mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7867 Commits
17 Branches
Tree: 85202d4784
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '85202d4784'
${ noResults }
gitea/modules/auth/auth.go

auth.go 9.2KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2019 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package auth

  7. 

  8. import (

  9. 	"reflect"

  10. 	"strings"

  11. 	"time"

  12. 

  13. 	"github.com/Unknwon/com"

  14. 	"github.com/go-macaron/binding"

  15. 	"github.com/go-macaron/session"

  16. 	gouuid "github.com/satori/go.uuid"

  17. 	"gopkg.in/macaron.v1"

  18. 

  19. 	"code.gitea.io/gitea/models"

  20. 	"code.gitea.io/gitea/modules/base"

  21. 	"code.gitea.io/gitea/modules/log"

  22. 	"code.gitea.io/gitea/modules/setting"

  23. 	"code.gitea.io/gitea/modules/timeutil"

  24. 	"code.gitea.io/gitea/modules/validation"

  25. )

  26. 

  27. // IsAPIPath if URL is an api path

  28. func IsAPIPath(url string) bool {

  29. 	return strings.HasPrefix(url, "/api/")

  30. }

  31. 

  32. // SignedInID returns the id of signed in user.

  33. func SignedInID(ctx *macaron.Context, sess session.Store) int64 {

  34. 	if !models.HasEngine {

  35. 		return 0

  36. 	}

  37. 

  38. 	// Check access token.

  39. 	if IsAPIPath(ctx.Req.URL.Path) {

  40. 		tokenSHA := ctx.Query("token")

  41. 		if len(tokenSHA) == 0 {

  42. 			tokenSHA = ctx.Query("access_token")

  43. 		}

  44. 		if len(tokenSHA) == 0 {

  45. 			// Well, check with header again.

  46. 			auHead := ctx.Req.Header.Get("Authorization")

  47. 			if len(auHead) > 0 {

  48. 				auths := strings.Fields(auHead)

  49. 				if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {

  50. 					tokenSHA = auths[1]

  51. 				}

  52. 			}

  53. 		}

  54. 

  55. 		// Let's see if token is valid.

  56. 		if len(tokenSHA) > 0 {

  57. 			if strings.Contains(tokenSHA, ".") {

  58. 				uid := CheckOAuthAccessToken(tokenSHA)

  59. 				if uid != 0 {

  60. 					ctx.Data["IsApiToken"] = true

  61. 				}

  62. 				return uid

  63. 			}

  64. 			t, err := models.GetAccessTokenBySHA(tokenSHA)

  65. 			if err != nil {

  66. 				if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {

  67. 					log.Error("GetAccessTokenBySHA: %v", err)

  68. 				}

  69. 				return 0

  70. 			}

  71. 			t.UpdatedUnix = timeutil.TimeStampNow()

  72. 			if err = models.UpdateAccessToken(t); err != nil {

  73. 				log.Error("UpdateAccessToken: %v", err)

  74. 			}

  75. 			ctx.Data["IsApiToken"] = true

  76. 			return t.UID

  77. 		}

  78. 	}

  79. 

  80. 	uid := sess.Get("uid")

  81. 	if uid == nil {

  82. 		return 0

  83. 	} else if id, ok := uid.(int64); ok {

  84. 		return id

  85. 	}

  86. 	return 0

  87. }

  88. 

  89. // CheckOAuthAccessToken returns uid of user from oauth token token

  90. func CheckOAuthAccessToken(accessToken string) int64 {

  91. 	// JWT tokens require a "."

  92. 	if !strings.Contains(accessToken, ".") {

  93. 		return 0

  94. 	}

  95. 	token, err := models.ParseOAuth2Token(accessToken)

  96. 	if err != nil {

  97. 		log.Trace("ParseOAuth2Token: %v", err)

  98. 		return 0

  99. 	}

  100. 	var grant *models.OAuth2Grant

  101. 	if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {

  102. 		return 0

  103. 	}

  104. 	if token.Type != models.TypeAccessToken {

  105. 		return 0

  106. 	}

  107. 	if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {

  108. 		return 0

  109. 	}

  110. 	return grant.UserID

  111. }

  112. 

  113. // SignedInUser returns the user object of signed user.

  114. // It returns a bool value to indicate whether user uses basic auth or not.

  115. func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool) {

  116. 	if !models.HasEngine {

  117. 		return nil, false

  118. 	}

  119. 

  120. 	if uid := SignedInID(ctx, sess); uid > 0 {

  121. 		user, err := models.GetUserByID(uid)

  122. 		if err == nil {

  123. 			return user, false

  124. 		} else if !models.IsErrUserNotExist(err) {

  125. 			log.Error("GetUserById: %v", err)

  126. 		}

  127. 	}

  128. 

  129. 	if setting.Service.EnableReverseProxyAuth {

  130. 		webAuthUser := ctx.Req.Header.Get(setting.ReverseProxyAuthUser)

  131. 		if len(webAuthUser) > 0 {

  132. 			u, err := models.GetUserByName(webAuthUser)

  133. 			if err != nil {

  134. 				if !models.IsErrUserNotExist(err) {

  135. 					log.Error("GetUserByName: %v", err)

  136. 					return nil, false

  137. 				}

  138. 

  139. 				// Check if enabled auto-registration.

  140. 				if setting.Service.EnableReverseProxyAutoRegister {

  141. 					email := gouuid.NewV4().String() + "@localhost"

  142. 					if setting.Service.EnableReverseProxyEmail {

  143. 						webAuthEmail := ctx.Req.Header.Get(setting.ReverseProxyAuthEmail)

  144. 						if len(webAuthEmail) > 0 {

  145. 							email = webAuthEmail

  146. 						}

  147. 					}

  148. 					u := &models.User{

  149. 						Name:     webAuthUser,

  150. 						Email:    email,

  151. 						Passwd:   webAuthUser,

  152. 						IsActive: true,

  153. 					}

  154. 					if err = models.CreateUser(u); err != nil {

  155. 						// FIXME: should I create a system notice?

  156. 						log.Error("CreateUser: %v", err)

  157. 						return nil, false

  158. 					}

  159. 					return u, false

  160. 				}

  161. 			}

  162. 			return u, false

  163. 		}

  164. 	}

  165. 

  166. 	// Check with basic auth.

  167. 	baHead := ctx.Req.Header.Get("Authorization")

  168. 	if len(baHead) > 0 {

  169. 		auths := strings.Fields(baHead)

  170. 		if len(auths) == 2 && auths[0] == "Basic" {

  171. 			var u *models.User

  172. 

  173. 			uname, passwd, _ := base.BasicAuthDecode(auths[1])

  174. 

  175. 			// Check if username or password is a token

  176. 			isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"

  177. 			// Assume username is token

  178. 			authToken := uname

  179. 			if !isUsernameToken {

  180. 				// Assume password is token

  181. 				authToken = passwd

  182. 			}

  183. 

  184. 			uid := CheckOAuthAccessToken(authToken)

  185. 			if uid != 0 {

  186. 				var err error

  187. 				ctx.Data["IsApiToken"] = true

  188. 

  189. 				u, err = models.GetUserByID(uid)

  190. 				if err != nil {

  191. 					log.Error("GetUserByID:  %v", err)

  192. 					return nil, false

  193. 				}

  194. 			}

  195. 			token, err := models.GetAccessTokenBySHA(authToken)

  196. 			if err == nil {

  197. 				if isUsernameToken {

  198. 					u, err = models.GetUserByID(token.UID)

  199. 					if err != nil {

  200. 						log.Error("GetUserByID:  %v", err)

  201. 						return nil, false

  202. 					}

  203. 				} else {

  204. 					u, err = models.GetUserByName(uname)

  205. 					if err != nil {

  206. 						log.Error("GetUserByID:  %v", err)

  207. 						return nil, false

  208. 					}

  209. 					if u.ID != token.UID {

  210. 						return nil, false

  211. 					}

  212. 				}

  213. 				token.UpdatedUnix = timeutil.TimeStampNow()

  214. 				if err = models.UpdateAccessToken(token); err != nil {

  215. 					log.Error("UpdateAccessToken:  %v", err)

  216. 				}

  217. 			} else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {

  218. 				log.Error("GetAccessTokenBySha: %v", err)

  219. 			}

  220. 

  221. 			if u == nil {

  222. 				u, err = models.UserSignIn(uname, passwd)

  223. 				if err != nil {

  224. 					if !models.IsErrUserNotExist(err) {

  225. 						log.Error("UserSignIn: %v", err)

  226. 					}

  227. 					return nil, false

  228. 				}

  229. 			} else {

  230. 				ctx.Data["IsApiToken"] = true

  231. 			}

  232. 

  233. 			return u, true

  234. 		}

  235. 	}

  236. 	return nil, false

  237. }

  238. 

  239. // Form form binding interface

  240. type Form interface {

  241. 	binding.Validator

  242. }

  243. 

  244. func init() {

  245. 	binding.SetNameMapper(com.ToSnakeCase)

  246. }

  247. 

  248. // AssignForm assign form values back to the template data.

  249. func AssignForm(form interface{}, data map[string]interface{}) {

  250. 	typ := reflect.TypeOf(form)

  251. 	val := reflect.ValueOf(form)

  252. 

  253. 	if typ.Kind() == reflect.Ptr {

  254. 		typ = typ.Elem()

  255. 		val = val.Elem()

  256. 	}

  257. 

  258. 	for i := 0; i < typ.NumField(); i++ {

  259. 		field := typ.Field(i)

  260. 

  261. 		fieldName := field.Tag.Get("form")

  262. 		// Allow ignored fields in the struct

  263. 		if fieldName == "-" {

  264. 			continue

  265. 		} else if len(fieldName) == 0 {

  266. 			fieldName = com.ToSnakeCase(field.Name)

  267. 		}

  268. 

  269. 		data[fieldName] = val.Field(i).Interface()

  270. 	}

  271. }

  272. 

  273. func getRuleBody(field reflect.StructField, prefix string) string {

  274. 	for _, rule := range strings.Split(field.Tag.Get("binding"), ";") {

  275. 		if strings.HasPrefix(rule, prefix) {

  276. 			return rule[len(prefix) : len(rule)-1]

  277. 		}

  278. 	}

  279. 	return ""

  280. }

  281. 

  282. // GetSize get size int form tag

  283. func GetSize(field reflect.StructField) string {

  284. 	return getRuleBody(field, "Size(")

  285. }

  286. 

  287. // GetMinSize get minimal size in form tag

  288. func GetMinSize(field reflect.StructField) string {

  289. 	return getRuleBody(field, "MinSize(")

  290. }

  291. 

  292. // GetMaxSize get max size in form tag

  293. func GetMaxSize(field reflect.StructField) string {

  294. 	return getRuleBody(field, "MaxSize(")

  295. }

  296. 

  297. // GetInclude get include in form tag

  298. func GetInclude(field reflect.StructField) string {

  299. 	return getRuleBody(field, "Include(")

  300. }

  301. 

  302. func validate(errs binding.Errors, data map[string]interface{}, f Form, l macaron.Locale) binding.Errors {

  303. 	if errs.Len() == 0 {

  304. 		return errs

  305. 	}

  306. 

  307. 	data["HasError"] = true

  308. 	AssignForm(f, data)

  309. 

  310. 	typ := reflect.TypeOf(f)

  311. 	val := reflect.ValueOf(f)

  312. 

  313. 	if typ.Kind() == reflect.Ptr {

  314. 		typ = typ.Elem()

  315. 		val = val.Elem()

  316. 	}

  317. 

  318. 	for i := 0; i < typ.NumField(); i++ {

  319. 		field := typ.Field(i)

  320. 

  321. 		fieldName := field.Tag.Get("form")

  322. 		// Allow ignored fields in the struct

  323. 		if fieldName == "-" {

  324. 			continue

  325. 		}

  326. 

  327. 		if errs[0].FieldNames[0] == field.Name {

  328. 			data["Err_"+field.Name] = true

  329. 

  330. 			trName := field.Tag.Get("locale")

  331. 			if len(trName) == 0 {

  332. 				trName = l.Tr("form." + field.Name)

  333. 			} else {

  334. 				trName = l.Tr(trName)

  335. 			}

  336. 

  337. 			switch errs[0].Classification {

  338. 			case binding.ERR_REQUIRED:

  339. 				data["ErrorMsg"] = trName + l.Tr("form.require_error")

  340. 			case binding.ERR_ALPHA_DASH:

  341. 				data["ErrorMsg"] = trName + l.Tr("form.alpha_dash_error")

  342. 			case binding.ERR_ALPHA_DASH_DOT:

  343. 				data["ErrorMsg"] = trName + l.Tr("form.alpha_dash_dot_error")

  344. 			case validation.ErrGitRefName:

  345. 				data["ErrorMsg"] = trName + l.Tr("form.git_ref_name_error")

  346. 			case binding.ERR_SIZE:

  347. 				data["ErrorMsg"] = trName + l.Tr("form.size_error", GetSize(field))

  348. 			case binding.ERR_MIN_SIZE:

  349. 				data["ErrorMsg"] = trName + l.Tr("form.min_size_error", GetMinSize(field))

  350. 			case binding.ERR_MAX_SIZE:

  351. 				data["ErrorMsg"] = trName + l.Tr("form.max_size_error", GetMaxSize(field))

  352. 			case binding.ERR_EMAIL:

  353. 				data["ErrorMsg"] = trName + l.Tr("form.email_error")

  354. 			case binding.ERR_URL:

  355. 				data["ErrorMsg"] = trName + l.Tr("form.url_error")

  356. 			case binding.ERR_INCLUDE:

  357. 				data["ErrorMsg"] = trName + l.Tr("form.include_error", GetInclude(field))

  358. 			default:

  359. 				data["ErrorMsg"] = l.Tr("form.unknown_error") + " " + errs[0].Classification

  360. 			}

  361. 			return errs

  362. 		}

  363. 	}

  364. 	return errs

  365. }