Add PAM authentication

diff --git a/.travis.yml b/.travis.yml
index 4149e1731660c4ff34b56fe0cda6f920db5dbf7d..113773d69775b98a3b27d9d9a90aa8ca0f6ac1ca 100644 (file)
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,11 +6,13 @@ go:
   - 1.4
   - tip
 
-sudo: false
+before_install:
+  - sudo apt-get update -qq
+  - sudo apt-get install -y libpam-dev
 
 script: go build -v
 
 notifications:
   email:
     - u@gogs.io
-  slack: gophercn:o5pSanyTeNhnfYc3QnG0X7Wx
\ No newline at end of file
+  slack: gophercn:o5pSanyTeNhnfYc3QnG0X7Wx

diff --git a/conf/locale/locale_en-US.ini b/conf/locale/locale_en-US.ini
index 3fbc71cb1481fd0f7b7804bad3364c325a3c7fdc..8e768ae6ec6ea8997bc2b939585f9a2303cc6616 100644 (file)
--- a/conf/locale/locale_en-US.ini
+++ b/conf/locale/locale_en-US.ini
@@ -619,6 +619,7 @@ auths.smtp_auth = SMTP Authorization Type
 auths.smtphost = SMTP Host
 auths.smtpport = SMTP Port
 auths.enable_tls = Enable TLS Encryption
+auths.pam_service_name = PAM Service Name
 auths.enable_auto_register = Enable Auto Registration
 auths.tips = Tips
 auths.edit = Edit Authorization Setting

diff --git a/models/login.go b/models/login.go
index 916e27310cc5bca9415c2ff373d5059cdaffa85c..8b773c1397ac1f632b37ee9eaa6a15e3464b891c 100644 (file)
--- a/models/login.go
+++ b/models/login.go
@@ -17,6 +17,7 @@ import (
        "github.com/go-xorm/xorm"
 
        "github.com/gogits/gogs/modules/auth/ldap"
+       "github.com/gogits/gogs/modules/auth/pam"
        "github.com/gogits/gogs/modules/log"
        "github.com/gogits/gogs/modules/uuid"
 )
@@ -28,6 +29,7 @@ const (
        PLAIN
        LDAP
        SMTP
+       PAM
 )
 
 var (
@@ -39,12 +41,14 @@ var (
 var LoginTypes = map[LoginType]string{
        LDAP: "LDAP",
        SMTP: "SMTP",
+       PAM: "PAM",
 }
 
 // Ensure structs implemented interface.
 var (
        _ core.Conversion = &LDAPConfig{}
        _ core.Conversion = &SMTPConfig{}
+       _ core.Conversion = &PAMConfig{}
 )
 
 type LDAPConfig struct {
@@ -74,6 +78,18 @@ func (cfg *SMTPConfig) ToDB() ([]byte, error) {
        return json.Marshal(cfg)
 }
 
+type PAMConfig struct {
+       ServiceName string // pam service (e.g. system-auth)
+}
+
+func (cfg *PAMConfig) FromDB(bs []byte) error {
+       return json.Unmarshal(bs, &cfg)
+}
+
+func (cfg *PAMConfig) ToDB() ([]byte, error) {
+       return json.Marshal(cfg)
+}
+
 type LoginSource struct {
        Id                int64
        Type              LoginType
@@ -97,6 +113,10 @@ func (source *LoginSource) SMTP() *SMTPConfig {
        return source.Cfg.(*SMTPConfig)
 }
 
+func (source *LoginSource) PAM() *PAMConfig {
+       return source.Cfg.(*PAMConfig)
+}
+
 func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {
        if colName == "type" {
                ty := (*val).(int64)
@@ -105,6 +125,8 @@ func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {
                        source.Cfg = new(LDAPConfig)
                case SMTP:
                        source.Cfg = new(SMTPConfig)
+               case PAM:
+                       source.Cfg = new(PAMConfig)
                }
        }
 }
@@ -197,6 +219,13 @@ func UserSignIn(uname, passwd string) (*User, error) {
                                        return u, nil
                                }
                                log.Warn("Fail to login(%s) by SMTP(%s): %v", uname, source.Name, err)
+                       } else if source.Type == PAM {
+                               u, err := LoginUserPAMSource(nil, uname, passwd,
+                                       source.Id, source.Cfg.(*PAMConfig), true)
+                               if err == nil {
+                                       return u, nil
+                               }
+                               log.Warn("Fail to login(%s) by PAM(%s): %v", uname, source.Name, err)
                        }
                }
 
@@ -218,6 +247,8 @@ func UserSignIn(uname, passwd string) (*User, error) {
                return LoginUserLdapSource(u, u.LoginName, passwd, source.Id, source.Cfg.(*LDAPConfig), false)
        case SMTP:
                return LoginUserSMTPSource(u, u.LoginName, passwd, source.Id, source.Cfg.(*SMTPConfig), false)
+       case PAM:
+               return LoginUserPAMSource(u, u.LoginName, passwd, source.Id, source.Cfg.(*PAMConfig), false)
        }
        return nil, ErrUnsupportedLoginType
 }
@@ -359,3 +390,33 @@ func LoginUserSMTPSource(u *User, name, passwd string, sourceId int64, cfg *SMTP
        err := CreateUser(u)
        return u, err
 }
+
+// Query if name/passwd can login against PAM
+// Create a local user if success
+// Return the same LoginUserPlain semantic
+func LoginUserPAMSource(u *User, name, passwd string, sourceId int64, cfg *PAMConfig, autoRegister bool) (*User, error) {
+       if err := pam.PAMAuth(cfg.ServiceName, name, passwd); err != nil {
+               if strings.Contains(err.Error(), "Authentication failure") {
+                       return nil, ErrUserNotExist
+               }
+               return nil, err
+       }
+
+       if !autoRegister {
+               return u, nil
+       }
+
+       // fake a local user creation
+       u = &User{
+               LowerName:   strings.ToLower(name),
+               Name:        strings.ToLower(name),
+               LoginType:   PAM,
+               LoginSource: sourceId,
+               LoginName:   name,
+               IsActive:    true,
+               Passwd:      passwd,
+               Email:       name,
+       }
+       err := CreateUser(u)
+       return u, err
+}

diff --git a/modules/auth/auth_form.go b/modules/auth/auth_form.go
index 7d4599991406985dc40677b175e3937dd8f0a35f..1102dc3492a040af71b05f2a1d0f3b0a0ce21938 100644 (file)
--- a/modules/auth/auth_form.go
+++ b/modules/auth/auth_form.go
@@ -30,6 +30,7 @@ type AuthenticationForm struct {
        SMTPPort          int    `form:"smtp_port"`
        TLS               bool   `form:"tls"`
        AllowAutoRegister bool   `form:"allowautoregister"`
+       PAMServiceName    string
 }
 
 func (f *AuthenticationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {

diff --git a/modules/auth/pam/pam.go b/modules/auth/pam/pam.go
new file mode 100644 (file)
index 0000000..7d150b1
--- /dev/null
+++ b/modules/auth/pam/pam.go
@@ -0,0 +1,35 @@
+// +build !windows
+
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package pam
+
+import (
+       "errors"
+
+       "github.com/msteinert/pam"
+)
+
+func PAMAuth(serviceName, userName, passwd string) error {
+       t, err := pam.StartFunc(serviceName, userName, func(s pam.Style, msg string) (string, error) {
+               switch s {
+               case pam.PromptEchoOff:
+                       return passwd, nil
+               case pam.PromptEchoOn, pam.ErrorMsg, pam.TextInfo:
+                       return "", nil
+               }
+               return "", errors.New("Unrecognized PAM message style")
+       })
+
+       if err != nil {
+               return err
+       }
+
+       if err = t.Authenticate(0); err != nil {
+               return err
+       }
+
+       return nil
+}

diff --git a/modules/auth/pam/pam_stub.go b/modules/auth/pam/pam_stub.go
new file mode 100644 (file)
index 0000000..2f210bf
--- /dev/null
+++ b/modules/auth/pam/pam_stub.go
@@ -0,0 +1,15 @@
+// +build windows
+
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package pam
+
+import (
+       "errors"
+)
+
+func PAMAuth(serviceName, userName, passwd string) error {
+       return errors.New("PAM not supported")
+}

diff --git a/public/ng/js/gogs.js b/public/ng/js/gogs.js
index c5fd719c32d75b3e732b9db07c4c376906640f49..7ffef8af8bec781b198f7255362d128ffa17d967 100644 (file)
--- a/public/ng/js/gogs.js
+++ b/public/ng/js/gogs.js
@@ -753,10 +753,17 @@ function initAdmin() {
         if (v == 2) {
             $('.ldap').toggleShow();
             $('.smtp').toggleHide();
+            $('.pam').toggleHide();
         }
         if (v == 3) {
             $('.smtp').toggleShow();
             $('.ldap').toggleHide();
+            $('.pam').toggleHide();
+        }
+        if (v == 4) {
+            $('.pam').toggleShow();
+            $('.smtp').toggleHide();
+            $('.ldap').toggleHide();
         }
     });
 

diff --git a/routers/admin/auths.go b/routers/admin/auths.go
index b13b0bd134fdfd2feaa4bb4bea198e5191457d91..2bec7da46cf66051a202089d8ea04c28ac469f33 100644 (file)
--- a/routers/admin/auths.go
+++ b/routers/admin/auths.go
@@ -84,6 +84,10 @@ func NewAuthSourcePost(ctx *middleware.Context, form auth.AuthenticationForm) {
                        Port: form.SMTPPort,
                        TLS:  form.TLS,
                }
+       case models.PAM:
+               u = &models.PAMConfig{
+                       ServiceName: form.PAMServiceName,
+               }
        default:
                ctx.Error(400)
                return
@@ -166,6 +170,10 @@ func EditAuthSourcePost(ctx *middleware.Context, form auth.AuthenticationForm) {
                        Port: form.SMTPPort,
                        TLS:  form.TLS,
                }
+       case models.PAM:
+               config = &models.PAMConfig{
+                       ServiceName: form.PAMServiceName,
+               }
        default:
                ctx.Error(400)
                return

diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index a178b7175658644e84ce11fe39434aeeeeac620a..12d1d1f8f20957b647f893702198b67651bd8897 100644 (file)
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -91,6 +91,12 @@
                                     <label class="req" for="smtp_port">{{.i18n.Tr "admin.auths.smtpport"}}</label>
                                     <input class="ipt ipt-large ipt-radius {{if .Err_SmtpPort}}ipt-error{{end}}" id="smtp_port" name="smtp_port" value="{{.Source.SMTP.Port}}" />
                                 </div>
+
+                                {{else if eq $type 4}}
+                                <div class="field">
+                                    <label class="req" for="pam_service_name">{{.i18n.Tr "admin.auths.pam_service_name"}}</label>
+                                    <input class="ipt ipt-large ipt-radius {{if .Err_PAMServiceName}}ipt-error{{end}}" id="pam_service_name" name="pam_service_name" value="{{.Source.PAM.ServiceName}}" />
+                                </div>
                                 {{end}}
 
                                 <div class="field">

diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index 0d1f2ab4173257de8f3643fb113868e1cab66d80..36b90cfb48d9e868b3c24fcc9fe7a6475d77dccd 100644 (file)
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -86,6 +86,12 @@
                                         <input class="ipt ipt-large ipt-radius {{if .Err_SmtpPort}}ipt-error{{end}}" id="smtp_port" name="smtp_port" value="{{.smtp_port}}" />
                                     </div>
                                 </div>
+                                <div class="pam hidden">
+                                    <div class="field">
+                                        <label class="req" for="pam_service_name">{{.i18n.Tr "admin.auths.pam_service_name"}}</label>
+                                        <input class="ipt ipt-large ipt-radius {{if .Err_PAMServiceName}}ipt-error{{end}}" id="pam_service_name" name="pam_service_name" value="{{.pam_service_name}}" />
+                                    </div>
+                                </div>
                                 <div class="field">
                                     <div class="smtp hidden">
                                         <label></label>