aboutsummaryrefslogtreecommitdiffstats
path: root/routers/web/auth/linkaccount.go
diff options
context:
space:
mode:
authortechknowlogick <techknowlogick@gitea.com>2024-02-22 19:08:17 -0500
committerGitHub <noreply@github.com>2024-02-23 00:08:17 +0000
commit5bb8d1924d77c675467694de26697b876d709a17 (patch)
tree5082621a5a26d56b5eccd2a70bbb35a76a2c6ae5 /routers/web/auth/linkaccount.go
parentc4b0cb4d0d527793296cf801e611f77666f86551 (diff)
downloadgitea-5bb8d1924d77c675467694de26697b876d709a17.tar.gz
gitea-5bb8d1924d77c675467694de26697b876d709a17.zip
Support SAML authentication (#25165)
Closes https://github.com/go-gitea/gitea/issues/5512 This PR adds basic SAML support - Adds SAML 2.0 as an auth source - Adds SAML configuration documentation - Adds integration test: - Use bare-bones SAML IdP to test protocol flow and test account is linked successfully (only runs on Postgres by default) - Adds documentation for configuring and running SAML integration test locally Future PRs: - Support group mapping - Support auto-registration (account linking) Co-Authored-By: @jackHay22 --------- Co-authored-by: jackHay22 <jack@allspice.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: morphelinho <morphelinho@users.noreply.github.com> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: silverwind <me@silverwind.io>
Diffstat (limited to 'routers/web/auth/linkaccount.go')
-rw-r--r--routers/web/auth/linkaccount.go45
1 files changed, 25 insertions, 20 deletions
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
index 1d94e52fe3..c62ae84083 100644
--- a/routers/web/auth/linkaccount.go
+++ b/routers/web/auth/linkaccount.go
@@ -48,13 +48,13 @@ func LinkAccount(ctx *context.Context) {
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
- gothUser := ctx.Session.Get("linkAccountGothUser")
- if gothUser == nil {
+ externalLinkUser := ctx.Session.Get("linkAccountUser")
+ if externalLinkUser == nil {
ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
return
}
- gu, _ := gothUser.(goth.User)
+ gu := externalLinkUser.(auth.LinkAccountUser).GothUser
uname, err := getUserName(&gu)
if err != nil {
ctx.ServerError("UserSignIn", err)
@@ -135,12 +135,14 @@ func LinkAccountPostSignIn(ctx *context.Context) {
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
- gothUser := ctx.Session.Get("linkAccountGothUser")
- if gothUser == nil {
+ externalLinkUserInterface := ctx.Session.Get("linkAccountUser")
+ if externalLinkUserInterface == nil {
ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
return
}
+ externalLinkUser := externalLinkUserInterface.(auth.LinkAccountUser)
+
if ctx.HasError() {
ctx.HTML(http.StatusOK, tplLinkAccount)
return
@@ -152,10 +154,10 @@ func LinkAccountPostSignIn(ctx *context.Context) {
return
}
- linkAccount(ctx, u, gothUser.(goth.User), signInForm.Remember)
+ linkAccount(ctx, u, externalLinkUser.GothUser, signInForm.Remember, externalLinkUser.Type)
}
-func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool) {
+func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool, authType auth.Type) {
updateAvatarIfNeed(ctx, gothUser.AvatarURL, u)
// If this user is enrolled in 2FA, we can't sign the user in just yet.
@@ -168,7 +170,7 @@ func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, r
return
}
- err = externalaccount.LinkAccountToUser(ctx, u, gothUser)
+ err = externalaccount.LinkAccountToUser(ctx, u, gothUser, authType)
if err != nil {
ctx.ServerError("UserLinkAccount", err)
return
@@ -222,14 +224,14 @@ func LinkAccountPostRegister(ctx *context.Context) {
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
- gothUserInterface := ctx.Session.Get("linkAccountGothUser")
- if gothUserInterface == nil {
+ externalLinkUser := ctx.Session.Get("linkAccountUser")
+ if externalLinkUser == nil {
ctx.ServerError("UserSignUp", errors.New("not in LinkAccount session"))
return
}
- gothUser, ok := gothUserInterface.(goth.User)
+ linkUser, ok := externalLinkUser.(auth.LinkAccountUser)
if !ok {
- ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountGothUser type is %t but not goth.User", gothUserInterface))
+ ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountUser type is %t but not goth.User", externalLinkUser))
return
}
@@ -275,7 +277,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
}
}
- authSource, err := auth.GetActiveOAuth2SourceByName(ctx, gothUser.Provider)
+ authSource, err := auth.GetActiveAuthSourceByName(ctx, linkUser.GothUser.Provider, linkUser.Type)
if err != nil {
ctx.ServerError("CreateUser", err)
return
@@ -285,21 +287,24 @@ func LinkAccountPostRegister(ctx *context.Context) {
Name: form.UserName,
Email: form.Email,
Passwd: form.Password,
- LoginType: auth.OAuth2,
+ LoginType: authSource.Type,
LoginSource: authSource.ID,
- LoginName: gothUser.UserID,
+ LoginName: linkUser.GothUser.UserID,
}
- if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, nil, &gothUser, false) {
+ if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, nil, &linkUser.GothUser, false, linkUser.Type) {
// error already handled
return
}
- source := authSource.Cfg.(*oauth2.Source)
- if err := syncGroupsToTeams(ctx, source, &gothUser, u); err != nil {
- ctx.ServerError("SyncGroupsToTeams", err)
- return
+ if linkUser.Type == auth.OAuth2 {
+ source := authSource.Cfg.(*oauth2.Source)
+ if err := syncGroupsToTeams(ctx, source, &linkUser.GothUser, u); err != nil {
+ ctx.ServerError("SyncGroupsToTeams", err)
+ return
+ }
}
+ // TODO we will support some form of group mapping for SAML
handleSignIn(ctx, u, false)
}