mirrors
/
gitea
зеркало из https://github.com/go-gitea/gitea.git
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Релизы 211 Вики Активность
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
17279 коммитов
17 Ветки
Дерево: 875f5ea6d8
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из '875f5ea6d8'
${ noResults }
gitea/services/auth/source/saml/source_callout.go

source_callout.go 2.6KB
Исходник Blame История

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889 
  1. // Copyright 2023 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package saml

  5. 

  6. import (

  7. 	"fmt"

  8. 	"net/http"

  9. 	"strings"

  10. 

  11. 	"github.com/markbates/goth"

  12. )

  13. 

  14. // Callout redirects request/response pair to authenticate against the provider

  15. func (source *Source) Callout(request *http.Request, response http.ResponseWriter) error {

  16. 	samlRWMutex.RLock()

  17. 	defer samlRWMutex.RUnlock()

  18. 	if _, ok := providers[source.authSource.Name]; !ok {

  19. 		return fmt.Errorf("no provider for this saml")

  20. 	}

  21. 

  22. 	authURL, err := providers[source.authSource.Name].samlSP.BuildAuthURL("")

  23. 	if err == nil {

  24. 		http.Redirect(response, request, authURL, http.StatusTemporaryRedirect)

  25. 	}

  26. 	return err

  27. }

  28. 

  29. // Callback handles SAML callback, resolve to a goth user and send back to original url

  30. // this will trigger a new authentication request, but because we save it in the session we can use that

  31. func (source *Source) Callback(request *http.Request, response http.ResponseWriter) (goth.User, error) {

  32. 	samlRWMutex.RLock()

  33. 	defer samlRWMutex.RUnlock()

  34. 

  35. 	user := goth.User{

  36. 		Provider: source.authSource.Name,

  37. 	}

  38. 	samlResponse := request.FormValue("SAMLResponse")

  39. 	assertions, err := source.samlSP.RetrieveAssertionInfo(samlResponse)

  40. 	if err != nil {

  41. 		return user, err

  42. 	}

  43. 

  44. 	if assertions.WarningInfo.OneTimeUse {

  45. 		return user, fmt.Errorf("SAML response contains one time use warning")

  46. 	}

  47. 

  48. 	if assertions.WarningInfo.ProxyRestriction != nil {

  49. 		return user, fmt.Errorf("SAML response contains proxy restriction warning: %v", assertions.WarningInfo.ProxyRestriction)

  50. 	}

  51. 

  52. 	if assertions.WarningInfo.NotInAudience {

  53. 		return user, fmt.Errorf("SAML response contains audience warning")

  54. 	}

  55. 

  56. 	if assertions.WarningInfo.InvalidTime {

  57. 		return user, fmt.Errorf("SAML response contains invalid time warning")

  58. 	}

  59. 

  60. 	samlMap := make(map[string]string)

  61. 	for key, value := range assertions.Values {

  62. 		keyParsed := strings.ToLower(key[strings.LastIndex(key, "/")+1:]) // Uses the trailing slug as the key name.

  63. 		valueParsed := value.Values[0].Value

  64. 		samlMap[keyParsed] = valueParsed

  65. 

  66. 	}

  67. 

  68. 	user.UserID = assertions.NameID

  69. 	if user.UserID == "" {

  70. 		return user, fmt.Errorf("no nameID found in SAML response")

  71. 	}

  72. 

  73. 	// email

  74. 	if _, ok := samlMap[source.EmailAssertionKey]; !ok {

  75. 		user.Email = samlMap[source.EmailAssertionKey]

  76. 	}

  77. 	// name

  78. 	if _, ok := samlMap[source.NameAssertionKey]; !ok {

  79. 		user.NickName = samlMap[source.NameAssertionKey]

  80. 	}

  81. 	// username

  82. 	if _, ok := samlMap[source.UsernameAssertionKey]; !ok {

  83. 		user.Name = samlMap[source.UsernameAssertionKey]

  84. 	}

  85. 

  86. 	// TODO: utilize groups once mapping is supported

  87. 

  88. 	return user, nil

  89. }