mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13586 Commits
17 Branches
Tree: ae52df6a64
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ae52df6a64'
${ noResults }
gitea/cmd/admin_auth_ldap.go

admin_auth_ldap.go 11KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package cmd

  6. 

  7. import (

  8. 	"context"

  9. 	"fmt"

  10. 	"strings"

  11. 

  12. 	"code.gitea.io/gitea/models/auth"

  13. 	"code.gitea.io/gitea/services/auth/source/ldap"

  14. 

  15. 	"github.com/urfave/cli"

  16. )

  17. 

  18. type (

  19. 	authService struct {

  20. 		initDB            func(ctx context.Context) error

  21. 		createAuthSource  func(*auth.Source) error

  22. 		updateAuthSource  func(*auth.Source) error

  23. 		getAuthSourceByID func(id int64) (*auth.Source, error)

  24. 	}

  25. )

  26. 

  27. var (

  28. 	commonLdapCLIFlags = []cli.Flag{

  29. 		cli.StringFlag{

  30. 			Name:  "name",

  31. 			Usage: "Authentication name.",

  32. 		},

  33. 		cli.BoolFlag{

  34. 			Name:  "not-active",

  35. 			Usage: "Deactivate the authentication source.",

  36. 		},

  37. 		cli.BoolFlag{

  38. 			Name:  "active",

  39. 			Usage: "Activate the authentication source.",

  40. 		},

  41. 		cli.StringFlag{

  42. 			Name:  "security-protocol",

  43. 			Usage: "Security protocol name.",

  44. 		},

  45. 		cli.BoolFlag{

  46. 			Name:  "skip-tls-verify",

  47. 			Usage: "Disable TLS verification.",

  48. 		},

  49. 		cli.StringFlag{

  50. 			Name:  "host",

  51. 			Usage: "The address where the LDAP server can be reached.",

  52. 		},

  53. 		cli.IntFlag{

  54. 			Name:  "port",

  55. 			Usage: "The port to use when connecting to the LDAP server.",

  56. 		},

  57. 		cli.StringFlag{

  58. 			Name:  "user-search-base",

  59. 			Usage: "The LDAP base at which user accounts will be searched for.",

  60. 		},

  61. 		cli.StringFlag{

  62. 			Name:  "user-filter",

  63. 			Usage: "An LDAP filter declaring how to find the user record that is attempting to authenticate.",

  64. 		},

  65. 		cli.StringFlag{

  66. 			Name:  "admin-filter",

  67. 			Usage: "An LDAP filter specifying if a user should be given administrator privileges.",

  68. 		},

  69. 		cli.StringFlag{

  70. 			Name:  "restricted-filter",

  71. 			Usage: "An LDAP filter specifying if a user should be given restricted status.",

  72. 		},

  73. 		cli.BoolFlag{

  74. 			Name:  "allow-deactivate-all",

  75. 			Usage: "Allow empty search results to deactivate all users.",

  76. 		},

  77. 		cli.StringFlag{

  78. 			Name:  "username-attribute",

  79. 			Usage: "The attribute of the user’s LDAP record containing the user name.",

  80. 		},

  81. 		cli.StringFlag{

  82. 			Name:  "firstname-attribute",

  83. 			Usage: "The attribute of the user’s LDAP record containing the user’s first name.",

  84. 		},

  85. 		cli.StringFlag{

  86. 			Name:  "surname-attribute",

  87. 			Usage: "The attribute of the user’s LDAP record containing the user’s surname.",

  88. 		},

  89. 		cli.StringFlag{

  90. 			Name:  "email-attribute",

  91. 			Usage: "The attribute of the user’s LDAP record containing the user’s email address.",

  92. 		},

  93. 		cli.StringFlag{

  94. 			Name:  "public-ssh-key-attribute",

  95. 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",

  96. 		},

  97. 		cli.BoolFlag{

  98. 			Name:  "skip-local-2fa",

  99. 			Usage: "Set to true to skip local 2fa for users authenticated by this source",

  100. 		},

  101. 		cli.StringFlag{

  102. 			Name:  "avatar-attribute",

  103. 			Usage: "The attribute of the user’s LDAP record containing the user’s avatar.",

  104. 		},

  105. 	}

  106. 

  107. 	ldapBindDnCLIFlags = append(commonLdapCLIFlags,

  108. 		cli.StringFlag{

  109. 			Name:  "bind-dn",

  110. 			Usage: "The DN to bind to the LDAP server with when searching for the user.",

  111. 		},

  112. 		cli.StringFlag{

  113. 			Name:  "bind-password",

  114. 			Usage: "The password for the Bind DN, if any.",

  115. 		},

  116. 		cli.BoolFlag{

  117. 			Name:  "attributes-in-bind",

  118. 			Usage: "Fetch attributes in bind DN context.",

  119. 		},

  120. 		cli.BoolFlag{

  121. 			Name:  "synchronize-users",

  122. 			Usage: "Enable user synchronization.",

  123. 		},

  124. 		cli.BoolFlag{

  125. 			Name:  "disable-synchronize-users",

  126. 			Usage: "Disable user synchronization.",

  127. 		},

  128. 		cli.UintFlag{

  129. 			Name:  "page-size",

  130. 			Usage: "Search page size.",

  131. 		})

  132. 

  133. 	ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,

  134. 		cli.StringFlag{

  135. 			Name:  "user-dn",

  136. 			Usage: "The user’s DN.",

  137. 		})

  138. 

  139. 	cmdAuthAddLdapBindDn = cli.Command{

  140. 		Name:  "add-ldap",

  141. 		Usage: "Add new LDAP (via Bind DN) authentication source",

  142. 		Action: func(c *cli.Context) error {

  143. 			return newAuthService().addLdapBindDn(c)

  144. 		},

  145. 		Flags: ldapBindDnCLIFlags,

  146. 	}

  147. 

  148. 	cmdAuthUpdateLdapBindDn = cli.Command{

  149. 		Name:  "update-ldap",

  150. 		Usage: "Update existing LDAP (via Bind DN) authentication source",

  151. 		Action: func(c *cli.Context) error {

  152. 			return newAuthService().updateLdapBindDn(c)

  153. 		},

  154. 		Flags: append([]cli.Flag{idFlag}, ldapBindDnCLIFlags...),

  155. 	}

  156. 

  157. 	cmdAuthAddLdapSimpleAuth = cli.Command{

  158. 		Name:  "add-ldap-simple",

  159. 		Usage: "Add new LDAP (simple auth) authentication source",

  160. 		Action: func(c *cli.Context) error {

  161. 			return newAuthService().addLdapSimpleAuth(c)

  162. 		},

  163. 		Flags: ldapSimpleAuthCLIFlags,

  164. 	}

  165. 

  166. 	cmdAuthUpdateLdapSimpleAuth = cli.Command{

  167. 		Name:  "update-ldap-simple",

  168. 		Usage: "Update existing LDAP (simple auth) authentication source",

  169. 		Action: func(c *cli.Context) error {

  170. 			return newAuthService().updateLdapSimpleAuth(c)

  171. 		},

  172. 		Flags: append([]cli.Flag{idFlag}, ldapSimpleAuthCLIFlags...),

  173. 	}

  174. )

  175. 

  176. // newAuthService creates a service with default functions.

  177. func newAuthService() *authService {

  178. 	return &authService{

  179. 		initDB:            initDB,

  180. 		createAuthSource:  auth.CreateSource,

  181. 		updateAuthSource:  auth.UpdateSource,

  182. 		getAuthSourceByID: auth.GetSourceByID,

  183. 	}

  184. }

  185. 

  186. // parseAuthSource assigns values on authSource according to command line flags.

  187. func parseAuthSource(c *cli.Context, authSource *auth.Source) {

  188. 	if c.IsSet("name") {

  189. 		authSource.Name = c.String("name")

  190. 	}

  191. 	if c.IsSet("not-active") {

  192. 		authSource.IsActive = !c.Bool("not-active")

  193. 	}

  194. 	if c.IsSet("active") {

  195. 		authSource.IsActive = c.Bool("active")

  196. 	}

  197. 	if c.IsSet("synchronize-users") {

  198. 		authSource.IsSyncEnabled = c.Bool("synchronize-users")

  199. 	}

  200. 	if c.IsSet("disable-synchronize-users") {

  201. 		authSource.IsSyncEnabled = !c.Bool("disable-synchronize-users")

  202. 	}

  203. }

  204. 

  205. // parseLdapConfig assigns values on config according to command line flags.

  206. func parseLdapConfig(c *cli.Context, config *ldap.Source) error {

  207. 	if c.IsSet("name") {

  208. 		config.Name = c.String("name")

  209. 	}

  210. 	if c.IsSet("host") {

  211. 		config.Host = c.String("host")

  212. 	}

  213. 	if c.IsSet("port") {

  214. 		config.Port = c.Int("port")

  215. 	}

  216. 	if c.IsSet("security-protocol") {

  217. 		p, ok := findLdapSecurityProtocolByName(c.String("security-protocol"))

  218. 		if !ok {

  219. 			return fmt.Errorf("Unknown security protocol name: %s", c.String("security-protocol"))

  220. 		}

  221. 		config.SecurityProtocol = p

  222. 	}

  223. 	if c.IsSet("skip-tls-verify") {

  224. 		config.SkipVerify = c.Bool("skip-tls-verify")

  225. 	}

  226. 	if c.IsSet("bind-dn") {

  227. 		config.BindDN = c.String("bind-dn")

  228. 	}

  229. 	if c.IsSet("user-dn") {

  230. 		config.UserDN = c.String("user-dn")

  231. 	}

  232. 	if c.IsSet("bind-password") {

  233. 		config.BindPassword = c.String("bind-password")

  234. 	}

  235. 	if c.IsSet("user-search-base") {

  236. 		config.UserBase = c.String("user-search-base")

  237. 	}

  238. 	if c.IsSet("username-attribute") {

  239. 		config.AttributeUsername = c.String("username-attribute")

  240. 	}

  241. 	if c.IsSet("firstname-attribute") {

  242. 		config.AttributeName = c.String("firstname-attribute")

  243. 	}

  244. 	if c.IsSet("surname-attribute") {

  245. 		config.AttributeSurname = c.String("surname-attribute")

  246. 	}

  247. 	if c.IsSet("email-attribute") {

  248. 		config.AttributeMail = c.String("email-attribute")

  249. 	}

  250. 	if c.IsSet("attributes-in-bind") {

  251. 		config.AttributesInBind = c.Bool("attributes-in-bind")

  252. 	}

  253. 	if c.IsSet("public-ssh-key-attribute") {

  254. 		config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")

  255. 	}

  256. 	if c.IsSet("avatar-attribute") {

  257. 		config.AttributeAvatar = c.String("avatar-attribute")

  258. 	}

  259. 	if c.IsSet("page-size") {

  260. 		config.SearchPageSize = uint32(c.Uint("page-size"))

  261. 	}

  262. 	if c.IsSet("user-filter") {

  263. 		config.Filter = c.String("user-filter")

  264. 	}

  265. 	if c.IsSet("admin-filter") {

  266. 		config.AdminFilter = c.String("admin-filter")

  267. 	}

  268. 	if c.IsSet("restricted-filter") {

  269. 		config.RestrictedFilter = c.String("restricted-filter")

  270. 	}

  271. 	if c.IsSet("allow-deactivate-all") {

  272. 		config.AllowDeactivateAll = c.Bool("allow-deactivate-all")

  273. 	}

  274. 	if c.IsSet("skip-local-2fa") {

  275. 		config.SkipLocalTwoFA = c.Bool("skip-local-2fa")

  276. 	}

  277. 	return nil

  278. }

  279. 

  280. // findLdapSecurityProtocolByName finds security protocol by its name ignoring case.

  281. // It returns the value of the security protocol and if it was found.

  282. func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) {

  283. 	for i, n := range ldap.SecurityProtocolNames {

  284. 		if strings.EqualFold(name, n) {

  285. 			return i, true

  286. 		}

  287. 	}

  288. 	return 0, false

  289. }

  290. 

  291. // getAuthSource gets the login source by its id defined in the command line flags.

  292. // It returns an error if the id is not set, does not match any source or if the source is not of expected type.

  293. func (a *authService) getAuthSource(c *cli.Context, authType auth.Type) (*auth.Source, error) {

  294. 	if err := argsSet(c, "id"); err != nil {

  295. 		return nil, err

  296. 	}

  297. 

  298. 	authSource, err := a.getAuthSourceByID(c.Int64("id"))

  299. 	if err != nil {

  300. 		return nil, err

  301. 	}

  302. 

  303. 	if authSource.Type != authType {

  304. 		return nil, fmt.Errorf("Invalid authentication type. expected: %s, actual: %s", authType.String(), authSource.Type.String())

  305. 	}

  306. 

  307. 	return authSource, nil

  308. }

  309. 

  310. // addLdapBindDn adds a new LDAP via Bind DN authentication source.

  311. func (a *authService) addLdapBindDn(c *cli.Context) error {

  312. 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-search-base", "user-filter", "email-attribute"); err != nil {

  313. 		return err

  314. 	}

  315. 

  316. 	ctx, cancel := installSignals()

  317. 	defer cancel()

  318. 

  319. 	if err := a.initDB(ctx); err != nil {

  320. 		return err

  321. 	}

  322. 

  323. 	authSource := &auth.Source{

  324. 		Type:     auth.LDAP,

  325. 		IsActive: true, // active by default

  326. 		Cfg: &ldap.Source{

  327. 			Enabled: true, // always true

  328. 		},

  329. 	}

  330. 

  331. 	parseAuthSource(c, authSource)

  332. 	if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {

  333. 		return err

  334. 	}

  335. 

  336. 	return a.createAuthSource(authSource)

  337. }

  338. 

  339. // updateLdapBindDn updates a new LDAP via Bind DN authentication source.

  340. func (a *authService) updateLdapBindDn(c *cli.Context) error {

  341. 	ctx, cancel := installSignals()

  342. 	defer cancel()

  343. 

  344. 	if err := a.initDB(ctx); err != nil {

  345. 		return err

  346. 	}

  347. 

  348. 	authSource, err := a.getAuthSource(c, auth.LDAP)

  349. 	if err != nil {

  350. 		return err

  351. 	}

  352. 

  353. 	parseAuthSource(c, authSource)

  354. 	if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {

  355. 		return err

  356. 	}

  357. 

  358. 	return a.updateAuthSource(authSource)

  359. }

  360. 

  361. // addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.

  362. func (a *authService) addLdapSimpleAuth(c *cli.Context) error {

  363. 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-dn", "user-filter", "email-attribute"); err != nil {

  364. 		return err

  365. 	}

  366. 

  367. 	ctx, cancel := installSignals()

  368. 	defer cancel()

  369. 

  370. 	if err := a.initDB(ctx); err != nil {

  371. 		return err

  372. 	}

  373. 

  374. 	authSource := &auth.Source{

  375. 		Type:     auth.DLDAP,

  376. 		IsActive: true, // active by default

  377. 		Cfg: &ldap.Source{

  378. 			Enabled: true, // always true

  379. 		},

  380. 	}

  381. 

  382. 	parseAuthSource(c, authSource)

  383. 	if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {

  384. 		return err

  385. 	}

  386. 

  387. 	return a.createAuthSource(authSource)

  388. }

  389. 

  390. // updateLdapBindDn updates a new LDAP (simple auth) authentication source.

  391. func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {

  392. 	ctx, cancel := installSignals()

  393. 	defer cancel()

  394. 

  395. 	if err := a.initDB(ctx); err != nil {

  396. 		return err

  397. 	}

  398. 

  399. 	authSource, err := a.getAuthSource(c, auth.DLDAP)

  400. 	if err != nil {

  401. 		return err

  402. 	}

  403. 

  404. 	parseAuthSource(c, authSource)

  405. 	if err := parseLdapConfig(c, authSource.Cfg.(*ldap.Source)); err != nil {

  406. 		return err

  407. 	}

  408. 

  409. 	return a.updateAuthSource(authSource)

  410. }