mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4361 Commits
17 Branches
Tree: 4247304f5a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4247304f5a'
${ noResults }
gitea/models/login_source.go

login_source.go 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package models

  6. 

  7. import (

  8. 	"crypto/tls"

  9. 	"encoding/json"

  10. 	"errors"

  11. 	"fmt"

  12. 	"net/smtp"

  13. 	"net/textproto"

  14. 	"strings"

  15. 	"time"

  16. 

  17. 	"github.com/Unknwon/com"

  18. 	"github.com/go-macaron/binding"

  19. 	"github.com/go-xorm/core"

  20. 	"github.com/go-xorm/xorm"

  21. 

  22. 	"code.gitea.io/gitea/modules/auth/ldap"

  23. 	"code.gitea.io/gitea/modules/auth/pam"

  24. 	"code.gitea.io/gitea/modules/log"

  25. )

  26. 

  27. type LoginType int

  28. 

  29. // Note: new type must append to the end of list to maintain compatibility.

  30. const (

  31. 	LoginNoType LoginType = iota

  32. 	LoginPlain            // 1

  33. 	LoginLDAP             // 2

  34. 	LoginSMTP             // 3

  35. 	LoginPAM              // 4

  36. 	LoginDLDAP            // 5

  37. )

  38. 

  39. var LoginNames = map[LoginType]string{

  40. 	LoginLDAP:  "LDAP (via BindDN)",

  41. 	LoginDLDAP: "LDAP (simple auth)", // Via direct bind

  42. 	LoginSMTP:  "SMTP",

  43. 	LoginPAM:   "PAM",

  44. }

  45. 

  46. var SecurityProtocolNames = map[ldap.SecurityProtocol]string{

  47. 	ldap.SecurityProtocolUnencrypted: "Unencrypted",

  48. 	ldap.SecurityProtocolLDAPS:       "LDAPS",

  49. 	ldap.SecurityProtocolStartTLS:   "StartTLS",

  50. }

  51. 

  52. // Ensure structs implemented interface.

  53. var (

  54. 	_ core.Conversion = &LDAPConfig{}

  55. 	_ core.Conversion = &SMTPConfig{}

  56. 	_ core.Conversion = &PAMConfig{}

  57. )

  58. 

  59. type LDAPConfig struct {

  60. 	*ldap.Source

  61. }

  62. 

  63. func (cfg *LDAPConfig) FromDB(bs []byte) error {

  64. 	return json.Unmarshal(bs, &cfg)

  65. }

  66. 

  67. func (cfg *LDAPConfig) ToDB() ([]byte, error) {

  68. 	return json.Marshal(cfg)

  69. }

  70. 

  71. func (cfg *LDAPConfig) SecurityProtocolName() string {

  72. 	return SecurityProtocolNames[cfg.SecurityProtocol]

  73. }

  74. 

  75. type SMTPConfig struct {

  76. 	Auth           string

  77. 	Host           string

  78. 	Port           int

  79. 	AllowedDomains string `xorm:"TEXT"`

  80. 	TLS            bool

  81. 	SkipVerify     bool

  82. }

  83. 

  84. func (cfg *SMTPConfig) FromDB(bs []byte) error {

  85. 	return json.Unmarshal(bs, cfg)

  86. }

  87. 

  88. func (cfg *SMTPConfig) ToDB() ([]byte, error) {

  89. 	return json.Marshal(cfg)

  90. }

  91. 

  92. type PAMConfig struct {

  93. 	ServiceName string // pam service (e.g. system-auth)

  94. }

  95. 

  96. func (cfg *PAMConfig) FromDB(bs []byte) error {

  97. 	return json.Unmarshal(bs, &cfg)

  98. }

  99. 

  100. func (cfg *PAMConfig) ToDB() ([]byte, error) {

  101. 	return json.Marshal(cfg)

  102. }

  103. 

  104. // LoginSource represents an external way for authorizing users.

  105. type LoginSource struct {

  106. 	ID        int64 `xorm:"pk autoincr"`

  107. 	Type      LoginType

  108. 	Name      string          `xorm:"UNIQUE"`

  109. 	IsActived bool            `xorm:"NOT NULL DEFAULT false"`

  110. 	Cfg       core.Conversion `xorm:"TEXT"`

  111. 

  112. 	Created     time.Time `xorm:"-"`

  113. 	CreatedUnix int64

  114. 	Updated     time.Time `xorm:"-"`

  115. 	UpdatedUnix int64

  116. }

  117. 

  118. func (s *LoginSource) BeforeInsert() {

  119. 	s.CreatedUnix = time.Now().Unix()

  120. 	s.UpdatedUnix = s.CreatedUnix

  121. }

  122. 

  123. func (s *LoginSource) BeforeUpdate() {

  124. 	s.UpdatedUnix = time.Now().Unix()

  125. }

  126. 

  127. // Cell2Int64 converts a xorm.Cell type to int64,

  128. // and handles possible irregular cases.

  129. func Cell2Int64(val xorm.Cell) int64 {

  130. 	switch (*val).(type) {

  131. 	case []uint8:

  132. 		log.Trace("Cell2Int64 ([]uint8): %v", *val)

  133. 		return com.StrTo(string((*val).([]uint8))).MustInt64()

  134. 	}

  135. 	return (*val).(int64)

  136. }

  137. 

  138. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {

  139. 	switch colName {

  140. 	case "type":

  141. 		switch LoginType(Cell2Int64(val)) {

  142. 		case LoginLDAP, LoginDLDAP:

  143. 			source.Cfg = new(LDAPConfig)

  144. 		case LoginSMTP:

  145. 			source.Cfg = new(SMTPConfig)

  146. 		case LoginPAM:

  147. 			source.Cfg = new(PAMConfig)

  148. 		default:

  149. 			panic("unrecognized login source type: " + com.ToStr(*val))

  150. 		}

  151. 	}

  152. }

  153. 

  154. func (s *LoginSource) AfterSet(colName string, _ xorm.Cell) {

  155. 	switch colName {

  156. 	case "created_unix":

  157. 		s.Created = time.Unix(s.CreatedUnix, 0).Local()

  158. 	case "updated_unix":

  159. 		s.Updated = time.Unix(s.UpdatedUnix, 0).Local()

  160. 	}

  161. }

  162. 

  163. func (source *LoginSource) TypeName() string {

  164. 	return LoginNames[source.Type]

  165. }

  166. 

  167. func (source *LoginSource) IsLDAP() bool {

  168. 	return source.Type == LoginLDAP

  169. }

  170. 

  171. func (source *LoginSource) IsDLDAP() bool {

  172. 	return source.Type == LoginDLDAP

  173. }

  174. 

  175. func (source *LoginSource) IsSMTP() bool {

  176. 	return source.Type == LoginSMTP

  177. }

  178. 

  179. func (source *LoginSource) IsPAM() bool {

  180. 	return source.Type == LoginPAM

  181. }

  182. 

  183. func (source *LoginSource) HasTLS() bool {

  184. 	return ((source.IsLDAP() || source.IsDLDAP()) &&

  185. 		source.LDAP().SecurityProtocol > ldap.SecurityProtocolUnencrypted) ||

  186. 		source.IsSMTP()

  187. }

  188. 

  189. func (source *LoginSource) UseTLS() bool {

  190. 	switch source.Type {

  191. 	case LoginLDAP, LoginDLDAP:

  192. 		return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted

  193. 	case LoginSMTP:

  194. 		return source.SMTP().TLS

  195. 	}

  196. 

  197. 	return false

  198. }

  199. 

  200. func (source *LoginSource) SkipVerify() bool {

  201. 	switch source.Type {

  202. 	case LoginLDAP, LoginDLDAP:

  203. 		return source.LDAP().SkipVerify

  204. 	case LoginSMTP:

  205. 		return source.SMTP().SkipVerify

  206. 	}

  207. 

  208. 	return false

  209. }

  210. 

  211. func (source *LoginSource) LDAP() *LDAPConfig {

  212. 	return source.Cfg.(*LDAPConfig)

  213. }

  214. 

  215. func (source *LoginSource) SMTP() *SMTPConfig {

  216. 	return source.Cfg.(*SMTPConfig)

  217. }

  218. 

  219. func (source *LoginSource) PAM() *PAMConfig {

  220. 	return source.Cfg.(*PAMConfig)

  221. }

  222. func CreateLoginSource(source *LoginSource) error {

  223. 	has, err := x.Get(&LoginSource{Name: source.Name})

  224. 	if err != nil {

  225. 		return err

  226. 	} else if has {

  227. 		return ErrLoginSourceAlreadyExist{source.Name}

  228. 	}

  229. 

  230. 	_, err = x.Insert(source)

  231. 	return err

  232. }

  233. 

  234. func LoginSources() ([]*LoginSource, error) {

  235. 	auths := make([]*LoginSource, 0, 5)

  236. 	return auths, x.Find(&auths)

  237. }

  238. 

  239. // GetLoginSourceByID returns login source by given ID.

  240. func GetLoginSourceByID(id int64) (*LoginSource, error) {

  241. 	source := new(LoginSource)

  242. 	has, err := x.Id(id).Get(source)

  243. 	if err != nil {

  244. 		return nil, err

  245. 	} else if !has {

  246. 		return nil, ErrLoginSourceNotExist{id}

  247. 	}

  248. 	return source, nil

  249. }

  250. 

  251. func UpdateSource(source *LoginSource) error {

  252. 	_, err := x.Id(source.ID).AllCols().Update(source)

  253. 	return err

  254. }

  255. 

  256. func DeleteSource(source *LoginSource) error {

  257. 	count, err := x.Count(&User{LoginSource: source.ID})

  258. 	if err != nil {

  259. 		return err

  260. 	} else if count > 0 {

  261. 		return ErrLoginSourceInUse{source.ID}

  262. 	}

  263. 	_, err = x.Id(source.ID).Delete(new(LoginSource))

  264. 	return err

  265. }

  266. 

  267. // CountLoginSources returns number of login sources.

  268. func CountLoginSources() int64 {

  269. 	count, _ := x.Count(new(LoginSource))

  270. 	return count

  271. }

  272. 

  273. // .____     ________      _____ __________

  274. // |    |    \______ \    /  _  \\______   \

  275. // |    |     |    |  \  /  /_\  \|     ___/

  276. // |    |___  |    `   \/    |    \    |

  277. // |_______ \/_______  /\____|__  /____|

  278. //         \/        \/         \/

  279. 

  280. func composeFullName(firstname, surname, username string) string {

  281. 	switch {

  282. 	case len(firstname) == 0 && len(surname) == 0:

  283. 		return username

  284. 	case len(firstname) == 0:

  285. 		return surname

  286. 	case len(surname) == 0:

  287. 		return firstname

  288. 	default:

  289. 		return firstname + " " + surname

  290. 	}

  291. }

  292. 

  293. // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,

  294. // and create a local user if success when enabled.

  295. func LoginViaLDAP(user *User, login, passowrd string, source *LoginSource, autoRegister bool) (*User, error) {

  296. 	username, fn, sn, mail, isAdmin, succeed := source.Cfg.(*LDAPConfig).SearchEntry(login, passowrd, source.Type == LoginDLDAP)

  297. 	if !succeed {

  298. 		// User not in LDAP, do nothing

  299. 		return nil, ErrUserNotExist{0, login}

  300. 	}

  301. 

  302. 	if !autoRegister {

  303. 		return user, nil

  304. 	}

  305. 

  306. 	// Fallback.

  307. 	if len(username) == 0 {

  308. 		username = login

  309. 	}

  310. 	// Validate username make sure it satisfies requirement.

  311. 	if binding.AlphaDashDotPattern.MatchString(username) {

  312. 		return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", username)

  313. 	}

  314. 

  315. 	if len(mail) == 0 {

  316. 		mail = fmt.Sprintf("%s@localhost", username)

  317. 	}

  318. 

  319. 	user = &User{

  320. 		LowerName:   strings.ToLower(username),

  321. 		Name:        username,

  322. 		FullName:    composeFullName(fn, sn, username),

  323. 		Email:       mail,

  324. 		LoginType:   source.Type,

  325. 		LoginSource: source.ID,

  326. 		LoginName:   login,

  327. 		IsActive:    true,

  328. 		IsAdmin:     isAdmin,

  329. 	}

  330. 	return user, CreateUser(user)

  331. }

  332. 

  333. //   _________   __________________________

  334. //  /   _____/  /     \__    ___/\______   \

  335. //  \_____  \  /  \ /  \|    |    |     ___/

  336. //  /        \/    Y    \    |    |    |

  337. // /_______  /\____|__  /____|    |____|

  338. //         \/         \/

  339. 

  340. type smtpLoginAuth struct {

  341. 	username, password string

  342. }

  343. 

  344. func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {

  345. 	return "LOGIN", []byte(auth.username), nil

  346. }

  347. 

  348. func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {

  349. 	if more {

  350. 		switch string(fromServer) {

  351. 		case "Username:":

  352. 			return []byte(auth.username), nil

  353. 		case "Password:":

  354. 			return []byte(auth.password), nil

  355. 		}

  356. 	}

  357. 	return nil, nil

  358. }

  359. 

  360. const (

  361. 	SMTPPlain = "PLAIN"

  362. 	SMTPLogin = "LOGIN"

  363. )

  364. 

  365. var SMTPAuths = []string{SMTPPlain, SMTPLogin}

  366. 

  367. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {

  368. 	c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))

  369. 	if err != nil {

  370. 		return err

  371. 	}

  372. 	defer c.Close()

  373. 

  374. 	if err = c.Hello("gogs"); err != nil {

  375. 		return err

  376. 	}

  377. 

  378. 	if cfg.TLS {

  379. 		if ok, _ := c.Extension("STARTTLS"); ok {

  380. 			if err = c.StartTLS(&tls.Config{

  381. 				InsecureSkipVerify: cfg.SkipVerify,

  382. 				ServerName:         cfg.Host,

  383. 			}); err != nil {

  384. 				return err

  385. 			}

  386. 		} else {

  387. 			return errors.New("SMTP server unsupports TLS")

  388. 		}

  389. 	}

  390. 

  391. 	if ok, _ := c.Extension("AUTH"); ok {

  392. 		if err = c.Auth(a); err != nil {

  393. 			return err

  394. 		}

  395. 		return nil

  396. 	}

  397. 	return ErrUnsupportedLoginType

  398. }

  399. 

  400. // LoginViaSMTP queries if login/password is valid against the SMTP,

  401. // and create a local user if success when enabled.

  402. func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig, autoRegister bool) (*User, error) {

  403. 	// Verify allowed domains.

  404. 	if len(cfg.AllowedDomains) > 0 {

  405. 		idx := strings.Index(login, "@")

  406. 		if idx == -1 {

  407. 			return nil, ErrUserNotExist{0, login}

  408. 		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {

  409. 			return nil, ErrUserNotExist{0, login}

  410. 		}

  411. 	}

  412. 

  413. 	var auth smtp.Auth

  414. 	if cfg.Auth == SMTPPlain {

  415. 		auth = smtp.PlainAuth("", login, password, cfg.Host)

  416. 	} else if cfg.Auth == SMTPLogin {

  417. 		auth = &smtpLoginAuth{login, password}

  418. 	} else {

  419. 		return nil, errors.New("Unsupported SMTP auth type")

  420. 	}

  421. 

  422. 	if err := SMTPAuth(auth, cfg); err != nil {

  423. 		// Check standard error format first,

  424. 		// then fallback to worse case.

  425. 		tperr, ok := err.(*textproto.Error)

  426. 		if (ok && tperr.Code == 535) ||

  427. 			strings.Contains(err.Error(), "Username and Password not accepted") {

  428. 			return nil, ErrUserNotExist{0, login}

  429. 		}

  430. 		return nil, err

  431. 	}

  432. 

  433. 	if !autoRegister {

  434. 		return user, nil

  435. 	}

  436. 

  437. 	username := login

  438. 	idx := strings.Index(login, "@")

  439. 	if idx > -1 {

  440. 		username = login[:idx]

  441. 	}

  442. 

  443. 	user = &User{

  444. 		LowerName:   strings.ToLower(username),

  445. 		Name:        strings.ToLower(username),

  446. 		Email:       login,

  447. 		Passwd:      password,

  448. 		LoginType:   LoginSMTP,

  449. 		LoginSource: sourceID,

  450. 		LoginName:   login,

  451. 		IsActive:    true,

  452. 	}

  453. 	return user, CreateUser(user)

  454. }

  455. 

  456. // __________  _____      _____

  457. // \______   \/  _  \    /     \

  458. //  |     ___/  /_\  \  /  \ /  \

  459. //  |    |  /    |    \/    Y    \

  460. //  |____|  \____|__  /\____|__  /

  461. //                  \/         \/

  462. 

  463. // LoginViaPAM queries if login/password is valid against the PAM,

  464. // and create a local user if success when enabled.

  465. func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig, autoRegister bool) (*User, error) {

  466. 	if err := pam.PAMAuth(cfg.ServiceName, login, password); err != nil {

  467. 		if strings.Contains(err.Error(), "Authentication failure") {

  468. 			return nil, ErrUserNotExist{0, login}

  469. 		}

  470. 		return nil, err

  471. 	}

  472. 

  473. 	if !autoRegister {

  474. 		return user, nil

  475. 	}

  476. 

  477. 	user = &User{

  478. 		LowerName:   strings.ToLower(login),

  479. 		Name:        login,

  480. 		Email:       login,

  481. 		Passwd:      password,

  482. 		LoginType:   LoginPAM,

  483. 		LoginSource: sourceID,

  484. 		LoginName:   login,

  485. 		IsActive:    true,

  486. 	}

  487. 	return user, CreateUser(user)

  488. }

  489. 

  490. func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {

  491. 	if !source.IsActived {

  492. 		return nil, ErrLoginSourceNotActived

  493. 	}

  494. 

  495. 	switch source.Type {

  496. 	case LoginLDAP, LoginDLDAP:

  497. 		return LoginViaLDAP(user, login, password, source, autoRegister)

  498. 	case LoginSMTP:

  499. 		return LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)

  500. 	case LoginPAM:

  501. 		return LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)

  502. 	}

  503. 

  504. 	return nil, ErrUnsupportedLoginType

  505. }

  506. 

  507. // UserSignIn validates user name and password.

  508. func UserSignIn(username, passowrd string) (*User, error) {

  509. 	var user *User

  510. 	if strings.Contains(username, "@") {

  511. 		user = &User{Email: strings.ToLower(username)}

  512. 	} else {

  513. 		user = &User{LowerName: strings.ToLower(username)}

  514. 	}

  515. 

  516. 	hasUser, err := x.Get(user)

  517. 	if err != nil {

  518. 		return nil, err

  519. 	}

  520. 

  521. 	if hasUser {

  522. 		switch user.LoginType {

  523. 		case LoginNoType, LoginPlain:

  524. 			if user.ValidatePassword(passowrd) {

  525. 				return user, nil

  526. 			}

  527. 

  528. 			return nil, ErrUserNotExist{user.ID, user.Name}

  529. 

  530. 		default:

  531. 			var source LoginSource

  532. 			hasSource, err := x.Id(user.LoginSource).Get(&source)

  533. 			if err != nil {

  534. 				return nil, err

  535. 			} else if !hasSource {

  536. 				return nil, ErrLoginSourceNotExist{user.LoginSource}

  537. 			}

  538. 

  539. 			return ExternalUserLogin(user, user.LoginName, passowrd, &source, false)

  540. 		}

  541. 	}

  542. 

  543. 	sources := make([]*LoginSource, 0, 3)

  544. 	if err = x.UseBool().Find(&sources, &LoginSource{IsActived: true}); err != nil {

  545. 		return nil, err

  546. 	}

  547. 

  548. 	for _, source := range sources {

  549. 		authUser, err := ExternalUserLogin(nil, username, passowrd, source, true)

  550. 		if err == nil {

  551. 			return authUser, nil

  552. 		}

  553. 

  554. 		log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)

  555. 	}

  556. 

  557. 	return nil, ErrUserNotExist{user.ID, user.Name}

  558. }