports an SMTPConfig to a serialized format. +func (source *Source) ToDB() ([]byte, error) { + json := jsoniter.ConfigCompatibleWithStandardLibrary + return json.Marshal(source) +} + +// IsSkipVerify returns if SkipVerify is set +func (source *Source) IsSkipVerify() bool { + return source.SkipVerify +} + +// HasTLS returns true for SMTP +func (source *Source) HasTLS() bool { + return true +} + +// UseTLS returns if TLS is set +func (source *Source) UseTLS() bool { + return source.TLS +} + +func init() { + models.RegisterLoginTypeConfig(models.LoginSMTP, &Source{}) +} diff --git a/services/auth/source/smtp/login.go b/services/auth/source/smtp/source_authenticate.go similarity index 62% rename from services/auth/source/smtp/login.go rename to services/auth/source/smtp/source_authenticate.go index 3248913deb90d..b29525d3f53c4 100644 --- a/services/auth/source/smtp/login.go +++ b/services/auth/source/smtp/source_authenticate.go @@ -14,36 +14,29 @@ import ( "code.gitea.io/gitea/modules/util" ) -// _________ __________________________ -// / _____/ / \__ ___/\______ \ -// \_____ \ / \ / \| | | ___/ -// / \/ Y \ | | | -// /_______ /\____|__ /____| |____| -// \/ \/ - -// Login queries if login/password is valid against the SMTP, -// and create a local user if success when enabled. -func Login(user *models.User, login, password string, sourceID int64, cfg *models.SMTPConfig) (*models.User, error) { +// Authenticate queries if the provided login/password is authenticates against the SMTP server +// Users will be autoregistered as required +func (source *Source) Authenticate(user *models.User, login, password string, loginSource *models.LoginSource) (*models.User, error) { // Verify allowed domains. - if len(cfg.AllowedDomains) > 0 { + if len(source.AllowedDomains) > 0 { idx := strings.Index(login, "@") if idx == -1 { return nil, models.ErrUserNotExist{Name: login} - } else if !util.IsStringInSlice(login[idx+1:], strings.Split(cfg.AllowedDomains, ","), true) { + } else if !util.IsStringInSlice(login[idx+1:], strings.Split(source.AllowedDomains, ","), true) { return nil, models.ErrUserNotExist{Name: login} } } var auth smtp.Auth - if cfg.Auth == PlainAuthentication { - auth = smtp.PlainAuth("", login, password, cfg.Host) - } else if cfg.Auth == LoginAuthentication { + if source.Auth == PlainAuthentication { + auth = smtp.PlainAuth("", login, password, source.Host) + } else if source.Auth == LoginAuthentication { auth = &loginAuthenticator{login, password} } else { return nil, errors.New("Unsupported SMTP auth type") } - if err := Authenticate(auth, cfg); err != nil { + if err := Authenticate(auth, source); err != nil { // Check standard error format first, // then fallback to worse case. tperr, ok := err.(*textproto.Error) @@ -70,7 +63,7 @@ func Login(user *models.User, login, password string, sourceID int64, cfg *model Email: login, Passwd: password, LoginType: models.LoginSMTP, - LoginSource: sourceID, + LoginSource: loginSource.ID, LoginName: login, IsActive: true, } diff --git a/services/auth/source/sspi/source.go b/services/auth/source/sspi/source.go new file mode 100644 index 0000000000000..fe0ff143c7698 --- /dev/null +++ b/services/auth/source/sspi/source.go @@ -0,0 +1,42 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package sspi + +import ( + "code.gitea.io/gitea/models" + jsoniter "github.com/json-iterator/go" +) + +// _________ ___________________.___ +// / _____// _____/\______ \ | +// \_____ \ \_____ \ | ___/ | +// / \/ \ | | | | +// /_______ /_______ / |____| |___| +// \/ \/ + +// Source holds configuration for SSPI single sign-on. +type Source struct { + AutoCreateUsers bool + AutoActivateUsers bool + StripDomainNames bool + SeparatorReplacement string + DefaultLanguage string +} + +// FromDB fills up an SSPIConfig from serialized format. +func (cfg *Source) FromDB(bs []byte) error { + json := jsoniter.ConfigCompatibleWithStandardLibrary + return json.Unmarshal(bs, cfg) +} + +// ToDB exports an SSPIConfig to a serialized format. +func (cfg *Source) ToDB() ([]byte, error) { + json := jsoniter.ConfigCompatibleWithStandardLibrary + return json.Marshal(cfg) +} + +func init() { + models.RegisterLoginTypeConfig(models.LoginSSPI, &Source{}) +} diff --git a/services/auth/sspi_windows.go b/services/auth/sspi_windows.go index 01243123081a5..1d31ceaf9e1ce 100644 --- a/services/auth/sspi_windows.go +++ b/services/auth/sspi_windows.go @@ -15,6 +15,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/templates" "code.gitea.io/gitea/modules/web/middleware" + "code.gitea.io/gitea/services/auth/source/sspi" gouuid "github.com/google/uuid" "github.com/quasoft/websspi" @@ -146,7 +147,7 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore, } // getConfig retrieves the SSPI configuration from login sources -func (s *SSPI) getConfig() (*models.SSPIConfig, error) { +func (s *SSPI) getConfig() (*sspi.Source, error) { sources, err := models.ActiveLoginSources(models.LoginSSPI) if err != nil { return nil, err @@ -157,7 +158,7 @@ func (s *SSPI) getConfig() (*models.SSPIConfig, error) { if len(sources) > 1 { return nil, errors.New("more than one active login source of type SSPI found") } - return sources[0].SSPI(), nil + return sources[0].Cfg.(*sspi.Source), nil } func (s *SSPI) shouldAuthenticate(req *http.Request) (shouldAuth bool) { @@ -177,7 +178,7 @@ func (s *SSPI) shouldAuthenticate(req *http.Request) (shouldAuth bool) { // newUser creates a new user object for the purpose of automatic registration // and populates its name and email with the information present in request headers. -func (s *SSPI) newUser(username string, cfg *models.SSPIConfig) (*models.User, error) { +func (s *SSPI) newUser(username string, cfg *sspi.Source) (*models.User, error) { email := gouuid.New().String() + "@localhost.localdomain" user := &models.User{ Name: username, @@ -214,7 +215,7 @@ func stripDomainNames(username string) string { return username } -func replaceSeparators(username string, cfg *models.SSPIConfig) string { +func replaceSeparators(username string, cfg *sspi.Source) string { newSep := cfg.SeparatorReplacement username = strings.ReplaceAll(username, "\\", newSep) username = strings.ReplaceAll(username, "/", newSep) @@ -222,7 +223,7 @@ func replaceSeparators(username string, cfg *models.SSPIConfig) string { return username } -func sanitizeUsername(username string, cfg *models.SSPIConfig) string { +func sanitizeUsername(username string, cfg *sspi.Source) string { if len(username) == 0 { return "" } diff --git a/services/auth/sync.go b/services/auth/sync.go index 613c313f43eda..a976270464681 100644 --- a/services/auth/sync.go +++ b/services/auth/sync.go @@ -9,7 +9,6 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/log" - "code.gitea.io/gitea/services/auth/source/ldap" ) // SyncExternalUsers is used to synchronize users with external authorization source @@ -33,8 +32,8 @@ func SyncExternalUsers(ctx context.Context, updateExisting bool) error { default: } - if s.IsLDAP() { - err := ldap.Sync(ctx, updateExisting, s) + if syncable, ok := s.Cfg.(SynchronizableSource); ok { + err := syncable.Sync(ctx, updateExisting, s) if err != nil { return err } From dd346f17fd4a52655c939120f95ff8de0bd585cc Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 10:43:02 +0100 Subject: [PATCH 08/44] move modules/auth/ldap to services/auth/source/ldap Signed-off-by: Andrew Thornton --- cmd/admin_auth_ldap.go | 65 ++- cmd/admin_auth_ldap_test.go | 434 +++++++----------- routers/web/admin/auths.go | 61 ++- .../auth/source}/ldap/README.md | 0 .../auth/source/ldap/security_protocol.go | 27 ++ services/auth/source/ldap/source.go | 57 ++- .../auth/source/ldap/source_search.go | 55 --- 7 files changed, 303 insertions(+), 396 deletions(-) rename {modules/auth => services/auth/source}/ldap/README.md (100%) create mode 100644 services/auth/source/ldap/security_protocol.go rename modules/auth/ldap/ldap.go => services/auth/source/ldap/source_search.go (83%) diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go index aab26082e90b6..6427add8ab42b 100644 --- a/cmd/admin_auth_ldap.go +++ b/cmd/admin_auth_ldap.go @@ -9,8 +9,7 @@ import ( "strings" "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/ldap" - ldapService "code.gitea.io/gitea/services/auth/source/ldap" + "code.gitea.io/gitea/services/auth/source/ldap" "github.com/urfave/cli" ) @@ -181,70 +180,70 @@ func parseLoginSource(c *cli.Context, loginSource *models.LoginSource) { } // parseLdapConfig assigns values on config according to command line flags. -func parseLdapConfig(c *cli.Context, config *ldapService.Source) error { +func parseLdapConfig(c *cli.Context, config *ldap.Source) error { if c.IsSet("name") { - config.Source.Name = c.String("name") + config.Name = c.String("name") } if c.IsSet("host") { - config.Source.Host = c.String("host") + config.Host = c.String("host") } if c.IsSet("port") { - config.Source.Port = c.Int("port") + config.Port = c.Int("port") } if c.IsSet("security-protocol") { p, ok := findLdapSecurityProtocolByName(c.String("security-protocol")) if !ok { return fmt.Errorf("Unknown security protocol name: %s", c.String("security-protocol")) } - config.Source.SecurityProtocol = p + config.SecurityProtocol = p } if c.IsSet("skip-tls-verify") { - config.Source.SkipVerify = c.Bool("skip-tls-verify") + config.SkipVerify = c.Bool("skip-tls-verify") } if c.IsSet("bind-dn") { - config.Source.BindDN = c.String("bind-dn") + config.BindDN = c.String("bind-dn") } if c.IsSet("user-dn") { - config.Source.UserDN = c.String("user-dn") + config.UserDN = c.String("user-dn") } if c.IsSet("bind-password") { - config.Source.BindPassword = c.String("bind-password") + config.BindPassword = c.String("bind-password") } if c.IsSet("user-search-base") { - config.Source.UserBase = c.String("user-search-base") + config.UserBase = c.String("user-search-base") } if c.IsSet("username-attribute") { - config.Source.AttributeUsername = c.String("username-attribute") + config.AttributeUsername = c.String("username-attribute") } if c.IsSet("firstname-attribute") { - config.Source.AttributeName = c.String("firstname-attribute") + config.AttributeName = c.String("firstname-attribute") } if c.IsSet("surname-attribute") { - config.Source.AttributeSurname = c.String("surname-attribute") + config.AttributeSurname = c.String("surname-attribute") } if c.IsSet("email-attribute") { - config.Source.AttributeMail = c.String("email-attribute") + config.AttributeMail = c.String("email-attribute") } if c.IsSet("attributes-in-bind") { - config.Source.AttributesInBind = c.Bool("attributes-in-bind") + config.AttributesInBind = c.Bool("attributes-in-bind") } if c.IsSet("public-ssh-key-attribute") { - config.Source.AttributeSSHPublicKey = c.String("public-ssh-key-attribute") + config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute") } if c.IsSet("page-size") { - config.Source.SearchPageSize = uint32(c.Uint("page-size")) + config.SearchPageSize = uint32(c.Uint("page-size")) } if c.IsSet("user-filter") { - config.Source.Filter = c.String("user-filter") + config.Filter = c.String("user-filter") } if c.IsSet("admin-filter") { - config.Source.AdminFilter = c.String("admin-filter") + config.AdminFilter = c.String("admin-filter") } if c.IsSet("restricted-filter") { - config.Source.RestrictedFilter = c.String("restricted-filter") + config.RestrictedFilter = c.String("restricted-filter") } if c.IsSet("allow-deactivate-all") { - config.Source.AllowDeactivateAll = c.Bool("allow-deactivate-all") + config.AllowDeactivateAll = c.Bool("allow-deactivate-all") } return nil } @@ -292,15 +291,13 @@ func (a *authService) addLdapBindDn(c *cli.Context) error { loginSource := &models.LoginSource{ Type: models.LoginLDAP, IsActived: true, // active by default - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Enabled: true, // always true - }, + Cfg: &ldap.Source{ + Enabled: true, // always true }, } parseLoginSource(c, loginSource) - if err := parseLdapConfig(c, loginSource.Cfg.(*ldapService.Source)); err != nil { + if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil { return err } @@ -319,7 +316,7 @@ func (a *authService) updateLdapBindDn(c *cli.Context) error { } parseLoginSource(c, loginSource) - if err := parseLdapConfig(c, loginSource.Cfg.(*ldapService.Source)); err != nil { + if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil { return err } @@ -339,15 +336,13 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error { loginSource := &models.LoginSource{ Type: models.LoginDLDAP, IsActived: true, // active by default - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Enabled: true, // always true - }, + Cfg: &ldap.Source{ + Enabled: true, // always true }, } parseLoginSource(c, loginSource) - if err := parseLdapConfig(c, loginSource.Cfg.(*ldapService.Source)); err != nil { + if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil { return err } @@ -366,7 +361,7 @@ func (a *authService) updateLdapSimpleAuth(c *cli.Context) error { } parseLoginSource(c, loginSource) - if err := parseLdapConfig(c, loginSource.Cfg.(*ldapService.Source)); err != nil { + if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil { return err } diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go index d051feee5bcd5..bcf4325f0601b 100644 --- a/cmd/admin_auth_ldap_test.go +++ b/cmd/admin_auth_ldap_test.go @@ -8,8 +8,7 @@ import ( "testing" "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/ldap" - ldapService "code.gitea.io/gitea/services/auth/source/ldap" + "code.gitea.io/gitea/services/auth/source/ldap" "github.com/stretchr/testify/assert" "github.com/urfave/cli" @@ -57,28 +56,26 @@ func TestAddLdapBindDn(t *testing.T) { Name: "ldap (via Bind DN) source full", IsActived: false, IsSyncEnabled: true, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Name: "ldap (via Bind DN) source full", - Host: "ldap-bind-server full", - Port: 9876, - SecurityProtocol: ldap.SecurityProtocol(1), - SkipVerify: true, - BindDN: "cn=readonly,dc=full-domain-bind,dc=org", - BindPassword: "secret-bind-full", - UserBase: "ou=Users,dc=full-domain-bind,dc=org", - AttributeUsername: "uid-bind full", - AttributeName: "givenName-bind full", - AttributeSurname: "sn-bind full", - AttributeMail: "mail-bind full", - AttributesInBind: true, - AttributeSSHPublicKey: "publickey-bind full", - SearchPageSize: 99, - Filter: "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)", - AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)", - RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)", - Enabled: true, - }, + Cfg: &ldap.Source{ + Name: "ldap (via Bind DN) source full", + Host: "ldap-bind-server full", + Port: 9876, + SecurityProtocol: ldap.SecurityProtocol(1), + SkipVerify: true, + BindDN: "cn=readonly,dc=full-domain-bind,dc=org", + BindPassword: "secret-bind-full", + UserBase: "ou=Users,dc=full-domain-bind,dc=org", + AttributeUsername: "uid-bind full", + AttributeName: "givenName-bind full", + AttributeSurname: "sn-bind full", + AttributeMail: "mail-bind full", + AttributesInBind: true, + AttributeSSHPublicKey: "publickey-bind full", + SearchPageSize: 99, + Filter: "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)", + AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)", + RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)", + Enabled: true, }, }, }, @@ -98,17 +95,15 @@ func TestAddLdapBindDn(t *testing.T) { Type: models.LoginLDAP, Name: "ldap (via Bind DN) source min", IsActived: true, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Name: "ldap (via Bind DN) source min", - Host: "ldap-bind-server min", - Port: 1234, - SecurityProtocol: ldap.SecurityProtocol(0), - UserBase: "ou=Users,dc=min-domain-bind,dc=org", - AttributeMail: "mail-bind min", - Filter: "(memberOf=cn=user-group,ou=example,dc=min-domain-bind,dc=org)", - Enabled: true, - }, + Cfg: &ldap.Source{ + Name: "ldap (via Bind DN) source min", + Host: "ldap-bind-server min", + Port: 1234, + SecurityProtocol: ldap.SecurityProtocol(0), + UserBase: "ou=Users,dc=min-domain-bind,dc=org", + AttributeMail: "mail-bind min", + Filter: "(memberOf=cn=user-group,ou=example,dc=min-domain-bind,dc=org)", + Enabled: true, }, }, }, @@ -280,25 +275,23 @@ func TestAddLdapSimpleAuth(t *testing.T) { Type: models.LoginDLDAP, Name: "ldap (simple auth) source full", IsActived: false, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Name: "ldap (simple auth) source full", - Host: "ldap-simple-server full", - Port: 987, - SecurityProtocol: ldap.SecurityProtocol(2), - SkipVerify: true, - UserDN: "cn=%s,ou=Users,dc=full-domain-simple,dc=org", - UserBase: "ou=Users,dc=full-domain-simple,dc=org", - AttributeUsername: "uid-simple full", - AttributeName: "givenName-simple full", - AttributeSurname: "sn-simple full", - AttributeMail: "mail-simple full", - AttributeSSHPublicKey: "publickey-simple full", - Filter: "(&(objectClass=posixAccount)(full-simple-cn=%s))", - AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)", - RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)", - Enabled: true, - }, + Cfg: &ldap.Source{ + Name: "ldap (simple auth) source full", + Host: "ldap-simple-server full", + Port: 987, + SecurityProtocol: ldap.SecurityProtocol(2), + SkipVerify: true, + UserDN: "cn=%s,ou=Users,dc=full-domain-simple,dc=org", + UserBase: "ou=Users,dc=full-domain-simple,dc=org", + AttributeUsername: "uid-simple full", + AttributeName: "givenName-simple full", + AttributeSurname: "sn-simple full", + AttributeMail: "mail-simple full", + AttributeSSHPublicKey: "publickey-simple full", + Filter: "(&(objectClass=posixAccount)(full-simple-cn=%s))", + AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)", + RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)", + Enabled: true, }, }, }, @@ -318,17 +311,15 @@ func TestAddLdapSimpleAuth(t *testing.T) { Type: models.LoginDLDAP, Name: "ldap (simple auth) source min", IsActived: true, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Name: "ldap (simple auth) source min", - Host: "ldap-simple-server min", - Port: 123, - SecurityProtocol: ldap.SecurityProtocol(0), - UserDN: "cn=%s,ou=Users,dc=min-domain-simple,dc=org", - AttributeMail: "mail-simple min", - Filter: "(&(objectClass=posixAccount)(min-simple-cn=%s))", - Enabled: true, - }, + Cfg: &ldap.Source{ + Name: "ldap (simple auth) source min", + Host: "ldap-simple-server min", + Port: 123, + SecurityProtocol: ldap.SecurityProtocol(0), + UserDN: "cn=%s,ou=Users,dc=min-domain-simple,dc=org", + AttributeMail: "mail-simple min", + Filter: "(&(objectClass=posixAccount)(min-simple-cn=%s))", + Enabled: true, }, }, }, @@ -519,10 +510,8 @@ func TestUpdateLdapBindDn(t *testing.T) { existingLoginSource: &models.LoginSource{ Type: models.LoginLDAP, IsActived: true, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Enabled: true, - }, + Cfg: &ldap.Source{ + Enabled: true, }, }, loginSource: &models.LoginSource{ @@ -530,28 +519,26 @@ func TestUpdateLdapBindDn(t *testing.T) { Name: "ldap (via Bind DN) source full", IsActived: false, IsSyncEnabled: true, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Name: "ldap (via Bind DN) source full", - Host: "ldap-bind-server full", - Port: 9876, - SecurityProtocol: ldap.SecurityProtocol(1), - SkipVerify: true, - BindDN: "cn=readonly,dc=full-domain-bind,dc=org", - BindPassword: "secret-bind-full", - UserBase: "ou=Users,dc=full-domain-bind,dc=org", - AttributeUsername: "uid-bind full", - AttributeName: "givenName-bind full", - AttributeSurname: "sn-bind full", - AttributeMail: "mail-bind full", - AttributesInBind: false, - AttributeSSHPublicKey: "publickey-bind full", - SearchPageSize: 99, - Filter: "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)", - AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)", - RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)", - Enabled: true, - }, + Cfg: &ldap.Source{ + Name: "ldap (via Bind DN) source full", + Host: "ldap-bind-server full", + Port: 9876, + SecurityProtocol: ldap.SecurityProtocol(1), + SkipVerify: true, + BindDN: "cn=readonly,dc=full-domain-bind,dc=org", + BindPassword: "secret-bind-full", + UserBase: "ou=Users,dc=full-domain-bind,dc=org", + AttributeUsername: "uid-bind full", + AttributeName: "givenName-bind full", + AttributeSurname: "sn-bind full", + AttributeMail: "mail-bind full", + AttributesInBind: false, + AttributeSSHPublicKey: "publickey-bind full", + SearchPageSize: 99, + Filter: "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)", + AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)", + RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)", + Enabled: true, }, }, }, @@ -563,9 +550,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, }, // case 2 @@ -578,10 +563,8 @@ func TestUpdateLdapBindDn(t *testing.T) { loginSource: &models.LoginSource{ Type: models.LoginLDAP, Name: "ldap (via Bind DN) source", - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Name: "ldap (via Bind DN) source", - }, + Cfg: &ldap.Source{ + Name: "ldap (via Bind DN) source", }, }, }, @@ -595,16 +578,12 @@ func TestUpdateLdapBindDn(t *testing.T) { existingLoginSource: &models.LoginSource{ Type: models.LoginLDAP, IsActived: true, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, IsActived: false, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, }, // case 4 @@ -616,10 +595,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - SecurityProtocol: ldap.SecurityProtocol(1), - }, + Cfg: &ldap.Source{ + SecurityProtocol: ldap.SecurityProtocol(1), }, }, }, @@ -632,10 +609,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - SkipVerify: true, - }, + Cfg: &ldap.Source{ + SkipVerify: true, }, }, }, @@ -648,10 +623,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Host: "ldap-server", - }, + Cfg: &ldap.Source{ + Host: "ldap-server", }, }, }, @@ -664,10 +637,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Port: 389, - }, + Cfg: &ldap.Source{ + Port: 389, }, }, }, @@ -680,10 +651,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - UserBase: "ou=Users,dc=domain,dc=org", - }, + Cfg: &ldap.Source{ + UserBase: "ou=Users,dc=domain,dc=org", }, }, }, @@ -696,10 +665,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Filter: "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)", - }, + Cfg: &ldap.Source{ + Filter: "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)", }, }, }, @@ -712,10 +679,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", - }, + Cfg: &ldap.Source{ + AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", }, }, }, @@ -728,10 +693,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeUsername: "uid", - }, + Cfg: &ldap.Source{ + AttributeUsername: "uid", }, }, }, @@ -744,10 +707,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeName: "givenName", - }, + Cfg: &ldap.Source{ + AttributeName: "givenName", }, }, }, @@ -760,10 +721,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeSurname: "sn", - }, + Cfg: &ldap.Source{ + AttributeSurname: "sn", }, }, }, @@ -776,10 +735,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeMail: "mail", - }, + Cfg: &ldap.Source{ + AttributeMail: "mail", }, }, }, @@ -792,10 +749,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributesInBind: true, - }, + Cfg: &ldap.Source{ + AttributesInBind: true, }, }, }, @@ -808,10 +763,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeSSHPublicKey: "publickey", - }, + Cfg: &ldap.Source{ + AttributeSSHPublicKey: "publickey", }, }, }, @@ -824,10 +777,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - BindDN: "cn=readonly,dc=domain,dc=org", - }, + Cfg: &ldap.Source{ + BindDN: "cn=readonly,dc=domain,dc=org", }, }, }, @@ -840,10 +791,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - BindPassword: "secret", - }, + Cfg: &ldap.Source{ + BindPassword: "secret", }, }, }, @@ -857,9 +806,7 @@ func TestUpdateLdapBindDn(t *testing.T) { loginSource: &models.LoginSource{ Type: models.LoginLDAP, IsSyncEnabled: true, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, }, // case 20 @@ -871,10 +818,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - SearchPageSize: 12, - }, + Cfg: &ldap.Source{ + SearchPageSize: 12, }, }, }, @@ -902,9 +847,7 @@ func TestUpdateLdapBindDn(t *testing.T) { }, existingLoginSource: &models.LoginSource{ Type: models.LoginOAuth2, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, errMsg: "Invalid authentication type. expected: LDAP (via BindDN), actual: OAuth2", }, @@ -934,9 +877,7 @@ func TestUpdateLdapBindDn(t *testing.T) { } return &models.LoginSource{ Type: models.LoginLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, nil }, } @@ -998,24 +939,22 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { Type: models.LoginDLDAP, Name: "ldap (simple auth) source full", IsActived: false, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Name: "ldap (simple auth) source full", - Host: "ldap-simple-server full", - Port: 987, - SecurityProtocol: ldap.SecurityProtocol(2), - SkipVerify: true, - UserDN: "cn=%s,ou=Users,dc=full-domain-simple,dc=org", - UserBase: "ou=Users,dc=full-domain-simple,dc=org", - AttributeUsername: "uid-simple full", - AttributeName: "givenName-simple full", - AttributeSurname: "sn-simple full", - AttributeMail: "mail-simple full", - AttributeSSHPublicKey: "publickey-simple full", - Filter: "(&(objectClass=posixAccount)(full-simple-cn=%s))", - AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)", - RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)", - }, + Cfg: &ldap.Source{ + Name: "ldap (simple auth) source full", + Host: "ldap-simple-server full", + Port: 987, + SecurityProtocol: ldap.SecurityProtocol(2), + SkipVerify: true, + UserDN: "cn=%s,ou=Users,dc=full-domain-simple,dc=org", + UserBase: "ou=Users,dc=full-domain-simple,dc=org", + AttributeUsername: "uid-simple full", + AttributeName: "givenName-simple full", + AttributeSurname: "sn-simple full", + AttributeMail: "mail-simple full", + AttributeSSHPublicKey: "publickey-simple full", + Filter: "(&(objectClass=posixAccount)(full-simple-cn=%s))", + AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)", + RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)", }, }, }, @@ -1027,9 +966,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, }, // case 2 @@ -1042,10 +979,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { loginSource: &models.LoginSource{ Type: models.LoginDLDAP, Name: "ldap (simple auth) source", - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Name: "ldap (simple auth) source", - }, + Cfg: &ldap.Source{ + Name: "ldap (simple auth) source", }, }, }, @@ -1059,16 +994,12 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { existingLoginSource: &models.LoginSource{ Type: models.LoginDLDAP, IsActived: true, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, IsActived: false, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, }, // case 4 @@ -1080,10 +1011,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - SecurityProtocol: ldap.SecurityProtocol(2), - }, + Cfg: &ldap.Source{ + SecurityProtocol: ldap.SecurityProtocol(2), }, }, }, @@ -1096,10 +1025,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - SkipVerify: true, - }, + Cfg: &ldap.Source{ + SkipVerify: true, }, }, }, @@ -1112,10 +1039,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Host: "ldap-server", - }, + Cfg: &ldap.Source{ + Host: "ldap-server", }, }, }, @@ -1128,10 +1053,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Port: 987, - }, + Cfg: &ldap.Source{ + Port: 987, }, }, }, @@ -1144,10 +1067,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - UserBase: "ou=Users,dc=domain,dc=org", - }, + Cfg: &ldap.Source{ + UserBase: "ou=Users,dc=domain,dc=org", }, }, }, @@ -1160,10 +1081,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - Filter: "(&(objectClass=posixAccount)(cn=%s))", - }, + Cfg: &ldap.Source{ + Filter: "(&(objectClass=posixAccount)(cn=%s))", }, }, }, @@ -1176,10 +1095,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", - }, + Cfg: &ldap.Source{ + AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", }, }, }, @@ -1192,10 +1109,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeUsername: "uid", - }, + Cfg: &ldap.Source{ + AttributeUsername: "uid", }, }, }, @@ -1208,10 +1123,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeName: "givenName", - }, + Cfg: &ldap.Source{ + AttributeName: "givenName", }, }, }, @@ -1224,10 +1137,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeSurname: "sn", - }, + Cfg: &ldap.Source{ + AttributeSurname: "sn", }, }, }, @@ -1240,10 +1151,9 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeMail: "mail", - }, + Cfg: &ldap.Source{ + + AttributeMail: "mail", }, }, }, @@ -1256,10 +1166,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - AttributeSSHPublicKey: "publickey", - }, + Cfg: &ldap.Source{ + AttributeSSHPublicKey: "publickey", }, }, }, @@ -1272,10 +1180,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, loginSource: &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{ - UserDN: "cn=%s,ou=Users,dc=domain,dc=org", - }, + Cfg: &ldap.Source{ + UserDN: "cn=%s,ou=Users,dc=domain,dc=org", }, }, }, @@ -1303,9 +1209,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, existingLoginSource: &models.LoginSource{ Type: models.LoginPAM, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, errMsg: "Invalid authentication type. expected: LDAP (simple auth), actual: PAM", }, @@ -1335,9 +1239,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { } return &models.LoginSource{ Type: models.LoginDLDAP, - Cfg: &ldapService.Source{ - Source: &ldap.Source{}, - }, + Cfg: &ldap.Source{}, }, nil }, } diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go index dd3036213ac6d..a8d3f7cd8801d 100644 --- a/routers/web/admin/auths.go +++ b/routers/web/admin/auths.go @@ -11,7 +11,6 @@ import ( "regexp" "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/ldap" "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/auth/pam" "code.gitea.io/gitea/modules/base" @@ -20,7 +19,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/web" - ldapService "code.gitea.io/gitea/services/auth/source/ldap" + "code.gitea.io/gitea/services/auth/source/ldap" oauth2Service "code.gitea.io/gitea/services/auth/source/oauth2" pamService "code.gitea.io/gitea/services/auth/source/pam" "code.gitea.io/gitea/services/auth/source/smtp" @@ -118,40 +117,38 @@ func NewAuthSource(ctx *context.Context) { ctx.HTML(http.StatusOK, tplAuthNew) } -func parseLDAPConfig(form forms.AuthenticationForm) *ldapService.Source { +func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source { var pageSize uint32 if form.UsePagedSearch { pageSize = uint32(form.SearchPageSize) } - return &ldapService.Source{ - Source: &ldap.Source{ - Name: form.Name, - Host: form.Host, - Port: form.Port, - SecurityProtocol: ldap.SecurityProtocol(form.SecurityProtocol), - SkipVerify: form.SkipVerify, - BindDN: form.BindDN, - UserDN: form.UserDN, - BindPassword: form.BindPassword, - UserBase: form.UserBase, - AttributeUsername: form.AttributeUsername, - AttributeName: form.AttributeName, - AttributeSurname: form.AttributeSurname, - AttributeMail: form.AttributeMail, - AttributesInBind: form.AttributesInBind, - AttributeSSHPublicKey: form.AttributeSSHPublicKey, - SearchPageSize: pageSize, - Filter: form.Filter, - GroupsEnabled: form.GroupsEnabled, - GroupDN: form.GroupDN, - GroupFilter: form.GroupFilter, - GroupMemberUID: form.GroupMemberUID, - UserUID: form.UserUID, - AdminFilter: form.AdminFilter, - RestrictedFilter: form.RestrictedFilter, - AllowDeactivateAll: form.AllowDeactivateAll, - Enabled: true, - }, + return &ldap.Source{ + Name: form.Name, + Host: form.Host, + Port: form.Port, + SecurityProtocol: ldap.SecurityProtocol(form.SecurityProtocol), + SkipVerify: form.SkipVerify, + BindDN: form.BindDN, + UserDN: form.UserDN, + BindPassword: form.BindPassword, + UserBase: form.UserBase, + AttributeUsername: form.AttributeUsername, + AttributeName: form.AttributeName, + AttributeSurname: form.AttributeSurname, + AttributeMail: form.AttributeMail, + AttributesInBind: form.AttributesInBind, + AttributeSSHPublicKey: form.AttributeSSHPublicKey, + SearchPageSize: pageSize, + Filter: form.Filter, + GroupsEnabled: form.GroupsEnabled, + GroupDN: form.GroupDN, + GroupFilter: form.GroupFilter, + GroupMemberUID: form.GroupMemberUID, + UserUID: form.UserUID, + AdminFilter: form.AdminFilter, + RestrictedFilter: form.RestrictedFilter, + AllowDeactivateAll: form.AllowDeactivateAll, + Enabled: true, } } diff --git a/modules/auth/ldap/README.md b/services/auth/source/ldap/README.md similarity index 100% rename from modules/auth/ldap/README.md rename to services/auth/source/ldap/README.md diff --git a/services/auth/source/ldap/security_protocol.go b/services/auth/source/ldap/security_protocol.go new file mode 100644 index 0000000000000..47c9d30e5cfe0 --- /dev/null +++ b/services/auth/source/ldap/security_protocol.go @@ -0,0 +1,27 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package ldap + +// SecurityProtocol protocol type +type SecurityProtocol int + +// Note: new type must be added at the end of list to maintain compatibility. +const ( + SecurityProtocolUnencrypted SecurityProtocol = iota + SecurityProtocolLDAPS + SecurityProtocolStartTLS +) + +// String returns the name of the SecurityProtocol +func (s SecurityProtocol) String() string { + return SecurityProtocolNames[s] +} + +// SecurityProtocolNames contains the name of SecurityProtocol values. +var SecurityProtocolNames = map[SecurityProtocol]string{ + SecurityProtocolUnencrypted: "Unencrypted", + SecurityProtocolLDAPS: "LDAPS", + SecurityProtocolStartTLS: "StartTLS", +} diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go index bf0c69154e41f..fc6a62708fe56 100644 --- a/services/auth/source/ldap/source.go +++ b/services/auth/source/ldap/source.go @@ -8,7 +8,6 @@ import ( "strings" "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/ldap" "code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/setting" jsoniter "github.com/json-iterator/go" @@ -21,15 +20,54 @@ import ( // |_______ \/_______ /\____|__ /____| // \/ \/ \/ -// Source holds configuration for LDAP login source. +// Package ldap provide functions & structure to query a LDAP ldap directory +// For now, it's mainly tested again an MS Active Directory service, see README.md for more information + +// Source Basic LDAP authentication service type Source struct { - *ldap.Source + Name string // canonical name (ie. corporate.ad) + Host string // LDAP host + Port int // port number + SecurityProtocol SecurityProtocol + SkipVerify bool + BindDN string // DN to bind with + BindPasswordEncrypt string // Encrypted Bind BN password + BindPassword string // Bind DN password + UserBase string // Base search path for users + UserDN string // Template for the DN of the user for simple auth + AttributeUsername string // Username attribute + AttributeName string // First name attribute + AttributeSurname string // Surname attribute + AttributeMail string // E-mail attribute + AttributesInBind bool // fetch attributes in bind context (not user) + AttributeSSHPublicKey string // LDAP SSH Public Key attribute + SearchPageSize uint32 // Search with paging page size + Filter string // Query filter to validate entry + AdminFilter string // Query filter to check if user is admin + RestrictedFilter string // Query filter to check if user is restricted + Enabled bool // if this source is disabled + AllowDeactivateAll bool // Allow an empty search response to deactivate all users from this source + GroupsEnabled bool // if the group checking is enabled + GroupDN string // Group Search Base + GroupFilter string // Group Name Filter + GroupMemberUID string // Group Attribute containing array of UserUID + UserUID string // User Attribute listed in Group +} + +// wrappedSource wraps the source to ensure that the FromDB/ToDB results are the same as previously +type wrappedSource struct { + Source *Source } // FromDB fills up a LDAPConfig from serialized format. func (source *Source) FromDB(bs []byte) error { json := jsoniter.ConfigCompatibleWithStandardLibrary - err := json.Unmarshal(bs, &source) + + wrapped := &wrappedSource{ + Source: source, + } + + err := json.Unmarshal(bs, &wrapped) if err != nil { return err } @@ -49,13 +87,16 @@ func (source *Source) ToDB() ([]byte, error) { } source.BindPassword = "" json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Marshal(source) + wrapped := &wrappedSource{ + Source: source, + } + return json.Marshal(wrapped) } // SecurityProtocolName returns the name of configured security // protocol. func (source *Source) SecurityProtocolName() string { - return ldap.SecurityProtocolNames[source.SecurityProtocol] + return SecurityProtocolNames[source.SecurityProtocol] } // IsSkipVerify returns if SkipVerify is set @@ -65,12 +106,12 @@ func (source *Source) IsSkipVerify() bool { // HasTLS returns if HasTLS func (source *Source) HasTLS() bool { - return source.SecurityProtocol > ldap.SecurityProtocolUnencrypted + return source.SecurityProtocol > SecurityProtocolUnencrypted } // UseTLS returns if UseTLS func (source *Source) UseTLS() bool { - return source.SecurityProtocol != ldap.SecurityProtocolUnencrypted + return source.SecurityProtocol != SecurityProtocolUnencrypted } // ProvidesSSHKeys returns if this source provides SSH Keys diff --git a/modules/auth/ldap/ldap.go b/services/auth/source/ldap/source_search.go similarity index 83% rename from modules/auth/ldap/ldap.go rename to services/auth/source/ldap/source_search.go index 321fbf805891a..e99fc67901afd 100644 --- a/modules/auth/ldap/ldap.go +++ b/services/auth/source/ldap/source_search.go @@ -3,8 +3,6 @@ // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. -// Package ldap provide functions & structure to query a LDAP ldap directory -// For now, it's mainly tested again an MS Active Directory service, see README.md for more information package ldap import ( @@ -17,59 +15,6 @@ import ( "github.com/go-ldap/ldap/v3" ) -// SecurityProtocol protocol type -type SecurityProtocol int - -// Note: new type must be added at the end of list to maintain compatibility. -const ( - SecurityProtocolUnencrypted SecurityProtocol = iota - SecurityProtocolLDAPS - SecurityProtocolStartTLS -) - -// String returns the name of the SecurityProtocol -func (s SecurityProtocol) String() string { - return SecurityProtocolNames[s] -} - -// SecurityProtocolNames contains the name of SecurityProtocol values. -var SecurityProtocolNames = map[SecurityProtocol]string{ - SecurityProtocolUnencrypted: "Unencrypted", - SecurityProtocolLDAPS: "LDAPS", - SecurityProtocolStartTLS: "StartTLS", -} - -// Source Basic LDAP authentication service -type Source struct { - Name string // canonical name (ie. corporate.ad) - Host string // LDAP host - Port int // port number - SecurityProtocol SecurityProtocol - SkipVerify bool - BindDN string // DN to bind with - BindPasswordEncrypt string // Encrypted Bind BN password - BindPassword string // Bind DN password - UserBase string // Base search path for users - UserDN string // Template for the DN of the user for simple auth - AttributeUsername string // Username attribute - AttributeName string // First name attribute - AttributeSurname string // Surname attribute - AttributeMail string // E-mail attribute - AttributesInBind bool // fetch attributes in bind context (not user) - AttributeSSHPublicKey string // LDAP SSH Public Key attribute - SearchPageSize uint32 // Search with paging page size - Filter string // Query filter to validate entry - AdminFilter string // Query filter to check if user is admin - RestrictedFilter string // Query filter to check if user is restricted - Enabled bool // if this source is disabled - AllowDeactivateAll bool // Allow an empty search response to deactivate all users from this source - GroupsEnabled bool // if the group checking is enabled - GroupDN string // Group Search Base - GroupFilter string // Group Name Filter - GroupMemberUID string // Group Attribute containing array of UserUID - UserUID string // User Attribute listed in Group -} - // SearchResult : user data type SearchResult struct { Username string // Username From 70f542c462ea390e65a131a5b0e65a6f94afd6a2 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 11:02:22 +0100 Subject: [PATCH 09/44] fix reflection Signed-off-by: Andrew Thornton --- models/login_source.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/login_source.go b/models/login_source.go index b7b734b4b72e1..9ca6709661c3a 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -116,7 +116,7 @@ func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) { typ := LoginType(Cell2Int64(val)) exemplar, ok := registeredLoginConfigs[typ] if ok { - source.Cfg = reflect.New(reflect.TypeOf(exemplar)).Interface().(convert.Conversion) + source.Cfg = reflect.New(reflect.ValueOf(exemplar).Elem().Type()).Interface().(convert.Conversion) return } } From 521f1831bfb3404e3c4b1fa812de9fadbf533247 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 11:15:41 +0100 Subject: [PATCH 10/44] handle non-pointer sources Signed-off-by: Andrew Thornton --- models/login_source.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/models/login_source.go b/models/login_source.go index 9ca6709661c3a..e7e45b4e99bed 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -115,10 +115,18 @@ func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) { if colName == "type" { typ := LoginType(Cell2Int64(val)) exemplar, ok := registeredLoginConfigs[typ] - if ok { + if !ok { + return + } + + if reflect.TypeOf(exemplar).Kind() == reflect.Ptr { + // Pointer: source.Cfg = reflect.New(reflect.ValueOf(exemplar).Elem().Type()).Interface().(convert.Conversion) return } + + // Not pointer: + source.Cfg = reflect.New(reflect.TypeOf(exemplar)).Elem().Interface().(convert.Conversion) } } From 202c971d6e088ecb860ccb5df2f65a28f764fbfa Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 11:16:59 +0100 Subject: [PATCH 11/44] fix readme file Signed-off-by: Andrew Thornton --- services/auth/source/ldap/README.md | 77 ++++++++++++++--------------- 1 file changed, 38 insertions(+), 39 deletions(-) diff --git a/services/auth/source/ldap/README.md b/services/auth/source/ldap/README.md index 76841f44aefd4..3a839fa3142a9 100644 --- a/services/auth/source/ldap/README.md +++ b/services/auth/source/ldap/README.md @@ -1,5 +1,4 @@ -Gitea LDAP Authentication Module -=============================== +# Gitea LDAP Authentication Module ## About @@ -30,94 +29,94 @@ section in the admin panel. Both the LDAP via BindDN and the simple auth LDAP share the following fields: * Authorization Name **(required)** - * A name to assign to the new method of authorization. + * A name to assign to the new method of authorization. * Host **(required)** - * The address where the LDAP server can be reached. - * Example: mydomain.com + * The address where the LDAP server can be reached. + * Example: mydomain.com * Port **(required)** - * The port to use when connecting to the server. - * Example: 636 + * The port to use when connecting to the server. + * Example: 636 * Enable TLS Encryption (optional) - * Whether to use TLS when connecting to the LDAP server. + * Whether to use TLS when connecting to the LDAP server. * Admin Filter (optional) - * An LDAP filter specifying if a user should be given administrator + * An LDAP filter specifying if a user should be given administrator privileges. If a user accounts passes the filter, the user will be privileged as an administrator. - * Example: (objectClass=adminAccount) + * Example: (objectClass=adminAccount) * First name attribute (optional) - * The attribute of the user's LDAP record containing the user's first name. + * The attribute of the user's LDAP record containing the user's first name. This will be used to populate their account information. - * Example: givenName + * Example: givenName * Surname attribute (optional) - * The attribute of the user's LDAP record containing the user's surname This + * The attribute of the user's LDAP record containing the user's surname This will be used to populate their account information. - * Example: sn + * Example: sn * E-mail attribute **(required)** - * The attribute of the user's LDAP record containing the user's email + * The attribute of the user's LDAP record containing the user's email address. This will be used to populate their account information. - * Example: mail + * Example: mail **LDAP via BindDN** adds the following fields: * Bind DN (optional) - * The DN to bind to the LDAP server with when searching for the user. This + * The DN to bind to the LDAP server with when searching for the user. This may be left blank to perform an anonymous search. - * Example: cn=Search,dc=mydomain,dc=com + * Example: cn=Search,dc=mydomain,dc=com * Bind Password (optional) - * The password for the Bind DN specified above, if any. _Note: The password + * The password for the Bind DN specified above, if any. _Note: The password is stored in plaintext at the server. As such, ensure that your Bind DN has as few privileges as possible._ * User Search Base **(required)** - * The LDAP base at which user accounts will be searched for. - * Example: ou=Users,dc=mydomain,dc=com + * The LDAP base at which user accounts will be searched for. + * Example: ou=Users,dc=mydomain,dc=com * User Filter **(required)** - * An LDAP filter declaring how to find the user record that is attempting to + * An LDAP filter declaring how to find the user record that is attempting to authenticate. The '%s' matching parameter will be substituted with the user's username. - * Example: (&(objectClass=posixAccount)(uid=%s)) + * Example: (&(objectClass=posixAccount)(uid=%s)) **LDAP using simple auth** adds the following fields: * User DN **(required)** - * A template to use as the user's DN. The `%s` matching parameter will be + * A template to use as the user's DN. The `%s` matching parameter will be substituted with the user's username. - * Example: cn=%s,ou=Users,dc=mydomain,dc=com - * Example: uid=%s,ou=Users,dc=mydomain,dc=com + * Example: cn=%s,ou=Users,dc=mydomain,dc=com + * Example: uid=%s,ou=Users,dc=mydomain,dc=com * User Search Base (optional) - * The LDAP base at which user accounts will be searched for. - * Example: ou=Users,dc=mydomain,dc=com + * The LDAP base at which user accounts will be searched for. + * Example: ou=Users,dc=mydomain,dc=com * User Filter **(required)** - * An LDAP filter declaring when a user should be allowed to log in. The `%s` + * An LDAP filter declaring when a user should be allowed to log in. The `%s` matching parameter will be substituted with the user's username. - * Example: (&(objectClass=posixAccount)(cn=%s)) - * Example: (&(objectClass=posixAccount)(uid=%s)) + * Example: (&(objectClass=posixAccount)(cn=%s)) + * Example: (&(objectClass=posixAccount)(uid=%s)) **Verify group membership in LDAP** uses the following fields: * Group Search Base (optional) - * The LDAP DN used for groups. - * Example: ou=group,dc=mydomain,dc=com + * The LDAP DN used for groups. + * Example: ou=group,dc=mydomain,dc=com * Group Name Filter (optional) - * An LDAP filter declaring how to find valid groups in the above DN. - * Example: (|(cn=gitea_users)(cn=admins)) + * An LDAP filter declaring how to find valid groups in the above DN. + * Example: (|(cn=gitea_users)(cn=admins)) * User Attribute in Group (optional) - * Which user LDAP attribute is listed in the group. - * Example: uid + * Which user LDAP attribute is listed in the group. + * Example: uid * Group Attribute for User (optional) - * Which group LDAP attribute contains an array above user attribute names. - * Example: memberUid + * Which group LDAP attribute contains an array above user attribute names. + * Example: memberUid From 2dd721136cb7e856d7858badf0d605f03073f0e3 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 11:36:13 +0100 Subject: [PATCH 12/44] unregister Signed-off-by: Andrew Thornton --- models/login_source.go | 8 +++++--- services/auth/source/oauth2/source_register.go | 7 ++++++- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/models/login_source.go b/models/login_source.go index e7e45b4e99bed..fa5b23fbedc3d 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -9,7 +9,6 @@ import ( "reflect" "strconv" - "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/timeutil" @@ -75,6 +74,7 @@ type SSHKeyProvider interface { // RegisterableSource configurations provide RegisterSource which needs to be run on creation type RegisterableSource interface { RegisterSource(*LoginSource) error + UnregisterSource(*LoginSource) error } // RegisterLoginTypeConfig register a config for a provided type @@ -330,8 +330,10 @@ func DeleteSource(source *LoginSource) error { return ErrLoginSourceInUse{source.ID} } - if source.IsOAuth2() { - oauth2.RemoveProvider(source.Name) + if registerableSource, ok := source.Cfg.(RegisterableSource); ok { + if err := registerableSource.UnregisterSource(source); err != nil { + return err + } } _, err = x.ID(source.ID).Delete(new(LoginSource)) diff --git a/services/auth/source/oauth2/source_register.go b/services/auth/source/oauth2/source_register.go index cc901c2f5de34..538cdfd6c23b1 100644 --- a/services/auth/source/oauth2/source_register.go +++ b/services/auth/source/oauth2/source_register.go @@ -11,11 +11,16 @@ import ( // RegisterSource causes an OAuth2 configuration to be registered func (source *Source) RegisterSource(loginSource *models.LoginSource) error { - err := oauth2.RegisterProvider(loginSource.Name, source.Provider, source.ClientID, source.ClientSecret, source.OpenIDConnectAutoDiscoveryURL, source.CustomURLMapping) return wrapOpenIDConnectInitializeError(err, loginSource.Name, source) } +// UnregisterSource causes an OAuth2 configuration to be unregistered +func (source *Source) UnregisterSource(loginSource *models.LoginSource) error { + oauth2.RemoveProvider(loginSource.Name) + return nil +} + // wrapOpenIDConnectInitializeError is used to wrap the error but this cannot be done in modules/auth/oauth2 // inside oauth2: import cycle not allowed models -> modules/auth/oauth2 -> models func wrapOpenIDConnectInitializeError(err error, providerName string, oAuth2Config *Source) error { From 2a44869d9e1845389e756bab93cb1c69f7bf8f89 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 16:18:55 +0100 Subject: [PATCH 13/44] Remove modules/auth/oauth2 and begin clean up of oauth2 Signed-off-by: Andrew Thornton --- cmd/admin.go | 9 +- models/oauth2.go | 115 ------- models/oauth2_application.go | 77 ----- models/store.go | 16 + modules/auth/oauth2/oauth2.go | 299 ------------------ routers/init.go | 3 +- routers/web/admin/auths.go | 27 +- routers/web/user/auth.go | 10 +- routers/web/user/oauth.go | 14 +- routers/web/user/setting/security.go | 2 +- services/auth/oauth2.go | 5 +- services/auth/source/ldap/source.go | 1 + services/auth/source/oauth2/init.go | 83 +++++ .../auth/source}/oauth2/jwtsigningkey.go | 0 services/auth/source/oauth2/providers.go | 225 ++++++++++++- services/auth/source/oauth2/source.go | 4 +- .../auth/source/oauth2/source_authenticate.go | 43 +++ .../auth/source/oauth2/source_register.go | 5 +- services/auth/source/oauth2/token.go | 94 ++++++ services/auth/source/oauth2/urlmapping.go | 24 ++ services/auth/source/pam/source.go | 1 + services/auth/source/smtp/source.go | 1 + 22 files changed, 523 insertions(+), 535 deletions(-) create mode 100644 models/store.go delete mode 100644 modules/auth/oauth2/oauth2.go create mode 100644 services/auth/source/oauth2/init.go rename {modules/auth => services/auth/source}/oauth2/jwtsigningkey.go (100%) create mode 100644 services/auth/source/oauth2/source_authenticate.go create mode 100644 services/auth/source/oauth2/token.go create mode 100644 services/auth/source/oauth2/urlmapping.go diff --git a/cmd/admin.go b/cmd/admin.go index da04e181275d7..5a0da5cb8d97e 100644 --- a/cmd/admin.go +++ b/cmd/admin.go @@ -14,8 +14,7 @@ import ( "text/tabwriter" "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/oauth2" - oauth2Service "code.gitea.io/gitea/services/auth/source/oauth2" + "code.gitea.io/gitea/services/auth/source/oauth2" "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/graceful" @@ -599,7 +598,7 @@ func runRegenerateKeys(_ *cli.Context) error { return models.RewriteAllPublicKeys() } -func parseOAuth2Config(c *cli.Context) *oauth2Service.Source { +func parseOAuth2Config(c *cli.Context) *oauth2.Source { var customURLMapping *oauth2.CustomURLMapping if c.IsSet("use-custom-urls") { customURLMapping = &oauth2.CustomURLMapping{ @@ -611,7 +610,7 @@ func parseOAuth2Config(c *cli.Context) *oauth2Service.Source { } else { customURLMapping = nil } - return &oauth2Service.Source{ + return &oauth2.Source{ Provider: c.String("provider"), ClientID: c.String("key"), ClientSecret: c.String("secret"), @@ -648,7 +647,7 @@ func runUpdateOauth(c *cli.Context) error { return err } - oAuth2Config := source.Cfg.(*oauth2Service.Source) + oAuth2Config := source.Cfg.(*oauth2.Source) if c.IsSet("name") { source.Name = c.String("name") diff --git a/models/oauth2.go b/models/oauth2.go index e2e6f849bedcd..ad5761e525aa5 100644 --- a/models/oauth2.go +++ b/models/oauth2.go @@ -4,83 +4,6 @@ package models -import ( - "code.gitea.io/gitea/modules/auth/oauth2" - "code.gitea.io/gitea/modules/log" -) - -// OAuth2Provider describes the display values of a single OAuth2 provider -type OAuth2Provider struct { - Name string - DisplayName string - Image string - CustomURLMapping *oauth2.CustomURLMapping -} - -// OAuth2Providers contains the map of registered OAuth2 providers in Gitea (based on goth) -// key is used to map the OAuth2Provider with the goth provider type (also in LoginSource.OAuth2Config.Provider) -// value is used to store display data -var OAuth2Providers = map[string]OAuth2Provider{ - "bitbucket": {Name: "bitbucket", DisplayName: "Bitbucket", Image: "/assets/img/auth/bitbucket.png"}, - "dropbox": {Name: "dropbox", DisplayName: "Dropbox", Image: "/assets/img/auth/dropbox.png"}, - "facebook": {Name: "facebook", DisplayName: "Facebook", Image: "/assets/img/auth/facebook.png"}, - "github": { - Name: "github", DisplayName: "GitHub", Image: "/assets/img/auth/github.png", - CustomURLMapping: &oauth2.CustomURLMapping{ - TokenURL: oauth2.GetDefaultTokenURL("github"), - AuthURL: oauth2.GetDefaultAuthURL("github"), - ProfileURL: oauth2.GetDefaultProfileURL("github"), - EmailURL: oauth2.GetDefaultEmailURL("github"), - }, - }, - "gitlab": { - Name: "gitlab", DisplayName: "GitLab", Image: "/assets/img/auth/gitlab.png", - CustomURLMapping: &oauth2.CustomURLMapping{ - TokenURL: oauth2.GetDefaultTokenURL("gitlab"), - AuthURL: oauth2.GetDefaultAuthURL("gitlab"), - ProfileURL: oauth2.GetDefaultProfileURL("gitlab"), - }, - }, - "gplus": {Name: "gplus", DisplayName: "Google", Image: "/assets/img/auth/google.png"}, - "openidConnect": {Name: "openidConnect", DisplayName: "OpenID Connect", Image: "/assets/img/auth/openid_connect.svg"}, - "twitter": {Name: "twitter", DisplayName: "Twitter", Image: "/assets/img/auth/twitter.png"}, - "discord": {Name: "discord", DisplayName: "Discord", Image: "/assets/img/auth/discord.png"}, - "gitea": { - Name: "gitea", DisplayName: "Gitea", Image: "/assets/img/auth/gitea.png", - CustomURLMapping: &oauth2.CustomURLMapping{ - TokenURL: oauth2.GetDefaultTokenURL("gitea"), - AuthURL: oauth2.GetDefaultAuthURL("gitea"), - ProfileURL: oauth2.GetDefaultProfileURL("gitea"), - }, - }, - "nextcloud": { - Name: "nextcloud", DisplayName: "Nextcloud", Image: "/assets/img/auth/nextcloud.png", - CustomURLMapping: &oauth2.CustomURLMapping{ - TokenURL: oauth2.GetDefaultTokenURL("nextcloud"), - AuthURL: oauth2.GetDefaultAuthURL("nextcloud"), - ProfileURL: oauth2.GetDefaultProfileURL("nextcloud"), - }, - }, - "yandex": {Name: "yandex", DisplayName: "Yandex", Image: "/assets/img/auth/yandex.png"}, - "mastodon": { - Name: "mastodon", DisplayName: "Mastodon", Image: "/assets/img/auth/mastodon.png", - CustomURLMapping: &oauth2.CustomURLMapping{ - AuthURL: oauth2.GetDefaultAuthURL("mastodon"), - }, - }, -} - -// OAuth2DefaultCustomURLMappings contains the map of default URL's for OAuth2 providers that are allowed to have custom urls -// key is used to map the OAuth2Provider -// value is the mapping as defined for the OAuth2Provider -var OAuth2DefaultCustomURLMappings = map[string]*oauth2.CustomURLMapping{ - "github": OAuth2Providers["github"].CustomURLMapping, - "gitlab": OAuth2Providers["gitlab"].CustomURLMapping, - "gitea": OAuth2Providers["gitea"].CustomURLMapping, - "nextcloud": OAuth2Providers["nextcloud"].CustomURLMapping, - "mastodon": OAuth2Providers["mastodon"].CustomURLMapping, -} - // GetActiveOAuth2ProviderLoginSources returns all actived LoginOAuth2 sources func GetActiveOAuth2ProviderLoginSources() ([]*LoginSource, error) { sources := make([]*LoginSource, 0, 1) @@ -100,41 +23,3 @@ func GetActiveOAuth2LoginSourceByName(name string) (*LoginSource, error) { return loginSource, nil } - -// InitOAuth2 initialize the OAuth2 lib and register all active OAuth2 providers in the library -func InitOAuth2() error { - if err := oauth2.InitSigningKey(); err != nil { - return err - } - if err := oauth2.Init(x); err != nil { - return err - } - return initOAuth2LoginSources() -} - -// ResetOAuth2 clears existing OAuth2 providers and loads them from DB -func ResetOAuth2() error { - oauth2.ClearProviders() - return initOAuth2LoginSources() -} - -// initOAuth2LoginSources is used to load and register all active OAuth2 providers -func initOAuth2LoginSources() error { - loginSources, _ := GetActiveOAuth2ProviderLoginSources() - for _, source := range loginSources { - registerableSource, ok := source.Cfg.(RegisterableSource) - if !ok { - continue - } - err := registerableSource.RegisterSource(source) - if err != nil { - log.Critical("Unable to register source: %s due to Error: %v. This source will be disabled.", source.Name, err) - source.IsActived = false - if err = UpdateSource(source); err != nil { - log.Critical("Unable to update source %s to disable it. Error: %v", err) - return err - } - } - } - return nil -} diff --git a/models/oauth2_application.go b/models/oauth2_application.go index 3509dba54e2f8..b2e12cc3732fe 100644 --- a/models/oauth2_application.go +++ b/models/oauth2_application.go @@ -10,14 +10,11 @@ import ( "fmt" "net/url" "strings" - "time" - "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/util" - "github.com/dgrijalva/jwt-go" uuid "github.com/google/uuid" "golang.org/x/crypto/bcrypt" "xorm.io/xorm" @@ -516,77 +513,3 @@ func revokeOAuth2Grant(e Engine, grantID, userID int64) error { _, err := e.Delete(&OAuth2Grant{ID: grantID, UserID: userID}) return err } - -////////////////////////////////////////////////////////////// - -// OAuth2TokenType represents the type of token for an oauth application -type OAuth2TokenType int - -const ( - // TypeAccessToken is a token with short lifetime to access the api - TypeAccessToken OAuth2TokenType = 0 - // TypeRefreshToken is token with long lifetime to refresh access tokens obtained by the client - TypeRefreshToken = iota -) - -// OAuth2Token represents a JWT token used to authenticate a client -type OAuth2Token struct { - GrantID int64 `json:"gnt"` - Type OAuth2TokenType `json:"tt"` - Counter int64 `json:"cnt,omitempty"` - jwt.StandardClaims -} - -// ParseOAuth2Token parses a singed jwt string -func ParseOAuth2Token(jwtToken string) (*OAuth2Token, error) { - parsedToken, err := jwt.ParseWithClaims(jwtToken, &OAuth2Token{}, func(token *jwt.Token) (interface{}, error) { - if token.Method == nil || token.Method.Alg() != oauth2.DefaultSigningKey.SigningMethod().Alg() { - return nil, fmt.Errorf("unexpected signing algo: %v", token.Header["alg"]) - } - return oauth2.DefaultSigningKey.VerifyKey(), nil - }) - if err != nil { - return nil, err - } - var token *OAuth2Token - var ok bool - if token, ok = parsedToken.Claims.(*OAuth2Token); !ok || !parsedToken.Valid { - return nil, fmt.Errorf("invalid token") - } - return token, nil -} - -// SignToken signs the token with the JWT secret -func (token *OAuth2Token) SignToken() (string, error) { - token.IssuedAt = time.Now().Unix() - jwtToken := jwt.NewWithClaims(oauth2.DefaultSigningKey.SigningMethod(), token) - oauth2.DefaultSigningKey.PreProcessToken(jwtToken) - return jwtToken.SignedString(oauth2.DefaultSigningKey.SignKey()) -} - -// OIDCToken represents an OpenID Connect id_token -type OIDCToken struct { - jwt.StandardClaims - Nonce string `json:"nonce,omitempty"` - - // Scope profile - Name string `json:"name,omitempty"` - PreferredUsername string `json:"preferred_username,omitempty"` - Profile string `json:"profile,omitempty"` - Picture string `json:"picture,omitempty"` - Website string `json:"website,omitempty"` - Locale string `json:"locale,omitempty"` - UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"` - - // Scope email - Email string `json:"email,omitempty"` - EmailVerified bool `json:"email_verified,omitempty"` -} - -// SignToken signs an id_token with the (symmetric) client secret key -func (token *OIDCToken) SignToken(signingKey oauth2.JWTSigningKey) (string, error) { - token.IssuedAt = time.Now().Unix() - jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token) - signingKey.PreProcessToken(jwtToken) - return jwtToken.SignedString(signingKey.SignKey()) -} diff --git a/models/store.go b/models/store.go new file mode 100644 index 0000000000000..e8eba28fb6151 --- /dev/null +++ b/models/store.go @@ -0,0 +1,16 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package models + +import "github.com/lafriks/xormstore" + +// CreateStore creates a xormstore for the provided table and key +func CreateStore(table, key string) (*xormstore.Store, error) { + store, err := xormstore.NewOptions(x, xormstore.Options{ + TableName: table, + }, []byte(key)) + + return store, err +} diff --git a/modules/auth/oauth2/oauth2.go b/modules/auth/oauth2/oauth2.go deleted file mode 100644 index 5d152e0a5588a..0000000000000 --- a/modules/auth/oauth2/oauth2.go +++ /dev/null @@ -1,299 +0,0 @@ -// Copyright 2017 The Gitea Authors. All rights reserved. -// Use of this source code is governed by a MIT-style -// license that can be found in the LICENSE file. - -package oauth2 - -import ( - "net/http" - "net/url" - - "code.gitea.io/gitea/modules/log" - "code.gitea.io/gitea/modules/setting" - - uuid "github.com/google/uuid" - "github.com/lafriks/xormstore" - "github.com/markbates/goth" - "github.com/markbates/goth/gothic" - "github.com/markbates/goth/providers/bitbucket" - "github.com/markbates/goth/providers/discord" - "github.com/markbates/goth/providers/dropbox" - "github.com/markbates/goth/providers/facebook" - "github.com/markbates/goth/providers/gitea" - "github.com/markbates/goth/providers/github" - "github.com/markbates/goth/providers/gitlab" - "github.com/markbates/goth/providers/google" - "github.com/markbates/goth/providers/mastodon" - "github.com/markbates/goth/providers/nextcloud" - "github.com/markbates/goth/providers/openidConnect" - "github.com/markbates/goth/providers/twitter" - "github.com/markbates/goth/providers/yandex" - "xorm.io/xorm" -) - -var ( - sessionUsersStoreKey = "gitea-oauth2-sessions" - providerHeaderKey = "gitea-oauth2-provider" -) - -// CustomURLMapping describes the urls values to use when customizing OAuth2 provider URLs -type CustomURLMapping struct { - AuthURL string - TokenURL string - ProfileURL string - EmailURL string -} - -// Init initialize the setup of the OAuth2 library -func Init(x *xorm.Engine) error { - store, err := xormstore.NewOptions(x, xormstore.Options{ - TableName: "oauth2_session", - }, []byte(sessionUsersStoreKey)) - - if err != nil { - return err - } - // according to the Goth lib: - // set the maxLength of the cookies stored on the disk to a larger number to prevent issues with: - // securecookie: the value is too long - // when using OpenID Connect , since this can contain a large amount of extra information in the id_token - - // Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk - store.MaxLength(setting.OAuth2.MaxTokenLength) - gothic.Store = store - - gothic.SetState = func(req *http.Request) string { - return uuid.New().String() - } - - gothic.GetProviderName = func(req *http.Request) (string, error) { - return req.Header.Get(providerHeaderKey), nil - } - - return nil -} - -// Auth OAuth2 auth service -func Auth(provider string, request *http.Request, response http.ResponseWriter) error { - // not sure if goth is thread safe (?) when using multiple providers - request.Header.Set(providerHeaderKey, provider) - - // don't use the default gothic begin handler to prevent issues when some error occurs - // normally the gothic library will write some custom stuff to the response instead of our own nice error page - //gothic.BeginAuthHandler(response, request) - - url, err := gothic.GetAuthURL(response, request) - if err == nil { - http.Redirect(response, request, url, http.StatusTemporaryRedirect) - } - return err -} - -// ProviderCallback handles OAuth callback, resolve to a goth user and send back to original url -// this will trigger a new authentication request, but because we save it in the session we can use that -func ProviderCallback(provider string, request *http.Request, response http.ResponseWriter) (goth.User, error) { - // not sure if goth is thread safe (?) when using multiple providers - request.Header.Set(providerHeaderKey, provider) - - user, err := gothic.CompleteUserAuth(response, request) - if err != nil { - return user, err - } - - return user, nil -} - -// RegisterProvider register a OAuth2 provider in goth lib -func RegisterProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) error { - provider, err := createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL, customURLMapping) - - if err == nil && provider != nil { - goth.UseProviders(provider) - } - - return err -} - -// RemoveProvider removes the given OAuth2 provider from the goth lib -func RemoveProvider(providerName string) { - delete(goth.GetProviders(), providerName) -} - -// ClearProviders clears all OAuth2 providers from the goth lib -func ClearProviders() { - goth.ClearProviders() -} - -// used to create different types of goth providers -func createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) (goth.Provider, error) { - callbackURL := setting.AppURL + "user/oauth2/" + url.PathEscape(providerName) + "/callback" - - var provider goth.Provider - var err error - - switch providerType { - case "bitbucket": - provider = bitbucket.New(clientID, clientSecret, callbackURL, "account") - case "dropbox": - provider = dropbox.New(clientID, clientSecret, callbackURL) - case "facebook": - provider = facebook.New(clientID, clientSecret, callbackURL, "email") - case "github": - authURL := github.AuthURL - tokenURL := github.TokenURL - profileURL := github.ProfileURL - emailURL := github.EmailURL - if customURLMapping != nil { - if len(customURLMapping.AuthURL) > 0 { - authURL = customURLMapping.AuthURL - } - if len(customURLMapping.TokenURL) > 0 { - tokenURL = customURLMapping.TokenURL - } - if len(customURLMapping.ProfileURL) > 0 { - profileURL = customURLMapping.ProfileURL - } - if len(customURLMapping.EmailURL) > 0 { - emailURL = customURLMapping.EmailURL - } - } - scopes := []string{} - if setting.OAuth2Client.EnableAutoRegistration { - scopes = append(scopes, "user:email") - } - provider = github.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, emailURL, scopes...) - case "gitlab": - authURL := gitlab.AuthURL - tokenURL := gitlab.TokenURL - profileURL := gitlab.ProfileURL - if customURLMapping != nil { - if len(customURLMapping.AuthURL) > 0 { - authURL = customURLMapping.AuthURL - } - if len(customURLMapping.TokenURL) > 0 { - tokenURL = customURLMapping.TokenURL - } - if len(customURLMapping.ProfileURL) > 0 { - profileURL = customURLMapping.ProfileURL - } - } - provider = gitlab.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, "read_user") - case "gplus": // named gplus due to legacy gplus -> google migration (Google killed Google+). This ensures old connections still work - scopes := []string{"email"} - if setting.OAuth2Client.UpdateAvatar || setting.OAuth2Client.EnableAutoRegistration { - scopes = append(scopes, "profile") - } - provider = google.New(clientID, clientSecret, callbackURL, scopes...) - case "openidConnect": - if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL, setting.OAuth2Client.OpenIDConnectScopes...); err != nil { - log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, openIDConnectAutoDiscoveryURL, err) - } - case "twitter": - provider = twitter.NewAuthenticate(clientID, clientSecret, callbackURL) - case "discord": - provider = discord.New(clientID, clientSecret, callbackURL, discord.ScopeIdentify, discord.ScopeEmail) - case "gitea": - authURL := gitea.AuthURL - tokenURL := gitea.TokenURL - profileURL := gitea.ProfileURL - if customURLMapping != nil { - if len(customURLMapping.AuthURL) > 0 { - authURL = customURLMapping.AuthURL - } - if len(customURLMapping.TokenURL) > 0 { - tokenURL = customURLMapping.TokenURL - } - if len(customURLMapping.ProfileURL) > 0 { - profileURL = customURLMapping.ProfileURL - } - } - provider = gitea.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL) - case "nextcloud": - authURL := nextcloud.AuthURL - tokenURL := nextcloud.TokenURL - profileURL := nextcloud.ProfileURL - if customURLMapping != nil { - if len(customURLMapping.AuthURL) > 0 { - authURL = customURLMapping.AuthURL - } - if len(customURLMapping.TokenURL) > 0 { - tokenURL = customURLMapping.TokenURL - } - if len(customURLMapping.ProfileURL) > 0 { - profileURL = customURLMapping.ProfileURL - } - } - provider = nextcloud.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL) - case "yandex": - // See https://tech.yandex.com/passport/doc/dg/reference/response-docpage/ - provider = yandex.New(clientID, clientSecret, callbackURL, "login:email", "login:info", "login:avatar") - case "mastodon": - instanceURL := mastodon.InstanceURL - if customURLMapping != nil && len(customURLMapping.AuthURL) > 0 { - instanceURL = customURLMapping.AuthURL - } - provider = mastodon.NewCustomisedURL(clientID, clientSecret, callbackURL, instanceURL) - } - - // always set the name if provider is created so we can support multiple setups of 1 provider - if err == nil && provider != nil { - provider.SetName(providerName) - } - - return provider, err -} - -// GetDefaultTokenURL return the default token url for the given provider -func GetDefaultTokenURL(provider string) string { - switch provider { - case "github": - return github.TokenURL - case "gitlab": - return gitlab.TokenURL - case "gitea": - return gitea.TokenURL - case "nextcloud": - return nextcloud.TokenURL - } - return "" -} - -// GetDefaultAuthURL return the default authorize url for the given provider -func GetDefaultAuthURL(provider string) string { - switch provider { - case "github": - return github.AuthURL - case "gitlab": - return gitlab.AuthURL - case "gitea": - return gitea.AuthURL - case "nextcloud": - return nextcloud.AuthURL - case "mastodon": - return mastodon.InstanceURL - } - return "" -} - -// GetDefaultProfileURL return the default profile url for the given provider -func GetDefaultProfileURL(provider string) string { - switch provider { - case "github": - return github.ProfileURL - case "gitlab": - return gitlab.ProfileURL - case "gitea": - return gitea.ProfileURL - case "nextcloud": - return nextcloud.ProfileURL - } - return "" -} - -// GetDefaultEmailURL return the default email url for the given provider -func GetDefaultEmailURL(provider string) string { - if provider == "github" { - return github.EmailURL - } - return "" -} diff --git a/routers/init.go b/routers/init.go index 4c28a953955ba..a238271e3a4d1 100644 --- a/routers/init.go +++ b/routers/init.go @@ -34,6 +34,7 @@ import ( "code.gitea.io/gitea/routers/private" web_routers "code.gitea.io/gitea/routers/web" "code.gitea.io/gitea/services/auth" + "code.gitea.io/gitea/services/auth/source/oauth2" "code.gitea.io/gitea/services/mailer" mirror_service "code.gitea.io/gitea/services/mirror" pull_service "code.gitea.io/gitea/services/pull" @@ -102,7 +103,7 @@ func GlobalInit(ctx context.Context) { log.Fatal("ORM engine initialization failed: %v", err) } - if err := models.InitOAuth2(); err != nil { + if err := oauth2.Init(); err != nil { log.Fatal("Failed to initialize OAuth2 support: %v", err) } diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go index a8d3f7cd8801d..19c24ce251c3b 100644 --- a/routers/web/admin/auths.go +++ b/routers/web/admin/auths.go @@ -11,7 +11,6 @@ import ( "regexp" "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/auth/pam" "code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/context" @@ -20,7 +19,7 @@ import ( "code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/web" "code.gitea.io/gitea/services/auth/source/ldap" - oauth2Service "code.gitea.io/gitea/services/auth/source/oauth2" + "code.gitea.io/gitea/services/auth/source/oauth2" pamService "code.gitea.io/gitea/services/auth/source/pam" "code.gitea.io/gitea/services/auth/source/smtp" "code.gitea.io/gitea/services/auth/source/sspi" @@ -99,8 +98,8 @@ func NewAuthSource(ctx *context.Context) { ctx.Data["AuthSources"] = authSources ctx.Data["SecurityProtocols"] = securityProtocols ctx.Data["SMTPAuths"] = smtp.Authenticators - ctx.Data["OAuth2Providers"] = models.OAuth2Providers - ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings + ctx.Data["OAuth2Providers"] = oauth2.Providers + ctx.Data["OAuth2DefaultCustomURLMappings"] = oauth2.DefaultCustomURLMappings ctx.Data["SSPIAutoCreateUsers"] = true ctx.Data["SSPIAutoActivateUsers"] = true @@ -109,7 +108,7 @@ func NewAuthSource(ctx *context.Context) { ctx.Data["SSPIDefaultLanguage"] = "" // only the first as default - for key := range models.OAuth2Providers { + for key := range oauth2.Providers { ctx.Data["oauth2_provider"] = key break } @@ -163,7 +162,7 @@ func parseSMTPConfig(form forms.AuthenticationForm) *smtp.Source { } } -func parseOAuth2Config(form forms.AuthenticationForm) *oauth2Service.Source { +func parseOAuth2Config(form forms.AuthenticationForm) *oauth2.Source { var customURLMapping *oauth2.CustomURLMapping if form.Oauth2UseCustomURL { customURLMapping = &oauth2.CustomURLMapping{ @@ -175,7 +174,7 @@ func parseOAuth2Config(form forms.AuthenticationForm) *oauth2Service.Source { } else { customURLMapping = nil } - return &oauth2Service.Source{ + return &oauth2.Source{ Provider: form.Oauth2Provider, ClientID: form.Oauth2Key, ClientSecret: form.Oauth2Secret, @@ -221,8 +220,8 @@ func NewAuthSourcePost(ctx *context.Context) { ctx.Data["AuthSources"] = authSources ctx.Data["SecurityProtocols"] = securityProtocols ctx.Data["SMTPAuths"] = smtp.Authenticators - ctx.Data["OAuth2Providers"] = models.OAuth2Providers - ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings + ctx.Data["OAuth2Providers"] = oauth2.Providers + ctx.Data["OAuth2DefaultCustomURLMappings"] = oauth2.DefaultCustomURLMappings ctx.Data["SSPIAutoCreateUsers"] = true ctx.Data["SSPIAutoActivateUsers"] = true @@ -300,8 +299,8 @@ func EditAuthSource(ctx *context.Context) { ctx.Data["SecurityProtocols"] = securityProtocols ctx.Data["SMTPAuths"] = smtp.Authenticators - ctx.Data["OAuth2Providers"] = models.OAuth2Providers - ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings + ctx.Data["OAuth2Providers"] = oauth2.Providers + ctx.Data["OAuth2DefaultCustomURLMappings"] = oauth2.DefaultCustomURLMappings source, err := models.GetLoginSourceByID(ctx.ParamsInt64(":authid")) if err != nil { @@ -312,7 +311,7 @@ func EditAuthSource(ctx *context.Context) { ctx.Data["HasTLS"] = source.HasTLS() if source.IsOAuth2() { - ctx.Data["CurrentOAuth2Provider"] = models.OAuth2Providers[source.Cfg.(*oauth2Service.Source).Provider] + ctx.Data["CurrentOAuth2Provider"] = oauth2.Providers[source.Cfg.(*oauth2.Source).Provider] } ctx.HTML(http.StatusOK, tplAuthEdit) } @@ -325,8 +324,8 @@ func EditAuthSourcePost(ctx *context.Context) { ctx.Data["PageIsAdminAuthentications"] = true ctx.Data["SMTPAuths"] = smtp.Authenticators - ctx.Data["OAuth2Providers"] = models.OAuth2Providers - ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings + ctx.Data["OAuth2Providers"] = oauth2.Providers + ctx.Data["OAuth2DefaultCustomURLMappings"] = oauth2.DefaultCustomURLMappings source, err := models.GetLoginSourceByID(ctx.ParamsInt64(":authid")) if err != nil { diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go index 5034347bb4178..723424046b1e6 100644 --- a/routers/web/user/auth.go +++ b/routers/web/user/auth.go @@ -14,7 +14,6 @@ import ( "strings" "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/eventsource" @@ -579,13 +578,13 @@ func SignInOAuth(ctx *context.Context) { return } - if err = oauth2.Auth(loginSource.Name, ctx.Req, ctx.Resp); err != nil { + if err = loginSource.Cfg.(*oauth2Service.Source).Authenticate(loginSource, ctx.Req, ctx.Resp); err != nil { if strings.Contains(err.Error(), "no provider for ") { - if err = models.ResetOAuth2(); err != nil { + if err = oauth2Service.ResetOAuth2(); err != nil { ctx.ServerError("SignIn", err) return } - if err = oauth2.Auth(loginSource.Name, ctx.Req, ctx.Resp); err != nil { + if err = loginSource.Cfg.(*oauth2Service.Source).Authenticate(loginSource, ctx.Req, ctx.Resp); err != nil { ctx.ServerError("SignIn", err) } return @@ -774,8 +773,7 @@ func handleOAuth2SignIn(ctx *context.Context, u *models.User, gothUser goth.User // OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful // login the user func oAuth2UserLoginCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (*models.User, goth.User, error) { - gothUser, err := oauth2.ProviderCallback(loginSource.Name, request, response) - + gothUser, err := loginSource.Cfg.(*oauth2Service.Source).ProviderCallback(loginSource, request, response) if err != nil { if err.Error() == "securecookie: the value is too long" { log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", loginSource.Name, setting.OAuth2.MaxTokenLength) diff --git a/routers/web/user/oauth.go b/routers/web/user/oauth.go index 72295b4447c28..7e108f6e7830d 100644 --- a/routers/web/user/oauth.go +++ b/routers/web/user/oauth.go @@ -13,7 +13,6 @@ import ( "strings" "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/oauth2" "code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/log" @@ -21,6 +20,7 @@ import ( "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/web" "code.gitea.io/gitea/services/auth" + "code.gitea.io/gitea/services/auth/source/oauth2" "code.gitea.io/gitea/services/forms" "gitea.com/go-chi/binding" @@ -144,9 +144,9 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSign } // generate access token to access the API expirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime) - accessToken := &models.OAuth2Token{ + accessToken := &oauth2.Token{ GrantID: grant.ID, - Type: models.TypeAccessToken, + Type: oauth2.TypeAccessToken, StandardClaims: jwt.StandardClaims{ ExpiresAt: expirationDate.AsTime().Unix(), }, @@ -161,10 +161,10 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSign // generate refresh token to request an access token after it expired later refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix() - refreshToken := &models.OAuth2Token{ + refreshToken := &oauth2.Token{ GrantID: grant.ID, Counter: grant.Counter, - Type: models.TypeRefreshToken, + Type: oauth2.TypeRefreshToken, StandardClaims: jwt.StandardClaims{ ExpiresAt: refreshExpirationDate, }, @@ -202,7 +202,7 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, signingKey oauth2.JWTSign } } - idToken := &models.OIDCToken{ + idToken := &oauth2.OIDCToken{ StandardClaims: jwt.StandardClaims{ ExpiresAt: expirationDate.AsTime().Unix(), Issuer: setting.AppURL, @@ -568,7 +568,7 @@ func AccessTokenOAuth(ctx *context.Context) { } func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, signingKey oauth2.JWTSigningKey) { - token, err := models.ParseOAuth2Token(form.RefreshToken) + token, err := oauth2.ParseToken(form.RefreshToken) if err != nil { handleAccessTokenError(ctx, AccessTokenError{ ErrorCode: AccessTokenErrorCodeUnauthorizedClient, diff --git a/routers/web/user/setting/security.go b/routers/web/user/setting/security.go index d1c61a9a4c4f2..dd5d2a20ccccc 100644 --- a/routers/web/user/setting/security.go +++ b/routers/web/user/setting/security.go @@ -94,7 +94,7 @@ func loadSecurityData(ctx *context.Context) { var providerDisplayName string if loginSource.IsOAuth2() { providerTechnicalName := loginSource.Cfg.(*oauth2.Source).Provider - providerDisplayName = models.OAuth2Providers[providerTechnicalName].DisplayName + providerDisplayName = oauth2.Providers[providerTechnicalName].DisplayName } else { providerDisplayName = loginSource.Name } diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go index e9f4c69e8886d..b6b922de7a4d6 100644 --- a/services/auth/oauth2.go +++ b/services/auth/oauth2.go @@ -14,6 +14,7 @@ import ( "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/web/middleware" + "code.gitea.io/gitea/services/auth/source/oauth2" ) // Ensure the struct implements the interface. @@ -27,7 +28,7 @@ func CheckOAuthAccessToken(accessToken string) int64 { if !strings.Contains(accessToken, ".") { return 0 } - token, err := models.ParseOAuth2Token(accessToken) + token, err := oauth2.ParseToken(accessToken) if err != nil { log.Trace("ParseOAuth2Token: %v", err) return 0 @@ -36,7 +37,7 @@ func CheckOAuthAccessToken(accessToken string) int64 { if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil { return 0 } - if token.Type != models.TypeAccessToken { + if token.Type != oauth2.TypeAccessToken { return 0 } if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() { diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go index fc6a62708fe56..4fd218cbe949c 100644 --- a/services/auth/source/ldap/source.go +++ b/services/auth/source/ldap/source.go @@ -10,6 +10,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/setting" + jsoniter "github.com/json-iterator/go" ) diff --git a/services/auth/source/oauth2/init.go b/services/auth/source/oauth2/init.go new file mode 100644 index 0000000000000..15d16a623c80a --- /dev/null +++ b/services/auth/source/oauth2/init.go @@ -0,0 +1,83 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2 + +import ( + "net/http" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/setting" + + "github.com/google/uuid" + "github.com/markbates/goth/gothic" +) + +// SessionTableName is the table name that OAuth2 will use to store things +const SessionTableName = "oauth2_session" + +// UsersStoreKey is the key for the store +const UsersStoreKey = "gitea-oauth2-sessions" + +// ProviderHeaderKey is the HTTP header key +const ProviderHeaderKey = "gitea-oauth2-provider" + +// Init initializes the oauth source +func Init() error { + if err := InitSigningKey(); err != nil { + return err + } + + store, err := models.CreateStore(SessionTableName, UsersStoreKey) + if err != nil { + return err + } + + // according to the Goth lib: + // set the maxLength of the cookies stored on the disk to a larger number to prevent issues with: + // securecookie: the value is too long + // when using OpenID Connect , since this can contain a large amount of extra information in the id_token + + // Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk + store.MaxLength(setting.OAuth2.MaxTokenLength) + gothic.Store = store + + gothic.SetState = func(req *http.Request) string { + return uuid.New().String() + } + + gothic.GetProviderName = func(req *http.Request) (string, error) { + return req.Header.Get(ProviderHeaderKey), nil + } + + return initOAuth2LoginSources() +} + +// ResetOAuth2 clears existing OAuth2 providers and loads them from DB +func ResetOAuth2() error { + ClearProviders() + return initOAuth2LoginSources() +} + +// initOAuth2LoginSources is used to load and register all active OAuth2 providers +func initOAuth2LoginSources() error { + loginSources, _ := models.GetActiveOAuth2ProviderLoginSources() + for _, source := range loginSources { + oauth2Source, ok := source.Cfg.(*Source) + if !ok { + continue + } + err := oauth2Source.RegisterSource(source) + if err != nil { + log.Critical("Unable to register source: %s due to Error: %v. This source will be disabled.", source.Name, err) + source.IsActived = false + if err = models.UpdateSource(source); err != nil { + log.Critical("Unable to update source %s to disable it. Error: %v", err) + return err + } + } + } + return nil +} diff --git a/modules/auth/oauth2/jwtsigningkey.go b/services/auth/source/oauth2/jwtsigningkey.go similarity index 100% rename from modules/auth/oauth2/jwtsigningkey.go rename to services/auth/source/oauth2/jwtsigningkey.go diff --git a/services/auth/source/oauth2/providers.go b/services/auth/source/oauth2/providers.go index 69340cd09567a..bf97f8002aa34 100644 --- a/services/auth/source/oauth2/providers.go +++ b/services/auth/source/oauth2/providers.go @@ -5,15 +5,94 @@ package oauth2 import ( + "net/url" "sort" "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/setting" + + "github.com/markbates/goth" + "github.com/markbates/goth/providers/bitbucket" + "github.com/markbates/goth/providers/discord" + "github.com/markbates/goth/providers/dropbox" + "github.com/markbates/goth/providers/facebook" + "github.com/markbates/goth/providers/gitea" + "github.com/markbates/goth/providers/github" + "github.com/markbates/goth/providers/gitlab" + "github.com/markbates/goth/providers/google" + "github.com/markbates/goth/providers/mastodon" + "github.com/markbates/goth/providers/nextcloud" + "github.com/markbates/goth/providers/openidConnect" + "github.com/markbates/goth/providers/twitter" + "github.com/markbates/goth/providers/yandex" ) +// Provider describes the display values of a single OAuth2 provider +type Provider struct { + Name string + DisplayName string + Image string + CustomURLMapping *CustomURLMapping +} + +// Providers contains the map of registered OAuth2 providers in Gitea (based on goth) +// key is used to map the OAuth2Provider with the goth provider type (also in LoginSource.OAuth2Config.Provider) +// value is used to store display data +var Providers = map[string]Provider{ + "bitbucket": {Name: "bitbucket", DisplayName: "Bitbucket", Image: "/assets/img/auth/bitbucket.png"}, + "dropbox": {Name: "dropbox", DisplayName: "Dropbox", Image: "/assets/img/auth/dropbox.png"}, + "facebook": {Name: "facebook", DisplayName: "Facebook", Image: "/assets/img/auth/facebook.png"}, + "github": { + Name: "github", DisplayName: "GitHub", Image: "/assets/img/auth/github.png", + CustomURLMapping: &CustomURLMapping{ + TokenURL: github.TokenURL, + AuthURL: github.AuthURL, + ProfileURL: github.ProfileURL, + EmailURL: github.EmailURL, + }, + }, + "gitlab": { + Name: "gitlab", DisplayName: "GitLab", Image: "/assets/img/auth/gitlab.png", + CustomURLMapping: &CustomURLMapping{ + TokenURL: gitlab.TokenURL, + AuthURL: gitlab.AuthURL, + ProfileURL: gitlab.ProfileURL, + }, + }, + "gplus": {Name: "gplus", DisplayName: "Google", Image: "/assets/img/auth/google.png"}, + "openidConnect": {Name: "openidConnect", DisplayName: "OpenID Connect", Image: "/assets/img/auth/openid_connect.svg"}, + "twitter": {Name: "twitter", DisplayName: "Twitter", Image: "/assets/img/auth/twitter.png"}, + "discord": {Name: "discord", DisplayName: "Discord", Image: "/assets/img/auth/discord.png"}, + "gitea": { + Name: "gitea", DisplayName: "Gitea", Image: "/assets/img/auth/gitea.png", + CustomURLMapping: &CustomURLMapping{ + TokenURL: gitea.TokenURL, + AuthURL: gitea.AuthURL, + ProfileURL: gitea.ProfileURL, + }, + }, + "nextcloud": { + Name: "nextcloud", DisplayName: "Nextcloud", Image: "/assets/img/auth/nextcloud.png", + CustomURLMapping: &CustomURLMapping{ + TokenURL: nextcloud.TokenURL, + AuthURL: nextcloud.AuthURL, + ProfileURL: nextcloud.ProfileURL, + }, + }, + "yandex": {Name: "yandex", DisplayName: "Yandex", Image: "/assets/img/auth/yandex.png"}, + "mastodon": { + Name: "mastodon", DisplayName: "Mastodon", Image: "/assets/img/auth/mastodon.png", + CustomURLMapping: &CustomURLMapping{ + AuthURL: mastodon.InstanceURL, + }, + }, +} + // GetActiveOAuth2Providers returns the map of configured active OAuth2 providers // key is used as technical name (like in the callbackURL) // values to display -func GetActiveOAuth2Providers() ([]string, map[string]models.OAuth2Provider, error) { +func GetActiveOAuth2Providers() ([]string, map[string]Provider, error) { // Maybe also separate used and unused providers so we can force the registration of only 1 active provider for each type loginSources, err := models.GetActiveOAuth2ProviderLoginSources() @@ -22,9 +101,9 @@ func GetActiveOAuth2Providers() ([]string, map[string]models.OAuth2Provider, err } var orderedKeys []string - providers := make(map[string]models.OAuth2Provider) + providers := make(map[string]Provider) for _, source := range loginSources { - prov := models.OAuth2Providers[source.Cfg.(*Source).Provider] + prov := Providers[source.Cfg.(*Source).Provider] if source.Cfg.(*Source).IconURL != "" { prov.Image = source.Cfg.(*Source).IconURL } @@ -36,3 +115,143 @@ func GetActiveOAuth2Providers() ([]string, map[string]models.OAuth2Provider, err return orderedKeys, providers, nil } + +// RegisterProvider register a OAuth2 provider in goth lib +func RegisterProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) error { + provider, err := createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL, customURLMapping) + + if err == nil && provider != nil { + goth.UseProviders(provider) + } + + return err +} + +// RemoveProvider removes the given OAuth2 provider from the goth lib +func RemoveProvider(providerName string) { + delete(goth.GetProviders(), providerName) +} + +// ClearProviders clears all OAuth2 providers from the goth lib +func ClearProviders() { + goth.ClearProviders() +} + +// used to create different types of goth providers +func createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) (goth.Provider, error) { + callbackURL := setting.AppURL + "user/oauth2/" + url.PathEscape(providerName) + "/callback" + + var provider goth.Provider + var err error + + switch providerType { + case "bitbucket": + provider = bitbucket.New(clientID, clientSecret, callbackURL, "account") + case "dropbox": + provider = dropbox.New(clientID, clientSecret, callbackURL) + case "facebook": + provider = facebook.New(clientID, clientSecret, callbackURL, "email") + case "github": + authURL := github.AuthURL + tokenURL := github.TokenURL + profileURL := github.ProfileURL + emailURL := github.EmailURL + if customURLMapping != nil { + if len(customURLMapping.AuthURL) > 0 { + authURL = customURLMapping.AuthURL + } + if len(customURLMapping.TokenURL) > 0 { + tokenURL = customURLMapping.TokenURL + } + if len(customURLMapping.ProfileURL) > 0 { + profileURL = customURLMapping.ProfileURL + } + if len(customURLMapping.EmailURL) > 0 { + emailURL = customURLMapping.EmailURL + } + } + scopes := []string{} + if setting.OAuth2Client.EnableAutoRegistration { + scopes = append(scopes, "user:email") + } + provider = github.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, emailURL, scopes...) + case "gitlab": + authURL := gitlab.AuthURL + tokenURL := gitlab.TokenURL + profileURL := gitlab.ProfileURL + if customURLMapping != nil { + if len(customURLMapping.AuthURL) > 0 { + authURL = customURLMapping.AuthURL + } + if len(customURLMapping.TokenURL) > 0 { + tokenURL = customURLMapping.TokenURL + } + if len(customURLMapping.ProfileURL) > 0 { + profileURL = customURLMapping.ProfileURL + } + } + provider = gitlab.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, "read_user") + case "gplus": // named gplus due to legacy gplus -> google migration (Google killed Google+). This ensures old connections still work + scopes := []string{"email"} + if setting.OAuth2Client.UpdateAvatar || setting.OAuth2Client.EnableAutoRegistration { + scopes = append(scopes, "profile") + } + provider = google.New(clientID, clientSecret, callbackURL, scopes...) + case "openidConnect": + if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL, setting.OAuth2Client.OpenIDConnectScopes...); err != nil { + log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, openIDConnectAutoDiscoveryURL, err) + } + case "twitter": + provider = twitter.NewAuthenticate(clientID, clientSecret, callbackURL) + case "discord": + provider = discord.New(clientID, clientSecret, callbackURL, discord.ScopeIdentify, discord.ScopeEmail) + case "gitea": + authURL := gitea.AuthURL + tokenURL := gitea.TokenURL + profileURL := gitea.ProfileURL + if customURLMapping != nil { + if len(customURLMapping.AuthURL) > 0 { + authURL = customURLMapping.AuthURL + } + if len(customURLMapping.TokenURL) > 0 { + tokenURL = customURLMapping.TokenURL + } + if len(customURLMapping.ProfileURL) > 0 { + profileURL = customURLMapping.ProfileURL + } + } + provider = gitea.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL) + case "nextcloud": + authURL := nextcloud.AuthURL + tokenURL := nextcloud.TokenURL + profileURL := nextcloud.ProfileURL + if customURLMapping != nil { + if len(customURLMapping.AuthURL) > 0 { + authURL = customURLMapping.AuthURL + } + if len(customURLMapping.TokenURL) > 0 { + tokenURL = customURLMapping.TokenURL + } + if len(customURLMapping.ProfileURL) > 0 { + profileURL = customURLMapping.ProfileURL + } + } + provider = nextcloud.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL) + case "yandex": + // See https://tech.yandex.com/passport/doc/dg/reference/response-docpage/ + provider = yandex.New(clientID, clientSecret, callbackURL, "login:email", "login:info", "login:avatar") + case "mastodon": + instanceURL := mastodon.InstanceURL + if customURLMapping != nil && len(customURLMapping.AuthURL) > 0 { + instanceURL = customURLMapping.AuthURL + } + provider = mastodon.NewCustomisedURL(clientID, clientSecret, callbackURL, instanceURL) + } + + // always set the name if provider is created so we can support multiple setups of 1 provider + if err == nil && provider != nil { + provider.SetName(providerName) + } + + return provider, err +} diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go index 81e899244a4c9..3a5c221c366d7 100644 --- a/services/auth/source/oauth2/source.go +++ b/services/auth/source/oauth2/source.go @@ -6,7 +6,7 @@ package oauth2 import ( "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/oauth2" + jsoniter "github.com/json-iterator/go" ) @@ -23,7 +23,7 @@ type Source struct { ClientID string ClientSecret string OpenIDConnectAutoDiscoveryURL string - CustomURLMapping *oauth2.CustomURLMapping + CustomURLMapping *CustomURLMapping IconURL string } diff --git a/services/auth/source/oauth2/source_authenticate.go b/services/auth/source/oauth2/source_authenticate.go new file mode 100644 index 0000000000000..fa775d9d3d539 --- /dev/null +++ b/services/auth/source/oauth2/source_authenticate.go @@ -0,0 +1,43 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2 + +import ( + "net/http" + + "code.gitea.io/gitea/models" + "github.com/markbates/goth" + "github.com/markbates/goth/gothic" +) + +// Authenticate takes a provided loginSource and the request/response pair to authenticate against the provider +func (source *Source) Authenticate(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) error { + // not sure if goth is thread safe (?) when using multiple providers + request.Header.Set(ProviderHeaderKey, loginSource.Name) + + // don't use the default gothic begin handler to prevent issues when some error occurs + // normally the gothic library will write some custom stuff to the response instead of our own nice error page + //gothic.BeginAuthHandler(response, request) + + url, err := gothic.GetAuthURL(response, request) + if err == nil { + http.Redirect(response, request, url, http.StatusTemporaryRedirect) + } + return err +} + +// ProviderCallback handles OAuth callback, resolve to a goth user and send back to original url +// this will trigger a new authentication request, but because we save it in the session we can use that +func (source *Source) ProviderCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (goth.User, error) { + // not sure if goth is thread safe (?) when using multiple providers + request.Header.Set(ProviderHeaderKey, loginSource.Name) + + user, err := gothic.CompleteUserAuth(response, request) + if err != nil { + return user, err + } + + return user, nil +} diff --git a/services/auth/source/oauth2/source_register.go b/services/auth/source/oauth2/source_register.go index 538cdfd6c23b1..6df1abc63cb96 100644 --- a/services/auth/source/oauth2/source_register.go +++ b/services/auth/source/oauth2/source_register.go @@ -6,18 +6,17 @@ package oauth2 import ( "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/auth/oauth2" ) // RegisterSource causes an OAuth2 configuration to be registered func (source *Source) RegisterSource(loginSource *models.LoginSource) error { - err := oauth2.RegisterProvider(loginSource.Name, source.Provider, source.ClientID, source.ClientSecret, source.OpenIDConnectAutoDiscoveryURL, source.CustomURLMapping) + err := RegisterProvider(loginSource.Name, source.Provider, source.ClientID, source.ClientSecret, source.OpenIDConnectAutoDiscoveryURL, source.CustomURLMapping) return wrapOpenIDConnectInitializeError(err, loginSource.Name, source) } // UnregisterSource causes an OAuth2 configuration to be unregistered func (source *Source) UnregisterSource(loginSource *models.LoginSource) error { - oauth2.RemoveProvider(loginSource.Name) + RemoveProvider(loginSource.Name) return nil } diff --git a/services/auth/source/oauth2/token.go b/services/auth/source/oauth2/token.go new file mode 100644 index 0000000000000..e2ac8b9ca5dd1 --- /dev/null +++ b/services/auth/source/oauth2/token.go @@ -0,0 +1,94 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2 + +import ( + "fmt" + "time" + + "code.gitea.io/gitea/modules/timeutil" + "github.com/dgrijalva/jwt-go" +) + +// ___________ __ +// \__ ___/___ | | __ ____ ____ +// | | / _ \| |/ // __ \ / \ +// | |( <_> ) <\ ___/| | \ +// |____| \____/|__|_ \\___ >___| / +// \/ \/ \/ + +// Token represents an Oauth grant + +// TokenType represents the type of token for an oauth application +type TokenType int + +const ( + // TypeAccessToken is a token with short lifetime to access the api + TypeAccessToken TokenType = 0 + // TypeRefreshToken is token with long lifetime to refresh access tokens obtained by the client + TypeRefreshToken = iota +) + +// Token represents a JWT token used to authenticate a client +type Token struct { + GrantID int64 `json:"gnt"` + Type TokenType `json:"tt"` + Counter int64 `json:"cnt,omitempty"` + jwt.StandardClaims +} + +// ParseToken parses a singed jwt string +func ParseToken(jwtToken string) (*Token, error) { + parsedToken, err := jwt.ParseWithClaims(jwtToken, &Token{}, func(token *jwt.Token) (interface{}, error) { + if token.Method == nil || token.Method.Alg() != DefaultSigningKey.SigningMethod().Alg() { + return nil, fmt.Errorf("unexpected signing algo: %v", token.Header["alg"]) + } + return DefaultSigningKey.VerifyKey(), nil + }) + if err != nil { + return nil, err + } + var token *Token + var ok bool + if token, ok = parsedToken.Claims.(*Token); !ok || !parsedToken.Valid { + return nil, fmt.Errorf("invalid token") + } + return token, nil +} + +// SignToken signs the token with the JWT secret +func (token *Token) SignToken() (string, error) { + token.IssuedAt = time.Now().Unix() + jwtToken := jwt.NewWithClaims(DefaultSigningKey.SigningMethod(), token) + DefaultSigningKey.PreProcessToken(jwtToken) + return jwtToken.SignedString(DefaultSigningKey.SignKey()) +} + +// OIDCToken represents an OpenID Connect id_token +type OIDCToken struct { + jwt.StandardClaims + Nonce string `json:"nonce,omitempty"` + + // Scope profile + Name string `json:"name,omitempty"` + PreferredUsername string `json:"preferred_username,omitempty"` + Profile string `json:"profile,omitempty"` + Picture string `json:"picture,omitempty"` + Website string `json:"website,omitempty"` + Locale string `json:"locale,omitempty"` + UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"` + + // Scope email + Email string `json:"email,omitempty"` + EmailVerified bool `json:"email_verified,omitempty"` +} + +// SignToken signs an id_token with the (symmetric) client secret key +func (token *OIDCToken) SignToken(signingKey JWTSigningKey) (string, error) { + token.IssuedAt = time.Now().Unix() + jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token) + signingKey.PreProcessToken(jwtToken) + return jwtToken.SignedString(signingKey.SignKey()) +} diff --git a/services/auth/source/oauth2/urlmapping.go b/services/auth/source/oauth2/urlmapping.go new file mode 100644 index 0000000000000..68829fba2167f --- /dev/null +++ b/services/auth/source/oauth2/urlmapping.go @@ -0,0 +1,24 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2 + +// CustomURLMapping describes the urls values to use when customizing OAuth2 provider URLs +type CustomURLMapping struct { + AuthURL string + TokenURL string + ProfileURL string + EmailURL string +} + +// DefaultCustomURLMappings contains the map of default URL's for OAuth2 providers that are allowed to have custom urls +// key is used to map the OAuth2Provider +// value is the mapping as defined for the OAuth2Provider +var DefaultCustomURLMappings = map[string]*CustomURLMapping{ + "github": Providers["github"].CustomURLMapping, + "gitlab": Providers["gitlab"].CustomURLMapping, + "gitea": Providers["gitea"].CustomURLMapping, + "nextcloud": Providers["nextcloud"].CustomURLMapping, + "mastodon": Providers["mastodon"].CustomURLMapping, +} diff --git a/services/auth/source/pam/source.go b/services/auth/source/pam/source.go index f6b098e562af3..f47ea9fb18d07 100644 --- a/services/auth/source/pam/source.go +++ b/services/auth/source/pam/source.go @@ -6,6 +6,7 @@ package pam import ( "code.gitea.io/gitea/models" + jsoniter "github.com/json-iterator/go" ) diff --git a/services/auth/source/smtp/source.go b/services/auth/source/smtp/source.go index 77f2b73cd9d99..b3aabe6f2793c 100644 --- a/services/auth/source/smtp/source.go +++ b/services/auth/source/smtp/source.go @@ -6,6 +6,7 @@ package smtp import ( "code.gitea.io/gitea/models" + jsoniter "github.com/json-iterator/go" ) From 743692a1b5df73fc1a7737aeff3f72c14582e0b5 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 17:20:17 +0100 Subject: [PATCH 14/44] fixup! Extract out login-sources from models --- services/auth/source/db/{login.go => authenticate.go} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename services/auth/source/db/{login.go => authenticate.go} (100%) diff --git a/services/auth/source/db/login.go b/services/auth/source/db/authenticate.go similarity index 100% rename from services/auth/source/db/login.go rename to services/auth/source/db/authenticate.go From 5ceec6653e23f1e98887205a3b143d039d642b58 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 17:20:52 +0100 Subject: [PATCH 15/44] fixup! Extract out login-sources from models --- services/auth/interface.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/auth/interface.go b/services/auth/interface.go index 0488a8b716356..41a28d1a7119a 100644 --- a/services/auth/interface.go +++ b/services/auth/interface.go @@ -39,8 +39,8 @@ type Method interface { Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User } -// Authenticator represents a source of authentication -type Authenticator interface { +// PasswordAuthenticator represents a source of authentication +type PasswordAuthenticator interface { Authenticate(user *models.User, login, password string, source *models.LoginSource) (*models.User, error) } From 7c47d46a056d25cc87489a82b3c4ccbf37e2f164 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 17:21:36 +0100 Subject: [PATCH 16/44] fixup! Extract out login-sources from models --- services/auth/signin.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/auth/signin.go b/services/auth/signin.go index 22529a4b9e5fa..521b7c01d4dad 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -62,7 +62,7 @@ func UserSignIn(username, password string) (*models.User, error) { return nil, models.ErrLoginSourceNotActived } - authenticator, ok := source.Cfg.(Authenticator) + authenticator, ok := source.Cfg.(PasswordAuthenticator) if !ok { return nil, models.ErrUnsupportedLoginType @@ -94,7 +94,7 @@ func UserSignIn(username, password string) (*models.User, error) { continue } - authenticator, ok := source.Cfg.(Authenticator) + authenticator, ok := source.Cfg.(PasswordAuthenticator) if !ok { continue } From ee3871d9bc2de24927155a20d36d56543ece05e9 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 17:21:59 +0100 Subject: [PATCH 17/44] fixup! Remove modules/auth/oauth2 and begin clean up of oauth2 --- routers/web/user/auth.go | 16 ++++++++-------- .../auth/source/oauth2/source_authenticate.go | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go index 723424046b1e6..8210dc280a7c5 100644 --- a/routers/web/user/auth.go +++ b/routers/web/user/auth.go @@ -27,7 +27,7 @@ import ( "code.gitea.io/gitea/modules/web/middleware" "code.gitea.io/gitea/routers/utils" "code.gitea.io/gitea/services/auth" - oauth2Service "code.gitea.io/gitea/services/auth/source/oauth2" + "code.gitea.io/gitea/services/auth/source/oauth2" "code.gitea.io/gitea/services/externalaccount" "code.gitea.io/gitea/services/forms" "code.gitea.io/gitea/services/mailer" @@ -136,7 +136,7 @@ func SignIn(ctx *context.Context) { return } - orderedOAuth2Names, oauth2Providers, err := oauth2Service.GetActiveOAuth2Providers() + orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers() if err != nil { ctx.ServerError("UserSignIn", err) return @@ -156,7 +156,7 @@ func SignIn(ctx *context.Context) { func SignInPost(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("sign_in") - orderedOAuth2Names, oauth2Providers, err := oauth2Service.GetActiveOAuth2Providers() + orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers() if err != nil { ctx.ServerError("UserSignIn", err) return @@ -578,13 +578,13 @@ func SignInOAuth(ctx *context.Context) { return } - if err = loginSource.Cfg.(*oauth2Service.Source).Authenticate(loginSource, ctx.Req, ctx.Resp); err != nil { + if err = loginSource.Cfg.(*oauth2.Source).ProviderAuthenticate(loginSource, ctx.Req, ctx.Resp); err != nil { if strings.Contains(err.Error(), "no provider for ") { - if err = oauth2Service.ResetOAuth2(); err != nil { + if err = oauth2.ResetOAuth2(); err != nil { ctx.ServerError("SignIn", err) return } - if err = loginSource.Cfg.(*oauth2Service.Source).Authenticate(loginSource, ctx.Req, ctx.Resp); err != nil { + if err = loginSource.Cfg.(*oauth2.Source).ProviderAuthenticate(loginSource, ctx.Req, ctx.Resp); err != nil { ctx.ServerError("SignIn", err) } return @@ -632,7 +632,7 @@ func SignInOAuthCallback(ctx *context.Context) { } if len(missingFields) > 0 { log.Error("OAuth2 Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields) - if loginSource.IsOAuth2() && loginSource.Cfg.(*oauth2Service.Source).Provider == "openidConnect" { + if loginSource.IsOAuth2() && loginSource.Cfg.(*oauth2.Source).Provider == "openidConnect" { log.Error("You may need to change the 'OPENID_CONNECT_SCOPES' setting to request all required fields") } err = fmt.Errorf("OAuth2 Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields) @@ -773,7 +773,7 @@ func handleOAuth2SignIn(ctx *context.Context, u *models.User, gothUser goth.User // OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful // login the user func oAuth2UserLoginCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (*models.User, goth.User, error) { - gothUser, err := loginSource.Cfg.(*oauth2Service.Source).ProviderCallback(loginSource, request, response) + gothUser, err := loginSource.Cfg.(*oauth2.Source).ProviderCallback(loginSource, request, response) if err != nil { if err.Error() == "securecookie: the value is too long" { log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", loginSource.Name, setting.OAuth2.MaxTokenLength) diff --git a/services/auth/source/oauth2/source_authenticate.go b/services/auth/source/oauth2/source_authenticate.go index fa775d9d3d539..c08cdce1ecdc9 100644 --- a/services/auth/source/oauth2/source_authenticate.go +++ b/services/auth/source/oauth2/source_authenticate.go @@ -12,8 +12,8 @@ import ( "github.com/markbates/goth/gothic" ) -// Authenticate takes a provided loginSource and the request/response pair to authenticate against the provider -func (source *Source) Authenticate(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) error { +// ProviderAuthenticate takes a provided loginSource and the request/response pair to authenticate against the provider +func (source *Source) ProviderAuthenticate(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) error { // not sure if goth is thread safe (?) when using multiple providers request.Header.Set(ProviderHeaderKey, loginSource.Name) From 9b36de83920cb21201bdfc0bb631dbb7d8b5e6be Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 17:59:33 +0100 Subject: [PATCH 18/44] minor cleanups Signed-off-by: Andrew Thornton --- models/login_source.go | 29 ++++++++++--------- .../auth/source/oauth2/source_register.go | 6 ++-- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/models/login_source.go b/models/login_source.go index fa5b23fbedc3d..69d90849814a5 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -78,11 +78,22 @@ type RegisterableSource interface { } // RegisterLoginTypeConfig register a config for a provided type -func RegisterLoginTypeConfig(typ LoginType, config LoginConfig) { - registeredLoginConfigs[typ] = config +func RegisterLoginTypeConfig(typ LoginType, exemplar LoginConfig) { + if reflect.TypeOf(exemplar).Kind() == reflect.Ptr { + // Pointer: + registeredLoginConfigs[typ] = func() LoginConfig { + return reflect.New(reflect.ValueOf(exemplar).Elem().Type()).Interface().(LoginConfig) + } + return + } + + // Not a Pointer + registeredLoginConfigs[typ] = func() LoginConfig { + return reflect.New(reflect.TypeOf(exemplar)).Elem().Interface().(LoginConfig) + } } -var registeredLoginConfigs = map[LoginType]LoginConfig{} +var registeredLoginConfigs = map[LoginType]func() LoginConfig{} // LoginSource represents an external way for authorizing users. type LoginSource struct { @@ -114,19 +125,11 @@ func Cell2Int64(val xorm.Cell) int64 { func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) { if colName == "type" { typ := LoginType(Cell2Int64(val)) - exemplar, ok := registeredLoginConfigs[typ] + constructor, ok := registeredLoginConfigs[typ] if !ok { return } - - if reflect.TypeOf(exemplar).Kind() == reflect.Ptr { - // Pointer: - source.Cfg = reflect.New(reflect.ValueOf(exemplar).Elem().Type()).Interface().(convert.Conversion) - return - } - - // Not pointer: - source.Cfg = reflect.New(reflect.TypeOf(exemplar)).Elem().Interface().(convert.Conversion) + source.Cfg = constructor() } } diff --git a/services/auth/source/oauth2/source_register.go b/services/auth/source/oauth2/source_register.go index 6df1abc63cb96..0d346a51ae929 100644 --- a/services/auth/source/oauth2/source_register.go +++ b/services/auth/source/oauth2/source_register.go @@ -22,9 +22,9 @@ func (source *Source) UnregisterSource(loginSource *models.LoginSource) error { // wrapOpenIDConnectInitializeError is used to wrap the error but this cannot be done in modules/auth/oauth2 // inside oauth2: import cycle not allowed models -> modules/auth/oauth2 -> models -func wrapOpenIDConnectInitializeError(err error, providerName string, oAuth2Config *Source) error { - if err != nil && oAuth2Config.Provider == "openidConnect" { - err = models.ErrOpenIDConnectInitialize{ProviderName: providerName, OpenIDConnectAutoDiscoveryURL: oAuth2Config.OpenIDConnectAutoDiscoveryURL, Cause: err} +func wrapOpenIDConnectInitializeError(err error, providerName string, source *Source) error { + if err != nil && source.Provider == "openidConnect" { + err = models.ErrOpenIDConnectInitialize{ProviderName: providerName, OpenIDConnectAutoDiscoveryURL: source.OpenIDConnectAutoDiscoveryURL, Cause: err} } return err } From 8173d671f92cb53d0d15579dd461a78947270199 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 20 Jun 2021 19:53:42 +0100 Subject: [PATCH 19/44] Simplify login source functions Signed-off-by: Andrew Thornton --- models/login_source.go | 18 +++++--- routers/web/user/auth.go | 6 +-- services/auth/interface.go | 4 +- services/auth/signin.go | 4 +- .../auth/source/ldap/assert_interface_test.go | 24 +++++++++++ services/auth/source/ldap/source.go | 8 ++++ .../auth/source/ldap/source_authenticate.go | 12 +++--- services/auth/source/ldap/source_sync.go | 42 +++++++++---------- .../source/oauth2/assert_interface_test.go | 18 ++++++++ services/auth/source/oauth2/init.go | 2 +- services/auth/source/oauth2/source.go | 8 ++++ .../auth/source/oauth2/source_authenticate.go | 11 +++-- .../auth/source/oauth2/source_register.go | 10 ++--- .../auth/source/pam/assert_interface_test.go | 19 +++++++++ services/auth/source/pam/source.go | 8 ++++ .../auth/source/pam/source_authenticate.go | 4 +- .../auth/source/smtp/assert_interface_test.go | 22 ++++++++++ services/auth/source/smtp/source.go | 8 ++++ .../auth/source/smtp/source_authenticate.go | 4 +- .../auth/source/sspi/assert_interface_test.go | 16 +++++++ services/auth/sync.go | 2 +- 21 files changed, 194 insertions(+), 56 deletions(-) create mode 100644 services/auth/source/ldap/assert_interface_test.go create mode 100644 services/auth/source/oauth2/assert_interface_test.go create mode 100644 services/auth/source/pam/assert_interface_test.go create mode 100644 services/auth/source/smtp/assert_interface_test.go create mode 100644 services/auth/source/sspi/assert_interface_test.go diff --git a/models/login_source.go b/models/login_source.go index 69d90849814a5..c8dd160fcaa84 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -73,8 +73,13 @@ type SSHKeyProvider interface { // RegisterableSource configurations provide RegisterSource which needs to be run on creation type RegisterableSource interface { - RegisterSource(*LoginSource) error - UnregisterSource(*LoginSource) error + RegisterSource() error + UnregisterSource() error +} + +// LoginSourceSettable configurations can have their loginSource set on them +type LoginSourceSettable interface { + SetLoginSource(*LoginSource) } // RegisterLoginTypeConfig register a config for a provided type @@ -130,6 +135,9 @@ func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) { return } source.Cfg = constructor() + if settable, ok := source.Cfg.(LoginSourceSettable); ok { + settable.SetLoginSource(source) + } } } @@ -215,7 +223,7 @@ func CreateLoginSource(source *LoginSource) error { return nil } - err = registerableSource.RegisterSource(source) + err = registerableSource.RegisterSource() if err != nil { // remove the LoginSource in case of errors while registering configuration if _, err := x.Delete(source); err != nil { @@ -307,7 +315,7 @@ func UpdateSource(source *LoginSource) error { return nil } - err = registerableSource.RegisterSource(source) + err = registerableSource.RegisterSource() if err != nil { // restore original values since we cannot update the provider it self if _, err := x.ID(source.ID).AllCols().Update(originalLoginSource); err != nil { @@ -334,7 +342,7 @@ func DeleteSource(source *LoginSource) error { } if registerableSource, ok := source.Cfg.(RegisterableSource); ok { - if err := registerableSource.UnregisterSource(source); err != nil { + if err := registerableSource.UnregisterSource(); err != nil { return err } } diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go index 8210dc280a7c5..ebe5128754b57 100644 --- a/routers/web/user/auth.go +++ b/routers/web/user/auth.go @@ -578,13 +578,13 @@ func SignInOAuth(ctx *context.Context) { return } - if err = loginSource.Cfg.(*oauth2.Source).ProviderAuthenticate(loginSource, ctx.Req, ctx.Resp); err != nil { + if err = loginSource.Cfg.(*oauth2.Source).ProviderAuthenticate(ctx.Req, ctx.Resp); err != nil { if strings.Contains(err.Error(), "no provider for ") { if err = oauth2.ResetOAuth2(); err != nil { ctx.ServerError("SignIn", err) return } - if err = loginSource.Cfg.(*oauth2.Source).ProviderAuthenticate(loginSource, ctx.Req, ctx.Resp); err != nil { + if err = loginSource.Cfg.(*oauth2.Source).ProviderAuthenticate(ctx.Req, ctx.Resp); err != nil { ctx.ServerError("SignIn", err) } return @@ -773,7 +773,7 @@ func handleOAuth2SignIn(ctx *context.Context, u *models.User, gothUser goth.User // OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful // login the user func oAuth2UserLoginCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (*models.User, goth.User, error) { - gothUser, err := loginSource.Cfg.(*oauth2.Source).ProviderCallback(loginSource, request, response) + gothUser, err := loginSource.Cfg.(*oauth2.Source).ProviderCallback(request, response) if err != nil { if err.Error() == "securecookie: the value is too long" { log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", loginSource.Name, setting.OAuth2.MaxTokenLength) diff --git a/services/auth/interface.go b/services/auth/interface.go index 41a28d1a7119a..44effb1d0ae0f 100644 --- a/services/auth/interface.go +++ b/services/auth/interface.go @@ -41,10 +41,10 @@ type Method interface { // PasswordAuthenticator represents a source of authentication type PasswordAuthenticator interface { - Authenticate(user *models.User, login, password string, source *models.LoginSource) (*models.User, error) + Authenticate(user *models.User, login, password string) (*models.User, error) } // SynchronizableSource represents a source that can synchronize users type SynchronizableSource interface { - Sync(ctx context.Context, updateExisting bool, source *models.LoginSource) error + Sync(ctx context.Context, updateExisting bool) error } diff --git a/services/auth/signin.go b/services/auth/signin.go index 521b7c01d4dad..3a78136786805 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -68,7 +68,7 @@ func UserSignIn(username, password string) (*models.User, error) { } - user, err := authenticator.Authenticate(nil, username, password, source) + user, err := authenticator.Authenticate(nil, username, password) if err != nil { return nil, err } @@ -99,7 +99,7 @@ func UserSignIn(username, password string) (*models.User, error) { continue } - authUser, err := authenticator.Authenticate(nil, username, password, source) + authUser, err := authenticator.Authenticate(nil, username, password) if err == nil { if !user.ProhibitLogin { diff --git a/services/auth/source/ldap/assert_interface_test.go b/services/auth/source/ldap/assert_interface_test.go new file mode 100644 index 0000000000000..2b57ca0fa733b --- /dev/null +++ b/services/auth/source/ldap/assert_interface_test.go @@ -0,0 +1,24 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package ldap_test + +import ( + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/services/auth" + "code.gitea.io/gitea/services/auth/source/ldap" +) + +type sourceInterface interface { + auth.PasswordAuthenticator + auth.SynchronizableSource + models.SSHKeyProvider + models.LoginConfig + models.SkipVerifiable + models.HasTLSer + models.UseTLSer + models.LoginSourceSettable +} + +var _ (sourceInterface) = &ldap.Source{} diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go index 4fd218cbe949c..80ed3e75e6e51 100644 --- a/services/auth/source/ldap/source.go +++ b/services/auth/source/ldap/source.go @@ -53,6 +53,9 @@ type Source struct { GroupFilter string // Group Name Filter GroupMemberUID string // Group Attribute containing array of UserUID UserUID string // User Attribute listed in Group + + // reference to the loginSource + loginSource *models.LoginSource } // wrappedSource wraps the source to ensure that the FromDB/ToDB results are the same as previously @@ -120,6 +123,11 @@ func (source *Source) ProvidesSSHKeys() bool { return len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0 } +// SetLoginSource sets the related LoginSource +func (source *Source) SetLoginSource(loginSource *models.LoginSource) { + source.loginSource = loginSource +} + func init() { models.RegisterLoginTypeConfig(models.LoginLDAP, &Source{}) models.RegisterLoginTypeConfig(models.LoginDLDAP, &Source{}) diff --git a/services/auth/source/ldap/source_authenticate.go b/services/auth/source/ldap/source_authenticate.go index 29325c2e83226..1d5e69539bc21 100644 --- a/services/auth/source/ldap/source_authenticate.go +++ b/services/auth/source/ldap/source_authenticate.go @@ -13,8 +13,8 @@ import ( // Authenticate queries if login/password is valid against the LDAP directory pool, // and create a local user if success when enabled. -func (source *Source) Authenticate(user *models.User, login, password string, loginSource *models.LoginSource) (*models.User, error) { - sr := source.SearchEntry(login, password, loginSource.Type == models.LoginDLDAP) +func (source *Source) Authenticate(user *models.User, login, password string) (*models.User, error) { + sr := source.SearchEntry(login, password, source.loginSource.Type == models.LoginDLDAP) if sr == nil { // User not in LDAP, do nothing return nil, models.ErrUserNotExist{Name: login} @@ -54,7 +54,7 @@ func (source *Source) Authenticate(user *models.User, login, password string, lo } if user != nil { - if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(user, loginSource, sr.SSHPublicKey) { + if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(user, source.loginSource, sr.SSHPublicKey) { return user, models.RewriteAllPublicKeys() } @@ -75,8 +75,8 @@ func (source *Source) Authenticate(user *models.User, login, password string, lo Name: sr.Username, FullName: composeFullName(sr.Name, sr.Surname, sr.Username), Email: sr.Mail, - LoginType: loginSource.Type, - LoginSource: loginSource.ID, + LoginType: source.loginSource.Type, + LoginSource: source.loginSource.ID, LoginName: login, IsActive: true, IsAdmin: sr.IsAdmin, @@ -85,7 +85,7 @@ func (source *Source) Authenticate(user *models.User, login, password string, lo err := models.CreateUser(user) - if err == nil && isAttributeSSHPublicKeySet && models.AddPublicKeysBySource(user, loginSource, sr.SSHPublicKey) { + if err == nil && isAttributeSSHPublicKeySet && models.AddPublicKeysBySource(user, source.loginSource, sr.SSHPublicKey) { err = models.RewriteAllPublicKeys() } diff --git a/services/auth/source/ldap/source_sync.go b/services/auth/source/ldap/source_sync.go index a91269bc09ea4..7e4088e571738 100644 --- a/services/auth/source/ldap/source_sync.go +++ b/services/auth/source/ldap/source_sync.go @@ -14,29 +14,29 @@ import ( ) // Sync causes this ldap source to synchronize its users with the db -func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.LoginSource) error { - log.Trace("Doing: SyncExternalUsers[%s]", s.Name) +func (source *Source) Sync(ctx context.Context, updateExisting bool) error { + log.Trace("Doing: SyncExternalUsers[%s]", source.loginSource.Name) var existingUsers []int64 isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0 var sshKeysNeedUpdate bool // Find all users with this login type - FIXME: Should this be an iterator? - users, err := models.GetUsersBySource(s) + users, err := models.GetUsersBySource(source.loginSource) if err != nil { log.Error("SyncExternalUsers: %v", err) return err } select { case <-ctx.Done(): - log.Warn("SyncExternalUsers: Cancelled before update of %s", s.Name) - return models.ErrCancelledf("Before update of %s", s.Name) + log.Warn("SyncExternalUsers: Cancelled before update of %s", source.loginSource.Name) + return models.ErrCancelledf("Before update of %s", source.loginSource.Name) default: } sr, err := source.SearchEntries() if err != nil { - log.Error("SyncExternalUsers LDAP source failure [%s], skipped", s.Name) + log.Error("SyncExternalUsers LDAP source failure [%s], skipped", source.loginSource.Name) return nil } @@ -51,7 +51,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.L for _, su := range sr { select { case <-ctx.Done(): - log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", s.Name) + log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", source.loginSource.Name) // Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed if sshKeysNeedUpdate { err = models.RewriteAllPublicKeys() @@ -59,7 +59,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.L log.Error("RewriteAllPublicKeys: %v", err) } } - return models.ErrCancelledf("During update of %s before completed update of users", s.Name) + return models.ErrCancelledf("During update of %s before completed update of users", source.loginSource.Name) default: } if len(su.Username) == 0 { @@ -82,14 +82,14 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.L fullName := composeFullName(su.Name, su.Surname, su.Username) // If no existing user found, create one if usr == nil { - log.Trace("SyncExternalUsers[%s]: Creating user %s", s.Name, su.Username) + log.Trace("SyncExternalUsers[%s]: Creating user %s", source.loginSource.Name, su.Username) usr = &models.User{ LowerName: strings.ToLower(su.Username), Name: su.Username, FullName: fullName, - LoginType: s.Type, - LoginSource: s.ID, + LoginType: source.loginSource.Type, + LoginSource: source.loginSource.ID, LoginName: su.Username, Email: su.Mail, IsAdmin: su.IsAdmin, @@ -100,10 +100,10 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.L err = models.CreateUser(usr) if err != nil { - log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", s.Name, su.Username, err) + log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.loginSource.Name, su.Username, err) } else if isAttributeSSHPublicKeySet { - log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", s.Name, usr.Name) - if models.AddPublicKeysBySource(usr, s, su.SSHPublicKey) { + log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.loginSource.Name, usr.Name) + if models.AddPublicKeysBySource(usr, source.loginSource, su.SSHPublicKey) { sshKeysNeedUpdate = true } } @@ -111,7 +111,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.L existingUsers = append(existingUsers, usr.ID) // Synchronize SSH Public Key if that attribute is set - if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(usr, s, su.SSHPublicKey) { + if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(usr, source.loginSource, su.SSHPublicKey) { sshKeysNeedUpdate = true } @@ -122,7 +122,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.L usr.FullName != fullName || !usr.IsActive { - log.Trace("SyncExternalUsers[%s]: Updating user %s", s.Name, usr.Name) + log.Trace("SyncExternalUsers[%s]: Updating user %s", source.loginSource.Name, usr.Name) usr.FullName = fullName usr.Email = su.Mail @@ -138,7 +138,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.L err = models.UpdateUserCols(usr, "full_name", "email", "is_admin", "is_restricted", "is_active") if err != nil { - log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", s.Name, usr.Name, err) + log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.loginSource.Name, usr.Name, err) } } } @@ -154,8 +154,8 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.L select { case <-ctx.Done(): - log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", s.Name) - return models.ErrCancelledf("During update of %s before delete users", s.Name) + log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", source.loginSource.Name) + return models.ErrCancelledf("During update of %s before delete users", source.loginSource.Name) default: } @@ -170,12 +170,12 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool, s *models.L } } if !found { - log.Trace("SyncExternalUsers[%s]: Deactivating user %s", s.Name, usr.Name) + log.Trace("SyncExternalUsers[%s]: Deactivating user %s", source.loginSource.Name, usr.Name) usr.IsActive = false err = models.UpdateUserCols(usr, "is_active") if err != nil { - log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", s.Name, usr.Name, err) + log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", source.loginSource.Name, usr.Name, err) } } } diff --git a/services/auth/source/oauth2/assert_interface_test.go b/services/auth/source/oauth2/assert_interface_test.go new file mode 100644 index 0000000000000..3ad18dbdb791a --- /dev/null +++ b/services/auth/source/oauth2/assert_interface_test.go @@ -0,0 +1,18 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2_test + +import ( + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/services/auth/source/oauth2" +) + +type sourceInterface interface { + models.LoginConfig + models.LoginSourceSettable + models.RegisterableSource +} + +var _ (sourceInterface) = &oauth2.Source{} diff --git a/services/auth/source/oauth2/init.go b/services/auth/source/oauth2/init.go index 15d16a623c80a..f602e6725afb3 100644 --- a/services/auth/source/oauth2/init.go +++ b/services/auth/source/oauth2/init.go @@ -69,7 +69,7 @@ func initOAuth2LoginSources() error { if !ok { continue } - err := oauth2Source.RegisterSource(source) + err := oauth2Source.RegisterSource() if err != nil { log.Critical("Unable to register source: %s due to Error: %v. This source will be disabled.", source.Name, err) source.IsActived = false diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go index 3a5c221c366d7..7780b5cc42638 100644 --- a/services/auth/source/oauth2/source.go +++ b/services/auth/source/oauth2/source.go @@ -25,6 +25,9 @@ type Source struct { OpenIDConnectAutoDiscoveryURL string CustomURLMapping *CustomURLMapping IconURL string + + // reference to the loginSource + loginSource *models.LoginSource } // FromDB fills up an OAuth2Config from serialized format. @@ -39,6 +42,11 @@ func (source *Source) ToDB() ([]byte, error) { return json.Marshal(source) } +// SetLoginSource sets the related LoginSource +func (source *Source) SetLoginSource(loginSource *models.LoginSource) { + source.loginSource = loginSource +} + func init() { models.RegisterLoginTypeConfig(models.LoginOAuth2, &Source{}) } diff --git a/services/auth/source/oauth2/source_authenticate.go b/services/auth/source/oauth2/source_authenticate.go index c08cdce1ecdc9..7f56a922a3f14 100644 --- a/services/auth/source/oauth2/source_authenticate.go +++ b/services/auth/source/oauth2/source_authenticate.go @@ -7,15 +7,14 @@ package oauth2 import ( "net/http" - "code.gitea.io/gitea/models" "github.com/markbates/goth" "github.com/markbates/goth/gothic" ) -// ProviderAuthenticate takes a provided loginSource and the request/response pair to authenticate against the provider -func (source *Source) ProviderAuthenticate(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) error { +// ProviderAuthenticate redirects request/response pair to authenticate against the provider +func (source *Source) ProviderAuthenticate(request *http.Request, response http.ResponseWriter) error { // not sure if goth is thread safe (?) when using multiple providers - request.Header.Set(ProviderHeaderKey, loginSource.Name) + request.Header.Set(ProviderHeaderKey, source.loginSource.Name) // don't use the default gothic begin handler to prevent issues when some error occurs // normally the gothic library will write some custom stuff to the response instead of our own nice error page @@ -30,9 +29,9 @@ func (source *Source) ProviderAuthenticate(loginSource *models.LoginSource, requ // ProviderCallback handles OAuth callback, resolve to a goth user and send back to original url // this will trigger a new authentication request, but because we save it in the session we can use that -func (source *Source) ProviderCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (goth.User, error) { +func (source *Source) ProviderCallback(request *http.Request, response http.ResponseWriter) (goth.User, error) { // not sure if goth is thread safe (?) when using multiple providers - request.Header.Set(ProviderHeaderKey, loginSource.Name) + request.Header.Set(ProviderHeaderKey, source.loginSource.Name) user, err := gothic.CompleteUserAuth(response, request) if err != nil { diff --git a/services/auth/source/oauth2/source_register.go b/services/auth/source/oauth2/source_register.go index 0d346a51ae929..b61cc3fe7948f 100644 --- a/services/auth/source/oauth2/source_register.go +++ b/services/auth/source/oauth2/source_register.go @@ -9,14 +9,14 @@ import ( ) // RegisterSource causes an OAuth2 configuration to be registered -func (source *Source) RegisterSource(loginSource *models.LoginSource) error { - err := RegisterProvider(loginSource.Name, source.Provider, source.ClientID, source.ClientSecret, source.OpenIDConnectAutoDiscoveryURL, source.CustomURLMapping) - return wrapOpenIDConnectInitializeError(err, loginSource.Name, source) +func (source *Source) RegisterSource() error { + err := RegisterProvider(source.loginSource.Name, source.Provider, source.ClientID, source.ClientSecret, source.OpenIDConnectAutoDiscoveryURL, source.CustomURLMapping) + return wrapOpenIDConnectInitializeError(err, source.loginSource.Name, source) } // UnregisterSource causes an OAuth2 configuration to be unregistered -func (source *Source) UnregisterSource(loginSource *models.LoginSource) error { - RemoveProvider(loginSource.Name) +func (source *Source) UnregisterSource() error { + RemoveProvider(source.loginSource.Name) return nil } diff --git a/services/auth/source/pam/assert_interface_test.go b/services/auth/source/pam/assert_interface_test.go new file mode 100644 index 0000000000000..e4371d282d570 --- /dev/null +++ b/services/auth/source/pam/assert_interface_test.go @@ -0,0 +1,19 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package pam_test + +import ( + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/services/auth" + "code.gitea.io/gitea/services/auth/source/pam" +) + +type sourceInterface interface { + auth.PasswordAuthenticator + models.LoginConfig + models.LoginSourceSettable +} + +var _ (sourceInterface) = &pam.Source{} diff --git a/services/auth/source/pam/source.go b/services/auth/source/pam/source.go index f47ea9fb18d07..124d61974af97 100644 --- a/services/auth/source/pam/source.go +++ b/services/auth/source/pam/source.go @@ -21,6 +21,9 @@ import ( type Source struct { ServiceName string // pam service (e.g. system-auth) EmailDomain string + + // reference to the loginSource + loginSource *models.LoginSource } // FromDB fills up a PAMConfig from serialized format. @@ -35,6 +38,11 @@ func (source *Source) ToDB() ([]byte, error) { return json.Marshal(source) } +// SetLoginSource sets the related LoginSource +func (source *Source) SetLoginSource(loginSource *models.LoginSource) { + source.loginSource = loginSource +} + func init() { models.RegisterLoginTypeConfig(models.LoginPAM, &Source{}) } diff --git a/services/auth/source/pam/source_authenticate.go b/services/auth/source/pam/source_authenticate.go index ae8ce1fba44f5..6ca06429041cf 100644 --- a/services/auth/source/pam/source_authenticate.go +++ b/services/auth/source/pam/source_authenticate.go @@ -17,7 +17,7 @@ import ( // Authenticate queries if login/password is valid against the PAM, // and create a local user if success when enabled. -func (source *Source) Authenticate(user *models.User, login, password string, loginSource *models.LoginSource) (*models.User, error) { +func (source *Source) Authenticate(user *models.User, login, password string) (*models.User, error) { pamLogin, err := pam.Auth(source.ServiceName, login, password) if err != nil { if strings.Contains(err.Error(), "Authentication failure") { @@ -54,7 +54,7 @@ func (source *Source) Authenticate(user *models.User, login, password string, lo Email: email, Passwd: password, LoginType: models.LoginPAM, - LoginSource: loginSource.ID, + LoginSource: source.loginSource.ID, LoginName: login, // This is what the user typed in IsActive: true, } diff --git a/services/auth/source/smtp/assert_interface_test.go b/services/auth/source/smtp/assert_interface_test.go new file mode 100644 index 0000000000000..261d0108f57c1 --- /dev/null +++ b/services/auth/source/smtp/assert_interface_test.go @@ -0,0 +1,22 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package smtp_test + +import ( + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/services/auth" + "code.gitea.io/gitea/services/auth/source/smtp" +) + +type sourceInterface interface { + auth.PasswordAuthenticator + models.LoginConfig + models.SkipVerifiable + models.HasTLSer + models.UseTLSer + models.LoginSourceSettable +} + +var _ (sourceInterface) = &smtp.Source{} diff --git a/services/auth/source/smtp/source.go b/services/auth/source/smtp/source.go index b3aabe6f2793c..104322dedc608 100644 --- a/services/auth/source/smtp/source.go +++ b/services/auth/source/smtp/source.go @@ -25,6 +25,9 @@ type Source struct { AllowedDomains string `xorm:"TEXT"` TLS bool SkipVerify bool + + // reference to the loginSource + loginSource *models.LoginSource } // FromDB fills up an SMTPConfig from serialized format. @@ -54,6 +57,11 @@ func (source *Source) UseTLS() bool { return source.TLS } +// SetLoginSource sets the related LoginSource +func (source *Source) SetLoginSource(loginSource *models.LoginSource) { + source.loginSource = loginSource +} + func init() { models.RegisterLoginTypeConfig(models.LoginSMTP, &Source{}) } diff --git a/services/auth/source/smtp/source_authenticate.go b/services/auth/source/smtp/source_authenticate.go index b29525d3f53c4..9bab86604bc7b 100644 --- a/services/auth/source/smtp/source_authenticate.go +++ b/services/auth/source/smtp/source_authenticate.go @@ -16,7 +16,7 @@ import ( // Authenticate queries if the provided login/password is authenticates against the SMTP server // Users will be autoregistered as required -func (source *Source) Authenticate(user *models.User, login, password string, loginSource *models.LoginSource) (*models.User, error) { +func (source *Source) Authenticate(user *models.User, login, password string) (*models.User, error) { // Verify allowed domains. if len(source.AllowedDomains) > 0 { idx := strings.Index(login, "@") @@ -63,7 +63,7 @@ func (source *Source) Authenticate(user *models.User, login, password string, lo Email: login, Passwd: password, LoginType: models.LoginSMTP, - LoginSource: loginSource.ID, + LoginSource: source.loginSource.ID, LoginName: login, IsActive: true, } diff --git a/services/auth/source/sspi/assert_interface_test.go b/services/auth/source/sspi/assert_interface_test.go new file mode 100644 index 0000000000000..a958a3a4d31f1 --- /dev/null +++ b/services/auth/source/sspi/assert_interface_test.go @@ -0,0 +1,16 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package sspi_test + +import ( + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/services/auth/source/sspi" +) + +type sourceInterface interface { + models.LoginConfig +} + +var _ (sourceInterface) = &sspi.Source{} diff --git a/services/auth/sync.go b/services/auth/sync.go index a976270464681..a608787aad891 100644 --- a/services/auth/sync.go +++ b/services/auth/sync.go @@ -33,7 +33,7 @@ func SyncExternalUsers(ctx context.Context, updateExisting bool) error { } if syncable, ok := s.Cfg.(SynchronizableSource); ok { - err := syncable.Sync(ctx, updateExisting, s) + err := syncable.Sync(ctx, updateExisting) if err != nil { return err } From 3747caced767aefe96d4fc21937ddba169726278 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 04:13:57 +0100 Subject: [PATCH 20/44] Despecialize db authentication and fix bug Signed-off-by: Andrew Thornton --- routers/web/user/auth.go | 6 +-- services/auth/signin.go | 52 ++++++++----------- .../auth/source/db/assert_interface_test.go | 18 +++++++ services/auth/source/db/authenticate.go | 4 ++ services/auth/source/db/source.go | 30 +++++++++++ .../source/oauth2/assert_interface_test.go | 2 + .../auth/source/oauth2/source_authenticate.go | 37 ++----------- services/auth/source/oauth2/source_callout.go | 42 +++++++++++++++ 8 files changed, 127 insertions(+), 64 deletions(-) create mode 100644 services/auth/source/db/assert_interface_test.go create mode 100644 services/auth/source/db/source.go create mode 100644 services/auth/source/oauth2/source_callout.go diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go index ebe5128754b57..eb0d05072d56d 100644 --- a/routers/web/user/auth.go +++ b/routers/web/user/auth.go @@ -578,13 +578,13 @@ func SignInOAuth(ctx *context.Context) { return } - if err = loginSource.Cfg.(*oauth2.Source).ProviderAuthenticate(ctx.Req, ctx.Resp); err != nil { + if err = loginSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil { if strings.Contains(err.Error(), "no provider for ") { if err = oauth2.ResetOAuth2(); err != nil { ctx.ServerError("SignIn", err) return } - if err = loginSource.Cfg.(*oauth2.Source).ProviderAuthenticate(ctx.Req, ctx.Resp); err != nil { + if err = loginSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil { ctx.ServerError("SignIn", err) } return @@ -773,7 +773,7 @@ func handleOAuth2SignIn(ctx *context.Context, u *models.User, gothUser goth.User // OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful // login the user func oAuth2UserLoginCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (*models.User, goth.User, error) { - gothUser, err := loginSource.Cfg.(*oauth2.Source).ProviderCallback(request, response) + gothUser, err := loginSource.Cfg.(*oauth2.Source).Callback(request, response) if err != nil { if err.Error() == "securecookie: the value is too long" { log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", loginSource.Name, setting.OAuth2.MaxTokenLength) diff --git a/services/auth/signin.go b/services/auth/signin.go index 3a78136786805..a0430274e06dc 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -9,9 +9,9 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/log" - "code.gitea.io/gitea/services/auth/source/db" - // Register the other sources + // Register the sources + _ "code.gitea.io/gitea/services/auth/source/db" _ "code.gitea.io/gitea/services/auth/source/ldap" _ "code.gitea.io/gitea/services/auth/source/oauth2" _ "code.gitea.io/gitea/services/auth/source/pam" @@ -49,38 +49,32 @@ func UserSignIn(username, password string) (*models.User, error) { } if hasUser { - switch user.LoginType { - case models.LoginNoType, models.LoginPlain, models.LoginOAuth2: - return db.Authenticate(user, user.Name, password) - default: - source, err := models.GetLoginSourceByID(user.LoginSource) - if err != nil { - return nil, err - } - - if !source.IsActived { - return nil, models.ErrLoginSourceNotActived - } - - authenticator, ok := source.Cfg.(PasswordAuthenticator) - if !ok { - return nil, models.ErrUnsupportedLoginType + source, err := models.GetLoginSourceByID(user.LoginSource) + if err != nil { + return nil, err + } - } + if !source.IsActived { + return nil, models.ErrLoginSourceNotActived + } - user, err := authenticator.Authenticate(nil, username, password) - if err != nil { - return nil, err - } + authenticator, ok := source.Cfg.(PasswordAuthenticator) + if !ok { + return nil, models.ErrUnsupportedLoginType + } - // WARN: DON'T check user.IsActive, that will be checked on reqSign so that - // user could be hint to resend confirm email. - if user.ProhibitLogin { - return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name} - } + user, err := authenticator.Authenticate(user, username, password) + if err != nil { + return nil, err + } - return user, nil + // WARN: DON'T check user.IsActive, that will be checked on reqSign so that + // user could be hint to resend confirm email. + if user.ProhibitLogin { + return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name} } + + return user, nil } sources, err := models.ActiveLoginSources(-1) diff --git a/services/auth/source/db/assert_interface_test.go b/services/auth/source/db/assert_interface_test.go new file mode 100644 index 0000000000000..09346669c944c --- /dev/null +++ b/services/auth/source/db/assert_interface_test.go @@ -0,0 +1,18 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package db_test + +import ( + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/services/auth" + "code.gitea.io/gitea/services/auth/source/db" +) + +type sourceInterface interface { + auth.PasswordAuthenticator + models.LoginConfig +} + +var _ (sourceInterface) = &db.Source{} diff --git a/services/auth/source/db/authenticate.go b/services/auth/source/db/authenticate.go index dc85fb2e89e57..e73ab15d2835e 100644 --- a/services/auth/source/db/authenticate.go +++ b/services/auth/source/db/authenticate.go @@ -11,6 +11,10 @@ import ( // Authenticate authenticates the provided user against the DB func Authenticate(user *models.User, login, password string) (*models.User, error) { + if user == nil { + return nil, models.ErrUserNotExist{Name: login} + } + if !user.IsPasswordSet() || !user.ValidatePassword(password) { return nil, models.ErrUserNotExist{UID: user.ID, Name: user.Name} } diff --git a/services/auth/source/db/source.go b/services/auth/source/db/source.go new file mode 100644 index 0000000000000..1d7942cbc966f --- /dev/null +++ b/services/auth/source/db/source.go @@ -0,0 +1,30 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package db + +import "code.gitea.io/gitea/models" + +type Source struct{} + +// FromDB fills up an OAuth2Config from serialized format. +func (source *Source) FromDB(bs []byte) error { + return nil +} + +// ToDB exports an SMTPConfig to a serialized format. +func (source *Source) ToDB() ([]byte, error) { + return nil, nil +} + +// Authenticate queries if login/password is valid against the PAM, +// and create a local user if success when enabled. +func (source *Source) Authenticate(user *models.User, login, password string) (*models.User, error) { + return Authenticate(user, login, password) +} + +func init() { + models.RegisterLoginTypeConfig(models.LoginNoType, &Source{}) + models.RegisterLoginTypeConfig(models.LoginPlain, &Source{}) +} diff --git a/services/auth/source/oauth2/assert_interface_test.go b/services/auth/source/oauth2/assert_interface_test.go index 3ad18dbdb791a..b527ec9881bc8 100644 --- a/services/auth/source/oauth2/assert_interface_test.go +++ b/services/auth/source/oauth2/assert_interface_test.go @@ -6,6 +6,7 @@ package oauth2_test import ( "code.gitea.io/gitea/models" + "code.gitea.io/gitea/services/auth" "code.gitea.io/gitea/services/auth/source/oauth2" ) @@ -13,6 +14,7 @@ type sourceInterface interface { models.LoginConfig models.LoginSourceSettable models.RegisterableSource + auth.PasswordAuthenticator } var _ (sourceInterface) = &oauth2.Source{} diff --git a/services/auth/source/oauth2/source_authenticate.go b/services/auth/source/oauth2/source_authenticate.go index 7f56a922a3f14..2e39f245dff07 100644 --- a/services/auth/source/oauth2/source_authenticate.go +++ b/services/auth/source/oauth2/source_authenticate.go @@ -5,38 +5,11 @@ package oauth2 import ( - "net/http" - - "github.com/markbates/goth" - "github.com/markbates/goth/gothic" + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/services/auth/source/db" ) -// ProviderAuthenticate redirects request/response pair to authenticate against the provider -func (source *Source) ProviderAuthenticate(request *http.Request, response http.ResponseWriter) error { - // not sure if goth is thread safe (?) when using multiple providers - request.Header.Set(ProviderHeaderKey, source.loginSource.Name) - - // don't use the default gothic begin handler to prevent issues when some error occurs - // normally the gothic library will write some custom stuff to the response instead of our own nice error page - //gothic.BeginAuthHandler(response, request) - - url, err := gothic.GetAuthURL(response, request) - if err == nil { - http.Redirect(response, request, url, http.StatusTemporaryRedirect) - } - return err -} - -// ProviderCallback handles OAuth callback, resolve to a goth user and send back to original url -// this will trigger a new authentication request, but because we save it in the session we can use that -func (source *Source) ProviderCallback(request *http.Request, response http.ResponseWriter) (goth.User, error) { - // not sure if goth is thread safe (?) when using multiple providers - request.Header.Set(ProviderHeaderKey, source.loginSource.Name) - - user, err := gothic.CompleteUserAuth(response, request) - if err != nil { - return user, err - } - - return user, nil +// Authenticate falls back to the db authenticator +func (source *Source) Authenticate(user *models.User, login, password string) (*models.User, error) { + return db.Authenticate(user, login, password) } diff --git a/services/auth/source/oauth2/source_callout.go b/services/auth/source/oauth2/source_callout.go new file mode 100644 index 0000000000000..8f4663f3bea12 --- /dev/null +++ b/services/auth/source/oauth2/source_callout.go @@ -0,0 +1,42 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package oauth2 + +import ( + "net/http" + + "github.com/markbates/goth" + "github.com/markbates/goth/gothic" +) + +// Callout redirects request/response pair to authenticate against the provider +func (source *Source) Callout(request *http.Request, response http.ResponseWriter) error { + // not sure if goth is thread safe (?) when using multiple providers + request.Header.Set(ProviderHeaderKey, source.loginSource.Name) + + // don't use the default gothic begin handler to prevent issues when some error occurs + // normally the gothic library will write some custom stuff to the response instead of our own nice error page + //gothic.BeginAuthHandler(response, request) + + url, err := gothic.GetAuthURL(response, request) + if err == nil { + http.Redirect(response, request, url, http.StatusTemporaryRedirect) + } + return err +} + +// Callback handles OAuth callback, resolve to a goth user and send back to original url +// this will trigger a new authentication request, but because we save it in the session we can use that +func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (goth.User, error) { + // not sure if goth is thread safe (?) when using multiple providers + request.Header.Set(ProviderHeaderKey, source.loginSource.Name) + + user, err := gothic.CompleteUserAuth(response, request) + if err != nil { + return user, err + } + + return user, nil +} From 550ed703ee456937b7aa4498c19980bf68772a4d Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 04:19:13 +0100 Subject: [PATCH 21/44] Add explanation to assert_interface_test.go Signed-off-by: Andrew Thornton --- services/auth/source/db/assert_interface_test.go | 3 +++ services/auth/source/ldap/assert_interface_test.go | 3 +++ services/auth/source/oauth2/assert_interface_test.go | 3 +++ services/auth/source/pam/assert_interface_test.go | 3 +++ services/auth/source/smtp/assert_interface_test.go | 3 +++ services/auth/source/sspi/assert_interface_test.go | 3 +++ 6 files changed, 18 insertions(+) diff --git a/services/auth/source/db/assert_interface_test.go b/services/auth/source/db/assert_interface_test.go index 09346669c944c..2e0fa9ba2247a 100644 --- a/services/auth/source/db/assert_interface_test.go +++ b/services/auth/source/db/assert_interface_test.go @@ -10,6 +10,9 @@ import ( "code.gitea.io/gitea/services/auth/source/db" ) +// This test file exists to assert that our Source exposes the interfaces that we expect +// It tightly binds the interfaces and implementation without breaking go import cycles + type sourceInterface interface { auth.PasswordAuthenticator models.LoginConfig diff --git a/services/auth/source/ldap/assert_interface_test.go b/services/auth/source/ldap/assert_interface_test.go index 2b57ca0fa733b..4cf3eafe76358 100644 --- a/services/auth/source/ldap/assert_interface_test.go +++ b/services/auth/source/ldap/assert_interface_test.go @@ -10,6 +10,9 @@ import ( "code.gitea.io/gitea/services/auth/source/ldap" ) +// This test file exists to assert that our Source exposes the interfaces that we expect +// It tightly binds the interfaces and implementation without breaking go import cycles + type sourceInterface interface { auth.PasswordAuthenticator auth.SynchronizableSource diff --git a/services/auth/source/oauth2/assert_interface_test.go b/services/auth/source/oauth2/assert_interface_test.go index b527ec9881bc8..4157427ff2f76 100644 --- a/services/auth/source/oauth2/assert_interface_test.go +++ b/services/auth/source/oauth2/assert_interface_test.go @@ -10,6 +10,9 @@ import ( "code.gitea.io/gitea/services/auth/source/oauth2" ) +// This test file exists to assert that our Source exposes the interfaces that we expect +// It tightly binds the interfaces and implementation without breaking go import cycles + type sourceInterface interface { models.LoginConfig models.LoginSourceSettable diff --git a/services/auth/source/pam/assert_interface_test.go b/services/auth/source/pam/assert_interface_test.go index e4371d282d570..a0bebdf9c6799 100644 --- a/services/auth/source/pam/assert_interface_test.go +++ b/services/auth/source/pam/assert_interface_test.go @@ -10,6 +10,9 @@ import ( "code.gitea.io/gitea/services/auth/source/pam" ) +// This test file exists to assert that our Source exposes the interfaces that we expect +// It tightly binds the interfaces and implementation without breaking go import cycles + type sourceInterface interface { auth.PasswordAuthenticator models.LoginConfig diff --git a/services/auth/source/smtp/assert_interface_test.go b/services/auth/source/smtp/assert_interface_test.go index 261d0108f57c1..bc2042e069965 100644 --- a/services/auth/source/smtp/assert_interface_test.go +++ b/services/auth/source/smtp/assert_interface_test.go @@ -10,6 +10,9 @@ import ( "code.gitea.io/gitea/services/auth/source/smtp" ) +// This test file exists to assert that our Source exposes the interfaces that we expect +// It tightly binds the interfaces and implementation without breaking go import cycles + type sourceInterface interface { auth.PasswordAuthenticator models.LoginConfig diff --git a/services/auth/source/sspi/assert_interface_test.go b/services/auth/source/sspi/assert_interface_test.go index a958a3a4d31f1..605a6ec6c541a 100644 --- a/services/auth/source/sspi/assert_interface_test.go +++ b/services/auth/source/sspi/assert_interface_test.go @@ -9,6 +9,9 @@ import ( "code.gitea.io/gitea/services/auth/source/sspi" ) +// This test file exists to assert that our Source exposes the interfaces that we expect +// It tightly binds the interfaces and implementation without breaking go import cycles + type sourceInterface interface { models.LoginConfig } From 8f1303775c42e35928da27408fb41a342f8babe9 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 04:21:02 +0100 Subject: [PATCH 22/44] fixup! Despecialize db authentication and fix bug --- models/login_source.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/models/login_source.go b/models/login_source.go index c8dd160fcaa84..a1086c02224b4 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -281,6 +281,11 @@ func IsSSPIEnabled() bool { // GetLoginSourceByID returns login source by given ID. func GetLoginSourceByID(id int64) (*LoginSource, error) { source := new(LoginSource) + if id == 0 { + source.Cfg = registeredLoginConfigs[LoginNoType]() + return source, nil + } + has, err := x.ID(id).Get(source) if err != nil { return nil, err From 49c6c2a253e73442aada05967faed2a0d4783219 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 04:28:50 +0100 Subject: [PATCH 23/44] create AllActiveLoginSources as ActiveLoginSources(-1) is a bit weird Signed-off-by: Andrew Thornton --- models/login_source.go | 16 +++++++++------- services/auth/signin.go | 2 +- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/models/login_source.go b/models/login_source.go index a1086c02224b4..da9189175b912 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -248,16 +248,18 @@ func LoginSourcesByType(loginType LoginType) ([]*LoginSource, error) { return sources, nil } +// AllActiveLoginSources returns all active sources +func AllActiveLoginSources() ([]*LoginSource, error) { + sources := make([]*LoginSource, 0, 5) + if err := x.Where("is_actived = ?", true).Find(&sources); err != nil { + return nil, err + } + return sources, nil +} + // ActiveLoginSources returns all active sources of the specified type func ActiveLoginSources(loginType LoginType) ([]*LoginSource, error) { sources := make([]*LoginSource, 0, 1) - if loginType < 0 { - if err := x.Where("is_actived = ?", true).Find(&sources); err != nil { - return nil, err - } - return sources, nil - } - if err := x.Where("is_actived = ? and type = ?", true, loginType).Find(&sources); err != nil { return nil, err } diff --git a/services/auth/signin.go b/services/auth/signin.go index a0430274e06dc..a527e02bca37f 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -77,7 +77,7 @@ func UserSignIn(username, password string) (*models.User, error) { return user, nil } - sources, err := models.ActiveLoginSources(-1) + sources, err := models.AllActiveLoginSources() if err != nil { return nil, err } From c17fda3ab91d8bcee12f210236470658df9df059 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 04:32:52 +0100 Subject: [PATCH 24/44] Handle prohibit logins correctly Signed-off-by: Andrew Thornton --- services/auth/signin.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/auth/signin.go b/services/auth/signin.go index a527e02bca37f..224688e8d1195 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -96,10 +96,10 @@ func UserSignIn(username, password string) (*models.User, error) { authUser, err := authenticator.Authenticate(nil, username, password) if err == nil { - if !user.ProhibitLogin { + if !authUser.ProhibitLogin { return authUser, nil } - err = models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name} + err = models.ErrUserProhibitLogin{UID: authUser.ID, Name: authUser.Name} } log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err) From cb668e5bf3b9d94edad6bbec5ed4f3583273b31c Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 04:35:20 +0100 Subject: [PATCH 25/44] fixup! Despecialize db authentication and fix bug --- services/auth/source/db/source.go | 1 + 1 file changed, 1 insertion(+) diff --git a/services/auth/source/db/source.go b/services/auth/source/db/source.go index 1d7942cbc966f..182c05f0dfcc5 100644 --- a/services/auth/source/db/source.go +++ b/services/auth/source/db/source.go @@ -6,6 +6,7 @@ package db import "code.gitea.io/gitea/models" +// Source is a password authentication service type Source struct{} // FromDB fills up an OAuth2Config from serialized format. From 320136e428b446c0c8feb40343a1d9a9f5857e34 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 05:00:32 +0100 Subject: [PATCH 26/44] Simplify auth.Method interface Signed-off-by: Andrew Thornton --- services/auth/auth.go | 14 ++++++++++++-- services/auth/basic.go | 11 +---------- services/auth/group.go | 30 +++++++++++++++++++----------- services/auth/interface.go | 26 ++++++++++++++++++-------- services/auth/oauth2.go | 11 +---------- services/auth/reverseproxy.go | 11 +---------- services/auth/session.go | 10 ---------- services/auth/sspi_windows.go | 5 ++++- 8 files changed, 56 insertions(+), 62 deletions(-) diff --git a/services/auth/auth.go b/services/auth/auth.go index 1dedfbf779b58..854abcacd1667 100644 --- a/services/auth/auth.go +++ b/services/auth/auth.go @@ -57,7 +57,12 @@ func Init() { } specialInit() for _, method := range Methods() { - err := method.Init() + initalizable, ok := method.(Initializable) + if !ok { + continue + } + + err := initalizable.Init() if err != nil { log.Error("Could not initialize '%s' auth method, error: %s", reflect.TypeOf(method).String(), err) } @@ -68,7 +73,12 @@ func Init() { // to release necessary resources func Free() { for _, method := range Methods() { - err := method.Free() + freeable, ok := method.(Freeable) + if !ok { + continue + } + + err := freeable.Free() if err != nil { log.Error("Could not free '%s' auth method, error: %s", reflect.TypeOf(method).String(), err) } diff --git a/services/auth/basic.go b/services/auth/basic.go index f0486f905c379..d492a52a6693f 100644 --- a/services/auth/basic.go +++ b/services/auth/basic.go @@ -20,6 +20,7 @@ import ( // Ensure the struct implements the interface. var ( _ Method = &Basic{} + _ Named = &Basic{} ) // Basic implements the Auth interface and authenticates requests (API requests @@ -33,16 +34,6 @@ func (b *Basic) Name() string { return "basic" } -// Init does nothing as the Basic implementation does not need to allocate any resources -func (b *Basic) Init() error { - return nil -} - -// Free does nothing as the Basic implementation does not have to release any resources -func (b *Basic) Free() error { - return nil -} - // Verify extracts and validates Basic data (username and password/token) from the // "Authorization" header of the request and returns the corresponding user object for that // name/token on successful validation. diff --git a/services/auth/group.go b/services/auth/group.go index 7e887cfa8b58e..fb885b818ab4d 100644 --- a/services/auth/group.go +++ b/services/auth/group.go @@ -12,7 +12,9 @@ import ( // Ensure the struct implements the interface. var ( - _ Method = &Group{} + _ Method = &Group{} + _ Initializable = &Group{} + _ Freeable = &Group{} ) // Group implements the Auth interface with serval Auth. @@ -27,15 +29,15 @@ func NewGroup(methods ...Method) *Group { } } -// Name represents the name of auth method -func (b *Group) Name() string { - return "group" -} - // Init does nothing as the Basic implementation does not need to allocate any resources func (b *Group) Init() error { - for _, m := range b.methods { - if err := m.Init(); err != nil { + for _, method := range b.methods { + initializable, ok := method.(Initializable) + if !ok { + continue + } + + if err := initializable.Init(); err != nil { return err } } @@ -44,8 +46,12 @@ func (b *Group) Init() error { // Free does nothing as the Basic implementation does not have to release any resources func (b *Group) Free() error { - for _, m := range b.methods { - if err := m.Free(); err != nil { + for _, method := range b.methods { + freeable, ok := method.(Freeable) + if !ok { + continue + } + if err := freeable.Free(); err != nil { return err } } @@ -63,7 +69,9 @@ func (b *Group) Verify(req *http.Request, w http.ResponseWriter, store DataStore user := ssoMethod.Verify(req, w, store, sess) if user != nil { if store.GetData()["AuthedMethod"] == nil { - store.GetData()["AuthedMethod"] = ssoMethod.Name() + if named, ok := ssoMethod.(Named); ok { + store.GetData()["AuthedMethod"] = named.Name() + } } return user } diff --git a/services/auth/interface.go b/services/auth/interface.go index 44effb1d0ae0f..51c7043370bb1 100644 --- a/services/auth/interface.go +++ b/services/auth/interface.go @@ -21,22 +21,32 @@ type SessionStore session.Store // Method represents an authentication method (plugin) for HTTP requests. type Method interface { - Name() string + // Verify tries to verify the authentication data contained in the request. + // If verification is successful returns either an existing user object (with id > 0) + // or a new user object (with id = 0) populated with the information that was found + // in the authentication data (username or email). + // Returns nil if verification fails. + Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User +} +// Initializable represents a structure that requires initialization +// It usually should only be called once before anything else is called +type Initializable interface { // Init should be called exactly once before using any of the other methods, // in order to allow the plugin to allocate necessary resources Init() error +} +// Named represents a named thing +type Named interface { + Name() string +} + +// Freeable represents a structure that is required to be freed +type Freeable interface { // Free should be called exactly once before application closes, in order to // give chance to the plugin to free any allocated resources Free() error - - // Verify tries to verify the authentication data contained in the request. - // If verification is successful returns either an existing user object (with id > 0) - // or a new user object (with id = 0) populated with the information that was found - // in the authentication data (username or email). - // Returns nil if verification fails. - Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User } // PasswordAuthenticator represents a source of authentication diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go index b6b922de7a4d6..93806c7072aa2 100644 --- a/services/auth/oauth2.go +++ b/services/auth/oauth2.go @@ -20,6 +20,7 @@ import ( // Ensure the struct implements the interface. var ( _ Method = &OAuth2{} + _ Named = &OAuth2{} ) // CheckOAuthAccessToken returns uid of user from oauth token @@ -52,21 +53,11 @@ func CheckOAuthAccessToken(accessToken string) int64 { type OAuth2 struct { } -// Init does nothing as the OAuth2 implementation does not need to allocate any resources -func (o *OAuth2) Init() error { - return nil -} - // Name represents the name of auth method func (o *OAuth2) Name() string { return "oauth2" } -// Free does nothing as the OAuth2 implementation does not have to release any resources -func (o *OAuth2) Free() error { - return nil -} - // userIDFromToken returns the user id corresponding to the OAuth token. func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 { _ = req.ParseForm() diff --git a/services/auth/reverseproxy.go b/services/auth/reverseproxy.go index 90d830846e165..46d8d3fa6379d 100644 --- a/services/auth/reverseproxy.go +++ b/services/auth/reverseproxy.go @@ -20,6 +20,7 @@ import ( // Ensure the struct implements the interface. var ( _ Method = &ReverseProxy{} + _ Named = &ReverseProxy{} ) // ReverseProxy implements the Auth interface, but actually relies on @@ -44,16 +45,6 @@ func (r *ReverseProxy) Name() string { return "reverse_proxy" } -// Init does nothing as the ReverseProxy implementation does not need initialization -func (r *ReverseProxy) Init() error { - return nil -} - -// Free does nothing as the ReverseProxy implementation does not have to release resources -func (r *ReverseProxy) Free() error { - return nil -} - // Verify extracts the username from the "setting.ReverseProxyAuthUser" header // of the request and returns the corresponding user object for that name. // Verification of header data is not performed as it should have already been done by diff --git a/services/auth/session.go b/services/auth/session.go index c3fcbc2bda67c..c93fa8c1939ba 100644 --- a/services/auth/session.go +++ b/services/auth/session.go @@ -21,21 +21,11 @@ var ( type Session struct { } -// Init does nothing as the Session implementation does not need to allocate any resources -func (s *Session) Init() error { - return nil -} - // Name represents the name of auth method func (s *Session) Name() string { return "session" } -// Free does nothing as the Session implementation does not have to release any resources -func (s *Session) Free() error { - return nil -} - // Verify checks if there is a user uid stored in the session and returns the user // object for that uid. // Returns nil if there is no user uid stored in the session. diff --git a/services/auth/sspi_windows.go b/services/auth/sspi_windows.go index 1d31ceaf9e1ce..c99dad712463f 100644 --- a/services/auth/sspi_windows.go +++ b/services/auth/sspi_windows.go @@ -33,7 +33,10 @@ var ( sspiAuth *websspi.Authenticator // Ensure the struct implements the interface. - _ Method = &SSPI{} + _ Method = &SSPI{} + _ Named = &SSPI{} + _ Initializable = &SSPI{} + _ Freeable = &SSPI{} ) // SSPI implements the SingleSignOn interface and authenticates requests From f26a8170a72e0cf4754711ffbd6622dcef7d5f11 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 05:02:09 +0100 Subject: [PATCH 27/44] fixup! Simplify auth.Method interface --- services/auth/session.go | 1 + 1 file changed, 1 insertion(+) diff --git a/services/auth/session.go b/services/auth/session.go index c93fa8c1939ba..9a6e2d95d0d3c 100644 --- a/services/auth/session.go +++ b/services/auth/session.go @@ -14,6 +14,7 @@ import ( // Ensure the struct implements the interface. var ( _ Method = &Session{} + _ Named = &Session{} ) // Session checks if there is a user uid stored in the session and returns the user From 2db8e5d460939cec7422339fd3838652bdc718fd Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 05:05:02 +0100 Subject: [PATCH 28/44] fixup! fixup! Despecialize db authentication and fix bug --- models/login_source.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/models/login_source.go b/models/login_source.go index da9189175b912..c27dcfa281bac 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -285,6 +285,9 @@ func GetLoginSourceByID(id int64) (*LoginSource, error) { source := new(LoginSource) if id == 0 { source.Cfg = registeredLoginConfigs[LoginNoType]() + // Set this source to active + // FIXME: allow disabling of db based password authentication in future + source.IsActived = true return source, nil } From 46cae9df5959a66056134ba704bcbeb51e834015 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 05:10:40 +0100 Subject: [PATCH 29/44] fixup! Handle prohibit logins correctly --- services/auth/signin.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/auth/signin.go b/services/auth/signin.go index 224688e8d1195..5b9fd81df3c7c 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -105,5 +105,5 @@ func UserSignIn(username, password string) (*models.User, error) { log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err) } - return nil, models.ErrUserNotExist{UID: user.ID, Name: user.Name} + return nil, models.ErrUserNotExist{Name: username} } From 65714ff0f008359196d3d4d05b9fa95ef51bfb29 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Mon, 21 Jun 2021 09:08:50 +0100 Subject: [PATCH 30/44] fixup! fixup! Simplify auth.Method interface --- services/auth/auth.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/auth/auth.go b/services/auth/auth.go index 854abcacd1667..11a8c6ed1c999 100644 --- a/services/auth/auth.go +++ b/services/auth/auth.go @@ -57,12 +57,12 @@ func Init() { } specialInit() for _, method := range Methods() { - initalizable, ok := method.(Initializable) + initializable, ok := method.(Initializable) if !ok { continue } - err := initalizable.Init() + err := initializable.Init() if err != nil { log.Error("Could not initialize '%s' auth method, error: %s", reflect.TypeOf(method).String(), err) } From e1a015fca5e332dae203a6df25600c74ac7d139a Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Wed, 23 Jun 2021 22:32:11 +0100 Subject: [PATCH 31/44] Fix #16235 Signed-off-by: Andrew Thornton --- services/auth/signin.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/services/auth/signin.go b/services/auth/signin.go index 5b9fd81df3c7c..43135d60a97bd 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -102,7 +102,11 @@ func UserSignIn(username, password string) (*models.User, error) { err = models.ErrUserProhibitLogin{UID: authUser.ID, Name: authUser.Name} } - log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err) + if models.IsErrUserNotExist(err) { + log.Debug("Failed to login '%s' via '%s': %v", username, source.Name, err) + } else { + log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err) + } } return nil, models.ErrUserNotExist{Name: username} From 339a74b67d3c6abce2327fda567d3feb6c1c35fb Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 27 Jun 2021 12:44:38 +0100 Subject: [PATCH 32/44] Fix #16252 - Equivalent to #16268 Signed-off-by: Andrew Thornton --- models/login_source.go | 12 ++++++++++++ models/repo_unit.go | 15 +++++---------- services/auth/source/ldap/source.go | 4 +--- services/auth/source/oauth2/source.go | 3 +-- services/auth/source/pam/source.go | 3 +-- services/auth/source/smtp/source.go | 3 +-- services/auth/source/sspi/source.go | 3 +-- 7 files changed, 22 insertions(+), 21 deletions(-) diff --git a/models/login_source.go b/models/login_source.go index c27dcfa281bac..b048f6c5dc613 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -11,6 +11,7 @@ import ( "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/timeutil" + jsoniter "github.com/json-iterator/go" "xorm.io/xorm" "xorm.io/xorm/convert" @@ -126,6 +127,17 @@ func Cell2Int64(val xorm.Cell) int64 { return (*val).(int64) } +// JsonUnmarshalIgnoreErroneousBOM - due to a bug in xorm (see https://gitea.com/xorm/xorm/pulls/1957) - it's +// possible that a Blob may gain an unwanted prefix of 0xff 0xfe. +func JsonUnmarshalIgnoreErroneousBOM(bs []byte, v interface{}) error { + json := jsoniter.ConfigCompatibleWithStandardLibrary + err := json.Unmarshal(bs, &v) + if err != nil && len(bs) > 2 && bs[0] == 0xff && bs[1] == 0xfe { + err = json.Unmarshal(bs[2:], &v) + } + return err +} + // BeforeSet is invoked from XORM before setting the value of a field of this object. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) { if colName == "type" { diff --git a/models/repo_unit.go b/models/repo_unit.go index 1d54579a6e727..5021b9a06f592 100644 --- a/models/repo_unit.go +++ b/models/repo_unit.go @@ -28,8 +28,7 @@ type UnitConfig struct{} // FromDB fills up a UnitConfig from serialized format. func (cfg *UnitConfig) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, &cfg) + return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a UnitConfig to a serialized format. @@ -45,8 +44,7 @@ type ExternalWikiConfig struct { // FromDB fills up a ExternalWikiConfig from serialized format. func (cfg *ExternalWikiConfig) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, &cfg) + return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a ExternalWikiConfig to a serialized format. @@ -64,8 +62,7 @@ type ExternalTrackerConfig struct { // FromDB fills up a ExternalTrackerConfig from serialized format. func (cfg *ExternalTrackerConfig) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, &cfg) + return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a ExternalTrackerConfig to a serialized format. @@ -83,8 +80,7 @@ type IssuesConfig struct { // FromDB fills up a IssuesConfig from serialized format. func (cfg *IssuesConfig) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, &cfg) + return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a IssuesConfig to a serialized format. @@ -107,8 +103,7 @@ type PullRequestsConfig struct { // FromDB fills up a PullRequestsConfig from serialized format. func (cfg *PullRequestsConfig) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, &cfg) + return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a PullRequestsConfig to a serialized format. diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go index 80ed3e75e6e51..e3a685f7cd7b4 100644 --- a/services/auth/source/ldap/source.go +++ b/services/auth/source/ldap/source.go @@ -65,13 +65,11 @@ type wrappedSource struct { // FromDB fills up a LDAPConfig from serialized format. func (source *Source) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - wrapped := &wrappedSource{ Source: source, } - err := json.Unmarshal(bs, &wrapped) + err := models.JsonUnmarshalIgnoreErroneousBOM(bs, &wrapped) if err != nil { return err } diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go index 7780b5cc42638..4a59546731819 100644 --- a/services/auth/source/oauth2/source.go +++ b/services/auth/source/oauth2/source.go @@ -32,8 +32,7 @@ type Source struct { // FromDB fills up an OAuth2Config from serialized format. func (source *Source) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, source) + return models.JsonUnmarshalIgnoreErroneousBOM(bs, source) } // ToDB exports an SMTPConfig to a serialized format. diff --git a/services/auth/source/pam/source.go b/services/auth/source/pam/source.go index 124d61974af97..431356f62cbb6 100644 --- a/services/auth/source/pam/source.go +++ b/services/auth/source/pam/source.go @@ -28,8 +28,7 @@ type Source struct { // FromDB fills up a PAMConfig from serialized format. func (source *Source) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, &source) + return models.JsonUnmarshalIgnoreErroneousBOM(bs, &source) } // ToDB exports a PAMConfig to a serialized format. diff --git a/services/auth/source/smtp/source.go b/services/auth/source/smtp/source.go index 104322dedc608..eb80110775d6f 100644 --- a/services/auth/source/smtp/source.go +++ b/services/auth/source/smtp/source.go @@ -32,8 +32,7 @@ type Source struct { // FromDB fills up an SMTPConfig from serialized format. func (source *Source) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, source) + return models.JsonUnmarshalIgnoreErroneousBOM(bs, source) } // ToDB exports an SMTPConfig to a serialized format. diff --git a/services/auth/source/sspi/source.go b/services/auth/source/sspi/source.go index fe0ff143c7698..2e09700ada0df 100644 --- a/services/auth/source/sspi/source.go +++ b/services/auth/source/sspi/source.go @@ -27,8 +27,7 @@ type Source struct { // FromDB fills up an SSPIConfig from serialized format. func (cfg *Source) FromDB(bs []byte) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - return json.Unmarshal(bs, cfg) + return models.JsonUnmarshalIgnoreErroneousBOM(bs, cfg) } // ToDB exports an SSPIConfig to a serialized format. From 88d95469758bcb158c619a3c7a4ec70065387d89 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 27 Jun 2021 15:40:18 +0100 Subject: [PATCH 33/44] fixup! Fix #16252 - Equivalent to #16268 Signed-off-by: Andrew Thornton --- models/helper.go | 15 +++++++++++++++ models/login_source.go | 12 ------------ models/repo_unit.go | 10 +++++----- services/auth/source/ldap/source.go | 2 +- services/auth/source/oauth2/source.go | 2 +- services/auth/source/pam/source.go | 2 +- services/auth/source/smtp/source.go | 2 +- services/auth/source/sspi/source.go | 2 +- 8 files changed, 25 insertions(+), 22 deletions(-) diff --git a/models/helper.go b/models/helper.go index 91063b2d131ae..b839d06bf5762 100644 --- a/models/helper.go +++ b/models/helper.go @@ -4,6 +4,10 @@ package models +import ( + jsoniter "github.com/json-iterator/go" +) + func keysInt64(m map[int64]struct{}) []int64 { keys := make([]int64, 0, len(m)) for k := range m { @@ -27,3 +31,14 @@ func valuesUser(m map[int64]*User) []*User { } return values } + +// JSONUnmarshalIgnoreErroneousBOM - due to a bug in xorm (see https://gitea.com/xorm/xorm/pulls/1957) - it's +// possible that a Blob may gain an unwanted prefix of 0xff 0xfe. +func JSONUnmarshalIgnoreErroneousBOM(bs []byte, v interface{}) error { + json := jsoniter.ConfigCompatibleWithStandardLibrary + err := json.Unmarshal(bs, &v) + if err != nil && len(bs) > 2 && bs[0] == 0xff && bs[1] == 0xfe { + err = json.Unmarshal(bs[2:], &v) + } + return err +} diff --git a/models/login_source.go b/models/login_source.go index b048f6c5dc613..c27dcfa281bac 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -11,7 +11,6 @@ import ( "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/timeutil" - jsoniter "github.com/json-iterator/go" "xorm.io/xorm" "xorm.io/xorm/convert" @@ -127,17 +126,6 @@ func Cell2Int64(val xorm.Cell) int64 { return (*val).(int64) } -// JsonUnmarshalIgnoreErroneousBOM - due to a bug in xorm (see https://gitea.com/xorm/xorm/pulls/1957) - it's -// possible that a Blob may gain an unwanted prefix of 0xff 0xfe. -func JsonUnmarshalIgnoreErroneousBOM(bs []byte, v interface{}) error { - json := jsoniter.ConfigCompatibleWithStandardLibrary - err := json.Unmarshal(bs, &v) - if err != nil && len(bs) > 2 && bs[0] == 0xff && bs[1] == 0xfe { - err = json.Unmarshal(bs[2:], &v) - } - return err -} - // BeforeSet is invoked from XORM before setting the value of a field of this object. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) { if colName == "type" { diff --git a/models/repo_unit.go b/models/repo_unit.go index 5021b9a06f592..6edb7e1853ac4 100644 --- a/models/repo_unit.go +++ b/models/repo_unit.go @@ -28,7 +28,7 @@ type UnitConfig struct{} // FromDB fills up a UnitConfig from serialized format. func (cfg *UnitConfig) FromDB(bs []byte) error { - return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return JSONUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a UnitConfig to a serialized format. @@ -44,7 +44,7 @@ type ExternalWikiConfig struct { // FromDB fills up a ExternalWikiConfig from serialized format. func (cfg *ExternalWikiConfig) FromDB(bs []byte) error { - return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return JSONUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a ExternalWikiConfig to a serialized format. @@ -62,7 +62,7 @@ type ExternalTrackerConfig struct { // FromDB fills up a ExternalTrackerConfig from serialized format. func (cfg *ExternalTrackerConfig) FromDB(bs []byte) error { - return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return JSONUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a ExternalTrackerConfig to a serialized format. @@ -80,7 +80,7 @@ type IssuesConfig struct { // FromDB fills up a IssuesConfig from serialized format. func (cfg *IssuesConfig) FromDB(bs []byte) error { - return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return JSONUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a IssuesConfig to a serialized format. @@ -103,7 +103,7 @@ type PullRequestsConfig struct { // FromDB fills up a PullRequestsConfig from serialized format. func (cfg *PullRequestsConfig) FromDB(bs []byte) error { - return JsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return JSONUnmarshalIgnoreErroneousBOM(bs, &cfg) } // ToDB exports a PullRequestsConfig to a serialized format. diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go index e3a685f7cd7b4..affbcfbd99b1e 100644 --- a/services/auth/source/ldap/source.go +++ b/services/auth/source/ldap/source.go @@ -69,7 +69,7 @@ func (source *Source) FromDB(bs []byte) error { Source: source, } - err := models.JsonUnmarshalIgnoreErroneousBOM(bs, &wrapped) + err := models.JSONUnmarshalIgnoreErroneousBOM(bs, &wrapped) if err != nil { return err } diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go index 4a59546731819..f054e7960ed7b 100644 --- a/services/auth/source/oauth2/source.go +++ b/services/auth/source/oauth2/source.go @@ -32,7 +32,7 @@ type Source struct { // FromDB fills up an OAuth2Config from serialized format. func (source *Source) FromDB(bs []byte) error { - return models.JsonUnmarshalIgnoreErroneousBOM(bs, source) + return models.JSONUnmarshalIgnoreErroneousBOM(bs, source) } // ToDB exports an SMTPConfig to a serialized format. diff --git a/services/auth/source/pam/source.go b/services/auth/source/pam/source.go index 431356f62cbb6..4655f32d868cf 100644 --- a/services/auth/source/pam/source.go +++ b/services/auth/source/pam/source.go @@ -28,7 +28,7 @@ type Source struct { // FromDB fills up a PAMConfig from serialized format. func (source *Source) FromDB(bs []byte) error { - return models.JsonUnmarshalIgnoreErroneousBOM(bs, &source) + return models.JSONUnmarshalIgnoreErroneousBOM(bs, &source) } // ToDB exports a PAMConfig to a serialized format. diff --git a/services/auth/source/smtp/source.go b/services/auth/source/smtp/source.go index eb80110775d6f..3a9a816a0e268 100644 --- a/services/auth/source/smtp/source.go +++ b/services/auth/source/smtp/source.go @@ -32,7 +32,7 @@ type Source struct { // FromDB fills up an SMTPConfig from serialized format. func (source *Source) FromDB(bs []byte) error { - return models.JsonUnmarshalIgnoreErroneousBOM(bs, source) + return models.JSONUnmarshalIgnoreErroneousBOM(bs, source) } // ToDB exports an SMTPConfig to a serialized format. diff --git a/services/auth/source/sspi/source.go b/services/auth/source/sspi/source.go index 2e09700ada0df..949d2bab8ea6b 100644 --- a/services/auth/source/sspi/source.go +++ b/services/auth/source/sspi/source.go @@ -27,7 +27,7 @@ type Source struct { // FromDB fills up an SSPIConfig from serialized format. func (cfg *Source) FromDB(bs []byte) error { - return models.JsonUnmarshalIgnoreErroneousBOM(bs, cfg) + return models.JSONUnmarshalIgnoreErroneousBOM(bs, cfg) } // ToDB exports an SSPIConfig to a serialized format. From ee5f3985cefe8466208f75ef415c4a619b7377cc Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Wed, 14 Jul 2021 22:22:41 +0100 Subject: [PATCH 34/44] as per lafriks use migration instead Signed-off-by: Andrew Thornton --- .../Test_unwrapLDAPSourceCfg/login_source.yml | 41 ++++++++++ models/migrations/migrations.go | 2 + models/migrations/v189.go | 79 +++++++++++++++++++ models/migrations/v189_test.go | 49 ++++++++++++ services/auth/source/ldap/source.go | 16 +--- 5 files changed, 173 insertions(+), 14 deletions(-) create mode 100644 models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml create mode 100644 models/migrations/v189.go create mode 100644 models/migrations/v189_test.go diff --git a/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml b/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml new file mode 100644 index 0000000000000..a9e699fcc2e32 --- /dev/null +++ b/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml @@ -0,0 +1,41 @@ +# type LoginSource struct { +# ID int64 `xorm:"pk autoincr"` +# Type int +# Cfg []byte `xorm:"TEXT"` +# Expected []byte `xorm:"TEXT"` +# } +- + id: 1 + type: 1 + cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" + expected: "{\"Source\":{\"A\":\"string\",\"B\":1}}" +- + id: 2 + type: 2 + cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" + expected: "{\"A\":\"string\",\"B\":1}" +- + id: 3 + type: 3 + cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" + expected: "{\"Source\":{\"A\":\"string\",\"B\":1}}" +- + id: 4 + type: 4 + cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" + expected: "{\"Source\":{\"A\":\"string\",\"B\":1}}" +- + id: 5 + type: 5 + cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" + expected: "{\"A\":\"string\",\"B\":1}" +- + id: 6 + type: 2 + cfg: "{\"A\":\"string\",\"B\":1}" + expected: "{\"A\":\"string\",\"B\":1}" +- + id: 7 + type: 5 + cfg: "{\"A\":\"string\",\"B\":1}" + expected: "{\"A\":\"string\",\"B\":1}" diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index 7a4193199c2f4..fed7b909c1ae2 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -327,6 +327,8 @@ var migrations = []Migration{ NewMigration("Drop unneeded webhook related columns", dropWebhookColumns), // v188 -> v189 NewMigration("Add key is verified to gpg key", addKeyIsVerified), + // v189 -> v190 + NewMigration("Unwrap ldap.Sources", unwrapLDAPSourceCfg), } // GetCurrentDBVersion returns the current db version diff --git a/models/migrations/v189.go b/models/migrations/v189.go new file mode 100644 index 0000000000000..06c558a7c8edc --- /dev/null +++ b/models/migrations/v189.go @@ -0,0 +1,79 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package migrations + +import ( + "fmt" + + jsoniter "github.com/json-iterator/go" + "xorm.io/xorm" +) + +func unwrapLDAPSourceCfg(x *xorm.Engine) error { + jsonUnmarshalIgnoreErroneousBOM := func(bs []byte, v interface{}) error { + json := jsoniter.ConfigCompatibleWithStandardLibrary + err := json.Unmarshal(bs, &v) + if err != nil && len(bs) > 2 && bs[0] == 0xff && bs[1] == 0xfe { + err = json.Unmarshal(bs[2:], &v) + } + return err + } + + // LoginSource represents an external way for authorizing users. + type LoginSource struct { + ID int64 `xorm:"pk autoincr"` + Type int + IsActived bool `xorm:"INDEX NOT NULL DEFAULT false"` + Cfg string `xorm:"TEXT"` + } + + const ldapType = 2 + const dldapType = 5 + + type WrappedSource struct { + Source map[string]interface{} + } + + // change lower_email as unique + if err := x.Sync2(new(LoginSource)); err != nil { + return err + } + + sess := x.NewSession() + defer sess.Close() + + const batchSize = 100 + for start := 0; ; start += batchSize { + sources := make([]*LoginSource, 0, batchSize) + if err := sess.Limit(batchSize, start).Where("`type` = ? OR `type` = ?", ldapType, dldapType).Find(&sources); err != nil { + return err + } + if len(sources) == 0 { + break + } + + for _, source := range sources { + wrapped := &WrappedSource{ + Source: map[string]interface{}{}, + } + err := jsonUnmarshalIgnoreErroneousBOM([]byte(source.Cfg), wrapped) + if err != nil { + return fmt.Errorf("failed to unmarshal %s: %w", string(source.Cfg), err) + } + if wrapped.Source != nil && len(wrapped.Source) > 0 { + bs, err := jsoniter.Marshal(wrapped.Source) + if err != nil { + return err + } + source.Cfg = string(bs) + if _, err := sess.ID(source.ID).Cols("cfg").Update(source); err != nil { + return err + } + } + } + } + + return nil +} diff --git a/models/migrations/v189_test.go b/models/migrations/v189_test.go new file mode 100644 index 0000000000000..d0be065f7c5bc --- /dev/null +++ b/models/migrations/v189_test.go @@ -0,0 +1,49 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package migrations + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func Test_unwrapLDAPSourceCfg(t *testing.T) { + // LoginSource represents an external way for authorizing users. + type LoginSource struct { + ID int64 `xorm:"pk autoincr"` + Type int + IsActived bool `xorm:"INDEX NOT NULL DEFAULT false"` + Cfg string `xorm:"TEXT"` + Expected string `xorm:"TEXT"` + } + + // Prepare and load the testing database + x, deferable := prepareTestEnv(t, 0, new(LoginSource)) + if x == nil || t.Failed() { + defer deferable() + return + } + defer deferable() + + // Run the migration + if err := unwrapLDAPSourceCfg(x); err != nil { + assert.NoError(t, err) + return + } + + const batchSize = 100 + for start := 0; ; start += batchSize { + sources := make([]*LoginSource, 0, batchSize) + if len(sources) == 0 { + break + } + + for _, source := range sources { + assert.Equal(t, string(source.Cfg), string(source.Expected), "unwrapLDAPSourceCfg failed for %d", source.ID) + } + } + +} diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go index affbcfbd99b1e..8fc815eb2c9d6 100644 --- a/services/auth/source/ldap/source.go +++ b/services/auth/source/ldap/source.go @@ -58,18 +58,9 @@ type Source struct { loginSource *models.LoginSource } -// wrappedSource wraps the source to ensure that the FromDB/ToDB results are the same as previously -type wrappedSource struct { - Source *Source -} - // FromDB fills up a LDAPConfig from serialized format. func (source *Source) FromDB(bs []byte) error { - wrapped := &wrappedSource{ - Source: source, - } - - err := models.JSONUnmarshalIgnoreErroneousBOM(bs, &wrapped) + err := models.JSONUnmarshalIgnoreErroneousBOM(bs, source) if err != nil { return err } @@ -89,10 +80,7 @@ func (source *Source) ToDB() ([]byte, error) { } source.BindPassword = "" json := jsoniter.ConfigCompatibleWithStandardLibrary - wrapped := &wrappedSource{ - Source: source, - } - return json.Marshal(wrapped) + return json.Marshal(source) } // SecurityProtocolName returns the name of configured security From 3497354ddbd39280addb8c36e5578648f884567c Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Thu, 15 Jul 2021 12:29:20 +0100 Subject: [PATCH 35/44] fix tests Signed-off-by: Andrew Thornton --- .../Test_unwrapLDAPSourceCfg/login_source.yml | 24 +++++++++---------- models/migrations/v189_test.go | 5 ++++ 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml b/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml index a9e699fcc2e32..f753d13110cac 100644 --- a/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml +++ b/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml @@ -12,30 +12,30 @@ - id: 2 type: 2 - cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" - expected: "{\"A\":\"string\",\"B\":1}" + cfg: "{\"Source\":{\"A\":\"string2\",\"B\":2}}" + expected: "{\"A\":\"string2\",\"B\":2}" - id: 3 type: 3 - cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" - expected: "{\"Source\":{\"A\":\"string\",\"B\":1}}" + cfg: "{\"Source\":{\"A\":\"string3\",\"B\":3}}" + expected: "{\"Source\":{\"A\":\"string3\",\"B\":3}}" - id: 4 type: 4 - cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" - expected: "{\"Source\":{\"A\":\"string\",\"B\":1}}" + cfg: "{\"Source\":{\"A\":\"string4\",\"B\":4}}" + expected: "{\"Source\":{\"A\":\"string4\",\"B\":4}}" - id: 5 type: 5 - cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" - expected: "{\"A\":\"string\",\"B\":1}" + cfg: "{\"Source\":{\"A\":\"string5\",\"B\":5}}" + expected: "{\"A\":\"string5\",\"B\":5}" - id: 6 type: 2 - cfg: "{\"A\":\"string\",\"B\":1}" - expected: "{\"A\":\"string\",\"B\":1}" + cfg: "{\"A\":\"string6\",\"B\":6}" + expected: "{\"A\":\"string6\",\"B\":6}" - id: 7 type: 5 - cfg: "{\"A\":\"string\",\"B\":1}" - expected: "{\"A\":\"string\",\"B\":1}" + cfg: "{\"A\":\"string7\",\"B\":7}" + expected: "{\"A\":\"string7\",\"B\":7}" diff --git a/models/migrations/v189_test.go b/models/migrations/v189_test.go index d0be065f7c5bc..b891b7eac4573 100644 --- a/models/migrations/v189_test.go +++ b/models/migrations/v189_test.go @@ -37,6 +37,11 @@ func Test_unwrapLDAPSourceCfg(t *testing.T) { const batchSize = 100 for start := 0; ; start += batchSize { sources := make([]*LoginSource, 0, batchSize) + if err := x.Table("login_source").Limit(batchSize, start).Find(&sources); err != nil { + assert.NoError(t, err) + return + } + if len(sources) == 0 { break } From f1fb660fa5902d2f99f63da232e35083385db3bd Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Thu, 15 Jul 2021 13:16:33 +0100 Subject: [PATCH 36/44] fix test Signed-off-by: Andrew Thornton --- models/migrations/v189_test.go | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/models/migrations/v189_test.go b/models/migrations/v189_test.go index b891b7eac4573..6e2b4df69bf33 100644 --- a/models/migrations/v189_test.go +++ b/models/migrations/v189_test.go @@ -7,6 +7,7 @@ package migrations import ( "testing" + jsoniter "github.com/json-iterator/go" "github.com/stretchr/testify/assert" ) @@ -47,7 +48,20 @@ func Test_unwrapLDAPSourceCfg(t *testing.T) { } for _, source := range sources { - assert.Equal(t, string(source.Cfg), string(source.Expected), "unwrapLDAPSourceCfg failed for %d", source.ID) + converted := map[string]interface{}{} + expected := map[string]interface{}{} + + if err := jsoniter.Unmarshal([]byte(source.Cfg), &converted); err != nil { + assert.NoError(t, err) + return + } + + if err := jsoniter.Unmarshal([]byte(source.Expected), &expected); err != nil { + assert.NoError(t, err) + return + } + + assert.EqualValues(t, expected, converted, "unwrapLDAPSourceCfg failed for %d", source.ID) } } From 28b57480223f0532f417ec9908b77dd6de3ce00b Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Thu, 15 Jul 2021 18:28:03 +0100 Subject: [PATCH 37/44] not sure if this will help Signed-off-by: Andrew Thornton --- models/migrations/v189.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/migrations/v189.go b/models/migrations/v189.go index 06c558a7c8edc..b3b805a48b446 100644 --- a/models/migrations/v189.go +++ b/models/migrations/v189.go @@ -58,7 +58,7 @@ func unwrapLDAPSourceCfg(x *xorm.Engine) error { wrapped := &WrappedSource{ Source: map[string]interface{}{}, } - err := jsonUnmarshalIgnoreErroneousBOM([]byte(source.Cfg), wrapped) + err := jsonUnmarshalIgnoreErroneousBOM([]byte(source.Cfg), &wrapped) if err != nil { return fmt.Errorf("failed to unmarshal %s: %w", string(source.Cfg), err) } From aa478358ad2b3532e8e580820e6cae9b6cba5daa Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Thu, 15 Jul 2021 18:50:30 +0100 Subject: [PATCH 38/44] And rename IsActived to IsActive Signed-off-by: Andrew Thornton --- cmd/admin.go | 10 ++-- cmd/admin_auth_ldap.go | 10 ++-- cmd/admin_auth_ldap_test.go | 56 +++++++++---------- models/login_source.go | 12 ++-- .../Test_unwrapLDAPSourceCfg/login_source.yml | 7 +++ models/migrations/v189.go | 14 ++++- models/migrations/v189_test.go | 33 ++++++++--- models/oauth2.go | 4 +- routers/web/admin/auths.go | 4 +- services/auth/signin.go | 4 +- services/auth/source/oauth2/init.go | 2 +- services/auth/sync.go | 2 +- templates/admin/auth/edit.tmpl | 2 +- templates/admin/auth/list.tmpl | 2 +- .../user/settings/security_accountlinks.tmpl | 2 +- 15 files changed, 99 insertions(+), 65 deletions(-) diff --git a/cmd/admin.go b/cmd/admin.go index 5a0da5cb8d97e..69c8a5669af5d 100644 --- a/cmd/admin.go +++ b/cmd/admin.go @@ -626,10 +626,10 @@ func runAddOauth(c *cli.Context) error { } return models.CreateLoginSource(&models.LoginSource{ - Type: models.LoginOAuth2, - Name: c.String("name"), - IsActived: true, - Cfg: parseOAuth2Config(c), + Type: models.LoginOAuth2, + Name: c.String("name"), + IsActive: true, + Cfg: parseOAuth2Config(c), }) } @@ -729,7 +729,7 @@ func runListAuth(c *cli.Context) error { w := tabwriter.NewWriter(os.Stdout, c.Int("min-width"), c.Int("tab-width"), c.Int("padding"), padChar, flags) fmt.Fprintf(w, "ID\tName\tType\tEnabled\n") for _, source := range loginSources { - fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", source.ID, source.Name, models.LoginNames[source.Type], source.IsActived) + fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", source.ID, source.Name, models.LoginNames[source.Type], source.IsActive) } w.Flush() diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go index 6427add8ab42b..4314930a3e083 100644 --- a/cmd/admin_auth_ldap.go +++ b/cmd/admin_auth_ldap.go @@ -172,7 +172,7 @@ func parseLoginSource(c *cli.Context, loginSource *models.LoginSource) { loginSource.Name = c.String("name") } if c.IsSet("not-active") { - loginSource.IsActived = !c.Bool("not-active") + loginSource.IsActive = !c.Bool("not-active") } if c.IsSet("synchronize-users") { loginSource.IsSyncEnabled = c.Bool("synchronize-users") @@ -289,8 +289,8 @@ func (a *authService) addLdapBindDn(c *cli.Context) error { } loginSource := &models.LoginSource{ - Type: models.LoginLDAP, - IsActived: true, // active by default + Type: models.LoginLDAP, + IsActive: true, // active by default Cfg: &ldap.Source{ Enabled: true, // always true }, @@ -334,8 +334,8 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error { } loginSource := &models.LoginSource{ - Type: models.LoginDLDAP, - IsActived: true, // active by default + Type: models.LoginDLDAP, + IsActive: true, // active by default Cfg: &ldap.Source{ Enabled: true, // always true }, diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go index bcf4325f0601b..692b11e3f422d 100644 --- a/cmd/admin_auth_ldap_test.go +++ b/cmd/admin_auth_ldap_test.go @@ -54,7 +54,7 @@ func TestAddLdapBindDn(t *testing.T) { loginSource: &models.LoginSource{ Type: models.LoginLDAP, Name: "ldap (via Bind DN) source full", - IsActived: false, + IsActive: false, IsSyncEnabled: true, Cfg: &ldap.Source{ Name: "ldap (via Bind DN) source full", @@ -92,9 +92,9 @@ func TestAddLdapBindDn(t *testing.T) { "--email-attribute", "mail-bind min", }, loginSource: &models.LoginSource{ - Type: models.LoginLDAP, - Name: "ldap (via Bind DN) source min", - IsActived: true, + Type: models.LoginLDAP, + Name: "ldap (via Bind DN) source min", + IsActive: true, Cfg: &ldap.Source{ Name: "ldap (via Bind DN) source min", Host: "ldap-bind-server min", @@ -272,9 +272,9 @@ func TestAddLdapSimpleAuth(t *testing.T) { "--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org", }, loginSource: &models.LoginSource{ - Type: models.LoginDLDAP, - Name: "ldap (simple auth) source full", - IsActived: false, + Type: models.LoginDLDAP, + Name: "ldap (simple auth) source full", + IsActive: false, Cfg: &ldap.Source{ Name: "ldap (simple auth) source full", Host: "ldap-simple-server full", @@ -308,9 +308,9 @@ func TestAddLdapSimpleAuth(t *testing.T) { "--user-dn", "cn=%s,ou=Users,dc=min-domain-simple,dc=org", }, loginSource: &models.LoginSource{ - Type: models.LoginDLDAP, - Name: "ldap (simple auth) source min", - IsActived: true, + Type: models.LoginDLDAP, + Name: "ldap (simple auth) source min", + IsActive: true, Cfg: &ldap.Source{ Name: "ldap (simple auth) source min", Host: "ldap-simple-server min", @@ -508,8 +508,8 @@ func TestUpdateLdapBindDn(t *testing.T) { }, id: 23, existingLoginSource: &models.LoginSource{ - Type: models.LoginLDAP, - IsActived: true, + Type: models.LoginLDAP, + IsActive: true, Cfg: &ldap.Source{ Enabled: true, }, @@ -517,7 +517,7 @@ func TestUpdateLdapBindDn(t *testing.T) { loginSource: &models.LoginSource{ Type: models.LoginLDAP, Name: "ldap (via Bind DN) source full", - IsActived: false, + IsActive: false, IsSyncEnabled: true, Cfg: &ldap.Source{ Name: "ldap (via Bind DN) source full", @@ -576,14 +576,14 @@ func TestUpdateLdapBindDn(t *testing.T) { "--not-active", }, existingLoginSource: &models.LoginSource{ - Type: models.LoginLDAP, - IsActived: true, - Cfg: &ldap.Source{}, + Type: models.LoginLDAP, + IsActive: true, + Cfg: &ldap.Source{}, }, loginSource: &models.LoginSource{ - Type: models.LoginLDAP, - IsActived: false, - Cfg: &ldap.Source{}, + Type: models.LoginLDAP, + IsActive: false, + Cfg: &ldap.Source{}, }, }, // case 4 @@ -936,9 +936,9 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { }, id: 7, loginSource: &models.LoginSource{ - Type: models.LoginDLDAP, - Name: "ldap (simple auth) source full", - IsActived: false, + Type: models.LoginDLDAP, + Name: "ldap (simple auth) source full", + IsActive: false, Cfg: &ldap.Source{ Name: "ldap (simple auth) source full", Host: "ldap-simple-server full", @@ -992,14 +992,14 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { "--not-active", }, existingLoginSource: &models.LoginSource{ - Type: models.LoginDLDAP, - IsActived: true, - Cfg: &ldap.Source{}, + Type: models.LoginDLDAP, + IsActive: true, + Cfg: &ldap.Source{}, }, loginSource: &models.LoginSource{ - Type: models.LoginDLDAP, - IsActived: false, - Cfg: &ldap.Source{}, + Type: models.LoginDLDAP, + IsActive: false, + Cfg: &ldap.Source{}, }, }, // case 4 diff --git a/models/login_source.go b/models/login_source.go index ff35ee377c518..5e1c6e222435e 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -105,7 +105,7 @@ type LoginSource struct { ID int64 `xorm:"pk autoincr"` Type LoginType Name string `xorm:"UNIQUE"` - IsActived bool `xorm:"INDEX NOT NULL DEFAULT false"` + IsActive bool `xorm:"INDEX NOT NULL DEFAULT false"` IsSyncEnabled bool `xorm:"INDEX NOT NULL DEFAULT false"` Cfg convert.Conversion `xorm:"TEXT"` @@ -214,7 +214,7 @@ func CreateLoginSource(source *LoginSource) error { return err } - if !source.IsActived { + if !source.IsActive { return nil } @@ -251,7 +251,7 @@ func LoginSourcesByType(loginType LoginType) ([]*LoginSource, error) { // AllActiveLoginSources returns all active sources func AllActiveLoginSources() ([]*LoginSource, error) { sources := make([]*LoginSource, 0, 5) - if err := x.Where("is_actived = ?", true).Find(&sources); err != nil { + if err := x.Where("is_active = ?", true).Find(&sources); err != nil { return nil, err } return sources, nil @@ -260,7 +260,7 @@ func AllActiveLoginSources() ([]*LoginSource, error) { // ActiveLoginSources returns all active sources of the specified type func ActiveLoginSources(loginType LoginType) ([]*LoginSource, error) { sources := make([]*LoginSource, 0, 1) - if err := x.Where("is_actived = ? and type = ?", true, loginType).Find(&sources); err != nil { + if err := x.Where("is_active = ? and type = ?", true, loginType).Find(&sources); err != nil { return nil, err } return sources, nil @@ -287,7 +287,7 @@ func GetLoginSourceByID(id int64) (*LoginSource, error) { source.Cfg = registeredLoginConfigs[LoginNoType]() // Set this source to active // FIXME: allow disabling of db based password authentication in future - source.IsActived = true + source.IsActive = true return source, nil } @@ -316,7 +316,7 @@ func UpdateSource(source *LoginSource) error { return err } - if !source.IsActived { + if !source.IsActive { return nil } diff --git a/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml b/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml index f753d13110cac..4b72ba145ecb8 100644 --- a/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml +++ b/models/migrations/fixtures/Test_unwrapLDAPSourceCfg/login_source.yml @@ -7,35 +7,42 @@ - id: 1 type: 1 + is_actived: false cfg: "{\"Source\":{\"A\":\"string\",\"B\":1}}" expected: "{\"Source\":{\"A\":\"string\",\"B\":1}}" - id: 2 type: 2 + is_actived: true cfg: "{\"Source\":{\"A\":\"string2\",\"B\":2}}" expected: "{\"A\":\"string2\",\"B\":2}" - id: 3 type: 3 + is_actived: false cfg: "{\"Source\":{\"A\":\"string3\",\"B\":3}}" expected: "{\"Source\":{\"A\":\"string3\",\"B\":3}}" - id: 4 type: 4 + is_actived: true cfg: "{\"Source\":{\"A\":\"string4\",\"B\":4}}" expected: "{\"Source\":{\"A\":\"string4\",\"B\":4}}" - id: 5 type: 5 + is_actived: false cfg: "{\"Source\":{\"A\":\"string5\",\"B\":5}}" expected: "{\"A\":\"string5\",\"B\":5}" - id: 6 type: 2 + is_actived: true cfg: "{\"A\":\"string6\",\"B\":6}" expected: "{\"A\":\"string6\",\"B\":6}" - id: 7 type: 5 + is_actived: false cfg: "{\"A\":\"string7\",\"B\":7}" expected: "{\"A\":\"string7\",\"B\":7}" diff --git a/models/migrations/v189.go b/models/migrations/v189.go index b3b805a48b446..08aec7de0458e 100644 --- a/models/migrations/v189.go +++ b/models/migrations/v189.go @@ -26,6 +26,7 @@ func unwrapLDAPSourceCfg(x *xorm.Engine) error { ID int64 `xorm:"pk autoincr"` Type int IsActived bool `xorm:"INDEX NOT NULL DEFAULT false"` + IsActive bool `xorm:"INDEX NOT NULL DEFAULT false"` Cfg string `xorm:"TEXT"` } @@ -75,5 +76,16 @@ func unwrapLDAPSourceCfg(x *xorm.Engine) error { } } - return nil + if _, err := x.SetExpr("is_active", "is_actived").Update(&LoginSource{}); err != nil { + return fmt.Errorf("SetExpr Update failed: %w", err) + } + + if err := sess.Begin(); err != nil { + return err + } + if err := dropTableColumns(sess, "login_source", "is_actived"); err != nil { + return err + } + + return sess.Commit() } diff --git a/models/migrations/v189_test.go b/models/migrations/v189_test.go index 6e2b4df69bf33..7a740948bb837 100644 --- a/models/migrations/v189_test.go +++ b/models/migrations/v189_test.go @@ -11,24 +11,38 @@ import ( "github.com/stretchr/testify/assert" ) +// LoginSource represents an external way for authorizing users. +type LoginSourceOriginal_v189 struct { + ID int64 `xorm:"pk autoincr"` + Type int + IsActived bool `xorm:"INDEX NOT NULL DEFAULT false"` + Cfg string `xorm:"TEXT"` + Expected string `xorm:"TEXT"` +} + +func (ls *LoginSourceOriginal_v189) TableName() string { + return "login_source" +} + func Test_unwrapLDAPSourceCfg(t *testing.T) { - // LoginSource represents an external way for authorizing users. - type LoginSource struct { - ID int64 `xorm:"pk autoincr"` - Type int - IsActived bool `xorm:"INDEX NOT NULL DEFAULT false"` - Cfg string `xorm:"TEXT"` - Expected string `xorm:"TEXT"` - } // Prepare and load the testing database - x, deferable := prepareTestEnv(t, 0, new(LoginSource)) + x, deferable := prepareTestEnv(t, 0, new(LoginSourceOriginal_v189)) if x == nil || t.Failed() { defer deferable() return } defer deferable() + // LoginSource represents an external way for authorizing users. + type LoginSource struct { + ID int64 `xorm:"pk autoincr"` + Type int + IsActive bool `xorm:"INDEX NOT NULL DEFAULT false"` + Cfg string `xorm:"TEXT"` + Expected string `xorm:"TEXT"` + } + // Run the migration if err := unwrapLDAPSourceCfg(x); err != nil { assert.NoError(t, err) @@ -62,6 +76,7 @@ func Test_unwrapLDAPSourceCfg(t *testing.T) { } assert.EqualValues(t, expected, converted, "unwrapLDAPSourceCfg failed for %d", source.ID) + assert.EqualValues(t, source.ID%2 == 0, source.IsActive, "unwrapLDAPSourceCfg failed for %d", source.ID) } } diff --git a/models/oauth2.go b/models/oauth2.go index ad5761e525aa5..127e8d760321b 100644 --- a/models/oauth2.go +++ b/models/oauth2.go @@ -7,7 +7,7 @@ package models // GetActiveOAuth2ProviderLoginSources returns all actived LoginOAuth2 sources func GetActiveOAuth2ProviderLoginSources() ([]*LoginSource, error) { sources := make([]*LoginSource, 0, 1) - if err := x.Where("is_actived = ? and type = ?", true, LoginOAuth2).Find(&sources); err != nil { + if err := x.Where("is_active = ? and type = ?", true, LoginOAuth2).Find(&sources); err != nil { return nil, err } return sources, nil @@ -16,7 +16,7 @@ func GetActiveOAuth2ProviderLoginSources() ([]*LoginSource, error) { // GetActiveOAuth2LoginSourceByName returns a OAuth2 LoginSource based on the given name func GetActiveOAuth2LoginSourceByName(name string) (*LoginSource, error) { loginSource := new(LoginSource) - has, err := x.Where("name = ? and type = ? and is_actived = ?", name, LoginOAuth2, true).Get(loginSource) + has, err := x.Where("name = ? and type = ? and is_active = ?", name, LoginOAuth2, true).Get(loginSource) if !has || err != nil { return nil, err } diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go index 19c24ce251c3b..20efd4a2aca03 100644 --- a/routers/web/admin/auths.go +++ b/routers/web/admin/auths.go @@ -272,7 +272,7 @@ func NewAuthSourcePost(ctx *context.Context) { if err := models.CreateLoginSource(&models.LoginSource{ Type: models.LoginType(form.Type), Name: form.Name, - IsActived: form.IsActive, + IsActive: form.IsActive, IsSyncEnabled: form.IsSyncEnabled, Cfg: config, }); err != nil { @@ -365,7 +365,7 @@ func EditAuthSourcePost(ctx *context.Context) { } source.Name = form.Name - source.IsActived = form.IsActive + source.IsActive = form.IsActive source.IsSyncEnabled = form.IsSyncEnabled source.Cfg = config if err := models.UpdateSource(source); err != nil { diff --git a/services/auth/signin.go b/services/auth/signin.go index 43135d60a97bd..2c4bf9b35b7e3 100644 --- a/services/auth/signin.go +++ b/services/auth/signin.go @@ -54,7 +54,7 @@ func UserSignIn(username, password string) (*models.User, error) { return nil, err } - if !source.IsActived { + if !source.IsActive { return nil, models.ErrLoginSourceNotActived } @@ -83,7 +83,7 @@ func UserSignIn(username, password string) (*models.User, error) { } for _, source := range sources { - if !source.IsActived { + if !source.IsActive { // don't try to authenticate non-active sources continue } diff --git a/services/auth/source/oauth2/init.go b/services/auth/source/oauth2/init.go index f602e6725afb3..f797fd7fd4852 100644 --- a/services/auth/source/oauth2/init.go +++ b/services/auth/source/oauth2/init.go @@ -72,7 +72,7 @@ func initOAuth2LoginSources() error { err := oauth2Source.RegisterSource() if err != nil { log.Critical("Unable to register source: %s due to Error: %v. This source will be disabled.", source.Name, err) - source.IsActived = false + source.IsActive = false if err = models.UpdateSource(source); err != nil { log.Critical("Unable to update source %s to disable it. Error: %v", err) return err diff --git a/services/auth/sync.go b/services/auth/sync.go index a608787aad891..a34b4d1d2694f 100644 --- a/services/auth/sync.go +++ b/services/auth/sync.go @@ -22,7 +22,7 @@ func SyncExternalUsers(ctx context.Context, updateExisting bool) error { } for _, s := range ls { - if !s.IsActived || !s.IsSyncEnabled { + if !s.IsActive || !s.IsSyncEnabled { continue } select { diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl index d825cd7d12de6..01c4b57395c9d 100644 --- a/templates/admin/auth/edit.tmpl +++ b/templates/admin/auth/edit.tmpl @@ -325,7 +325,7 @@
- +
diff --git a/templates/admin/auth/list.tmpl b/templates/admin/auth/list.tmpl index d5d8aadb56315..35ab976022bb2 100644 --- a/templates/admin/auth/list.tmpl +++ b/templates/admin/auth/list.tmpl @@ -28,7 +28,7 @@ {{.ID}} {{.Name}} {{.TypeName}} - {{if .IsActived}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}} + {{if .IsActive}}{{svg "octicon-check"}}{{else}}{{svg "octicon-x"}}{{end}} {{.UpdatedUnix.FormatShort}} {{.CreatedUnix.FormatShort}} {{svg "octicon-pencil"}} diff --git a/templates/user/settings/security_accountlinks.tmpl b/templates/user/settings/security_accountlinks.tmpl index 9c2436dd3f76b..5aa9282083b61 100644 --- a/templates/user/settings/security_accountlinks.tmpl +++ b/templates/user/settings/security_accountlinks.tmpl @@ -16,7 +16,7 @@
{{$provider}} - {{if $loginSource.IsActived}}{{$.i18n.Tr "settings.active"}}{{end}} + {{if $loginSource.IsActive}}{{$.i18n.Tr "settings.active"}}{{end}}
{{end}} From 5244f402c0ad85a65b75a60188fa039684d73218 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Thu, 15 Jul 2021 18:52:58 +0100 Subject: [PATCH 39/44] fixup! And rename IsActived to IsActive Signed-off-by: Andrew Thornton --- models/migrations/v189_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/models/migrations/v189_test.go b/models/migrations/v189_test.go index 7a740948bb837..f4fe6dec3f9ee 100644 --- a/models/migrations/v189_test.go +++ b/models/migrations/v189_test.go @@ -12,7 +12,7 @@ import ( ) // LoginSource represents an external way for authorizing users. -type LoginSourceOriginal_v189 struct { +type LoginSourceOriginalV189 struct { ID int64 `xorm:"pk autoincr"` Type int IsActived bool `xorm:"INDEX NOT NULL DEFAULT false"` @@ -20,14 +20,14 @@ type LoginSourceOriginal_v189 struct { Expected string `xorm:"TEXT"` } -func (ls *LoginSourceOriginal_v189) TableName() string { +func (ls *LoginSourceOriginalV189) TableName() string { return "login_source" } func Test_unwrapLDAPSourceCfg(t *testing.T) { // Prepare and load the testing database - x, deferable := prepareTestEnv(t, 0, new(LoginSourceOriginal_v189)) + x, deferable := prepareTestEnv(t, 0, new(LoginSourceOriginalV189)) if x == nil || t.Failed() { defer deferable() return From 28c8f311e93c3dd14a6665fa40e49c424c1573ff Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Thu, 15 Jul 2021 19:28:18 +0100 Subject: [PATCH 40/44] Delete db at the end of migration tests Signed-off-by: Andrew Thornton --- models/migrations/migrations_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/models/migrations/migrations_test.go b/models/migrations/migrations_test.go index 26066580d8978..634bfc84865dc 100644 --- a/models/migrations/migrations_test.go +++ b/models/migrations/migrations_test.go @@ -220,6 +220,9 @@ func prepareTestEnv(t *testing.T, skip int, syncModels ...interface{}) (*xorm.En if err := x.Close(); err != nil { t.Errorf("error during close: %v", err) } + if err := deleteDB(); err != nil { + t.Errorf("unable to reset database: %v", err) + } } } if err != nil { From 699bd4207dbbe26b0c2624e7ccb3d7293d2be324 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Fri, 16 Jul 2021 18:17:31 +0100 Subject: [PATCH 41/44] Add basic edit ldap auth test & actually fix #16252 One of the reasons why #16447 was needed and why #16268 was needed in the first place was because it appears that editing ldap configuration doesn't get tested. This PR therefore adds a basic test that will run the edit pipeline. In doing so it's now clear that #16447 and #16268 aren't actually solving #16252. It turns out that what actually happens is that is that the bytes are actually double encoded. This PR now changes the json unmarshal wrapper to handle this double encode. Fix #16252 Signed-off-by: Andrew Thornton --- integrations/auth_ldap_test.go | 54 ++++++++++++++++++++++++++++++++++ models/login_source.go | 36 ++++++++++++++++++----- models/repo_unit.go | 10 +++---- 3 files changed, 87 insertions(+), 13 deletions(-) diff --git a/integrations/auth_ldap_test.go b/integrations/auth_ldap_test.go index 4d82c092e7280..59f51951234e0 100644 --- a/integrations/auth_ldap_test.go +++ b/integrations/auth_ldap_test.go @@ -144,6 +144,60 @@ func TestLDAPUserSignin(t *testing.T) { assert.Equal(t, u.Email, htmlDoc.Find(`label[for="email"]`).Siblings().First().Text()) } +func TestLDAPAuthChange(t *testing.T) { + defer prepareTestEnv(t)() + addAuthSourceLDAP(t, "") + + session := loginUser(t, "user1") + req := NewRequest(t, "GET", "/admin/auths") + resp := session.MakeRequest(t, req, http.StatusOK) + doc := NewHTMLParser(t, resp.Body) + href, exists := doc.Find("table.table td a").Attr("href") + if !exists { + assert.True(t, exists, "No authentication source found") + return + } + + req = NewRequest(t, "GET", href) + resp = session.MakeRequest(t, req, http.StatusOK) + doc = NewHTMLParser(t, resp.Body) + csrf := doc.GetCSRF() + host, _ := doc.Find(`input[name="host"]`).Attr("value") + assert.Equal(t, host, getLDAPServerHost()) + binddn, _ := doc.Find(`input[name="bind_dn"]`).Attr("value") + assert.Equal(t, binddn, "uid=gitea,ou=service,dc=planetexpress,dc=com") + + req = NewRequestWithValues(t, "POST", href, map[string]string{ + "_csrf": csrf, + "type": "2", + "name": "ldap", + "host": getLDAPServerHost(), + "port": "389", + "bind_dn": "uid=gitea,ou=service,dc=planetexpress,dc=com", + "bind_password": "password", + "user_base": "ou=people,dc=planetexpress,dc=com", + "filter": "(&(objectClass=inetOrgPerson)(memberOf=cn=git,ou=people,dc=planetexpress,dc=com)(uid=%s))", + "admin_filter": "(memberOf=cn=admin_staff,ou=people,dc=planetexpress,dc=com)", + "restricted_filter": "(uid=leela)", + "attribute_username": "uid", + "attribute_name": "givenName", + "attribute_surname": "sn", + "attribute_mail": "mail", + "attribute_ssh_public_key": "", + "is_sync_enabled": "on", + "is_active": "on", + }) + session.MakeRequest(t, req, http.StatusFound) + + req = NewRequest(t, "GET", href) + resp = session.MakeRequest(t, req, http.StatusOK) + doc = NewHTMLParser(t, resp.Body) + host, _ = doc.Find(`input[name="host"]`).Attr("value") + assert.Equal(t, host, getLDAPServerHost()) + binddn, _ = doc.Find(`input[name="bind_dn"]`).Attr("value") + assert.Equal(t, binddn, "uid=gitea,ou=service,dc=planetexpress,dc=com") +} + func TestLDAPUserSync(t *testing.T) { if skipLDAPTests() { t.Skip() diff --git a/models/login_source.go b/models/login_source.go index bbd605bb41d7d..5674196e0c66e 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -7,6 +7,7 @@ package models import ( "crypto/tls" + "encoding/binary" "errors" "fmt" "net/smtp" @@ -70,11 +71,30 @@ var ( _ convert.Conversion = &SSPIConfig{} ) -// jsonUnmarshalIgnoreErroneousBOM - due to a bug in xorm (see https://gitea.com/xorm/xorm/pulls/1957) - it's -// possible that a Blob may gain an unwanted prefix of 0xff 0xfe. -func jsonUnmarshalIgnoreErroneousBOM(bs []byte, v interface{}) error { +// jsonUnmarshalHandleDoubleEncode - due to a bug in xorm (see https://gitea.com/xorm/xorm/pulls/1957) - it's +// possible that a Blob may be double encoded or gain an unwanted prefix of 0xff 0xfe. +func jsonUnmarshalHandleDoubleEncode(bs []byte, v interface{}) error { json := jsoniter.ConfigCompatibleWithStandardLibrary err := json.Unmarshal(bs, v) + if err != nil { + ok := true + rs := []byte{} + temp := make([]byte, 2) + for _, rn := range string(bs) { + if rn > 0xffff { + ok = false + break + } + binary.LittleEndian.PutUint16(temp, uint16(rn)) + rs = append(rs, temp...) + } + if ok { + if rs[0] == 0xff && rs[1] == 0xfe { + rs = rs[2:] + } + err = json.Unmarshal(rs, v) + } + } if err != nil && len(bs) > 2 && bs[0] == 0xff && bs[1] == 0xfe { err = json.Unmarshal(bs[2:], v) } @@ -88,7 +108,7 @@ type LDAPConfig struct { // FromDB fills up a LDAPConfig from serialized format. func (cfg *LDAPConfig) FromDB(bs []byte) error { - err := jsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + err := jsonUnmarshalHandleDoubleEncode(bs, &cfg) if err != nil { return err } @@ -129,7 +149,7 @@ type SMTPConfig struct { // FromDB fills up an SMTPConfig from serialized format. func (cfg *SMTPConfig) FromDB(bs []byte) error { - return jsonUnmarshalIgnoreErroneousBOM(bs, cfg) + return jsonUnmarshalHandleDoubleEncode(bs, cfg) } // ToDB exports an SMTPConfig to a serialized format. @@ -146,7 +166,7 @@ type PAMConfig struct { // FromDB fills up a PAMConfig from serialized format. func (cfg *PAMConfig) FromDB(bs []byte) error { - return jsonUnmarshalIgnoreErroneousBOM(bs, cfg) + return jsonUnmarshalHandleDoubleEncode(bs, cfg) } // ToDB exports a PAMConfig to a serialized format. @@ -167,7 +187,7 @@ type OAuth2Config struct { // FromDB fills up an OAuth2Config from serialized format. func (cfg *OAuth2Config) FromDB(bs []byte) error { - return jsonUnmarshalIgnoreErroneousBOM(bs, cfg) + return jsonUnmarshalHandleDoubleEncode(bs, cfg) } // ToDB exports an SMTPConfig to a serialized format. @@ -187,7 +207,7 @@ type SSPIConfig struct { // FromDB fills up an SSPIConfig from serialized format. func (cfg *SSPIConfig) FromDB(bs []byte) error { - return jsonUnmarshalIgnoreErroneousBOM(bs, cfg) + return jsonUnmarshalHandleDoubleEncode(bs, cfg) } // ToDB exports an SSPIConfig to a serialized format. diff --git a/models/repo_unit.go b/models/repo_unit.go index a12e056a7d5ad..f430e4f7f3bf0 100644 --- a/models/repo_unit.go +++ b/models/repo_unit.go @@ -28,7 +28,7 @@ type UnitConfig struct{} // FromDB fills up a UnitConfig from serialized format. func (cfg *UnitConfig) FromDB(bs []byte) error { - return jsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return jsonUnmarshalHandleDoubleEncode(bs, &cfg) } // ToDB exports a UnitConfig to a serialized format. @@ -44,7 +44,7 @@ type ExternalWikiConfig struct { // FromDB fills up a ExternalWikiConfig from serialized format. func (cfg *ExternalWikiConfig) FromDB(bs []byte) error { - return jsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return jsonUnmarshalHandleDoubleEncode(bs, &cfg) } // ToDB exports a ExternalWikiConfig to a serialized format. @@ -62,7 +62,7 @@ type ExternalTrackerConfig struct { // FromDB fills up a ExternalTrackerConfig from serialized format. func (cfg *ExternalTrackerConfig) FromDB(bs []byte) error { - return jsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return jsonUnmarshalHandleDoubleEncode(bs, &cfg) } // ToDB exports a ExternalTrackerConfig to a serialized format. @@ -80,7 +80,7 @@ type IssuesConfig struct { // FromDB fills up a IssuesConfig from serialized format. func (cfg *IssuesConfig) FromDB(bs []byte) error { - return jsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return jsonUnmarshalHandleDoubleEncode(bs, &cfg) } // ToDB exports a IssuesConfig to a serialized format. @@ -104,7 +104,7 @@ type PullRequestsConfig struct { // FromDB fills up a PullRequestsConfig from serialized format. func (cfg *PullRequestsConfig) FromDB(bs []byte) error { - return jsonUnmarshalIgnoreErroneousBOM(bs, &cfg) + return jsonUnmarshalHandleDoubleEncode(bs, &cfg) } // ToDB exports a PullRequestsConfig to a serialized format. From 70b197538b1afbd9be962ae6b420e65fceb26e75 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 17 Jul 2021 09:36:34 +0100 Subject: [PATCH 42/44] fixup! Merge branch 'add-ldap-configuration-edit-tests' into move-login-out-of-models Signed-off-by: Andrew Thornton --- services/auth/source/ldap/source.go | 2 +- services/auth/source/oauth2/source.go | 2 +- services/auth/source/smtp/source.go | 2 +- services/auth/source/sspi/source.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go index 58efc9b29fd88..87be0117ee5d8 100644 --- a/services/auth/source/ldap/source.go +++ b/services/auth/source/ldap/source.go @@ -60,7 +60,7 @@ type Source struct { // FromDB fills up a LDAPConfig from serialized format. func (source *Source) FromDB(bs []byte) error { - err := models.JSONUnmarshalHandleDoubleEncode(bs, source) + err := models.JSONUnmarshalHandleDoubleEncode(bs, &source) if err != nil { return err } diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go index 8bbb39df67943..e9c49ef90b8ac 100644 --- a/services/auth/source/oauth2/source.go +++ b/services/auth/source/oauth2/source.go @@ -32,7 +32,7 @@ type Source struct { // FromDB fills up an OAuth2Config from serialized format. func (source *Source) FromDB(bs []byte) error { - return models.JSONUnmarshalHandleDoubleEncode(bs, source) + return models.JSONUnmarshalHandleDoubleEncode(bs, &source) } // ToDB exports an SMTPConfig to a serialized format. diff --git a/services/auth/source/smtp/source.go b/services/auth/source/smtp/source.go index 0333e1e6f9e1c..0f948d5381897 100644 --- a/services/auth/source/smtp/source.go +++ b/services/auth/source/smtp/source.go @@ -32,7 +32,7 @@ type Source struct { // FromDB fills up an SMTPConfig from serialized format. func (source *Source) FromDB(bs []byte) error { - return models.JSONUnmarshalHandleDoubleEncode(bs, source) + return models.JSONUnmarshalHandleDoubleEncode(bs, &source) } // ToDB exports an SMTPConfig to a serialized format. diff --git a/services/auth/source/sspi/source.go b/services/auth/source/sspi/source.go index c10ac0e7aa5b6..e4be446f30dbe 100644 --- a/services/auth/source/sspi/source.go +++ b/services/auth/source/sspi/source.go @@ -27,7 +27,7 @@ type Source struct { // FromDB fills up an SSPIConfig from serialized format. func (cfg *Source) FromDB(bs []byte) error { - return models.JSONUnmarshalHandleDoubleEncode(bs, cfg) + return models.JSONUnmarshalHandleDoubleEncode(bs, &cfg) } // ToDB exports an SSPIConfig to a serialized format. From 116f109021b94e0dd51dd66c64d4f5346e8b401d Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 17 Jul 2021 16:04:36 +0100 Subject: [PATCH 43/44] fix edit template Signed-off-by: Andrew Thornton --- templates/admin/auth/edit.tmpl | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl index 01c4b57395c9d..3fbfedefe7012 100644 --- a/templates/admin/auth/edit.tmpl +++ b/templates/admin/auth/edit.tmpl @@ -22,7 +22,7 @@ {{if or .Source.IsLDAP .Source.IsDLDAP}} - {{ $cfg:=.Source.LDAP }} + {{ $cfg:=.Source.Cfg }}
@@ -151,7 +151,7 @@ {{if .Source.IsSMTP}} - {{ $cfg:=.Source.SMTP }} + {{ $cfg:=.Source.Cfg }}
@@ -182,7 +182,7 @@ {{if .Source.IsPAM}} - {{ $cfg:=.Source.PAM }} + {{ $cfg:=.Source.Cfg }}
@@ -195,7 +195,7 @@ {{if .Source.IsOAuth2}} - {{ $cfg:=.Source.OAuth2 }} + {{ $cfg:=.Source.Cfg }}
@@ -258,7 +258,7 @@ {{if .Source.IsSSPI}} - {{ $cfg:=.Source.SSPI }} + {{ $cfg:=.Source.Cfg }}
From 66cb90f93d6d505034a1debffb8eb36d4026b5b1 Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Sat, 17 Jul 2021 20:53:56 +0200 Subject: [PATCH 44/44] sort import --- cmd/admin.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cmd/admin.go b/cmd/admin.go index 69c8a5669af5d..94e78186c902f 100644 --- a/cmd/admin.go +++ b/cmd/admin.go @@ -14,8 +14,6 @@ import ( "text/tabwriter" "code.gitea.io/gitea/models" - "code.gitea.io/gitea/services/auth/source/oauth2" - "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/graceful" "code.gitea.io/gitea/modules/log" @@ -23,6 +21,7 @@ import ( repo_module "code.gitea.io/gitea/modules/repository" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/storage" + "code.gitea.io/gitea/services/auth/source/oauth2" "github.com/urfave/cli" )