author | Lunny Xiao <xiaolunwen@gmail.com> | 2022-03-28 12:46:28 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-28 12:46:28 +0800 |
commit | 6526733a58632086d51ce7211b3a4dc75dbbef90 (patch) | |
tree | d4d00230c18e0b4bbae1a767ef3f52800d284a14 /routers | |
parent | d6fa138e7ce7c36ce253a3c847e3218fd31452c4 (diff) | |
download | gitea-6526733a58632086d51ce7211b3a4dc75dbbef90.tar.gz gitea-6526733a58632086d51ce7211b3a4dc75dbbef90.zip |
Let web and API routes have different auth methods group (#19168)
* remove the global methods but create them dynamically
* Fix lint
* Fix windows lint
* Fix windows lint
* some improvements
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Diffstat (limited to 'routers')
-rw-r--r-- | routers/api/v1/api.go | 27 | ||||
-rw-r--r-- | routers/api/v1/auth.go | 12 | ||||
-rw-r--r-- | routers/api/v1/auth_windows.go | 20 | ||||
-rw-r--r-- | routers/web/auth.go | 12 | ||||
-rw-r--r-- | routers/web/auth_windows.go | 20 | ||||
-rw-r--r-- | routers/web/web.go | 27 |
6 files changed, 116 insertions, 2 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 5ac6fba29b..3debf58a17 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -563,6 +563,26 @@ func bind(obj interface{}) http.HandlerFunc {
 })
 }
+// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
+// in the session (if there is a user id stored in session other plugins might return the user
+// object for that id).
+//
+// The Session plugin is expected to be executed second, in order to skip authentication
+// for users that have already signed in.
+func buildAuthGroup() *auth.Group {
+ group := auth.NewGroup(
+ &auth.OAuth2{},
+ &auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API
+ auth.SharedSession, // FIXME: this should be removed once all UI don't reference API/v1, see https://github.com/go-gitea/gitea/pull/16052
+ )
+ if setting.Service.EnableReverseProxyAuth {
+ group.Add(&auth.ReverseProxy{})
+ }
+ specialAdd(group)
+
+ return group
+}
+
 // Routes registers all v1 APIs routes to web application.
 func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 m := web.NewRoute()
@@ -583,8 +603,13 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 }
 m.Use(context.APIContexter())
+ group := buildAuthGroup()
+ if err := group.Init(); err != nil {
+ log.Error("Could not initialize '%s' auth method, error: %s", group.Name(), err)
+ }
+
 // Get user from session if logged in.
- m.Use(context.APIAuth(auth.NewGroup(auth.Methods()...)))
+ m.Use(context.APIAuth(group))
 m.Use(context.ToggleAPI(&context.ToggleOptions{
 SignInRequired: setting.Service.RequireSignInView,
diff --git a/routers/api/v1/auth.go b/routers/api/v1/auth.go
new file mode 100644
index 0000000000..359c9ec56b
--- /dev/null
+++ b/routers/api/v1/auth.go
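Review bot: The doc comment added above `buildAuthGroup` does not start with the function name and says the Session plugin is executed second, while the group it builds lists `auth.SharedSession` third, after `&auth.Basic{}`; the same comment and the same order appear in the `buildAuthGroup` hunk of routers/web/web.go. Since the ordering is the whole point of this helper, the comment should describe the chain the code actually builds: OAuth2 first (because it must ignore the session user id), then Basic, then the shared session, then ReverseProxy when `setting.Service.EnableReverseProxyAuth` is set, and finally whatever `specialAdd` appends for the platform. A first line such as `// buildAuthGroup assembles the ordered auth methods used by the API routes; the order matters, see below.` followed by the corrected ordering paragraph would keep the godoc convention and match the code.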
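Review bot: In `Routes`, a failed `group.Init()` is only logged and the group is still handed to `context.APIAuth(group)`, so the router starts serving requests with an auth chain one of whose methods did not initialize; whether that method then fails closed or open at request time depends on its implementation, which is not visible here. The message also reports `group.Name()`, which identifies the group rather than the method that failed, unless `Init` already wraps the method name into the error. The same pattern is in the `Routes` hunk of routers/web/web.go. If these `Routes` functions run once at startup, as they appear to, refusing to start would be the safer choice, e.g. `log.Fatal("Could not initialize auth method group %q: %v", group.Name(), err)`; otherwise at least make sure the logged error names the failing method.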
@@ -0,0 +1,12 @@ +// Copyright 2022 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +//go:build !windows +// +build !windows + +package v1 + +import auth_service "code.gitea.io/gitea/services/auth" + +func specialAdd(group *auth_service.Group) {} diff --git a/routers/api/v1/auth_windows.go b/routers/api/v1/auth_windows.go new file mode 100644 index 0000000000..d41c4bb223 --- /dev/null +++ b/routers/api/v1/auth_windows.go @@ -0,0 +1,20 @@ +// Copyright 2022 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package v1 + +import ( + "code.gitea.io/gitea/models/auth" + auth_service "code.gitea.io/gitea/services/auth" +) + +// specialAdd registers the SSPI auth method as the last method in the list. +// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation +// fails (or if negotiation should continue), which would prevent other authentication methods +// to execute at all. +func specialAdd(group *auth_service.Group) { + if auth.IsSSPIEnabled() { + group.Add(&auth_service.SSPI{}) + } +} diff --git a/routers/web/auth.go b/routers/web/auth.go new file mode 100644 index 0000000000..4a7fb856be --- /dev/null +++ b/routers/web/auth.go @@ -0,0 +1,12 @@ +// Copyright 2022 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +//go:build !windows +// +build !windows + +package web + +import auth_service "code.gitea.io/gitea/services/auth" + +func specialAdd(group *auth_service.Group) {} diff --git a/routers/web/auth_windows.go b/routers/web/auth_windows.go new file mode 100644 index 0000000000..f404fd3771 --- /dev/null +++ b/routers/web/auth_windows.go 
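Review bot: The non-Windows `specialAdd` stub in routers/api/v1/auth.go carries no comment, so a reader of that file alone does not learn that its Windows counterpart appends the SSPI method; the routers/web/auth.go stub in this same run of hunks has the same gap. A one-liner such as `// specialAdd is a no-op outside Windows; auth_windows.go appends the SSPI method here.` would document the pair. The two `auth_windows.go` files (routers/api/v1 here and routers/web in the next hunk) also appear identical apart from the package clause, so a single helper in the services/auth package would avoid keeping the SSPI ordering comment in sync in two places.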
@@ -0,0 +1,20 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package web
+
+import (
+ "code.gitea.io/gitea/models/auth"
+ auth_service "code.gitea.io/gitea/services/auth"
+)
+
+// specialAdd registers the SSPI auth method as the last method in the list.
+// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation
+// fails (or if negotiation should continue), which would prevent other authentication methods
+// to execute at all.
+func specialAdd(group *auth_service.Group) {
+ if auth.IsSSPIEnabled() {
+ group.Add(&auth_service.SSPI{})
+ }
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index f4cabaab6e..14e90348b8 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -73,6 +73,26 @@ func CorsHandler() func(next http.Handler) http.Handler {
 }
 }
+// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
+// in the session (if there is a user id stored in session other plugins might return the user
+// object for that id).
+//
+// The Session plugin is expected to be executed second, in order to skip authentication
+// for users that have already signed in.
+func buildAuthGroup() *auth_service.Group {
+ group := auth_service.NewGroup(
+ &auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth realted routers
+ &auth_service.Basic{}, // FIXME: this should be removed and only applied in download and git/lfs routers
+ auth_service.SharedSession,
+ )
+ if setting.Service.EnableReverseProxyAuth {
+ group.Add(&auth_service.ReverseProxy{})
+ }
+ specialAdd(group)
+
+ return group
+}
+
 // Routes returns all web routes
 func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 routes := web.NewRoute()
@@ -160,8 +180,13 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 // Removed: toolbox.Toolboxer middleware will provide debug information which seems unnecessary
 common = append(common, context.Contexter())
+ group := buildAuthGroup()
+ if err := group.Init(); err != nil {
+ log.Error("Could not initialize '%s' auth method, error: %s", group.Name(), err)
+ }
+
 // Get user from session if logged in.
- common = append(common, context.Auth(auth_service.NewGroup(auth_service.Methods()...)))
+ common = append(common, context.Auth(group))
 // GetHead allows a HEAD request redirect to GET if HEAD method is not defined for that route
 common = append(common, middleware.GetHead) |