123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243 |
- // Copyright 2019 The Gitea Authors. All rights reserved.
- // SPDX-License-Identifier: MIT
-
- package auth
-
- import (
- "context"
- "errors"
- "net/http"
- "strings"
-
- "code.gitea.io/gitea/models/auth"
- "code.gitea.io/gitea/models/avatars"
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/templates"
- "code.gitea.io/gitea/modules/util"
- "code.gitea.io/gitea/modules/web/middleware"
- "code.gitea.io/gitea/services/auth/source/sspi"
- "code.gitea.io/gitea/services/mailer"
-
- gouuid "github.com/google/uuid"
- "github.com/quasoft/websspi"
- "github.com/unrolled/render"
- )
-
- const (
- tplSignIn base.TplName = "user/auth/signin"
- )
-
- var (
- // sspiAuth is a global instance of the websspi authentication package,
- // which is used to avoid acquiring the server credential handle on
- // every request
- sspiAuth *websspi.Authenticator
-
- // Ensure the struct implements the interface.
- _ Method = &SSPI{}
- _ Named = &SSPI{}
- _ Initializable = &SSPI{}
- _ Freeable = &SSPI{}
- )
-
- // SSPI implements the SingleSignOn interface and authenticates requests
- // via the built-in SSPI module in Windows for SPNEGO authentication.
- // On successful authentication returns a valid user object.
- // Returns nil if authentication fails.
- type SSPI struct {
- rnd *render.Render
- }
-
- // Init creates a new global websspi.Authenticator object
- func (s *SSPI) Init(ctx context.Context) error {
- config := websspi.NewConfig()
- var err error
- sspiAuth, err = websspi.New(config)
- if err != nil {
- return err
- }
- _, s.rnd = templates.HTMLRenderer(ctx)
- return nil
- }
-
- // Name represents the name of auth method
- func (s *SSPI) Name() string {
- return "sspi"
- }
-
- // Free releases resources used by the global websspi.Authenticator object
- func (s *SSPI) Free() error {
- return sspiAuth.Free()
- }
-
- // Verify uses SSPI (Windows implementation of SPNEGO) to authenticate the request.
- // If authentication is successful, returns the corresponding user object.
- // If negotiation should continue or authentication fails, immediately returns a 401 HTTP
- // response code, as required by the SPNEGO protocol.
- func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
- if !s.shouldAuthenticate(req) {
- return nil, nil
- }
-
- cfg, err := s.getConfig()
- if err != nil {
- log.Error("could not get SSPI config: %v", err)
- return nil, err
- }
-
- log.Trace("SSPI Authorization: Attempting to authenticate")
- userInfo, outToken, err := sspiAuth.Authenticate(req, w)
- if err != nil {
- log.Warn("Authentication failed with error: %v\n", err)
- sspiAuth.AppendAuthenticateHeader(w, outToken)
-
- // Include the user login page in the 401 response to allow the user
- // to login with another authentication method if SSPI authentication
- // fails
- store.GetData()["Flash"] = map[string]string{
- "ErrorMsg": err.Error(),
- }
- store.GetData()["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn
- store.GetData()["EnableSSPI"] = true
-
- err := s.rnd.HTML(w, http.StatusUnauthorized, string(tplSignIn), templates.BaseVars().Merge(store.GetData()))
- if err != nil {
- log.Error("%v", err)
- }
-
- return nil, err
- }
- if outToken != "" {
- sspiAuth.AppendAuthenticateHeader(w, outToken)
- }
-
- username := sanitizeUsername(userInfo.Username, cfg)
- if len(username) == 0 {
- return nil, nil
- }
- log.Info("Authenticated as %s\n", username)
-
- user, err := user_model.GetUserByName(req.Context(), username)
- if err != nil {
- if !user_model.IsErrUserNotExist(err) {
- log.Error("GetUserByName: %v", err)
- return nil, err
- }
- if !cfg.AutoCreateUsers {
- log.Error("User '%s' not found", username)
- return nil, nil
- }
- user, err = s.newUser(username, cfg)
- if err != nil {
- log.Error("CreateUser: %v", err)
- return nil, err
- }
- }
-
- // Make sure requests to API paths and PWA resources do not create a new session
- if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) {
- handleSignIn(w, req, sess, user)
- }
-
- log.Trace("SSPI Authorization: Logged in user %-v", user)
- return user, nil
- }
-
- // getConfig retrieves the SSPI configuration from login sources
- func (s *SSPI) getConfig() (*sspi.Source, error) {
- sources, err := auth.ActiveSources(auth.SSPI)
- if err != nil {
- return nil, err
- }
- if len(sources) == 0 {
- return nil, errors.New("no active login sources of type SSPI found")
- }
- if len(sources) > 1 {
- return nil, errors.New("more than one active login source of type SSPI found")
- }
- return sources[0].Cfg.(*sspi.Source), nil
- }
-
- func (s *SSPI) shouldAuthenticate(req *http.Request) (shouldAuth bool) {
- shouldAuth = false
- path := strings.TrimSuffix(req.URL.Path, "/")
- if path == "/user/login" {
- if req.FormValue("user_name") != "" && req.FormValue("password") != "" {
- shouldAuth = false
- } else if req.FormValue("auth_with_sspi") == "1" {
- shouldAuth = true
- }
- } else if middleware.IsAPIPath(req) || isAttachmentDownload(req) {
- shouldAuth = true
- }
- return shouldAuth
- }
-
- // newUser creates a new user object for the purpose of automatic registration
- // and populates its name and email with the information present in request headers.
- func (s *SSPI) newUser(username string, cfg *sspi.Source) (*user_model.User, error) {
- email := gouuid.New().String() + "@localhost.localdomain"
- user := &user_model.User{
- Name: username,
- Email: email,
- Passwd: gouuid.New().String(),
- Language: cfg.DefaultLanguage,
- UseCustomAvatar: true,
- Avatar: avatars.DefaultAvatarLink(),
- }
- emailNotificationPreference := user_model.EmailNotificationsDisabled
- overwriteDefault := &user_model.CreateUserOverwriteOptions{
- IsActive: util.OptionalBoolOf(cfg.AutoActivateUsers),
- KeepEmailPrivate: util.OptionalBoolTrue,
- EmailNotificationsPreference: &emailNotificationPreference,
- }
- if err := user_model.CreateUser(user, overwriteDefault); err != nil {
- return nil, err
- }
-
- mailer.SendRegisterNotifyMail(user)
-
- return user, nil
- }
-
- // stripDomainNames removes NETBIOS domain name and separator from down-level logon names
- // (eg. "DOMAIN\user" becomes "user"), and removes the UPN suffix (domain name) and separator
- // from UPNs (eg. "user@domain.local" becomes "user")
- func stripDomainNames(username string) string {
- if strings.Contains(username, "\\") {
- parts := strings.SplitN(username, "\\", 2)
- if len(parts) > 1 {
- username = parts[1]
- }
- } else if strings.Contains(username, "@") {
- parts := strings.Split(username, "@")
- if len(parts) > 1 {
- username = parts[0]
- }
- }
- return username
- }
-
- func replaceSeparators(username string, cfg *sspi.Source) string {
- newSep := cfg.SeparatorReplacement
- username = strings.ReplaceAll(username, "\\", newSep)
- username = strings.ReplaceAll(username, "/", newSep)
- username = strings.ReplaceAll(username, "@", newSep)
- return username
- }
-
- func sanitizeUsername(username string, cfg *sspi.Source) string {
- if len(username) == 0 {
- return ""
- }
- if cfg.StripDomainNames {
- username = stripDomainNames(username)
- }
- // Replace separators even if we have already stripped the domain name part,
- // as the username can contain several separators: eg. "MICROSOFT\useremail@live.com"
- username = replaceSeparators(username, cfg)
- return username
- }
|