mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6814 Commits
17 Branches
Tree: 57a8440db3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '57a8440db3'
${ noResults }
gitea/models/login_source.go

login_source.go 18KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package models

  6. 

  7. import (

  8. 	"crypto/tls"

  9. 	"encoding/json"

  10. 	"errors"

  11. 	"fmt"

  12. 	"net/smtp"

  13. 	"net/textproto"

  14. 	"strings"

  15. 

  16. 	"github.com/Unknwon/com"

  17. 	"github.com/go-macaron/binding"

  18. 	"github.com/go-xorm/core"

  19. 	"github.com/go-xorm/xorm"

  20. 

  21. 	"code.gitea.io/gitea/modules/auth/ldap"

  22. 	"code.gitea.io/gitea/modules/auth/oauth2"

  23. 	"code.gitea.io/gitea/modules/auth/pam"

  24. 	"code.gitea.io/gitea/modules/log"

  25. 	"code.gitea.io/gitea/modules/util"

  26. )

  27. 

  28. // LoginType represents an login type.

  29. type LoginType int

  30. 

  31. // Note: new type must append to the end of list to maintain compatibility.

  32. const (

  33. 	LoginNoType LoginType = iota

  34. 	LoginPlain            // 1

  35. 	LoginLDAP             // 2

  36. 	LoginSMTP             // 3

  37. 	LoginPAM              // 4

  38. 	LoginDLDAP            // 5

  39. 	LoginOAuth2           // 6

  40. )

  41. 

  42. // LoginNames contains the name of LoginType values.

  43. var LoginNames = map[LoginType]string{

  44. 	LoginLDAP:   "LDAP (via BindDN)",

  45. 	LoginDLDAP:  "LDAP (simple auth)", // Via direct bind

  46. 	LoginSMTP:   "SMTP",

  47. 	LoginPAM:    "PAM",

  48. 	LoginOAuth2: "OAuth2",

  49. }

  50. 

  51. // SecurityProtocolNames contains the name of SecurityProtocol values.

  52. var SecurityProtocolNames = map[ldap.SecurityProtocol]string{

  53. 	ldap.SecurityProtocolUnencrypted: "Unencrypted",

  54. 	ldap.SecurityProtocolLDAPS:       "LDAPS",

  55. 	ldap.SecurityProtocolStartTLS:    "StartTLS",

  56. }

  57. 

  58. // Ensure structs implemented interface.

  59. var (

  60. 	_ core.Conversion = &LDAPConfig{}

  61. 	_ core.Conversion = &SMTPConfig{}

  62. 	_ core.Conversion = &PAMConfig{}

  63. 	_ core.Conversion = &OAuth2Config{}

  64. )

  65. 

  66. // LDAPConfig holds configuration for LDAP login source.

  67. type LDAPConfig struct {

  68. 	*ldap.Source

  69. }

  70. 

  71. // FromDB fills up a LDAPConfig from serialized format.

  72. func (cfg *LDAPConfig) FromDB(bs []byte) error {

  73. 	return json.Unmarshal(bs, &cfg)

  74. }

  75. 

  76. // ToDB exports a LDAPConfig to a serialized format.

  77. func (cfg *LDAPConfig) ToDB() ([]byte, error) {

  78. 	return json.Marshal(cfg)

  79. }

  80. 

  81. // SecurityProtocolName returns the name of configured security

  82. // protocol.

  83. func (cfg *LDAPConfig) SecurityProtocolName() string {

  84. 	return SecurityProtocolNames[cfg.SecurityProtocol]

  85. }

  86. 

  87. // SMTPConfig holds configuration for the SMTP login source.

  88. type SMTPConfig struct {

  89. 	Auth           string

  90. 	Host           string

  91. 	Port           int

  92. 	AllowedDomains string `xorm:"TEXT"`

  93. 	TLS            bool

  94. 	SkipVerify     bool

  95. }

  96. 

  97. // FromDB fills up an SMTPConfig from serialized format.

  98. func (cfg *SMTPConfig) FromDB(bs []byte) error {

  99. 	return json.Unmarshal(bs, cfg)

  100. }

  101. 

  102. // ToDB exports an SMTPConfig to a serialized format.

  103. func (cfg *SMTPConfig) ToDB() ([]byte, error) {

  104. 	return json.Marshal(cfg)

  105. }

  106. 

  107. // PAMConfig holds configuration for the PAM login source.

  108. type PAMConfig struct {

  109. 	ServiceName string // pam service (e.g. system-auth)

  110. }

  111. 

  112. // FromDB fills up a PAMConfig from serialized format.

  113. func (cfg *PAMConfig) FromDB(bs []byte) error {

  114. 	return json.Unmarshal(bs, &cfg)

  115. }

  116. 

  117. // ToDB exports a PAMConfig to a serialized format.

  118. func (cfg *PAMConfig) ToDB() ([]byte, error) {

  119. 	return json.Marshal(cfg)

  120. }

  121. 

  122. // OAuth2Config holds configuration for the OAuth2 login source.

  123. type OAuth2Config struct {

  124. 	Provider                      string

  125. 	ClientID                      string

  126. 	ClientSecret                  string

  127. 	OpenIDConnectAutoDiscoveryURL string

  128. 	CustomURLMapping              *oauth2.CustomURLMapping

  129. }

  130. 

  131. // FromDB fills up an OAuth2Config from serialized format.

  132. func (cfg *OAuth2Config) FromDB(bs []byte) error {

  133. 	return json.Unmarshal(bs, cfg)

  134. }

  135. 

  136. // ToDB exports an SMTPConfig to a serialized format.

  137. func (cfg *OAuth2Config) ToDB() ([]byte, error) {

  138. 	return json.Marshal(cfg)

  139. }

  140. 

  141. // LoginSource represents an external way for authorizing users.

  142. type LoginSource struct {

  143. 	ID            int64 `xorm:"pk autoincr"`

  144. 	Type          LoginType

  145. 	Name          string          `xorm:"UNIQUE"`

  146. 	IsActived     bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  147. 	IsSyncEnabled bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  148. 	Cfg           core.Conversion `xorm:"TEXT"`

  149. 

  150. 	CreatedUnix util.TimeStamp `xorm:"INDEX created"`

  151. 	UpdatedUnix util.TimeStamp `xorm:"INDEX updated"`

  152. }

  153. 

  154. // Cell2Int64 converts a xorm.Cell type to int64,

  155. // and handles possible irregular cases.

  156. func Cell2Int64(val xorm.Cell) int64 {

  157. 	switch (*val).(type) {

  158. 	case []uint8:

  159. 		log.Trace("Cell2Int64 ([]uint8): %v", *val)

  160. 		return com.StrTo(string((*val).([]uint8))).MustInt64()

  161. 	}

  162. 	return (*val).(int64)

  163. }

  164. 

  165. // BeforeSet is invoked from XORM before setting the value of a field of this object.

  166. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {

  167. 	switch colName {

  168. 	case "type":

  169. 		switch LoginType(Cell2Int64(val)) {

  170. 		case LoginLDAP, LoginDLDAP:

  171. 			source.Cfg = new(LDAPConfig)

  172. 		case LoginSMTP:

  173. 			source.Cfg = new(SMTPConfig)

  174. 		case LoginPAM:

  175. 			source.Cfg = new(PAMConfig)

  176. 		case LoginOAuth2:

  177. 			source.Cfg = new(OAuth2Config)

  178. 		default:

  179. 			panic("unrecognized login source type: " + com.ToStr(*val))

  180. 		}

  181. 	}

  182. }

  183. 

  184. // TypeName return name of this login source type.

  185. func (source *LoginSource) TypeName() string {

  186. 	return LoginNames[source.Type]

  187. }

  188. 

  189. // IsLDAP returns true of this source is of the LDAP type.

  190. func (source *LoginSource) IsLDAP() bool {

  191. 	return source.Type == LoginLDAP

  192. }

  193. 

  194. // IsDLDAP returns true of this source is of the DLDAP type.

  195. func (source *LoginSource) IsDLDAP() bool {

  196. 	return source.Type == LoginDLDAP

  197. }

  198. 

  199. // IsSMTP returns true of this source is of the SMTP type.

  200. func (source *LoginSource) IsSMTP() bool {

  201. 	return source.Type == LoginSMTP

  202. }

  203. 

  204. // IsPAM returns true of this source is of the PAM type.

  205. func (source *LoginSource) IsPAM() bool {

  206. 	return source.Type == LoginPAM

  207. }

  208. 

  209. // IsOAuth2 returns true of this source is of the OAuth2 type.

  210. func (source *LoginSource) IsOAuth2() bool {

  211. 	return source.Type == LoginOAuth2

  212. }

  213. 

  214. // HasTLS returns true of this source supports TLS.

  215. func (source *LoginSource) HasTLS() bool {

  216. 	return ((source.IsLDAP() || source.IsDLDAP()) &&

  217. 		source.LDAP().SecurityProtocol > ldap.SecurityProtocolUnencrypted) ||

  218. 		source.IsSMTP()

  219. }

  220. 

  221. // UseTLS returns true of this source is configured to use TLS.

  222. func (source *LoginSource) UseTLS() bool {

  223. 	switch source.Type {

  224. 	case LoginLDAP, LoginDLDAP:

  225. 		return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted

  226. 	case LoginSMTP:

  227. 		return source.SMTP().TLS

  228. 	}

  229. 

  230. 	return false

  231. }

  232. 

  233. // SkipVerify returns true if this source is configured to skip SSL

  234. // verification.

  235. func (source *LoginSource) SkipVerify() bool {

  236. 	switch source.Type {

  237. 	case LoginLDAP, LoginDLDAP:

  238. 		return source.LDAP().SkipVerify

  239. 	case LoginSMTP:

  240. 		return source.SMTP().SkipVerify

  241. 	}

  242. 

  243. 	return false

  244. }

  245. 

  246. // LDAP returns LDAPConfig for this source, if of LDAP type.

  247. func (source *LoginSource) LDAP() *LDAPConfig {

  248. 	return source.Cfg.(*LDAPConfig)

  249. }

  250. 

  251. // SMTP returns SMTPConfig for this source, if of SMTP type.

  252. func (source *LoginSource) SMTP() *SMTPConfig {

  253. 	return source.Cfg.(*SMTPConfig)

  254. }

  255. 

  256. // PAM returns PAMConfig for this source, if of PAM type.

  257. func (source *LoginSource) PAM() *PAMConfig {

  258. 	return source.Cfg.(*PAMConfig)

  259. }

  260. 

  261. // OAuth2 returns OAuth2Config for this source, if of OAuth2 type.

  262. func (source *LoginSource) OAuth2() *OAuth2Config {

  263. 	return source.Cfg.(*OAuth2Config)

  264. }

  265. 

  266. // CreateLoginSource inserts a LoginSource in the DB if not already

  267. // existing with the given name.

  268. func CreateLoginSource(source *LoginSource) error {

  269. 	has, err := x.Get(&LoginSource{Name: source.Name})

  270. 	if err != nil {

  271. 		return err

  272. 	} else if has {

  273. 		return ErrLoginSourceAlreadyExist{source.Name}

  274. 	}

  275. 	// Synchronization is only aviable with LDAP for now

  276. 	if !source.IsLDAP() {

  277. 		source.IsSyncEnabled = false

  278. 	}

  279. 

  280. 	_, err = x.Insert(source)

  281. 	if err == nil && source.IsOAuth2() && source.IsActived {

  282. 		oAuth2Config := source.OAuth2()

  283. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  284. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  285. 

  286. 		if err != nil {

  287. 			// remove the LoginSource in case of errors while registering OAuth2 providers

  288. 			x.Delete(source)

  289. 		}

  290. 	}

  291. 	return err

  292. }

  293. 

  294. // LoginSources returns a slice of all login sources found in DB.

  295. func LoginSources() ([]*LoginSource, error) {

  296. 	auths := make([]*LoginSource, 0, 6)

  297. 	return auths, x.Find(&auths)

  298. }

  299. 

  300. // GetLoginSourceByID returns login source by given ID.

  301. func GetLoginSourceByID(id int64) (*LoginSource, error) {

  302. 	source := new(LoginSource)

  303. 	has, err := x.ID(id).Get(source)

  304. 	if err != nil {

  305. 		return nil, err

  306. 	} else if !has {

  307. 		return nil, ErrLoginSourceNotExist{id}

  308. 	}

  309. 	return source, nil

  310. }

  311. 

  312. // UpdateSource updates a LoginSource record in DB.

  313. func UpdateSource(source *LoginSource) error {

  314. 	var originalLoginSource *LoginSource

  315. 	if source.IsOAuth2() {

  316. 		// keep track of the original values so we can restore in case of errors while registering OAuth2 providers

  317. 		var err error

  318. 		if originalLoginSource, err = GetLoginSourceByID(source.ID); err != nil {

  319. 			return err

  320. 		}

  321. 	}

  322. 

  323. 	_, err := x.ID(source.ID).AllCols().Update(source)

  324. 	if err == nil && source.IsOAuth2() && source.IsActived {

  325. 		oAuth2Config := source.OAuth2()

  326. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  327. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  328. 

  329. 		if err != nil {

  330. 			// restore original values since we cannot update the provider it self

  331. 			x.ID(source.ID).AllCols().Update(originalLoginSource)

  332. 		}

  333. 	}

  334. 	return err

  335. }

  336. 

  337. // DeleteSource deletes a LoginSource record in DB.

  338. func DeleteSource(source *LoginSource) error {

  339. 	count, err := x.Count(&User{LoginSource: source.ID})

  340. 	if err != nil {

  341. 		return err

  342. 	} else if count > 0 {

  343. 		return ErrLoginSourceInUse{source.ID}

  344. 	}

  345. 

  346. 	count, err = x.Count(&ExternalLoginUser{LoginSourceID: source.ID})

  347. 	if err != nil {

  348. 		return err

  349. 	} else if count > 0 {

  350. 		return ErrLoginSourceInUse{source.ID}

  351. 	}

  352. 

  353. 	if source.IsOAuth2() {

  354. 		oauth2.RemoveProvider(source.Name)

  355. 	}

  356. 

  357. 	_, err = x.ID(source.ID).Delete(new(LoginSource))

  358. 	return err

  359. }

  360. 

  361. // CountLoginSources returns number of login sources.

  362. func CountLoginSources() int64 {

  363. 	count, _ := x.Count(new(LoginSource))

  364. 	return count

  365. }

  366. 

  367. // .____     ________      _____ __________

  368. // |    |    \______ \    /  _  \\______   \

  369. // |    |     |    |  \  /  /_\  \|     ___/

  370. // |    |___  |    `   \/    |    \    |

  371. // |_______ \/_______  /\____|__  /____|

  372. //         \/        \/         \/

  373. 

  374. func composeFullName(firstname, surname, username string) string {

  375. 	switch {

  376. 	case len(firstname) == 0 && len(surname) == 0:

  377. 		return username

  378. 	case len(firstname) == 0:

  379. 		return surname

  380. 	case len(surname) == 0:

  381. 		return firstname

  382. 	default:

  383. 		return firstname + " " + surname

  384. 	}

  385. }

  386. 

  387. // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,

  388. // and create a local user if success when enabled.

  389. func LoginViaLDAP(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {

  390. 	sr := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LoginDLDAP)

  391. 	if sr == nil {

  392. 		// User not in LDAP, do nothing

  393. 		return nil, ErrUserNotExist{0, login, 0}

  394. 	}

  395. 

  396. 	if !autoRegister {

  397. 		return user, nil

  398. 	}

  399. 

  400. 	// Fallback.

  401. 	if len(sr.Username) == 0 {

  402. 		sr.Username = login

  403. 	}

  404. 	// Validate username make sure it satisfies requirement.

  405. 	if binding.AlphaDashDotPattern.MatchString(sr.Username) {

  406. 		return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", sr.Username)

  407. 	}

  408. 

  409. 	if len(sr.Mail) == 0 {

  410. 		sr.Mail = fmt.Sprintf("%s@localhost", sr.Username)

  411. 	}

  412. 

  413. 	user = &User{

  414. 		LowerName:   strings.ToLower(sr.Username),

  415. 		Name:        sr.Username,

  416. 		FullName:    composeFullName(sr.Name, sr.Surname, sr.Username),

  417. 		Email:       sr.Mail,

  418. 		LoginType:   source.Type,

  419. 		LoginSource: source.ID,

  420. 		LoginName:   login,

  421. 		IsActive:    true,

  422. 		IsAdmin:     sr.IsAdmin,

  423. 	}

  424. 	return user, CreateUser(user)

  425. }

  426. 

  427. //   _________   __________________________

  428. //  /   _____/  /     \__    ___/\______   \

  429. //  \_____  \  /  \ /  \|    |    |     ___/

  430. //  /        \/    Y    \    |    |    |

  431. // /_______  /\____|__  /____|    |____|

  432. //         \/         \/

  433. 

  434. type smtpLoginAuth struct {

  435. 	username, password string

  436. }

  437. 

  438. func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {

  439. 	return "LOGIN", []byte(auth.username), nil

  440. }

  441. 

  442. func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {

  443. 	if more {

  444. 		switch string(fromServer) {

  445. 		case "Username:":

  446. 			return []byte(auth.username), nil

  447. 		case "Password:":

  448. 			return []byte(auth.password), nil

  449. 		}

  450. 	}

  451. 	return nil, nil

  452. }

  453. 

  454. // SMTP authentication type names.

  455. const (

  456. 	SMTPPlain = "PLAIN"

  457. 	SMTPLogin = "LOGIN"

  458. )

  459. 

  460. // SMTPAuths contains available SMTP authentication type names.

  461. var SMTPAuths = []string{SMTPPlain, SMTPLogin}

  462. 

  463. // SMTPAuth performs an SMTP authentication.

  464. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {

  465. 	c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))

  466. 	if err != nil {

  467. 		return err

  468. 	}

  469. 	defer c.Close()

  470. 

  471. 	if err = c.Hello("gogs"); err != nil {

  472. 		return err

  473. 	}

  474. 

  475. 	if cfg.TLS {

  476. 		if ok, _ := c.Extension("STARTTLS"); ok {

  477. 			if err = c.StartTLS(&tls.Config{

  478. 				InsecureSkipVerify: cfg.SkipVerify,

  479. 				ServerName:         cfg.Host,

  480. 			}); err != nil {

  481. 				return err

  482. 			}

  483. 		} else {

  484. 			return errors.New("SMTP server unsupports TLS")

  485. 		}

  486. 	}

  487. 

  488. 	if ok, _ := c.Extension("AUTH"); ok {

  489. 		return c.Auth(a)

  490. 	}

  491. 	return ErrUnsupportedLoginType

  492. }

  493. 

  494. // LoginViaSMTP queries if login/password is valid against the SMTP,

  495. // and create a local user if success when enabled.

  496. func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig, autoRegister bool) (*User, error) {

  497. 	// Verify allowed domains.

  498. 	if len(cfg.AllowedDomains) > 0 {

  499. 		idx := strings.Index(login, "@")

  500. 		if idx == -1 {

  501. 			return nil, ErrUserNotExist{0, login, 0}

  502. 		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {

  503. 			return nil, ErrUserNotExist{0, login, 0}

  504. 		}

  505. 	}

  506. 

  507. 	var auth smtp.Auth

  508. 	if cfg.Auth == SMTPPlain {

  509. 		auth = smtp.PlainAuth("", login, password, cfg.Host)

  510. 	} else if cfg.Auth == SMTPLogin {

  511. 		auth = &smtpLoginAuth{login, password}

  512. 	} else {

  513. 		return nil, errors.New("Unsupported SMTP auth type")

  514. 	}

  515. 

  516. 	if err := SMTPAuth(auth, cfg); err != nil {

  517. 		// Check standard error format first,

  518. 		// then fallback to worse case.

  519. 		tperr, ok := err.(*textproto.Error)

  520. 		if (ok && tperr.Code == 535) ||

  521. 			strings.Contains(err.Error(), "Username and Password not accepted") {

  522. 			return nil, ErrUserNotExist{0, login, 0}

  523. 		}

  524. 		return nil, err

  525. 	}

  526. 

  527. 	if !autoRegister {

  528. 		return user, nil

  529. 	}

  530. 

  531. 	username := login

  532. 	idx := strings.Index(login, "@")

  533. 	if idx > -1 {

  534. 		username = login[:idx]

  535. 	}

  536. 

  537. 	user = &User{

  538. 		LowerName:   strings.ToLower(username),

  539. 		Name:        strings.ToLower(username),

  540. 		Email:       login,

  541. 		Passwd:      password,

  542. 		LoginType:   LoginSMTP,

  543. 		LoginSource: sourceID,

  544. 		LoginName:   login,

  545. 		IsActive:    true,

  546. 	}

  547. 	return user, CreateUser(user)

  548. }

  549. 

  550. // __________  _____      _____

  551. // \______   \/  _  \    /     \

  552. //  |     ___/  /_\  \  /  \ /  \

  553. //  |    |  /    |    \/    Y    \

  554. //  |____|  \____|__  /\____|__  /

  555. //                  \/         \/

  556. 

  557. // LoginViaPAM queries if login/password is valid against the PAM,

  558. // and create a local user if success when enabled.

  559. func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig, autoRegister bool) (*User, error) {

  560. 	if err := pam.Auth(cfg.ServiceName, login, password); err != nil {

  561. 		if strings.Contains(err.Error(), "Authentication failure") {

  562. 			return nil, ErrUserNotExist{0, login, 0}

  563. 		}

  564. 		return nil, err

  565. 	}

  566. 

  567. 	if !autoRegister {

  568. 		return user, nil

  569. 	}

  570. 

  571. 	user = &User{

  572. 		LowerName:   strings.ToLower(login),

  573. 		Name:        login,

  574. 		Email:       login,

  575. 		Passwd:      password,

  576. 		LoginType:   LoginPAM,

  577. 		LoginSource: sourceID,

  578. 		LoginName:   login,

  579. 		IsActive:    true,

  580. 	}

  581. 	return user, CreateUser(user)

  582. }

  583. 

  584. // ExternalUserLogin attempts a login using external source types.

  585. func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {

  586. 	if !source.IsActived {

  587. 		return nil, ErrLoginSourceNotActived

  588. 	}

  589. 

  590. 	switch source.Type {

  591. 	case LoginLDAP, LoginDLDAP:

  592. 		return LoginViaLDAP(user, login, password, source, autoRegister)

  593. 	case LoginSMTP:

  594. 		return LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)

  595. 	case LoginPAM:

  596. 		return LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)

  597. 	}

  598. 

  599. 	return nil, ErrUnsupportedLoginType

  600. }

  601. 

  602. // UserSignIn validates user name and password.

  603. func UserSignIn(username, password string) (*User, error) {

  604. 	var user *User

  605. 	if strings.Contains(username, "@") {

  606. 		user = &User{Email: strings.ToLower(strings.TrimSpace(username))}

  607. 		// check same email

  608. 		cnt, err := x.Count(user)

  609. 		if err != nil {

  610. 			return nil, err

  611. 		}

  612. 		if cnt > 1 {

  613. 			return nil, ErrEmailAlreadyUsed{

  614. 				Email: user.Email,

  615. 			}

  616. 		}

  617. 	} else {

  618. 		trimmedUsername := strings.TrimSpace(username)

  619. 		if len(trimmedUsername) == 0 {

  620. 			return nil, ErrUserNotExist{0, username, 0}

  621. 		}

  622. 

  623. 		user = &User{LowerName: strings.ToLower(trimmedUsername)}

  624. 	}

  625. 

  626. 	hasUser, err := x.Get(user)

  627. 	if err != nil {

  628. 		return nil, err

  629. 	}

  630. 

  631. 	if hasUser {

  632. 		switch user.LoginType {

  633. 		case LoginNoType, LoginPlain, LoginOAuth2:

  634. 			if user.ValidatePassword(password) {

  635. 				return user, nil

  636. 			}

  637. 

  638. 			return nil, ErrUserNotExist{user.ID, user.Name, 0}

  639. 

  640. 		default:

  641. 			var source LoginSource

  642. 			hasSource, err := x.ID(user.LoginSource).Get(&source)

  643. 			if err != nil {

  644. 				return nil, err

  645. 			} else if !hasSource {

  646. 				return nil, ErrLoginSourceNotExist{user.LoginSource}

  647. 			}

  648. 

  649. 			return ExternalUserLogin(user, user.LoginName, password, &source, false)

  650. 		}

  651. 	}

  652. 

  653. 	sources := make([]*LoginSource, 0, 5)

  654. 	if err = x.Where("is_actived = ?", true).Find(&sources); err != nil {

  655. 		return nil, err

  656. 	}

  657. 

  658. 	for _, source := range sources {

  659. 		if source.IsOAuth2() {

  660. 			// don't try to authenticate against OAuth2 sources

  661. 			continue

  662. 		}

  663. 		authUser, err := ExternalUserLogin(nil, username, password, source, true)

  664. 		if err == nil {

  665. 			return authUser, nil

  666. 		}

  667. 

  668. 		log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)

  669. 	}

  670. 

  671. 	return nil, ErrUserNotExist{user.ID, user.Name, 0}

  672. }