Add single sign-on support via SSPI on Windows (#8463)

* Add single sign-on support via SSPI on Windows

* Ensure plugins implement interface

* Ensure plugins implement interface

* Move functions used only by the SSPI auth method to sspi_windows.go

* Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected

* Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links.

* Update documentation for the new 'SPNEGO with SSPI' login source

* Mention in documentation that ROOT_URL should contain the FQDN of the server

* Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing)

* Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources)

* Add option in SSPIConfig for removing of domains from logon names

* Update helper text for StripDomainNames option

* Make sure handleSignIn() is called after a new user object is created by SSPI auth method

* Remove default value from text of form field helper

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Remove default value from text of form field helper

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Remove default value from text of form field helper

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates

* Remove code duplication

* Log errors in ActiveLoginSources

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Revert suffix of randomly generated E-mails for Reverse proxy authentication

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Revert unneeded white-space change in template

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Add copyright comments at the top of new files

* Use loopback name for randomly generated emails

* Add locale tag for the SSPISeparatorReplacement field with proper casing

* Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields

* Update docs/content/doc/features/authentication.en-us.md

Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>

* Remove Priority() method and define the order in which SSO auth methods should be executed in one place

* Log authenticated username only if it's not empty

* Rephrase helper text for automatic creation of users

* Return error if more than one active SSPI auth source is found

* Change newUser() function to return error, letting caller log/handle the error

* Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed

* Refactor initialization of the list containing SSO auth methods

* Validate SSPI settings on POST

* Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page

* Make 'Default language' in SSPI config empty, unless changed by admin

* Show error if admin tries to add a second authentication source of type SSPI

* Simplify declaration of global variable

* Rebuild gitgraph.js on Linux

* Make sure config values containing only whitespace are not accepted

1 files changed, 9 insertions, 207 deletions

diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index 1ba149f0f8..16ea9f15e3 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -8,19 +8,14 @@ package auth
 import (
 	"reflect"
 	"strings"
-	"time"
 
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/base"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/auth/sso"
 	"code.gitea.io/gitea/modules/validation"
 
 	"gitea.com/macaron/binding"
 	"gitea.com/macaron/macaron"
 	"gitea.com/macaron/session"
-	gouuid "github.com/satori/go.uuid"
 	"github.com/unknwon/com"
 )
 
@@ -29,92 +24,6 @@ func IsAPIPath(url string) bool {
 	return strings.HasPrefix(url, "/api/")
 }
 
-// IsAttachmentDownload check if request is a file download (GET) with URL to an attachment
-func IsAttachmentDownload(ctx *macaron.Context) bool {
-	return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
-}
-
-// SignedInID returns the id of signed in user.
-func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
-	if !models.HasEngine {
-		return 0
-	}
-
-	// Check access token.
-	if IsAPIPath(ctx.Req.URL.Path) || IsAttachmentDownload(ctx) {
-		tokenSHA := ctx.Query("token")
-		if len(tokenSHA) == 0 {
-			tokenSHA = ctx.Query("access_token")
-		}
-		if len(tokenSHA) == 0 {
-			// Well, check with header again.
-			auHead := ctx.Req.Header.Get("Authorization")
-			if len(auHead) > 0 {
-				auths := strings.Fields(auHead)
-				if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
-					tokenSHA = auths[1]
-				}
-			}
-		}
-
-		// Let's see if token is valid.
-		if len(tokenSHA) > 0 {
-			if strings.Contains(tokenSHA, ".") {
-				uid := CheckOAuthAccessToken(tokenSHA)
-				if uid != 0 {
-					ctx.Data["IsApiToken"] = true
-				}
-				return uid
-			}
-			t, err := models.GetAccessTokenBySHA(tokenSHA)
-			if err != nil {
-				if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
-					log.Error("GetAccessTokenBySHA: %v", err)
-				}
-				return 0
-			}
-			t.UpdatedUnix = timeutil.TimeStampNow()
-			if err = models.UpdateAccessToken(t); err != nil {
-				log.Error("UpdateAccessToken: %v", err)
-			}
-			ctx.Data["IsApiToken"] = true
-			return t.UID
-		}
-	}
-
-	uid := sess.Get("uid")
-	if uid == nil {
-		return 0
-	} else if id, ok := uid.(int64); ok {
-		return id
-	}
-	return 0
-}
-
-// CheckOAuthAccessToken returns uid of user from oauth token token
-func CheckOAuthAccessToken(accessToken string) int64 {
-	// JWT tokens require a "."
-	if !strings.Contains(accessToken, ".") {
-		return 0
-	}
-	token, err := models.ParseOAuth2Token(accessToken)
-	if err != nil {
-		log.Trace("ParseOAuth2Token: %v", err)
-		return 0
-	}
-	var grant *models.OAuth2Grant
-	if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
-		return 0
-	}
-	if token.Type != models.TypeAccessToken {
-		return 0
-	}
-	if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {
-		return 0
-	}
-	return grant.UserID
-}
-
 // SignedInUser returns the user object of signed user.
 // It returns a bool value to indicate whether user uses basic auth or not.
 func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool) {
@@ -122,125 +31,18 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
 		return nil, false
 	}
 
-	if uid := SignedInID(ctx, sess); uid > 0 {
-		user, err := models.GetUserByID(uid)
-		if err == nil {
-			return user, false
-		} else if !models.IsErrUserNotExist(err) {
-			log.Error("GetUserById: %v", err)
+	// Try to sign in with each of the enabled plugins
+	for _, ssoMethod := range sso.Methods() {
+		if !ssoMethod.IsEnabled() {
+			continue
 		}
-	}
-
-	if setting.Service.EnableReverseProxyAuth {
-		webAuthUser := ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
-		if len(webAuthUser) > 0 {
-			u, err := models.GetUserByName(webAuthUser)
-			if err != nil {
-				if !models.IsErrUserNotExist(err) {
-					log.Error("GetUserByName: %v", err)
-					return nil, false
-				}
-
-				// Check if enabled auto-registration.
-				if setting.Service.EnableReverseProxyAutoRegister {
-					email := gouuid.NewV4().String() + "@localhost"
-					if setting.Service.EnableReverseProxyEmail {
-						webAuthEmail := ctx.Req.Header.Get(setting.ReverseProxyAuthEmail)
-						if len(webAuthEmail) > 0 {
-							email = webAuthEmail
-						}
-					}
-					u := &models.User{
-						Name:     webAuthUser,
-						Email:    email,
-						Passwd:   webAuthUser,
-						IsActive: true,
-					}
-					if err = models.CreateUser(u); err != nil {
-						// FIXME: should I create a system notice?
-						log.Error("CreateUser: %v", err)
-						return nil, false
-					}
-					return u, false
-				}
-			}
-			return u, false
+		user := ssoMethod.VerifyAuthData(ctx, sess)
+		if user != nil {
+			_, isBasic := ssoMethod.(*sso.Basic)
+			return user, isBasic
 		}
 	}
 
-	// Check with basic auth.
-	baHead := ctx.Req.Header.Get("Authorization")
-	if len(baHead) > 0 {
-		auths := strings.Fields(baHead)
-		if len(auths) == 2 && auths[0] == "Basic" {
-			var u *models.User
-
-			uname, passwd, _ := base.BasicAuthDecode(auths[1])
-
-			// Check if username or password is a token
-			isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
-			// Assume username is token
-			authToken := uname
-			if !isUsernameToken {
-				// Assume password is token
-				authToken = passwd
-			}
-
-			uid := CheckOAuthAccessToken(authToken)
-			if uid != 0 {
-				var err error
-				ctx.Data["IsApiToken"] = true
-
-				u, err = models.GetUserByID(uid)
-				if err != nil {
-					log.Error("GetUserByID:  %v", err)
-					return nil, false
-				}
-			}
-			token, err := models.GetAccessTokenBySHA(authToken)
-			if err == nil {
-				if isUsernameToken {
-					u, err = models.GetUserByID(token.UID)
-					if err != nil {
-						log.Error("GetUserByID:  %v", err)
-						return nil, false
-					}
-				} else {
-					u, err = models.GetUserByName(uname)
-					if err != nil {
-						log.Error("GetUserByID:  %v", err)
-						return nil, false
-					}
-					if u.ID != token.UID {
-						return nil, false
-					}
-				}
-				token.UpdatedUnix = timeutil.TimeStampNow()
-				if err = models.UpdateAccessToken(token); err != nil {
-					log.Error("UpdateAccessToken:  %v", err)
-				}
-			} else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
-				log.Error("GetAccessTokenBySha: %v", err)
-			}
-
-			if u == nil {
-				if !setting.Service.EnableBasicAuth {
-					return nil, false
-				}
-				u, err = models.UserSignIn(uname, passwd)
-				if err != nil {
-					if !models.IsErrUserNotExist(err) {
-						log.Error("UserSignIn: %v", err)
-					}
-					return nil, false
-				}
-			} else {
-				ctx.Data["IsApiToken"] = true
-			}
-
-			return u, true
-		}
-	}
 	return nil, false
 }