Add single sign-on support via SSPI on Windows (#8463)

* Add single sign-on support via SSPI on Windows

* Ensure plugins implement interface

* Ensure plugins implement interface

* Move functions used only by the SSPI auth method to sspi_windows.go

* Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected

* Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links.

* Update documentation for the new 'SPNEGO with SSPI' login source

* Mention in documentation that ROOT_URL should contain the FQDN of the server

* Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing)

* Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources)

* Add option in SSPIConfig for removing of domains from logon names

* Update helper text for StripDomainNames option

* Make sure handleSignIn() is called after a new user object is created by SSPI auth method

* Remove default value from text of form field helper

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Remove default value from text of form field helper

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Remove default value from text of form field helper

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates

* Remove code duplication

* Log errors in ActiveLoginSources

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Revert suffix of randomly generated E-mails for Reverse proxy authentication

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Revert unneeded white-space change in template

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Add copyright comments at the top of new files

* Use loopback name for randomly generated emails

* Add locale tag for the SSPISeparatorReplacement field with proper casing

* Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields

* Update docs/content/doc/features/authentication.en-us.md

Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>

* Remove Priority() method and define the order in which SSO auth methods should be executed in one place

* Log authenticated username only if it's not empty

* Rephrase helper text for automatic creation of users

* Return error if more than one active SSPI auth source is found

* Change newUser() function to return error, letting caller log/handle the error

* Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed

* Refactor initialization of the list containing SSO auth methods

* Validate SSPI settings on POST

* Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page

* Make 'Default language' in SSPI config empty, unless changed by admin

* Show error if admin tries to add a second authentication source of type SSPI

* Simplify declaration of global variable

* Rebuild gitgraph.js on Linux

* Make sure config values containing only whitespace are not accepted

7 files changed, 842 insertions, 0 deletions

diff --git a/modules/auth/sso/basic.go b/modules/auth/sso/basic.go
new file mode 100644
index 0000000000..7f1841df71
--- /dev/null
+++ b/modules/auth/sso/basic.go
@@ -0,0 +1,125 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// Ensure the struct implements the interface.
+var (
+	_ SingleSignOn = &Basic{}
+)
+
+// Basic implements the SingleSignOn interface and authenticates requests (API requests
+// only) by looking for Basic authentication data or "x-oauth-basic" token in the "Authorization"
+// header.
+type Basic struct {
+}
+
+// Init does nothing as the Basic implementation does not need to allocate any resources
+func (b *Basic) Init() error {
+	return nil
+}
+
+// Free does nothing as the Basic implementation does not have to release any resources
+func (b *Basic) Free() error {
+	return nil
+}
+
+// IsEnabled returns true as this plugin is enabled by default and its not possible to disable
+// it from settings.
+func (b *Basic) IsEnabled() bool {
+	return setting.Service.EnableBasicAuth
+}
+
+// VerifyAuthData extracts and validates Basic data (username and password/token) from the
+// "Authorization" header of the request and returns the corresponding user object for that
+// name/token on successful validation.
+// Returns nil if header is empty or validation fails.
+func (b *Basic) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	baHead := ctx.Req.Header.Get("Authorization")
+	if len(baHead) == 0 {
+		return nil
+	}
+
+	auths := strings.Fields(baHead)
+	if len(auths) != 2 || auths[0] != "Basic" {
+		return nil
+	}
+
+	var u *models.User
+	uname, passwd, _ := base.BasicAuthDecode(auths[1])
+
+	// Check if username or password is a token
+	isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
+	// Assume username is token
+	authToken := uname
+	if !isUsernameToken {
+		// Assume password is token
+		authToken = passwd
+	}
+
+	uid := CheckOAuthAccessToken(authToken)
+	if uid != 0 {
+		var err error
+		ctx.Data["IsApiToken"] = true
+
+		u, err = models.GetUserByID(uid)
+		if err != nil {
+			log.Error("GetUserByID:  %v", err)
+			return nil
+		}
+	}
+	token, err := models.GetAccessTokenBySHA(authToken)
+	if err == nil {
+		if isUsernameToken {
+			u, err = models.GetUserByID(token.UID)
+			if err != nil {
+				log.Error("GetUserByID:  %v", err)
+				return nil
+			}
+		} else {
+			u, err = models.GetUserByName(uname)
+			if err != nil {
+				log.Error("GetUserByID:  %v", err)
+				return nil
+			}
+			if u.ID != token.UID {
+				return nil
+			}
+		}
+		token.UpdatedUnix = timeutil.TimeStampNow()
+		if err = models.UpdateAccessToken(token); err != nil {
+			log.Error("UpdateAccessToken:  %v", err)
+		}
+	} else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
+		log.Error("GetAccessTokenBySha: %v", err)
+	}
+
+	if u == nil {
+		u, err = models.UserSignIn(uname, passwd)
+		if err != nil {
+			if !models.IsErrUserNotExist(err) {
+				log.Error("UserSignIn: %v", err)
+			}
+			return nil
+		}
+	} else {
+		ctx.Data["IsApiToken"] = true
+	}
+
+	return u
+}
diff --git a/modules/auth/sso/interface.go b/modules/auth/sso/interface.go
new file mode 100644
index 0000000000..89cc227e79
--- /dev/null
+++ b/modules/auth/sso/interface.go
@@ -0,0 +1,33 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"code.gitea.io/gitea/models"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// SingleSignOn represents a SSO authentication method (plugin) for HTTP requests.
+type SingleSignOn interface {
+	// Init should be called exactly once before using any of the other methods,
+	// in order to allow the plugin to allocate necessary resources
+	Init() error
+
+	// Free should be called exactly once before application closes, in order to
+	// give chance to the plugin to free any allocated resources
+	Free() error
+
+	// IsEnabled checks if the current SSO method has been enabled in settings.
+	IsEnabled() bool
+
+	// VerifyAuthData tries to verify the SSO authentication data contained in the request.
+	// If verification is successful returns either an existing user object (with id > 0)
+	// or a new user object (with id = 0) populated with the information that was found
+	// in the authentication data (username or email).
+	// Returns nil if verification fails.
+	VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User
+}
diff --git a/modules/auth/sso/oauth2.go b/modules/auth/sso/oauth2.go
new file mode 100644
index 0000000000..e677490b80
--- /dev/null
+++ b/modules/auth/sso/oauth2.go
@@ -0,0 +1,142 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"strings"
+	"time"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// Ensure the struct implements the interface.
+var (
+	_ SingleSignOn = &OAuth2{}
+)
+
+// CheckOAuthAccessToken returns uid of user from oauth token
+func CheckOAuthAccessToken(accessToken string) int64 {
+	// JWT tokens require a "."
+	if !strings.Contains(accessToken, ".") {
+		return 0
+	}
+	token, err := models.ParseOAuth2Token(accessToken)
+	if err != nil {
+		log.Trace("ParseOAuth2Token: %v", err)
+		return 0
+	}
+	var grant *models.OAuth2Grant
+	if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
+		return 0
+	}
+	if token.Type != models.TypeAccessToken {
+		return 0
+	}
+	if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {
+		return 0
+	}
+	return grant.UserID
+}
+
+// OAuth2 implements the SingleSignOn interface and authenticates requests
+// (API requests only) by looking for an OAuth token in query parameters or the
+// "Authorization" header.
+type OAuth2 struct {
+}
+
+// Init does nothing as the OAuth2 implementation does not need to allocate any resources
+func (o *OAuth2) Init() error {
+	return nil
+}
+
+// Free does nothing as the OAuth2 implementation does not have to release any resources
+func (o *OAuth2) Free() error {
+	return nil
+}
+
+// userIDFromToken returns the user id corresponding to the OAuth token.
+func (o *OAuth2) userIDFromToken(ctx *macaron.Context) int64 {
+	// Check access token.
+	tokenSHA := ctx.Query("token")
+	if len(tokenSHA) == 0 {
+		tokenSHA = ctx.Query("access_token")
+	}
+	if len(tokenSHA) == 0 {
+		// Well, check with header again.
+		auHead := ctx.Req.Header.Get("Authorization")
+		if len(auHead) > 0 {
+			auths := strings.Fields(auHead)
+			if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
+				tokenSHA = auths[1]
+			}
+		}
+	}
+	if len(tokenSHA) == 0 {
+		return 0
+	}
+
+	// Let's see if token is valid.
+	if strings.Contains(tokenSHA, ".") {
+		uid := CheckOAuthAccessToken(tokenSHA)
+		if uid != 0 {
+			ctx.Data["IsApiToken"] = true
+		}
+		return uid
+	}
+	t, err := models.GetAccessTokenBySHA(tokenSHA)
+	if err != nil {
+		if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
+			log.Error("GetAccessTokenBySHA: %v", err)
+		}
+		return 0
+	}
+	t.UpdatedUnix = timeutil.TimeStampNow()
+	if err = models.UpdateAccessToken(t); err != nil {
+		log.Error("UpdateAccessToken: %v", err)
+	}
+	ctx.Data["IsApiToken"] = true
+	return t.UID
+}
+
+// IsEnabled returns true as this plugin is enabled by default and its not possible
+// to disable it from settings.
+func (o *OAuth2) IsEnabled() bool {
+	return true
+}
+
+// VerifyAuthData extracts the user ID from the OAuth token in the query parameters
+// or the "Authorization" header and returns the corresponding user object for that ID.
+// If verification is successful returns an existing user object.
+// Returns nil if verification fails.
+func (o *OAuth2) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	if !models.HasEngine {
+		return nil
+	}
+
+	if !isAPIPath(ctx) && !isAttachmentDownload(ctx) {
+		return nil
+	}
+
+	id := o.userIDFromToken(ctx)
+	if id <= 0 {
+		return nil
+	}
+
+	user, err := models.GetUserByID(id)
+	if err != nil {
+		if !models.IsErrUserNotExist(err) {
+			log.Error("GetUserByName: %v", err)
+		}
+		return nil
+	}
+
+	return user
+}
diff --git a/modules/auth/sso/reverseproxy.go b/modules/auth/sso/reverseproxy.go
new file mode 100644
index 0000000000..feb5364518
--- /dev/null
+++ b/modules/auth/sso/reverseproxy.go
@@ -0,0 +1,115 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+	gouuid "github.com/satori/go.uuid"
+)
+
+// Ensure the struct implements the interface.
+var (
+	_ SingleSignOn = &ReverseProxy{}
+)
+
+// ReverseProxy implements the SingleSignOn interface, but actually relies on
+// a reverse proxy for authentication of users.
+// On successful authentication the proxy is expected to populate the username in the
+// "setting.ReverseProxyAuthUser" header. Optionally it can also populate the email of the
+// user in the "setting.ReverseProxyAuthEmail" header.
+type ReverseProxy struct {
+}
+
+// getUserName extracts the username from the "setting.ReverseProxyAuthUser" header
+func (r *ReverseProxy) getUserName(ctx *macaron.Context) string {
+	webAuthUser := strings.TrimSpace(ctx.Req.Header.Get(setting.ReverseProxyAuthUser))
+	if len(webAuthUser) == 0 {
+		return ""
+	}
+	return webAuthUser
+}
+
+// Init does nothing as the ReverseProxy implementation does not need initialization
+func (r *ReverseProxy) Init() error {
+	return nil
+}
+
+// Free does nothing as the ReverseProxy implementation does not have to release resources
+func (r *ReverseProxy) Free() error {
+	return nil
+}
+
+// IsEnabled checks if EnableReverseProxyAuth setting is true
+func (r *ReverseProxy) IsEnabled() bool {
+	return setting.Service.EnableReverseProxyAuth
+}
+
+// VerifyAuthData extracts the username from the "setting.ReverseProxyAuthUser" header
+// of the request and returns the corresponding user object for that name.
+// Verification of header data is not performed as it should have already been done by
+// the revese proxy.
+// If a username is available in the "setting.ReverseProxyAuthUser" header an existing
+// user object is returned (populated with username or email found in header).
+// Returns nil if header is empty.
+func (r *ReverseProxy) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	username := r.getUserName(ctx)
+	if len(username) == 0 {
+		return nil
+	}
+
+	user, err := models.GetUserByName(username)
+	if err != nil {
+		if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() {
+			return r.newUser(ctx)
+		}
+		log.Error("GetUserByName: %v", err)
+		return nil
+	}
+
+	return user
+}
+
+// isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
+func (r *ReverseProxy) isAutoRegisterAllowed() bool {
+	return setting.Service.EnableReverseProxyAutoRegister
+}
+
+// newUser creates a new user object for the purpose of automatic registration
+// and populates its name and email with the information present in request headers.
+func (r *ReverseProxy) newUser(ctx *macaron.Context) *models.User {
+	username := r.getUserName(ctx)
+	if len(username) == 0 {
+		return nil
+	}
+
+	email := gouuid.NewV4().String() + "@localhost"
+	if setting.Service.EnableReverseProxyEmail {
+		webAuthEmail := ctx.Req.Header.Get(setting.ReverseProxyAuthEmail)
+		if len(webAuthEmail) > 0 {
+			email = webAuthEmail
+		}
+	}
+
+	user := &models.User{
+		Name:     username,
+		Email:    email,
+		Passwd:   username,
+		IsActive: true,
+	}
+	if err := models.CreateUser(user); err != nil {
+		// FIXME: should I create a system notice?
+		log.Error("CreateUser: %v", err)
+		return nil
+	}
+	return user
+}
diff --git a/modules/auth/sso/session.go b/modules/auth/sso/session.go
new file mode 100644
index 0000000000..c9176b9c31
--- /dev/null
+++ b/modules/auth/sso/session.go
@@ -0,0 +1,49 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"code.gitea.io/gitea/models"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// Ensure the struct implements the interface.
+var (
+	_ SingleSignOn = &Session{}
+)
+
+// Session checks if there is a user uid stored in the session and returns the user
+// object for that uid.
+type Session struct {
+}
+
+// Init does nothing as the Session implementation does not need to allocate any resources
+func (s *Session) Init() error {
+	return nil
+}
+
+// Free does nothing as the Session implementation does not have to release any resources
+func (s *Session) Free() error {
+	return nil
+}
+
+// IsEnabled returns true as this plugin is enabled by default and its not possible to disable
+// it from settings.
+func (s *Session) IsEnabled() bool {
+	return true
+}
+
+// VerifyAuthData checks if there is a user uid stored in the session and returns the user
+// object for that uid.
+// Returns nil if there is no user uid stored in the session.
+func (s *Session) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	user := SessionUser(sess)
+	if user != nil {
+		return user
+	}
+	return nil
+}
diff --git a/modules/auth/sso/sso.go b/modules/auth/sso/sso.go
new file mode 100644
index 0000000000..cf8148d89b
--- /dev/null
+++ b/modules/auth/sso/sso.go
@@ -0,0 +1,141 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// ssoMethods contains the list of SSO authentication plugins in the order they are expected to be
+// executed.
+//
+// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
+// in the session (if there is a user id stored in session other plugins might return the user
+// object for that id).
+//
+// The Session plugin is expected to be executed second, in order to skip authentication
+// for users that have already signed in.
+var ssoMethods = []SingleSignOn{
+	&OAuth2{},
+	&Session{},
+	&ReverseProxy{},
+	&Basic{},
+}
+
+// The purpose of the following three function variables is to let the linter know that
+// those functions are not dead code and are actually being used
+var (
+	_ = handleSignIn
+)
+
+// Methods returns the instances of all registered SSO methods
+func Methods() []SingleSignOn {
+	return ssoMethods
+}
+
+// Register adds the specified instance to the list of available SSO methods
+func Register(method SingleSignOn) {
+	ssoMethods = append(ssoMethods, method)
+}
+
+// Init should be called exactly once when the application starts to allow SSO plugins
+// to allocate necessary resources
+func Init() {
+	for _, method := range Methods() {
+		err := method.Init()
+		if err != nil {
+			log.Error("Could not initialize '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err)
+		}
+	}
+}
+
+// Free should be called exactly once when the application is terminating to allow SSO plugins
+// to release necessary resources
+func Free() {
+	for _, method := range Methods() {
+		err := method.Free()
+		if err != nil {
+			log.Error("Could not free '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err)
+		}
+	}
+}
+
+// SessionUser returns the user object corresponding to the "uid" session variable.
+func SessionUser(sess session.Store) *models.User {
+	// Get user ID
+	uid := sess.Get("uid")
+	if uid == nil {
+		return nil
+	}
+	id, ok := uid.(int64)
+	if !ok {
+		return nil
+	}
+
+	// Get user object
+	user, err := models.GetUserByID(id)
+	if err != nil {
+		if !models.IsErrUserNotExist(err) {
+			log.Error("GetUserById: %v", err)
+		}
+		return nil
+	}
+	return user
+}
+
+// isAPIPath returns true if the specified URL is an API path
+func isAPIPath(ctx *macaron.Context) bool {
+	return strings.HasPrefix(ctx.Req.URL.Path, "/api/")
+}
+
+// isAttachmentDownload check if request is a file download (GET) with URL to an attachment
+func isAttachmentDownload(ctx *macaron.Context) bool {
+	return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
+}
+
+// handleSignIn clears existing session variables and stores new ones for the specified user object
+func handleSignIn(ctx *macaron.Context, sess session.Store, user *models.User) {
+	_ = sess.Delete("openid_verified_uri")
+	_ = sess.Delete("openid_signin_remember")
+	_ = sess.Delete("openid_determined_email")
+	_ = sess.Delete("openid_determined_username")
+	_ = sess.Delete("twofaUid")
+	_ = sess.Delete("twofaRemember")
+	_ = sess.Delete("u2fChallenge")
+	_ = sess.Delete("linkAccount")
+	err := sess.Set("uid", user.ID)
+	if err != nil {
+		log.Error(fmt.Sprintf("Error setting session: %v", err))
+	}
+	err = sess.Set("uname", user.Name)
+	if err != nil {
+		log.Error(fmt.Sprintf("Error setting session: %v", err))
+	}
+
+	// Language setting of the user overwrites the one previously set
+	// If the user does not have a locale set, we save the current one.
+	if len(user.Language) == 0 {
+		user.Language = ctx.Locale.Language()
+		if err := models.UpdateUserCols(user, "language"); err != nil {
+			log.Error(fmt.Sprintf("Error updating user language [user: %d, locale: %s]", user.ID, user.Language))
+			return
+		}
+	}
+
+	ctx.SetCookie("lang", user.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+
+	// Clear whatever CSRF has right now, force to generate a new one
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+}
diff --git a/modules/auth/sso/sspi_windows.go b/modules/auth/sso/sspi_windows.go
new file mode 100644
index 0000000000..3153fc63cd
--- /dev/null
+++ b/modules/auth/sso/sspi_windows.go
@@ -0,0 +1,237 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"errors"
+	"reflect"
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+
+	"github.com/quasoft/websspi"
+	gouuid "github.com/satori/go.uuid"
+)
+
+const (
+	tplSignIn base.TplName = "user/auth/signin"
+)
+
+var (
+	// sspiAuth is a global instance of the websspi authentication package,
+	// which is used to avoid acquiring the server credential handle on
+	// every request
+	sspiAuth *websspi.Authenticator
+
+	// Ensure the struct implements the interface.
+	_ SingleSignOn = &SSPI{}
+)
+
+// SSPI implements the SingleSignOn interface and authenticates requests
+// via the built-in SSPI module in Windows for SPNEGO authentication.
+// On successful authentication returns a valid user object.
+// Returns nil if authentication fails.
+type SSPI struct {
+}
+
+// Init creates a new global websspi.Authenticator object
+func (s *SSPI) Init() error {
+	config := websspi.NewConfig()
+	var err error
+	sspiAuth, err = websspi.New(config)
+	return err
+}
+
+// Free releases resources used by the global websspi.Authenticator object
+func (s *SSPI) Free() error {
+	return sspiAuth.Free()
+}
+
+// IsEnabled checks if there is an active SSPI authentication source
+func (s *SSPI) IsEnabled() bool {
+	return models.IsSSPIEnabled()
+}
+
+// VerifyAuthData uses SSPI (Windows implementation of SPNEGO) to authenticate the request.
+// If authentication is successful, returs the corresponding user object.
+// If negotiation should continue or authentication fails, immediately returns a 401 HTTP
+// response code, as required by the SPNEGO protocol.
+func (s *SSPI) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	if !s.shouldAuthenticate(ctx) {
+		return nil
+	}
+
+	cfg, err := s.getConfig()
+	if err != nil {
+		log.Error("could not get SSPI config: %v", err)
+		return nil
+	}
+
+	userInfo, outToken, err := sspiAuth.Authenticate(ctx.Req.Request, ctx.Resp)
+	if err != nil {
+		log.Warn("Authentication failed with error: %v\n", err)
+		sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)
+
+		// Include the user login page in the 401 response to allow the user
+		// to login with another authentication method if SSPI authentication
+		// fails
+		addFlashErr(ctx, ctx.Tr("auth.sspi_auth_failed"))
+		ctx.Data["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn
+		ctx.Data["EnableSSPI"] = true
+		ctx.HTML(401, string(tplSignIn))
+		return nil
+	}
+	if outToken != "" {
+		sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)
+	}
+
+	username := sanitizeUsername(userInfo.Username, cfg)
+	if len(username) == 0 {
+		return nil
+	}
+	log.Info("Authenticated as %s\n", username)
+
+	user, err := models.GetUserByName(username)
+	if err != nil {
+		if !models.IsErrUserNotExist(err) {
+			log.Error("GetUserByName: %v", err)
+			return nil
+		}
+		if !cfg.AutoCreateUsers {
+			log.Error("User '%s' not found", username)
+			return nil
+		}
+		user, err = s.newUser(ctx, username, cfg)
+		if err != nil {
+			log.Error("CreateUser: %v", err)
+			return nil
+		}
+	}
+
+	// Make sure requests to API paths and PWA resources do not create a new session
+	if !isAPIPath(ctx) && !isAttachmentDownload(ctx) {
+		handleSignIn(ctx, sess, user)
+	}
+
+	return user
+}
+
+// getConfig retrieves the SSPI configuration from login sources
+func (s *SSPI) getConfig() (*models.SSPIConfig, error) {
+	sources, err := models.ActiveLoginSources(models.LoginSSPI)
+	if err != nil {
+		return nil, err
+	}
+	if len(sources) == 0 {
+		return nil, errors.New("no active login sources of type SSPI found")
+	}
+	if len(sources) > 1 {
+		return nil, errors.New("more than one active login source of type SSPI found")
+	}
+	return sources[0].SSPI(), nil
+}
+
+func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) (shouldAuth bool) {
+	shouldAuth = false
+	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
+	if path == "/user/login" {
+		if ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" {
+			shouldAuth = false
+		} else if ctx.Req.FormValue("auth_with_sspi") == "1" {
+			shouldAuth = true
+		}
+	} else if isAPIPath(ctx) || isAttachmentDownload(ctx) {
+		shouldAuth = true
+	}
+	return
+}
+
+// newUser creates a new user object for the purpose of automatic registration
+// and populates its name and email with the information present in request headers.
+func (s *SSPI) newUser(ctx *macaron.Context, username string, cfg *models.SSPIConfig) (*models.User, error) {
+	email := gouuid.NewV4().String() + "@localhost.localdomain"
+	user := &models.User{
+		Name:                         username,
+		Email:                        email,
+		KeepEmailPrivate:             true,
+		Passwd:                       gouuid.NewV4().String(),
+		IsActive:                     cfg.AutoActivateUsers,
+		Language:                     cfg.DefaultLanguage,
+		UseCustomAvatar:              true,
+		Avatar:                       base.DefaultAvatarLink(),
+		EmailNotificationsPreference: models.EmailNotificationsDisabled,
+	}
+	if err := models.CreateUser(user); err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+// stripDomainNames removes NETBIOS domain name and separator from down-level logon names
+// (eg. "DOMAIN\user" becomes "user"), and removes the UPN suffix (domain name) and separator
+// from UPNs (eg. "user@domain.local" becomes "user")
+func stripDomainNames(username string) string {
+	if strings.Contains(username, "\\") {
+		parts := strings.SplitN(username, "\\", 2)
+		if len(parts) > 1 {
+			username = parts[1]
+		}
+	} else if strings.Contains(username, "@") {
+		parts := strings.Split(username, "@")
+		if len(parts) > 1 {
+			username = parts[0]
+		}
+	}
+	return username
+}
+
+func replaceSeparators(username string, cfg *models.SSPIConfig) string {
+	newSep := cfg.SeparatorReplacement
+	username = strings.ReplaceAll(username, "\\", newSep)
+	username = strings.ReplaceAll(username, "/", newSep)
+	username = strings.ReplaceAll(username, "@", newSep)
+	return username
+}
+
+func sanitizeUsername(username string, cfg *models.SSPIConfig) string {
+	if len(username) == 0 {
+		return ""
+	}
+	if cfg.StripDomainNames {
+		username = stripDomainNames(username)
+	}
+	// Replace separators even if we have already stripped the domain name part,
+	// as the username can contain several separators: eg. "MICROSOFT\useremail@live.com"
+	username = replaceSeparators(username, cfg)
+	return username
+}
+
+// addFlashErr adds an error message to the Flash object mapped to a macaron.Context
+func addFlashErr(ctx *macaron.Context, err string) {
+	fv := ctx.GetVal(reflect.TypeOf(&session.Flash{}))
+	if !fv.IsValid() {
+		return
+	}
+	flash, ok := fv.Interface().(*session.Flash)
+	if !ok {
+		return
+	}
+	flash.Error(err)
+	ctx.Data["Flash"] = flash
+}
+
+// init registers the SSPI auth method as the last method in the list.
+// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation
+// fails (or if negotiation should continue), which would prevent other authentication methods
+// to execute at all.
+func init() {
+	Register(&SSPI{})
+}