diff options
Diffstat (limited to 'models')
| -rw-r--r-- | models/error.go | 40 | ||||
| -rw-r--r-- | models/external_login_user.go | 74 | ||||
| -rw-r--r-- | models/login_source.go | 160 | ||||
| -rw-r--r-- | models/migrations/migrations.go | 2 | ||||
| -rw-r--r-- | models/migrations/v18.go | 25 | ||||
| -rw-r--r-- | models/user.go | 21 |
6 files changed, 309 insertions, 13 deletions
diff --git a/models/error.go b/models/error.go index 85d250c84a..472c8c9426 100644 --- a/models/error.go +++ b/models/error.go @@ -847,3 +847,43 @@ func IsErrUploadNotExist(err error) bool { func (err ErrUploadNotExist) Error() string { return fmt.Sprintf("attachment does not exist [id: %d, uuid: %s]", err.ID, err.UUID) } + +// ___________ __ .__ .____ .__ ____ ___ +// \_ _____/__ ____/ |_ ___________ ____ _____ | | | | ____ ____ |__| ____ | | \______ ___________ +// | __)_\ \/ /\ __\/ __ \_ __ \/ \\__ \ | | | | / _ \ / ___\| |/ \ | | / ___// __ \_ __ \ +// | \> < | | \ ___/| | \/ | \/ __ \| |__ | |__( <_> ) /_/ > | | \ | | /\___ \\ ___/| | \/ +// /_______ /__/\_ \ |__| \___ >__| |___| (____ /____/ |_______ \____/\___ /|__|___| / |______//____ >\___ >__| +// \/ \/ \/ \/ \/ \/ /_____/ \/ \/ \/ + +// ErrExternalLoginUserAlreadyExist represents a "ExternalLoginUserAlreadyExist" kind of error. +type ErrExternalLoginUserAlreadyExist struct { + ExternalID string + UserID int64 + LoginSourceID int64 +} + +// IsErrExternalLoginUserAlreadyExist checks if an error is a ExternalLoginUserAlreadyExist. +func IsErrExternalLoginUserAlreadyExist(err error) bool { + _, ok := err.(ErrExternalLoginUserAlreadyExist) + return ok +} + +func (err ErrExternalLoginUserAlreadyExist) Error() string { + return fmt.Sprintf("external login user already exists [externalID: %s, userID: %d, loginSourceID: %d]", err.ExternalID, err.UserID, err.LoginSourceID) +} + +// ErrExternalLoginUserNotExist represents a "ExternalLoginUserNotExist" kind of error. +type ErrExternalLoginUserNotExist struct { + UserID int64 + LoginSourceID int64 +} + +// IsErrExternalLoginUserNotExist checks if an error is a ExternalLoginUserNotExist. +func IsErrExternalLoginUserNotExist(err error) bool { + _, ok := err.(ErrExternalLoginUserNotExist) + return ok +} + +func (err ErrExternalLoginUserNotExist) Error() string { + return fmt.Sprintf("external login user link does not exists [userID: %d, loginSourceID: %d]", err.UserID, err.LoginSourceID) +} diff --git a/models/external_login_user.go b/models/external_login_user.go new file mode 100644 index 0000000000..ade1b8a13b --- /dev/null +++ b/models/external_login_user.go @@ -0,0 +1,74 @@ +// Copyright 2017 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package models + +import "github.com/markbates/goth" + +// ExternalLoginUser makes the connecting between some existing user and additional external login sources +type ExternalLoginUser struct { + ExternalID string `xorm:"NOT NULL"` + UserID int64 `xorm:"NOT NULL"` + LoginSourceID int64 `xorm:"NOT NULL"` +} + +// GetExternalLogin checks if a externalID in loginSourceID scope already exists +func GetExternalLogin(externalLoginUser *ExternalLoginUser) (bool, error) { + return x.Get(externalLoginUser) +} + +// ListAccountLinks returns a map with the ExternalLoginUser and its LoginSource +func ListAccountLinks(user *User) ([]*ExternalLoginUser, error) { + externalAccounts := make([]*ExternalLoginUser, 0, 5) + err := x.Where("user_id=?", user.ID). + Desc("login_source_id"). + Find(&externalAccounts) + + if err != nil { + return nil, err + } + + return externalAccounts, nil +} + +// LinkAccountToUser link the gothUser to the user +func LinkAccountToUser(user *User, gothUser goth.User) error { + loginSource, err := GetActiveOAuth2LoginSourceByName(gothUser.Provider) + if err != nil { + return err + } + + externalLoginUser := &ExternalLoginUser{ + ExternalID: gothUser.UserID, + UserID: user.ID, + LoginSourceID: loginSource.ID, + } + has, err := x.Get(externalLoginUser) + if err != nil { + return err + } else if has { + return ErrExternalLoginUserAlreadyExist{gothUser.UserID, user.ID, loginSource.ID} + } + + _, err = x.Insert(externalLoginUser) + return err +} + +// RemoveAccountLink will remove all external login sources for the given user +func RemoveAccountLink(user *User, loginSourceID int64) (int64, error) { + deleted, err := x.Delete(&ExternalLoginUser{UserID: user.ID, LoginSourceID: loginSourceID}) + if err != nil { + return deleted, err + } + if deleted < 1 { + return deleted, ErrExternalLoginUserNotExist{user.ID, loginSourceID} + } + return deleted, err +} + +// RemoveAllAccountLinks will remove all external login sources for the given user +func RemoveAllAccountLinks(user *User) error { + _, err := x.Delete(&ExternalLoginUser{UserID: user.ID}) + return err +} diff --git a/models/login_source.go b/models/login_source.go index 3fe5e172e3..8d5d08dea6 100644 --- a/models/login_source.go +++ b/models/login_source.go @@ -22,6 +22,7 @@ import ( "code.gitea.io/gitea/modules/auth/ldap" "code.gitea.io/gitea/modules/auth/pam" "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/auth/oauth2" ) // LoginType represents an login type. @@ -30,19 +31,21 @@ type LoginType int // Note: new type must append to the end of list to maintain compatibility. const ( LoginNoType LoginType = iota - LoginPlain // 1 - LoginLDAP // 2 - LoginSMTP // 3 - LoginPAM // 4 - LoginDLDAP // 5 + LoginPlain // 1 + LoginLDAP // 2 + LoginSMTP // 3 + LoginPAM // 4 + LoginDLDAP // 5 + LoginOAuth2 // 6 ) // LoginNames contains the name of LoginType values. var LoginNames = map[LoginType]string{ - LoginLDAP: "LDAP (via BindDN)", - LoginDLDAP: "LDAP (simple auth)", // Via direct bind - LoginSMTP: "SMTP", - LoginPAM: "PAM", + LoginLDAP: "LDAP (via BindDN)", + LoginDLDAP: "LDAP (simple auth)", // Via direct bind + LoginSMTP: "SMTP", + LoginPAM: "PAM", + LoginOAuth2: "OAuth2", } // SecurityProtocolNames contains the name of SecurityProtocol values. @@ -57,6 +60,7 @@ var ( _ core.Conversion = &LDAPConfig{} _ core.Conversion = &SMTPConfig{} _ core.Conversion = &PAMConfig{} + _ core.Conversion = &OAuth2Config{} ) // LDAPConfig holds configuration for LDAP login source. @@ -115,6 +119,23 @@ func (cfg *PAMConfig) ToDB() ([]byte, error) { return json.Marshal(cfg) } +// OAuth2Config holds configuration for the OAuth2 login source. +type OAuth2Config struct { + Provider string + ClientID string + ClientSecret string +} + +// FromDB fills up an OAuth2Config from serialized format. +func (cfg *OAuth2Config) FromDB(bs []byte) error { + return json.Unmarshal(bs, cfg) +} + +// ToDB exports an SMTPConfig to a serialized format. +func (cfg *OAuth2Config) ToDB() ([]byte, error) { + return json.Marshal(cfg) +} + // LoginSource represents an external way for authorizing users. type LoginSource struct { ID int64 `xorm:"pk autoincr"` @@ -162,6 +183,8 @@ func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) { source.Cfg = new(SMTPConfig) case LoginPAM: source.Cfg = new(PAMConfig) + case LoginOAuth2: + source.Cfg = new(OAuth2Config) default: panic("unrecognized login source type: " + com.ToStr(*val)) } @@ -203,6 +226,11 @@ func (source *LoginSource) IsPAM() bool { return source.Type == LoginPAM } +// IsOAuth2 returns true of this source is of the OAuth2 type. +func (source *LoginSource) IsOAuth2() bool { + return source.Type == LoginOAuth2 +} + // HasTLS returns true of this source supports TLS. func (source *LoginSource) HasTLS() bool { return ((source.IsLDAP() || source.IsDLDAP()) && @@ -250,6 +278,11 @@ func (source *LoginSource) PAM() *PAMConfig { return source.Cfg.(*PAMConfig) } +// OAuth2 returns OAuth2Config for this source, if of OAuth2 type. +func (source *LoginSource) OAuth2() *OAuth2Config { + return source.Cfg.(*OAuth2Config) +} + // CreateLoginSource inserts a LoginSource in the DB if not already // existing with the given name. func CreateLoginSource(source *LoginSource) error { @@ -261,12 +294,16 @@ func CreateLoginSource(source *LoginSource) error { } _, err = x.Insert(source) + if err == nil && source.IsOAuth2() { + oAuth2Config := source.OAuth2() + oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret) + } return err } // LoginSources returns a slice of all login sources found in DB. func LoginSources() ([]*LoginSource, error) { - auths := make([]*LoginSource, 0, 5) + auths := make([]*LoginSource, 0, 6) return auths, x.Find(&auths) } @@ -285,6 +322,11 @@ func GetLoginSourceByID(id int64) (*LoginSource, error) { // UpdateSource updates a LoginSource record in DB. func UpdateSource(source *LoginSource) error { _, err := x.Id(source.ID).AllCols().Update(source) + if err == nil && source.IsOAuth2() { + oAuth2Config := source.OAuth2() + oauth2.RemoveProvider(source.Name) + oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret) + } return err } @@ -296,6 +338,18 @@ func DeleteSource(source *LoginSource) error { } else if count > 0 { return ErrLoginSourceInUse{source.ID} } + + count, err = x.Count(&ExternalLoginUser{LoginSourceID: source.ID}) + if err != nil { + return err + } else if count > 0 { + return ErrLoginSourceInUse{source.ID} + } + + if source.IsOAuth2() { + oauth2.RemoveProvider(source.Name) + } + _, err = x.Id(source.ID).Delete(new(LoginSource)) return err } @@ -444,7 +498,7 @@ func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPC idx := strings.Index(login, "@") if idx == -1 { return nil, ErrUserNotExist{0, login, 0} - } else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) { + } else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx + 1:]) { return nil, ErrUserNotExist{0, login, 0} } } @@ -526,6 +580,27 @@ func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMCon return user, CreateUser(user) } +// ________ _____ __ .__ ________ +// \_____ \ / _ \ __ ___/ |_| |__ \_____ \ +// / | \ / /_\ \| | \ __\ | \ / ____/ +// / | \/ | \ | /| | | Y \/ \ +// \_______ /\____|__ /____/ |__| |___| /\_______ \ +// \/ \/ \/ \/ + +// OAuth2Provider describes the display values of a single OAuth2 provider +type OAuth2Provider struct { + Name string + DisplayName string + Image string +} + +// OAuth2Providers contains the map of registered OAuth2 providers in Gitea (based on goth) +// key is used to map the OAuth2Provider with the goth provider type (also in LoginSource.OAuth2Config.Provider) +// value is used to store display data +var OAuth2Providers = map[string]OAuth2Provider{ + "github": {Name: "github", DisplayName:"GitHub", Image: "/img/github.png"}, +} + // ExternalUserLogin attempts a login using external source types. func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) { if !source.IsActived { @@ -560,7 +635,7 @@ func UserSignIn(username, password string) (*User, error) { if hasUser { switch user.LoginType { - case LoginNoType, LoginPlain: + case LoginNoType, LoginPlain, LoginOAuth2: if user.ValidatePassword(password) { return user, nil } @@ -580,12 +655,16 @@ func UserSignIn(username, password string) (*User, error) { } } - sources := make([]*LoginSource, 0, 3) + sources := make([]*LoginSource, 0, 5) if err = x.UseBool().Find(&sources, &LoginSource{IsActived: true}); err != nil { return nil, err } for _, source := range sources { + if source.IsOAuth2() { + // don't try to authenticate against OAuth2 sources + continue + } authUser, err := ExternalUserLogin(nil, username, password, source, true) if err == nil { return authUser, nil @@ -596,3 +675,58 @@ func UserSignIn(username, password string) (*User, error) { return nil, ErrUserNotExist{user.ID, user.Name, 0} } + +// GetActiveOAuth2ProviderLoginSources returns all actived LoginOAuth2 sources +func GetActiveOAuth2ProviderLoginSources() ([]*LoginSource, error) { + sources := make([]*LoginSource, 0, 1) + if err := x.UseBool().Find(&sources, &LoginSource{IsActived: true, Type: LoginOAuth2}); err != nil { + return nil, err + } + return sources, nil +} + +// GetActiveOAuth2LoginSourceByName returns a OAuth2 LoginSource based on the given name +func GetActiveOAuth2LoginSourceByName(name string) (*LoginSource, error) { + loginSource := &LoginSource{ + Name: name, + Type: LoginOAuth2, + IsActived: true, + } + + has, err := x.UseBool().Get(loginSource) + if !has || err != nil { + return nil, err + } + + return loginSource, nil +} + +// GetActiveOAuth2Providers returns the map of configured active OAuth2 providers +// key is used as technical name (like in the callbackURL) +// values to display +func GetActiveOAuth2Providers() (map[string]OAuth2Provider, error) { + // Maybe also seperate used and unused providers so we can force the registration of only 1 active provider for each type + + loginSources, err := GetActiveOAuth2ProviderLoginSources() + if err != nil { + return nil, err + } + + providers := make(map[string]OAuth2Provider) + for _, source := range loginSources { + providers[source.Name] = OAuth2Providers[source.OAuth2().Provider] + } + + return providers, nil +} + +// InitOAuth2 initialize the OAuth2 lib and register all active OAuth2 providers in the library +func InitOAuth2() { + oauth2.Init() + loginSources, _ := GetActiveOAuth2ProviderLoginSources() + + for _, source := range loginSources { + oAuth2Config := source.OAuth2() + oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret) + } +} diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index e54d502b7d..2a1c70af77 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -84,6 +84,8 @@ var migrations = []Migration{ NewMigration("create repo unit table and add units for all repos", addUnitsToTables), // v17 -> v18 NewMigration("set protect branches updated with created", setProtectedBranchUpdatedWithCreated), + // v18 -> v19 + NewMigration("add external login user", addExternalLoginUser), } // Migrate database to current version diff --git a/models/migrations/v18.go b/models/migrations/v18.go new file mode 100644 index 0000000000..be51615341 --- /dev/null +++ b/models/migrations/v18.go @@ -0,0 +1,25 @@ +// Copyright 2016 Gitea. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package migrations + +import ( + "fmt" + + "github.com/go-xorm/xorm" +) + +// ExternalLoginUser makes the connecting between some existing user and additional external login sources +type ExternalLoginUser struct { + ExternalID string `xorm:"NOT NULL"` + UserID int64 `xorm:"NOT NULL"` + LoginSourceID int64 `xorm:"NOT NULL"` +} + +func addExternalLoginUser(x *xorm.Engine) error { + if err := x.Sync2(new(ExternalLoginUser)); err != nil { + return fmt.Errorf("Sync2: %v", err) + } + return nil +} diff --git a/models/user.go b/models/user.go index c9ddbe7c8b..d0f711448d 100644 --- a/models/user.go +++ b/models/user.go @@ -196,6 +196,11 @@ func (u *User) IsLocal() bool { return u.LoginType <= LoginPlain } +// IsOAuth2 returns true if user login type is LoginOAuth2. +func (u *User) IsOAuth2() bool { + return u.LoginType == LoginOAuth2 +} + // HasForkedRepo checks if user has already forked a repository with given ID. func (u *User) HasForkedRepo(repoID int64) bool { _, has := HasForkedRepo(u.ID, repoID) @@ -397,6 +402,11 @@ func (u *User) ValidatePassword(passwd string) bool { return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1 } +// IsPasswordSet checks if the password is set or left empty +func (u *User) IsPasswordSet() bool { + return !u.ValidatePassword("") +} + // UploadAvatar saves custom avatar for user. // FIXME: split uploads to different subdirs in case we have massive users. func (u *User) UploadAvatar(data []byte) error { @@ -947,6 +957,12 @@ func deleteUser(e *xorm.Session, u *User) error { return fmt.Errorf("clear assignee: %v", err) } + // ***** START: ExternalLoginUser ***** + if err = RemoveAllAccountLinks(u); err != nil { + return fmt.Errorf("ExternalLoginUser: %v", err) + } + // ***** END: ExternalLoginUser ***** + if _, err = e.Id(u.ID).Delete(new(User)); err != nil { return fmt.Errorf("Delete: %v", err) } @@ -1190,6 +1206,11 @@ func GetUserByEmail(email string) (*User, error) { return nil, ErrUserNotExist{0, email, 0} } +// GetUser checks if a user already exists +func GetUser(user *User) (bool, error) { + return x.Get(user) +} + // SearchUserOptions contains the options for searching type SearchUserOptions struct { Keyword string |