Map OIDC groups to Orgs/Teams (#21441)

Fixes #19555

Test-Instructions:
https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000

This PR implements the mapping of user groups provided by OIDC providers
to orgs teams in Gitea. The main part is a refactoring of the existing
LDAP code to make it usable from different providers.

Refactorings:
- Moved the router auth code from module to service because of import
cycles
- Changed some model methods to take a `Context` parameter
- Moved the mapping code from LDAP to a common location

I've tested it with Keycloak but other providers should work too. The
JSON mapping format is the same as for LDAP.


![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png)

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

1 files changed, 60 insertions, 0 deletions

diff --git a/services/auth/middleware.go b/services/auth/middleware.go
new file mode 100644
index 0000000000..cccaab2998
--- /dev/null
+++ b/services/auth/middleware.go
@@ -0,0 +1,60 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package auth
+
+import (
+	"net/http"
+
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/web/middleware"
+)
+
+// Auth is a middleware to authenticate a web user
+func Auth(authMethod Method) func(*context.Context) {
+	return func(ctx *context.Context) {
+		if err := authShared(ctx, authMethod); err != nil {
+			log.Error("Failed to verify user: %v", err)
+			ctx.Error(http.StatusUnauthorized, "Verify")
+			return
+		}
+		if ctx.Doer == nil {
+			// ensure the session uid is deleted
+			_ = ctx.Session.Delete("uid")
+		}
+	}
+}
+
+// APIAuth is a middleware to authenticate an api user
+func APIAuth(authMethod Method) func(*context.APIContext) {
+	return func(ctx *context.APIContext) {
+		if err := authShared(ctx.Context, authMethod); err != nil {
+			ctx.Error(http.StatusUnauthorized, "APIAuth", err)
+		}
+	}
+}
+
+func authShared(ctx *context.Context, authMethod Method) error {
+	var err error
+	ctx.Doer, err = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+	if err != nil {
+		return err
+	}
+	if ctx.Doer != nil {
+		if ctx.Locale.Language() != ctx.Doer.Language {
+			ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
+		}
+		ctx.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == BasicMethodName
+		ctx.IsSigned = true
+		ctx.Data["IsSigned"] = ctx.IsSigned
+		ctx.Data["SignedUser"] = ctx.Doer
+		ctx.Data["SignedUserID"] = ctx.Doer.ID
+		ctx.Data["SignedUserName"] = ctx.Doer.Name
+		ctx.Data["IsAdmin"] = ctx.Doer.IsAdmin
+	} else {
+		ctx.Data["SignedUserID"] = int64(0)
+		ctx.Data["SignedUserName"] = ""
+	}
+	return nil
+}