@@ -15,8 +15,8 @@ import ( | |||
"code.gitea.io/gitea/models" | |||
asymkey_model "code.gitea.io/gitea/models/asymkey" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/git" | |||
"code.gitea.io/gitea/modules/graceful" | |||
@@ -700,8 +700,8 @@ func runAddOauth(c *cli.Context) error { | |||
return err | |||
} | |||
return login.CreateSource(&login.Source{ | |||
Type: login.OAuth2, | |||
return auth.CreateSource(&auth.Source{ | |||
Type: auth.OAuth2, | |||
Name: c.String("name"), | |||
IsActive: true, | |||
Cfg: parseOAuth2Config(c), | |||
@@ -720,7 +720,7 @@ func runUpdateOauth(c *cli.Context) error { | |||
return err | |||
} | |||
source, err := login.GetSourceByID(c.Int64("id")) | |||
source, err := auth.GetSourceByID(c.Int64("id")) | |||
if err != nil { | |||
return err | |||
} | |||
@@ -801,7 +801,7 @@ func runUpdateOauth(c *cli.Context) error { | |||
oAuth2Config.CustomURLMapping = customURLMapping | |||
source.Cfg = oAuth2Config | |||
return login.UpdateSource(source) | |||
return auth.UpdateSource(source) | |||
} | |||
func runListAuth(c *cli.Context) error { | |||
@@ -812,7 +812,7 @@ func runListAuth(c *cli.Context) error { | |||
return err | |||
} | |||
loginSources, err := login.Sources() | |||
authSources, err := auth.Sources() | |||
if err != nil { | |||
return err | |||
@@ -831,7 +831,7 @@ func runListAuth(c *cli.Context) error { | |||
// loop through each source and print | |||
w := tabwriter.NewWriter(os.Stdout, c.Int("min-width"), c.Int("tab-width"), c.Int("padding"), padChar, flags) | |||
fmt.Fprintf(w, "ID\tName\tType\tEnabled\n") | |||
for _, source := range loginSources { | |||
for _, source := range authSources { | |||
fmt.Fprintf(w, "%d\t%s\t%s\t%t\n", source.ID, source.Name, source.Type.String(), source.IsActive) | |||
} | |||
w.Flush() | |||
@@ -851,10 +851,10 @@ func runDeleteAuth(c *cli.Context) error { | |||
return err | |||
} | |||
source, err := login.GetSourceByID(c.Int64("id")) | |||
source, err := auth.GetSourceByID(c.Int64("id")) | |||
if err != nil { | |||
return err | |||
} | |||
return auth_service.DeleteLoginSource(source) | |||
return auth_service.DeleteSource(source) | |||
} |
@@ -9,7 +9,7 @@ import ( | |||
"fmt" | |||
"strings" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/services/auth/source/ldap" | |||
"github.com/urfave/cli" | |||
@@ -17,10 +17,10 @@ import ( | |||
type ( | |||
authService struct { | |||
initDB func(ctx context.Context) error | |||
createLoginSource func(loginSource *login.Source) error | |||
updateLoginSource func(loginSource *login.Source) error | |||
getLoginSourceByID func(id int64) (*login.Source, error) | |||
initDB func(ctx context.Context) error | |||
createAuthSource func(*auth.Source) error | |||
updateAuthSource func(*auth.Source) error | |||
getAuthSourceByID func(id int64) (*auth.Source, error) | |||
} | |||
) | |||
@@ -168,23 +168,23 @@ var ( | |||
// newAuthService creates a service with default functions. | |||
func newAuthService() *authService { | |||
return &authService{ | |||
initDB: initDB, | |||
createLoginSource: login.CreateSource, | |||
updateLoginSource: login.UpdateSource, | |||
getLoginSourceByID: login.GetSourceByID, | |||
initDB: initDB, | |||
createAuthSource: auth.CreateSource, | |||
updateAuthSource: auth.UpdateSource, | |||
getAuthSourceByID: auth.GetSourceByID, | |||
} | |||
} | |||
// parseLoginSource assigns values on loginSource according to command line flags. | |||
func parseLoginSource(c *cli.Context, loginSource *login.Source) { | |||
// parseAuthSource assigns values on authSource according to command line flags. | |||
func parseAuthSource(c *cli.Context, authSource *auth.Source) { | |||
if c.IsSet("name") { | |||
loginSource.Name = c.String("name") | |||
authSource.Name = c.String("name") | |||
} | |||
if c.IsSet("not-active") { | |||
loginSource.IsActive = !c.Bool("not-active") | |||
authSource.IsActive = !c.Bool("not-active") | |||
} | |||
if c.IsSet("synchronize-users") { | |||
loginSource.IsSyncEnabled = c.Bool("synchronize-users") | |||
authSource.IsSyncEnabled = c.Bool("synchronize-users") | |||
} | |||
} | |||
@@ -275,23 +275,23 @@ func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) { | |||
return 0, false | |||
} | |||
// getLoginSource gets the login source by its id defined in the command line flags. | |||
// getAuthSource gets the login source by its id defined in the command line flags. | |||
// It returns an error if the id is not set, does not match any source or if the source is not of expected type. | |||
func (a *authService) getLoginSource(c *cli.Context, loginType login.Type) (*login.Source, error) { | |||
func (a *authService) getAuthSource(c *cli.Context, authType auth.Type) (*auth.Source, error) { | |||
if err := argsSet(c, "id"); err != nil { | |||
return nil, err | |||
} | |||
loginSource, err := a.getLoginSourceByID(c.Int64("id")) | |||
authSource, err := a.getAuthSourceByID(c.Int64("id")) | |||
if err != nil { | |||
return nil, err | |||
} | |||
if loginSource.Type != loginType { | |||
return nil, fmt.Errorf("Invalid authentication type. expected: %s, actual: %s", loginType.String(), loginSource.Type.String()) | |||
if authSource.Type != authType { | |||
return nil, fmt.Errorf("Invalid authentication type. expected: %s, actual: %s", authType.String(), authSource.Type.String()) | |||
} | |||
return loginSource, nil | |||
return authSource, nil | |||
} | |||
// addLdapBindDn adds a new LDAP via Bind DN authentication source. | |||
@@ -307,20 +307,20 @@ func (a *authService) addLdapBindDn(c *cli.Context) error { | |||
return err | |||
} | |||
loginSource := &login.Source{ | |||
Type: login.LDAP, | |||
authSource := &auth.Source{ | |||
Type: auth.LDAP, | |||
IsActive: true, // active by default | |||
Cfg: &ldap.Source{ | |||
Enabled: true, // always true | |||
}, | |||
} | |||
parseLoginSource(c, loginSource) | |||
if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil { | |||
parseAuthSource(c, authSource) | |||
if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil { | |||
return err | |||
} | |||
return a.createLoginSource(loginSource) | |||
return a.createAuthSource(authSource) | |||
} | |||
// updateLdapBindDn updates a new LDAP via Bind DN authentication source. | |||
@@ -332,17 +332,17 @@ func (a *authService) updateLdapBindDn(c *cli.Context) error { | |||
return err | |||
} | |||
loginSource, err := a.getLoginSource(c, login.LDAP) | |||
authSource, err := a.getAuthSource(c, auth.LDAP) | |||
if err != nil { | |||
return err | |||
} | |||
parseLoginSource(c, loginSource) | |||
if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil { | |||
parseAuthSource(c, authSource) | |||
if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil { | |||
return err | |||
} | |||
return a.updateLoginSource(loginSource) | |||
return a.updateAuthSource(authSource) | |||
} | |||
// addLdapSimpleAuth adds a new LDAP (simple auth) authentication source. | |||
@@ -358,20 +358,20 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error { | |||
return err | |||
} | |||
loginSource := &login.Source{ | |||
Type: login.DLDAP, | |||
authSource := &auth.Source{ | |||
Type: auth.DLDAP, | |||
IsActive: true, // active by default | |||
Cfg: &ldap.Source{ | |||
Enabled: true, // always true | |||
}, | |||
} | |||
parseLoginSource(c, loginSource) | |||
if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil { | |||
parseAuthSource(c, authSource) | |||
if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil { | |||
return err | |||
} | |||
return a.createLoginSource(loginSource) | |||
return a.createAuthSource(authSource) | |||
} | |||
// updateLdapBindDn updates a new LDAP (simple auth) authentication source. | |||
@@ -383,15 +383,15 @@ func (a *authService) updateLdapSimpleAuth(c *cli.Context) error { | |||
return err | |||
} | |||
loginSource, err := a.getLoginSource(c, login.DLDAP) | |||
authSource, err := a.getAuthSource(c, auth.DLDAP) | |||
if err != nil { | |||
return err | |||
} | |||
parseLoginSource(c, loginSource) | |||
if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil { | |||
parseAuthSource(c, authSource) | |||
if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil { | |||
return err | |||
} | |||
return a.updateLoginSource(loginSource) | |||
return a.updateAuthSource(authSource) | |||
} |
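Review bot: The doc comment on getAuthSource, `// getAuthSource gets the login source by its id defined in the command line flags.`, still says "login source" after the function, its parameter and its types were all renamed to auth; suggest `// getAuthSource gets the auth source by its id defined in the command line flags.` so the comment follows the new vocabulary. While touching this file, the unchanged context line `// updateLdapBindDn updates a new LDAP (simple auth) authentication source.` sits above updateLdapSimpleAuth and names the wrong function (and "updates a new" reads oddly in both update comments), which is cheap to fix in the same pass. Note that the error text getAuthSource builds ("Invalid authentication type. expected: …") is asserted verbatim in the test file, so any rewording there has to be mirrored in the test expectations.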
@@ -8,7 +8,7 @@ import ( | |||
"context" | |||
"testing" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/services/auth/source/ldap" | |||
"github.com/stretchr/testify/assert" | |||
@@ -23,9 +23,9 @@ func TestAddLdapBindDn(t *testing.T) { | |||
// Test cases | |||
var cases = []struct { | |||
args []string | |||
loginSource *login.Source | |||
errMsg string | |||
args []string | |||
source *auth.Source | |||
errMsg string | |||
}{ | |||
// case 0 | |||
{ | |||
@@ -53,8 +53,8 @@ func TestAddLdapBindDn(t *testing.T) { | |||
"--synchronize-users", | |||
"--page-size", "99", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
source: &auth.Source{ | |||
Type: auth.LDAP, | |||
Name: "ldap (via Bind DN) source full", | |||
IsActive: false, | |||
IsSyncEnabled: true, | |||
@@ -94,8 +94,8 @@ func TestAddLdapBindDn(t *testing.T) { | |||
"--user-filter", "(memberOf=cn=user-group,ou=example,dc=min-domain-bind,dc=org)", | |||
"--email-attribute", "mail-bind min", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
source: &auth.Source{ | |||
Type: auth.LDAP, | |||
Name: "ldap (via Bind DN) source min", | |||
IsActive: true, | |||
Cfg: &ldap.Source{ | |||
@@ -206,21 +206,21 @@ func TestAddLdapBindDn(t *testing.T) { | |||
for n, c := range cases { | |||
// Mock functions. | |||
var createdLoginSource *login.Source | |||
var createdAuthSource *auth.Source | |||
service := &authService{ | |||
initDB: func(context.Context) error { | |||
return nil | |||
}, | |||
createLoginSource: func(loginSource *login.Source) error { | |||
createdLoginSource = loginSource | |||
createAuthSource: func(authSource *auth.Source) error { | |||
createdAuthSource = authSource | |||
return nil | |||
}, | |||
updateLoginSource: func(loginSource *login.Source) error { | |||
assert.FailNow(t, "case %d: should not call updateLoginSource", n) | |||
updateAuthSource: func(authSource *auth.Source) error { | |||
assert.FailNow(t, "case %d: should not call updateAuthSource", n) | |||
return nil | |||
}, | |||
getLoginSourceByID: func(id int64) (*login.Source, error) { | |||
assert.FailNow(t, "case %d: should not call getLoginSourceByID", n) | |||
getAuthSourceByID: func(id int64) (*auth.Source, error) { | |||
assert.FailNow(t, "case %d: should not call getAuthSourceByID", n) | |||
return nil, nil | |||
}, | |||
} | |||
@@ -236,7 +236,7 @@ func TestAddLdapBindDn(t *testing.T) { | |||
assert.EqualError(t, err, c.errMsg, "case %d: error should match", n) | |||
} else { | |||
assert.NoError(t, err, "case %d: should have no errors", n) | |||
assert.Equal(t, c.loginSource, createdLoginSource, "case %d: wrong loginSource", n) | |||
assert.Equal(t, c.source, createdAuthSource, "case %d: wrong authSource", n) | |||
} | |||
} | |||
} | |||
@@ -249,9 +249,9 @@ func TestAddLdapSimpleAuth(t *testing.T) { | |||
// Test cases | |||
var cases = []struct { | |||
args []string | |||
loginSource *login.Source | |||
errMsg string | |||
args []string | |||
authSource *auth.Source | |||
errMsg string | |||
}{ | |||
// case 0 | |||
{ | |||
@@ -275,8 +275,8 @@ func TestAddLdapSimpleAuth(t *testing.T) { | |||
"--avatar-attribute", "avatar-simple full", | |||
"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Name: "ldap (simple auth) source full", | |||
IsActive: false, | |||
Cfg: &ldap.Source{ | |||
@@ -312,8 +312,8 @@ func TestAddLdapSimpleAuth(t *testing.T) { | |||
"--email-attribute", "mail-simple min", | |||
"--user-dn", "cn=%s,ou=Users,dc=min-domain-simple,dc=org", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Name: "ldap (simple auth) source min", | |||
IsActive: true, | |||
Cfg: &ldap.Source{ | |||
@@ -437,21 +437,21 @@ func TestAddLdapSimpleAuth(t *testing.T) { | |||
for n, c := range cases { | |||
// Mock functions. | |||
var createdLoginSource *login.Source | |||
var createdAuthSource *auth.Source | |||
service := &authService{ | |||
initDB: func(context.Context) error { | |||
return nil | |||
}, | |||
createLoginSource: func(loginSource *login.Source) error { | |||
createdLoginSource = loginSource | |||
createAuthSource: func(authSource *auth.Source) error { | |||
createdAuthSource = authSource | |||
return nil | |||
}, | |||
updateLoginSource: func(loginSource *login.Source) error { | |||
assert.FailNow(t, "case %d: should not call updateLoginSource", n) | |||
updateAuthSource: func(authSource *auth.Source) error { | |||
assert.FailNow(t, "case %d: should not call updateAuthSource", n) | |||
return nil | |||
}, | |||
getLoginSourceByID: func(id int64) (*login.Source, error) { | |||
assert.FailNow(t, "case %d: should not call getLoginSourceByID", n) | |||
getAuthSourceByID: func(id int64) (*auth.Source, error) { | |||
assert.FailNow(t, "case %d: should not call getAuthSourceByID", n) | |||
return nil, nil | |||
}, | |||
} | |||
@@ -467,7 +467,7 @@ func TestAddLdapSimpleAuth(t *testing.T) { | |||
assert.EqualError(t, err, c.errMsg, "case %d: error should match", n) | |||
} else { | |||
assert.NoError(t, err, "case %d: should have no errors", n) | |||
assert.Equal(t, c.loginSource, createdLoginSource, "case %d: wrong loginSource", n) | |||
assert.Equal(t, c.authSource, createdAuthSource, "case %d: wrong authSource", n) | |||
} | |||
} | |||
} | |||
@@ -480,11 +480,11 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
// Test cases | |||
var cases = []struct { | |||
args []string | |||
id int64 | |||
existingLoginSource *login.Source | |||
loginSource *login.Source | |||
errMsg string | |||
args []string | |||
id int64 | |||
existingAuthSource *auth.Source | |||
authSource *auth.Source | |||
errMsg string | |||
}{ | |||
// case 0 | |||
{ | |||
@@ -513,15 +513,15 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--page-size", "99", | |||
}, | |||
id: 23, | |||
existingLoginSource: &login.Source{ | |||
Type: login.LDAP, | |||
existingAuthSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
IsActive: true, | |||
Cfg: &ldap.Source{ | |||
Enabled: true, | |||
}, | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Name: "ldap (via Bind DN) source full", | |||
IsActive: false, | |||
IsSyncEnabled: true, | |||
@@ -555,8 +555,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"ldap-test", | |||
"--id", "1", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{}, | |||
}, | |||
}, | |||
@@ -567,8 +567,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--name", "ldap (via Bind DN) source", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Name: "ldap (via Bind DN) source", | |||
Cfg: &ldap.Source{ | |||
Name: "ldap (via Bind DN) source", | |||
@@ -582,13 +582,13 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--not-active", | |||
}, | |||
existingLoginSource: &login.Source{ | |||
Type: login.LDAP, | |||
existingAuthSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
IsActive: true, | |||
Cfg: &ldap.Source{}, | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
IsActive: false, | |||
Cfg: &ldap.Source{}, | |||
}, | |||
@@ -600,8 +600,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--security-protocol", "LDAPS", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
SecurityProtocol: ldap.SecurityProtocol(1), | |||
}, | |||
@@ -614,8 +614,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--skip-tls-verify", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
SkipVerify: true, | |||
}, | |||
@@ -628,8 +628,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--host", "ldap-server", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
Host: "ldap-server", | |||
}, | |||
@@ -642,8 +642,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--port", "389", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
Port: 389, | |||
}, | |||
@@ -656,8 +656,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--user-search-base", "ou=Users,dc=domain,dc=org", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
UserBase: "ou=Users,dc=domain,dc=org", | |||
}, | |||
@@ -670,8 +670,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--user-filter", "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
Filter: "(memberOf=cn=user-group,ou=example,dc=domain,dc=org)", | |||
}, | |||
@@ -684,8 +684,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", | |||
}, | |||
@@ -698,8 +698,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--username-attribute", "uid", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeUsername: "uid", | |||
}, | |||
@@ -712,8 +712,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--firstname-attribute", "givenName", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeName: "givenName", | |||
}, | |||
@@ -726,8 +726,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--surname-attribute", "sn", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeSurname: "sn", | |||
}, | |||
@@ -740,8 +740,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--email-attribute", "mail", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeMail: "mail", | |||
}, | |||
@@ -754,8 +754,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--attributes-in-bind", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
AttributesInBind: true, | |||
}, | |||
@@ -768,8 +768,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--public-ssh-key-attribute", "publickey", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeSSHPublicKey: "publickey", | |||
}, | |||
@@ -782,8 +782,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--bind-dn", "cn=readonly,dc=domain,dc=org", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
BindDN: "cn=readonly,dc=domain,dc=org", | |||
}, | |||
@@ -796,8 +796,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--bind-password", "secret", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
BindPassword: "secret", | |||
}, | |||
@@ -810,8 +810,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--synchronize-users", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
IsSyncEnabled: true, | |||
Cfg: &ldap.Source{}, | |||
}, | |||
@@ -823,8 +823,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"--id", "1", | |||
"--page-size", "12", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.LDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{ | |||
SearchPageSize: 12, | |||
}, | |||
@@ -852,8 +852,8 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
"ldap-test", | |||
"--id", "1", | |||
}, | |||
existingLoginSource: &login.Source{ | |||
Type: login.OAuth2, | |||
existingAuthSource: &auth.Source{ | |||
Type: auth.OAuth2, | |||
Cfg: &ldap.Source{}, | |||
}, | |||
errMsg: "Invalid authentication type. expected: LDAP (via BindDN), actual: OAuth2", | |||
@@ -862,28 +862,28 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
for n, c := range cases { | |||
// Mock functions. | |||
var updatedLoginSource *login.Source | |||
var updatedAuthSource *auth.Source | |||
service := &authService{ | |||
initDB: func(context.Context) error { | |||
return nil | |||
}, | |||
createLoginSource: func(loginSource *login.Source) error { | |||
assert.FailNow(t, "case %d: should not call createLoginSource", n) | |||
createAuthSource: func(authSource *auth.Source) error { | |||
assert.FailNow(t, "case %d: should not call createAuthSource", n) | |||
return nil | |||
}, | |||
updateLoginSource: func(loginSource *login.Source) error { | |||
updatedLoginSource = loginSource | |||
updateAuthSource: func(authSource *auth.Source) error { | |||
updatedAuthSource = authSource | |||
return nil | |||
}, | |||
getLoginSourceByID: func(id int64) (*login.Source, error) { | |||
getAuthSourceByID: func(id int64) (*auth.Source, error) { | |||
if c.id != 0 { | |||
assert.Equal(t, c.id, id, "case %d: wrong id", n) | |||
} | |||
if c.existingLoginSource != nil { | |||
return c.existingLoginSource, nil | |||
if c.existingAuthSource != nil { | |||
return c.existingAuthSource, nil | |||
} | |||
return &login.Source{ | |||
Type: login.LDAP, | |||
return &auth.Source{ | |||
Type: auth.LDAP, | |||
Cfg: &ldap.Source{}, | |||
}, nil | |||
}, | |||
@@ -900,7 +900,7 @@ func TestUpdateLdapBindDn(t *testing.T) { | |||
assert.EqualError(t, err, c.errMsg, "case %d: error should match", n) | |||
} else { | |||
assert.NoError(t, err, "case %d: should have no errors", n) | |||
assert.Equal(t, c.loginSource, updatedLoginSource, "case %d: wrong loginSource", n) | |||
assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n) | |||
} | |||
} | |||
} | |||
@@ -913,11 +913,11 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
// Test cases | |||
var cases = []struct { | |||
args []string | |||
id int64 | |||
existingLoginSource *login.Source | |||
loginSource *login.Source | |||
errMsg string | |||
args []string | |||
id int64 | |||
existingAuthSource *auth.Source | |||
authSource *auth.Source | |||
errMsg string | |||
}{ | |||
// case 0 | |||
{ | |||
@@ -943,8 +943,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org", | |||
}, | |||
id: 7, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Name: "ldap (simple auth) source full", | |||
IsActive: false, | |||
Cfg: &ldap.Source{ | |||
@@ -973,8 +973,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"ldap-test", | |||
"--id", "1", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{}, | |||
}, | |||
}, | |||
@@ -985,8 +985,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--name", "ldap (simple auth) source", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Name: "ldap (simple auth) source", | |||
Cfg: &ldap.Source{ | |||
Name: "ldap (simple auth) source", | |||
@@ -1000,13 +1000,13 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--not-active", | |||
}, | |||
existingLoginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
existingAuthSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
IsActive: true, | |||
Cfg: &ldap.Source{}, | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
IsActive: false, | |||
Cfg: &ldap.Source{}, | |||
}, | |||
@@ -1018,8 +1018,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--security-protocol", "starttls", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
SecurityProtocol: ldap.SecurityProtocol(2), | |||
}, | |||
@@ -1032,8 +1032,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--skip-tls-verify", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
SkipVerify: true, | |||
}, | |||
@@ -1046,8 +1046,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--host", "ldap-server", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
Host: "ldap-server", | |||
}, | |||
@@ -1060,8 +1060,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--port", "987", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
Port: 987, | |||
}, | |||
@@ -1074,8 +1074,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--user-search-base", "ou=Users,dc=domain,dc=org", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
UserBase: "ou=Users,dc=domain,dc=org", | |||
}, | |||
@@ -1088,8 +1088,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--user-filter", "(&(objectClass=posixAccount)(cn=%s))", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
Filter: "(&(objectClass=posixAccount)(cn=%s))", | |||
}, | |||
@@ -1102,8 +1102,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=domain,dc=org)", | |||
}, | |||
@@ -1116,8 +1116,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--username-attribute", "uid", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeUsername: "uid", | |||
}, | |||
@@ -1130,8 +1130,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--firstname-attribute", "givenName", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeName: "givenName", | |||
}, | |||
@@ -1144,8 +1144,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--surname-attribute", "sn", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeSurname: "sn", | |||
}, | |||
@@ -1158,8 +1158,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--email-attribute", "mail", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeMail: "mail", | |||
@@ -1173,8 +1173,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--public-ssh-key-attribute", "publickey", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
AttributeSSHPublicKey: "publickey", | |||
}, | |||
@@ -1187,8 +1187,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"--id", "1", | |||
"--user-dn", "cn=%s,ou=Users,dc=domain,dc=org", | |||
}, | |||
loginSource: &login.Source{ | |||
Type: login.DLDAP, | |||
authSource: &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{ | |||
UserDN: "cn=%s,ou=Users,dc=domain,dc=org", | |||
}, | |||
@@ -1216,8 +1216,8 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
"ldap-test", | |||
"--id", "1", | |||
}, | |||
existingLoginSource: &login.Source{ | |||
Type: login.PAM, | |||
existingAuthSource: &auth.Source{ | |||
Type: auth.PAM, | |||
Cfg: &ldap.Source{}, | |||
}, | |||
errMsg: "Invalid authentication type. expected: LDAP (simple auth), actual: PAM", | |||
@@ -1226,28 +1226,28 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
for n, c := range cases { | |||
// Mock functions. | |||
var updatedLoginSource *login.Source | |||
var updatedAuthSource *auth.Source | |||
service := &authService{ | |||
initDB: func(context.Context) error { | |||
return nil | |||
}, | |||
createLoginSource: func(loginSource *login.Source) error { | |||
assert.FailNow(t, "case %d: should not call createLoginSource", n) | |||
createAuthSource: func(authSource *auth.Source) error { | |||
assert.FailNow(t, "case %d: should not call createAuthSource", n) | |||
return nil | |||
}, | |||
updateLoginSource: func(loginSource *login.Source) error { | |||
updatedLoginSource = loginSource | |||
updateAuthSource: func(authSource *auth.Source) error { | |||
updatedAuthSource = authSource | |||
return nil | |||
}, | |||
getLoginSourceByID: func(id int64) (*login.Source, error) { | |||
getAuthSourceByID: func(id int64) (*auth.Source, error) { | |||
if c.id != 0 { | |||
assert.Equal(t, c.id, id, "case %d: wrong id", n) | |||
} | |||
if c.existingLoginSource != nil { | |||
return c.existingLoginSource, nil | |||
if c.existingAuthSource != nil { | |||
return c.existingAuthSource, nil | |||
} | |||
return &login.Source{ | |||
Type: login.DLDAP, | |||
return &auth.Source{ | |||
Type: auth.DLDAP, | |||
Cfg: &ldap.Source{}, | |||
}, nil | |||
}, | |||
@@ -1264,7 +1264,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) { | |||
assert.EqualError(t, err, c.errMsg, "case %d: error should match", n) | |||
} else { | |||
assert.NoError(t, err, "case %d: should have no errors", n) | |||
assert.Equal(t, c.loginSource, updatedLoginSource, "case %d: wrong loginSource", n) | |||
assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n) | |||
} | |||
} | |||
} |
@@ -9,7 +9,7 @@ import ( | |||
"net/http" | |||
"testing" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/unittest" | |||
user_model "code.gitea.io/gitea/models/user" | |||
api "code.gitea.io/gitea/modules/structs" | |||
@@ -47,7 +47,7 @@ func testAPICreateOAuth2Application(t *testing.T) { | |||
assert.Len(t, createdApp.ClientID, 36) | |||
assert.NotEmpty(t, createdApp.Created) | |||
assert.EqualValues(t, appBody.RedirectURIs[0], createdApp.RedirectURIs[0]) | |||
unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{UID: user.ID, Name: createdApp.Name}) | |||
unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{UID: user.ID, Name: createdApp.Name}) | |||
} | |||
func testAPIListOAuth2Applications(t *testing.T) { | |||
@@ -55,13 +55,13 @@ func testAPIListOAuth2Applications(t *testing.T) { | |||
session := loginUser(t, user.Name) | |||
token := getTokenForLoggedInUser(t, session) | |||
existApp := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ | |||
existApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ | |||
UID: user.ID, | |||
Name: "test-app-1", | |||
RedirectURIs: []string{ | |||
"http://www.google.com", | |||
}, | |||
}).(*login.OAuth2Application) | |||
}).(*auth.OAuth2Application) | |||
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2?token=%s", token) | |||
req := NewRequest(t, "GET", urlStr) | |||
@@ -76,7 +76,7 @@ func testAPIListOAuth2Applications(t *testing.T) { | |||
assert.Len(t, expectedApp.ClientID, 36) | |||
assert.Empty(t, expectedApp.ClientSecret) | |||
assert.EqualValues(t, existApp.RedirectURIs[0], expectedApp.RedirectURIs[0]) | |||
unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name}) | |||
unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name}) | |||
} | |||
func testAPIDeleteOAuth2Application(t *testing.T) { | |||
@@ -84,16 +84,16 @@ func testAPIDeleteOAuth2Application(t *testing.T) { | |||
session := loginUser(t, user.Name) | |||
token := getTokenForLoggedInUser(t, session) | |||
oldApp := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ | |||
oldApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ | |||
UID: user.ID, | |||
Name: "test-app-1", | |||
}).(*login.OAuth2Application) | |||
}).(*auth.OAuth2Application) | |||
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", oldApp.ID, token) | |||
req := NewRequest(t, "DELETE", urlStr) | |||
session.MakeRequest(t, req, http.StatusNoContent) | |||
unittest.AssertNotExistsBean(t, &login.OAuth2Application{UID: oldApp.UID, Name: oldApp.Name}) | |||
unittest.AssertNotExistsBean(t, &auth.OAuth2Application{UID: oldApp.UID, Name: oldApp.Name}) | |||
// Delete again will return not found | |||
req = NewRequest(t, "DELETE", urlStr) | |||
@@ -105,13 +105,13 @@ func testAPIGetOAuth2Application(t *testing.T) { | |||
session := loginUser(t, user.Name) | |||
token := getTokenForLoggedInUser(t, session) | |||
existApp := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ | |||
existApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ | |||
UID: user.ID, | |||
Name: "test-app-1", | |||
RedirectURIs: []string{ | |||
"http://www.google.com", | |||
}, | |||
}).(*login.OAuth2Application) | |||
}).(*auth.OAuth2Application) | |||
urlStr := fmt.Sprintf("/api/v1/user/applications/oauth2/%d?token=%s", existApp.ID, token) | |||
req := NewRequest(t, "GET", urlStr) | |||
@@ -127,19 +127,19 @@ func testAPIGetOAuth2Application(t *testing.T) { | |||
assert.Empty(t, expectedApp.ClientSecret) | |||
assert.Len(t, expectedApp.RedirectURIs, 1) | |||
assert.EqualValues(t, existApp.RedirectURIs[0], expectedApp.RedirectURIs[0]) | |||
unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name}) | |||
unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name}) | |||
} | |||
func testAPIUpdateOAuth2Application(t *testing.T) { | |||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User) | |||
existApp := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ | |||
existApp := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ | |||
UID: user.ID, | |||
Name: "test-app-1", | |||
RedirectURIs: []string{ | |||
"http://www.google.com", | |||
}, | |||
}).(*login.OAuth2Application) | |||
}).(*auth.OAuth2Application) | |||
appBody := api.CreateOAuth2ApplicationOptions{ | |||
Name: "test-app-1", | |||
@@ -161,5 +161,5 @@ func testAPIUpdateOAuth2Application(t *testing.T) { | |||
assert.Len(t, expectedApp.RedirectURIs, 2) | |||
assert.EqualValues(t, expectedApp.RedirectURIs[0], appBody.RedirectURIs[0]) | |||
assert.EqualValues(t, expectedApp.RedirectURIs[1], appBody.RedirectURIs[1]) | |||
unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name}) | |||
unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: expectedApp.ID, Name: expectedApp.Name}) | |||
} |
@@ -11,8 +11,8 @@ import ( | |||
"strings" | |||
"time" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/perm" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/log" | |||
@@ -92,7 +92,7 @@ func addKey(e db.Engine, key *PublicKey) (err error) { | |||
} | |||
// AddPublicKey adds new public key to database and authorized_keys file. | |||
func AddPublicKey(ownerID int64, name, content string, loginSourceID int64) (*PublicKey, error) { | |||
func AddPublicKey(ownerID int64, name, content string, authSourceID int64) (*PublicKey, error) { | |||
log.Trace(content) | |||
fingerprint, err := calcFingerprint(content) | |||
@@ -128,7 +128,7 @@ func AddPublicKey(ownerID int64, name, content string, loginSourceID int64) (*Pu | |||
Content: content, | |||
Mode: perm.AccessModeWrite, | |||
Type: KeyTypeUser, | |||
LoginSourceID: loginSourceID, | |||
LoginSourceID: authSourceID, | |||
} | |||
if err = addKey(sess, key); err != nil { | |||
return nil, fmt.Errorf("addKey: %v", err) | |||
@@ -223,10 +223,10 @@ func CountPublicKeys(userID int64) (int64, error) { | |||
} | |||
// ListPublicKeysBySource returns a list of synchronized public keys for a given user and login source. | |||
func ListPublicKeysBySource(uid, loginSourceID int64) ([]*PublicKey, error) { | |||
func ListPublicKeysBySource(uid, authSourceID int64) ([]*PublicKey, error) { | |||
keys := make([]*PublicKey, 0, 5) | |||
return keys, db.GetEngine(db.DefaultContext). | |||
Where("owner_id = ? AND login_source_id = ?", uid, loginSourceID). | |||
Where("owner_id = ? AND login_source_id = ?", uid, authSourceID). | |||
Find(&keys) | |||
} | |||
@@ -261,7 +261,7 @@ func DeletePublicKeys(ctx context.Context, keyIDs ...int64) error { | |||
// PublicKeysAreExternallyManaged returns whether the provided KeyID represents an externally managed Key | |||
func PublicKeysAreExternallyManaged(keys []*PublicKey) ([]bool, error) { | |||
sources := make([]*login.Source, 0, 5) | |||
sources := make([]*auth.Source, 0, 5) | |||
externals := make([]bool, len(keys)) | |||
keyloop: | |||
for i, key := range keys { | |||
@@ -270,7 +270,7 @@ keyloop: | |||
continue keyloop | |||
} | |||
var source *login.Source | |||
var source *auth.Source | |||
sourceloop: | |||
for _, s := range sources { | |||
@@ -282,11 +282,11 @@ keyloop: | |||
if source == nil { | |||
var err error | |||
source, err = login.GetSourceByID(key.LoginSourceID) | |||
source, err = auth.GetSourceByID(key.LoginSourceID) | |||
if err != nil { | |||
if login.IsErrSourceNotExist(err) { | |||
if auth.IsErrSourceNotExist(err) { | |||
externals[i] = false | |||
sources[i] = &login.Source{ | |||
sources[i] = &auth.Source{ | |||
ID: key.LoginSourceID, | |||
} | |||
continue keyloop | |||
@@ -295,7 +295,7 @@ keyloop: | |||
} | |||
} | |||
if sshKeyProvider, ok := source.Cfg.(login.SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() { | |||
if sshKeyProvider, ok := source.Cfg.(auth.SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() { | |||
// Disable setting SSH keys for this user | |||
externals[i] = true | |||
} | |||
@@ -313,14 +313,14 @@ func PublicKeyIsExternallyManaged(id int64) (bool, error) { | |||
if key.LoginSourceID == 0 { | |||
return false, nil | |||
} | |||
source, err := login.GetSourceByID(key.LoginSourceID) | |||
source, err := auth.GetSourceByID(key.LoginSourceID) | |||
if err != nil { | |||
if login.IsErrSourceNotExist(err) { | |||
if auth.IsErrSourceNotExist(err) { | |||
return false, nil | |||
} | |||
return false, err | |||
} | |||
if sshKeyProvider, ok := source.Cfg.(login.SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() { | |||
if sshKeyProvider, ok := source.Cfg.(auth.SSHKeyProvider); ok && sshKeyProvider.ProvidesSSHKeys() { | |||
// Disable setting SSH keys for this user | |||
return true, nil | |||
} | |||
@@ -360,7 +360,7 @@ func deleteKeysMarkedForDeletion(keys []string) (bool, error) { | |||
} | |||
// AddPublicKeysBySource add a users public keys. Returns true if there are changes. | |||
func AddPublicKeysBySource(usr *user_model.User, s *login.Source, sshPublicKeys []string) bool { | |||
func AddPublicKeysBySource(usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool { | |||
var sshKeysNeedUpdate bool | |||
for _, sshKey := range sshPublicKeys { | |||
var err error | |||
@@ -398,7 +398,7 @@ func AddPublicKeysBySource(usr *user_model.User, s *login.Source, sshPublicKeys | |||
} | |||
// SynchronizePublicKeys updates a users public keys. Returns true if there are changes. | |||
func SynchronizePublicKeys(usr *user_model.User, s *login.Source, sshPublicKeys []string) bool { | |||
func SynchronizePublicKeys(usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool { | |||
var sshKeysNeedUpdate bool | |||
log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name) |
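Review bot: `sources[i] = &auth.Source{ID: key.LoginSourceID}` in PublicKeysAreExternallyManaged writes into a slice created with length 0 (`sources := make([]*auth.Source, 0, 5)`), so the first key whose source no longer exists panics with an index-out-of-range instead of being marked as not externally managed. It should be `sources = append(sources, &auth.Source{ID: key.LoginSourceID})`, and if the successfully loaded source is meant to be cached in the same slice it presumably needs an append after the `GetSourceByID` call as well — that part of the body is outside the hunk. Separately, the rename is only partial in this file: the parameters are now `authSourceID` while the struct field, the `login_source_id` column and the doc comment on ListPublicKeysBySource still say login source, and AddPrincipalKey in the next file has the same mix. Naming the parameter after the field it populates, or updating the comments, would keep one vocabulary.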
@@ -25,7 +25,7 @@ import ( | |||
// This file contains functions related to principals | |||
// AddPrincipalKey adds new principal to database and authorized_principals file. | |||
func AddPrincipalKey(ownerID int64, content string, loginSourceID int64) (*PublicKey, error) { | |||
func AddPrincipalKey(ownerID int64, content string, authSourceID int64) (*PublicKey, error) { | |||
ctx, committer, err := db.TxContext() | |||
if err != nil { | |||
return nil, err | |||
@@ -49,7 +49,7 @@ func AddPrincipalKey(ownerID int64, content string, loginSourceID int64) (*Publi | |||
Content: content, | |||
Mode: perm.AccessModeWrite, | |||
Type: KeyTypePrincipal, | |||
LoginSourceID: loginSourceID, | |||
LoginSourceID: authSourceID, | |||
} | |||
if err = addPrincipalKey(sess, key); err != nil { | |||
return nil, fmt.Errorf("addKey: %v", err) |
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
package auth | |||
import ( | |||
"path/filepath" |
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
package auth | |||
import ( | |||
"crypto/sha256" | |||
@@ -510,3 +510,55 @@ func revokeOAuth2Grant(e db.Engine, grantID, userID int64) error { | |||
_, err := e.Delete(&OAuth2Grant{ID: grantID, UserID: userID}) | |||
return err | |||
} | |||
// ErrOAuthClientIDInvalid will be thrown if client id cannot be found | |||
type ErrOAuthClientIDInvalid struct { | |||
ClientID string | |||
} | |||
// IsErrOauthClientIDInvalid checks if an error is a ErrReviewNotExist. | |||
func IsErrOauthClientIDInvalid(err error) bool { | |||
_, ok := err.(ErrOAuthClientIDInvalid) | |||
return ok | |||
} | |||
// Error returns the error message | |||
func (err ErrOAuthClientIDInvalid) Error() string { | |||
return fmt.Sprintf("Client ID invalid [Client ID: %s]", err.ClientID) | |||
} | |||
// ErrOAuthApplicationNotFound will be thrown if id cannot be found | |||
type ErrOAuthApplicationNotFound struct { | |||
ID int64 | |||
} | |||
// IsErrOAuthApplicationNotFound checks if an error is a ErrReviewNotExist. | |||
func IsErrOAuthApplicationNotFound(err error) bool { | |||
_, ok := err.(ErrOAuthApplicationNotFound) | |||
return ok | |||
} | |||
// Error returns the error message | |||
func (err ErrOAuthApplicationNotFound) Error() string { | |||
return fmt.Sprintf("OAuth application not found [ID: %d]", err.ID) | |||
} | |||
// GetActiveOAuth2ProviderSources returns all actived LoginOAuth2 sources | |||
func GetActiveOAuth2ProviderSources() ([]*Source, error) { | |||
sources := make([]*Source, 0, 1) | |||
if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, OAuth2).Find(&sources); err != nil { | |||
return nil, err | |||
} | |||
return sources, nil | |||
} | |||
// GetActiveOAuth2SourceByName returns a OAuth2 AuthSource based on the given name | |||
func GetActiveOAuth2SourceByName(name string) (*Source, error) { | |||
authSource := new(Source) | |||
has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(authSource) | |||
if !has || err != nil { | |||
return nil, err | |||
} | |||
return authSource, nil | |||
} |
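Review bot: GetActiveOAuth2SourceByName returns `nil, nil` when no active OAuth2 source has the given name (`if !has || err != nil { return nil, err }`), so a caller that only checks `err` goes on to dereference a nil *Source. Returning an error callers can test with the package's existing IsErrSourceNotExist, or at least stating the miss contract in the doc comment (`// GetActiveOAuth2SourceByName returns the active OAuth2 Source with the given name, or nil and no error if none exists`), would make that case explicit. The doc comments on IsErrOauthClientIDInvalid and IsErrOAuthApplicationNotFound both say they check for `ErrReviewNotExist`, which is a copy-paste leftover; they should name ErrOAuthClientIDInvalid and ErrOAuthApplicationNotFound respectively.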
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
package auth | |||
import ( | |||
"testing" |
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
package auth | |||
import ( | |||
"fmt" |
@@ -3,12 +3,11 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
package auth | |||
import ( | |||
"fmt" | |||
"reflect" | |||
"strconv" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/modules/log" | |||
@@ -84,10 +83,7 @@ type RegisterableSource interface { | |||
UnregisterSource() error | |||
} | |||
// SourceSettable configurations can have their loginSource set on them | |||
type SourceSettable interface { | |||
SetLoginSource(*Source) | |||
} | |||
var registeredConfigs = map[Type]func() Config{} | |||
// RegisterTypeConfig register a config for a provided type | |||
func RegisterTypeConfig(typ Type, exemplar Config) { | |||
@@ -105,7 +101,10 @@ func RegisterTypeConfig(typ Type, exemplar Config) { | |||
} | |||
} | |||
var registeredConfigs = map[Type]func() Config{} | |||
// SourceSettable configurations can have their authSource set on them | |||
type SourceSettable interface { | |||
SetAuthSource(*Source) | |||
} | |||
// Source represents an external way for authorizing users. | |||
type Source struct { | |||
@@ -129,30 +128,17 @@ func init() { | |||
db.RegisterModel(new(Source)) | |||
} | |||
// Cell2Int64 converts a xorm.Cell type to int64, | |||
// and handles possible irregular cases. | |||
func Cell2Int64(val xorm.Cell) int64 { | |||
switch (*val).(type) { | |||
case []uint8: | |||
log.Trace("Cell2Int64 ([]uint8): %v", *val) | |||
v, _ := strconv.ParseInt(string((*val).([]uint8)), 10, 64) | |||
return v | |||
} | |||
return (*val).(int64) | |||
} | |||
// BeforeSet is invoked from XORM before setting the value of a field of this object. | |||
func (source *Source) BeforeSet(colName string, val xorm.Cell) { | |||
if colName == "type" { | |||
typ := Type(Cell2Int64(val)) | |||
typ := Type(db.Cell2Int64(val)) | |||
constructor, ok := registeredConfigs[typ] | |||
if !ok { | |||
return | |||
} | |||
source.Cfg = constructor() | |||
if settable, ok := source.Cfg.(SourceSettable); ok { | |||
settable.SetLoginSource(source) | |||
settable.SetAuthSource(source) | |||
} | |||
} | |||
} | |||
@@ -211,7 +197,7 @@ func (source *Source) SkipVerify() bool { | |||
return ok && skipVerifiable.IsSkipVerify() | |||
} | |||
// CreateSource inserts a LoginSource in the DB if not already | |||
// CreateSource inserts a AuthSource in the DB if not already | |||
// existing with the given name. | |||
func CreateSource(source *Source) error { | |||
has, err := db.GetEngine(db.DefaultContext).Where("name=?", source.Name).Exist(new(Source)) | |||
@@ -235,7 +221,7 @@ func CreateSource(source *Source) error { | |||
} | |||
if settable, ok := source.Cfg.(SourceSettable); ok { | |||
settable.SetLoginSource(source) | |||
settable.SetAuthSource(source) | |||
} | |||
registerableSource, ok := source.Cfg.(RegisterableSource) | |||
@@ -245,7 +231,7 @@ func CreateSource(source *Source) error { | |||
err = registerableSource.RegisterSource() | |||
if err != nil { | |||
// remove the LoginSource in case of errors while registering configuration | |||
// remove the AuthSource in case of errors while registering configuration | |||
if _, err := db.GetEngine(db.DefaultContext).Delete(source); err != nil { | |||
log.Error("CreateSource: Error while wrapOpenIDConnectInitializeError: %v", err) | |||
} | |||
@@ -322,11 +308,11 @@ func GetSourceByID(id int64) (*Source, error) { | |||
// UpdateSource updates a Source record in DB. | |||
func UpdateSource(source *Source) error { | |||
var originalLoginSource *Source | |||
var originalSource *Source | |||
if source.IsOAuth2() { | |||
// keep track of the original values so we can restore in case of errors while registering OAuth2 providers | |||
var err error | |||
if originalLoginSource, err = GetSourceByID(source.ID); err != nil { | |||
if originalSource, err = GetSourceByID(source.ID); err != nil { | |||
return err | |||
} | |||
} | |||
@@ -341,7 +327,7 @@ func UpdateSource(source *Source) error { | |||
} | |||
if settable, ok := source.Cfg.(SourceSettable); ok { | |||
settable.SetLoginSource(source) | |||
settable.SetAuthSource(source) | |||
} | |||
registerableSource, ok := source.Cfg.(RegisterableSource) | |||
@@ -352,7 +338,7 @@ func UpdateSource(source *Source) error { | |||
err = registerableSource.RegisterSource() | |||
if err != nil { | |||
// restore original values since we cannot update the provider it self | |||
if _, err := db.GetEngine(db.DefaultContext).ID(source.ID).AllCols().Update(originalLoginSource); err != nil { | |||
if _, err := db.GetEngine(db.DefaultContext).ID(source.ID).AllCols().Update(originalSource); err != nil { | |||
log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err) | |||
} | |||
} |
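Review bot: In UpdateSource, `originalSource` is only loaded when `source.IsOAuth2()`, but the rollback on the RegisterSource error path calls `Update(originalSource)` regardless, so for any non-OAuth2 Cfg that implements RegisterableSource the restore would hand xorm a nil *Source. Whether such a Cfg exists is not visible from this hunk; guarding the restore with `if originalSource != nil {`, or loading the original for every registerable source, removes the dependence on that assumption. The log line `"UpdateSource: Error while wrapOpenIDConnectInitializeError: %v"` also does not describe what failed at that point — the DB restore — and is worth rewording to `"UpdateSource: Error while restoring original source: %v"`.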
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
package auth | |||
import ( | |||
"strings" | |||
@@ -34,10 +34,10 @@ func (source *TestSource) ToDB() ([]byte, error) { | |||
return json.Marshal(source) | |||
} | |||
func TestDumpLoginSource(t *testing.T) { | |||
func TestDumpAuthSource(t *testing.T) { | |||
assert.NoError(t, unittest.PrepareTestDatabase()) | |||
loginSourceSchema, err := db.TableInfo(new(Source)) | |||
authSourceSchema, err := db.TableInfo(new(Source)) | |||
assert.NoError(t, err) | |||
RegisterTypeConfig(OAuth2, new(TestSource)) | |||
@@ -54,7 +54,7 @@ func TestDumpLoginSource(t *testing.T) { | |||
sb := new(strings.Builder) | |||
db.DumpTables([]*schemas.Table{loginSourceSchema}, sb) | |||
db.DumpTables([]*schemas.Table{authSourceSchema}, sb) | |||
assert.Contains(t, sb.String(), `"Provider":"ConvertibleSourceName"`) | |||
} |
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
package auth | |||
import ( | |||
"crypto/md5" |
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
package auth | |||
import ( | |||
"fmt" |
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
package auth | |||
import ( | |||
"encoding/hex" |
@@ -6,9 +6,12 @@ package db | |||
import ( | |||
"fmt" | |||
"strconv" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
"xorm.io/xorm" | |||
"xorm.io/xorm/schemas" | |||
) | |||
@@ -39,3 +42,16 @@ func ConvertUtf8ToUtf8mb4() error { | |||
return nil | |||
} | |||
// Cell2Int64 converts a xorm.Cell type to int64, | |||
// and handles possible irregular cases. | |||
func Cell2Int64(val xorm.Cell) int64 { | |||
switch (*val).(type) { | |||
case []uint8: | |||
log.Trace("Cell2Int64 ([]uint8): %v", *val) | |||
v, _ := strconv.ParseInt(string((*val).([]uint8)), 10, 64) | |||
return v | |||
} | |||
return (*val).(int64) | |||
} |
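Review bot: Cell2Int64's fallthrough `return (*val).(int64)` is an unchecked type assertion, so any cell type other than []uint8 or int64 (a driver returning a different integer width, or a NULL cell) panics inside the BeforeSet hooks that call it rather than producing a diagnosable error, and the []uint8 branch discards the strconv.ParseInt error, silently yielding 0 on a malformed value. Now that the helper lives in the shared db package with callers in several models, a type switch with a comma-ok shape and a logged parse failure would be safer. Returning 0 for an unsupported type, as below, is a choice to confirm against the existing callers; the alternative is to keep the panic but log the offending type first.

```go
func Cell2Int64(val xorm.Cell) int64 {
	switch v := (*val).(type) {
	case []uint8:
		log.Trace("Cell2Int64 ([]uint8): %v", v)
		n, err := strconv.ParseInt(string(v), 10, 64)
		if err != nil {
			log.Error("Cell2Int64: cannot parse %q as int64: %v", v, err)
		}
		return n
	case int64:
		return v
	}
	log.Error("Cell2Int64: unexpected cell type %T", *val)
	return 0
}
```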
@@ -1,70 +0,0 @@ | |||
// Copyright 2017 The Gitea Authors. All rights reserved. | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package login | |||
import ( | |||
"fmt" | |||
"code.gitea.io/gitea/models/db" | |||
) | |||
// ________ _____ __ .__ | |||
// \_____ \ / _ \ __ ___/ |_| |__ | |||
// / | \ / /_\ \| | \ __\ | \ | |||
// / | \/ | \ | /| | | Y \ | |||
// \_______ /\____|__ /____/ |__| |___| / | |||
// \/ \/ \/ | |||
// ErrOAuthClientIDInvalid will be thrown if client id cannot be found | |||
type ErrOAuthClientIDInvalid struct { | |||
ClientID string | |||
} | |||
// IsErrOauthClientIDInvalid checks if an error is a ErrReviewNotExist. | |||
func IsErrOauthClientIDInvalid(err error) bool { | |||
_, ok := err.(ErrOAuthClientIDInvalid) | |||
return ok | |||
} | |||
// Error returns the error message | |||
func (err ErrOAuthClientIDInvalid) Error() string { | |||
return fmt.Sprintf("Client ID invalid [Client ID: %s]", err.ClientID) | |||
} | |||
// ErrOAuthApplicationNotFound will be thrown if id cannot be found | |||
type ErrOAuthApplicationNotFound struct { | |||
ID int64 | |||
} | |||
// IsErrOAuthApplicationNotFound checks if an error is a ErrReviewNotExist. | |||
func IsErrOAuthApplicationNotFound(err error) bool { | |||
_, ok := err.(ErrOAuthApplicationNotFound) | |||
return ok | |||
} | |||
// Error returns the error message | |||
func (err ErrOAuthApplicationNotFound) Error() string { | |||
return fmt.Sprintf("OAuth application not found [ID: %d]", err.ID) | |||
} | |||
// GetActiveOAuth2ProviderLoginSources returns all actived LoginOAuth2 sources | |||
func GetActiveOAuth2ProviderLoginSources() ([]*Source, error) { | |||
sources := make([]*Source, 0, 1) | |||
if err := db.GetEngine(db.DefaultContext).Where("is_active = ? and type = ?", true, OAuth2).Find(&sources); err != nil { | |||
return nil, err | |||
} | |||
return sources, nil | |||
} | |||
// GetActiveOAuth2LoginSourceByName returns a OAuth2 LoginSource based on the given name | |||
func GetActiveOAuth2LoginSourceByName(name string) (*Source, error) { | |||
loginSource := new(Source) | |||
has, err := db.GetEngine(db.DefaultContext).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(loginSource) | |||
if !has || err != nil { | |||
return nil, err | |||
} | |||
return loginSource, nil | |||
} |
@@ -8,7 +8,6 @@ import ( | |||
"fmt" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/unit" | |||
"code.gitea.io/gitea/modules/json" | |||
"code.gitea.io/gitea/modules/timeutil" | |||
@@ -170,7 +169,7 @@ func (cfg *PullRequestsConfig) AllowedMergeStyleCount() int { | |||
func (r *RepoUnit) BeforeSet(colName string, val xorm.Cell) { | |||
switch colName { | |||
case "type": | |||
switch unit.Type(login.Cell2Int64(val)) { | |||
switch unit.Type(db.Cell2Int64(val)) { | |||
case unit.TypeCode, unit.TypeReleases, unit.TypeWiki, unit.TypeProjects: | |||
r.Config = new(UnitConfig) | |||
case unit.TypeExternalWiki: |
@@ -6,8 +6,8 @@ package models | |||
import ( | |||
asymkey_model "code.gitea.io/gitea/models/asymkey" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
repo_model "code.gitea.io/gitea/models/repo" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/models/webhook" | |||
@@ -21,7 +21,7 @@ type Statistic struct { | |||
Repo, Watch, Star, Action, Access, | |||
Issue, IssueClosed, IssueOpen, | |||
Comment, Oauth, Follow, | |||
Mirror, Release, LoginSource, Webhook, | |||
Mirror, Release, AuthSource, Webhook, | |||
Milestone, Label, HookTask, | |||
Team, UpdateTask, Project, | |||
ProjectBoard, Attachment int64 | |||
@@ -98,7 +98,7 @@ func GetStatistic() (stats Statistic) { | |||
stats.Counter.Follow, _ = e.Count(new(user_model.Follow)) | |||
stats.Counter.Mirror, _ = e.Count(new(repo_model.Mirror)) | |||
stats.Counter.Release, _ = e.Count(new(Release)) | |||
stats.Counter.LoginSource = login.CountSources() | |||
stats.Counter.AuthSource = auth.CountSources() | |||
stats.Counter.Webhook, _ = e.Count(new(webhook.Webhook)) | |||
stats.Counter.Milestone, _ = e.Count(new(Milestone)) | |||
stats.Counter.Label, _ = e.Count(new(Label)) |
@@ -10,8 +10,8 @@ import ( | |||
"fmt" | |||
"time" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/timeutil" | |||
@@ -68,7 +68,7 @@ func NewAccessToken(t *AccessToken) error { | |||
} | |||
t.TokenSalt = salt | |||
t.Token = base.EncodeSha1(gouuid.New().String()) | |||
t.TokenHash = login.HashToken(t.Token, t.TokenSalt) | |||
t.TokenHash = auth.HashToken(t.Token, t.TokenSalt) | |||
t.TokenLastEight = t.Token[len(t.Token)-8:] | |||
_, err = db.GetEngine(db.DefaultContext).Insert(t) | |||
return err | |||
@@ -130,7 +130,7 @@ func GetAccessTokenBySHA(token string) (*AccessToken, error) { | |||
} | |||
for _, t := range tokens { | |||
tempHash := login.HashToken(token, t.TokenSalt) | |||
tempHash := auth.HashToken(token, t.TokenSalt) | |||
if subtle.ConstantTimeCompare([]byte(t.TokenHash), []byte(tempHash)) == 1 { | |||
if successfulAccessTokenCache != nil { | |||
successfulAccessTokenCache.Add(token, t.ID) |
@@ -7,8 +7,8 @@ package user | |||
import ( | |||
"fmt" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
) | |||
// UserList is a list of user. | |||
@@ -40,13 +40,13 @@ func (users UserList) GetTwoFaStatus() map[int64]bool { | |||
return results | |||
} | |||
func (users UserList) loadTwoFactorStatus(e db.Engine) (map[int64]*login.TwoFactor, error) { | |||
func (users UserList) loadTwoFactorStatus(e db.Engine) (map[int64]*auth.TwoFactor, error) { | |||
if len(users) == 0 { | |||
return nil, nil | |||
} | |||
userIDs := users.GetUserIDs() | |||
tokenMaps := make(map[int64]*login.TwoFactor, len(userIDs)) | |||
tokenMaps := make(map[int64]*auth.TwoFactor, len(userIDs)) | |||
err := e. | |||
In("uid", userIDs). | |||
Find(&tokenMaps) |
@@ -19,8 +19,8 @@ import ( | |||
_ "image/jpeg" // Needed for jpeg support | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/modules/auth/openid" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/git" | |||
@@ -89,7 +89,7 @@ type User struct { | |||
// is to change his/her password after registration. | |||
MustChangePassword bool `xorm:"NOT NULL DEFAULT false"` | |||
LoginType login.Type | |||
LoginType auth.Type | |||
LoginSource int64 `xorm:"NOT NULL DEFAULT 0"` | |||
LoginName string | |||
Type UserType | |||
@@ -232,12 +232,12 @@ func GetAllUsers() ([]*User, error) { | |||
// IsLocal returns true if user login type is LoginPlain. | |||
func (u *User) IsLocal() bool { | |||
return u.LoginType <= login.Plain | |||
return u.LoginType <= auth.Plain | |||
} | |||
// IsOAuth2 returns true if user login type is LoginOAuth2. | |||
func (u *User) IsOAuth2() bool { | |||
return u.LoginType == login.OAuth2 | |||
return u.LoginType == auth.OAuth2 | |||
} | |||
// MaxCreationLimit returns the number of repositories a user is allowed to create | |||
@@ -1012,7 +1012,7 @@ func GetUserIDsByNames(names []string, ignoreNonExistent bool) ([]int64, error) | |||
} | |||
// GetUsersBySource returns a list of Users for a login source | |||
func GetUsersBySource(s *login.Source) ([]*User, error) { | |||
func GetUsersBySource(s *auth.Source) ([]*User, error) { | |||
var users []*User | |||
err := db.GetEngine(db.DefaultContext).Where("login_type = ? AND login_source = ?", s.Type, s.ID).Find(&users) | |||
return users, err |
@@ -9,8 +9,8 @@ import ( | |||
"strings" | |||
"testing" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/unittest" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/structs" | |||
@@ -21,7 +21,7 @@ import ( | |||
func TestOAuth2Application_LoadUser(t *testing.T) { | |||
assert.NoError(t, unittest.PrepareTestDatabase()) | |||
app := unittest.AssertExistsAndLoadBean(t, &login.OAuth2Application{ID: 1}).(*login.OAuth2Application) | |||
app := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: 1}).(*auth.OAuth2Application) | |||
user, err := GetUserByID(app.UID) | |||
assert.NoError(t, err) | |||
assert.NotNil(t, user) |
@@ -13,13 +13,13 @@ import ( | |||
"net/url" | |||
"strings" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
repo_model "code.gitea.io/gitea/models/repo" | |||
"code.gitea.io/gitea/modules/git" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/web/middleware" | |||
"code.gitea.io/gitea/services/auth" | |||
auth_service "code.gitea.io/gitea/services/auth" | |||
"gitea.com/go-chi/session" | |||
) | |||
@@ -225,9 +225,9 @@ func (ctx *APIContext) CheckForOTP() { | |||
} | |||
otpHeader := ctx.Req.Header.Get("X-Gitea-OTP") | |||
twofa, err := login.GetTwoFactorByUID(ctx.Context.User.ID) | |||
twofa, err := auth.GetTwoFactorByUID(ctx.Context.User.ID) | |||
if err != nil { | |||
if login.IsErrTwoFactorNotEnrolled(err) { | |||
if auth.IsErrTwoFactorNotEnrolled(err) { | |||
return // No 2FA enrollment for this user | |||
} | |||
ctx.Context.Error(http.StatusInternalServerError) | |||
@@ -244,8 +244,8 @@ func (ctx *APIContext) CheckForOTP() { | |||
} | |||
} | |||
// APIAuth converts auth.Auth as a middleware | |||
func APIAuth(authMethod auth.Method) func(*APIContext) { | |||
// APIAuth converts auth_service.Auth as a middleware | |||
func APIAuth(authMethod auth_service.Method) func(*APIContext) { | |||
return func(ctx *APIContext) { | |||
// Get user from session if logged in. | |||
ctx.User = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) | |||
@@ -253,7 +253,7 @@ func APIAuth(authMethod auth.Method) func(*APIContext) { | |||
if ctx.Locale.Language() != ctx.User.Language { | |||
ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req) | |||
} | |||
ctx.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == auth.BasicMethodName | |||
ctx.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == auth_service.BasicMethodName | |||
ctx.IsSigned = true | |||
ctx.Data["IsSigned"] = ctx.IsSigned | |||
ctx.Data["SignedUser"] = ctx.User |
@@ -8,7 +8,7 @@ package context | |||
import ( | |||
"net/http" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/web/middleware" | |||
@@ -154,9 +154,9 @@ func ToggleAPI(options *ToggleOptions) func(ctx *APIContext) { | |||
if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) { | |||
return // Skip 2FA | |||
} | |||
twofa, err := login.GetTwoFactorByUID(ctx.User.ID) | |||
twofa, err := auth.GetTwoFactorByUID(ctx.User.ID) | |||
if err != nil { | |||
if login.IsErrTwoFactorNotEnrolled(err) { | |||
if auth.IsErrTwoFactorNotEnrolled(err) { | |||
return // No 2FA enrollment for this user | |||
} | |||
ctx.InternalServerError(err) |
@@ -13,7 +13,7 @@ import ( | |||
"code.gitea.io/gitea/models" | |||
asymkey_model "code.gitea.io/gitea/models/asymkey" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/perm" | |||
repo_model "code.gitea.io/gitea/models/repo" | |||
"code.gitea.io/gitea/models/unit" | |||
@@ -344,8 +344,8 @@ func ToTopicResponse(topic *repo_model.Topic) *api.TopicResponse { | |||
} | |||
} | |||
// ToOAuth2Application convert from login.OAuth2Application to api.OAuth2Application | |||
func ToOAuth2Application(app *login.OAuth2Application) *api.OAuth2Application { | |||
// ToOAuth2Application convert from auth.OAuth2Application to api.OAuth2Application | |||
func ToOAuth2Application(app *auth.OAuth2Application) *api.OAuth2Application { | |||
return &api.OAuth2Application{ | |||
ID: app.ID, | |||
Name: app.Name, |
@@ -297,7 +297,7 @@ func (c Collector) Collect(ch chan<- prometheus.Metric) { | |||
ch <- prometheus.MustNewConstMetric( | |||
c.LoginSources, | |||
prometheus.GaugeValue, | |||
float64(stats.Counter.LoginSource), | |||
float64(stats.Counter.AuthSource), | |||
) | |||
ch <- prometheus.MustNewConstMetric( | |||
c.Milestones, |
@@ -8,7 +8,7 @@ import ( | |||
"log" | |||
"sync" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/timeutil" | |||
"gitea.com/go-chi/session" | |||
@@ -72,7 +72,7 @@ func (s *DBStore) Release() error { | |||
return err | |||
} | |||
return login.UpdateSession(s.sid, data) | |||
return auth.UpdateSession(s.sid, data) | |||
} | |||
// Flush deletes all session data. | |||
@@ -98,7 +98,7 @@ func (p *DBProvider) Init(maxLifetime int64, connStr string) error { | |||
// Read returns raw session store by session ID. | |||
func (p *DBProvider) Read(sid string) (session.RawStore, error) { | |||
s, err := login.ReadSession(sid) | |||
s, err := auth.ReadSession(sid) | |||
if err != nil { | |||
return nil, err | |||
} | |||
@@ -118,7 +118,7 @@ func (p *DBProvider) Read(sid string) (session.RawStore, error) { | |||
// Exist returns true if session with given ID exists. | |||
func (p *DBProvider) Exist(sid string) bool { | |||
has, err := login.ExistSession(sid) | |||
has, err := auth.ExistSession(sid) | |||
if err != nil { | |||
panic("session/DB: error checking existence: " + err.Error()) | |||
} | |||
@@ -127,12 +127,12 @@ func (p *DBProvider) Exist(sid string) bool { | |||
// Destroy deletes a session by session ID. | |||
func (p *DBProvider) Destroy(sid string) error { | |||
return login.DestroySession(sid) | |||
return auth.DestroySession(sid) | |||
} | |||
// Regenerate regenerates a session store from old session ID to new one. | |||
func (p *DBProvider) Regenerate(oldsid, sid string) (_ session.RawStore, err error) { | |||
s, err := login.RegenerateSession(oldsid, sid) | |||
s, err := auth.RegenerateSession(oldsid, sid) | |||
if err != nil { | |||
return nil, err | |||
@@ -153,7 +153,7 @@ func (p *DBProvider) Regenerate(oldsid, sid string) (_ session.RawStore, err err | |||
// Count counts and returns number of sessions. | |||
func (p *DBProvider) Count() int { | |||
total, err := login.CountSessions() | |||
total, err := auth.CountSessions() | |||
if err != nil { | |||
panic("session/DB: error counting records: " + err.Error()) | |||
} | |||
@@ -162,7 +162,7 @@ func (p *DBProvider) Count() int { | |||
// GC calls GC to clean expired sessions. | |||
func (p *DBProvider) GC() { | |||
if err := login.CleanupSessions(p.maxLifetime); err != nil { | |||
if err := auth.CleanupSessions(p.maxLifetime); err != nil { | |||
log.Printf("session/DB: error garbage collecting: %v", err) | |||
} | |||
} |
@@ -13,8 +13,8 @@ import ( | |||
"code.gitea.io/gitea/models" | |||
asymkey_model "code.gitea.io/gitea/models/asymkey" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/convert" | |||
@@ -30,17 +30,17 @@ import ( | |||
user_service "code.gitea.io/gitea/services/user" | |||
) | |||
func parseLoginSource(ctx *context.APIContext, u *user_model.User, sourceID int64, loginName string) { | |||
func parseAuthSource(ctx *context.APIContext, u *user_model.User, sourceID int64, loginName string) { | |||
if sourceID == 0 { | |||
return | |||
} | |||
source, err := login.GetSourceByID(sourceID) | |||
source, err := auth.GetSourceByID(sourceID) | |||
if err != nil { | |||
if login.IsErrSourceNotExist(err) { | |||
if auth.IsErrSourceNotExist(err) { | |||
ctx.Error(http.StatusUnprocessableEntity, "", err) | |||
} else { | |||
ctx.Error(http.StatusInternalServerError, "login.GetSourceByID", err) | |||
ctx.Error(http.StatusInternalServerError, "auth.GetSourceByID", err) | |||
} | |||
return | |||
} | |||
@@ -82,13 +82,13 @@ func CreateUser(ctx *context.APIContext) { | |||
Passwd: form.Password, | |||
MustChangePassword: true, | |||
IsActive: true, | |||
LoginType: login.Plain, | |||
LoginType: auth.Plain, | |||
} | |||
if form.MustChangePassword != nil { | |||
u.MustChangePassword = *form.MustChangePassword | |||
} | |||
parseLoginSource(ctx, u, form.SourceID, form.LoginName) | |||
parseAuthSource(ctx, u, form.SourceID, form.LoginName) | |||
if ctx.Written() { | |||
return | |||
} | |||
@@ -168,7 +168,7 @@ func EditUser(ctx *context.APIContext) { | |||
return | |||
} | |||
parseLoginSource(ctx, u, form.SourceID, form.LoginName) | |||
parseAuthSource(ctx, u, form.SourceID, form.LoginName) | |||
if ctx.Written() { | |||
return | |||
} |
@@ -12,7 +12,7 @@ import ( | |||
"strconv" | |||
"code.gitea.io/gitea/models" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/convert" | |||
api "code.gitea.io/gitea/modules/structs" | |||
@@ -213,7 +213,7 @@ func CreateOauth2Application(ctx *context.APIContext) { | |||
data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions) | |||
app, err := login.CreateOAuth2Application(login.CreateOAuth2ApplicationOptions{ | |||
app, err := auth.CreateOAuth2Application(auth.CreateOAuth2ApplicationOptions{ | |||
Name: data.Name, | |||
UserID: ctx.User.ID, | |||
RedirectURIs: data.RedirectURIs, | |||
@@ -252,7 +252,7 @@ func ListOauth2Applications(ctx *context.APIContext) { | |||
// "200": | |||
// "$ref": "#/responses/OAuth2ApplicationList" | |||
apps, total, err := login.ListOAuth2Applications(ctx.User.ID, utils.GetListOptions(ctx)) | |||
apps, total, err := auth.ListOAuth2Applications(ctx.User.ID, utils.GetListOptions(ctx)) | |||
if err != nil { | |||
ctx.Error(http.StatusInternalServerError, "ListOAuth2Applications", err) | |||
return | |||
@@ -288,8 +288,8 @@ func DeleteOauth2Application(ctx *context.APIContext) { | |||
// "404": | |||
// "$ref": "#/responses/notFound" | |||
appID := ctx.ParamsInt64(":id") | |||
if err := login.DeleteOAuth2Application(appID, ctx.User.ID); err != nil { | |||
if login.IsErrOAuthApplicationNotFound(err) { | |||
if err := auth.DeleteOAuth2Application(appID, ctx.User.ID); err != nil { | |||
if auth.IsErrOAuthApplicationNotFound(err) { | |||
ctx.NotFound() | |||
} else { | |||
ctx.Error(http.StatusInternalServerError, "DeleteOauth2ApplicationByID", err) | |||
@@ -320,9 +320,9 @@ func GetOauth2Application(ctx *context.APIContext) { | |||
// "404": | |||
// "$ref": "#/responses/notFound" | |||
appID := ctx.ParamsInt64(":id") | |||
app, err := login.GetOAuth2ApplicationByID(appID) | |||
app, err := auth.GetOAuth2ApplicationByID(appID) | |||
if err != nil { | |||
if login.IsErrOauthClientIDInvalid(err) || login.IsErrOAuthApplicationNotFound(err) { | |||
if auth.IsErrOauthClientIDInvalid(err) || auth.IsErrOAuthApplicationNotFound(err) { | |||
ctx.NotFound() | |||
} else { | |||
ctx.Error(http.StatusInternalServerError, "GetOauth2ApplicationByID", err) | |||
@@ -363,14 +363,14 @@ func UpdateOauth2Application(ctx *context.APIContext) { | |||
data := web.GetForm(ctx).(*api.CreateOAuth2ApplicationOptions) | |||
app, err := login.UpdateOAuth2Application(login.UpdateOAuth2ApplicationOptions{ | |||
app, err := auth.UpdateOAuth2Application(auth.UpdateOAuth2ApplicationOptions{ | |||
Name: data.Name, | |||
UserID: ctx.User.ID, | |||
ID: appID, | |||
RedirectURIs: data.RedirectURIs, | |||
}) | |||
if err != nil { | |||
if login.IsErrOauthClientIDInvalid(err) || login.IsErrOAuthApplicationNotFound(err) { | |||
if auth.IsErrOauthClientIDInvalid(err) || auth.IsErrOAuthApplicationNotFound(err) { | |||
ctx.NotFound() | |||
} else { | |||
ctx.Error(http.StatusInternalServerError, "UpdateOauth2ApplicationByID", err) |
@@ -13,7 +13,7 @@ import ( | |||
"strconv" | |||
"strings" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/auth/pam" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
@@ -24,7 +24,7 @@ import ( | |||
auth_service "code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/auth/source/ldap" | |||
"code.gitea.io/gitea/services/auth/source/oauth2" | |||
pamService "code.gitea.io/gitea/services/auth/source/pam" | |||
pam_service "code.gitea.io/gitea/services/auth/source/pam" | |||
"code.gitea.io/gitea/services/auth/source/smtp" | |||
"code.gitea.io/gitea/services/auth/source/sspi" | |||
"code.gitea.io/gitea/services/forms" | |||
@@ -50,13 +50,13 @@ func Authentications(ctx *context.Context) { | |||
ctx.Data["PageIsAdminAuthentications"] = true | |||
var err error | |||
ctx.Data["Sources"], err = login.Sources() | |||
ctx.Data["Sources"], err = auth.Sources() | |||
if err != nil { | |||
ctx.ServerError("login.Sources", err) | |||
ctx.ServerError("auth.Sources", err) | |||
return | |||
} | |||
ctx.Data["Total"] = login.CountSources() | |||
ctx.Data["Total"] = auth.CountSources() | |||
ctx.HTML(http.StatusOK, tplAuths) | |||
} | |||
@@ -68,14 +68,14 @@ type dropdownItem struct { | |||
var ( | |||
authSources = func() []dropdownItem { | |||
items := []dropdownItem{ | |||
{login.LDAP.String(), login.LDAP}, | |||
{login.DLDAP.String(), login.DLDAP}, | |||
{login.SMTP.String(), login.SMTP}, | |||
{login.OAuth2.String(), login.OAuth2}, | |||
{login.SSPI.String(), login.SSPI}, | |||
{auth.LDAP.String(), auth.LDAP}, | |||
{auth.DLDAP.String(), auth.DLDAP}, | |||
{auth.SMTP.String(), auth.SMTP}, | |||
{auth.OAuth2.String(), auth.OAuth2}, | |||
{auth.SSPI.String(), auth.SSPI}, | |||
} | |||
if pam.Supported { | |||
items = append(items, dropdownItem{login.Names[login.PAM], login.PAM}) | |||
items = append(items, dropdownItem{auth.Names[auth.PAM], auth.PAM}) | |||
} | |||
return items | |||
}() | |||
@@ -93,8 +93,8 @@ func NewAuthSource(ctx *context.Context) { | |||
ctx.Data["PageIsAdmin"] = true | |||
ctx.Data["PageIsAdminAuthentications"] = true | |||
ctx.Data["type"] = login.LDAP | |||
ctx.Data["CurrentTypeName"] = login.Names[login.LDAP] | |||
ctx.Data["type"] = auth.LDAP | |||
ctx.Data["CurrentTypeName"] = auth.Names[auth.LDAP] | |||
ctx.Data["CurrentSecurityProtocol"] = ldap.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted] | |||
ctx.Data["smtp_auth"] = "PLAIN" | |||
ctx.Data["is_active"] = true | |||
@@ -226,7 +226,7 @@ func NewAuthSourcePost(ctx *context.Context) { | |||
ctx.Data["PageIsAdmin"] = true | |||
ctx.Data["PageIsAdminAuthentications"] = true | |||
ctx.Data["CurrentTypeName"] = login.Type(form.Type).String() | |||
ctx.Data["CurrentTypeName"] = auth.Type(form.Type).String() | |||
ctx.Data["CurrentSecurityProtocol"] = ldap.SecurityProtocolNames[ldap.SecurityProtocol(form.SecurityProtocol)] | |||
ctx.Data["AuthSources"] = authSources | |||
ctx.Data["SecurityProtocols"] = securityProtocols | |||
@@ -242,29 +242,29 @@ func NewAuthSourcePost(ctx *context.Context) { | |||
hasTLS := false | |||
var config convert.Conversion | |||
switch login.Type(form.Type) { | |||
case login.LDAP, login.DLDAP: | |||
switch auth.Type(form.Type) { | |||
case auth.LDAP, auth.DLDAP: | |||
config = parseLDAPConfig(form) | |||
hasTLS = ldap.SecurityProtocol(form.SecurityProtocol) > ldap.SecurityProtocolUnencrypted | |||
case login.SMTP: | |||
case auth.SMTP: | |||
config = parseSMTPConfig(form) | |||
hasTLS = true | |||
case login.PAM: | |||
config = &pamService.Source{ | |||
case auth.PAM: | |||
config = &pam_service.Source{ | |||
ServiceName: form.PAMServiceName, | |||
EmailDomain: form.PAMEmailDomain, | |||
SkipLocalTwoFA: form.SkipLocalTwoFA, | |||
} | |||
case login.OAuth2: | |||
case auth.OAuth2: | |||
config = parseOAuth2Config(form) | |||
case login.SSPI: | |||
case auth.SSPI: | |||
var err error | |||
config, err = parseSSPIConfig(ctx, form) | |||
if err != nil { | |||
ctx.RenderWithErr(err.Error(), tplAuthNew, form) | |||
return | |||
} | |||
existing, err := login.SourcesByType(login.SSPI) | |||
existing, err := auth.SourcesByType(auth.SSPI) | |||
if err != nil || len(existing) > 0 { | |||
ctx.Data["Err_Type"] = true | |||
ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_of_type_exist"), tplAuthNew, form) | |||
@@ -281,18 +281,18 @@ func NewAuthSourcePost(ctx *context.Context) { | |||
return | |||
} | |||
if err := login.CreateSource(&login.Source{ | |||
Type: login.Type(form.Type), | |||
if err := auth.CreateSource(&auth.Source{ | |||
Type: auth.Type(form.Type), | |||
Name: form.Name, | |||
IsActive: form.IsActive, | |||
IsSyncEnabled: form.IsSyncEnabled, | |||
Cfg: config, | |||
}); err != nil { | |||
if login.IsErrSourceAlreadyExist(err) { | |||
if auth.IsErrSourceAlreadyExist(err) { | |||
ctx.Data["Err_Name"] = true | |||
ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_exist", err.(login.ErrSourceAlreadyExist).Name), tplAuthNew, form) | |||
ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_exist", err.(auth.ErrSourceAlreadyExist).Name), tplAuthNew, form) | |||
} else { | |||
ctx.ServerError("login.CreateSource", err) | |||
ctx.ServerError("auth.CreateSource", err) | |||
} | |||
return | |||
} | |||
@@ -314,9 +314,9 @@ func EditAuthSource(ctx *context.Context) { | |||
oauth2providers := oauth2.GetOAuth2Providers() | |||
ctx.Data["OAuth2Providers"] = oauth2providers | |||
source, err := login.GetSourceByID(ctx.ParamsInt64(":authid")) | |||
source, err := auth.GetSourceByID(ctx.ParamsInt64(":authid")) | |||
if err != nil { | |||
ctx.ServerError("login.GetSourceByID", err) | |||
ctx.ServerError("auth.GetSourceByID", err) | |||
return | |||
} | |||
ctx.Data["Source"] = source | |||
@@ -349,9 +349,9 @@ func EditAuthSourcePost(ctx *context.Context) { | |||
oauth2providers := oauth2.GetOAuth2Providers() | |||
ctx.Data["OAuth2Providers"] = oauth2providers | |||
source, err := login.GetSourceByID(ctx.ParamsInt64(":authid")) | |||
source, err := auth.GetSourceByID(ctx.ParamsInt64(":authid")) | |||
if err != nil { | |||
ctx.ServerError("login.GetSourceByID", err) | |||
ctx.ServerError("auth.GetSourceByID", err) | |||
return | |||
} | |||
ctx.Data["Source"] = source | |||
@@ -363,19 +363,19 @@ func EditAuthSourcePost(ctx *context.Context) { | |||
} | |||
var config convert.Conversion | |||
switch login.Type(form.Type) { | |||
case login.LDAP, login.DLDAP: | |||
switch auth.Type(form.Type) { | |||
case auth.LDAP, auth.DLDAP: | |||
config = parseLDAPConfig(form) | |||
case login.SMTP: | |||
case auth.SMTP: | |||
config = parseSMTPConfig(form) | |||
case login.PAM: | |||
config = &pamService.Source{ | |||
case auth.PAM: | |||
config = &pam_service.Source{ | |||
ServiceName: form.PAMServiceName, | |||
EmailDomain: form.PAMEmailDomain, | |||
} | |||
case login.OAuth2: | |||
case auth.OAuth2: | |||
config = parseOAuth2Config(form) | |||
case login.SSPI: | |||
case auth.SSPI: | |||
config, err = parseSSPIConfig(ctx, form) | |||
if err != nil { | |||
ctx.RenderWithErr(err.Error(), tplAuthEdit, form) | |||
@@ -390,7 +390,7 @@ func EditAuthSourcePost(ctx *context.Context) { | |||
source.IsActive = form.IsActive | |||
source.IsSyncEnabled = form.IsSyncEnabled | |||
source.Cfg = config | |||
if err := login.UpdateSource(source); err != nil { | |||
if err := auth.UpdateSource(source); err != nil { | |||
if oauth2.IsErrOpenIDConnectInitialize(err) { | |||
ctx.Flash.Error(err.Error(), true) | |||
ctx.HTML(http.StatusOK, tplAuthEdit) | |||
@@ -407,17 +407,17 @@ func EditAuthSourcePost(ctx *context.Context) { | |||
// DeleteAuthSource response for deleting an auth source | |||
func DeleteAuthSource(ctx *context.Context) { | |||
source, err := login.GetSourceByID(ctx.ParamsInt64(":authid")) | |||
source, err := auth.GetSourceByID(ctx.ParamsInt64(":authid")) | |||
if err != nil { | |||
ctx.ServerError("login.GetSourceByID", err) | |||
ctx.ServerError("auth.GetSourceByID", err) | |||
return | |||
} | |||
if err = auth_service.DeleteLoginSource(source); err != nil { | |||
if login.IsErrSourceInUse(err) { | |||
if err = auth_service.DeleteSource(source); err != nil { | |||
if auth.IsErrSourceInUse(err) { | |||
ctx.Flash.Error(ctx.Tr("admin.auths.still_in_used")) | |||
} else { | |||
ctx.Flash.Error(fmt.Sprintf("DeleteLoginSource: %v", err)) | |||
ctx.Flash.Error(fmt.Sprintf("auth_service.DeleteSource: %v", err)) | |||
} | |||
ctx.JSON(http.StatusOK, map[string]interface{}{ | |||
"redirect": setting.AppSubURL + "/admin/auths/" + url.PathEscape(ctx.Params(":authid")), |
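Review bot: The `case auth.PAM:` arm of EditAuthSourcePost builds `&pam_service.Source{ServiceName:…, EmailDomain:…}` without `SkipLocalTwoFA`, while the same arm in NewAuthSourcePost sets `SkipLocalTwoFA: form.SkipLocalTwoFA`; saving any other change to a PAM source therefore silently resets that flag to false, which the admin will not notice until local 2FA starts being enforced again (or not). Adding `SkipLocalTwoFA: form.SkipLocalTwoFA,` to the edit-side literal keeps both paths consistent with the form. The rename itself looks mechanically correct; both functions extend beyond the lines shown.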
@@ -12,8 +12,8 @@ import ( | |||
"strings" | |||
"code.gitea.io/gitea/models" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
@@ -81,9 +81,9 @@ func NewUser(ctx *context.Context) { | |||
ctx.Data["login_type"] = "0-0" | |||
sources, err := login.Sources() | |||
sources, err := auth.Sources() | |||
if err != nil { | |||
ctx.ServerError("login.Sources", err) | |||
ctx.ServerError("auth.Sources", err) | |||
return | |||
} | |||
ctx.Data["Sources"] = sources | |||
@@ -100,9 +100,9 @@ func NewUserPost(ctx *context.Context) { | |||
ctx.Data["PageIsAdminUsers"] = true | |||
ctx.Data["DefaultUserVisibilityMode"] = setting.Service.DefaultUserVisibilityMode | |||
sources, err := login.Sources() | |||
sources, err := auth.Sources() | |||
if err != nil { | |||
ctx.ServerError("login.Sources", err) | |||
ctx.ServerError("auth.Sources", err) | |||
return | |||
} | |||
ctx.Data["Sources"] = sources | |||
@@ -119,19 +119,19 @@ func NewUserPost(ctx *context.Context) { | |||
Email: form.Email, | |||
Passwd: form.Password, | |||
IsActive: true, | |||
LoginType: login.Plain, | |||
LoginType: auth.Plain, | |||
} | |||
if len(form.LoginType) > 0 { | |||
fields := strings.Split(form.LoginType, "-") | |||
if len(fields) == 2 { | |||
lType, _ := strconv.ParseInt(fields[0], 10, 0) | |||
u.LoginType = login.Type(lType) | |||
u.LoginType = auth.Type(lType) | |||
u.LoginSource, _ = strconv.ParseInt(fields[1], 10, 64) | |||
u.LoginName = form.LoginName | |||
} | |||
} | |||
if u.LoginType == login.NoType || u.LoginType == login.Plain { | |||
if u.LoginType == auth.NoType || u.LoginType == auth.Plain { | |||
if len(form.Password) < setting.MinPasswordLength { | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplUserNew, &form) | |||
@@ -201,26 +201,26 @@ func prepareUserInfo(ctx *context.Context) *user_model.User { | |||
ctx.Data["User"] = u | |||
if u.LoginSource > 0 { | |||
ctx.Data["LoginSource"], err = login.GetSourceByID(u.LoginSource) | |||
ctx.Data["LoginSource"], err = auth.GetSourceByID(u.LoginSource) | |||
if err != nil { | |||
ctx.ServerError("login.GetSourceByID", err) | |||
ctx.ServerError("auth.GetSourceByID", err) | |||
return nil | |||
} | |||
} else { | |||
ctx.Data["LoginSource"] = &login.Source{} | |||
ctx.Data["LoginSource"] = &auth.Source{} | |||
} | |||
sources, err := login.Sources() | |||
sources, err := auth.Sources() | |||
if err != nil { | |||
ctx.ServerError("login.Sources", err) | |||
ctx.ServerError("auth.Sources", err) | |||
return nil | |||
} | |||
ctx.Data["Sources"] = sources | |||
ctx.Data["TwoFactorEnabled"] = true | |||
_, err = login.GetTwoFactorByUID(u.ID) | |||
_, err = auth.GetTwoFactorByUID(u.ID) | |||
if err != nil { | |||
if !login.IsErrTwoFactorNotEnrolled(err) { | |||
if !auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.ServerError("IsErrTwoFactorNotEnrolled", err) | |||
return nil | |||
} | |||
@@ -268,11 +268,11 @@ func EditUserPost(ctx *context.Context) { | |||
fields := strings.Split(form.LoginType, "-") | |||
if len(fields) == 2 { | |||
loginType, _ := strconv.ParseInt(fields[0], 10, 0) | |||
loginSource, _ := strconv.ParseInt(fields[1], 10, 64) | |||
authSource, _ := strconv.ParseInt(fields[1], 10, 64) | |||
if u.LoginSource != loginSource { | |||
u.LoginSource = loginSource | |||
u.LoginType = login.Type(loginType) | |||
if u.LoginSource != authSource { | |||
u.LoginSource = authSource | |||
u.LoginType = auth.Type(loginType) | |||
} | |||
} | |||
@@ -325,13 +325,13 @@ func EditUserPost(ctx *context.Context) { | |||
} | |||
if form.Reset2FA { | |||
tf, err := login.GetTwoFactorByUID(u.ID) | |||
if err != nil && !login.IsErrTwoFactorNotEnrolled(err) { | |||
tf, err := auth.GetTwoFactorByUID(u.ID) | |||
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.ServerError("GetTwoFactorByUID", err) | |||
return | |||
} | |||
if err = login.DeleteTwoFactorByID(tf.ID, u.ID); err != nil { | |||
if err = auth.DeleteTwoFactorByID(tf.ID, u.ID); err != nil { | |||
ctx.ServerError("DeleteTwoFactorByID", err) | |||
return | |||
} |
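Review bot: In the `form.Reset2FA` branch, `tf` is nil when `auth.GetTwoFactorByUID` returns the not-enrolled error, which the preceding check deliberately tolerates, so `auth.DeleteTwoFactorByID(tf.ID, u.ID)` dereferences a nil pointer whenever an admin ticks the reset box for a user who has no 2FA enrolled. Guard the delete on a successful lookup: `if err == nil { if err = auth.DeleteTwoFactorByID(tf.ID, u.ID); err != nil { ctx.ServerError("DeleteTwoFactorByID", err); return } }`. EditUserPost continues outside the hunk.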
@@ -0,0 +1,166 @@ | |||
// Copyright 2017 The Gitea Authors. All rights reserved. | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package auth | |||
import ( | |||
"errors" | |||
"net/http" | |||
"code.gitea.io/gitea/models/auth" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/web" | |||
"code.gitea.io/gitea/services/externalaccount" | |||
"code.gitea.io/gitea/services/forms" | |||
) | |||
var ( | |||
tplTwofa base.TplName = "user/auth/twofa" | |||
tplTwofaScratch base.TplName = "user/auth/twofa_scratch" | |||
) | |||
// TwoFactor shows the user a two-factor authentication page. | |||
func TwoFactor(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("twofa") | |||
// Check auto-login. | |||
if checkAutoLogin(ctx) { | |||
return | |||
} | |||
// Ensure user is in a 2FA session. | |||
if ctx.Session.Get("twofaUid") == nil { | |||
ctx.ServerError("UserSignIn", errors.New("not in 2FA session")) | |||
return | |||
} | |||
ctx.HTML(http.StatusOK, tplTwofa) | |||
} | |||
// TwoFactorPost validates a user's two-factor authentication token. | |||
func TwoFactorPost(ctx *context.Context) { | |||
form := web.GetForm(ctx).(*forms.TwoFactorAuthForm) | |||
ctx.Data["Title"] = ctx.Tr("twofa") | |||
// Ensure user is in a 2FA session. | |||
idSess := ctx.Session.Get("twofaUid") | |||
if idSess == nil { | |||
ctx.ServerError("UserSignIn", errors.New("not in 2FA session")) | |||
return | |||
} | |||
id := idSess.(int64) | |||
twofa, err := auth.GetTwoFactorByUID(id) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
// Validate the passcode with the stored TOTP secret. | |||
ok, err := twofa.ValidateTOTP(form.Passcode) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if ok && twofa.LastUsedPasscode != form.Passcode { | |||
remember := ctx.Session.Get("twofaRemember").(bool) | |||
u, err := user_model.GetUserByID(id) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if ctx.Session.Get("linkAccount") != nil { | |||
err = externalaccount.LinkAccountFromStore(ctx.Session, u) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
} | |||
twofa.LastUsedPasscode = form.Passcode | |||
if err = auth.UpdateTwoFactor(twofa); err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
handleSignIn(ctx, u, remember) | |||
return | |||
} | |||
ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplTwofa, forms.TwoFactorAuthForm{}) | |||
} | |||
// TwoFactorScratch shows the scratch code form for two-factor authentication. | |||
func TwoFactorScratch(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("twofa_scratch") | |||
// Check auto-login. | |||
if checkAutoLogin(ctx) { | |||
return | |||
} | |||
// Ensure user is in a 2FA session. | |||
if ctx.Session.Get("twofaUid") == nil { | |||
ctx.ServerError("UserSignIn", errors.New("not in 2FA session")) | |||
return | |||
} | |||
ctx.HTML(http.StatusOK, tplTwofaScratch) | |||
} | |||
// TwoFactorScratchPost validates and invalidates a user's two-factor scratch token. | |||
func TwoFactorScratchPost(ctx *context.Context) { | |||
form := web.GetForm(ctx).(*forms.TwoFactorScratchAuthForm) | |||
ctx.Data["Title"] = ctx.Tr("twofa_scratch") | |||
// Ensure user is in a 2FA session. | |||
idSess := ctx.Session.Get("twofaUid") | |||
if idSess == nil { | |||
ctx.ServerError("UserSignIn", errors.New("not in 2FA session")) | |||
return | |||
} | |||
id := idSess.(int64) | |||
twofa, err := auth.GetTwoFactorByUID(id) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
// Validate the passcode with the stored TOTP secret. | |||
if twofa.VerifyScratchToken(form.Token) { | |||
// Invalidate the scratch token. | |||
_, err = twofa.GenerateScratchToken() | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if err = auth.UpdateTwoFactor(twofa); err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
remember := ctx.Session.Get("twofaRemember").(bool) | |||
u, err := user_model.GetUserByID(id) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
handleSignInFull(ctx, u, remember, false) | |||
if ctx.Written() { | |||
return | |||
} | |||
ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used")) | |||
ctx.Redirect(setting.AppSubURL + "/user/settings/security") | |||
return | |||
} | |||
ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplTwofaScratch, forms.TwoFactorScratchAuthForm{}) | |||
} |
@@ -0,0 +1,795 @@ | |||
// Copyright 2014 The Gogs Authors. All rights reserved. | |||
// Copyright 2018 The Gitea Authors. All rights reserved. | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package auth | |||
import ( | |||
"fmt" | |||
"net/http" | |||
"strings" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/eventsource" | |||
"code.gitea.io/gitea/modules/hcaptcha" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/password" | |||
"code.gitea.io/gitea/modules/recaptcha" | |||
"code.gitea.io/gitea/modules/session" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/timeutil" | |||
"code.gitea.io/gitea/modules/web" | |||
"code.gitea.io/gitea/modules/web/middleware" | |||
"code.gitea.io/gitea/routers/utils" | |||
auth_service "code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/auth/source/oauth2" | |||
"code.gitea.io/gitea/services/externalaccount" | |||
"code.gitea.io/gitea/services/forms" | |||
"code.gitea.io/gitea/services/mailer" | |||
"github.com/markbates/goth" | |||
) | |||
const ( | |||
// tplSignIn template for sign in page | |||
tplSignIn base.TplName = "user/auth/signin" | |||
// tplSignUp template path for sign up page | |||
tplSignUp base.TplName = "user/auth/signup" | |||
// TplActivate template path for activate user | |||
TplActivate base.TplName = "user/auth/activate" | |||
) | |||
// AutoSignIn reads cookie and try to auto-login. | |||
func AutoSignIn(ctx *context.Context) (bool, error) { | |||
if !db.HasEngine { | |||
return false, nil | |||
} | |||
uname := ctx.GetCookie(setting.CookieUserName) | |||
if len(uname) == 0 { | |||
return false, nil | |||
} | |||
isSucceed := false | |||
defer func() { | |||
if !isSucceed { | |||
log.Trace("auto-login cookie cleared: %s", uname) | |||
ctx.DeleteCookie(setting.CookieUserName) | |||
ctx.DeleteCookie(setting.CookieRememberName) | |||
} | |||
}() | |||
u, err := user_model.GetUserByName(uname) | |||
if err != nil { | |||
if !user_model.IsErrUserNotExist(err) { | |||
return false, fmt.Errorf("GetUserByName: %v", err) | |||
} | |||
return false, nil | |||
} | |||
if val, ok := ctx.GetSuperSecureCookie( | |||
base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name { | |||
return false, nil | |||
} | |||
isSucceed = true | |||
if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil { | |||
return false, fmt.Errorf("unable to RegenerateSession: Error: %w", err) | |||
} | |||
// Set session IDs | |||
if err := ctx.Session.Set("uid", u.ID); err != nil { | |||
return false, err | |||
} | |||
if err := ctx.Session.Set("uname", u.Name); err != nil { | |||
return false, err | |||
} | |||
if err := ctx.Session.Release(); err != nil { | |||
return false, err | |||
} | |||
if err := resetLocale(ctx, u); err != nil { | |||
return false, err | |||
} | |||
middleware.DeleteCSRFCookie(ctx.Resp) | |||
return true, nil | |||
} | |||
func resetLocale(ctx *context.Context, u *user_model.User) error { | |||
// Language setting of the user overwrites the one previously set | |||
// If the user does not have a locale set, we save the current one. | |||
if len(u.Language) == 0 { | |||
u.Language = ctx.Locale.Language() | |||
if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil { | |||
return err | |||
} | |||
} | |||
middleware.SetLocaleCookie(ctx.Resp, u.Language, 0) | |||
if ctx.Locale.Language() != u.Language { | |||
ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req) | |||
} | |||
return nil | |||
} | |||
func checkAutoLogin(ctx *context.Context) bool { | |||
// Check auto-login | |||
isSucceed, err := AutoSignIn(ctx) | |||
if err != nil { | |||
ctx.ServerError("AutoSignIn", err) | |||
return true | |||
} | |||
redirectTo := ctx.FormString("redirect_to") | |||
if len(redirectTo) > 0 { | |||
middleware.SetRedirectToCookie(ctx.Resp, redirectTo) | |||
} else { | |||
redirectTo = ctx.GetCookie("redirect_to") | |||
} | |||
if isSucceed { | |||
middleware.DeleteRedirectToCookie(ctx.Resp) | |||
ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL)) | |||
return true | |||
} | |||
return false | |||
} | |||
// SignIn render sign in page | |||
func SignIn(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("sign_in") | |||
// Check auto-login | |||
if checkAutoLogin(ctx) { | |||
return | |||
} | |||
orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers() | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names | |||
ctx.Data["OAuth2Providers"] = oauth2Providers | |||
ctx.Data["Title"] = ctx.Tr("sign_in") | |||
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login" | |||
ctx.Data["PageIsSignIn"] = true | |||
ctx.Data["PageIsLogin"] = true | |||
ctx.Data["EnableSSPI"] = auth.IsSSPIEnabled() | |||
ctx.HTML(http.StatusOK, tplSignIn) | |||
} | |||
// SignInPost response for sign in request | |||
func SignInPost(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("sign_in") | |||
orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers() | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names | |||
ctx.Data["OAuth2Providers"] = oauth2Providers | |||
ctx.Data["Title"] = ctx.Tr("sign_in") | |||
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login" | |||
ctx.Data["PageIsSignIn"] = true | |||
ctx.Data["PageIsLogin"] = true | |||
ctx.Data["EnableSSPI"] = auth.IsSSPIEnabled() | |||
if ctx.HasError() { | |||
ctx.HTML(http.StatusOK, tplSignIn) | |||
return | |||
} | |||
form := web.GetForm(ctx).(*forms.SignInForm) | |||
u, source, err := auth_service.UserSignIn(form.UserName, form.Password) | |||
if err != nil { | |||
if user_model.IsErrUserNotExist(err) { | |||
ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form) | |||
log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err) | |||
} else if user_model.IsErrEmailAlreadyUsed(err) { | |||
ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form) | |||
log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err) | |||
} else if user_model.IsErrUserProhibitLogin(err) { | |||
log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err) | |||
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") | |||
ctx.HTML(http.StatusOK, "user/auth/prohibit_login") | |||
} else if user_model.IsErrUserInactive(err) { | |||
if setting.Service.RegisterEmailConfirm { | |||
ctx.Data["Title"] = ctx.Tr("auth.active_your_account") | |||
ctx.HTML(http.StatusOK, TplActivate) | |||
} else { | |||
log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err) | |||
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") | |||
ctx.HTML(http.StatusOK, "user/auth/prohibit_login") | |||
} | |||
} else { | |||
ctx.ServerError("UserSignIn", err) | |||
} | |||
return | |||
} | |||
// Now handle 2FA: | |||
// First of all if the source can skip local two fa we're done | |||
if skipper, ok := source.Cfg.(auth_service.LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() { | |||
handleSignIn(ctx, u, form.Remember) | |||
return | |||
} | |||
// If this user is enrolled in 2FA TOTP, we can't sign the user in just yet. | |||
// Instead, redirect them to the 2FA authentication page. | |||
hasTOTPtwofa, err := auth.HasTwoFactorByUID(u.ID) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
// Check if the user has u2f registration | |||
hasU2Ftwofa, err := auth.HasU2FRegistrationsByUID(u.ID) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if !hasTOTPtwofa && !hasU2Ftwofa { | |||
// No two factor auth configured we can sign in the user | |||
handleSignIn(ctx, u, form.Remember) | |||
return | |||
} | |||
if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil { | |||
ctx.ServerError("UserSignIn: Unable to set regenerate session", err) | |||
return | |||
} | |||
// User will need to use 2FA TOTP or U2F, save data | |||
if err := ctx.Session.Set("twofaUid", u.ID); err != nil { | |||
ctx.ServerError("UserSignIn: Unable to set twofaUid in session", err) | |||
return | |||
} | |||
if err := ctx.Session.Set("twofaRemember", form.Remember); err != nil { | |||
ctx.ServerError("UserSignIn: Unable to set twofaRemember in session", err) | |||
return | |||
} | |||
if hasTOTPtwofa { | |||
// User will need to use U2F, save data | |||
if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil { | |||
ctx.ServerError("UserSignIn: Unable to set u2fEnrolled in session", err) | |||
return | |||
} | |||
} | |||
if err := ctx.Session.Release(); err != nil { | |||
ctx.ServerError("UserSignIn: Unable to save session", err) | |||
return | |||
} | |||
// If we have U2F redirect there first | |||
if hasU2Ftwofa { | |||
ctx.Redirect(setting.AppSubURL + "/user/u2f") | |||
return | |||
} | |||
// Fallback to 2FA | |||
ctx.Redirect(setting.AppSubURL + "/user/two_factor") | |||
} | |||
// This handles the final part of the sign-in process of the user. | |||
func handleSignIn(ctx *context.Context, u *user_model.User, remember bool) { | |||
redirect := handleSignInFull(ctx, u, remember, true) | |||
if ctx.Written() { | |||
return | |||
} | |||
ctx.Redirect(redirect) | |||
} | |||
func handleSignInFull(ctx *context.Context, u *user_model.User, remember bool, obeyRedirect bool) string { | |||
if remember { | |||
days := 86400 * setting.LogInRememberDays | |||
ctx.SetCookie(setting.CookieUserName, u.Name, days) | |||
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), | |||
setting.CookieRememberName, u.Name, days) | |||
} | |||
if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil { | |||
ctx.ServerError("RegenerateSession", err) | |||
return setting.AppSubURL + "/" | |||
} | |||
// Delete the openid, 2fa and linkaccount data | |||
_ = ctx.Session.Delete("openid_verified_uri") | |||
_ = ctx.Session.Delete("openid_signin_remember") | |||
_ = ctx.Session.Delete("openid_determined_email") | |||
_ = ctx.Session.Delete("openid_determined_username") | |||
_ = ctx.Session.Delete("twofaUid") | |||
_ = ctx.Session.Delete("twofaRemember") | |||
_ = ctx.Session.Delete("u2fChallenge") | |||
_ = ctx.Session.Delete("linkAccount") | |||
if err := ctx.Session.Set("uid", u.ID); err != nil { | |||
log.Error("Error setting uid %d in session: %v", u.ID, err) | |||
} | |||
if err := ctx.Session.Set("uname", u.Name); err != nil { | |||
log.Error("Error setting uname %s session: %v", u.Name, err) | |||
} | |||
if err := ctx.Session.Release(); err != nil { | |||
log.Error("Unable to store session: %v", err) | |||
} | |||
// Language setting of the user overwrites the one previously set | |||
// If the user does not have a locale set, we save the current one. | |||
if len(u.Language) == 0 { | |||
u.Language = ctx.Locale.Language() | |||
if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil { | |||
ctx.ServerError("UpdateUserCols Language", fmt.Errorf("Error updating user language [user: %d, locale: %s]", u.ID, u.Language)) | |||
return setting.AppSubURL + "/" | |||
} | |||
} | |||
middleware.SetLocaleCookie(ctx.Resp, u.Language, 0) | |||
if ctx.Locale.Language() != u.Language { | |||
ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req) | |||
} | |||
// Clear whatever CSRF has right now, force to generate a new one | |||
middleware.DeleteCSRFCookie(ctx.Resp) | |||
// Register last login | |||
u.SetLastLogin() | |||
if err := user_model.UpdateUserCols(db.DefaultContext, u, "last_login_unix"); err != nil { | |||
ctx.ServerError("UpdateUserCols", err) | |||
return setting.AppSubURL + "/" | |||
} | |||
if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) { | |||
middleware.DeleteRedirectToCookie(ctx.Resp) | |||
if obeyRedirect { | |||
ctx.RedirectToFirst(redirectTo) | |||
} | |||
return redirectTo | |||
} | |||
if obeyRedirect { | |||
ctx.Redirect(setting.AppSubURL + "/") | |||
} | |||
return setting.AppSubURL + "/" | |||
} | |||
func getUserName(gothUser *goth.User) string { | |||
switch setting.OAuth2Client.Username { | |||
case setting.OAuth2UsernameEmail: | |||
return strings.Split(gothUser.Email, "@")[0] | |||
case setting.OAuth2UsernameNickname: | |||
return gothUser.NickName | |||
default: // OAuth2UsernameUserid | |||
return gothUser.UserID | |||
} | |||
} | |||
// HandleSignOut resets the session and sets the cookies | |||
func HandleSignOut(ctx *context.Context) { | |||
_ = ctx.Session.Flush() | |||
_ = ctx.Session.Destroy(ctx.Resp, ctx.Req) | |||
ctx.DeleteCookie(setting.CookieUserName) | |||
ctx.DeleteCookie(setting.CookieRememberName) | |||
middleware.DeleteCSRFCookie(ctx.Resp) | |||
middleware.DeleteLocaleCookie(ctx.Resp) | |||
middleware.DeleteRedirectToCookie(ctx.Resp) | |||
} | |||
// SignOut sign out from login status | |||
func SignOut(ctx *context.Context) { | |||
if ctx.User != nil { | |||
eventsource.GetManager().SendMessageBlocking(ctx.User.ID, &eventsource.Event{ | |||
Name: "logout", | |||
Data: ctx.Session.ID(), | |||
}) | |||
} | |||
HandleSignOut(ctx) | |||
ctx.Redirect(setting.AppSubURL + "/") | |||
} | |||
// SignUp render the register page | |||
func SignUp(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("sign_up") | |||
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up" | |||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha | |||
ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL | |||
ctx.Data["Captcha"] = context.GetImageCaptcha() | |||
ctx.Data["CaptchaType"] = setting.Service.CaptchaType | |||
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey | |||
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey | |||
ctx.Data["PageIsSignUp"] = true | |||
//Show Disabled Registration message if DisableRegistration or AllowOnlyExternalRegistration options are true | |||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration | |||
ctx.HTML(http.StatusOK, tplSignUp) | |||
} | |||
// SignUpPost response for sign up information submission | |||
func SignUpPost(ctx *context.Context) { | |||
form := web.GetForm(ctx).(*forms.RegisterForm) | |||
ctx.Data["Title"] = ctx.Tr("sign_up") | |||
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up" | |||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha | |||
ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL | |||
ctx.Data["Captcha"] = context.GetImageCaptcha() | |||
ctx.Data["CaptchaType"] = setting.Service.CaptchaType | |||
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey | |||
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey | |||
ctx.Data["PageIsSignUp"] = true | |||
//Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true | |||
if setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration { | |||
ctx.Error(http.StatusForbidden) | |||
return | |||
} | |||
if ctx.HasError() { | |||
ctx.HTML(http.StatusOK, tplSignUp) | |||
return | |||
} | |||
if setting.Service.EnableCaptcha { | |||
var valid bool | |||
var err error | |||
switch setting.Service.CaptchaType { | |||
case setting.ImageCaptcha: | |||
valid = context.GetImageCaptcha().VerifyReq(ctx.Req) | |||
case setting.ReCaptcha: | |||
valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse) | |||
case setting.HCaptcha: | |||
valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse) | |||
default: | |||
ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType)) | |||
return | |||
} | |||
if err != nil { | |||
log.Debug("%s", err.Error()) | |||
} | |||
if !valid { | |||
ctx.Data["Err_Captcha"] = true | |||
ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUp, &form) | |||
return | |||
} | |||
} | |||
if !form.IsEmailDomainAllowed() { | |||
ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplSignUp, &form) | |||
return | |||
} | |||
if form.Password != form.Retype { | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplSignUp, &form) | |||
return | |||
} | |||
if len(form.Password) < setting.MinPasswordLength { | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplSignUp, &form) | |||
return | |||
} | |||
if !password.IsComplexEnough(form.Password) { | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(password.BuildComplexityError(ctx), tplSignUp, &form) | |||
return | |||
} | |||
pwned, err := password.IsPwned(ctx, form.Password) | |||
if pwned { | |||
errMsg := ctx.Tr("auth.password_pwned") | |||
if err != nil { | |||
log.Error(err.Error()) | |||
errMsg = ctx.Tr("auth.password_pwned_err") | |||
} | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(errMsg, tplSignUp, &form) | |||
return | |||
} | |||
u := &user_model.User{ | |||
Name: form.UserName, | |||
Email: form.Email, | |||
Passwd: form.Password, | |||
IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm), | |||
IsRestricted: setting.Service.DefaultUserIsRestricted, | |||
} | |||
if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) { | |||
// error already handled | |||
return | |||
} | |||
ctx.Flash.Success(ctx.Tr("auth.sign_up_successful")) | |||
handleSignIn(ctx, u, false) | |||
} | |||
// createAndHandleCreatedUser calls createUserInContext and | |||
// then handleUserCreated. | |||
func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) bool { | |||
if !createUserInContext(ctx, tpl, form, u, gothUser, allowLink) { | |||
return false | |||
} | |||
return handleUserCreated(ctx, u, gothUser) | |||
} | |||
// createUserInContext creates a user and handles errors within a given context. | |||
// Optionally a template can be specified. | |||
func createUserInContext(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) (ok bool) { | |||
if err := user_model.CreateUser(u); err != nil { | |||
if allowLink && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) { | |||
if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto { | |||
var user *user_model.User | |||
user = &user_model.User{Name: u.Name} | |||
hasUser, err := user_model.GetUser(user) | |||
if !hasUser || err != nil { | |||
user = &user_model.User{Email: u.Email} | |||
hasUser, err = user_model.GetUser(user) | |||
if !hasUser || err != nil { | |||
ctx.ServerError("UserLinkAccount", err) | |||
return | |||
} | |||
} | |||
// TODO: probably we should respect 'remember' user's choice... | |||
linkAccount(ctx, user, *gothUser, true) | |||
return // user is already created here, all redirects are handled | |||
} else if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingLogin { | |||
showLinkingLogin(ctx, *gothUser) | |||
return // user will be created only after linking login | |||
} | |||
} | |||
// handle error without template | |||
if len(tpl) == 0 { | |||
ctx.ServerError("CreateUser", err) | |||
return | |||
} | |||
// handle error with template | |||
switch { | |||
case user_model.IsErrUserAlreadyExist(err): | |||
ctx.Data["Err_UserName"] = true | |||
ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tpl, form) | |||
case user_model.IsErrEmailAlreadyUsed(err): | |||
ctx.Data["Err_Email"] = true | |||
ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tpl, form) | |||
case user_model.IsErrEmailInvalid(err): | |||
ctx.Data["Err_Email"] = true | |||
ctx.RenderWithErr(ctx.Tr("form.email_invalid"), tpl, form) | |||
case db.IsErrNameReserved(err): | |||
ctx.Data["Err_UserName"] = true | |||
ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(db.ErrNameReserved).Name), tpl, form) | |||
case db.IsErrNamePatternNotAllowed(err): | |||
ctx.Data["Err_UserName"] = true | |||
ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(db.ErrNamePatternNotAllowed).Pattern), tpl, form) | |||
case db.IsErrNameCharsNotAllowed(err): | |||
ctx.Data["Err_UserName"] = true | |||
ctx.RenderWithErr(ctx.Tr("user.form.name_chars_not_allowed", err.(db.ErrNameCharsNotAllowed).Name), tpl, form) | |||
default: | |||
ctx.ServerError("CreateUser", err) | |||
} | |||
return | |||
} | |||
log.Trace("Account created: %s", u.Name) | |||
return true | |||
} | |||
// handleUserCreated does additional steps after a new user is created. | |||
// It auto-sets admin for the only user, updates the optional external user and | |||
// sends a confirmation email if required. | |||
func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User) (ok bool) { | |||
// Auto-set admin for the only user. | |||
if user_model.CountUsers() == 1 { | |||
u.IsAdmin = true | |||
u.IsActive = true | |||
u.SetLastLogin() | |||
if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_active", "last_login_unix"); err != nil { | |||
ctx.ServerError("UpdateUser", err) | |||
return | |||
} | |||
} | |||
// update external user information | |||
if gothUser != nil { | |||
if err := externalaccount.UpdateExternalUser(u, *gothUser); err != nil { | |||
log.Error("UpdateExternalUser failed: %v", err) | |||
} | |||
} | |||
// Send confirmation email | |||
if !u.IsActive && u.ID > 1 { | |||
mailer.SendActivateAccountMail(ctx.Locale, u) | |||
ctx.Data["IsSendRegisterMail"] = true | |||
ctx.Data["Email"] = u.Email | |||
ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language()) | |||
ctx.HTML(http.StatusOK, TplActivate) | |||
if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil { | |||
log.Error("Set cache(MailResendLimit) fail: %v", err) | |||
} | |||
return | |||
} | |||
return true | |||
} | |||
// Activate render activate user page | |||
func Activate(ctx *context.Context) { | |||
code := ctx.FormString("code") | |||
if len(code) == 0 { | |||
ctx.Data["IsActivatePage"] = true | |||
if ctx.User == nil || ctx.User.IsActive { | |||
ctx.NotFound("invalid user", nil) | |||
return | |||
} | |||
// Resend confirmation email. | |||
if setting.Service.RegisterEmailConfirm { | |||
if ctx.Cache.IsExist("MailResendLimit_" + ctx.User.LowerName) { | |||
ctx.Data["ResendLimited"] = true | |||
} else { | |||
ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language()) | |||
mailer.SendActivateAccountMail(ctx.Locale, ctx.User) | |||
if err := ctx.Cache.Put("MailResendLimit_"+ctx.User.LowerName, ctx.User.LowerName, 180); err != nil { | |||
log.Error("Set cache(MailResendLimit) fail: %v", err) | |||
} | |||
} | |||
} else { | |||
ctx.Data["ServiceNotEnabled"] = true | |||
} | |||
ctx.HTML(http.StatusOK, TplActivate) | |||
return | |||
} | |||
user := user_model.VerifyUserActiveCode(code) | |||
// if code is wrong | |||
if user == nil { | |||
ctx.Data["IsActivateFailed"] = true | |||
ctx.HTML(http.StatusOK, TplActivate) | |||
return | |||
} | |||
// if account is local account, verify password | |||
if user.LoginSource == 0 { | |||
ctx.Data["Code"] = code | |||
ctx.Data["NeedsPassword"] = true | |||
ctx.HTML(http.StatusOK, TplActivate) | |||
return | |||
} | |||
handleAccountActivation(ctx, user) | |||
} | |||
// ActivatePost handles account activation with password check | |||
func ActivatePost(ctx *context.Context) { | |||
code := ctx.FormString("code") | |||
if len(code) == 0 { | |||
ctx.Redirect(setting.AppSubURL + "/user/activate") | |||
return | |||
} | |||
user := user_model.VerifyUserActiveCode(code) | |||
// if code is wrong | |||
if user == nil { | |||
ctx.Data["IsActivateFailed"] = true | |||
ctx.HTML(http.StatusOK, TplActivate) | |||
return | |||
} | |||
// if account is local account, verify password | |||
if user.LoginSource == 0 { | |||
password := ctx.FormString("password") | |||
if len(password) == 0 { | |||
ctx.Data["Code"] = code | |||
ctx.Data["NeedsPassword"] = true | |||
ctx.HTML(http.StatusOK, TplActivate) | |||
return | |||
} | |||
if !user.ValidatePassword(password) { | |||
ctx.Data["IsActivateFailed"] = true | |||
ctx.HTML(http.StatusOK, TplActivate) | |||
return | |||
} | |||
} | |||
handleAccountActivation(ctx, user) | |||
} | |||
func handleAccountActivation(ctx *context.Context, user *user_model.User) { | |||
user.IsActive = true | |||
var err error | |||
if user.Rands, err = user_model.GetUserSalt(); err != nil { | |||
ctx.ServerError("UpdateUser", err) | |||
return | |||
} | |||
if err := user_model.UpdateUserCols(db.DefaultContext, user, "is_active", "rands"); err != nil { | |||
if user_model.IsErrUserNotExist(err) { | |||
ctx.NotFound("UpdateUserCols", err) | |||
} else { | |||
ctx.ServerError("UpdateUser", err) | |||
} | |||
return | |||
} | |||
if err := user_model.ActivateUserEmail(user.ID, user.Email, true); err != nil { | |||
log.Error("Unable to activate email for user: %-v with email: %s: %v", user, user.Email, err) | |||
ctx.ServerError("ActivateUserEmail", err) | |||
return | |||
} | |||
log.Trace("User activated: %s", user.Name) | |||
if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil { | |||
log.Error("Unable to regenerate session for user: %-v with email: %s: %v", user, user.Email, err) | |||
ctx.ServerError("ActivateUserEmail", err) | |||
return | |||
} | |||
if err := ctx.Session.Set("uid", user.ID); err != nil { | |||
log.Error("Error setting uid in session[%s]: %v", ctx.Session.ID(), err) | |||
} | |||
if err := ctx.Session.Set("uname", user.Name); err != nil { | |||
log.Error("Error setting uname in session[%s]: %v", ctx.Session.ID(), err) | |||
} | |||
if err := ctx.Session.Release(); err != nil { | |||
log.Error("Error storing session[%s]: %v", ctx.Session.ID(), err) | |||
} | |||
if err := resetLocale(ctx, user); err != nil { | |||
ctx.ServerError("resetLocale", err) | |||
return | |||
} | |||
ctx.Flash.Success(ctx.Tr("auth.account_activated")) | |||
ctx.Redirect(setting.AppSubURL + "/") | |||
} | |||
// ActivateEmail render the activate email page | |||
func ActivateEmail(ctx *context.Context) { | |||
code := ctx.FormString("code") | |||
emailStr := ctx.FormString("email") | |||
// Verify code. | |||
if email := user_model.VerifyActiveEmailCode(code, emailStr); email != nil { | |||
if err := user_model.ActivateEmail(email); err != nil { | |||
ctx.ServerError("ActivateEmail", err) | |||
} | |||
log.Trace("Email activated: %s", email.Email) | |||
ctx.Flash.Success(ctx.Tr("settings.add_email_success")) | |||
if u, err := user_model.GetUserByID(email.UID); err != nil { | |||
log.Warn("GetUserByID: %d", email.UID) | |||
} else { | |||
// Allow user to validate more emails | |||
_ = ctx.Cache.Delete("MailResendLimit_" + u.LowerName) | |||
} | |||
} | |||
// FIXME: e-mail verification does not require the user to be logged in, | |||
// so this could be redirecting to the login page. | |||
// Should users be logged in automatically here? (consider 2FA requirements, etc.) | |||
ctx.Redirect(setting.AppSubURL + "/user/settings/account") | |||
} |
@@ -0,0 +1,300 @@ | |||
// Copyright 2017 The Gitea Authors. All rights reserved. | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package auth | |||
import ( | |||
"errors" | |||
"fmt" | |||
"net/http" | |||
"strings" | |||
"code.gitea.io/gitea/models/auth" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/hcaptcha" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/recaptcha" | |||
"code.gitea.io/gitea/modules/session" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/web" | |||
auth_service "code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/externalaccount" | |||
"code.gitea.io/gitea/services/forms" | |||
"github.com/markbates/goth" | |||
) | |||
var ( | |||
tplLinkAccount base.TplName = "user/auth/link_account" | |||
) | |||
// LinkAccount shows the page where the user can decide to login or create a new account | |||
func LinkAccount(ctx *context.Context) { | |||
ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration | |||
ctx.Data["Title"] = ctx.Tr("link_account") | |||
ctx.Data["LinkAccountMode"] = true | |||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha | |||
ctx.Data["Captcha"] = context.GetImageCaptcha() | |||
ctx.Data["CaptchaType"] = setting.Service.CaptchaType | |||
ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL | |||
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey | |||
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey | |||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration | |||
ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration | |||
ctx.Data["ShowRegistrationButton"] = false | |||
// use this to set the right link into the signIn and signUp templates in the link_account template | |||
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin" | |||
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup" | |||
gothUser := ctx.Session.Get("linkAccountGothUser") | |||
if gothUser == nil { | |||
ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session")) | |||
return | |||
} | |||
gu, _ := gothUser.(goth.User) | |||
uname := getUserName(&gu) | |||
email := gu.Email | |||
ctx.Data["user_name"] = uname | |||
ctx.Data["email"] = email | |||
if len(email) != 0 { | |||
u, err := user_model.GetUserByEmail(email) | |||
if err != nil && !user_model.IsErrUserNotExist(err) { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if u != nil { | |||
ctx.Data["user_exists"] = true | |||
} | |||
} else if len(uname) != 0 { | |||
u, err := user_model.GetUserByName(uname) | |||
if err != nil && !user_model.IsErrUserNotExist(err) { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if u != nil { | |||
ctx.Data["user_exists"] = true | |||
} | |||
} | |||
ctx.HTML(http.StatusOK, tplLinkAccount) | |||
} | |||
// LinkAccountPostSignIn handle the coupling of external account with another account using signIn | |||
func LinkAccountPostSignIn(ctx *context.Context) { | |||
signInForm := web.GetForm(ctx).(*forms.SignInForm) | |||
ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration | |||
ctx.Data["Title"] = ctx.Tr("link_account") | |||
ctx.Data["LinkAccountMode"] = true | |||
ctx.Data["LinkAccountModeSignIn"] = true | |||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha | |||
ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL | |||
ctx.Data["Captcha"] = context.GetImageCaptcha() | |||
ctx.Data["CaptchaType"] = setting.Service.CaptchaType | |||
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey | |||
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey | |||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration | |||
ctx.Data["ShowRegistrationButton"] = false | |||
// use this to set the right link into the signIn and signUp templates in the link_account template | |||
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin" | |||
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup" | |||
gothUser := ctx.Session.Get("linkAccountGothUser") | |||
if gothUser == nil { | |||
ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session")) | |||
return | |||
} | |||
if ctx.HasError() { | |||
ctx.HTML(http.StatusOK, tplLinkAccount) | |||
return | |||
} | |||
u, _, err := auth_service.UserSignIn(signInForm.UserName, signInForm.Password) | |||
if err != nil { | |||
if user_model.IsErrUserNotExist(err) { | |||
ctx.Data["user_exists"] = true | |||
ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm) | |||
} else { | |||
ctx.ServerError("UserLinkAccount", err) | |||
} | |||
return | |||
} | |||
linkAccount(ctx, u, gothUser.(goth.User), signInForm.Remember) | |||
} | |||
func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool) { | |||
updateAvatarIfNeed(gothUser.AvatarURL, u) | |||
// If this user is enrolled in 2FA, we can't sign the user in just yet. | |||
// Instead, redirect them to the 2FA authentication page. | |||
// We deliberately ignore the skip local 2fa setting here because we are linking to a previous user here | |||
_, err := auth.GetTwoFactorByUID(u.ID) | |||
if err != nil { | |||
if !auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.ServerError("UserLinkAccount", err) | |||
return | |||
} | |||
err = externalaccount.LinkAccountToUser(u, gothUser) | |||
if err != nil { | |||
ctx.ServerError("UserLinkAccount", err) | |||
return | |||
} | |||
handleSignIn(ctx, u, remember) | |||
return | |||
} | |||
if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil { | |||
ctx.ServerError("RegenerateSession", err) | |||
return | |||
} | |||
// User needs to use 2FA, save data and redirect to 2FA page. | |||
if err := ctx.Session.Set("twofaUid", u.ID); err != nil { | |||
log.Error("Error setting twofaUid in session: %v", err) | |||
} | |||
if err := ctx.Session.Set("twofaRemember", remember); err != nil { | |||
log.Error("Error setting twofaRemember in session: %v", err) | |||
} | |||
if err := ctx.Session.Set("linkAccount", true); err != nil { | |||
log.Error("Error setting linkAccount in session: %v", err) | |||
} | |||
if err := ctx.Session.Release(); err != nil { | |||
log.Error("Error storing session: %v", err) | |||
} | |||
// If U2F is enrolled -> Redirect to U2F instead | |||
regs, err := auth.GetU2FRegistrationsByUID(u.ID) | |||
if err == nil && len(regs) > 0 { | |||
ctx.Redirect(setting.AppSubURL + "/user/u2f") | |||
return | |||
} | |||
ctx.Redirect(setting.AppSubURL + "/user/two_factor") | |||
} | |||
// LinkAccountPostRegister handle the creation of a new account for an external account using signUp | |||
func LinkAccountPostRegister(ctx *context.Context) { | |||
form := web.GetForm(ctx).(*forms.RegisterForm) | |||
// TODO Make insecure passwords optional for local accounts also, | |||
// once email-based Second-Factor Auth is available | |||
ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration | |||
ctx.Data["Title"] = ctx.Tr("link_account") | |||
ctx.Data["LinkAccountMode"] = true | |||
ctx.Data["LinkAccountModeRegister"] = true | |||
ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha | |||
ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL | |||
ctx.Data["Captcha"] = context.GetImageCaptcha() | |||
ctx.Data["CaptchaType"] = setting.Service.CaptchaType | |||
ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey | |||
ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey | |||
ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration | |||
ctx.Data["ShowRegistrationButton"] = false | |||
// use this to set the right link into the signIn and signUp templates in the link_account template | |||
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin" | |||
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup" | |||
gothUserInterface := ctx.Session.Get("linkAccountGothUser") | |||
if gothUserInterface == nil { | |||
ctx.ServerError("UserSignUp", errors.New("not in LinkAccount session")) | |||
return | |||
} | |||
gothUser, ok := gothUserInterface.(goth.User) | |||
if !ok { | |||
ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountGothUser type is %t but not goth.User", gothUserInterface)) | |||
return | |||
} | |||
if ctx.HasError() { | |||
ctx.HTML(http.StatusOK, tplLinkAccount) | |||
return | |||
} | |||
if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration { | |||
ctx.Error(http.StatusForbidden) | |||
return | |||
} | |||
if setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha { | |||
var valid bool | |||
var err error | |||
switch setting.Service.CaptchaType { | |||
case setting.ImageCaptcha: | |||
valid = context.GetImageCaptcha().VerifyReq(ctx.Req) | |||
case setting.ReCaptcha: | |||
valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse) | |||
case setting.HCaptcha: | |||
valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse) | |||
default: | |||
ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType)) | |||
return | |||
} | |||
if err != nil { | |||
log.Debug("%s", err.Error()) | |||
} | |||
if !valid { | |||
ctx.Data["Err_Captcha"] = true | |||
ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplLinkAccount, &form) | |||
return | |||
} | |||
} | |||
if !form.IsEmailDomainAllowed() { | |||
ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplLinkAccount, &form) | |||
return | |||
} | |||
if setting.Service.AllowOnlyExternalRegistration || !setting.Service.RequireExternalRegistrationPassword { | |||
// In user_model.User an empty password is classed as not set, so we set form.Password to empty. | |||
// Eventually the database should be changed to indicate "Second Factor"-enabled accounts | |||
// (accounts that do not introduce the security vulnerabilities of a password). | |||
// If a user decides to circumvent second-factor security, and purposefully create a password, | |||
// they can still do so using the "Recover Account" option. | |||
form.Password = "" | |||
} else { | |||
if (len(strings.TrimSpace(form.Password)) > 0 || len(strings.TrimSpace(form.Retype)) > 0) && form.Password != form.Retype { | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplLinkAccount, &form) | |||
return | |||
} | |||
if len(strings.TrimSpace(form.Password)) > 0 && len(form.Password) < setting.MinPasswordLength { | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplLinkAccount, &form) | |||
return | |||
} | |||
} | |||
authSource, err := auth.GetActiveOAuth2SourceByName(gothUser.Provider) | |||
if err != nil { | |||
ctx.ServerError("CreateUser", err) | |||
return | |||
} | |||
u := &user_model.User{ | |||
Name: form.UserName, | |||
Email: form.Email, | |||
Passwd: form.Password, | |||
IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm), | |||
LoginType: auth.OAuth2, | |||
LoginSource: authSource.ID, | |||
LoginName: gothUser.UserID, | |||
} | |||
if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, &gothUser, false) { | |||
// error already handled | |||
return | |||
} | |||
handleSignIn(ctx, u, false) | |||
} |
@@ -0,0 +1,16 @@ | |||
// Copyright 2018 The Gitea Authors. All rights reserved. | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package auth | |||
import ( | |||
"path/filepath" | |||
"testing" | |||
"code.gitea.io/gitea/models/unittest" | |||
) | |||
func TestMain(m *testing.M) { | |||
unittest.MainTest(m, filepath.Join("..", "..", "..")) | |||
} |
@@ -2,32 +2,40 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package user | |||
package auth | |||
import ( | |||
"encoding/base64" | |||
"errors" | |||
"fmt" | |||
"html" | |||
"io" | |||
"net/http" | |||
"net/url" | |||
"strings" | |||
"code.gitea.io/gitea/models" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/json" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/session" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/timeutil" | |||
"code.gitea.io/gitea/modules/web" | |||
"code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/modules/web/middleware" | |||
auth_service "code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/auth/source/oauth2" | |||
"code.gitea.io/gitea/services/externalaccount" | |||
"code.gitea.io/gitea/services/forms" | |||
user_service "code.gitea.io/gitea/services/user" | |||
"gitea.com/go-chi/binding" | |||
"github.com/golang-jwt/jwt" | |||
"github.com/markbates/goth" | |||
) | |||
const ( | |||
@@ -117,7 +125,7 @@ type AccessTokenResponse struct { | |||
IDToken string `json:"id_token,omitempty"` | |||
} | |||
func newAccessTokenResponse(grant *login.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) { | |||
func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) { | |||
if setting.OAuth2.InvalidateRefreshTokens { | |||
if err := grant.IncreaseCounter(); err != nil { | |||
return nil, &AccessTokenError{ | |||
@@ -164,7 +172,7 @@ func newAccessTokenResponse(grant *login.OAuth2Grant, serverKey, clientKey oauth | |||
// generate OpenID Connect id_token | |||
signedIDToken := "" | |||
if grant.ScopeContains("openid") { | |||
app, err := login.GetOAuth2ApplicationByID(grant.ApplicationID) | |||
app, err := auth.GetOAuth2ApplicationByID(grant.ApplicationID) | |||
if err != nil { | |||
return nil, &AccessTokenError{ | |||
ErrorCode: AccessTokenErrorCodeInvalidRequest, | |||
@@ -249,7 +257,7 @@ type userInfoResponse struct { | |||
// InfoOAuth manages request for userinfo endpoint | |||
func InfoOAuth(ctx *context.Context) { | |||
if ctx.User == nil || ctx.Data["AuthedMethod"] != (&auth.OAuth2{}).Name() { | |||
if ctx.User == nil || ctx.Data["AuthedMethod"] != (&auth_service.OAuth2{}).Name() { | |||
ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`) | |||
ctx.PlainText(http.StatusUnauthorized, "no valid authorization") | |||
return | |||
@@ -315,9 +323,9 @@ func IntrospectOAuth(ctx *context.Context) { | |||
token, err := oauth2.ParseToken(form.Token, oauth2.DefaultSigningKey) | |||
if err == nil { | |||
if token.Valid() == nil { | |||
grant, err := login.GetOAuth2GrantByID(token.GrantID) | |||
grant, err := auth.GetOAuth2GrantByID(token.GrantID) | |||
if err == nil && grant != nil { | |||
app, err := login.GetOAuth2ApplicationByID(grant.ApplicationID) | |||
app, err := auth.GetOAuth2ApplicationByID(grant.ApplicationID) | |||
if err == nil && app != nil { | |||
response.Active = true | |||
response.Scope = grant.Scope | |||
@@ -346,9 +354,9 @@ func AuthorizeOAuth(ctx *context.Context) { | |||
return | |||
} | |||
app, err := login.GetOAuth2ApplicationByClientID(form.ClientID) | |||
app, err := auth.GetOAuth2ApplicationByClientID(form.ClientID) | |||
if err != nil { | |||
if login.IsErrOauthClientIDInvalid(err) { | |||
if auth.IsErrOauthClientIDInvalid(err) { | |||
handleAuthorizeError(ctx, AuthorizeError{ | |||
ErrorCode: ErrorCodeUnauthorizedClient, | |||
ErrorDescription: "Client ID not registered", | |||
@@ -492,7 +500,7 @@ func GrantApplicationOAuth(ctx *context.Context) { | |||
ctx.Error(http.StatusBadRequest) | |||
return | |||
} | |||
app, err := login.GetOAuth2ApplicationByClientID(form.ClientID) | |||
app, err := auth.GetOAuth2ApplicationByClientID(form.ClientID) | |||
if err != nil { | |||
ctx.ServerError("GetOAuth2ApplicationByClientID", err) | |||
return | |||
@@ -630,7 +638,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server | |||
return | |||
} | |||
// get grant before increasing counter | |||
grant, err := login.GetOAuth2GrantByID(token.GrantID) | |||
grant, err := auth.GetOAuth2GrantByID(token.GrantID) | |||
if err != nil || grant == nil { | |||
handleAccessTokenError(ctx, AccessTokenError{ | |||
ErrorCode: AccessTokenErrorCodeInvalidGrant, | |||
@@ -657,7 +665,7 @@ func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, server | |||
} | |||
func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) { | |||
app, err := login.GetOAuth2ApplicationByClientID(form.ClientID) | |||
app, err := auth.GetOAuth2ApplicationByClientID(form.ClientID) | |||
if err != nil { | |||
handleAccessTokenError(ctx, AccessTokenError{ | |||
ErrorCode: AccessTokenErrorCodeInvalidClient, | |||
@@ -679,7 +687,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s | |||
}) | |||
return | |||
} | |||
authorizationCode, err := login.GetOAuth2AuthorizationByCode(form.Code) | |||
authorizationCode, err := auth.GetOAuth2AuthorizationByCode(form.Code) | |||
if err != nil || authorizationCode == nil { | |||
handleAccessTokenError(ctx, AccessTokenError{ | |||
ErrorCode: AccessTokenErrorCodeUnauthorizedClient, | |||
@@ -750,3 +758,367 @@ func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirect | |||
redirect.RawQuery = q.Encode() | |||
ctx.Redirect(redirect.String(), 302) | |||
} | |||
// SignInOAuth handles the OAuth2 login buttons | |||
func SignInOAuth(ctx *context.Context) { | |||
provider := ctx.Params(":provider") | |||
authSource, err := auth.GetActiveOAuth2SourceByName(provider) | |||
if err != nil { | |||
ctx.ServerError("SignIn", err) | |||
return | |||
} | |||
// try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user | |||
user, gothUser, err := oAuth2UserLoginCallback(authSource, ctx.Req, ctx.Resp) | |||
if err == nil && user != nil { | |||
// we got the user without going through the whole OAuth2 authentication flow again | |||
handleOAuth2SignIn(ctx, authSource, user, gothUser) | |||
return | |||
} | |||
if err = authSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil { | |||
if strings.Contains(err.Error(), "no provider for ") { | |||
if err = oauth2.ResetOAuth2(); err != nil { | |||
ctx.ServerError("SignIn", err) | |||
return | |||
} | |||
if err = authSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil { | |||
ctx.ServerError("SignIn", err) | |||
} | |||
return | |||
} | |||
ctx.ServerError("SignIn", err) | |||
} | |||
// redirect is done in oauth2.Auth | |||
} | |||
// SignInOAuthCallback handles the callback from the given provider | |||
func SignInOAuthCallback(ctx *context.Context) { | |||
provider := ctx.Params(":provider") | |||
// first look if the provider is still active | |||
authSource, err := auth.GetActiveOAuth2SourceByName(provider) | |||
if err != nil { | |||
ctx.ServerError("SignIn", err) | |||
return | |||
} | |||
if authSource == nil { | |||
ctx.ServerError("SignIn", errors.New("No valid provider found, check configured callback url in provider")) | |||
return | |||
} | |||
u, gothUser, err := oAuth2UserLoginCallback(authSource, ctx.Req, ctx.Resp) | |||
if err != nil { | |||
if user_model.IsErrUserProhibitLogin(err) { | |||
uplerr := err.(*user_model.ErrUserProhibitLogin) | |||
log.Info("Failed authentication attempt for %s from %s: %v", uplerr.Name, ctx.RemoteAddr(), err) | |||
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") | |||
ctx.HTML(http.StatusOK, "user/auth/prohibit_login") | |||
return | |||
} | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if u == nil { | |||
if !setting.Service.AllowOnlyInternalRegistration && setting.OAuth2Client.EnableAutoRegistration { | |||
// create new user with details from oauth2 provider | |||
var missingFields []string | |||
if gothUser.UserID == "" { | |||
missingFields = append(missingFields, "sub") | |||
} | |||
if gothUser.Email == "" { | |||
missingFields = append(missingFields, "email") | |||
} | |||
if setting.OAuth2Client.Username == setting.OAuth2UsernameNickname && gothUser.NickName == "" { | |||
missingFields = append(missingFields, "nickname") | |||
} | |||
if len(missingFields) > 0 { | |||
log.Error("OAuth2 Provider %s returned empty or missing fields: %s", authSource.Name, missingFields) | |||
if authSource.IsOAuth2() && authSource.Cfg.(*oauth2.Source).Provider == "openidConnect" { | |||
log.Error("You may need to change the 'OPENID_CONNECT_SCOPES' setting to request all required fields") | |||
} | |||
err = fmt.Errorf("OAuth2 Provider %s returned empty or missing fields: %s", authSource.Name, missingFields) | |||
ctx.ServerError("CreateUser", err) | |||
return | |||
} | |||
u = &user_model.User{ | |||
Name: getUserName(&gothUser), | |||
FullName: gothUser.Name, | |||
Email: gothUser.Email, | |||
IsActive: !setting.OAuth2Client.RegisterEmailConfirm, | |||
LoginType: auth.OAuth2, | |||
LoginSource: authSource.ID, | |||
LoginName: gothUser.UserID, | |||
IsRestricted: setting.Service.DefaultUserIsRestricted, | |||
} | |||
setUserGroupClaims(authSource, u, &gothUser) | |||
if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) { | |||
// error already handled | |||
return | |||
} | |||
} else { | |||
// no existing user is found, request attach or new account | |||
showLinkingLogin(ctx, gothUser) | |||
return | |||
} | |||
} | |||
handleOAuth2SignIn(ctx, authSource, u, gothUser) | |||
} | |||
func claimValueToStringSlice(claimValue interface{}) []string { | |||
var groups []string | |||
switch rawGroup := claimValue.(type) { | |||
case []string: | |||
groups = rawGroup | |||
default: | |||
str := fmt.Sprintf("%s", rawGroup) | |||
groups = strings.Split(str, ",") | |||
} | |||
return groups | |||
} | |||
func setUserGroupClaims(loginSource *auth.Source, u *user_model.User, gothUser *goth.User) bool { | |||
source := loginSource.Cfg.(*oauth2.Source) | |||
if source.GroupClaimName == "" || (source.AdminGroup == "" && source.RestrictedGroup == "") { | |||
return false | |||
} | |||
groupClaims, has := gothUser.RawData[source.GroupClaimName] | |||
if !has { | |||
return false | |||
} | |||
groups := claimValueToStringSlice(groupClaims) | |||
wasAdmin, wasRestricted := u.IsAdmin, u.IsRestricted | |||
if source.AdminGroup != "" { | |||
u.IsAdmin = false | |||
} | |||
if source.RestrictedGroup != "" { | |||
u.IsRestricted = false | |||
} | |||
for _, g := range groups { | |||
if source.AdminGroup != "" && g == source.AdminGroup { | |||
u.IsAdmin = true | |||
} else if source.RestrictedGroup != "" && g == source.RestrictedGroup { | |||
u.IsRestricted = true | |||
} | |||
} | |||
return wasAdmin != u.IsAdmin || wasRestricted != u.IsRestricted | |||
} | |||
func showLinkingLogin(ctx *context.Context, gothUser goth.User) { | |||
if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil { | |||
ctx.ServerError("RegenerateSession", err) | |||
return | |||
} | |||
if err := ctx.Session.Set("linkAccountGothUser", gothUser); err != nil { | |||
log.Error("Error setting linkAccountGothUser in session: %v", err) | |||
} | |||
if err := ctx.Session.Release(); err != nil { | |||
log.Error("Error storing session: %v", err) | |||
} | |||
ctx.Redirect(setting.AppSubURL + "/user/link_account") | |||
} | |||
func updateAvatarIfNeed(url string, u *user_model.User) { | |||
if setting.OAuth2Client.UpdateAvatar && len(url) > 0 { | |||
resp, err := http.Get(url) | |||
if err == nil { | |||
defer func() { | |||
_ = resp.Body.Close() | |||
}() | |||
} | |||
// ignore any error | |||
if err == nil && resp.StatusCode == http.StatusOK { | |||
data, err := io.ReadAll(io.LimitReader(resp.Body, setting.Avatar.MaxFileSize+1)) | |||
if err == nil && int64(len(data)) <= setting.Avatar.MaxFileSize { | |||
_ = user_service.UploadAvatar(u, data) | |||
} | |||
} | |||
} | |||
} | |||
func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model.User, gothUser goth.User) { | |||
updateAvatarIfNeed(gothUser.AvatarURL, u) | |||
needs2FA := false | |||
if !source.Cfg.(*oauth2.Source).SkipLocalTwoFA { | |||
_, err := auth.GetTwoFactorByUID(u.ID) | |||
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
needs2FA = err == nil | |||
} | |||
// If this user is enrolled in 2FA and this source doesn't override it, | |||
// we can't sign the user in just yet. Instead, redirect them to the 2FA authentication page. | |||
if !needs2FA { | |||
if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil { | |||
ctx.ServerError("RegenerateSession", err) | |||
return | |||
} | |||
if err := ctx.Session.Set("uid", u.ID); err != nil { | |||
log.Error("Error setting uid in session: %v", err) | |||
} | |||
if err := ctx.Session.Set("uname", u.Name); err != nil { | |||
log.Error("Error setting uname in session: %v", err) | |||
} | |||
if err := ctx.Session.Release(); err != nil { | |||
log.Error("Error storing session: %v", err) | |||
} | |||
// Clear whatever CSRF has right now, force to generate a new one | |||
middleware.DeleteCSRFCookie(ctx.Resp) | |||
// Register last login | |||
u.SetLastLogin() | |||
// Update GroupClaims | |||
changed := setUserGroupClaims(source, u, &gothUser) | |||
cols := []string{"last_login_unix"} | |||
if changed { | |||
cols = append(cols, "is_admin", "is_restricted") | |||
} | |||
if err := user_model.UpdateUserCols(db.DefaultContext, u, cols...); err != nil { | |||
ctx.ServerError("UpdateUserCols", err) | |||
return | |||
} | |||
// update external user information | |||
if err := externalaccount.UpdateExternalUser(u, gothUser); err != nil { | |||
log.Error("UpdateExternalUser failed: %v", err) | |||
} | |||
if err := resetLocale(ctx, u); err != nil { | |||
ctx.ServerError("resetLocale", err) | |||
return | |||
} | |||
if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 { | |||
middleware.DeleteRedirectToCookie(ctx.Resp) | |||
ctx.RedirectToFirst(redirectTo) | |||
return | |||
} | |||
ctx.Redirect(setting.AppSubURL + "/") | |||
return | |||
} | |||
changed := setUserGroupClaims(source, u, &gothUser) | |||
if changed { | |||
if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_restricted"); err != nil { | |||
ctx.ServerError("UpdateUserCols", err) | |||
return | |||
} | |||
} | |||
if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil { | |||
ctx.ServerError("RegenerateSession", err) | |||
return | |||
} | |||
// User needs to use 2FA, save data and redirect to 2FA page. | |||
if err := ctx.Session.Set("twofaUid", u.ID); err != nil { | |||
log.Error("Error setting twofaUid in session: %v", err) | |||
} | |||
if err := ctx.Session.Set("twofaRemember", false); err != nil { | |||
log.Error("Error setting twofaRemember in session: %v", err) | |||
} | |||
if err := ctx.Session.Release(); err != nil { | |||
log.Error("Error storing session: %v", err) | |||
} | |||
// If U2F is enrolled -> Redirect to U2F instead | |||
regs, err := auth.GetU2FRegistrationsByUID(u.ID) | |||
if err == nil && len(regs) > 0 { | |||
ctx.Redirect(setting.AppSubURL + "/user/u2f") | |||
return | |||
} | |||
ctx.Redirect(setting.AppSubURL + "/user/two_factor") | |||
} | |||
// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful | |||
// login the user | |||
func oAuth2UserLoginCallback(authSource *auth.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) { | |||
oauth2Source := authSource.Cfg.(*oauth2.Source) | |||
gothUser, err := oauth2Source.Callback(request, response) | |||
if err != nil { | |||
if err.Error() == "securecookie: the value is too long" || strings.Contains(err.Error(), "Data too long") { | |||
log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength) | |||
err = fmt.Errorf("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength) | |||
} | |||
return nil, goth.User{}, err | |||
} | |||
if oauth2Source.RequiredClaimName != "" { | |||
claimInterface, has := gothUser.RawData[oauth2Source.RequiredClaimName] | |||
if !has { | |||
return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID} | |||
} | |||
if oauth2Source.RequiredClaimValue != "" { | |||
groups := claimValueToStringSlice(claimInterface) | |||
found := false | |||
for _, group := range groups { | |||
if group == oauth2Source.RequiredClaimValue { | |||
found = true | |||
break | |||
} | |||
} | |||
if !found { | |||
return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID} | |||
} | |||
} | |||
} | |||
user := &user_model.User{ | |||
LoginName: gothUser.UserID, | |||
LoginType: auth.OAuth2, | |||
LoginSource: authSource.ID, | |||
} | |||
hasUser, err := user_model.GetUser(user) | |||
if err != nil { | |||
return nil, goth.User{}, err | |||
} | |||
if hasUser { | |||
return user, gothUser, nil | |||
} | |||
// search in external linked users | |||
externalLoginUser := &user_model.ExternalLoginUser{ | |||
ExternalID: gothUser.UserID, | |||
LoginSourceID: authSource.ID, | |||
} | |||
hasUser, err = user_model.GetExternalLogin(externalLoginUser) | |||
if err != nil { | |||
return nil, goth.User{}, err | |||
} | |||
if hasUser { | |||
user, err = user_model.GetUserByID(externalLoginUser.UserID) | |||
return user, gothUser, err | |||
} | |||
// no user found to login | |||
return nil, gothUser, nil | |||
} |
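Review bot: `updateAvatarIfNeed` fetches the provider-supplied `gothUser.AvatarURL` with `http.Get`, i.e. `http.DefaultClient` with no timeout, so an unresponsive avatar host can stall the entire sign-in request in `handleOAuth2SignIn`; a client with a deadline, e.g. a package-level `var avatarClient = &http.Client{Timeout: 10 * time.Second}` and `resp, err := avatarClient.Get(url)`, closes that gap (this file does not import `time` yet). The body is already size-capped through `io.LimitReader`, so the remaining exposure is time rather than bytes. Separately, in the no-2FA branch of `handleOAuth2SignIn` the session is regenerated, populated and released before `setUserGroupClaims`/`UpdateUserCols` persist the claim-derived `is_admin`/`is_restricted`, whereas the 2FA branch persists them first; if that update fails, `ServerError` is rendered after the session has already been released, so moving the group-claim update ahead of `RegenerateSession` would make the two branches consistent.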
@@ -2,12 +2,12 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package user | |||
package auth | |||
import ( | |||
"testing" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/unittest" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/services/auth/source/oauth2" | |||
@@ -16,7 +16,7 @@ import ( | |||
"github.com/stretchr/testify/assert" | |||
) | |||
func createAndParseToken(t *testing.T, grant *login.OAuth2Grant) *oauth2.OIDCToken { | |||
func createAndParseToken(t *testing.T, grant *auth.OAuth2Grant) *oauth2.OIDCToken { | |||
signingKey, err := oauth2.CreateJWTSigningKey("HS256", make([]byte, 32)) | |||
assert.NoError(t, err) | |||
assert.NotNil(t, signingKey) | |||
@@ -43,7 +43,7 @@ func createAndParseToken(t *testing.T, grant *login.OAuth2Grant) *oauth2.OIDCTok | |||
func TestNewAccessTokenResponse_OIDCToken(t *testing.T) { | |||
assert.NoError(t, unittest.PrepareTestDatabase()) | |||
grants, err := login.GetOAuth2GrantsByUserID(3) | |||
grants, err := auth.GetOAuth2GrantsByUserID(3) | |||
assert.NoError(t, err) | |||
assert.Len(t, grants, 1) | |||
@@ -59,7 +59,7 @@ func TestNewAccessTokenResponse_OIDCToken(t *testing.T) { | |||
assert.False(t, oidcToken.EmailVerified) | |||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}).(*user_model.User) | |||
grants, err = login.GetOAuth2GrantsByUserID(user.ID) | |||
grants, err = auth.GetOAuth2GrantsByUserID(user.ID) | |||
assert.NoError(t, err) | |||
assert.Len(t, grants, 1) | |||
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package user | |||
package auth | |||
import ( | |||
"fmt" |
@@ -0,0 +1,346 @@ | |||
// Copyright 2019 The Gitea Authors. All rights reserved. | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package auth | |||
import ( | |||
"errors" | |||
"net/http" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/password" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/timeutil" | |||
"code.gitea.io/gitea/modules/web" | |||
"code.gitea.io/gitea/modules/web/middleware" | |||
"code.gitea.io/gitea/routers/utils" | |||
"code.gitea.io/gitea/services/forms" | |||
"code.gitea.io/gitea/services/mailer" | |||
) | |||
var ( | |||
// tplMustChangePassword template for updating a user's password | |||
tplMustChangePassword base.TplName = "user/auth/change_passwd" | |||
tplForgotPassword base.TplName = "user/auth/forgot_passwd" | |||
tplResetPassword base.TplName = "user/auth/reset_passwd" | |||
) | |||
// ForgotPasswd render the forget password page | |||
func ForgotPasswd(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title") | |||
if setting.MailService == nil { | |||
log.Warn(ctx.Tr("auth.disable_forgot_password_mail_admin")) | |||
ctx.Data["IsResetDisable"] = true | |||
ctx.HTML(http.StatusOK, tplForgotPassword) | |||
return | |||
} | |||
ctx.Data["Email"] = ctx.FormString("email") | |||
ctx.Data["IsResetRequest"] = true | |||
ctx.HTML(http.StatusOK, tplForgotPassword) | |||
} | |||
// ForgotPasswdPost response for forget password request | |||
func ForgotPasswdPost(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title") | |||
if setting.MailService == nil { | |||
ctx.NotFound("ForgotPasswdPost", nil) | |||
return | |||
} | |||
ctx.Data["IsResetRequest"] = true | |||
email := ctx.FormString("email") | |||
ctx.Data["Email"] = email | |||
u, err := user_model.GetUserByEmail(email) | |||
if err != nil { | |||
if user_model.IsErrUserNotExist(err) { | |||
ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language()) | |||
ctx.Data["IsResetSent"] = true | |||
ctx.HTML(http.StatusOK, tplForgotPassword) | |||
return | |||
} | |||
ctx.ServerError("user.ResetPasswd(check existence)", err) | |||
return | |||
} | |||
if !u.IsLocal() && !u.IsOAuth2() { | |||
ctx.Data["Err_Email"] = true | |||
ctx.RenderWithErr(ctx.Tr("auth.non_local_account"), tplForgotPassword, nil) | |||
return | |||
} | |||
if ctx.Cache.IsExist("MailResendLimit_" + u.LowerName) { | |||
ctx.Data["ResendLimited"] = true | |||
ctx.HTML(http.StatusOK, tplForgotPassword) | |||
return | |||
} | |||
mailer.SendResetPasswordMail(u) | |||
if err = ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil { | |||
log.Error("Set cache(MailResendLimit) fail: %v", err) | |||
} | |||
ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language()) | |||
ctx.Data["IsResetSent"] = true | |||
ctx.HTML(http.StatusOK, tplForgotPassword) | |||
} | |||
func commonResetPassword(ctx *context.Context) (*user_model.User, *auth.TwoFactor) { | |||
code := ctx.FormString("code") | |||
ctx.Data["Title"] = ctx.Tr("auth.reset_password") | |||
ctx.Data["Code"] = code | |||
if nil != ctx.User { | |||
ctx.Data["user_signed_in"] = true | |||
} | |||
if len(code) == 0 { | |||
ctx.Flash.Error(ctx.Tr("auth.invalid_code")) | |||
return nil, nil | |||
} | |||
// Fail early, don't frustrate the user | |||
u := user_model.VerifyUserActiveCode(code) | |||
if u == nil { | |||
ctx.Flash.Error(ctx.Tr("auth.invalid_code")) | |||
return nil, nil | |||
} | |||
twofa, err := auth.GetTwoFactorByUID(u.ID) | |||
if err != nil { | |||
if !auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.Error(http.StatusInternalServerError, "CommonResetPassword", err.Error()) | |||
return nil, nil | |||
} | |||
} else { | |||
ctx.Data["has_two_factor"] = true | |||
ctx.Data["scratch_code"] = ctx.FormBool("scratch_code") | |||
} | |||
// Show the user that they are affecting the account that they intended to | |||
ctx.Data["user_email"] = u.Email | |||
if nil != ctx.User && u.ID != ctx.User.ID { | |||
ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email)) | |||
return nil, nil | |||
} | |||
return u, twofa | |||
} | |||
// ResetPasswd render the account recovery page | |||
func ResetPasswd(ctx *context.Context) { | |||
ctx.Data["IsResetForm"] = true | |||
commonResetPassword(ctx) | |||
if ctx.Written() { | |||
return | |||
} | |||
ctx.HTML(http.StatusOK, tplResetPassword) | |||
} | |||
// ResetPasswdPost response from account recovery request | |||
func ResetPasswdPost(ctx *context.Context) { | |||
u, twofa := commonResetPassword(ctx) | |||
if ctx.Written() { | |||
return | |||
} | |||
if u == nil { | |||
// Flash error has been set | |||
ctx.HTML(http.StatusOK, tplResetPassword) | |||
return | |||
} | |||
// Validate password length. | |||
passwd := ctx.FormString("password") | |||
if len(passwd) < setting.MinPasswordLength { | |||
ctx.Data["IsResetForm"] = true | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplResetPassword, nil) | |||
return | |||
} else if !password.IsComplexEnough(passwd) { | |||
ctx.Data["IsResetForm"] = true | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(password.BuildComplexityError(ctx), tplResetPassword, nil) | |||
return | |||
} else if pwned, err := password.IsPwned(ctx, passwd); pwned || err != nil { | |||
errMsg := ctx.Tr("auth.password_pwned") | |||
if err != nil { | |||
log.Error(err.Error()) | |||
errMsg = ctx.Tr("auth.password_pwned_err") | |||
} | |||
ctx.Data["IsResetForm"] = true | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(errMsg, tplResetPassword, nil) | |||
return | |||
} | |||
// Handle two-factor | |||
regenerateScratchToken := false | |||
if twofa != nil { | |||
if ctx.FormBool("scratch_code") { | |||
if !twofa.VerifyScratchToken(ctx.FormString("token")) { | |||
ctx.Data["IsResetForm"] = true | |||
ctx.Data["Err_Token"] = true | |||
ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplResetPassword, nil) | |||
return | |||
} | |||
regenerateScratchToken = true | |||
} else { | |||
passcode := ctx.FormString("passcode") | |||
ok, err := twofa.ValidateTOTP(passcode) | |||
if err != nil { | |||
ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err.Error()) | |||
return | |||
} | |||
if !ok || twofa.LastUsedPasscode == passcode { | |||
ctx.Data["IsResetForm"] = true | |||
ctx.Data["Err_Passcode"] = true | |||
ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplResetPassword, nil) | |||
return | |||
} | |||
twofa.LastUsedPasscode = passcode | |||
if err = auth.UpdateTwoFactor(twofa); err != nil { | |||
ctx.ServerError("ResetPasswdPost: UpdateTwoFactor", err) | |||
return | |||
} | |||
} | |||
} | |||
var err error | |||
if u.Rands, err = user_model.GetUserSalt(); err != nil { | |||
ctx.ServerError("UpdateUser", err) | |||
return | |||
} | |||
if err = u.SetPassword(passwd); err != nil { | |||
ctx.ServerError("UpdateUser", err) | |||
return | |||
} | |||
u.MustChangePassword = false | |||
if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "rands", "salt"); err != nil { | |||
ctx.ServerError("UpdateUser", err) | |||
return | |||
} | |||
log.Trace("User password reset: %s", u.Name) | |||
ctx.Data["IsResetFailed"] = true | |||
remember := len(ctx.FormString("remember")) != 0 | |||
if regenerateScratchToken { | |||
// Invalidate the scratch token. | |||
_, err = twofa.GenerateScratchToken() | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if err = auth.UpdateTwoFactor(twofa); err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
handleSignInFull(ctx, u, remember, false) | |||
if ctx.Written() { | |||
return | |||
} | |||
ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used")) | |||
ctx.Redirect(setting.AppSubURL + "/user/settings/security") | |||
return | |||
} | |||
handleSignIn(ctx, u, remember) | |||
} | |||
// MustChangePassword renders the page to change a user's password | |||
func MustChangePassword(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("auth.must_change_password") | |||
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password" | |||
ctx.Data["MustChangePassword"] = true | |||
ctx.HTML(http.StatusOK, tplMustChangePassword) | |||
} | |||
// MustChangePasswordPost response for updating a user's password after his/her | |||
// account was created by an admin | |||
func MustChangePasswordPost(ctx *context.Context) { | |||
form := web.GetForm(ctx).(*forms.MustChangePasswordForm) | |||
ctx.Data["Title"] = ctx.Tr("auth.must_change_password") | |||
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password" | |||
if ctx.HasError() { | |||
ctx.HTML(http.StatusOK, tplMustChangePassword) | |||
return | |||
} | |||
u := ctx.User | |||
// Make sure only requests for users who are eligible to change their password via | |||
// this method passes through | |||
if !u.MustChangePassword { | |||
ctx.ServerError("MustUpdatePassword", errors.New("cannot update password.. Please visit the settings page")) | |||
return | |||
} | |||
if form.Password != form.Retype { | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplMustChangePassword, &form) | |||
return | |||
} | |||
if len(form.Password) < setting.MinPasswordLength { | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form) | |||
return | |||
} | |||
if !password.IsComplexEnough(form.Password) { | |||
ctx.Data["Err_Password"] = true | |||
ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form) | |||
return | |||
} | |||
pwned, err := password.IsPwned(ctx, form.Password) | |||
if pwned { | |||
ctx.Data["Err_Password"] = true | |||
errMsg := ctx.Tr("auth.password_pwned") | |||
if err != nil { | |||
log.Error(err.Error()) | |||
errMsg = ctx.Tr("auth.password_pwned_err") | |||
} | |||
ctx.RenderWithErr(errMsg, tplMustChangePassword, &form) | |||
return | |||
} | |||
if err = u.SetPassword(form.Password); err != nil { | |||
ctx.ServerError("UpdateUser", err) | |||
return | |||
} | |||
u.MustChangePassword = false | |||
if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "salt"); err != nil { | |||
ctx.ServerError("UpdateUser", err) | |||
return | |||
} | |||
ctx.Flash.Success(ctx.Tr("settings.change_password_success")) | |||
log.Trace("User updated password: %s", u.Name) | |||
if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) { | |||
middleware.DeleteRedirectToCookie(ctx.Resp) | |||
ctx.RedirectToFirst(redirectTo) | |||
return | |||
} | |||
ctx.Redirect(setting.AppSubURL + "/") | |||
} |
@@ -0,0 +1,136 @@ | |||
// Copyright 2017 The Gitea Authors. All rights reserved. | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package auth | |||
import ( | |||
"errors" | |||
"net/http" | |||
"code.gitea.io/gitea/models/auth" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/web" | |||
"code.gitea.io/gitea/services/externalaccount" | |||
"github.com/tstranex/u2f" | |||
) | |||
var tplU2F base.TplName = "user/auth/u2f" | |||
// U2F shows the U2F login page | |||
func U2F(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("twofa") | |||
ctx.Data["RequireU2F"] = true | |||
// Check auto-login. | |||
if checkAutoLogin(ctx) { | |||
return | |||
} | |||
// Ensure user is in a 2FA session. | |||
if ctx.Session.Get("twofaUid") == nil { | |||
ctx.ServerError("UserSignIn", errors.New("not in U2F session")) | |||
return | |||
} | |||
// See whether TOTP is also available. | |||
if ctx.Session.Get("totpEnrolled") != nil { | |||
ctx.Data["TOTPEnrolled"] = true | |||
} | |||
ctx.HTML(http.StatusOK, tplU2F) | |||
} | |||
// U2FChallenge submits a sign challenge to the browser | |||
func U2FChallenge(ctx *context.Context) { | |||
// Ensure user is in a U2F session. | |||
idSess := ctx.Session.Get("twofaUid") | |||
if idSess == nil { | |||
ctx.ServerError("UserSignIn", errors.New("not in U2F session")) | |||
return | |||
} | |||
id := idSess.(int64) | |||
regs, err := auth.GetU2FRegistrationsByUID(id) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if len(regs) == 0 { | |||
ctx.ServerError("UserSignIn", errors.New("no device registered")) | |||
return | |||
} | |||
challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets) | |||
if err != nil { | |||
ctx.ServerError("u2f.NewChallenge", err) | |||
return | |||
} | |||
if err := ctx.Session.Set("u2fChallenge", challenge); err != nil { | |||
ctx.ServerError("UserSignIn: unable to set u2fChallenge in session", err) | |||
return | |||
} | |||
if err := ctx.Session.Release(); err != nil { | |||
ctx.ServerError("UserSignIn: unable to store session", err) | |||
} | |||
ctx.JSON(http.StatusOK, challenge.SignRequest(regs.ToRegistrations())) | |||
} | |||
// U2FSign authenticates the user by signResp | |||
func U2FSign(ctx *context.Context) { | |||
signResp := web.GetForm(ctx).(*u2f.SignResponse) | |||
challSess := ctx.Session.Get("u2fChallenge") | |||
idSess := ctx.Session.Get("twofaUid") | |||
if challSess == nil || idSess == nil { | |||
ctx.ServerError("UserSignIn", errors.New("not in U2F session")) | |||
return | |||
} | |||
challenge := challSess.(*u2f.Challenge) | |||
id := idSess.(int64) | |||
regs, err := auth.GetU2FRegistrationsByUID(id) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
for _, reg := range regs { | |||
r, err := reg.Parse() | |||
if err != nil { | |||
log.Error("parsing u2f registration: %v", err) | |||
continue | |||
} | |||
newCounter, authErr := r.Authenticate(*signResp, *challenge, reg.Counter) | |||
if authErr == nil { | |||
reg.Counter = newCounter | |||
user, err := user_model.GetUserByID(id) | |||
if err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
remember := ctx.Session.Get("twofaRemember").(bool) | |||
if err := reg.UpdateCounter(); err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
if ctx.Session.Get("linkAccount") != nil { | |||
if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil { | |||
ctx.ServerError("UserSignIn", err) | |||
return | |||
} | |||
} | |||
redirect := handleSignInFull(ctx, user, remember, false) | |||
if ctx.Written() { | |||
return | |||
} | |||
if redirect == "" { | |||
redirect = setting.AppSubURL + "/" | |||
} | |||
ctx.PlainText(http.StatusOK, redirect) | |||
return | |||
} | |||
} | |||
ctx.Error(http.StatusUnauthorized) | |||
} |
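Review bot: U2FSign and U2FChallenge use unchecked type assertions on session values — `idSess.(int64)`, `challSess.(*u2f.Challenge)` and especially `ctx.Session.Get("twofaRemember").(bool)` — so a session that lacks the key or holds a different type panics the handler instead of failing the sign-in cleanly; `remember, _ := ctx.Session.Get("twofaRemember").(bool)` (or a checked assertion with a ServerError) keeps the handler on the normal error path. In U2FChallenge the `ctx.Session.Release()` failure branch calls ctx.ServerError but does not `return`, so the JSON sign request is still written after an error response has started; add `return` inside that `if`. These defects appear to have been moved here from the previous location rather than introduced by this commit, but since the file is new to this package it is a convenient place to fix them.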
@@ -17,7 +17,7 @@ import ( | |||
"code.gitea.io/gitea/modules/json" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/routers/web/user" | |||
"code.gitea.io/gitea/routers/web/auth" | |||
) | |||
// Events listens for events | |||
@@ -133,7 +133,7 @@ loop: | |||
}).WriteTo(ctx.Resp) | |||
ctx.Resp.Flush() | |||
go unregister() | |||
user.HandleSignOut(ctx) | |||
auth.HandleSignOut(ctx) | |||
break loop | |||
} | |||
// Replace the event - we don't want to expose the session ID to the user |
@@ -13,6 +13,7 @@ import ( | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
"code.gitea.io/gitea/modules/web/middleware" | |||
"code.gitea.io/gitea/routers/web/auth" | |||
"code.gitea.io/gitea/routers/web/user" | |||
) | |||
@@ -26,7 +27,7 @@ func Home(ctx *context.Context) { | |||
if ctx.IsSigned { | |||
if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm { | |||
ctx.Data["Title"] = ctx.Tr("auth.active_your_account") | |||
ctx.HTML(http.StatusOK, user.TplActivate) | |||
ctx.HTML(http.StatusOK, auth.TplActivate) | |||
} else if !ctx.User.IsActive || ctx.User.ProhibitLogin { | |||
log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr()) | |||
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login") |
@@ -20,8 +20,8 @@ import ( | |||
"time" | |||
"code.gitea.io/gitea/models" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/perm" | |||
repo_model "code.gitea.io/gitea/models/repo" | |||
"code.gitea.io/gitea/models/unit" | |||
@@ -179,12 +179,12 @@ func httpBase(ctx *context.Context) (h *serviceHandler) { | |||
} | |||
if ctx.IsBasicAuth && ctx.Data["IsApiToken"] != true { | |||
_, err = login.GetTwoFactorByUID(ctx.User.ID) | |||
_, err = auth.GetTwoFactorByUID(ctx.User.ID) | |||
if err == nil { | |||
// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented | |||
ctx.PlainText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page") | |||
return | |||
} else if !login.IsErrTwoFactorNotEnrolled(err) { | |||
} else if !auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.ServerError("IsErrTwoFactorNotEnrolled", err) | |||
return | |||
} |
@@ -9,7 +9,7 @@ import ( | |||
"net/http" | |||
"code.gitea.io/gitea/models" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/setting" | |||
@@ -93,12 +93,12 @@ func loadApplicationsData(ctx *context.Context) { | |||
ctx.Data["Tokens"] = tokens | |||
ctx.Data["EnableOAuth2"] = setting.OAuth2.Enable | |||
if setting.OAuth2.Enable { | |||
ctx.Data["Applications"], err = login.GetOAuth2ApplicationsByUserID(ctx.User.ID) | |||
ctx.Data["Applications"], err = auth.GetOAuth2ApplicationsByUserID(ctx.User.ID) | |||
if err != nil { | |||
ctx.ServerError("GetOAuth2ApplicationsByUserID", err) | |||
return | |||
} | |||
ctx.Data["Grants"], err = login.GetOAuth2GrantsByUserID(ctx.User.ID) | |||
ctx.Data["Grants"], err = auth.GetOAuth2GrantsByUserID(ctx.User.ID) | |||
if err != nil { | |||
ctx.ServerError("GetOAuth2GrantsByUserID", err) | |||
return |
@@ -216,7 +216,6 @@ func KeysPost(ctx *context.Context) { | |||
// DeleteKey response for delete user's SSH/GPG key | |||
func DeleteKey(ctx *context.Context) { | |||
switch ctx.FormString("type") { | |||
case "gpg": | |||
if err := asymkey_model.DeleteGPGKey(ctx.User, ctx.FormInt64("id")); err != nil { |
@@ -8,7 +8,7 @@ import ( | |||
"fmt" | |||
"net/http" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/log" | |||
@@ -34,7 +34,7 @@ func OAuthApplicationsPost(ctx *context.Context) { | |||
return | |||
} | |||
// TODO validate redirect URI | |||
app, err := login.CreateOAuth2Application(login.CreateOAuth2ApplicationOptions{ | |||
app, err := auth.CreateOAuth2Application(auth.CreateOAuth2ApplicationOptions{ | |||
Name: form.Name, | |||
RedirectURIs: []string{form.RedirectURI}, | |||
UserID: ctx.User.ID, | |||
@@ -67,7 +67,7 @@ func OAuthApplicationsEdit(ctx *context.Context) { | |||
} | |||
// TODO validate redirect URI | |||
var err error | |||
if ctx.Data["App"], err = login.UpdateOAuth2Application(login.UpdateOAuth2ApplicationOptions{ | |||
if ctx.Data["App"], err = auth.UpdateOAuth2Application(auth.UpdateOAuth2ApplicationOptions{ | |||
ID: ctx.ParamsInt64("id"), | |||
Name: form.Name, | |||
RedirectURIs: []string{form.RedirectURI}, | |||
@@ -85,9 +85,9 @@ func OAuthApplicationsRegenerateSecret(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("settings") | |||
ctx.Data["PageIsSettingsApplications"] = true | |||
app, err := login.GetOAuth2ApplicationByID(ctx.ParamsInt64("id")) | |||
app, err := auth.GetOAuth2ApplicationByID(ctx.ParamsInt64("id")) | |||
if err != nil { | |||
if login.IsErrOAuthApplicationNotFound(err) { | |||
if auth.IsErrOAuthApplicationNotFound(err) { | |||
ctx.NotFound("Application not found", err) | |||
return | |||
} | |||
@@ -110,9 +110,9 @@ func OAuthApplicationsRegenerateSecret(ctx *context.Context) { | |||
// OAuth2ApplicationShow displays the given application | |||
func OAuth2ApplicationShow(ctx *context.Context) { | |||
app, err := login.GetOAuth2ApplicationByID(ctx.ParamsInt64("id")) | |||
app, err := auth.GetOAuth2ApplicationByID(ctx.ParamsInt64("id")) | |||
if err != nil { | |||
if login.IsErrOAuthApplicationNotFound(err) { | |||
if auth.IsErrOAuthApplicationNotFound(err) { | |||
ctx.NotFound("Application not found", err) | |||
return | |||
} | |||
@@ -129,7 +129,7 @@ func OAuth2ApplicationShow(ctx *context.Context) { | |||
// DeleteOAuth2Application deletes the given oauth2 application | |||
func DeleteOAuth2Application(ctx *context.Context) { | |||
if err := login.DeleteOAuth2Application(ctx.FormInt64("id"), ctx.User.ID); err != nil { | |||
if err := auth.DeleteOAuth2Application(ctx.FormInt64("id"), ctx.User.ID); err != nil { | |||
ctx.ServerError("DeleteOAuth2Application", err) | |||
return | |||
} | |||
@@ -147,7 +147,7 @@ func RevokeOAuth2Grant(ctx *context.Context) { | |||
ctx.ServerError("RevokeOAuth2Grant", fmt.Errorf("user id or grant id is zero")) | |||
return | |||
} | |||
if err := login.RevokeOAuth2Grant(ctx.FormInt64("id"), ctx.User.ID); err != nil { | |||
if err := auth.RevokeOAuth2Grant(ctx.FormInt64("id"), ctx.User.ID); err != nil { | |||
ctx.ServerError("RevokeOAuth2Grant", err) | |||
return | |||
} |
@@ -3,7 +3,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package setting | |||
package security | |||
import ( | |||
"bytes" | |||
@@ -13,7 +13,7 @@ import ( | |||
"net/http" | |||
"strings" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
@@ -29,9 +29,9 @@ func RegenerateScratchTwoFactor(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("settings") | |||
ctx.Data["PageIsSettingsSecurity"] = true | |||
t, err := login.GetTwoFactorByUID(ctx.User.ID) | |||
t, err := auth.GetTwoFactorByUID(ctx.User.ID) | |||
if err != nil { | |||
if login.IsErrTwoFactorNotEnrolled(err) { | |||
if auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.Flash.Error(ctx.Tr("settings.twofa_not_enrolled")) | |||
ctx.Redirect(setting.AppSubURL + "/user/settings/security") | |||
} | |||
@@ -45,7 +45,7 @@ func RegenerateScratchTwoFactor(ctx *context.Context) { | |||
return | |||
} | |||
if err = login.UpdateTwoFactor(t); err != nil { | |||
if err = auth.UpdateTwoFactor(t); err != nil { | |||
ctx.ServerError("SettingsTwoFactor: Failed to UpdateTwoFactor", err) | |||
return | |||
} | |||
@@ -59,9 +59,9 @@ func DisableTwoFactor(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("settings") | |||
ctx.Data["PageIsSettingsSecurity"] = true | |||
t, err := login.GetTwoFactorByUID(ctx.User.ID) | |||
t, err := auth.GetTwoFactorByUID(ctx.User.ID) | |||
if err != nil { | |||
if login.IsErrTwoFactorNotEnrolled(err) { | |||
if auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.Flash.Error(ctx.Tr("settings.twofa_not_enrolled")) | |||
ctx.Redirect(setting.AppSubURL + "/user/settings/security") | |||
} | |||
@@ -69,8 +69,8 @@ func DisableTwoFactor(ctx *context.Context) { | |||
return | |||
} | |||
if err = login.DeleteTwoFactorByID(t.ID, ctx.User.ID); err != nil { | |||
if login.IsErrTwoFactorNotEnrolled(err) { | |||
if err = auth.DeleteTwoFactorByID(t.ID, ctx.User.ID); err != nil { | |||
if auth.IsErrTwoFactorNotEnrolled(err) { | |||
// There is a potential DB race here - we must have been disabled by another request in the intervening period | |||
ctx.Flash.Success(ctx.Tr("settings.twofa_disabled")) | |||
ctx.Redirect(setting.AppSubURL + "/user/settings/security") | |||
@@ -146,7 +146,7 @@ func EnrollTwoFactor(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("settings") | |||
ctx.Data["PageIsSettingsSecurity"] = true | |||
t, err := login.GetTwoFactorByUID(ctx.User.ID) | |||
t, err := auth.GetTwoFactorByUID(ctx.User.ID) | |||
if t != nil { | |||
// already enrolled - we should redirect back! | |||
log.Warn("Trying to re-enroll %-v in twofa when already enrolled", ctx.User) | |||
@@ -154,7 +154,7 @@ func EnrollTwoFactor(ctx *context.Context) { | |||
ctx.Redirect(setting.AppSubURL + "/user/settings/security") | |||
return | |||
} | |||
if err != nil && !login.IsErrTwoFactorNotEnrolled(err) { | |||
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.ServerError("SettingsTwoFactor: GetTwoFactorByUID", err) | |||
return | |||
} | |||
@@ -172,14 +172,14 @@ func EnrollTwoFactorPost(ctx *context.Context) { | |||
ctx.Data["Title"] = ctx.Tr("settings") | |||
ctx.Data["PageIsSettingsSecurity"] = true | |||
t, err := login.GetTwoFactorByUID(ctx.User.ID) | |||
t, err := auth.GetTwoFactorByUID(ctx.User.ID) | |||
if t != nil { | |||
// already enrolled | |||
ctx.Flash.Error(ctx.Tr("settings.twofa_is_enrolled")) | |||
ctx.Redirect(setting.AppSubURL + "/user/settings/security") | |||
return | |||
} | |||
if err != nil && !login.IsErrTwoFactorNotEnrolled(err) { | |||
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) { | |||
ctx.ServerError("SettingsTwoFactor: Failed to check if already enrolled with GetTwoFactorByUID", err) | |||
return | |||
} | |||
@@ -209,7 +209,7 @@ func EnrollTwoFactorPost(ctx *context.Context) { | |||
return | |||
} | |||
t = &login.TwoFactor{ | |||
t = &auth.TwoFactor{ | |||
UID: ctx.User.ID, | |||
} | |||
err = t.SetSecret(secret) | |||
@@ -238,7 +238,7 @@ func EnrollTwoFactorPost(ctx *context.Context) { | |||
log.Error("Unable to save changes to the session: %v", err) | |||
} | |||
if err = login.NewTwoFactor(t); err != nil { | |||
if err = auth.NewTwoFactor(t); err != nil { | |||
// FIXME: We need to handle a unique constraint fail here it's entirely possible that another request has beaten us. | |||
// If there is a unique constraint fail we should just tolerate the error | |||
ctx.ServerError("SettingsTwoFactor: Failed to save two factor", err) |
@@ -2,7 +2,7 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package setting | |||
package security | |||
import ( | |||
"net/http" |
@@ -3,13 +3,13 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package setting | |||
package security | |||
import ( | |||
"net/http" | |||
"code.gitea.io/gitea/models" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/context" | |||
@@ -17,8 +17,8 @@ import ( | |||
) | |||
const ( | |||
tplSettingsSecurity base.TplName = "user/settings/security" | |||
tplSettingsTwofaEnroll base.TplName = "user/settings/twofa_enroll" | |||
tplSettingsSecurity base.TplName = "user/settings/security/security" | |||
tplSettingsTwofaEnroll base.TplName = "user/settings/security/twofa_enroll" | |||
) | |||
// Security render change user's password page and 2FA | |||
@@ -56,14 +56,14 @@ func DeleteAccountLink(ctx *context.Context) { | |||
} | |||
func loadSecurityData(ctx *context.Context) { | |||
enrolled, err := login.HasTwoFactorByUID(ctx.User.ID) | |||
enrolled, err := auth.HasTwoFactorByUID(ctx.User.ID) | |||
if err != nil { | |||
ctx.ServerError("SettingsTwoFactor", err) | |||
return | |||
} | |||
ctx.Data["TOTPEnrolled"] = enrolled | |||
ctx.Data["U2FRegistrations"], err = login.GetU2FRegistrationsByUID(ctx.User.ID) | |||
ctx.Data["U2FRegistrations"], err = auth.GetU2FRegistrationsByUID(ctx.User.ID) | |||
if err != nil { | |||
ctx.ServerError("GetU2FRegistrationsByUID", err) | |||
return | |||
@@ -82,10 +82,10 @@ func loadSecurityData(ctx *context.Context) { | |||
return | |||
} | |||
// map the provider display name with the LoginSource | |||
sources := make(map[*login.Source]string) | |||
// map the provider display name with the AuthSource | |||
sources := make(map[*auth.Source]string) | |||
for _, externalAccount := range accountLinks { | |||
if loginSource, err := login.GetSourceByID(externalAccount.LoginSourceID); err == nil { | |||
if authSource, err := auth.GetSourceByID(externalAccount.LoginSourceID); err == nil { | |||
var providerDisplayName string | |||
type DisplayNamed interface { | |||
@@ -96,14 +96,14 @@ func loadSecurityData(ctx *context.Context) { | |||
Name() string | |||
} | |||
if displayNamed, ok := loginSource.Cfg.(DisplayNamed); ok { | |||
if displayNamed, ok := authSource.Cfg.(DisplayNamed); ok { | |||
providerDisplayName = displayNamed.DisplayName() | |||
} else if named, ok := loginSource.Cfg.(Named); ok { | |||
} else if named, ok := authSource.Cfg.(Named); ok { | |||
providerDisplayName = named.Name() | |||
} else { | |||
providerDisplayName = loginSource.Name | |||
providerDisplayName = authSource.Name | |||
} | |||
sources[loginSource] = providerDisplayName | |||
sources[authSource] = providerDisplayName | |||
} | |||
} | |||
ctx.Data["AccountLinks"] = sources |
@@ -2,13 +2,13 @@ | |||
// Use of this source code is governed by a MIT-style | |||
// license that can be found in the LICENSE file. | |||
package setting | |||
package security | |||
import ( | |||
"errors" | |||
"net/http" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/context" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
@@ -34,7 +34,7 @@ func U2FRegister(ctx *context.Context) { | |||
ctx.ServerError("Unable to set session key for u2fChallenge", err) | |||
return | |||
} | |||
regs, err := login.GetU2FRegistrationsByUID(ctx.User.ID) | |||
regs, err := auth.GetU2FRegistrationsByUID(ctx.User.ID) | |||
if err != nil { | |||
ctx.ServerError("GetU2FRegistrationsByUID", err) | |||
return | |||
@@ -78,7 +78,7 @@ func U2FRegisterPost(ctx *context.Context) { | |||
ctx.ServerError("u2f.Register", err) | |||
return | |||
} | |||
if _, err = login.CreateRegistration(ctx.User.ID, name, reg); err != nil { | |||
if _, err = auth.CreateRegistration(ctx.User.ID, name, reg); err != nil { | |||
ctx.ServerError("u2f.Register", err) | |||
return | |||
} | |||
@@ -88,9 +88,9 @@ func U2FRegisterPost(ctx *context.Context) { | |||
// U2FDelete deletes an security key by id | |||
func U2FDelete(ctx *context.Context) { | |||
form := web.GetForm(ctx).(*forms.U2FDeleteForm) | |||
reg, err := login.GetU2FRegistrationByID(form.ID) | |||
reg, err := auth.GetU2FRegistrationByID(form.ID) | |||
if err != nil { | |||
if login.IsErrU2FRegistrationNotExist(err) { | |||
if auth.IsErrU2FRegistrationNotExist(err) { | |||
ctx.Status(200) | |||
return | |||
} | |||
@@ -101,7 +101,7 @@ func U2FDelete(ctx *context.Context) { | |||
ctx.Status(401) | |||
return | |||
} | |||
if err := login.DeleteRegistration(reg); err != nil { | |||
if err := auth.DeleteRegistration(reg); err != nil { | |||
ctx.ServerError("DeleteRegistration", err) | |||
return | |||
} |
@@ -24,14 +24,16 @@ import ( | |||
"code.gitea.io/gitea/modules/web" | |||
"code.gitea.io/gitea/routers/api/v1/misc" | |||
"code.gitea.io/gitea/routers/web/admin" | |||
"code.gitea.io/gitea/routers/web/auth" | |||
"code.gitea.io/gitea/routers/web/dev" | |||
"code.gitea.io/gitea/routers/web/events" | |||
"code.gitea.io/gitea/routers/web/explore" | |||
"code.gitea.io/gitea/routers/web/org" | |||
"code.gitea.io/gitea/routers/web/repo" | |||
"code.gitea.io/gitea/routers/web/user" | |||
userSetting "code.gitea.io/gitea/routers/web/user/setting" | |||
"code.gitea.io/gitea/services/auth" | |||
user_setting "code.gitea.io/gitea/routers/web/user/setting" | |||
"code.gitea.io/gitea/routers/web/user/setting/security" | |||
auth_service "code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/forms" | |||
"code.gitea.io/gitea/services/lfs" | |||
"code.gitea.io/gitea/services/mailer" | |||
@@ -154,7 +156,7 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route { | |||
common = append(common, context.Contexter()) | |||
// Get user from session if logged in. | |||
common = append(common, context.Auth(auth.NewGroup(auth.Methods()...))) | |||
common = append(common, context.Auth(auth_service.NewGroup(auth_service.Methods()...))) | |||
// GetHead allows a HEAD request redirect to GET if HEAD method is not defined for that route | |||
common = append(common, middleware.GetHead) | |||
@@ -233,7 +235,7 @@ func RegisterRoutes(m *web.Route) { | |||
// for health check | |||
m.Get("/", Home) | |||
m.Group("/.well-known", func() { | |||
m.Get("/openid-configuration", user.OIDCWellKnown) | |||
m.Get("/openid-configuration", auth.OIDCWellKnown) | |||
if setting.Federation.Enabled { | |||
m.Get("/nodeinfo", NodeInfoLinks) | |||
} | |||
@@ -257,42 +259,42 @@ func RegisterRoutes(m *web.Route) { | |||
// ***** START: User ***** | |||
m.Group("/user", func() { | |||
m.Get("/login", user.SignIn) | |||
m.Post("/login", bindIgnErr(forms.SignInForm{}), user.SignInPost) | |||
m.Get("/login", auth.SignIn) | |||
m.Post("/login", bindIgnErr(forms.SignInForm{}), auth.SignInPost) | |||
m.Group("", func() { | |||
m.Combo("/login/openid"). | |||
Get(user.SignInOpenID). | |||
Post(bindIgnErr(forms.SignInOpenIDForm{}), user.SignInOpenIDPost) | |||
Get(auth.SignInOpenID). | |||
Post(bindIgnErr(forms.SignInOpenIDForm{}), auth.SignInOpenIDPost) | |||
}, openIDSignInEnabled) | |||
m.Group("/openid", func() { | |||
m.Combo("/connect"). | |||
Get(user.ConnectOpenID). | |||
Post(bindIgnErr(forms.ConnectOpenIDForm{}), user.ConnectOpenIDPost) | |||
Get(auth.ConnectOpenID). | |||
Post(bindIgnErr(forms.ConnectOpenIDForm{}), auth.ConnectOpenIDPost) | |||
m.Group("/register", func() { | |||
m.Combo(""). | |||
Get(user.RegisterOpenID, openIDSignUpEnabled). | |||
Post(bindIgnErr(forms.SignUpOpenIDForm{}), user.RegisterOpenIDPost) | |||
Get(auth.RegisterOpenID, openIDSignUpEnabled). | |||
Post(bindIgnErr(forms.SignUpOpenIDForm{}), auth.RegisterOpenIDPost) | |||
}, openIDSignUpEnabled) | |||
}, openIDSignInEnabled) | |||
m.Get("/sign_up", user.SignUp) | |||
m.Post("/sign_up", bindIgnErr(forms.RegisterForm{}), user.SignUpPost) | |||
m.Get("/sign_up", auth.SignUp) | |||
m.Post("/sign_up", bindIgnErr(forms.RegisterForm{}), auth.SignUpPost) | |||
m.Group("/oauth2", func() { | |||
m.Get("/{provider}", user.SignInOAuth) | |||
m.Get("/{provider}/callback", user.SignInOAuthCallback) | |||
m.Get("/{provider}", auth.SignInOAuth) | |||
m.Get("/{provider}/callback", auth.SignInOAuthCallback) | |||
}) | |||
m.Get("/link_account", user.LinkAccount) | |||
m.Post("/link_account_signin", bindIgnErr(forms.SignInForm{}), user.LinkAccountPostSignIn) | |||
m.Post("/link_account_signup", bindIgnErr(forms.RegisterForm{}), user.LinkAccountPostRegister) | |||
m.Get("/link_account", auth.LinkAccount) | |||
m.Post("/link_account_signin", bindIgnErr(forms.SignInForm{}), auth.LinkAccountPostSignIn) | |||
m.Post("/link_account_signup", bindIgnErr(forms.RegisterForm{}), auth.LinkAccountPostRegister) | |||
m.Group("/two_factor", func() { | |||
m.Get("", user.TwoFactor) | |||
m.Post("", bindIgnErr(forms.TwoFactorAuthForm{}), user.TwoFactorPost) | |||
m.Get("/scratch", user.TwoFactorScratch) | |||
m.Post("/scratch", bindIgnErr(forms.TwoFactorScratchAuthForm{}), user.TwoFactorScratchPost) | |||
m.Get("", auth.TwoFactor) | |||
m.Post("", bindIgnErr(forms.TwoFactorAuthForm{}), auth.TwoFactorPost) | |||
m.Get("/scratch", auth.TwoFactorScratch) | |||
m.Post("/scratch", bindIgnErr(forms.TwoFactorScratchAuthForm{}), auth.TwoFactorScratchPost) | |||
}) | |||
m.Group("/u2f", func() { | |||
m.Get("", user.U2F) | |||
m.Get("/challenge", user.U2FChallenge) | |||
m.Post("/sign", bindIgnErr(u2f.SignResponse{}), user.U2FSign) | |||
m.Get("", auth.U2F) | |||
m.Get("/challenge", auth.U2FChallenge) | |||
m.Post("/sign", bindIgnErr(u2f.SignResponse{}), auth.U2FSign) | |||
}) | |||
}, reqSignOut) | |||
@@ -300,71 +302,71 @@ func RegisterRoutes(m *web.Route) { | |||
m.Any("/user/events", events.Events) | |||
m.Group("/login/oauth", func() { | |||
m.Get("/authorize", bindIgnErr(forms.AuthorizationForm{}), user.AuthorizeOAuth) | |||
m.Post("/grant", bindIgnErr(forms.GrantApplicationForm{}), user.GrantApplicationOAuth) | |||
m.Get("/authorize", bindIgnErr(forms.AuthorizationForm{}), auth.AuthorizeOAuth) | |||
m.Post("/grant", bindIgnErr(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth) | |||
// TODO manage redirection | |||
m.Post("/authorize", bindIgnErr(forms.AuthorizationForm{}), user.AuthorizeOAuth) | |||
m.Post("/authorize", bindIgnErr(forms.AuthorizationForm{}), auth.AuthorizeOAuth) | |||
}, ignSignInAndCsrf, reqSignIn) | |||
m.Get("/login/oauth/userinfo", ignSignInAndCsrf, user.InfoOAuth) | |||
m.Post("/login/oauth/access_token", CorsHandler(), bindIgnErr(forms.AccessTokenForm{}), ignSignInAndCsrf, user.AccessTokenOAuth) | |||
m.Get("/login/oauth/keys", ignSignInAndCsrf, user.OIDCKeys) | |||
m.Post("/login/oauth/introspect", CorsHandler(), bindIgnErr(forms.IntrospectTokenForm{}), ignSignInAndCsrf, user.IntrospectOAuth) | |||
m.Get("/login/oauth/userinfo", ignSignInAndCsrf, auth.InfoOAuth) | |||
m.Post("/login/oauth/access_token", CorsHandler(), bindIgnErr(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth) | |||
m.Get("/login/oauth/keys", ignSignInAndCsrf, auth.OIDCKeys) | |||
m.Post("/login/oauth/introspect", CorsHandler(), bindIgnErr(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth) | |||
m.Group("/user/settings", func() { | |||
m.Get("", userSetting.Profile) | |||
m.Post("", bindIgnErr(forms.UpdateProfileForm{}), userSetting.ProfilePost) | |||
m.Get("/change_password", user.MustChangePassword) | |||
m.Post("/change_password", bindIgnErr(forms.MustChangePasswordForm{}), user.MustChangePasswordPost) | |||
m.Post("/avatar", bindIgnErr(forms.AvatarForm{}), userSetting.AvatarPost) | |||
m.Post("/avatar/delete", userSetting.DeleteAvatar) | |||
m.Get("", user_setting.Profile) | |||
m.Post("", bindIgnErr(forms.UpdateProfileForm{}), user_setting.ProfilePost) | |||
m.Get("/change_password", auth.MustChangePassword) | |||
m.Post("/change_password", bindIgnErr(forms.MustChangePasswordForm{}), auth.MustChangePasswordPost) | |||
m.Post("/avatar", bindIgnErr(forms.AvatarForm{}), user_setting.AvatarPost) | |||
m.Post("/avatar/delete", user_setting.DeleteAvatar) | |||
m.Group("/account", func() { | |||
m.Combo("").Get(userSetting.Account).Post(bindIgnErr(forms.ChangePasswordForm{}), userSetting.AccountPost) | |||
m.Post("/email", bindIgnErr(forms.AddEmailForm{}), userSetting.EmailPost) | |||
m.Post("/email/delete", userSetting.DeleteEmail) | |||
m.Post("/delete", userSetting.DeleteAccount) | |||
m.Combo("").Get(user_setting.Account).Post(bindIgnErr(forms.ChangePasswordForm{}), user_setting.AccountPost) | |||
m.Post("/email", bindIgnErr(forms.AddEmailForm{}), user_setting.EmailPost) | |||
m.Post("/email/delete", user_setting.DeleteEmail) | |||
m.Post("/delete", user_setting.DeleteAccount) | |||
}) | |||
m.Group("/appearance", func() { | |||
m.Get("", userSetting.Appearance) | |||
m.Post("/language", bindIgnErr(forms.UpdateLanguageForm{}), userSetting.UpdateUserLang) | |||
m.Post("/theme", bindIgnErr(forms.UpdateThemeForm{}), userSetting.UpdateUIThemePost) | |||
m.Get("", user_setting.Appearance) | |||
m.Post("/language", bindIgnErr(forms.UpdateLanguageForm{}), user_setting.UpdateUserLang) | |||
m.Post("/theme", bindIgnErr(forms.UpdateThemeForm{}), user_setting.UpdateUIThemePost) | |||
}) | |||
m.Group("/security", func() { | |||
m.Get("", userSetting.Security) | |||
m.Get("", security.Security) | |||
m.Group("/two_factor", func() { | |||
m.Post("/regenerate_scratch", userSetting.RegenerateScratchTwoFactor) | |||
m.Post("/disable", userSetting.DisableTwoFactor) | |||
m.Get("/enroll", userSetting.EnrollTwoFactor) | |||
m.Post("/enroll", bindIgnErr(forms.TwoFactorAuthForm{}), userSetting.EnrollTwoFactorPost) | |||
m.Post("/regenerate_scratch", security.RegenerateScratchTwoFactor) | |||
m.Post("/disable", security.DisableTwoFactor) | |||
m.Get("/enroll", security.EnrollTwoFactor) | |||
m.Post("/enroll", bindIgnErr(forms.TwoFactorAuthForm{}), security.EnrollTwoFactorPost) | |||
}) | |||
m.Group("/u2f", func() { | |||
m.Post("/request_register", bindIgnErr(forms.U2FRegistrationForm{}), userSetting.U2FRegister) | |||
m.Post("/register", bindIgnErr(u2f.RegisterResponse{}), userSetting.U2FRegisterPost) | |||
m.Post("/delete", bindIgnErr(forms.U2FDeleteForm{}), userSetting.U2FDelete) | |||
m.Post("/request_register", bindIgnErr(forms.U2FRegistrationForm{}), security.U2FRegister) | |||
m.Post("/register", bindIgnErr(u2f.RegisterResponse{}), security.U2FRegisterPost) | |||
m.Post("/delete", bindIgnErr(forms.U2FDeleteForm{}), security.U2FDelete) | |||
}) | |||
m.Group("/openid", func() { | |||
m.Post("", bindIgnErr(forms.AddOpenIDForm{}), userSetting.OpenIDPost) | |||
m.Post("/delete", userSetting.DeleteOpenID) | |||
m.Post("/toggle_visibility", userSetting.ToggleOpenIDVisibility) | |||
m.Post("", bindIgnErr(forms.AddOpenIDForm{}), security.OpenIDPost) | |||
m.Post("/delete", security.DeleteOpenID) | |||
m.Post("/toggle_visibility", security.ToggleOpenIDVisibility) | |||
}, openIDSignInEnabled) | |||
m.Post("/account_link", userSetting.DeleteAccountLink) | |||
m.Post("/account_link", security.DeleteAccountLink) | |||
}) | |||
m.Group("/applications/oauth2", func() { | |||
m.Get("/{id}", userSetting.OAuth2ApplicationShow) | |||
m.Post("/{id}", bindIgnErr(forms.EditOAuth2ApplicationForm{}), userSetting.OAuthApplicationsEdit) | |||
m.Post("/{id}/regenerate_secret", userSetting.OAuthApplicationsRegenerateSecret) | |||
m.Post("", bindIgnErr(forms.EditOAuth2ApplicationForm{}), userSetting.OAuthApplicationsPost) | |||
m.Post("/delete", userSetting.DeleteOAuth2Application) | |||
m.Post("/revoke", userSetting.RevokeOAuth2Grant) | |||
m.Get("/{id}", user_setting.OAuth2ApplicationShow) | |||
m.Post("/{id}", bindIgnErr(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit) | |||
m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret) | |||
m.Post("", bindIgnErr(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost) | |||
m.Post("/delete", user_setting.DeleteOAuth2Application) | |||
m.Post("/revoke", user_setting.RevokeOAuth2Grant) | |||
}) | |||
m.Combo("/applications").Get(userSetting.Applications). | |||
Post(bindIgnErr(forms.NewAccessTokenForm{}), userSetting.ApplicationsPost) | |||
m.Post("/applications/delete", userSetting.DeleteApplication) | |||
m.Combo("/keys").Get(userSetting.Keys). | |||
Post(bindIgnErr(forms.AddKeyForm{}), userSetting.KeysPost) | |||
m.Post("/keys/delete", userSetting.DeleteKey) | |||
m.Get("/organization", userSetting.Organization) | |||
m.Get("/repos", userSetting.Repos) | |||
m.Post("/repos/unadopted", userSetting.AdoptOrDeleteRepository) | |||
m.Combo("/applications").Get(user_setting.Applications). | |||
Post(bindIgnErr(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost) | |||
m.Post("/applications/delete", user_setting.DeleteApplication) | |||
m.Combo("/keys").Get(user_setting.Keys). | |||
Post(bindIgnErr(forms.AddKeyForm{}), user_setting.KeysPost) | |||
m.Post("/keys/delete", user_setting.DeleteKey) | |||
m.Get("/organization", user_setting.Organization) | |||
m.Get("/repos", user_setting.Repos) | |||
m.Post("/repos/unadopted", user_setting.AdoptOrDeleteRepository) | |||
}, reqSignIn, func(ctx *context.Context) { | |||
ctx.Data["PageIsUserSettings"] = true | |||
ctx.Data["AllThemes"] = setting.UI.Themes | |||
@@ -372,15 +374,15 @@ func RegisterRoutes(m *web.Route) { | |||
m.Group("/user", func() { | |||
// r.Get("/feeds", binding.Bind(auth.FeedsForm{}), user.Feeds) | |||
m.Get("/activate", user.Activate, reqSignIn) | |||
m.Post("/activate", user.ActivatePost, reqSignIn) | |||
m.Any("/activate_email", user.ActivateEmail) | |||
m.Get("/activate", auth.Activate, reqSignIn) | |||
m.Post("/activate", auth.ActivatePost, reqSignIn) | |||
m.Any("/activate_email", auth.ActivateEmail) | |||
m.Get("/avatar/{username}/{size}", user.AvatarByUserName) | |||
m.Get("/recover_account", user.ResetPasswd) | |||
m.Post("/recover_account", user.ResetPasswdPost) | |||
m.Get("/forgot_password", user.ForgotPasswd) | |||
m.Post("/forgot_password", user.ForgotPasswdPost) | |||
m.Post("/logout", user.SignOut) | |||
m.Get("/recover_account", auth.ResetPasswd) | |||
m.Post("/recover_account", auth.ResetPasswdPost) | |||
m.Get("/forgot_password", auth.ForgotPasswd) | |||
m.Post("/forgot_password", auth.ForgotPasswdPost) | |||
m.Post("/logout", auth.SignOut) | |||
m.Get("/task/{task}", user.TaskStatus) | |||
}) | |||
// ***** END: User ***** |
@@ -10,8 +10,8 @@ import ( | |||
"code.gitea.io/gitea/models" | |||
asymkey_model "code.gitea.io/gitea/models/asymkey" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/git" | |||
"code.gitea.io/gitea/modules/log" | |||
@@ -150,8 +150,8 @@ Loop: | |||
return false, "", nil, &ErrWontSign{pubkey} | |||
} | |||
case twofa: | |||
twofaModel, err := login.GetTwoFactorByUID(u.ID) | |||
if err != nil && !login.IsErrTwoFactorNotEnrolled(err) { | |||
twofaModel, err := auth.GetTwoFactorByUID(u.ID) | |||
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) { | |||
return false, "", nil, err | |||
} | |||
if twofaModel == nil { | |||
@@ -186,8 +186,8 @@ Loop: | |||
return false, "", nil, &ErrWontSign{pubkey} | |||
} | |||
case twofa: | |||
twofaModel, err := login.GetTwoFactorByUID(u.ID) | |||
if err != nil && !login.IsErrTwoFactorNotEnrolled(err) { | |||
twofaModel, err := auth.GetTwoFactorByUID(u.ID) | |||
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) { | |||
return false, "", nil, err | |||
} | |||
if twofaModel == nil { | |||
@@ -239,8 +239,8 @@ Loop: | |||
return false, "", nil, &ErrWontSign{pubkey} | |||
} | |||
case twofa: | |||
twofaModel, err := login.GetTwoFactorByUID(u.ID) | |||
if err != nil && !login.IsErrTwoFactorNotEnrolled(err) { | |||
twofaModel, err := auth.GetTwoFactorByUID(u.ID) | |||
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) { | |||
return false, "", nil, err | |||
} | |||
if twofaModel == nil { | |||
@@ -301,8 +301,8 @@ Loop: | |||
return false, "", nil, &ErrWontSign{pubkey} | |||
} | |||
case twofa: | |||
twofaModel, err := login.GetTwoFactorByUID(u.ID) | |||
if err != nil && !login.IsErrTwoFactorNotEnrolled(err) { | |||
twofaModel, err := auth.GetTwoFactorByUID(u.ID) | |||
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) { | |||
return false, "", nil, err | |||
} | |||
if twofaModel == nil { |
@@ -8,7 +8,7 @@ import ( | |||
"testing" | |||
asymkey_model "code.gitea.io/gitea/models/asymkey" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/unittest" | |||
user_model "code.gitea.io/gitea/models/user" | |||
@@ -19,7 +19,7 @@ func TestAddLdapSSHPublicKeys(t *testing.T) { | |||
assert.NoError(t, unittest.PrepareTestDatabase()) | |||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User) | |||
s := &login.Source{ID: 1} | |||
s := &auth.Source{ID: 1} | |||
testCases := []struct { | |||
keyString string |
@@ -11,8 +11,8 @@ import ( | |||
"time" | |||
"code.gitea.io/gitea/models" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/timeutil" | |||
@@ -37,8 +37,8 @@ func CheckOAuthAccessToken(accessToken string) int64 { | |||
log.Trace("oauth2.ParseToken: %v", err) | |||
return 0 | |||
} | |||
var grant *login.OAuth2Grant | |||
if grant, err = login.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil { | |||
var grant *auth.OAuth2Grant | |||
if grant, err = auth.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil { | |||
return 0 | |||
} | |||
if token.Type != oauth2.TypeAccessToken { |
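Review bot: In CheckOAuthAccessToken the renamed `auth.GetOAuth2GrantByID` call still folds a database error and a missing grant into the same bare `return 0`, whereas the `ParseToken` failure a few lines above is traced before returning. A lookup failure during access-token validation deserves the same visibility, otherwise an outage of the grant table is indistinguishable from a revoked token in the logs; add `log.Trace("auth.GetOAuth2GrantByID: %v", err)` before that `return 0` (the file already imports `modules/log`). The body of CheckOAuthAccessToken continues outside the hunk.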
@@ -7,8 +7,8 @@ package auth | |||
import ( | |||
"strings" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/services/auth/source/oauth2" | |||
@@ -21,7 +21,7 @@ import ( | |||
) | |||
// UserSignIn validates user name and password. | |||
func UserSignIn(username, password string) (*user_model.User, *login.Source, error) { | |||
func UserSignIn(username, password string) (*user_model.User, *auth.Source, error) { | |||
var user *user_model.User | |||
if strings.Contains(username, "@") { | |||
user = &user_model.User{Email: strings.ToLower(strings.TrimSpace(username))} | |||
@@ -50,13 +50,13 @@ func UserSignIn(username, password string) (*user_model.User, *login.Source, err | |||
} | |||
if hasUser { | |||
source, err := login.GetSourceByID(user.LoginSource) | |||
source, err := auth.GetSourceByID(user.LoginSource) | |||
if err != nil { | |||
return nil, nil, err | |||
} | |||
if !source.IsActive { | |||
return nil, nil, oauth2.ErrLoginSourceNotActived | |||
return nil, nil, oauth2.ErrAuthSourceNotActived | |||
} | |||
authenticator, ok := source.Cfg.(PasswordAuthenticator) | |||
@@ -78,7 +78,7 @@ func UserSignIn(username, password string) (*user_model.User, *login.Source, err | |||
return user, source, nil | |||
} | |||
sources, err := login.AllActiveSources() | |||
sources, err := auth.AllActiveSources() | |||
if err != nil { | |||
return nil, nil, err | |||
} |
@@ -5,18 +5,18 @@ | |||
package auth | |||
import ( | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
user_model "code.gitea.io/gitea/models/user" | |||
) | |||
// DeleteLoginSource deletes a LoginSource record in DB. | |||
func DeleteLoginSource(source *login.Source) error { | |||
// DeleteSource deletes a AuthSource record in DB. | |||
func DeleteSource(source *auth.Source) error { | |||
count, err := db.GetEngine(db.DefaultContext).Count(&user_model.User{LoginSource: source.ID}) | |||
if err != nil { | |||
return err | |||
} else if count > 0 { | |||
return login.ErrSourceInUse{ | |||
return auth.ErrSourceInUse{ | |||
ID: source.ID, | |||
} | |||
} | |||
@@ -25,17 +25,17 @@ func DeleteLoginSource(source *login.Source) error { | |||
if err != nil { | |||
return err | |||
} else if count > 0 { | |||
return login.ErrSourceInUse{ | |||
return auth.ErrSourceInUse{ | |||
ID: source.ID, | |||
} | |||
} | |||
if registerableSource, ok := source.Cfg.(login.RegisterableSource); ok { | |||
if registerableSource, ok := source.Cfg.(auth.RegisterableSource); ok { | |||
if err := registerableSource.UnregisterSource(); err != nil { | |||
return err | |||
} | |||
} | |||
_, err = db.GetEngine(db.DefaultContext).ID(source.ID).Delete(new(login.Source)) | |||
_, err = db.GetEngine(db.DefaultContext).ID(source.ID).Delete(new(auth.Source)) | |||
return err | |||
} |
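Review bot: The doc comment on the renamed function reads `// DeleteSource deletes a AuthSource record in DB.`, which is ungrammatical and uses a type name that does not exist in the code; `// DeleteSource deletes an auth source record from the DB, refusing if any user still references it.` matches what the body does. Separately, the in-use counts, the `UnregisterSource` call and the final `Delete` each go through a fresh `db.GetEngine(db.DefaultContext)` rather than one transaction, so a failed `Delete` appears to leave the provider unregistered while its row persists, and a user bound to the source between the count and the delete would not be caught. That ordering predates this commit, but it is worth a follow-up now that the function is being renamed.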
@@ -5,7 +5,7 @@ | |||
package db_test | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
auth_model "code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/auth/source/db" | |||
) | |||
@@ -15,7 +15,7 @@ import ( | |||
type sourceInterface interface { | |||
auth.PasswordAuthenticator | |||
login.Config | |||
auth_model.Config | |||
} | |||
var _ (sourceInterface) = &db.Source{} |
@@ -5,7 +5,7 @@ | |||
package db | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
user_model "code.gitea.io/gitea/models/user" | |||
) | |||
@@ -29,6 +29,6 @@ func (source *Source) Authenticate(user *user_model.User, login, password string | |||
} | |||
func init() { | |||
login.RegisterTypeConfig(login.NoType, &Source{}) | |||
login.RegisterTypeConfig(login.Plain, &Source{}) | |||
auth.RegisterTypeConfig(auth.NoType, &Source{}) | |||
auth.RegisterTypeConfig(auth.Plain, &Source{}) | |||
} |
@@ -5,7 +5,7 @@ | |||
package ldap_test | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
auth_model "code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/auth/source/ldap" | |||
) | |||
@@ -17,12 +17,12 @@ type sourceInterface interface { | |||
auth.PasswordAuthenticator | |||
auth.SynchronizableSource | |||
auth.LocalTwoFASkipper | |||
login.SSHKeyProvider | |||
login.Config | |||
login.SkipVerifiable | |||
login.HasTLSer | |||
login.UseTLSer | |||
login.SourceSettable | |||
auth_model.SSHKeyProvider | |||
auth_model.Config | |||
auth_model.SkipVerifiable | |||
auth_model.HasTLSer | |||
auth_model.UseTLSer | |||
auth_model.SourceSettable | |||
} | |||
var _ (sourceInterface) = &ldap.Source{} |
@@ -7,7 +7,7 @@ package ldap | |||
import ( | |||
"strings" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/json" | |||
"code.gitea.io/gitea/modules/secret" | |||
"code.gitea.io/gitea/modules/setting" | |||
@@ -55,8 +55,8 @@ type Source struct { | |||
UserUID string // User Attribute listed in Group | |||
SkipLocalTwoFA bool `json:",omitempty"` // Skip Local 2fa for users authenticated with this source | |||
// reference to the loginSource | |||
loginSource *login.Source | |||
// reference to the authSource | |||
authSource *auth.Source | |||
} | |||
// FromDB fills up a LDAPConfig from serialized format. | |||
@@ -109,12 +109,12 @@ func (source *Source) ProvidesSSHKeys() bool { | |||
return len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0 | |||
} | |||
// SetLoginSource sets the related LoginSource | |||
func (source *Source) SetLoginSource(loginSource *login.Source) { | |||
source.loginSource = loginSource | |||
// SetAuthSource sets the related AuthSource | |||
func (source *Source) SetAuthSource(authSource *auth.Source) { | |||
source.authSource = authSource | |||
} | |||
func init() { | |||
login.RegisterTypeConfig(login.LDAP, &Source{}) | |||
login.RegisterTypeConfig(login.DLDAP, &Source{}) | |||
auth.RegisterTypeConfig(auth.LDAP, &Source{}) | |||
auth.RegisterTypeConfig(auth.DLDAP, &Source{}) | |||
} |
@@ -9,8 +9,8 @@ import ( | |||
"strings" | |||
asymkey_model "code.gitea.io/gitea/models/asymkey" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/services/mailer" | |||
user_service "code.gitea.io/gitea/services/user" | |||
@@ -19,7 +19,7 @@ import ( | |||
// Authenticate queries if login/password is valid against the LDAP directory pool, | |||
// and create a local user if success when enabled. | |||
func (source *Source) Authenticate(user *user_model.User, userName, password string) (*user_model.User, error) { | |||
sr := source.SearchEntry(userName, password, source.loginSource.Type == login.DLDAP) | |||
sr := source.SearchEntry(userName, password, source.authSource.Type == auth.DLDAP) | |||
if sr == nil { | |||
// User not in LDAP, do nothing | |||
return nil, user_model.ErrUserNotExist{Name: userName} | |||
@@ -59,7 +59,7 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str | |||
} | |||
if user != nil { | |||
if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(user, source.loginSource, sr.SSHPublicKey) { | |||
if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(user, source.authSource, sr.SSHPublicKey) { | |||
return user, asymkey_model.RewriteAllPublicKeys() | |||
} | |||
@@ -80,8 +80,8 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str | |||
Name: sr.Username, | |||
FullName: composeFullName(sr.Name, sr.Surname, sr.Username), | |||
Email: sr.Mail, | |||
LoginType: source.loginSource.Type, | |||
LoginSource: source.loginSource.ID, | |||
LoginType: source.authSource.Type, | |||
LoginSource: source.authSource.ID, | |||
LoginName: userName, | |||
IsActive: true, | |||
IsAdmin: sr.IsAdmin, | |||
@@ -95,7 +95,7 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str | |||
mailer.SendRegisterNotifyMail(user) | |||
if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(user, source.loginSource, sr.SSHPublicKey) { | |||
if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(user, source.authSource, sr.SSHPublicKey) { | |||
err = asymkey_model.RewriteAllPublicKeys() | |||
} | |||
@@ -19,22 +19,22 @@ import ( | |||
// Sync causes this ldap source to synchronize its users with the db | |||
func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
log.Trace("Doing: SyncExternalUsers[%s]", source.loginSource.Name) | |||
log.Trace("Doing: SyncExternalUsers[%s]", source.authSource.Name) | |||
var existingUsers []int | |||
isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0 | |||
var sshKeysNeedUpdate bool | |||
// Find all users with this login type - FIXME: Should this be an iterator? | |||
users, err := user_model.GetUsersBySource(source.loginSource) | |||
users, err := user_model.GetUsersBySource(source.authSource) | |||
if err != nil { | |||
log.Error("SyncExternalUsers: %v", err) | |||
return err | |||
} | |||
select { | |||
case <-ctx.Done(): | |||
log.Warn("SyncExternalUsers: Cancelled before update of %s", source.loginSource.Name) | |||
return db.ErrCancelledf("Before update of %s", source.loginSource.Name) | |||
log.Warn("SyncExternalUsers: Cancelled before update of %s", source.authSource.Name) | |||
return db.ErrCancelledf("Before update of %s", source.authSource.Name) | |||
default: | |||
} | |||
@@ -44,7 +44,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
sr, err := source.SearchEntries() | |||
if err != nil { | |||
log.Error("SyncExternalUsers LDAP source failure [%s], skipped", source.loginSource.Name) | |||
log.Error("SyncExternalUsers LDAP source failure [%s], skipped", source.authSource.Name) | |||
return nil | |||
} | |||
@@ -65,7 +65,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
for _, su := range sr { | |||
select { | |||
case <-ctx.Done(): | |||
log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", source.loginSource.Name) | |||
log.Warn("SyncExternalUsers: Cancelled at update of %s before completed update of users", source.authSource.Name) | |||
// Rewrite authorized_keys file if LDAP Public SSH Key attribute is set and any key was added or removed | |||
if sshKeysNeedUpdate { | |||
err = asymkey_model.RewriteAllPublicKeys() | |||
@@ -73,7 +73,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
log.Error("RewriteAllPublicKeys: %v", err) | |||
} | |||
} | |||
return db.ErrCancelledf("During update of %s before completed update of users", source.loginSource.Name) | |||
return db.ErrCancelledf("During update of %s before completed update of users", source.authSource.Name) | |||
default: | |||
} | |||
if len(su.Username) == 0 { | |||
@@ -96,14 +96,14 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
fullName := composeFullName(su.Name, su.Surname, su.Username) | |||
// If no existing user found, create one | |||
if usr == nil { | |||
log.Trace("SyncExternalUsers[%s]: Creating user %s", source.loginSource.Name, su.Username) | |||
log.Trace("SyncExternalUsers[%s]: Creating user %s", source.authSource.Name, su.Username) | |||
usr = &user_model.User{ | |||
LowerName: su.LowerName, | |||
Name: su.Username, | |||
FullName: fullName, | |||
LoginType: source.loginSource.Type, | |||
LoginSource: source.loginSource.ID, | |||
LoginType: source.authSource.Type, | |||
LoginSource: source.authSource.ID, | |||
LoginName: su.Username, | |||
Email: su.Mail, | |||
IsAdmin: su.IsAdmin, | |||
@@ -114,12 +114,12 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
err = user_model.CreateUser(usr) | |||
if err != nil { | |||
log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.loginSource.Name, su.Username, err) | |||
log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.authSource.Name, su.Username, err) | |||
} | |||
if err == nil && isAttributeSSHPublicKeySet { | |||
log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.loginSource.Name, usr.Name) | |||
if asymkey_model.AddPublicKeysBySource(usr, source.loginSource, su.SSHPublicKey) { | |||
log.Trace("SyncExternalUsers[%s]: Adding LDAP Public SSH Keys for user %s", source.authSource.Name, usr.Name) | |||
if asymkey_model.AddPublicKeysBySource(usr, source.authSource, su.SSHPublicKey) { | |||
sshKeysNeedUpdate = true | |||
} | |||
} | |||
@@ -129,7 +129,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
} | |||
} else if updateExisting { | |||
// Synchronize SSH Public Key if that attribute is set | |||
if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(usr, source.loginSource, su.SSHPublicKey) { | |||
if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(usr, source.authSource, su.SSHPublicKey) { | |||
sshKeysNeedUpdate = true | |||
} | |||
@@ -140,7 +140,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
usr.FullName != fullName || | |||
!usr.IsActive { | |||
log.Trace("SyncExternalUsers[%s]: Updating user %s", source.loginSource.Name, usr.Name) | |||
log.Trace("SyncExternalUsers[%s]: Updating user %s", source.authSource.Name, usr.Name) | |||
usr.FullName = fullName | |||
usr.Email = su.Mail | |||
@@ -156,7 +156,7 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
err = user_model.UpdateUserCols(db.DefaultContext, usr, "full_name", "email", "is_admin", "is_restricted", "is_active") | |||
if err != nil { | |||
log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.loginSource.Name, usr.Name, err) | |||
log.Error("SyncExternalUsers[%s]: Error updating user %s: %v", source.authSource.Name, usr.Name, err) | |||
} | |||
} | |||
@@ -179,8 +179,8 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
select { | |||
case <-ctx.Done(): | |||
log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", source.loginSource.Name) | |||
return db.ErrCancelledf("During update of %s before delete users", source.loginSource.Name) | |||
log.Warn("SyncExternalUsers: Cancelled during update of %s before delete users", source.authSource.Name) | |||
return db.ErrCancelledf("During update of %s before delete users", source.authSource.Name) | |||
default: | |||
} | |||
@@ -192,12 +192,12 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error { | |||
existPos++ | |||
} | |||
if usr.IsActive && (existPos >= len(existingUsers) || i < existingUsers[existPos]) { | |||
log.Trace("SyncExternalUsers[%s]: Deactivating user %s", source.loginSource.Name, usr.Name) | |||
log.Trace("SyncExternalUsers[%s]: Deactivating user %s", source.authSource.Name, usr.Name) | |||
usr.IsActive = false | |||
err = user_model.UpdateUserCols(db.DefaultContext, usr, "is_active") | |||
if err != nil { | |||
log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", source.loginSource.Name, usr.Name, err) | |||
log.Error("SyncExternalUsers[%s]: Error deactivating user %s: %v", source.authSource.Name, usr.Name, err) | |||
} | |||
} | |||
} |
@@ -5,7 +5,7 @@ | |||
package oauth2_test | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
auth_model "code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/auth/source/oauth2" | |||
) | |||
@@ -14,9 +14,9 @@ import ( | |||
// It tightly binds the interfaces and implementation without breaking go import cycles | |||
type sourceInterface interface { | |||
login.Config | |||
login.SourceSettable | |||
login.RegisterableSource | |||
auth_model.Config | |||
auth_model.SourceSettable | |||
auth_model.RegisterableSource | |||
auth.PasswordAuthenticator | |||
} | |||
@@ -9,7 +9,7 @@ import ( | |||
"net/http" | |||
"sync" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
@@ -52,19 +52,19 @@ func Init() error { | |||
// Unlock our mutex | |||
gothRWMutex.Unlock() | |||
return initOAuth2LoginSources() | |||
return initOAuth2Sources() | |||
} | |||
// ResetOAuth2 clears existing OAuth2 providers and loads them from DB | |||
func ResetOAuth2() error { | |||
ClearProviders() | |||
return initOAuth2LoginSources() | |||
return initOAuth2Sources() | |||
} | |||
// initOAuth2LoginSources is used to load and register all active OAuth2 providers | |||
func initOAuth2LoginSources() error { | |||
loginSources, _ := login.GetActiveOAuth2ProviderLoginSources() | |||
for _, source := range loginSources { | |||
// initOAuth2Sources is used to load and register all active OAuth2 providers | |||
func initOAuth2Sources() error { | |||
authSources, _ := auth.GetActiveOAuth2ProviderSources() | |||
for _, source := range authSources { | |||
oauth2Source, ok := source.Cfg.(*Source) | |||
if !ok { | |||
continue |
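Review bot: `initOAuth2Sources` still discards the error from `auth.GetActiveOAuth2ProviderSources()` with `_`, so a database failure during startup or `ResetOAuth2` silently registers no OAuth2 providers while `Init()` returns nil as if everything succeeded. Both callers already `return initOAuth2Sources()`, so the error can simply be propagated: `authSources, err := auth.GetActiveOAuth2ProviderSources()` followed by `if err != nil { return err }`. The body of initOAuth2Sources continues outside the hunk.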
@@ -9,7 +9,7 @@ import ( | |||
"net/url" | |||
"sort" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/log" | |||
"code.gitea.io/gitea/modules/setting" | |||
@@ -55,7 +55,7 @@ func NewImagedProvider(image string, provider GothProvider) *ImagedProvider { | |||
} | |||
// Providers contains the map of registered OAuth2 providers in Gitea (based on goth) | |||
// key is used to map the OAuth2Provider with the goth provider type (also in LoginSource.OAuth2Config.Provider) | |||
// key is used to map the OAuth2Provider with the goth provider type (also in AuthSource.OAuth2Config.Provider) | |||
// value is used to store display data | |||
var gothProviders = map[string]GothProvider{} | |||
@@ -88,14 +88,14 @@ func GetOAuth2Providers() []Provider { | |||
func GetActiveOAuth2Providers() ([]string, map[string]Provider, error) { | |||
// Maybe also separate used and unused providers so we can force the registration of only 1 active provider for each type | |||
loginSources, err := login.GetActiveOAuth2ProviderLoginSources() | |||
authSources, err := auth.GetActiveOAuth2ProviderSources() | |||
if err != nil { | |||
return nil, nil, err | |||
} | |||
var orderedKeys []string | |||
providers := make(map[string]Provider) | |||
for _, source := range loginSources { | |||
for _, source := range authSources { | |||
prov := gothProviders[source.Cfg.(*Source).Provider] | |||
if source.Cfg.(*Source).IconURL != "" { | |||
prov = &ImagedProvider{prov, source.Cfg.(*Source).IconURL} | |||
@@ -140,8 +140,8 @@ func ClearProviders() { | |||
} | |||
var ( | |||
// ErrLoginSourceNotActived login source is not actived error | |||
ErrLoginSourceNotActived = errors.New("Login source is not actived") | |||
// ErrAuthSourceNotActived login source is not actived error | |||
ErrAuthSourceNotActived = errors.New("auth source is not actived") | |||
) | |||
// used to create different types of goth providers | |||
@@ -153,7 +153,7 @@ func createProvider(providerName string, source *Source) (goth.Provider, error) | |||
p, ok := gothProviders[source.Provider] | |||
if !ok { | |||
return nil, ErrLoginSourceNotActived | |||
return nil, ErrAuthSourceNotActived | |||
} | |||
provider, err = p.CreateGothProvider(providerName, callbackURL, source) |
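Review bot: The doc comment on the renamed variable still says `// ErrAuthSourceNotActived login source is not actived error`, so it no longer matches the identifier it documents and repeats the "actived" typo; `// ErrAuthSourceNotActived is returned when an auth source is not active.` would match. Note also that `createProvider` returns this error when `source.Provider` has no entry in `gothProviders`, which is an unknown or unregistered provider rather than an inactive source; a more specific error naming the provider would make the resulting log lines easier to act on. That behaviour predates this commit.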
@@ -5,7 +5,7 @@ | |||
package oauth2 | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/json" | |||
) | |||
@@ -33,8 +33,8 @@ type Source struct { | |||
RestrictedGroup string | |||
SkipLocalTwoFA bool `json:",omitempty"` | |||
// reference to the loginSource | |||
loginSource *login.Source | |||
// reference to the authSource | |||
authSource *auth.Source | |||
} | |||
// FromDB fills up an OAuth2Config from serialized format. | |||
@@ -47,11 +47,11 @@ func (source *Source) ToDB() ([]byte, error) { | |||
return json.Marshal(source) | |||
} | |||
// SetLoginSource sets the related LoginSource | |||
func (source *Source) SetLoginSource(loginSource *login.Source) { | |||
source.loginSource = loginSource | |||
// SetAuthSource sets the related AuthSource | |||
func (source *Source) SetAuthSource(authSource *auth.Source) { | |||
source.authSource = authSource | |||
} | |||
func init() { | |||
login.RegisterTypeConfig(login.OAuth2, &Source{}) | |||
auth.RegisterTypeConfig(auth.OAuth2, &Source{}) | |||
} |
@@ -14,7 +14,7 @@ import ( | |||
// Callout redirects request/response pair to authenticate against the provider | |||
func (source *Source) Callout(request *http.Request, response http.ResponseWriter) error { | |||
// not sure if goth is thread safe (?) when using multiple providers | |||
request.Header.Set(ProviderHeaderKey, source.loginSource.Name) | |||
request.Header.Set(ProviderHeaderKey, source.authSource.Name) | |||
// don't use the default gothic begin handler to prevent issues when some error occurs | |||
// normally the gothic library will write some custom stuff to the response instead of our own nice error page | |||
@@ -34,7 +34,7 @@ func (source *Source) Callout(request *http.Request, response http.ResponseWrite | |||
// this will trigger a new authentication request, but because we save it in the session we can use that | |||
func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (goth.User, error) { | |||
// not sure if goth is thread safe (?) when using multiple providers | |||
request.Header.Set(ProviderHeaderKey, source.loginSource.Name) | |||
request.Header.Set(ProviderHeaderKey, source.authSource.Name) | |||
gothRWMutex.RLock() | |||
defer gothRWMutex.RUnlock() |
@@ -10,13 +10,13 @@ import ( | |||
// RegisterSource causes an OAuth2 configuration to be registered | |||
func (source *Source) RegisterSource() error { | |||
err := RegisterProviderWithGothic(source.loginSource.Name, source) | |||
return wrapOpenIDConnectInitializeError(err, source.loginSource.Name, source) | |||
err := RegisterProviderWithGothic(source.authSource.Name, source) | |||
return wrapOpenIDConnectInitializeError(err, source.authSource.Name, source) | |||
} | |||
// UnregisterSource causes an OAuth2 configuration to be unregistered | |||
func (source *Source) UnregisterSource() error { | |||
RemoveProviderFromGothic(source.loginSource.Name) | |||
RemoveProviderFromGothic(source.authSource.Name) | |||
return nil | |||
} | |||
@@ -5,7 +5,7 @@ | |||
package pam_test | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
auth_model "code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/auth/source/pam" | |||
) | |||
@@ -15,8 +15,8 @@ import ( | |||
type sourceInterface interface { | |||
auth.PasswordAuthenticator | |||
login.Config | |||
login.SourceSettable | |||
auth_model.Config | |||
auth_model.SourceSettable | |||
} | |||
var _ (sourceInterface) = &pam.Source{} |
@@ -5,7 +5,7 @@ | |||
package pam | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/json" | |||
) | |||
@@ -22,8 +22,8 @@ type Source struct { | |||
EmailDomain string | |||
SkipLocalTwoFA bool `json:",omitempty"` // Skip Local 2fa for users authenticated with this source | |||
// reference to the loginSource | |||
loginSource *login.Source | |||
// reference to the authSource | |||
authSource *auth.Source | |||
} | |||
// FromDB fills up a PAMConfig from serialized format. | |||
@@ -36,11 +36,11 @@ func (source *Source) ToDB() ([]byte, error) { | |||
return json.Marshal(source) | |||
} | |||
// SetLoginSource sets the related LoginSource | |||
func (source *Source) SetLoginSource(loginSource *login.Source) { | |||
source.loginSource = loginSource | |||
// SetAuthSource sets the related AuthSource | |||
func (source *Source) SetAuthSource(authSource *auth.Source) { | |||
source.authSource = authSource | |||
} | |||
func init() { | |||
login.RegisterTypeConfig(login.PAM, &Source{}) | |||
auth.RegisterTypeConfig(auth.PAM, &Source{}) | |||
} |
@@ -8,7 +8,7 @@ import ( | |||
"fmt" | |||
"strings" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/auth/pam" | |||
"code.gitea.io/gitea/modules/setting" | |||
@@ -55,8 +55,8 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str | |||
Name: username, | |||
Email: email, | |||
Passwd: password, | |||
LoginType: login.PAM, | |||
LoginSource: source.loginSource.ID, | |||
LoginType: auth.PAM, | |||
LoginSource: source.authSource.ID, | |||
LoginName: userName, // This is what the user typed in | |||
IsActive: true, | |||
} |
@@ -5,7 +5,7 @@ | |||
package smtp_test | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
auth_model "code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/services/auth" | |||
"code.gitea.io/gitea/services/auth/source/smtp" | |||
) | |||
@@ -15,11 +15,11 @@ import ( | |||
type sourceInterface interface { | |||
auth.PasswordAuthenticator | |||
login.Config | |||
login.SkipVerifiable | |||
login.HasTLSer | |||
login.UseTLSer | |||
login.SourceSettable | |||
auth_model.Config | |||
auth_model.SkipVerifiable | |||
auth_model.HasTLSer | |||
auth_model.UseTLSer | |||
auth_model.SourceSettable | |||
} | |||
var _ (sourceInterface) = &smtp.Source{} |
@@ -5,7 +5,7 @@ | |||
package smtp | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/json" | |||
) | |||
@@ -28,8 +28,8 @@ type Source struct { | |||
DisableHelo bool | |||
SkipLocalTwoFA bool `json:",omitempty"` | |||
// reference to the loginSource | |||
loginSource *login.Source | |||
// reference to the authSource | |||
authSource *auth.Source | |||
} | |||
// FromDB fills up an SMTPConfig from serialized format. | |||
@@ -57,11 +57,11 @@ func (source *Source) UseTLS() bool { | |||
return source.ForceSMTPS || source.Port == 465 | |||
} | |||
// SetLoginSource sets the related LoginSource | |||
func (source *Source) SetLoginSource(loginSource *login.Source) { | |||
source.loginSource = loginSource | |||
// SetAuthSource sets the related AuthSource | |||
func (source *Source) SetAuthSource(authSource *auth.Source) { | |||
source.authSource = authSource | |||
} | |||
func init() { | |||
login.RegisterTypeConfig(login.SMTP, &Source{}) | |||
auth.RegisterTypeConfig(auth.SMTP, &Source{}) | |||
} |
@@ -10,7 +10,7 @@ import ( | |||
"net/textproto" | |||
"strings" | |||
"code.gitea.io/gitea/models/login" | |||
auth_model "code.gitea.io/gitea/models/auth" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/util" | |||
"code.gitea.io/gitea/services/mailer" | |||
@@ -71,8 +71,8 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str | |||
Name: strings.ToLower(username), | |||
Email: userName, | |||
Passwd: password, | |||
LoginType: login.SMTP, | |||
LoginSource: source.loginSource.ID, | |||
LoginType: auth_model.SMTP, | |||
LoginSource: source.authSource.ID, | |||
LoginName: userName, | |||
IsActive: true, | |||
} |
@@ -5,7 +5,7 @@ | |||
package sspi_test | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/services/auth/source/sspi" | |||
) | |||
@@ -13,7 +13,7 @@ import ( | |||
// It tightly binds the interfaces and implementation without breaking go import cycles | |||
type sourceInterface interface { | |||
login.Config | |||
auth.Config | |||
} | |||
var _ (sourceInterface) = &sspi.Source{} |
@@ -5,7 +5,7 @@ | |||
package sspi | |||
import ( | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/modules/json" | |||
) | |||
@@ -36,5 +36,5 @@ func (cfg *Source) ToDB() ([]byte, error) { | |||
} | |||
func init() { | |||
login.RegisterTypeConfig(login.SSPI, &Source{}) | |||
auth.RegisterTypeConfig(auth.SSPI, &Source{}) | |||
} |
@@ -9,8 +9,8 @@ import ( | |||
"net/http" | |||
"strings" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/avatars" | |||
"code.gitea.io/gitea/models/login" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/base" | |||
"code.gitea.io/gitea/modules/log" | |||
@@ -154,7 +154,7 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore, | |||
// getConfig retrieves the SSPI configuration from login sources | |||
func (s *SSPI) getConfig() (*sspi.Source, error) { | |||
sources, err := login.ActiveSources(login.SSPI) | |||
sources, err := auth.ActiveSources(auth.SSPI) | |||
if err != nil { | |||
return nil, err | |||
} | |||
@@ -250,7 +250,7 @@ func sanitizeUsername(username string, cfg *sspi.Source) string { | |||
// fails (or if negotiation should continue), which would prevent other authentication methods | |||
// to execute at all. | |||
func specialInit() { | |||
if login.IsSSPIEnabled() { | |||
if auth.IsSSPIEnabled() { | |||
Register(&SSPI{}) | |||
} | |||
} |
@@ -7,8 +7,8 @@ package auth | |||
import ( | |||
"context" | |||
"code.gitea.io/gitea/models/auth" | |||
"code.gitea.io/gitea/models/db" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/modules/log" | |||
) | |||
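Review bot: Importing `code.gitea.io/gitea/models/auth` without an alias inside `package auth` (sync.go here, and apparently the SSPI file in the hunk at @@ -9,8 +9,8 @@ as well) means the identifier `auth` in these files now names a different package than the one they belong to, which is easy to misread when both expose authentication concepts. The test files in the same commit already alias it as `auth_model`, and the SMTP authenticate hunk uses `auth_model` while the PAM authenticate hunk uses the bare `auth`, so the aliasing is inconsistent across the change. Consider `auth_model "code.gitea.io/gitea/models/auth"` uniformly in the services/auth package and its sources, matching the existing `user_model` / `asymkey_model` convention.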
@@ -16,7 +16,7 @@ import ( | |||
func SyncExternalUsers(ctx context.Context, updateExisting bool) error { | |||
log.Trace("Doing: SyncExternalUsers") | |||
ls, err := login.Sources() | |||
ls, err := auth.Sources() | |||
if err != nil { | |||
log.Error("SyncExternalUsers: %v", err) | |||
return err |
@@ -8,7 +8,7 @@ import ( | |||
"strings" | |||
"code.gitea.io/gitea/models" | |||
"code.gitea.io/gitea/models/login" | |||
"code.gitea.io/gitea/models/auth" | |||
user_model "code.gitea.io/gitea/models/user" | |||
"code.gitea.io/gitea/modules/structs" | |||
@@ -16,14 +16,14 @@ import ( | |||
) | |||
func toExternalLoginUser(user *user_model.User, gothUser goth.User) (*user_model.ExternalLoginUser, error) { | |||
loginSource, err := login.GetActiveOAuth2LoginSourceByName(gothUser.Provider) | |||
authSource, err := auth.GetActiveOAuth2SourceByName(gothUser.Provider) | |||
if err != nil { | |||
return nil, err | |||
} | |||
return &user_model.ExternalLoginUser{ | |||
ExternalID: gothUser.UserID, | |||
UserID: user.ID, | |||
LoginSourceID: loginSource.ID, | |||
LoginSourceID: authSource.ID, | |||
RawData: gothUser.RawData, | |||
Provider: gothUser.Provider, | |||
Email: gothUser.Email, |
@@ -3,11 +3,11 @@ | |||
{{template "user/settings/navbar" .}} | |||
<div class="ui container"> | |||
{{template "base/alert" .}} | |||
{{template "user/settings/security_twofa" .}} | |||
{{template "user/settings/security_u2f" .}} | |||
{{template "user/settings/security_accountlinks" .}} | |||
{{template "user/settings/security/twofa" .}} | |||
{{template "user/settings/security/u2f" .}} | |||
{{template "user/settings/security/accountlinks" .}} | |||
{{if .EnableOpenIDSignIn}} | |||
{{template "user/settings/security_openid" .}} | |||
{{template "user/settings/security/openid" .}} | |||
{{end}} | |||
</div> | |||
</div> |