+++ /dev/null
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package sso
-
-import (
- "net/http"
- "strings"
-
- "code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/timeutil"
- "code.gitea.io/gitea/modules/web/middleware"
-)
-
-// Ensure the struct implements the interface.
-var (
- _ SingleSignOn = &Basic{}
-)
-
-// Basic implements the SingleSignOn interface and authenticates requests (API requests
-// only) by looking for Basic authentication data or "x-oauth-basic" token in the "Authorization"
-// header.
-type Basic struct {
-}
-
-// Init does nothing as the Basic implementation does not need to allocate any resources
-func (b *Basic) Init() error {
- return nil
-}
-
-// Free does nothing as the Basic implementation does not have to release any resources
-func (b *Basic) Free() error {
- return nil
-}
-
-// IsEnabled returns true as this plugin is enabled by default and its not possible to disable
-// it from settings.
-func (b *Basic) IsEnabled() bool {
- return true
-}
-
-// VerifyAuthData extracts and validates Basic data (username and password/token) from the
-// "Authorization" header of the request and returns the corresponding user object for that
-// name/token on successful validation.
-// Returns nil if header is empty or validation fails.
-func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
-
- // Basic authentication should only fire on API, Download or on Git or LFSPaths
- if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
- return nil
- }
-
- baHead := req.Header.Get("Authorization")
- if len(baHead) == 0 {
- return nil
- }
-
- auths := strings.SplitN(baHead, " ", 2)
- if len(auths) != 2 || (auths[0] != "Basic" && auths[0] != "basic") {
- return nil
- }
-
- uname, passwd, _ := base.BasicAuthDecode(auths[1])
-
- // Check if username or password is a token
- isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
- // Assume username is token
- authToken := uname
- if !isUsernameToken {
- log.Trace("Basic Authorization: Attempting login for: %s", uname)
- // Assume password is token
- authToken = passwd
- } else {
- log.Trace("Basic Authorization: Attempting login with username as token")
- }
-
- uid := CheckOAuthAccessToken(authToken)
- if uid != 0 {
- log.Trace("Basic Authorization: Valid OAuthAccessToken for user[%d]", uid)
-
- u, err := models.GetUserByID(uid)
- if err != nil {
- log.Error("GetUserByID: %v", err)
- return nil
- }
-
- store.GetData()["IsApiToken"] = true
- return u
- }
-
- token, err := models.GetAccessTokenBySHA(authToken)
- if err == nil {
- log.Trace("Basic Authorization: Valid AccessToken for user[%d]", uid)
- u, err := models.GetUserByID(token.UID)
- if err != nil {
- log.Error("GetUserByID: %v", err)
- return nil
- }
-
- token.UpdatedUnix = timeutil.TimeStampNow()
- if err = models.UpdateAccessToken(token); err != nil {
- log.Error("UpdateAccessToken: %v", err)
- }
-
- store.GetData()["IsApiToken"] = true
- return u
- } else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
- log.Error("GetAccessTokenBySha: %v", err)
- }
-
- if !setting.Service.EnableBasicAuth {
- return nil
- }
-
- log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
- u, err := models.UserSignIn(uname, passwd)
- if err != nil {
- if !models.IsErrUserNotExist(err) {
- log.Error("UserSignIn: %v", err)
- }
- return nil
- }
-
- log.Trace("Basic Authorization: Logged in user %-v", u)
-
- return u
-}
+++ /dev/null
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package sso
-
-import (
- "net/http"
-
- "code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/session"
- "code.gitea.io/gitea/modules/web/middleware"
-)
-
-// DataStore represents a data store
-type DataStore middleware.DataStore
-
-// SessionStore represents a session store
-type SessionStore session.Store
-
-// SingleSignOn represents a SSO authentication method (plugin) for HTTP requests.
-type SingleSignOn interface {
- // Init should be called exactly once before using any of the other methods,
- // in order to allow the plugin to allocate necessary resources
- Init() error
-
- // Free should be called exactly once before application closes, in order to
- // give chance to the plugin to free any allocated resources
- Free() error
-
- // IsEnabled checks if the current SSO method has been enabled in settings.
- IsEnabled() bool
-
- // VerifyAuthData tries to verify the SSO authentication data contained in the request.
- // If verification is successful returns either an existing user object (with id > 0)
- // or a new user object (with id = 0) populated with the information that was found
- // in the authentication data (username or email).
- // Returns nil if verification fails.
- VerifyAuthData(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User
-}
+++ /dev/null
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package sso
-
-import (
- "net/http"
- "strings"
- "time"
-
- "code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/timeutil"
- "code.gitea.io/gitea/modules/web/middleware"
-)
-
-// Ensure the struct implements the interface.
-var (
- _ SingleSignOn = &OAuth2{}
-)
-
-// CheckOAuthAccessToken returns uid of user from oauth token
-func CheckOAuthAccessToken(accessToken string) int64 {
- // JWT tokens require a "."
- if !strings.Contains(accessToken, ".") {
- return 0
- }
- token, err := models.ParseOAuth2Token(accessToken)
- if err != nil {
- log.Trace("ParseOAuth2Token: %v", err)
- return 0
- }
- var grant *models.OAuth2Grant
- if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
- return 0
- }
- if token.Type != models.TypeAccessToken {
- return 0
- }
- if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {
- return 0
- }
- return grant.UserID
-}
-
-// OAuth2 implements the SingleSignOn interface and authenticates requests
-// (API requests only) by looking for an OAuth token in query parameters or the
-// "Authorization" header.
-type OAuth2 struct {
-}
-
-// Init does nothing as the OAuth2 implementation does not need to allocate any resources
-func (o *OAuth2) Init() error {
- return nil
-}
-
-// Free does nothing as the OAuth2 implementation does not have to release any resources
-func (o *OAuth2) Free() error {
- return nil
-}
-
-// userIDFromToken returns the user id corresponding to the OAuth token.
-func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 {
- _ = req.ParseForm()
-
- // Check access token.
- tokenSHA := req.Form.Get("token")
- if len(tokenSHA) == 0 {
- tokenSHA = req.Form.Get("access_token")
- }
- if len(tokenSHA) == 0 {
- // Well, check with header again.
- auHead := req.Header.Get("Authorization")
- if len(auHead) > 0 {
- auths := strings.Fields(auHead)
- if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
- tokenSHA = auths[1]
- }
- }
- }
- if len(tokenSHA) == 0 {
- return 0
- }
-
- // Let's see if token is valid.
- if strings.Contains(tokenSHA, ".") {
- uid := CheckOAuthAccessToken(tokenSHA)
- if uid != 0 {
- store.GetData()["IsApiToken"] = true
- }
- return uid
- }
- t, err := models.GetAccessTokenBySHA(tokenSHA)
- if err != nil {
- if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
- log.Error("GetAccessTokenBySHA: %v", err)
- }
- return 0
- }
- t.UpdatedUnix = timeutil.TimeStampNow()
- if err = models.UpdateAccessToken(t); err != nil {
- log.Error("UpdateAccessToken: %v", err)
- }
- store.GetData()["IsApiToken"] = true
- return t.UID
-}
-
-// IsEnabled returns true as this plugin is enabled by default and its not possible
-// to disable it from settings.
-func (o *OAuth2) IsEnabled() bool {
- return true
-}
-
-// VerifyAuthData extracts the user ID from the OAuth token in the query parameters
-// or the "Authorization" header and returns the corresponding user object for that ID.
-// If verification is successful returns an existing user object.
-// Returns nil if verification fails.
-func (o *OAuth2) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
- if !models.HasEngine {
- return nil
- }
-
- if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) {
- return nil
- }
-
- id := o.userIDFromToken(req, store)
- if id <= 0 {
- return nil
- }
- log.Trace("OAuth2 Authorization: Found token for user[%d]", id)
-
- user, err := models.GetUserByID(id)
- if err != nil {
- if !models.IsErrUserNotExist(err) {
- log.Error("GetUserByName: %v", err)
- }
- return nil
- }
-
- log.Trace("OAuth2 Authorization: Logged in user %-v", user)
- return user
-}
+++ /dev/null
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package sso
-
-import (
- "net/http"
- "strings"
-
- "code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/web/middleware"
-
- gouuid "github.com/google/uuid"
-)
-
-// Ensure the struct implements the interface.
-var (
- _ SingleSignOn = &ReverseProxy{}
-)
-
-// ReverseProxy implements the SingleSignOn interface, but actually relies on
-// a reverse proxy for authentication of users.
-// On successful authentication the proxy is expected to populate the username in the
-// "setting.ReverseProxyAuthUser" header. Optionally it can also populate the email of the
-// user in the "setting.ReverseProxyAuthEmail" header.
-type ReverseProxy struct {
-}
-
-// getUserName extracts the username from the "setting.ReverseProxyAuthUser" header
-func (r *ReverseProxy) getUserName(req *http.Request) string {
- webAuthUser := strings.TrimSpace(req.Header.Get(setting.ReverseProxyAuthUser))
- if len(webAuthUser) == 0 {
- return ""
- }
- return webAuthUser
-}
-
-// Init does nothing as the ReverseProxy implementation does not need initialization
-func (r *ReverseProxy) Init() error {
- return nil
-}
-
-// Free does nothing as the ReverseProxy implementation does not have to release resources
-func (r *ReverseProxy) Free() error {
- return nil
-}
-
-// IsEnabled checks if EnableReverseProxyAuth setting is true
-func (r *ReverseProxy) IsEnabled() bool {
- return setting.Service.EnableReverseProxyAuth
-}
-
-// VerifyAuthData extracts the username from the "setting.ReverseProxyAuthUser" header
-// of the request and returns the corresponding user object for that name.
-// Verification of header data is not performed as it should have already been done by
-// the revese proxy.
-// If a username is available in the "setting.ReverseProxyAuthUser" header an existing
-// user object is returned (populated with username or email found in header).
-// Returns nil if header is empty.
-func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
- username := r.getUserName(req)
- if len(username) == 0 {
- return nil
- }
- log.Trace("ReverseProxy Authorization: Found username: %s", username)
-
- user, err := models.GetUserByName(username)
- if err != nil {
- if !models.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
- log.Error("GetUserByName: %v", err)
- return nil
- }
- user = r.newUser(req)
- }
-
- // Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
- if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
- if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) {
- handleSignIn(w, req, sess, user)
- }
- }
- store.GetData()["IsReverseProxy"] = true
-
- log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
- return user
-}
-
-// isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
-func (r *ReverseProxy) isAutoRegisterAllowed() bool {
- return setting.Service.EnableReverseProxyAutoRegister
-}
-
-// newUser creates a new user object for the purpose of automatic registration
-// and populates its name and email with the information present in request headers.
-func (r *ReverseProxy) newUser(req *http.Request) *models.User {
- username := r.getUserName(req)
- if len(username) == 0 {
- return nil
- }
-
- email := gouuid.New().String() + "@localhost"
- if setting.Service.EnableReverseProxyEmail {
- webAuthEmail := req.Header.Get(setting.ReverseProxyAuthEmail)
- if len(webAuthEmail) > 0 {
- email = webAuthEmail
- }
- }
-
- user := &models.User{
- Name: username,
- Email: email,
- IsActive: true,
- }
- if err := models.CreateUser(user); err != nil {
- // FIXME: should I create a system notice?
- log.Error("CreateUser: %v", err)
- return nil
- }
-
- return user
-}
+++ /dev/null
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package sso
-
-import (
- "net/http"
-
- "code.gitea.io/gitea/models"
-)
-
-// Ensure the struct implements the interface.
-var (
- _ SingleSignOn = &Session{}
-)
-
-// Session checks if there is a user uid stored in the session and returns the user
-// object for that uid.
-type Session struct {
-}
-
-// Init does nothing as the Session implementation does not need to allocate any resources
-func (s *Session) Init() error {
- return nil
-}
-
-// Free does nothing as the Session implementation does not have to release any resources
-func (s *Session) Free() error {
- return nil
-}
-
-// IsEnabled returns true as this plugin is enabled by default and its not possible to disable
-// it from settings.
-func (s *Session) IsEnabled() bool {
- return true
-}
-
-// VerifyAuthData checks if there is a user uid stored in the session and returns the user
-// object for that uid.
-// Returns nil if there is no user uid stored in the session.
-func (s *Session) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
- user := SessionUser(sess)
- if user != nil {
- return user
- }
- return nil
-}
+++ /dev/null
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package sso
-
-import (
- "fmt"
- "net/http"
- "reflect"
- "regexp"
- "strings"
-
- "code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/web/middleware"
-)
-
-// ssoMethods contains the list of SSO authentication plugins in the order they are expected to be
-// executed.
-//
-// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
-// in the session (if there is a user id stored in session other plugins might return the user
-// object for that id).
-//
-// The Session plugin is expected to be executed second, in order to skip authentication
-// for users that have already signed in.
-var ssoMethods = []SingleSignOn{
- &OAuth2{},
- &Basic{},
- &Session{},
- &ReverseProxy{},
-}
-
-// The purpose of the following three function variables is to let the linter know that
-// those functions are not dead code and are actually being used
-var (
- _ = handleSignIn
-)
-
-// Methods returns the instances of all registered SSO methods
-func Methods() []SingleSignOn {
- return ssoMethods
-}
-
-// Register adds the specified instance to the list of available SSO methods
-func Register(method SingleSignOn) {
- ssoMethods = append(ssoMethods, method)
-}
-
-// Init should be called exactly once when the application starts to allow SSO plugins
-// to allocate necessary resources
-func Init() {
- for _, method := range Methods() {
- err := method.Init()
- if err != nil {
- log.Error("Could not initialize '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err)
- }
- }
-}
-
-// Free should be called exactly once when the application is terminating to allow SSO plugins
-// to release necessary resources
-func Free() {
- for _, method := range Methods() {
- err := method.Free()
- if err != nil {
- log.Error("Could not free '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err)
- }
- }
-}
-
-// SessionUser returns the user object corresponding to the "uid" session variable.
-func SessionUser(sess SessionStore) *models.User {
- // Get user ID
- uid := sess.Get("uid")
- if uid == nil {
- return nil
- }
- log.Trace("Session Authorization: Found user[%d]", uid)
-
- id, ok := uid.(int64)
- if !ok {
- return nil
- }
-
- // Get user object
- user, err := models.GetUserByID(id)
- if err != nil {
- if !models.IsErrUserNotExist(err) {
- log.Error("GetUserById: %v", err)
- }
- return nil
- }
-
- log.Trace("Session Authorization: Logged in user %-v", user)
- return user
-}
-
-// isAttachmentDownload check if request is a file download (GET) with URL to an attachment
-func isAttachmentDownload(req *http.Request) bool {
- return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
-}
-
-var gitRawPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|raw/)`)
-var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
-
-func isGitRawOrLFSPath(req *http.Request) bool {
- if gitRawPathRe.MatchString(req.URL.Path) {
- return true
- }
- if setting.LFS.StartServer {
- return lfsPathRe.MatchString(req.URL.Path)
- }
- return false
-}
-
-// handleSignIn clears existing session variables and stores new ones for the specified user object
-func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore, user *models.User) {
- _ = sess.Delete("openid_verified_uri")
- _ = sess.Delete("openid_signin_remember")
- _ = sess.Delete("openid_determined_email")
- _ = sess.Delete("openid_determined_username")
- _ = sess.Delete("twofaUid")
- _ = sess.Delete("twofaRemember")
- _ = sess.Delete("u2fChallenge")
- _ = sess.Delete("linkAccount")
- err := sess.Set("uid", user.ID)
- if err != nil {
- log.Error(fmt.Sprintf("Error setting session: %v", err))
- }
- err = sess.Set("uname", user.Name)
- if err != nil {
- log.Error(fmt.Sprintf("Error setting session: %v", err))
- }
-
- // Language setting of the user overwrites the one previously set
- // If the user does not have a locale set, we save the current one.
- if len(user.Language) == 0 {
- lc := middleware.Locale(resp, req)
- user.Language = lc.Language()
- if err := models.UpdateUserCols(user, "language"); err != nil {
- log.Error(fmt.Sprintf("Error updating user language [user: %d, locale: %s]", user.ID, user.Language))
- return
- }
- }
-
- middleware.SetLocaleCookie(resp, user.Language, 0)
-
- // Clear whatever CSRF has right now, force to generate a new one
- middleware.DeleteCSRFCookie(resp)
-}
+++ /dev/null
-// Copyright 2014 The Gogs Authors. All rights reserved.
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package sso
-
-import (
- "net/http"
- "testing"
-
- "code.gitea.io/gitea/modules/setting"
-)
-
-func Test_isGitRawOrLFSPath(t *testing.T) {
-
- tests := []struct {
- path string
-
- want bool
- }{
- {
- "/owner/repo/git-upload-pack",
- true,
- },
- {
- "/owner/repo/git-receive-pack",
- true,
- },
- {
- "/owner/repo/info/refs",
- true,
- },
- {
- "/owner/repo/HEAD",
- true,
- },
- {
- "/owner/repo/objects/info/alternates",
- true,
- },
- {
- "/owner/repo/objects/info/http-alternates",
- true,
- },
- {
- "/owner/repo/objects/info/packs",
- true,
- },
- {
- "/owner/repo/objects/info/blahahsdhsdkla",
- true,
- },
- {
- "/owner/repo/objects/01/23456789abcdef0123456789abcdef01234567",
- true,
- },
- {
- "/owner/repo/objects/pack/pack-123456789012345678921234567893124567894.pack",
- true,
- },
- {
- "/owner/repo/objects/pack/pack-0123456789abcdef0123456789abcdef0123456.idx",
- true,
- },
- {
- "/owner/repo/raw/branch/foo/fanaso",
- true,
- },
- {
- "/owner/repo/stars",
- false,
- },
- {
- "/notowner",
- false,
- },
- {
- "/owner/repo",
- false,
- },
- {
- "/owner/repo/commit/123456789012345678921234567893124567894",
- false,
- },
- }
- lfsTests := []string{
- "/owner/repo/info/lfs/",
- "/owner/repo/info/lfs/objects/batch",
- "/owner/repo/info/lfs/objects/oid/filename",
- "/owner/repo/info/lfs/objects/oid",
- "/owner/repo/info/lfs/objects",
- "/owner/repo/info/lfs/verify",
- "/owner/repo/info/lfs/locks",
- "/owner/repo/info/lfs/locks/verify",
- "/owner/repo/info/lfs/locks/123/unlock",
- }
-
- origLFSStartServer := setting.LFS.StartServer
-
- for _, tt := range tests {
- t.Run(tt.path, func(t *testing.T) {
- req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil)
- setting.LFS.StartServer = false
- if got := isGitRawOrLFSPath(req); got != tt.want {
- t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
- }
- setting.LFS.StartServer = true
- if got := isGitRawOrLFSPath(req); got != tt.want {
- t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
- }
- })
- }
- for _, tt := range lfsTests {
- t.Run(tt, func(t *testing.T) {
- req, _ := http.NewRequest("POST", tt, nil)
- setting.LFS.StartServer = false
- if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
- t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawPathRe.MatchString(tt))
- }
- setting.LFS.StartServer = true
- if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
- t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer)
- }
- })
- }
- setting.LFS.StartServer = origLFSStartServer
-}
+++ /dev/null
-// Copyright 2019 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package sso
-
-import (
- "errors"
- "net/http"
- "strings"
-
- "code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/templates"
- "code.gitea.io/gitea/modules/web/middleware"
-
- gouuid "github.com/google/uuid"
- "github.com/quasoft/websspi"
- "github.com/unrolled/render"
-)
-
-const (
- tplSignIn base.TplName = "user/auth/signin"
-)
-
-var (
- // sspiAuth is a global instance of the websspi authentication package,
- // which is used to avoid acquiring the server credential handle on
- // every request
- sspiAuth *websspi.Authenticator
-
- // Ensure the struct implements the interface.
- _ SingleSignOn = &SSPI{}
-)
-
-// SSPI implements the SingleSignOn interface and authenticates requests
-// via the built-in SSPI module in Windows for SPNEGO authentication.
-// On successful authentication returns a valid user object.
-// Returns nil if authentication fails.
-type SSPI struct {
- rnd *render.Render
-}
-
-// Init creates a new global websspi.Authenticator object
-func (s *SSPI) Init() error {
- config := websspi.NewConfig()
- var err error
- sspiAuth, err = websspi.New(config)
- if err != nil {
- return err
- }
- s.rnd = render.New(render.Options{
- Extensions: []string{".tmpl"},
- Directory: "templates",
- Funcs: templates.NewFuncMap(),
- Asset: templates.GetAsset,
- AssetNames: templates.GetAssetNames,
- IsDevelopment: !setting.IsProd(),
- })
- return nil
-}
-
-// Free releases resources used by the global websspi.Authenticator object
-func (s *SSPI) Free() error {
- return sspiAuth.Free()
-}
-
-// IsEnabled checks if there is an active SSPI authentication source
-func (s *SSPI) IsEnabled() bool {
- return models.IsSSPIEnabled()
-}
-
-// VerifyAuthData uses SSPI (Windows implementation of SPNEGO) to authenticate the request.
-// If authentication is successful, returs the corresponding user object.
-// If negotiation should continue or authentication fails, immediately returns a 401 HTTP
-// response code, as required by the SPNEGO protocol.
-func (s *SSPI) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
- if !s.shouldAuthenticate(req) {
- return nil
- }
-
- cfg, err := s.getConfig()
- if err != nil {
- log.Error("could not get SSPI config: %v", err)
- return nil
- }
-
- log.Trace("SSPI Authorization: Attempting to authenticate")
- userInfo, outToken, err := sspiAuth.Authenticate(req, w)
- if err != nil {
- log.Warn("Authentication failed with error: %v\n", err)
- sspiAuth.AppendAuthenticateHeader(w, outToken)
-
- // Include the user login page in the 401 response to allow the user
- // to login with another authentication method if SSPI authentication
- // fails
- store.GetData()["Flash"] = map[string]string{
- "ErrorMsg": err.Error(),
- }
- store.GetData()["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn
- store.GetData()["EnableSSPI"] = true
-
- err := s.rnd.HTML(w, 401, string(tplSignIn), templates.BaseVars().Merge(store.GetData()))
- if err != nil {
- log.Error("%v", err)
- }
-
- return nil
- }
- if outToken != "" {
- sspiAuth.AppendAuthenticateHeader(w, outToken)
- }
-
- username := sanitizeUsername(userInfo.Username, cfg)
- if len(username) == 0 {
- return nil
- }
- log.Info("Authenticated as %s\n", username)
-
- user, err := models.GetUserByName(username)
- if err != nil {
- if !models.IsErrUserNotExist(err) {
- log.Error("GetUserByName: %v", err)
- return nil
- }
- if !cfg.AutoCreateUsers {
- log.Error("User '%s' not found", username)
- return nil
- }
- user, err = s.newUser(username, cfg)
- if err != nil {
- log.Error("CreateUser: %v", err)
- return nil
- }
- }
-
- // Make sure requests to API paths and PWA resources do not create a new session
- if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) {
- handleSignIn(w, req, sess, user)
- }
-
- log.Trace("SSPI Authorization: Logged in user %-v", user)
- return user
-}
-
-// getConfig retrieves the SSPI configuration from login sources
-func (s *SSPI) getConfig() (*models.SSPIConfig, error) {
- sources, err := models.ActiveLoginSources(models.LoginSSPI)
- if err != nil {
- return nil, err
- }
- if len(sources) == 0 {
- return nil, errors.New("no active login sources of type SSPI found")
- }
- if len(sources) > 1 {
- return nil, errors.New("more than one active login source of type SSPI found")
- }
- return sources[0].SSPI(), nil
-}
-
-func (s *SSPI) shouldAuthenticate(req *http.Request) (shouldAuth bool) {
- shouldAuth = false
- path := strings.TrimSuffix(req.URL.Path, "/")
- if path == "/user/login" {
- if req.FormValue("user_name") != "" && req.FormValue("password") != "" {
- shouldAuth = false
- } else if req.FormValue("auth_with_sspi") == "1" {
- shouldAuth = true
- }
- } else if middleware.IsInternalPath(req) {
- shouldAuth = false
- } else if middleware.IsAPIPath(req) || isAttachmentDownload(req) {
- shouldAuth = true
- }
- return
-}
-
-// newUser creates a new user object for the purpose of automatic registration
-// and populates its name and email with the information present in request headers.
-func (s *SSPI) newUser(username string, cfg *models.SSPIConfig) (*models.User, error) {
- email := gouuid.New().String() + "@localhost.localdomain"
- user := &models.User{
- Name: username,
- Email: email,
- KeepEmailPrivate: true,
- Passwd: gouuid.New().String(),
- IsActive: cfg.AutoActivateUsers,
- Language: cfg.DefaultLanguage,
- UseCustomAvatar: true,
- Avatar: models.DefaultAvatarLink(),
- EmailNotificationsPreference: models.EmailNotificationsDisabled,
- }
- if err := models.CreateUser(user); err != nil {
- return nil, err
- }
- return user, nil
-}
-
-// stripDomainNames removes NETBIOS domain name and separator from down-level logon names
-// (eg. "DOMAIN\user" becomes "user"), and removes the UPN suffix (domain name) and separator
-// from UPNs (eg. "user@domain.local" becomes "user")
-func stripDomainNames(username string) string {
- if strings.Contains(username, "\\") {
- parts := strings.SplitN(username, "\\", 2)
- if len(parts) > 1 {
- username = parts[1]
- }
- } else if strings.Contains(username, "@") {
- parts := strings.Split(username, "@")
- if len(parts) > 1 {
- username = parts[0]
- }
- }
- return username
-}
-
-func replaceSeparators(username string, cfg *models.SSPIConfig) string {
- newSep := cfg.SeparatorReplacement
- username = strings.ReplaceAll(username, "\\", newSep)
- username = strings.ReplaceAll(username, "/", newSep)
- username = strings.ReplaceAll(username, "@", newSep)
- return username
-}
-
-func sanitizeUsername(username string, cfg *models.SSPIConfig) string {
- if len(username) == 0 {
- return ""
- }
- if cfg.StripDomainNames {
- username = stripDomainNames(username)
- }
- // Replace separators even if we have already stripped the domain name part,
- // as the username can contain several separators: eg. "MICROSOFT\useremail@live.com"
- username = replaceSeparators(username, cfg)
- return username
-}
-
-// init registers the SSPI auth method as the last method in the list.
-// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation
-// fails (or if negotiation should continue), which would prevent other authentication methods
-// to execute at all.
-func init() {
- Register(&SSPI{})
-}
+++ /dev/null
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-
-package sso
-
-import (
- "net/http"
-
- "code.gitea.io/gitea/models"
-)
-
-// SignedInUser returns the user object of signed user.
-// It returns a bool value to indicate whether user uses basic auth or not.
-func SignedInUser(req *http.Request, w http.ResponseWriter, ds DataStore, sess SessionStore) (*models.User, bool) {
- if !models.HasEngine {
- return nil, false
- }
-
- // Try to sign in with each of the enabled plugins
- for _, ssoMethod := range Methods() {
- if !ssoMethod.IsEnabled() {
- continue
- }
- user := ssoMethod.VerifyAuthData(req, w, ds, sess)
- if user != nil {
- _, isBasic := ssoMethod.(*Basic)
- return user, isBasic
- }
- }
-
- return nil, false
-}
"strings"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/auth/sso"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/web/middleware"
+ "code.gitea.io/gitea/services/auth"
"gitea.com/go-chi/session"
)
}
}
+// APIAuth converts auth.Auth as a middleware
+func APIAuth(authMethod auth.Auth) func(*APIContext) {
+ return func(ctx *APIContext) {
+ // Get user from session if logged in.
+ ctx.User = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+ if ctx.User != nil {
+ ctx.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == new(auth.Basic).Name()
+ ctx.IsSigned = true
+ ctx.Data["IsSigned"] = ctx.IsSigned
+ ctx.Data["SignedUser"] = ctx.User
+ ctx.Data["SignedUserID"] = ctx.User.ID
+ ctx.Data["SignedUserName"] = ctx.User.Name
+ ctx.Data["IsAdmin"] = ctx.User.IsAdmin
+ } else {
+ ctx.Data["SignedUserID"] = int64(0)
+ ctx.Data["SignedUserName"] = ""
+ }
+ }
+}
+
// APIContexter returns apicontext as middleware
func APIContexter() func(http.Handler) http.Handler {
var csrfOpts = getCsrfOpts()
}
}
- // Get user from session if logged in.
- ctx.User, ctx.IsBasicAuth = sso.SignedInUser(ctx.Req, ctx.Resp, &ctx, ctx.Session)
- if ctx.User != nil {
- ctx.IsSigned = true
- ctx.Data["IsSigned"] = ctx.IsSigned
- ctx.Data["SignedUser"] = ctx.User
- ctx.Data["SignedUserID"] = ctx.User.ID
- ctx.Data["SignedUserName"] = ctx.User.Name
- ctx.Data["IsAdmin"] = ctx.User.IsAdmin
- } else {
- ctx.Data["SignedUserID"] = int64(0)
- ctx.Data["SignedUserName"] = ""
- }
-
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
"time"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/auth/sso"
"code.gitea.io/gitea/modules/base"
mc "code.gitea.io/gitea/modules/cache"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/templates"
"code.gitea.io/gitea/modules/translation"
"code.gitea.io/gitea/modules/web/middleware"
+ "code.gitea.io/gitea/services/auth"
"gitea.com/go-chi/cache"
"gitea.com/go-chi/session"
}
}
+// Auth converts auth.Auth as a middleware
+func Auth(authMethod auth.Auth) func(*Context) {
+ return func(ctx *Context) {
+ ctx.User = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+ if ctx.User != nil {
+ ctx.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == new(auth.Basic).Name()
+ ctx.IsSigned = true
+ ctx.Data["IsSigned"] = ctx.IsSigned
+ ctx.Data["SignedUser"] = ctx.User
+ ctx.Data["SignedUserID"] = ctx.User.ID
+ ctx.Data["SignedUserName"] = ctx.User.Name
+ ctx.Data["IsAdmin"] = ctx.User.IsAdmin
+ } else {
+ ctx.Data["SignedUserID"] = int64(0)
+ ctx.Data["SignedUserName"] = ""
+
+ // ensure the session uid is deleted
+ _ = ctx.Session.Delete("uid")
+ }
+ }
+}
+
// Contexter initializes a classic context for a request.
func Contexter() func(next http.Handler) http.Handler {
var rnd = templates.HTMLRenderer()
}
}
- // Get user from session if logged in.
- ctx.User, ctx.IsBasicAuth = sso.SignedInUser(ctx.Req, ctx.Resp, &ctx, ctx.Session)
-
- if ctx.User != nil {
- ctx.IsSigned = true
- ctx.Data["IsSigned"] = ctx.IsSigned
- ctx.Data["SignedUser"] = ctx.User
- ctx.Data["SignedUserID"] = ctx.User.ID
- ctx.Data["SignedUserName"] = ctx.User.Name
- ctx.Data["IsAdmin"] = ctx.User.IsAdmin
- } else {
- ctx.Data["SignedUserID"] = int64(0)
- ctx.Data["SignedUserName"] = ""
-
- // ensure the session uid is deleted
- _ = ctx.Session.Delete("uid")
- }
-
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
"code.gitea.io/gitea/routers/api/v1/settings"
_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation
"code.gitea.io/gitea/routers/api/v1/user"
+ "code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/forms"
"gitea.com/go-chi/binding"
}
m.Use(context.APIContexter())
+ // Get user from session if logged in.
+ m.Use(context.APIAuth(auth.NewGroup(auth.Methods()...)))
+
m.Use(context.ToggleAPI(&context.ToggleOptions{
SignInRequired: setting.Service.RequireSignInView,
}))
"strings"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/auth/sso"
"code.gitea.io/gitea/modules/cache"
"code.gitea.io/gitea/modules/cron"
"code.gitea.io/gitea/modules/eventsource"
"code.gitea.io/gitea/routers/common"
"code.gitea.io/gitea/routers/private"
web_routers "code.gitea.io/gitea/routers/web"
+ "code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/mailer"
mirror_service "code.gitea.io/gitea/services/mirror"
pull_service "code.gitea.io/gitea/services/pull"
} else {
ssh.Unused()
}
- sso.Init()
+ auth.Init()
svg.Init()
}
"strings"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/auth/sso"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/httpcache"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/storage"
"code.gitea.io/gitea/modules/templates"
"code.gitea.io/gitea/modules/web/middleware"
+ "code.gitea.io/gitea/services/auth"
"gitea.com/go-chi/session"
)
}
if user == nil {
// Get user from session if logged in - do not attempt to sign-in
- user = sso.SessionUser(sessionStore)
+ user = auth.SessionUser(sessionStore)
}
if user != nil {
store["IsSigned"] = true
"strings"
"code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/auth/sso"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/web"
+ "code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/forms"
"gitea.com/go-chi/binding"
ctx.HandleText(http.StatusUnauthorized, "no valid auth token authorization")
return
}
- uid := sso.CheckOAuthAccessToken(auths[1])
+ uid := auth.CheckOAuthAccessToken(auths[1])
if uid == 0 {
handleBearerTokenError(ctx, BearerTokenError{
ErrorCode: BearerTokenErrorCodeInvalidToken,
"code.gitea.io/gitea/routers/web/repo"
"code.gitea.io/gitea/routers/web/user"
userSetting "code.gitea.io/gitea/routers/web/user/setting"
+ "code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/forms"
"code.gitea.io/gitea/services/lfs"
"code.gitea.io/gitea/services/mailer"
// Removed: toolbox.Toolboxer middleware will provide debug informations which seems unnecessary
common = append(common, context.Contexter())
+ // Get user from session if logged in.
+ common = append(common, context.Auth(auth.NewGroup(auth.Methods()...)))
+
// GetHead allows a HEAD request redirect to GET if HEAD method is not defined for that route
common = append(common, middleware.GetHead)
--- /dev/null
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "fmt"
+ "net/http"
+ "reflect"
+ "regexp"
+ "strings"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/web/middleware"
+)
+
+// authMethods contains the list of authentication plugins in the order they are expected to be
+// executed.
+//
+// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
+// in the session (if there is a user id stored in session other plugins might return the user
+// object for that id).
+//
+// The Session plugin is expected to be executed second, in order to skip authentication
+// for users that have already signed in.
+var authMethods = []Auth{
+ &OAuth2{},
+ &Basic{},
+ &Session{},
+}
+
+// The purpose of the following three function variables is to let the linter know that
+// those functions are not dead code and are actually being used
+var (
+ _ = handleSignIn
+)
+
+// Methods returns the instances of all registered methods
+func Methods() []Auth {
+ return authMethods
+}
+
+// Register adds the specified instance to the list of available methods
+func Register(method Auth) {
+ authMethods = append(authMethods, method)
+}
+
+// Init should be called exactly once when the application starts to allow plugins
+// to allocate necessary resources
+func Init() {
+ if setting.Service.EnableReverseProxyAuth {
+ Register(&ReverseProxy{})
+ }
+ specialInit()
+ for _, method := range Methods() {
+ err := method.Init()
+ if err != nil {
+ log.Error("Could not initialize '%s' auth method, error: %s", reflect.TypeOf(method).String(), err)
+ }
+ }
+}
+
+// Free should be called exactly once when the application is terminating to allow Auth plugins
+// to release necessary resources
+func Free() {
+ for _, method := range Methods() {
+ err := method.Free()
+ if err != nil {
+ log.Error("Could not free '%s' auth method, error: %s", reflect.TypeOf(method).String(), err)
+ }
+ }
+}
+
+// isAttachmentDownload check if request is a file download (GET) with URL to an attachment
+func isAttachmentDownload(req *http.Request) bool {
+ return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
+}
+
+var gitRawPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|raw/)`)
+var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
+
+func isGitRawOrLFSPath(req *http.Request) bool {
+ if gitRawPathRe.MatchString(req.URL.Path) {
+ return true
+ }
+ if setting.LFS.StartServer {
+ return lfsPathRe.MatchString(req.URL.Path)
+ }
+ return false
+}
+
+// handleSignIn clears existing session variables and stores new ones for the specified user object
+func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore, user *models.User) {
+ _ = sess.Delete("openid_verified_uri")
+ _ = sess.Delete("openid_signin_remember")
+ _ = sess.Delete("openid_determined_email")
+ _ = sess.Delete("openid_determined_username")
+ _ = sess.Delete("twofaUid")
+ _ = sess.Delete("twofaRemember")
+ _ = sess.Delete("u2fChallenge")
+ _ = sess.Delete("linkAccount")
+ err := sess.Set("uid", user.ID)
+ if err != nil {
+ log.Error(fmt.Sprintf("Error setting session: %v", err))
+ }
+ err = sess.Set("uname", user.Name)
+ if err != nil {
+ log.Error(fmt.Sprintf("Error setting session: %v", err))
+ }
+
+ // Language setting of the user overwrites the one previously set
+ // If the user does not have a locale set, we save the current one.
+ if len(user.Language) == 0 {
+ lc := middleware.Locale(resp, req)
+ user.Language = lc.Language()
+ if err := models.UpdateUserCols(user, "language"); err != nil {
+ log.Error(fmt.Sprintf("Error updating user language [user: %d, locale: %s]", user.ID, user.Language))
+ return
+ }
+ }
+
+ middleware.SetLocaleCookie(resp, user.Language, 0)
+
+ // Clear whatever CSRF has right now, force to generate a new one
+ middleware.DeleteCSRFCookie(resp)
+}
--- /dev/null
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "net/http"
+ "testing"
+
+ "code.gitea.io/gitea/modules/setting"
+)
+
+func Test_isGitRawOrLFSPath(t *testing.T) {
+
+ tests := []struct {
+ path string
+
+ want bool
+ }{
+ {
+ "/owner/repo/git-upload-pack",
+ true,
+ },
+ {
+ "/owner/repo/git-receive-pack",
+ true,
+ },
+ {
+ "/owner/repo/info/refs",
+ true,
+ },
+ {
+ "/owner/repo/HEAD",
+ true,
+ },
+ {
+ "/owner/repo/objects/info/alternates",
+ true,
+ },
+ {
+ "/owner/repo/objects/info/http-alternates",
+ true,
+ },
+ {
+ "/owner/repo/objects/info/packs",
+ true,
+ },
+ {
+ "/owner/repo/objects/info/blahahsdhsdkla",
+ true,
+ },
+ {
+ "/owner/repo/objects/01/23456789abcdef0123456789abcdef01234567",
+ true,
+ },
+ {
+ "/owner/repo/objects/pack/pack-123456789012345678921234567893124567894.pack",
+ true,
+ },
+ {
+ "/owner/repo/objects/pack/pack-0123456789abcdef0123456789abcdef0123456.idx",
+ true,
+ },
+ {
+ "/owner/repo/raw/branch/foo/fanaso",
+ true,
+ },
+ {
+ "/owner/repo/stars",
+ false,
+ },
+ {
+ "/notowner",
+ false,
+ },
+ {
+ "/owner/repo",
+ false,
+ },
+ {
+ "/owner/repo/commit/123456789012345678921234567893124567894",
+ false,
+ },
+ }
+ lfsTests := []string{
+ "/owner/repo/info/lfs/",
+ "/owner/repo/info/lfs/objects/batch",
+ "/owner/repo/info/lfs/objects/oid/filename",
+ "/owner/repo/info/lfs/objects/oid",
+ "/owner/repo/info/lfs/objects",
+ "/owner/repo/info/lfs/verify",
+ "/owner/repo/info/lfs/locks",
+ "/owner/repo/info/lfs/locks/verify",
+ "/owner/repo/info/lfs/locks/123/unlock",
+ }
+
+ origLFSStartServer := setting.LFS.StartServer
+
+ for _, tt := range tests {
+ t.Run(tt.path, func(t *testing.T) {
+ req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil)
+ setting.LFS.StartServer = false
+ if got := isGitRawOrLFSPath(req); got != tt.want {
+ t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
+ }
+ setting.LFS.StartServer = true
+ if got := isGitRawOrLFSPath(req); got != tt.want {
+ t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+ for _, tt := range lfsTests {
+ t.Run(tt, func(t *testing.T) {
+ req, _ := http.NewRequest("POST", tt, nil)
+ setting.LFS.StartServer = false
+ if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
+ t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawPathRe.MatchString(tt))
+ }
+ setting.LFS.StartServer = true
+ if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
+ t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer)
+ }
+ })
+ }
+ setting.LFS.StartServer = origLFSStartServer
+}
--- /dev/null
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "net/http"
+ "strings"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/timeutil"
+ "code.gitea.io/gitea/modules/web/middleware"
+)
+
+// Ensure the struct implements the interface.
+var (
+ _ Auth = &Basic{}
+)
+
+// Basic implements the Auth interface and authenticates requests (API requests
+// only) by looking for Basic authentication data or "x-oauth-basic" token in the "Authorization"
+// header.
+type Basic struct {
+}
+
+// Name represents the name of auth method
+func (b *Basic) Name() string {
+ return "basic"
+}
+
+// Init does nothing as the Basic implementation does not need to allocate any resources
+func (b *Basic) Init() error {
+ return nil
+}
+
+// Free does nothing as the Basic implementation does not have to release any resources
+func (b *Basic) Free() error {
+ return nil
+}
+
+// Verify extracts and validates Basic data (username and password/token) from the
+// "Authorization" header of the request and returns the corresponding user object for that
+// name/token on successful validation.
+// Returns nil if header is empty or validation fails.
+func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
+ // Basic authentication should only fire on API, Download or on Git or LFSPaths
+ if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
+ return nil
+ }
+
+ baHead := req.Header.Get("Authorization")
+ if len(baHead) == 0 {
+ return nil
+ }
+
+ auths := strings.SplitN(baHead, " ", 2)
+ if len(auths) != 2 || (auths[0] != "Basic" && auths[0] != "basic") {
+ return nil
+ }
+
+ uname, passwd, _ := base.BasicAuthDecode(auths[1])
+
+ // Check if username or password is a token
+ isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
+ // Assume username is token
+ authToken := uname
+ if !isUsernameToken {
+ log.Trace("Basic Authorization: Attempting login for: %s", uname)
+ // Assume password is token
+ authToken = passwd
+ } else {
+ log.Trace("Basic Authorization: Attempting login with username as token")
+ }
+
+ uid := CheckOAuthAccessToken(authToken)
+ if uid != 0 {
+ log.Trace("Basic Authorization: Valid OAuthAccessToken for user[%d]", uid)
+
+ u, err := models.GetUserByID(uid)
+ if err != nil {
+ log.Error("GetUserByID: %v", err)
+ return nil
+ }
+
+ store.GetData()["IsApiToken"] = true
+ return u
+ }
+
+ token, err := models.GetAccessTokenBySHA(authToken)
+ if err == nil {
+ log.Trace("Basic Authorization: Valid AccessToken for user[%d]", uid)
+ u, err := models.GetUserByID(token.UID)
+ if err != nil {
+ log.Error("GetUserByID: %v", err)
+ return nil
+ }
+
+ token.UpdatedUnix = timeutil.TimeStampNow()
+ if err = models.UpdateAccessToken(token); err != nil {
+ log.Error("UpdateAccessToken: %v", err)
+ }
+
+ store.GetData()["IsApiToken"] = true
+ return u
+ } else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
+ log.Error("GetAccessTokenBySha: %v", err)
+ }
+
+ if !setting.Service.EnableBasicAuth {
+ return nil
+ }
+
+ log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
+ u, err := models.UserSignIn(uname, passwd)
+ if err != nil {
+ if !models.IsErrUserNotExist(err) {
+ log.Error("UserSignIn: %v", err)
+ }
+ return nil
+ }
+
+ log.Trace("Basic Authorization: Logged in user %-v", u)
+
+ return u
+}
--- /dev/null
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "net/http"
+
+ "code.gitea.io/gitea/models"
+)
+
+// Ensure the struct implements the interface.
+var (
+ _ Auth = &Group{}
+)
+
+// Group implements the Auth interface with serval Auth.
+type Group struct {
+ methods []Auth
+}
+
+// NewGroup creates a new auth group
+func NewGroup(methods ...Auth) *Group {
+ return &Group{
+ methods: methods,
+ }
+}
+
+// Name represents the name of auth method
+func (b *Group) Name() string {
+ return "group"
+}
+
+// Init does nothing as the Basic implementation does not need to allocate any resources
+func (b *Group) Init() error {
+ for _, m := range b.methods {
+ if err := m.Init(); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+// Free does nothing as the Basic implementation does not have to release any resources
+func (b *Group) Free() error {
+ for _, m := range b.methods {
+ if err := m.Free(); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+// Verify extracts and validates
+func (b *Group) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
+ if !models.HasEngine {
+ return nil
+ }
+
+ // Try to sign in with each of the enabled plugins
+ for _, ssoMethod := range b.methods {
+ user := ssoMethod.Verify(req, w, store, sess)
+ if user != nil {
+ if store.GetData()["AuthedMethod"] == nil {
+ store.GetData()["AuthedMethod"] = ssoMethod.Name()
+ }
+ return user
+ }
+ }
+
+ return nil
+}
--- /dev/null
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "net/http"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/session"
+ "code.gitea.io/gitea/modules/web/middleware"
+)
+
+// DataStore represents a data store
+type DataStore middleware.DataStore
+
+// SessionStore represents a session store
+type SessionStore session.Store
+
+// Auth represents an authentication method (plugin) for HTTP requests.
+type Auth interface {
+ Name() string
+
+ // Init should be called exactly once before using any of the other methods,
+ // in order to allow the plugin to allocate necessary resources
+ Init() error
+
+ // Free should be called exactly once before application closes, in order to
+ // give chance to the plugin to free any allocated resources
+ Free() error
+
+ // Verify tries to verify the authentication data contained in the request.
+ // If verification is successful returns either an existing user object (with id > 0)
+ // or a new user object (with id = 0) populated with the information that was found
+ // in the authentication data (username or email).
+ // Returns nil if verification fails.
+ Verify(http *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User
+}
--- /dev/null
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "net/http"
+ "strings"
+ "time"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/timeutil"
+ "code.gitea.io/gitea/modules/web/middleware"
+)
+
+// Ensure the struct implements the interface.
+var (
+ _ Auth = &OAuth2{}
+)
+
+// CheckOAuthAccessToken returns uid of user from oauth token
+func CheckOAuthAccessToken(accessToken string) int64 {
+ // JWT tokens require a "."
+ if !strings.Contains(accessToken, ".") {
+ return 0
+ }
+ token, err := models.ParseOAuth2Token(accessToken)
+ if err != nil {
+ log.Trace("ParseOAuth2Token: %v", err)
+ return 0
+ }
+ var grant *models.OAuth2Grant
+ if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
+ return 0
+ }
+ if token.Type != models.TypeAccessToken {
+ return 0
+ }
+ if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {
+ return 0
+ }
+ return grant.UserID
+}
+
+// OAuth2 implements the Auth interface and authenticates requests
+// (API requests only) by looking for an OAuth token in query parameters or the
+// "Authorization" header.
+type OAuth2 struct {
+}
+
+// Init does nothing as the OAuth2 implementation does not need to allocate any resources
+func (o *OAuth2) Init() error {
+ return nil
+}
+
+// Name represents the name of auth method
+func (o *OAuth2) Name() string {
+ return "oauth2"
+}
+
+// Free does nothing as the OAuth2 implementation does not have to release any resources
+func (o *OAuth2) Free() error {
+ return nil
+}
+
+// userIDFromToken returns the user id corresponding to the OAuth token.
+func (o *OAuth2) userIDFromToken(req *http.Request, store DataStore) int64 {
+ _ = req.ParseForm()
+
+ // Check access token.
+ tokenSHA := req.Form.Get("token")
+ if len(tokenSHA) == 0 {
+ tokenSHA = req.Form.Get("access_token")
+ }
+ if len(tokenSHA) == 0 {
+ // Well, check with header again.
+ auHead := req.Header.Get("Authorization")
+ if len(auHead) > 0 {
+ auths := strings.Fields(auHead)
+ if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
+ tokenSHA = auths[1]
+ }
+ }
+ }
+ if len(tokenSHA) == 0 {
+ return 0
+ }
+
+ // Let's see if token is valid.
+ if strings.Contains(tokenSHA, ".") {
+ uid := CheckOAuthAccessToken(tokenSHA)
+ if uid != 0 {
+ store.GetData()["IsApiToken"] = true
+ }
+ return uid
+ }
+ t, err := models.GetAccessTokenBySHA(tokenSHA)
+ if err != nil {
+ if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
+ log.Error("GetAccessTokenBySHA: %v", err)
+ }
+ return 0
+ }
+ t.UpdatedUnix = timeutil.TimeStampNow()
+ if err = models.UpdateAccessToken(t); err != nil {
+ log.Error("UpdateAccessToken: %v", err)
+ }
+ store.GetData()["IsApiToken"] = true
+ return t.UID
+}
+
+// Verify extracts the user ID from the OAuth token in the query parameters
+// or the "Authorization" header and returns the corresponding user object for that ID.
+// If verification is successful returns an existing user object.
+// Returns nil if verification fails.
+func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
+ if !models.HasEngine {
+ return nil
+ }
+
+ if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) {
+ return nil
+ }
+
+ id := o.userIDFromToken(req, store)
+ if id <= 0 {
+ return nil
+ }
+ log.Trace("OAuth2 Authorization: Found token for user[%d]", id)
+
+ user, err := models.GetUserByID(id)
+ if err != nil {
+ if !models.IsErrUserNotExist(err) {
+ log.Error("GetUserByName: %v", err)
+ }
+ return nil
+ }
+
+ log.Trace("OAuth2 Authorization: Logged in user %-v", user)
+ return user
+}
--- /dev/null
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+// +build !windows
+
+package auth
+
+func specialInit() {}
--- /dev/null
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "net/http"
+ "strings"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/web/middleware"
+
+ gouuid "github.com/google/uuid"
+)
+
+// Ensure the struct implements the interface.
+var (
+ _ Auth = &ReverseProxy{}
+)
+
+// ReverseProxy implements the Auth interface, but actually relies on
+// a reverse proxy for authentication of users.
+// On successful authentication the proxy is expected to populate the username in the
+// "setting.ReverseProxyAuthUser" header. Optionally it can also populate the email of the
+// user in the "setting.ReverseProxyAuthEmail" header.
+type ReverseProxy struct {
+}
+
+// getUserName extracts the username from the "setting.ReverseProxyAuthUser" header
+func (r *ReverseProxy) getUserName(req *http.Request) string {
+ webAuthUser := strings.TrimSpace(req.Header.Get(setting.ReverseProxyAuthUser))
+ if len(webAuthUser) == 0 {
+ return ""
+ }
+ return webAuthUser
+}
+
+// Name represents the name of auth method
+func (r *ReverseProxy) Name() string {
+ return "reverse_proxy"
+}
+
+// Init does nothing as the ReverseProxy implementation does not need initialization
+func (r *ReverseProxy) Init() error {
+ return nil
+}
+
+// Free does nothing as the ReverseProxy implementation does not have to release resources
+func (r *ReverseProxy) Free() error {
+ return nil
+}
+
+// Verify extracts the username from the "setting.ReverseProxyAuthUser" header
+// of the request and returns the corresponding user object for that name.
+// Verification of header data is not performed as it should have already been done by
+// the revese proxy.
+// If a username is available in the "setting.ReverseProxyAuthUser" header an existing
+// user object is returned (populated with username or email found in header).
+// Returns nil if header is empty.
+func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
+ username := r.getUserName(req)
+ if len(username) == 0 {
+ return nil
+ }
+ log.Trace("ReverseProxy Authorization: Found username: %s", username)
+
+ user, err := models.GetUserByName(username)
+ if err != nil {
+ if !models.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
+ log.Error("GetUserByName: %v", err)
+ return nil
+ }
+ user = r.newUser(req)
+ }
+
+ // Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
+ if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
+ if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) {
+ handleSignIn(w, req, sess, user)
+ }
+ }
+ store.GetData()["IsReverseProxy"] = true
+
+ log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
+ return user
+}
+
+// isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
+func (r *ReverseProxy) isAutoRegisterAllowed() bool {
+ return setting.Service.EnableReverseProxyAutoRegister
+}
+
+// newUser creates a new user object for the purpose of automatic registration
+// and populates its name and email with the information present in request headers.
+func (r *ReverseProxy) newUser(req *http.Request) *models.User {
+ username := r.getUserName(req)
+ if len(username) == 0 {
+ return nil
+ }
+
+ email := gouuid.New().String() + "@localhost"
+ if setting.Service.EnableReverseProxyEmail {
+ webAuthEmail := req.Header.Get(setting.ReverseProxyAuthEmail)
+ if len(webAuthEmail) > 0 {
+ email = webAuthEmail
+ }
+ }
+
+ user := &models.User{
+ Name: username,
+ Email: email,
+ IsActive: true,
+ }
+ if err := models.CreateUser(user); err != nil {
+ // FIXME: should I create a system notice?
+ log.Error("CreateUser: %v", err)
+ return nil
+ }
+
+ return user
+}
--- /dev/null
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "net/http"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/log"
+)
+
+// Ensure the struct implements the interface.
+var (
+ _ Auth = &Session{}
+)
+
+// Session checks if there is a user uid stored in the session and returns the user
+// object for that uid.
+type Session struct {
+}
+
+// Init does nothing as the Session implementation does not need to allocate any resources
+func (s *Session) Init() error {
+ return nil
+}
+
+// Name represents the name of auth method
+func (s *Session) Name() string {
+ return "session"
+}
+
+// Free does nothing as the Session implementation does not have to release any resources
+func (s *Session) Free() error {
+ return nil
+}
+
+// Verify checks if there is a user uid stored in the session and returns the user
+// object for that uid.
+// Returns nil if there is no user uid stored in the session.
+func (s *Session) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
+ user := SessionUser(sess)
+ if user != nil {
+ return user
+ }
+ return nil
+}
+
+// SessionUser returns the user object corresponding to the "uid" session variable.
+func SessionUser(sess SessionStore) *models.User {
+ // Get user ID
+ uid := sess.Get("uid")
+ if uid == nil {
+ return nil
+ }
+ log.Trace("Session Authorization: Found user[%d]", uid)
+
+ id, ok := uid.(int64)
+ if !ok {
+ return nil
+ }
+
+ // Get user object
+ user, err := models.GetUserByID(id)
+ if err != nil {
+ if !models.IsErrUserNotExist(err) {
+ log.Error("GetUserById: %v", err)
+ }
+ return nil
+ }
+
+ log.Trace("Session Authorization: Logged in user %-v", user)
+ return user
+}
--- /dev/null
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+ "errors"
+ "net/http"
+ "strings"
+
+ "code.gitea.io/gitea/models"
+ "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/templates"
+ "code.gitea.io/gitea/modules/web/middleware"
+
+ gouuid "github.com/google/uuid"
+ "github.com/quasoft/websspi"
+ "github.com/unrolled/render"
+)
+
+const (
+ tplSignIn base.TplName = "user/auth/signin"
+)
+
+var (
+ // sspiAuth is a global instance of the websspi authentication package,
+ // which is used to avoid acquiring the server credential handle on
+ // every request
+ sspiAuth *websspi.Authenticator
+
+ // Ensure the struct implements the interface.
+ _ Auth = &SSPI{}
+)
+
+// SSPI implements the SingleSignOn interface and authenticates requests
+// via the built-in SSPI module in Windows for SPNEGO authentication.
+// On successful authentication returns a valid user object.
+// Returns nil if authentication fails.
+type SSPI struct {
+ rnd *render.Render
+}
+
+// Init creates a new global websspi.Authenticator object
+func (s *SSPI) Init() error {
+ config := websspi.NewConfig()
+ var err error
+ sspiAuth, err = websspi.New(config)
+ if err != nil {
+ return err
+ }
+ s.rnd = render.New(render.Options{
+ Extensions: []string{".tmpl"},
+ Directory: "templates",
+ Funcs: templates.NewFuncMap(),
+ Asset: templates.GetAsset,
+ AssetNames: templates.GetAssetNames,
+ IsDevelopment: !setting.IsProd(),
+ })
+ return nil
+}
+
+// Name represents the name of auth method
+func (s *SSPI) Name() string {
+ return "sspi"
+}
+
+// Free releases resources used by the global websspi.Authenticator object
+func (s *SSPI) Free() error {
+ return sspiAuth.Free()
+}
+
+// Verify uses SSPI (Windows implementation of SPNEGO) to authenticate the request.
+// If authentication is successful, returs the corresponding user object.
+// If negotiation should continue or authentication fails, immediately returns a 401 HTTP
+// response code, as required by the SPNEGO protocol.
+func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
+ if !s.shouldAuthenticate(req) {
+ return nil
+ }
+
+ cfg, err := s.getConfig()
+ if err != nil {
+ log.Error("could not get SSPI config: %v", err)
+ return nil
+ }
+
+ log.Trace("SSPI Authorization: Attempting to authenticate")
+ userInfo, outToken, err := sspiAuth.Authenticate(req, w)
+ if err != nil {
+ log.Warn("Authentication failed with error: %v\n", err)
+ sspiAuth.AppendAuthenticateHeader(w, outToken)
+
+ // Include the user login page in the 401 response to allow the user
+ // to login with another authentication method if SSPI authentication
+ // fails
+ store.GetData()["Flash"] = map[string]string{
+ "ErrorMsg": err.Error(),
+ }
+ store.GetData()["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn
+ store.GetData()["EnableSSPI"] = true
+
+ err := s.rnd.HTML(w, 401, string(tplSignIn), templates.BaseVars().Merge(store.GetData()))
+ if err != nil {
+ log.Error("%v", err)
+ }
+
+ return nil
+ }
+ if outToken != "" {
+ sspiAuth.AppendAuthenticateHeader(w, outToken)
+ }
+
+ username := sanitizeUsername(userInfo.Username, cfg)
+ if len(username) == 0 {
+ return nil
+ }
+ log.Info("Authenticated as %s\n", username)
+
+ user, err := models.GetUserByName(username)
+ if err != nil {
+ if !models.IsErrUserNotExist(err) {
+ log.Error("GetUserByName: %v", err)
+ return nil
+ }
+ if !cfg.AutoCreateUsers {
+ log.Error("User '%s' not found", username)
+ return nil
+ }
+ user, err = s.newUser(username, cfg)
+ if err != nil {
+ log.Error("CreateUser: %v", err)
+ return nil
+ }
+ }
+
+ // Make sure requests to API paths and PWA resources do not create a new session
+ if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) {
+ handleSignIn(w, req, sess, user)
+ }
+
+ log.Trace("SSPI Authorization: Logged in user %-v", user)
+ return user
+}
+
+// getConfig retrieves the SSPI configuration from login sources
+func (s *SSPI) getConfig() (*models.SSPIConfig, error) {
+ sources, err := models.ActiveLoginSources(models.LoginSSPI)
+ if err != nil {
+ return nil, err
+ }
+ if len(sources) == 0 {
+ return nil, errors.New("no active login sources of type SSPI found")
+ }
+ if len(sources) > 1 {
+ return nil, errors.New("more than one active login source of type SSPI found")
+ }
+ return sources[0].SSPI(), nil
+}
+
+func (s *SSPI) shouldAuthenticate(req *http.Request) (shouldAuth bool) {
+ shouldAuth = false
+ path := strings.TrimSuffix(req.URL.Path, "/")
+ if path == "/user/login" {
+ if req.FormValue("user_name") != "" && req.FormValue("password") != "" {
+ shouldAuth = false
+ } else if req.FormValue("auth_with_sspi") == "1" {
+ shouldAuth = true
+ }
+ } else if middleware.IsAPIPath(req) || isAttachmentDownload(req) {
+ shouldAuth = true
+ }
+ return
+}
+
+// newUser creates a new user object for the purpose of automatic registration
+// and populates its name and email with the information present in request headers.
+func (s *SSPI) newUser(username string, cfg *models.SSPIConfig) (*models.User, error) {
+ email := gouuid.New().String() + "@localhost.localdomain"
+ user := &models.User{
+ Name: username,
+ Email: email,
+ KeepEmailPrivate: true,
+ Passwd: gouuid.New().String(),
+ IsActive: cfg.AutoActivateUsers,
+ Language: cfg.DefaultLanguage,
+ UseCustomAvatar: true,
+ Avatar: models.DefaultAvatarLink(),
+ EmailNotificationsPreference: models.EmailNotificationsDisabled,
+ }
+ if err := models.CreateUser(user); err != nil {
+ return nil, err
+ }
+ return user, nil
+}
+
+// stripDomainNames removes NETBIOS domain name and separator from down-level logon names
+// (eg. "DOMAIN\user" becomes "user"), and removes the UPN suffix (domain name) and separator
+// from UPNs (eg. "user@domain.local" becomes "user")
+func stripDomainNames(username string) string {
+ if strings.Contains(username, "\\") {
+ parts := strings.SplitN(username, "\\", 2)
+ if len(parts) > 1 {
+ username = parts[1]
+ }
+ } else if strings.Contains(username, "@") {
+ parts := strings.Split(username, "@")
+ if len(parts) > 1 {
+ username = parts[0]
+ }
+ }
+ return username
+}
+
+func replaceSeparators(username string, cfg *models.SSPIConfig) string {
+ newSep := cfg.SeparatorReplacement
+ username = strings.ReplaceAll(username, "\\", newSep)
+ username = strings.ReplaceAll(username, "/", newSep)
+ username = strings.ReplaceAll(username, "@", newSep)
+ return username
+}
+
+func sanitizeUsername(username string, cfg *models.SSPIConfig) string {
+ if len(username) == 0 {
+ return ""
+ }
+ if cfg.StripDomainNames {
+ username = stripDomainNames(username)
+ }
+ // Replace separators even if we have already stripped the domain name part,
+ // as the username can contain several separators: eg. "MICROSOFT\useremail@live.com"
+ username = replaceSeparators(username, cfg)
+ return username
+}
+
+// specialInit registers the SSPI auth method as the last method in the list.
+// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation
+// fails (or if negotiation should continue), which would prevent other authentication methods
+// to execute at all.
+func specialInit() {
+ if models.IsSSPIEnabled() {
+ Register(&SSPI{})
+ }
+}
projects / gitea.git / commitdiff