Restore PAM user autocreation functionality (#15825)
authorzeripath <art27@cantab.net>
Thu, 13 May 2021 22:11:47 +0000 (23:11 +0100)
committerGitHub <noreply@github.com>
Thu, 13 May 2021 22:11:47 +0000 (23:11 +0100)
* Restore PAM user autocreation functionality

PAM autoregistration of users currently fails due to email invalidity.
This PR adds a new setting to PAM that allows an email domain to be set; otherwise it sets the email to the noreply address, and if that fails it falls back to uuid@localhost

Fix #15702

Signed-off-by: Andrew Thornton <art27@cantab.net>
* As per KN4CKER

Signed-off-by: Andrew Thornton <art27@cantab.net>
models/login_source.go
options/locale/locale_en-US.ini
routers/admin/auths.go
services/forms/auth_form.go
templates/admin/auth/edit.tmpl
templates/admin/auth/new.tmpl

index fd977e20a5d7b201d69c564bc987c494312b39ff..57b1d56bb2bcd843f39b7cb79e5e6d8cb2f73406 100644 (file)
@@ -21,6 +21,7 @@ import (
        "code.gitea.io/gitea/modules/setting"
        "code.gitea.io/gitea/modules/timeutil"
        "code.gitea.io/gitea/modules/util"
+       gouuid "github.com/google/uuid"
        jsoniter "github.com/json-iterator/go"
 
        "xorm.io/xorm"
@@ -116,6 +117,7 @@ func (cfg *SMTPConfig) ToDB() ([]byte, error) {
 // PAMConfig holds configuration for the PAM login source.
 type PAMConfig struct {
        ServiceName string // pam service (e.g. system-auth)
+       EmailDomain string
 }
 
 // FromDB fills up a PAMConfig from serialized format.
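Review bot: The new exported field `EmailDomain` in PAMConfig has no comment, while the neighbouring `ServiceName` documents its meaning; since this value is persisted with the login-source config and drives how LoginViaPAM synthesizes addresses, it deserves one. Suggest `EmailDomain string // optional; auto-created users whose PAM login is not a valid email address get username@EmailDomain`. It would also help to state there that an empty value means the address is built from setting.Service.NoReplyAddress instead.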
@@ -696,15 +698,26 @@ func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMCon
 
        // Allow PAM sources with `@` in their name, like from Active Directory
        username := pamLogin
+       email := pamLogin
        idx := strings.Index(pamLogin, "@")
        if idx > -1 {
                username = pamLogin[:idx]
        }
+       if ValidateEmail(email) != nil {
+               if cfg.EmailDomain != "" {
+                       email = fmt.Sprintf("%s@%s", username, cfg.EmailDomain)
+               } else {
+                       email = fmt.Sprintf("%s@%s", username, setting.Service.NoReplyAddress)
+               }
+               if ValidateEmail(email) != nil {
+                       email = gouuid.New().String() + "@localhost"
+               }
+       }
 
        user = &User{
                LowerName:   strings.ToLower(username),
                Name:        username,
-               Email:       pamLogin,
+               Email:       email,
                Passwd:      password,
                LoginType:   LoginPAM,
                LoginSource: sourceID,
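Review bot: When cfg.EmailDomain is set but `username@EmailDomain` fails ValidateEmail, the code jumps straight to the random `uuid@localhost` address rather than trying `setting.Service.NoReplyAddress` as a second candidate, so a mistyped domain silently produces unrecognisable accounts for every auto-created PAM user. Either try the noreply address before the uuid fallback, or reject an unusable domain at the point where the login source is saved. Whenever `pamLogin` itself passes ValidateEmail it becomes the account email verbatim, which appears to be intended for Active Directory style logins; a comment such as `// email is derived from the PAM login or synthesized here, not confirmed by the user` would stop a later reader from treating it as a verified address. LoginViaPAM starts before this hunk and continues after it.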
index 7e9229e1cdacf12a74c604ee8049129f879b628b..936677e31d333179d8b8df12b0667b49d4087ab7 100644 (file)
@@ -2313,6 +2313,7 @@ auths.allowed_domains_helper = Leave empty to allow all domains. Separate multip
 auths.enable_tls = Enable TLS Encryption
 auths.skip_tls_verify = Skip TLS Verify
 auths.pam_service_name = PAM Service Name
+auths.pam_email_domain = PAM Email Domain (optional)
 auths.oauth2_provider = OAuth2 Provider
 auths.oauth2_icon_url = Icon URL
 auths.oauth2_clientID = Client ID (Key)
index a0a20fa023bfb39c004fe650722d2f401996465d..a2f9ab0a5c326f89ac8739f48e62a45a20ae9722 100644 (file)
@@ -240,6 +240,7 @@ func NewAuthSourcePost(ctx *context.Context) {
        case models.LoginPAM:
                config = &models.PAMConfig{
                        ServiceName: form.PAMServiceName,
+                       EmailDomain: form.PAMEmailDomain,
                }
        case models.LoginOAuth2:
                config = parseOAuth2Config(form)
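Review bot: `form.PAMEmailDomain` is copied into the config without being trimmed or checked, here and in the identical EditAuthSourcePost hunk below, and the AuthenticationForm field added in services/forms/auth_form.go carries no validation either. A value with surrounding whitespace, a leading `@` or a scheme prefix makes every `username@domain` that LoginViaPAM builds fail ValidateEmail and silently fall through to a random `uuid@localhost` address. Normalize and validate at this layer before storing — e.g. `domain := strings.TrimSpace(form.PAMEmailDomain)` followed by `if domain != "" && models.ValidateEmail("user@"+domain) != nil {` reporting the problem the same way this handler reports its other form errors (assuming `strings` is already imported here) — so a bad domain is rejected at save time rather than discovered one account at a time.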
@@ -347,6 +348,7 @@ func EditAuthSourcePost(ctx *context.Context) {
        case models.LoginPAM:
                config = &models.PAMConfig{
                        ServiceName: form.PAMServiceName,
+                       EmailDomain: form.PAMEmailDomain,
                }
        case models.LoginOAuth2:
                config = parseOAuth2Config(form)
index 7cf6b9fcd5edadb3ae5d86f207236b21cc8dadd5..30621cadffc2f19d8ae04dbf722210839ab8002a 100644 (file)
@@ -51,6 +51,7 @@ type AuthenticationForm struct {
        TLS                           bool
        SkipVerify                    bool
        PAMServiceName                string
+       PAMEmailDomain                string
        Oauth2Provider                string
        Oauth2Key                     string
        Oauth2Secret                  string
index e14c3be761649078e56c101b5126b76f1aef28d2..e4d7a2e1e1fb288292a7fe6307e73d7d44ec555c 100644 (file)
                                                <label for="pam_service_name">{{.i18n.Tr "admin.auths.pam_service_name"}}</label>
                                                <input id="pam_service_name" name="pam_service_name" value="{{$cfg.ServiceName}}" required>
                                        </div>
+                                       <div class="field">
+                                               <label for="pam_email_domain">{{.i18n.Tr "admin.auths.pam_email_domain"}}</label>
+                                               <input id="pam_email_domain" name="pam_email_domain" value="{{$cfg.EmailDomain}}">
+                                       </div>
                                {{end}}
 
                                <!-- OAuth2 -->
index 36a5d2c632a8302457b55f6e8cd2f9960ea85c63..302132e06b2f13487f4bc1775ecb53b4a669ec22 100644 (file)
@@ -38,6 +38,8 @@
                                <div class="pam required field {{if not (eq .type 4)}}hide{{end}}">
                                        <label for="pam_service_name">{{.i18n.Tr "admin.auths.pam_service_name"}}</label>
                                        <input id="pam_service_name" name="pam_service_name" value="{{.pam_service_name}}" />
+                                       <label for="pam_email_domain">{{.i18n.Tr "admin.auths.pam_email_domain"}}</label>
+                                       <input id="pam_email_domain" name="pam_email_domain" value="{{.pam_email_domain}}">
                                </div>
 
                                <!-- OAuth2 -->
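Review bot: In new.tmpl the new label and input are placed inside the existing `pam required field` div, so the optional domain inherits the required styling of the service name, while the edit.tmpl section above wraps the same input in its own `<div class="field">`; the two forms should agree. Give the domain its own block in new.tmpl, `<div class="pam field {{if not (eq .type 4)}}hide{{end}}">` around the label and input with a matching closing `</div>`, so it matches the edit template and the "(optional)" wording of the locale string.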