mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11351 Commits
17 Branches
Tree: 7417628f8d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7417628f8d'
${ noResults }
gitea/routers/user/auth_openid.go

auth_openid.go 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user

  6. 

  7. import (

  8. 	"fmt"

  9. 	"net/http"

  10. 	"net/url"

  11. 

  12. 	"code.gitea.io/gitea/models"

  13. 	"code.gitea.io/gitea/modules/auth/openid"

  14. 	"code.gitea.io/gitea/modules/base"

  15. 	"code.gitea.io/gitea/modules/context"

  16. 	"code.gitea.io/gitea/modules/generate"

  17. 	"code.gitea.io/gitea/modules/hcaptcha"

  18. 	"code.gitea.io/gitea/modules/log"

  19. 	"code.gitea.io/gitea/modules/recaptcha"

  20. 	"code.gitea.io/gitea/modules/setting"

  21. 	"code.gitea.io/gitea/modules/web"

  22. 	"code.gitea.io/gitea/modules/web/middleware"

  23. 	"code.gitea.io/gitea/services/forms"

  24. )

  25. 

  26. const (

  27. 	tplSignInOpenID base.TplName = "user/auth/signin_openid"

  28. 	tplConnectOID   base.TplName = "user/auth/signup_openid_connect"

  29. 	tplSignUpOID    base.TplName = "user/auth/signup_openid_register"

  30. )

  31. 

  32. // SignInOpenID render sign in page

  33. func SignInOpenID(ctx *context.Context) {

  34. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  35. 

  36. 	if ctx.Query("openid.return_to") != "" {

  37. 		signInOpenIDVerify(ctx)

  38. 		return

  39. 	}

  40. 

  41. 	// Check auto-login.

  42. 	isSucceed, err := AutoSignIn(ctx)

  43. 	if err != nil {

  44. 		ctx.ServerError("AutoSignIn", err)

  45. 		return

  46. 	}

  47. 

  48. 	redirectTo := ctx.Query("redirect_to")

  49. 	if len(redirectTo) > 0 {

  50. 		middleware.SetRedirectToCookie(ctx.Resp, redirectTo)

  51. 	} else {

  52. 		redirectTo = ctx.GetCookie("redirect_to")

  53. 	}

  54. 

  55. 	if isSucceed {

  56. 		middleware.DeleteRedirectToCookie(ctx.Resp)

  57. 		ctx.RedirectToFirst(redirectTo)

  58. 		return

  59. 	}

  60. 

  61. 	ctx.Data["PageIsSignIn"] = true

  62. 	ctx.Data["PageIsLoginOpenID"] = true

  63. 	ctx.HTML(http.StatusOK, tplSignInOpenID)

  64. }

  65. 

  66. // Check if the given OpenID URI is allowed by blacklist/whitelist

  67. func allowedOpenIDURI(uri string) (err error) {

  68. 

  69. 	// In case a Whitelist is present, URI must be in it

  70. 	// in order to be accepted

  71. 	if len(setting.Service.OpenIDWhitelist) != 0 {

  72. 		for _, pat := range setting.Service.OpenIDWhitelist {

  73. 			if pat.MatchString(uri) {

  74. 				return nil // pass

  75. 			}

  76. 		}

  77. 		// must match one of this or be refused

  78. 		return fmt.Errorf("URI not allowed by whitelist")

  79. 	}

  80. 

  81. 	// A blacklist match expliclty forbids

  82. 	for _, pat := range setting.Service.OpenIDBlacklist {

  83. 		if pat.MatchString(uri) {

  84. 			return fmt.Errorf("URI forbidden by blacklist")

  85. 		}

  86. 	}

  87. 

  88. 	return nil

  89. }

  90. 

  91. // SignInOpenIDPost response for openid sign in request

  92. func SignInOpenIDPost(ctx *context.Context) {

  93. 	form := web.GetForm(ctx).(*forms.SignInOpenIDForm)

  94. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  95. 	ctx.Data["PageIsSignIn"] = true

  96. 	ctx.Data["PageIsLoginOpenID"] = true

  97. 

  98. 	if ctx.HasError() {

  99. 		ctx.HTML(http.StatusOK, tplSignInOpenID)

  100. 		return

  101. 	}

  102. 

  103. 	id, err := openid.Normalize(form.Openid)

  104. 	if err != nil {

  105. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)

  106. 		return

  107. 	}

  108. 	form.Openid = id

  109. 

  110. 	log.Trace("OpenID uri: " + id)

  111. 

  112. 	err = allowedOpenIDURI(id)

  113. 	if err != nil {

  114. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)

  115. 		return

  116. 	}

  117. 

  118. 	redirectTo := setting.AppURL + "user/login/openid"

  119. 	url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)

  120. 	if err != nil {

  121. 		log.Error("Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())

  122. 		ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)

  123. 		return

  124. 	}

  125. 

  126. 	// Request optional nickname and email info

  127. 	// NOTE: change to `openid.sreg.required` to require it

  128. 	url += "&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1"

  129. 	url += "&openid.sreg.optional=nickname%2Cemail"

  130. 

  131. 	log.Trace("Form-passed openid-remember: %t", form.Remember)

  132. 

  133. 	if err := ctx.Session.Set("openid_signin_remember", form.Remember); err != nil {

  134. 		log.Error("SignInOpenIDPost: Could not set openid_signin_remember in session: %v", err)

  135. 	}

  136. 	if err := ctx.Session.Release(); err != nil {

  137. 		log.Error("SignInOpenIDPost: Unable to save changes to the session: %v", err)

  138. 	}

  139. 

  140. 	ctx.Redirect(url)

  141. }

  142. 

  143. // signInOpenIDVerify handles response from OpenID provider

  144. func signInOpenIDVerify(ctx *context.Context) {

  145. 

  146. 	log.Trace("Incoming call to: " + ctx.Req.URL.String())

  147. 

  148. 	fullURL := setting.AppURL + ctx.Req.URL.String()[1:]

  149. 	log.Trace("Full URL: " + fullURL)

  150. 

  151. 	var id, err = openid.Verify(fullURL)

  152. 	if err != nil {

  153. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{

  154. 			Openid: id,

  155. 		})

  156. 		return

  157. 	}

  158. 

  159. 	log.Trace("Verified ID: " + id)

  160. 

  161. 	/* Now we should seek for the user and log him in, or prompt

  162. 	 * to register if not found */

  163. 

  164. 	u, err := models.GetUserByOpenID(id)

  165. 	if err != nil {

  166. 		if !models.IsErrUserNotExist(err) {

  167. 			ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{

  168. 				Openid: id,

  169. 			})

  170. 			return

  171. 		}

  172. 		log.Error("signInOpenIDVerify: %v", err)

  173. 	}

  174. 	if u != nil {

  175. 		log.Trace("User exists, logging in")

  176. 		remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  177. 		log.Trace("Session stored openid-remember: %t", remember)

  178. 		handleSignIn(ctx, u, remember)

  179. 		return

  180. 	}

  181. 

  182. 	log.Trace("User with openid " + id + " does not exist, should connect or register")

  183. 

  184. 	parsedURL, err := url.Parse(fullURL)

  185. 	if err != nil {

  186. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{

  187. 			Openid: id,

  188. 		})

  189. 		return

  190. 	}

  191. 	values, err := url.ParseQuery(parsedURL.RawQuery)

  192. 	if err != nil {

  193. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{

  194. 			Openid: id,

  195. 		})

  196. 		return

  197. 	}

  198. 	email := values.Get("openid.sreg.email")

  199. 	nickname := values.Get("openid.sreg.nickname")

  200. 

  201. 	log.Trace("User has email=" + email + " and nickname=" + nickname)

  202. 

  203. 	if email != "" {

  204. 		u, err = models.GetUserByEmail(email)

  205. 		if err != nil {

  206. 			if !models.IsErrUserNotExist(err) {

  207. 				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{

  208. 					Openid: id,

  209. 				})

  210. 				return

  211. 			}

  212. 			log.Error("signInOpenIDVerify: %v", err)

  213. 		}

  214. 		if u != nil {

  215. 			log.Trace("Local user " + u.LowerName + " has OpenID provided email " + email)

  216. 		}

  217. 	}

  218. 

  219. 	if u == nil && nickname != "" {

  220. 		u, _ = models.GetUserByName(nickname)

  221. 		if err != nil {

  222. 			if !models.IsErrUserNotExist(err) {

  223. 				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{

  224. 					Openid: id,

  225. 				})

  226. 				return

  227. 			}

  228. 		}

  229. 		if u != nil {

  230. 			log.Trace("Local user " + u.LowerName + " has OpenID provided nickname " + nickname)

  231. 		}

  232. 	}

  233. 

  234. 	if err := ctx.Session.Set("openid_verified_uri", id); err != nil {

  235. 		log.Error("signInOpenIDVerify: Could not set openid_verified_uri in session: %v", err)

  236. 	}

  237. 	if err := ctx.Session.Set("openid_determined_email", email); err != nil {

  238. 		log.Error("signInOpenIDVerify: Could not set openid_determined_email in session: %v", err)

  239. 	}

  240. 

  241. 	if u != nil {

  242. 		nickname = u.LowerName

  243. 	}

  244. 

  245. 	if err := ctx.Session.Set("openid_determined_username", nickname); err != nil {

  246. 		log.Error("signInOpenIDVerify: Could not set openid_determined_username in session: %v", err)

  247. 	}

  248. 	if err := ctx.Session.Release(); err != nil {

  249. 		log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)

  250. 	}

  251. 

  252. 	if u != nil || !setting.Service.EnableOpenIDSignUp {

  253. 		ctx.Redirect(setting.AppSubURL + "/user/openid/connect")

  254. 	} else {

  255. 		ctx.Redirect(setting.AppSubURL + "/user/openid/register")

  256. 	}

  257. }

  258. 

  259. // ConnectOpenID shows a form to connect an OpenID URI to an existing account

  260. func ConnectOpenID(ctx *context.Context) {

  261. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  262. 	if oid == "" {

  263. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  264. 		return

  265. 	}

  266. 	ctx.Data["Title"] = "OpenID connect"

  267. 	ctx.Data["PageIsSignIn"] = true

  268. 	ctx.Data["PageIsOpenIDConnect"] = true

  269. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  270. 	ctx.Data["OpenID"] = oid

  271. 	userName, _ := ctx.Session.Get("openid_determined_username").(string)

  272. 	if userName != "" {

  273. 		ctx.Data["user_name"] = userName

  274. 	}

  275. 	ctx.HTML(http.StatusOK, tplConnectOID)

  276. }

  277. 

  278. // ConnectOpenIDPost handles submission of a form to connect an OpenID URI to an existing account

  279. func ConnectOpenIDPost(ctx *context.Context) {

  280. 	form := web.GetForm(ctx).(*forms.ConnectOpenIDForm)

  281. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  282. 	if oid == "" {

  283. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  284. 		return

  285. 	}

  286. 	ctx.Data["Title"] = "OpenID connect"

  287. 	ctx.Data["PageIsSignIn"] = true

  288. 	ctx.Data["PageIsOpenIDConnect"] = true

  289. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  290. 	ctx.Data["OpenID"] = oid

  291. 

  292. 	u, err := models.UserSignIn(form.UserName, form.Password)

  293. 	if err != nil {

  294. 		if models.IsErrUserNotExist(err) {

  295. 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)

  296. 		} else {

  297. 			ctx.ServerError("ConnectOpenIDPost", err)

  298. 		}

  299. 		return

  300. 	}

  301. 

  302. 	// add OpenID for the user

  303. 	userOID := &models.UserOpenID{UID: u.ID, URI: oid}

  304. 	if err = models.AddUserOpenID(userOID); err != nil {

  305. 		if models.IsErrOpenIDAlreadyUsed(err) {

  306. 			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplConnectOID, &form)

  307. 			return

  308. 		}

  309. 		ctx.ServerError("AddUserOpenID", err)

  310. 		return

  311. 	}

  312. 

  313. 	ctx.Flash.Success(ctx.Tr("settings.add_openid_success"))

  314. 

  315. 	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  316. 	log.Trace("Session stored openid-remember: %t", remember)

  317. 	handleSignIn(ctx, u, remember)

  318. }

  319. 

  320. // RegisterOpenID shows a form to create a new user authenticated via an OpenID URI

  321. func RegisterOpenID(ctx *context.Context) {

  322. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  323. 	if oid == "" {

  324. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  325. 		return

  326. 	}

  327. 	ctx.Data["Title"] = "OpenID signup"

  328. 	ctx.Data["PageIsSignIn"] = true

  329. 	ctx.Data["PageIsOpenIDRegister"] = true

  330. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  331. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  332. 	ctx.Data["Captcha"] = context.GetImageCaptcha()

  333. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  334. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  335. 	ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey

  336. 	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL

  337. 	ctx.Data["OpenID"] = oid

  338. 	userName, _ := ctx.Session.Get("openid_determined_username").(string)

  339. 	if userName != "" {

  340. 		ctx.Data["user_name"] = userName

  341. 	}

  342. 	email, _ := ctx.Session.Get("openid_determined_email").(string)

  343. 	if email != "" {

  344. 		ctx.Data["email"] = email

  345. 	}

  346. 	ctx.HTML(http.StatusOK, tplSignUpOID)

  347. }

  348. 

  349. // RegisterOpenIDPost handles submission of a form to create a new user authenticated via an OpenID URI

  350. func RegisterOpenIDPost(ctx *context.Context) {

  351. 	form := web.GetForm(ctx).(*forms.SignUpOpenIDForm)

  352. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  353. 	if oid == "" {

  354. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  355. 		return

  356. 	}

  357. 

  358. 	ctx.Data["Title"] = "OpenID signup"

  359. 	ctx.Data["PageIsSignIn"] = true

  360. 	ctx.Data["PageIsOpenIDRegister"] = true

  361. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  362. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  363. 	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL

  364. 	ctx.Data["Captcha"] = context.GetImageCaptcha()

  365. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  366. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  367. 	ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey

  368. 	ctx.Data["OpenID"] = oid

  369. 

  370. 	if setting.Service.EnableCaptcha {

  371. 		var valid bool

  372. 		var err error

  373. 		switch setting.Service.CaptchaType {

  374. 		case setting.ImageCaptcha:

  375. 			valid = context.GetImageCaptcha().VerifyReq(ctx.Req)

  376. 		case setting.ReCaptcha:

  377. 			if err := ctx.Req.ParseForm(); err != nil {

  378. 				ctx.ServerError("", err)

  379. 				return

  380. 			}

  381. 			valid, err = recaptcha.Verify(ctx.Req.Context(), form.GRecaptchaResponse)

  382. 		case setting.HCaptcha:

  383. 			if err := ctx.Req.ParseForm(); err != nil {

  384. 				ctx.ServerError("", err)

  385. 				return

  386. 			}

  387. 			valid, err = hcaptcha.Verify(ctx.Req.Context(), form.HcaptchaResponse)

  388. 		default:

  389. 			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))

  390. 			return

  391. 		}

  392. 		if err != nil {

  393. 			log.Debug("%s", err.Error())

  394. 		}

  395. 

  396. 		if !valid {

  397. 			ctx.Data["Err_Captcha"] = true

  398. 			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUpOID, &form)

  399. 			return

  400. 		}

  401. 	}

  402. 

  403. 	length := setting.MinPasswordLength

  404. 	if length < 256 {

  405. 		length = 256

  406. 	}

  407. 	password, err := generate.GetRandomString(length)

  408. 	if err != nil {

  409. 		ctx.RenderWithErr(err.Error(), tplSignUpOID, form)

  410. 		return

  411. 	}

  412. 

  413. 	u := &models.User{

  414. 		Name:     form.UserName,

  415. 		Email:    form.Email,

  416. 		Passwd:   password,

  417. 		IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),

  418. 	}

  419. 	if !createUserInContext(ctx, tplSignUpOID, form, u, nil, false) {

  420. 		// error already handled

  421. 		return

  422. 	}

  423. 

  424. 	// add OpenID for the user

  425. 	userOID := &models.UserOpenID{UID: u.ID, URI: oid}

  426. 	if err = models.AddUserOpenID(userOID); err != nil {

  427. 		if models.IsErrOpenIDAlreadyUsed(err) {

  428. 			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplSignUpOID, &form)

  429. 			return

  430. 		}

  431. 		ctx.ServerError("AddUserOpenID", err)

  432. 		return

  433. 	}

  434. 

  435. 	if !handleUserCreated(ctx, u, nil) {

  436. 		// error already handled

  437. 		return

  438. 	}

  439. 

  440. 	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  441. 	log.Trace("Session stored openid-remember: %t", remember)

  442. 	handleSignIn(ctx, u, remember)

  443. }