summaryrefslogtreecommitdiffstats
path: root/cmd
diff options
context:
space:
mode:
authorzeripath <art27@cantab.net>2021-12-14 08:37:11 +0000
committerGitHub <noreply@github.com>2021-12-14 16:37:11 +0800
commit0981ec30c3d5218939d44fc2f40725b0b4a03684 (patch)
tree5479fb309f9800310cf2268d493e1cd33abfeac6 /cmd
parentb4782e24d2821bbb5647eff2eaf5c338e92324db (diff)
downloadgitea-0981ec30c3d5218939d44fc2f40725b0b4a03684.tar.gz
gitea-0981ec30c3d5218939d44fc2f40725b0b4a03684.zip
Add Option to synchronize Admin & Restricted states from OIDC/OAuth2 along with Setting Scopes (#16766)
* Add setting to OAuth handlers to override local 2FA settings This PR adds a setting to OAuth and OpenID login sources to allow the source to override local 2FA requirements. Fix #13939 Signed-off-by: Andrew Thornton <art27@cantab.net> * Fix regression from #16544 Signed-off-by: Andrew Thornton <art27@cantab.net> * Add scopes settings Signed-off-by: Andrew Thornton <art27@cantab.net> * fix trace logging in auth_openid Signed-off-by: Andrew Thornton <art27@cantab.net> * add required claim options Signed-off-by: Andrew Thornton <art27@cantab.net> * Move UpdateExternalUser to externalaccount Signed-off-by: Andrew Thornton <art27@cantab.net> * Allow OAuth2/OIDC to set Admin/Restricted status Signed-off-by: Andrew Thornton <art27@cantab.net> * Allow use of the same group claim name for the prohibit login value Signed-off-by: Andrew Thornton <art27@cantab.net> * fixup! Move UpdateExternalUser to externalaccount * as per wxiaoguang Signed-off-by: Andrew Thornton <art27@cantab.net> * add label back in Signed-off-by: Andrew Thornton <art27@cantab.net> * adjust localisation Signed-off-by: Andrew Thornton <art27@cantab.net> * placate lint Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'cmd')
-rw-r--r--cmd/admin.go58
1 files changed, 58 insertions, 0 deletions
diff --git a/cmd/admin.go b/cmd/admin.go
index f36e9f5de7..65a0bfb7bf 100644
--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -299,6 +299,36 @@ var (
Name: "skip-local-2fa",
Usage: "Set to true to skip local 2fa for users authenticated by this source",
},
+ cli.StringSliceFlag{
+ Name: "scopes",
+ Value: nil,
+ Usage: "Scopes to request when to authenticate against this OAuth2 source",
+ },
+ cli.StringFlag{
+ Name: "required-claim-name",
+ Value: "",
+ Usage: "Claim name that has to be set to allow users to login with this source",
+ },
+ cli.StringFlag{
+ Name: "required-claim-value",
+ Value: "",
+ Usage: "Claim value that has to be set to allow users to login with this source",
+ },
+ cli.StringFlag{
+ Name: "group-claim-name",
+ Value: "",
+ Usage: "Claim name providing group names for this source",
+ },
+ cli.StringFlag{
+ Name: "admin-group",
+ Value: "",
+ Usage: "Group Claim value for administrator users",
+ },
+ cli.StringFlag{
+ Name: "restricted-group",
+ Value: "",
+ Usage: "Group Claim value for restricted users",
+ },
}
microcmdAuthUpdateOauth = cli.Command{
@@ -649,6 +679,12 @@ func parseOAuth2Config(c *cli.Context) *oauth2.Source {
CustomURLMapping: customURLMapping,
IconURL: c.String("icon-url"),
SkipLocalTwoFA: c.Bool("skip-local-2fa"),
+ Scopes: c.StringSlice("scopes"),
+ RequiredClaimName: c.String("required-claim-name"),
+ RequiredClaimValue: c.String("required-claim-value"),
+ GroupClaimName: c.String("group-claim-name"),
+ AdminGroup: c.String("admin-group"),
+ RestrictedGroup: c.String("restricted-group"),
}
}
@@ -711,6 +747,28 @@ func runUpdateOauth(c *cli.Context) error {
oAuth2Config.IconURL = c.String("icon-url")
}
+ if c.IsSet("scopes") {
+ oAuth2Config.Scopes = c.StringSlice("scopes")
+ }
+
+ if c.IsSet("required-claim-name") {
+ oAuth2Config.RequiredClaimName = c.String("required-claim-name")
+
+ }
+ if c.IsSet("required-claim-value") {
+ oAuth2Config.RequiredClaimValue = c.String("required-claim-value")
+ }
+
+ if c.IsSet("group-claim-name") {
+ oAuth2Config.GroupClaimName = c.String("group-claim-name")
+ }
+ if c.IsSet("admin-group") {
+ oAuth2Config.AdminGroup = c.String("admin-group")
+ }
+ if c.IsSet("restricted-group") {
+ oAuth2Config.RestrictedGroup = c.String("restricted-group")
+ }
+
// update custom URL mapping
var customURLMapping = &oauth2.CustomURLMapping{}