Add single sign-on support via SSPI on Windows (#8463)

* Add single sign-on support via SSPI on Windows

* Ensure plugins implement interface

* Ensure plugins implement interface

* Move functions used only by the SSPI auth method to sspi_windows.go

* Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected

* Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links.

* Update documentation for the new 'SPNEGO with SSPI' login source

* Mention in documentation that ROOT_URL should contain the FQDN of the server

* Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing)

* Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources)

* Add option in SSPIConfig for removing of domains from logon names

* Update helper text for StripDomainNames option

* Make sure handleSignIn() is called after a new user object is created by SSPI auth method

* Remove default value from text of form field helper

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Remove default value from text of form field helper

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Remove default value from text of form field helper

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates

* Remove code duplication

* Log errors in ActiveLoginSources

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Revert suffix of randomly generated E-mails for Reverse proxy authentication

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Revert unneeded white-space change in template

Co-Authored-By: Lauris BH <lauris@nix.lv>

* Add copyright comments at the top of new files

* Use loopback name for randomly generated emails

* Add locale tag for the SSPISeparatorReplacement field with proper casing

* Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields

* Update docs/content/doc/features/authentication.en-us.md

Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>

* Remove Priority() method and define the order in which SSO auth methods should be executed in one place

* Log authenticated username only if it's not empty

* Rephrase helper text for automatic creation of users

* Return error if more than one active SSPI auth source is found

* Change newUser() function to return error, letting caller log/handle the error

* Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed

* Refactor initialization of the list containing SSO auth methods

* Validate SSPI settings on POST

* Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page

* Make 'Default language' in SSPI config empty, unless changed by admin

* Show error if admin tries to add a second authentication source of type SSPI

* Simplify declaration of global variable

* Rebuild gitgraph.js on Linux

* Make sure config values containing only whitespace are not accepted

4 files changed, 73 insertions, 2 deletions

diff --git a/routers/admin/auths.go b/routers/admin/auths.go
index 8e0c27e226..8a16e36bf5 100644
--- a/routers/admin/auths.go
+++ b/routers/admin/auths.go
@@ -5,7 +5,9 @@
 package admin
 
 import (
+	"errors"
 	"fmt"
+	"regexp"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/auth"
@@ -15,6 +17,7 @@ import (
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 
 	"github.com/unknwon/com"
 	"xorm.io/core"
@@ -26,6 +29,11 @@ const (
 	tplAuthEdit base.TplName = "admin/auth/edit"
 )
 
+var (
+	separatorAntiPattern = regexp.MustCompile(`[^\w-\.]`)
+	langCodePattern      = regexp.MustCompile(`^[a-z]{2}-[A-Z]{2}$`)
+)
+
 // Authentications show authentication config page
 func Authentications(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("admin.authentication")
@@ -55,6 +63,7 @@ var (
 		{models.LoginNames[models.LoginSMTP], models.LoginSMTP},
 		{models.LoginNames[models.LoginPAM], models.LoginPAM},
 		{models.LoginNames[models.LoginOAuth2], models.LoginOAuth2},
+		{models.LoginNames[models.LoginSSPI], models.LoginSSPI},
 	}
 	securityProtocols = []dropdownItem{
 		{models.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted], ldap.SecurityProtocolUnencrypted},
@@ -81,6 +90,12 @@ func NewAuthSource(ctx *context.Context) {
 	ctx.Data["OAuth2Providers"] = models.OAuth2Providers
 	ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings
 
+	ctx.Data["SSPIAutoCreateUsers"] = true
+	ctx.Data["SSPIAutoActivateUsers"] = true
+	ctx.Data["SSPIStripDomainNames"] = true
+	ctx.Data["SSPISeparatorReplacement"] = "_"
+	ctx.Data["SSPIDefaultLanguage"] = ""
+
 	// only the first as default
 	for key := range models.OAuth2Providers {
 		ctx.Data["oauth2_provider"] = key
@@ -152,6 +167,30 @@ func parseOAuth2Config(form auth.AuthenticationForm) *models.OAuth2Config {
 	}
 }
 
+func parseSSPIConfig(ctx *context.Context, form auth.AuthenticationForm) (*models.SSPIConfig, error) {
+	if util.IsEmptyString(form.SSPISeparatorReplacement) {
+		ctx.Data["Err_SSPISeparatorReplacement"] = true
+		return nil, errors.New(ctx.Tr("form.SSPISeparatorReplacement") + ctx.Tr("form.require_error"))
+	}
+	if separatorAntiPattern.MatchString(form.SSPISeparatorReplacement) {
+		ctx.Data["Err_SSPISeparatorReplacement"] = true
+		return nil, errors.New(ctx.Tr("form.SSPISeparatorReplacement") + ctx.Tr("form.alpha_dash_dot_error"))
+	}
+
+	if form.SSPIDefaultLanguage != "" && !langCodePattern.MatchString(form.SSPIDefaultLanguage) {
+		ctx.Data["Err_SSPIDefaultLanguage"] = true
+		return nil, errors.New(ctx.Tr("form.lang_select_error"))
+	}
+
+	return &models.SSPIConfig{
+		AutoCreateUsers:      form.SSPIAutoCreateUsers,
+		AutoActivateUsers:    form.SSPIAutoActivateUsers,
+		StripDomainNames:     form.SSPIStripDomainNames,
+		SeparatorReplacement: form.SSPISeparatorReplacement,
+		DefaultLanguage:      form.SSPIDefaultLanguage,
+	}, nil
+}
+
 // NewAuthSourcePost response for adding an auth source
 func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 	ctx.Data["Title"] = ctx.Tr("admin.auths.new")
@@ -166,6 +205,12 @@ func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 	ctx.Data["OAuth2Providers"] = models.OAuth2Providers
 	ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings
 
+	ctx.Data["SSPIAutoCreateUsers"] = true
+	ctx.Data["SSPIAutoActivateUsers"] = true
+	ctx.Data["SSPIStripDomainNames"] = true
+	ctx.Data["SSPISeparatorReplacement"] = "_"
+	ctx.Data["SSPIDefaultLanguage"] = ""
+
 	hasTLS := false
 	var config core.Conversion
 	switch models.LoginType(form.Type) {
@@ -181,6 +226,19 @@ func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 		}
 	case models.LoginOAuth2:
 		config = parseOAuth2Config(form)
+	case models.LoginSSPI:
+		var err error
+		config, err = parseSSPIConfig(ctx, form)
+		if err != nil {
+			ctx.RenderWithErr(err.Error(), tplAuthNew, form)
+			return
+		}
+		existing, err := models.LoginSourcesByType(models.LoginSSPI)
+		if err != nil || len(existing) > 0 {
+			ctx.Data["Err_Type"] = true
+			ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_of_type_exist"), tplAuthNew, form)
+			return
+		}
 	default:
 		ctx.Error(400)
 		return
@@ -274,6 +332,12 @@ func EditAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 		}
 	case models.LoginOAuth2:
 		config = parseOAuth2Config(form)
+	case models.LoginSSPI:
+		config, err = parseSSPIConfig(ctx, form)
+		if err != nil {
+			ctx.RenderWithErr(err.Error(), tplAuthEdit, form)
+			return
+		}
 	default:
 		ctx.Error(400)
 		return
diff --git a/routers/init.go b/routers/init.go
index 4623f02e66..e161143f47 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -10,6 +10,7 @@ import (
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/migrations"
+	"code.gitea.io/gitea/modules/auth/sso"
 	"code.gitea.io/gitea/modules/cache"
 	"code.gitea.io/gitea/modules/cron"
 	"code.gitea.io/gitea/modules/git"
@@ -124,4 +125,8 @@ func GlobalInit() {
 			ssh.Unused()
 		}
 	}
+
+	if setting.InstallLock {
+		sso.Init()
+	}
 }
diff --git a/routers/repo/http.go b/routers/repo/http.go
index 63cce0f713..0025ba2af4 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -19,7 +19,7 @@ import (
 	"time"
 
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/auth"
+	"code.gitea.io/gitea/modules/auth/sso"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/git"
@@ -169,7 +169,7 @@ func HTTP(ctx *context.Context) {
 				// Assume password is token
 				authToken = authPasswd
 			}
-			uid := auth.CheckOAuthAccessToken(authToken)
+			uid := sso.CheckOAuthAccessToken(authToken)
 			if uid != 0 {
 				ctx.Data["IsApiToken"] = true
 
diff --git a/routers/user/auth.go b/routers/user/auth.go
index d0ad4afffd..1596e11bbb 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -137,6 +137,7 @@ func SignIn(ctx *context.Context) {
 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
 	ctx.Data["PageIsSignIn"] = true
 	ctx.Data["PageIsLogin"] = true
+	ctx.Data["EnableSSPI"] = models.IsSSPIEnabled()
 
 	ctx.HTML(200, tplSignIn)
 }
@@ -156,6 +157,7 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
 	ctx.Data["PageIsSignIn"] = true
 	ctx.Data["PageIsLogin"] = true
+	ctx.Data["EnableSSPI"] = models.IsSSPIEnabled()
 
 	if ctx.HasError() {
 		ctx.HTML(200, tplSignIn)