mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12423 Commits
17 Branches
Tree: 957c3fcb59
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '957c3fcb59'
${ noResults }
gitea/cmd/admin_auth_ldap.go

admin_auth_ldap.go 11KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package cmd

  6. 

  7. import (

  8. 	"context"

  9. 	"fmt"

  10. 	"strings"

  11. 

  12. 	"code.gitea.io/gitea/models/login"

  13. 	"code.gitea.io/gitea/services/auth/source/ldap"

  14. 

  15. 	"github.com/urfave/cli"

  16. )

  17. 

  18. type (

  19. 	authService struct {

  20. 		initDB             func(ctx context.Context) error

  21. 		createLoginSource  func(loginSource *login.Source) error

  22. 		updateLoginSource  func(loginSource *login.Source) error

  23. 		getLoginSourceByID func(id int64) (*login.Source, error)

  24. 	}

  25. )

  26. 

  27. var (

  28. 	commonLdapCLIFlags = []cli.Flag{

  29. 		cli.StringFlag{

  30. 			Name:  "name",

  31. 			Usage: "Authentication name.",

  32. 		},

  33. 		cli.BoolFlag{

  34. 			Name:  "not-active",

  35. 			Usage: "Deactivate the authentication source.",

  36. 		},

  37. 		cli.StringFlag{

  38. 			Name:  "security-protocol",

  39. 			Usage: "Security protocol name.",

  40. 		},

  41. 		cli.BoolFlag{

  42. 			Name:  "skip-tls-verify",

  43. 			Usage: "Disable TLS verification.",

  44. 		},

  45. 		cli.StringFlag{

  46. 			Name:  "host",

  47. 			Usage: "The address where the LDAP server can be reached.",

  48. 		},

  49. 		cli.IntFlag{

  50. 			Name:  "port",

  51. 			Usage: "The port to use when connecting to the LDAP server.",

  52. 		},

  53. 		cli.StringFlag{

  54. 			Name:  "user-search-base",

  55. 			Usage: "The LDAP base at which user accounts will be searched for.",

  56. 		},

  57. 		cli.StringFlag{

  58. 			Name:  "user-filter",

  59. 			Usage: "An LDAP filter declaring how to find the user record that is attempting to authenticate.",

  60. 		},

  61. 		cli.StringFlag{

  62. 			Name:  "admin-filter",

  63. 			Usage: "An LDAP filter specifying if a user should be given administrator privileges.",

  64. 		},

  65. 		cli.StringFlag{

  66. 			Name:  "restricted-filter",

  67. 			Usage: "An LDAP filter specifying if a user should be given restricted status.",

  68. 		},

  69. 		cli.BoolFlag{

  70. 			Name:  "allow-deactivate-all",

  71. 			Usage: "Allow empty search results to deactivate all users.",

  72. 		},

  73. 		cli.StringFlag{

  74. 			Name:  "username-attribute",

  75. 			Usage: "The attribute of the user’s LDAP record containing the user name.",

  76. 		},

  77. 		cli.StringFlag{

  78. 			Name:  "firstname-attribute",

  79. 			Usage: "The attribute of the user’s LDAP record containing the user’s first name.",

  80. 		},

  81. 		cli.StringFlag{

  82. 			Name:  "surname-attribute",

  83. 			Usage: "The attribute of the user’s LDAP record containing the user’s surname.",

  84. 		},

  85. 		cli.StringFlag{

  86. 			Name:  "email-attribute",

  87. 			Usage: "The attribute of the user’s LDAP record containing the user’s email address.",

  88. 		},

  89. 		cli.StringFlag{

  90. 			Name:  "public-ssh-key-attribute",

  91. 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",

  92. 		},

  93. 		cli.BoolFlag{

  94. 			Name:  "skip-local-2fa",

  95. 			Usage: "Set to true to skip local 2fa for users authenticated by this source",

  96. 		},

  97. 		cli.StringFlag{

  98. 			Name:  "avatar-attribute",

  99. 			Usage: "The attribute of the user’s LDAP record containing the user’s avatar.",

  100. 		},

  101. 	}

  102. 

  103. 	ldapBindDnCLIFlags = append(commonLdapCLIFlags,

  104. 		cli.StringFlag{

  105. 			Name:  "bind-dn",

  106. 			Usage: "The DN to bind to the LDAP server with when searching for the user.",

  107. 		},

  108. 		cli.StringFlag{

  109. 			Name:  "bind-password",

  110. 			Usage: "The password for the Bind DN, if any.",

  111. 		},

  112. 		cli.BoolFlag{

  113. 			Name:  "attributes-in-bind",

  114. 			Usage: "Fetch attributes in bind DN context.",

  115. 		},

  116. 		cli.BoolFlag{

  117. 			Name:  "synchronize-users",

  118. 			Usage: "Enable user synchronization.",

  119. 		},

  120. 		cli.UintFlag{

  121. 			Name:  "page-size",

  122. 			Usage: "Search page size.",

  123. 		})

  124. 

  125. 	ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,

  126. 		cli.StringFlag{

  127. 			Name:  "user-dn",

  128. 			Usage: "The user’s DN.",

  129. 		})

  130. 

  131. 	cmdAuthAddLdapBindDn = cli.Command{

  132. 		Name:  "add-ldap",

  133. 		Usage: "Add new LDAP (via Bind DN) authentication source",

  134. 		Action: func(c *cli.Context) error {

  135. 			return newAuthService().addLdapBindDn(c)

  136. 		},

  137. 		Flags: ldapBindDnCLIFlags,

  138. 	}

  139. 

  140. 	cmdAuthUpdateLdapBindDn = cli.Command{

  141. 		Name:  "update-ldap",

  142. 		Usage: "Update existing LDAP (via Bind DN) authentication source",

  143. 		Action: func(c *cli.Context) error {

  144. 			return newAuthService().updateLdapBindDn(c)

  145. 		},

  146. 		Flags: append([]cli.Flag{idFlag}, ldapBindDnCLIFlags...),

  147. 	}

  148. 

  149. 	cmdAuthAddLdapSimpleAuth = cli.Command{

  150. 		Name:  "add-ldap-simple",

  151. 		Usage: "Add new LDAP (simple auth) authentication source",

  152. 		Action: func(c *cli.Context) error {

  153. 			return newAuthService().addLdapSimpleAuth(c)

  154. 		},

  155. 		Flags: ldapSimpleAuthCLIFlags,

  156. 	}

  157. 

  158. 	cmdAuthUpdateLdapSimpleAuth = cli.Command{

  159. 		Name:  "update-ldap-simple",

  160. 		Usage: "Update existing LDAP (simple auth) authentication source",

  161. 		Action: func(c *cli.Context) error {

  162. 			return newAuthService().updateLdapSimpleAuth(c)

  163. 		},

  164. 		Flags: append([]cli.Flag{idFlag}, ldapSimpleAuthCLIFlags...),

  165. 	}

  166. )

  167. 

  168. // newAuthService creates a service with default functions.

  169. func newAuthService() *authService {

  170. 	return &authService{

  171. 		initDB:             initDB,

  172. 		createLoginSource:  login.CreateSource,

  173. 		updateLoginSource:  login.UpdateSource,

  174. 		getLoginSourceByID: login.GetSourceByID,

  175. 	}

  176. }

  177. 

  178. // parseLoginSource assigns values on loginSource according to command line flags.

  179. func parseLoginSource(c *cli.Context, loginSource *login.Source) {

  180. 	if c.IsSet("name") {

  181. 		loginSource.Name = c.String("name")

  182. 	}

  183. 	if c.IsSet("not-active") {

  184. 		loginSource.IsActive = !c.Bool("not-active")

  185. 	}

  186. 	if c.IsSet("synchronize-users") {

  187. 		loginSource.IsSyncEnabled = c.Bool("synchronize-users")

  188. 	}

  189. }

  190. 

  191. // parseLdapConfig assigns values on config according to command line flags.

  192. func parseLdapConfig(c *cli.Context, config *ldap.Source) error {

  193. 	if c.IsSet("name") {

  194. 		config.Name = c.String("name")

  195. 	}

  196. 	if c.IsSet("host") {

  197. 		config.Host = c.String("host")

  198. 	}

  199. 	if c.IsSet("port") {

  200. 		config.Port = c.Int("port")

  201. 	}

  202. 	if c.IsSet("security-protocol") {

  203. 		p, ok := findLdapSecurityProtocolByName(c.String("security-protocol"))

  204. 		if !ok {

  205. 			return fmt.Errorf("Unknown security protocol name: %s", c.String("security-protocol"))

  206. 		}

  207. 		config.SecurityProtocol = p

  208. 	}

  209. 	if c.IsSet("skip-tls-verify") {

  210. 		config.SkipVerify = c.Bool("skip-tls-verify")

  211. 	}

  212. 	if c.IsSet("bind-dn") {

  213. 		config.BindDN = c.String("bind-dn")

  214. 	}

  215. 	if c.IsSet("user-dn") {

  216. 		config.UserDN = c.String("user-dn")

  217. 	}

  218. 	if c.IsSet("bind-password") {

  219. 		config.BindPassword = c.String("bind-password")

  220. 	}

  221. 	if c.IsSet("user-search-base") {

  222. 		config.UserBase = c.String("user-search-base")

  223. 	}

  224. 	if c.IsSet("username-attribute") {

  225. 		config.AttributeUsername = c.String("username-attribute")

  226. 	}

  227. 	if c.IsSet("firstname-attribute") {

  228. 		config.AttributeName = c.String("firstname-attribute")

  229. 	}

  230. 	if c.IsSet("surname-attribute") {

  231. 		config.AttributeSurname = c.String("surname-attribute")

  232. 	}

  233. 	if c.IsSet("email-attribute") {

  234. 		config.AttributeMail = c.String("email-attribute")

  235. 	}

  236. 	if c.IsSet("attributes-in-bind") {

  237. 		config.AttributesInBind = c.Bool("attributes-in-bind")

  238. 	}

  239. 	if c.IsSet("public-ssh-key-attribute") {

  240. 		config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")

  241. 	}

  242. 	if c.IsSet("avatar-attribute") {

  243. 		config.AttributeAvatar = c.String("avatar-attribute")

  244. 	}

  245. 	if c.IsSet("page-size") {

  246. 		config.SearchPageSize = uint32(c.Uint("page-size"))

  247. 	}

  248. 	if c.IsSet("user-filter") {

  249. 		config.Filter = c.String("user-filter")

  250. 	}

  251. 	if c.IsSet("admin-filter") {

  252. 		config.AdminFilter = c.String("admin-filter")

  253. 	}

  254. 	if c.IsSet("restricted-filter") {

  255. 		config.RestrictedFilter = c.String("restricted-filter")

  256. 	}

  257. 	if c.IsSet("allow-deactivate-all") {

  258. 		config.AllowDeactivateAll = c.Bool("allow-deactivate-all")

  259. 	}

  260. 	if c.IsSet("skip-local-2fa") {

  261. 		config.SkipLocalTwoFA = c.Bool("skip-local-2fa")

  262. 	}

  263. 

  264. 	return nil

  265. }

  266. 

  267. // findLdapSecurityProtocolByName finds security protocol by its name ignoring case.

  268. // It returns the value of the security protocol and if it was found.

  269. func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) {

  270. 	for i, n := range ldap.SecurityProtocolNames {

  271. 		if strings.EqualFold(name, n) {

  272. 			return i, true

  273. 		}

  274. 	}

  275. 	return 0, false

  276. }

  277. 

  278. // getLoginSource gets the login source by its id defined in the command line flags.

  279. // It returns an error if the id is not set, does not match any source or if the source is not of expected type.

  280. func (a *authService) getLoginSource(c *cli.Context, loginType login.Type) (*login.Source, error) {

  281. 	if err := argsSet(c, "id"); err != nil {

  282. 		return nil, err

  283. 	}

  284. 

  285. 	loginSource, err := a.getLoginSourceByID(c.Int64("id"))

  286. 	if err != nil {

  287. 		return nil, err

  288. 	}

  289. 

  290. 	if loginSource.Type != loginType {

  291. 		return nil, fmt.Errorf("Invalid authentication type. expected: %s, actual: %s", loginType.String(), loginSource.Type.String())

  292. 	}

  293. 

  294. 	return loginSource, nil

  295. }

  296. 

  297. // addLdapBindDn adds a new LDAP via Bind DN authentication source.

  298. func (a *authService) addLdapBindDn(c *cli.Context) error {

  299. 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-search-base", "user-filter", "email-attribute"); err != nil {

  300. 		return err

  301. 	}

  302. 

  303. 	ctx, cancel := installSignals()

  304. 	defer cancel()

  305. 

  306. 	if err := a.initDB(ctx); err != nil {

  307. 		return err

  308. 	}

  309. 

  310. 	loginSource := &login.Source{

  311. 		Type:     login.LDAP,

  312. 		IsActive: true, // active by default

  313. 		Cfg: &ldap.Source{

  314. 			Enabled: true, // always true

  315. 		},

  316. 	}

  317. 

  318. 	parseLoginSource(c, loginSource)

  319. 	if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {

  320. 		return err

  321. 	}

  322. 

  323. 	return a.createLoginSource(loginSource)

  324. }

  325. 

  326. // updateLdapBindDn updates a new LDAP via Bind DN authentication source.

  327. func (a *authService) updateLdapBindDn(c *cli.Context) error {

  328. 	ctx, cancel := installSignals()

  329. 	defer cancel()

  330. 

  331. 	if err := a.initDB(ctx); err != nil {

  332. 		return err

  333. 	}

  334. 

  335. 	loginSource, err := a.getLoginSource(c, login.LDAP)

  336. 	if err != nil {

  337. 		return err

  338. 	}

  339. 

  340. 	parseLoginSource(c, loginSource)

  341. 	if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {

  342. 		return err

  343. 	}

  344. 

  345. 	return a.updateLoginSource(loginSource)

  346. }

  347. 

  348. // addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.

  349. func (a *authService) addLdapSimpleAuth(c *cli.Context) error {

  350. 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-dn", "user-filter", "email-attribute"); err != nil {

  351. 		return err

  352. 	}

  353. 

  354. 	ctx, cancel := installSignals()

  355. 	defer cancel()

  356. 

  357. 	if err := a.initDB(ctx); err != nil {

  358. 		return err

  359. 	}

  360. 

  361. 	loginSource := &login.Source{

  362. 		Type:     login.DLDAP,

  363. 		IsActive: true, // active by default

  364. 		Cfg: &ldap.Source{

  365. 			Enabled: true, // always true

  366. 		},

  367. 	}

  368. 

  369. 	parseLoginSource(c, loginSource)

  370. 	if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {

  371. 		return err

  372. 	}

  373. 

  374. 	return a.createLoginSource(loginSource)

  375. }

  376. 

  377. // updateLdapBindDn updates a new LDAP (simple auth) authentication source.

  378. func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {

  379. 	ctx, cancel := installSignals()

  380. 	defer cancel()

  381. 

  382. 	if err := a.initDB(ctx); err != nil {

  383. 		return err

  384. 	}

  385. 

  386. 	loginSource, err := a.getLoginSource(c, login.DLDAP)

  387. 	if err != nil {

  388. 		return err

  389. 	}

  390. 

  391. 	parseLoginSource(c, loginSource)

  392. 	if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {

  393. 		return err

  394. 	}

  395. 

  396. 	return a.updateLoginSource(loginSource)

  397. }