mirrors
/
gitea
kopia lustrzana https://github.com/go-gitea/gitea.git
Obserwuj 1
Gwiazdka 0
Forkuj 0
Kod Problemy 0 Wydania 211 Wiki Aktywność
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11311 Commity
17 Gałęzie
Drzewo: 6d2866f20c
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '6d2866f20c'
${ noResults }
gitea/models/login_source.go

login_source.go 23KB
Czysty Blame Historia

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2019 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package models

  7. 

  8. import (

  9. 	"crypto/tls"

  10. 	"errors"

  11. 	"fmt"

  12. 	"net/smtp"

  13. 	"net/textproto"

  14. 	"strconv"

  15. 	"strings"

  16. 

  17. 	"code.gitea.io/gitea/modules/auth/ldap"

  18. 	"code.gitea.io/gitea/modules/auth/oauth2"

  19. 	"code.gitea.io/gitea/modules/auth/pam"

  20. 	"code.gitea.io/gitea/modules/log"

  21. 	"code.gitea.io/gitea/modules/setting"

  22. 	"code.gitea.io/gitea/modules/timeutil"

  23. 	"code.gitea.io/gitea/modules/util"

  24. 	jsoniter "github.com/json-iterator/go"

  25. 

  26. 	"xorm.io/xorm"

  27. 	"xorm.io/xorm/convert"

  28. )

  29. 

  30. // LoginType represents an login type.

  31. type LoginType int

  32. 

  33. // Note: new type must append to the end of list to maintain compatibility.

  34. const (

  35. 	LoginNoType LoginType = iota

  36. 	LoginPlain            // 1

  37. 	LoginLDAP             // 2

  38. 	LoginSMTP             // 3

  39. 	LoginPAM              // 4

  40. 	LoginDLDAP            // 5

  41. 	LoginOAuth2           // 6

  42. 	LoginSSPI             // 7

  43. )

  44. 

  45. // LoginNames contains the name of LoginType values.

  46. var LoginNames = map[LoginType]string{

  47. 	LoginLDAP:   "LDAP (via BindDN)",

  48. 	LoginDLDAP:  "LDAP (simple auth)", // Via direct bind

  49. 	LoginSMTP:   "SMTP",

  50. 	LoginPAM:    "PAM",

  51. 	LoginOAuth2: "OAuth2",

  52. 	LoginSSPI:   "SPNEGO with SSPI",

  53. }

  54. 

  55. // SecurityProtocolNames contains the name of SecurityProtocol values.

  56. var SecurityProtocolNames = map[ldap.SecurityProtocol]string{

  57. 	ldap.SecurityProtocolUnencrypted: "Unencrypted",

  58. 	ldap.SecurityProtocolLDAPS:       "LDAPS",

  59. 	ldap.SecurityProtocolStartTLS:    "StartTLS",

  60. }

  61. 

  62. // Ensure structs implemented interface.

  63. var (

  64. 	_ convert.Conversion = &LDAPConfig{}

  65. 	_ convert.Conversion = &SMTPConfig{}

  66. 	_ convert.Conversion = &PAMConfig{}

  67. 	_ convert.Conversion = &OAuth2Config{}

  68. 	_ convert.Conversion = &SSPIConfig{}

  69. )

  70. 

  71. // LDAPConfig holds configuration for LDAP login source.

  72. type LDAPConfig struct {

  73. 	*ldap.Source

  74. }

  75. 

  76. // FromDB fills up a LDAPConfig from serialized format.

  77. func (cfg *LDAPConfig) FromDB(bs []byte) error {

  78. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  79. 	return json.Unmarshal(bs, &cfg)

  80. }

  81. 

  82. // ToDB exports a LDAPConfig to a serialized format.

  83. func (cfg *LDAPConfig) ToDB() ([]byte, error) {

  84. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  85. 	return json.Marshal(cfg)

  86. }

  87. 

  88. // SecurityProtocolName returns the name of configured security

  89. // protocol.

  90. func (cfg *LDAPConfig) SecurityProtocolName() string {

  91. 	return SecurityProtocolNames[cfg.SecurityProtocol]

  92. }

  93. 

  94. // SMTPConfig holds configuration for the SMTP login source.

  95. type SMTPConfig struct {

  96. 	Auth           string

  97. 	Host           string

  98. 	Port           int

  99. 	AllowedDomains string `xorm:"TEXT"`

  100. 	TLS            bool

  101. 	SkipVerify     bool

  102. }

  103. 

  104. // FromDB fills up an SMTPConfig from serialized format.

  105. func (cfg *SMTPConfig) FromDB(bs []byte) error {

  106. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  107. 	return json.Unmarshal(bs, cfg)

  108. }

  109. 

  110. // ToDB exports an SMTPConfig to a serialized format.

  111. func (cfg *SMTPConfig) ToDB() ([]byte, error) {

  112. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  113. 	return json.Marshal(cfg)

  114. }

  115. 

  116. // PAMConfig holds configuration for the PAM login source.

  117. type PAMConfig struct {

  118. 	ServiceName string // pam service (e.g. system-auth)

  119. }

  120. 

  121. // FromDB fills up a PAMConfig from serialized format.

  122. func (cfg *PAMConfig) FromDB(bs []byte) error {

  123. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  124. 	return json.Unmarshal(bs, &cfg)

  125. }

  126. 

  127. // ToDB exports a PAMConfig to a serialized format.

  128. func (cfg *PAMConfig) ToDB() ([]byte, error) {

  129. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  130. 	return json.Marshal(cfg)

  131. }

  132. 

  133. // OAuth2Config holds configuration for the OAuth2 login source.

  134. type OAuth2Config struct {

  135. 	Provider                      string

  136. 	ClientID                      string

  137. 	ClientSecret                  string

  138. 	OpenIDConnectAutoDiscoveryURL string

  139. 	CustomURLMapping              *oauth2.CustomURLMapping

  140. 	IconURL                       string

  141. }

  142. 

  143. // FromDB fills up an OAuth2Config from serialized format.

  144. func (cfg *OAuth2Config) FromDB(bs []byte) error {

  145. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  146. 	return json.Unmarshal(bs, cfg)

  147. }

  148. 

  149. // ToDB exports an SMTPConfig to a serialized format.

  150. func (cfg *OAuth2Config) ToDB() ([]byte, error) {

  151. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  152. 	return json.Marshal(cfg)

  153. }

  154. 

  155. // SSPIConfig holds configuration for SSPI single sign-on.

  156. type SSPIConfig struct {

  157. 	AutoCreateUsers      bool

  158. 	AutoActivateUsers    bool

  159. 	StripDomainNames     bool

  160. 	SeparatorReplacement string

  161. 	DefaultLanguage      string

  162. }

  163. 

  164. // FromDB fills up an SSPIConfig from serialized format.

  165. func (cfg *SSPIConfig) FromDB(bs []byte) error {

  166. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  167. 	return json.Unmarshal(bs, cfg)

  168. }

  169. 

  170. // ToDB exports an SSPIConfig to a serialized format.

  171. func (cfg *SSPIConfig) ToDB() ([]byte, error) {

  172. 	json := jsoniter.ConfigCompatibleWithStandardLibrary

  173. 	return json.Marshal(cfg)

  174. }

  175. 

  176. // LoginSource represents an external way for authorizing users.

  177. type LoginSource struct {

  178. 	ID            int64 `xorm:"pk autoincr"`

  179. 	Type          LoginType

  180. 	Name          string             `xorm:"UNIQUE"`

  181. 	IsActived     bool               `xorm:"INDEX NOT NULL DEFAULT false"`

  182. 	IsSyncEnabled bool               `xorm:"INDEX NOT NULL DEFAULT false"`

  183. 	Cfg           convert.Conversion `xorm:"TEXT"`

  184. 

  185. 	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`

  186. 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`

  187. }

  188. 

  189. // Cell2Int64 converts a xorm.Cell type to int64,

  190. // and handles possible irregular cases.

  191. func Cell2Int64(val xorm.Cell) int64 {

  192. 	switch (*val).(type) {

  193. 	case []uint8:

  194. 		log.Trace("Cell2Int64 ([]uint8): %v", *val)

  195. 

  196. 		v, _ := strconv.ParseInt(string((*val).([]uint8)), 10, 64)

  197. 		return v

  198. 	}

  199. 	return (*val).(int64)

  200. }

  201. 

  202. // BeforeSet is invoked from XORM before setting the value of a field of this object.

  203. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {

  204. 	if colName == "type" {

  205. 		switch LoginType(Cell2Int64(val)) {

  206. 		case LoginLDAP, LoginDLDAP:

  207. 			source.Cfg = new(LDAPConfig)

  208. 		case LoginSMTP:

  209. 			source.Cfg = new(SMTPConfig)

  210. 		case LoginPAM:

  211. 			source.Cfg = new(PAMConfig)

  212. 		case LoginOAuth2:

  213. 			source.Cfg = new(OAuth2Config)

  214. 		case LoginSSPI:

  215. 			source.Cfg = new(SSPIConfig)

  216. 		default:

  217. 			panic(fmt.Sprintf("unrecognized login source type: %v", *val))

  218. 		}

  219. 	}

  220. }

  221. 

  222. // TypeName return name of this login source type.

  223. func (source *LoginSource) TypeName() string {

  224. 	return LoginNames[source.Type]

  225. }

  226. 

  227. // IsLDAP returns true of this source is of the LDAP type.

  228. func (source *LoginSource) IsLDAP() bool {

  229. 	return source.Type == LoginLDAP

  230. }

  231. 

  232. // IsDLDAP returns true of this source is of the DLDAP type.

  233. func (source *LoginSource) IsDLDAP() bool {

  234. 	return source.Type == LoginDLDAP

  235. }

  236. 

  237. // IsSMTP returns true of this source is of the SMTP type.

  238. func (source *LoginSource) IsSMTP() bool {

  239. 	return source.Type == LoginSMTP

  240. }

  241. 

  242. // IsPAM returns true of this source is of the PAM type.

  243. func (source *LoginSource) IsPAM() bool {

  244. 	return source.Type == LoginPAM

  245. }

  246. 

  247. // IsOAuth2 returns true of this source is of the OAuth2 type.

  248. func (source *LoginSource) IsOAuth2() bool {

  249. 	return source.Type == LoginOAuth2

  250. }

  251. 

  252. // IsSSPI returns true of this source is of the SSPI type.

  253. func (source *LoginSource) IsSSPI() bool {

  254. 	return source.Type == LoginSSPI

  255. }

  256. 

  257. // HasTLS returns true of this source supports TLS.

  258. func (source *LoginSource) HasTLS() bool {

  259. 	return ((source.IsLDAP() || source.IsDLDAP()) &&

  260. 		source.LDAP().SecurityProtocol > ldap.SecurityProtocolUnencrypted) ||

  261. 		source.IsSMTP()

  262. }

  263. 

  264. // UseTLS returns true of this source is configured to use TLS.

  265. func (source *LoginSource) UseTLS() bool {

  266. 	switch source.Type {

  267. 	case LoginLDAP, LoginDLDAP:

  268. 		return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted

  269. 	case LoginSMTP:

  270. 		return source.SMTP().TLS

  271. 	}

  272. 

  273. 	return false

  274. }

  275. 

  276. // SkipVerify returns true if this source is configured to skip SSL

  277. // verification.

  278. func (source *LoginSource) SkipVerify() bool {

  279. 	switch source.Type {

  280. 	case LoginLDAP, LoginDLDAP:

  281. 		return source.LDAP().SkipVerify

  282. 	case LoginSMTP:

  283. 		return source.SMTP().SkipVerify

  284. 	}

  285. 

  286. 	return false

  287. }

  288. 

  289. // LDAP returns LDAPConfig for this source, if of LDAP type.

  290. func (source *LoginSource) LDAP() *LDAPConfig {

  291. 	return source.Cfg.(*LDAPConfig)

  292. }

  293. 

  294. // SMTP returns SMTPConfig for this source, if of SMTP type.

  295. func (source *LoginSource) SMTP() *SMTPConfig {

  296. 	return source.Cfg.(*SMTPConfig)

  297. }

  298. 

  299. // PAM returns PAMConfig for this source, if of PAM type.

  300. func (source *LoginSource) PAM() *PAMConfig {

  301. 	return source.Cfg.(*PAMConfig)

  302. }

  303. 

  304. // OAuth2 returns OAuth2Config for this source, if of OAuth2 type.

  305. func (source *LoginSource) OAuth2() *OAuth2Config {

  306. 	return source.Cfg.(*OAuth2Config)

  307. }

  308. 

  309. // SSPI returns SSPIConfig for this source, if of SSPI type.

  310. func (source *LoginSource) SSPI() *SSPIConfig {

  311. 	return source.Cfg.(*SSPIConfig)

  312. }

  313. 

  314. // CreateLoginSource inserts a LoginSource in the DB if not already

  315. // existing with the given name.

  316. func CreateLoginSource(source *LoginSource) error {

  317. 	has, err := x.Where("name=?", source.Name).Exist(new(LoginSource))

  318. 	if err != nil {

  319. 		return err

  320. 	} else if has {

  321. 		return ErrLoginSourceAlreadyExist{source.Name}

  322. 	}

  323. 	// Synchronization is only aviable with LDAP for now

  324. 	if !source.IsLDAP() {

  325. 		source.IsSyncEnabled = false

  326. 	}

  327. 

  328. 	_, err = x.Insert(source)

  329. 	if err == nil && source.IsOAuth2() && source.IsActived {

  330. 		oAuth2Config := source.OAuth2()

  331. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  332. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  333. 		if err != nil {

  334. 			// remove the LoginSource in case of errors while registering OAuth2 providers

  335. 			if _, err := x.Delete(source); err != nil {

  336. 				log.Error("CreateLoginSource: Error while wrapOpenIDConnectInitializeError: %v", err)

  337. 			}

  338. 			return err

  339. 		}

  340. 	}

  341. 	return err

  342. }

  343. 

  344. // LoginSources returns a slice of all login sources found in DB.

  345. func LoginSources() ([]*LoginSource, error) {

  346. 	auths := make([]*LoginSource, 0, 6)

  347. 	return auths, x.Find(&auths)

  348. }

  349. 

  350. // LoginSourcesByType returns all sources of the specified type

  351. func LoginSourcesByType(loginType LoginType) ([]*LoginSource, error) {

  352. 	sources := make([]*LoginSource, 0, 1)

  353. 	if err := x.Where("type = ?", loginType).Find(&sources); err != nil {

  354. 		return nil, err

  355. 	}

  356. 	return sources, nil

  357. }

  358. 

  359. // ActiveLoginSources returns all active sources of the specified type

  360. func ActiveLoginSources(loginType LoginType) ([]*LoginSource, error) {

  361. 	sources := make([]*LoginSource, 0, 1)

  362. 	if err := x.Where("is_actived = ? and type = ?", true, loginType).Find(&sources); err != nil {

  363. 		return nil, err

  364. 	}

  365. 	return sources, nil

  366. }

  367. 

  368. // IsSSPIEnabled returns true if there is at least one activated login

  369. // source of type LoginSSPI

  370. func IsSSPIEnabled() bool {

  371. 	if !HasEngine {

  372. 		return false

  373. 	}

  374. 	sources, err := ActiveLoginSources(LoginSSPI)

  375. 	if err != nil {

  376. 		log.Error("ActiveLoginSources: %v", err)

  377. 		return false

  378. 	}

  379. 	return len(sources) > 0

  380. }

  381. 

  382. // GetLoginSourceByID returns login source by given ID.

  383. func GetLoginSourceByID(id int64) (*LoginSource, error) {

  384. 	source := new(LoginSource)

  385. 	has, err := x.ID(id).Get(source)

  386. 	if err != nil {

  387. 		return nil, err

  388. 	} else if !has {

  389. 		return nil, ErrLoginSourceNotExist{id}

  390. 	}

  391. 	return source, nil

  392. }

  393. 

  394. // UpdateSource updates a LoginSource record in DB.

  395. func UpdateSource(source *LoginSource) error {

  396. 	var originalLoginSource *LoginSource

  397. 	if source.IsOAuth2() {

  398. 		// keep track of the original values so we can restore in case of errors while registering OAuth2 providers

  399. 		var err error

  400. 		if originalLoginSource, err = GetLoginSourceByID(source.ID); err != nil {

  401. 			return err

  402. 		}

  403. 	}

  404. 

  405. 	_, err := x.ID(source.ID).AllCols().Update(source)

  406. 	if err == nil && source.IsOAuth2() && source.IsActived {

  407. 		oAuth2Config := source.OAuth2()

  408. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  409. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  410. 		if err != nil {

  411. 			// restore original values since we cannot update the provider it self

  412. 			if _, err := x.ID(source.ID).AllCols().Update(originalLoginSource); err != nil {

  413. 				log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err)

  414. 			}

  415. 			return err

  416. 		}

  417. 	}

  418. 	return err

  419. }

  420. 

  421. // DeleteSource deletes a LoginSource record in DB.

  422. func DeleteSource(source *LoginSource) error {

  423. 	count, err := x.Count(&User{LoginSource: source.ID})

  424. 	if err != nil {

  425. 		return err

  426. 	} else if count > 0 {

  427. 		return ErrLoginSourceInUse{source.ID}

  428. 	}

  429. 

  430. 	count, err = x.Count(&ExternalLoginUser{LoginSourceID: source.ID})

  431. 	if err != nil {

  432. 		return err

  433. 	} else if count > 0 {

  434. 		return ErrLoginSourceInUse{source.ID}

  435. 	}

  436. 

  437. 	if source.IsOAuth2() {

  438. 		oauth2.RemoveProvider(source.Name)

  439. 	}

  440. 

  441. 	_, err = x.ID(source.ID).Delete(new(LoginSource))

  442. 	return err

  443. }

  444. 

  445. // CountLoginSources returns number of login sources.

  446. func CountLoginSources() int64 {

  447. 	count, _ := x.Count(new(LoginSource))

  448. 	return count

  449. }

  450. 

  451. // .____     ________      _____ __________

  452. // |    |    \______ \    /  _  \\______   \

  453. // |    |     |    |  \  /  /_\  \|     ___/

  454. // |    |___  |    `   \/    |    \    |

  455. // |_______ \/_______  /\____|__  /____|

  456. //         \/        \/         \/

  457. 

  458. func composeFullName(firstname, surname, username string) string {

  459. 	switch {

  460. 	case len(firstname) == 0 && len(surname) == 0:

  461. 		return username

  462. 	case len(firstname) == 0:

  463. 		return surname

  464. 	case len(surname) == 0:

  465. 		return firstname

  466. 	default:

  467. 		return firstname + " " + surname

  468. 	}

  469. }

  470. 

  471. // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,

  472. // and create a local user if success when enabled.

  473. func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*User, error) {

  474. 	sr := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LoginDLDAP)

  475. 	if sr == nil {

  476. 		// User not in LDAP, do nothing

  477. 		return nil, ErrUserNotExist{0, login, 0}

  478. 	}

  479. 

  480. 	isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.LDAP().AttributeSSHPublicKey)) > 0

  481. 

  482. 	// Update User admin flag if exist

  483. 	if isExist, err := IsUserExist(0, sr.Username); err != nil {

  484. 		return nil, err

  485. 	} else if isExist {

  486. 		if user == nil {

  487. 			user, err = GetUserByName(sr.Username)

  488. 			if err != nil {

  489. 				return nil, err

  490. 			}

  491. 		}

  492. 		if user != nil && !user.ProhibitLogin {

  493. 			cols := make([]string, 0)

  494. 			if len(source.LDAP().AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin {

  495. 				// Change existing admin flag only if AdminFilter option is set

  496. 				user.IsAdmin = sr.IsAdmin

  497. 				cols = append(cols, "is_admin")

  498. 			}

  499. 			if !user.IsAdmin && len(source.LDAP().RestrictedFilter) > 0 && user.IsRestricted != sr.IsRestricted {

  500. 				// Change existing restricted flag only if RestrictedFilter option is set

  501. 				user.IsRestricted = sr.IsRestricted

  502. 				cols = append(cols, "is_restricted")

  503. 			}

  504. 			if len(cols) > 0 {

  505. 				err = UpdateUserCols(user, cols...)

  506. 				if err != nil {

  507. 					return nil, err

  508. 				}

  509. 			}

  510. 		}

  511. 	}

  512. 

  513. 	if user != nil {

  514. 		if isAttributeSSHPublicKeySet && synchronizeLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {

  515. 			return user, RewriteAllPublicKeys()

  516. 		}

  517. 

  518. 		return user, nil

  519. 	}

  520. 

  521. 	// Fallback.

  522. 	if len(sr.Username) == 0 {

  523. 		sr.Username = login

  524. 	}

  525. 

  526. 	if len(sr.Mail) == 0 {

  527. 		sr.Mail = fmt.Sprintf("%s@localhost", sr.Username)

  528. 	}

  529. 

  530. 	user = &User{

  531. 		LowerName:    strings.ToLower(sr.Username),

  532. 		Name:         sr.Username,

  533. 		FullName:     composeFullName(sr.Name, sr.Surname, sr.Username),

  534. 		Email:        sr.Mail,

  535. 		LoginType:    source.Type,

  536. 		LoginSource:  source.ID,

  537. 		LoginName:    login,

  538. 		IsActive:     true,

  539. 		IsAdmin:      sr.IsAdmin,

  540. 		IsRestricted: sr.IsRestricted,

  541. 	}

  542. 

  543. 	err := CreateUser(user)

  544. 

  545. 	if err == nil && isAttributeSSHPublicKeySet && addLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {

  546. 		err = RewriteAllPublicKeys()

  547. 	}

  548. 

  549. 	return user, err

  550. }

  551. 

  552. //   _________   __________________________

  553. //  /   _____/  /     \__    ___/\______   \

  554. //  \_____  \  /  \ /  \|    |    |     ___/

  555. //  /        \/    Y    \    |    |    |

  556. // /_______  /\____|__  /____|    |____|

  557. //         \/         \/

  558. 

  559. type smtpLoginAuth struct {

  560. 	username, password string

  561. }

  562. 

  563. func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {

  564. 	return "LOGIN", []byte(auth.username), nil

  565. }

  566. 

  567. func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {

  568. 	if more {

  569. 		switch string(fromServer) {

  570. 		case "Username:":

  571. 			return []byte(auth.username), nil

  572. 		case "Password:":

  573. 			return []byte(auth.password), nil

  574. 		}

  575. 	}

  576. 	return nil, nil

  577. }

  578. 

  579. // SMTP authentication type names.

  580. const (

  581. 	SMTPPlain = "PLAIN"

  582. 	SMTPLogin = "LOGIN"

  583. )

  584. 

  585. // SMTPAuths contains available SMTP authentication type names.

  586. var SMTPAuths = []string{SMTPPlain, SMTPLogin}

  587. 

  588. // SMTPAuth performs an SMTP authentication.

  589. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {

  590. 	c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))

  591. 	if err != nil {

  592. 		return err

  593. 	}

  594. 	defer c.Close()

  595. 

  596. 	if err = c.Hello("gogs"); err != nil {

  597. 		return err

  598. 	}

  599. 

  600. 	if cfg.TLS {

  601. 		if ok, _ := c.Extension("STARTTLS"); ok {

  602. 			if err = c.StartTLS(&tls.Config{

  603. 				InsecureSkipVerify: cfg.SkipVerify,

  604. 				ServerName:         cfg.Host,

  605. 			}); err != nil {

  606. 				return err

  607. 			}

  608. 		} else {

  609. 			return errors.New("SMTP server unsupports TLS")

  610. 		}

  611. 	}

  612. 

  613. 	if ok, _ := c.Extension("AUTH"); ok {

  614. 		return c.Auth(a)

  615. 	}

  616. 	return ErrUnsupportedLoginType

  617. }

  618. 

  619. // LoginViaSMTP queries if login/password is valid against the SMTP,

  620. // and create a local user if success when enabled.

  621. func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig) (*User, error) {

  622. 	// Verify allowed domains.

  623. 	if len(cfg.AllowedDomains) > 0 {

  624. 		idx := strings.Index(login, "@")

  625. 		if idx == -1 {

  626. 			return nil, ErrUserNotExist{0, login, 0}

  627. 		} else if !util.IsStringInSlice(login[idx+1:], strings.Split(cfg.AllowedDomains, ","), true) {

  628. 			return nil, ErrUserNotExist{0, login, 0}

  629. 		}

  630. 	}

  631. 

  632. 	var auth smtp.Auth

  633. 	if cfg.Auth == SMTPPlain {

  634. 		auth = smtp.PlainAuth("", login, password, cfg.Host)

  635. 	} else if cfg.Auth == SMTPLogin {

  636. 		auth = &smtpLoginAuth{login, password}

  637. 	} else {

  638. 		return nil, errors.New("Unsupported SMTP auth type")

  639. 	}

  640. 

  641. 	if err := SMTPAuth(auth, cfg); err != nil {

  642. 		// Check standard error format first,

  643. 		// then fallback to worse case.

  644. 		tperr, ok := err.(*textproto.Error)

  645. 		if (ok && tperr.Code == 535) ||

  646. 			strings.Contains(err.Error(), "Username and Password not accepted") {

  647. 			return nil, ErrUserNotExist{0, login, 0}

  648. 		}

  649. 		return nil, err

  650. 	}

  651. 

  652. 	if user != nil {

  653. 		return user, nil

  654. 	}

  655. 

  656. 	username := login

  657. 	idx := strings.Index(login, "@")

  658. 	if idx > -1 {

  659. 		username = login[:idx]

  660. 	}

  661. 

  662. 	user = &User{

  663. 		LowerName:   strings.ToLower(username),

  664. 		Name:        strings.ToLower(username),

  665. 		Email:       login,

  666. 		Passwd:      password,

  667. 		LoginType:   LoginSMTP,

  668. 		LoginSource: sourceID,

  669. 		LoginName:   login,

  670. 		IsActive:    true,

  671. 	}

  672. 	return user, CreateUser(user)

  673. }

  674. 

  675. // __________  _____      _____

  676. // \______   \/  _  \    /     \

  677. //  |     ___/  /_\  \  /  \ /  \

  678. //  |    |  /    |    \/    Y    \

  679. //  |____|  \____|__  /\____|__  /

  680. //                  \/         \/

  681. 

  682. // LoginViaPAM queries if login/password is valid against the PAM,

  683. // and create a local user if success when enabled.

  684. func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig) (*User, error) {

  685. 	pamLogin, err := pam.Auth(cfg.ServiceName, login, password)

  686. 	if err != nil {

  687. 		if strings.Contains(err.Error(), "Authentication failure") {

  688. 			return nil, ErrUserNotExist{0, login, 0}

  689. 		}

  690. 		return nil, err

  691. 	}

  692. 

  693. 	if user != nil {

  694. 		return user, nil

  695. 	}

  696. 

  697. 	// Allow PAM sources with `@` in their name, like from Active Directory

  698. 	username := pamLogin

  699. 	idx := strings.Index(pamLogin, "@")

  700. 	if idx > -1 {

  701. 		username = pamLogin[:idx]

  702. 	}

  703. 

  704. 	user = &User{

  705. 		LowerName:   strings.ToLower(username),

  706. 		Name:        username,

  707. 		Email:       pamLogin,

  708. 		Passwd:      password,

  709. 		LoginType:   LoginPAM,

  710. 		LoginSource: sourceID,

  711. 		LoginName:   login, // This is what the user typed in

  712. 		IsActive:    true,

  713. 	}

  714. 	return user, CreateUser(user)

  715. }

  716. 

  717. // ExternalUserLogin attempts a login using external source types.

  718. func ExternalUserLogin(user *User, login, password string, source *LoginSource) (*User, error) {

  719. 	if !source.IsActived {

  720. 		return nil, ErrLoginSourceNotActived

  721. 	}

  722. 

  723. 	var err error

  724. 	switch source.Type {

  725. 	case LoginLDAP, LoginDLDAP:

  726. 		user, err = LoginViaLDAP(user, login, password, source)

  727. 	case LoginSMTP:

  728. 		user, err = LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig))

  729. 	case LoginPAM:

  730. 		user, err = LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig))

  731. 	default:

  732. 		return nil, ErrUnsupportedLoginType

  733. 	}

  734. 

  735. 	if err != nil {

  736. 		return nil, err

  737. 	}

  738. 

  739. 	// WARN: DON'T check user.IsActive, that will be checked on reqSign so that

  740. 	// user could be hint to resend confirm email.

  741. 	if user.ProhibitLogin {

  742. 		return nil, ErrUserProhibitLogin{user.ID, user.Name}

  743. 	}

  744. 

  745. 	return user, nil

  746. }

  747. 

  748. // UserSignIn validates user name and password.

  749. func UserSignIn(username, password string) (*User, error) {

  750. 	var user *User

  751. 	if strings.Contains(username, "@") {

  752. 		user = &User{Email: strings.ToLower(strings.TrimSpace(username))}

  753. 		// check same email

  754. 		cnt, err := x.Count(user)

  755. 		if err != nil {

  756. 			return nil, err

  757. 		}

  758. 		if cnt > 1 {

  759. 			return nil, ErrEmailAlreadyUsed{

  760. 				Email: user.Email,

  761. 			}

  762. 		}

  763. 	} else {

  764. 		trimmedUsername := strings.TrimSpace(username)

  765. 		if len(trimmedUsername) == 0 {

  766. 			return nil, ErrUserNotExist{0, username, 0}

  767. 		}

  768. 

  769. 		user = &User{LowerName: strings.ToLower(trimmedUsername)}

  770. 	}

  771. 

  772. 	hasUser, err := x.Get(user)

  773. 	if err != nil {

  774. 		return nil, err

  775. 	}

  776. 

  777. 	if hasUser {

  778. 		switch user.LoginType {

  779. 		case LoginNoType, LoginPlain, LoginOAuth2:

  780. 			if user.IsPasswordSet() && user.ValidatePassword(password) {

  781. 

  782. 				// Update password hash if server password hash algorithm have changed

  783. 				if user.PasswdHashAlgo != setting.PasswordHashAlgo {

  784. 					if err = user.SetPassword(password); err != nil {

  785. 						return nil, err

  786. 					}

  787. 					if err = UpdateUserCols(user, "passwd", "passwd_hash_algo", "salt"); err != nil {

  788. 						return nil, err

  789. 					}

  790. 				}

  791. 

  792. 				// WARN: DON'T check user.IsActive, that will be checked on reqSign so that

  793. 				// user could be hint to resend confirm email.

  794. 				if user.ProhibitLogin {

  795. 					return nil, ErrUserProhibitLogin{user.ID, user.Name}

  796. 				}

  797. 

  798. 				return user, nil

  799. 			}

  800. 

  801. 			return nil, ErrUserNotExist{user.ID, user.Name, 0}

  802. 

  803. 		default:

  804. 			var source LoginSource

  805. 			hasSource, err := x.ID(user.LoginSource).Get(&source)

  806. 			if err != nil {

  807. 				return nil, err

  808. 			} else if !hasSource {

  809. 				return nil, ErrLoginSourceNotExist{user.LoginSource}

  810. 			}

  811. 

  812. 			return ExternalUserLogin(user, user.LoginName, password, &source)

  813. 		}

  814. 	}

  815. 

  816. 	sources := make([]*LoginSource, 0, 5)

  817. 	if err = x.Where("is_actived = ?", true).Find(&sources); err != nil {

  818. 		return nil, err

  819. 	}

  820. 

  821. 	for _, source := range sources {

  822. 		if source.IsOAuth2() || source.IsSSPI() {

  823. 			// don't try to authenticate against OAuth2 and SSPI sources here

  824. 			continue

  825. 		}

  826. 		authUser, err := ExternalUserLogin(nil, username, password, source)

  827. 		if err == nil {

  828. 			return authUser, nil

  829. 		}

  830. 

  831. 		log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)

  832. 	}

  833. 

  834. 	return nil, ErrUserNotExist{user.ID, user.Name, 0}

  835. }