mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3424 Commits
17 Branches
Tree: c199703e2a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c199703e2a'
${ noResults }
gitea/models/login.go

login.go 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package models

  6. 

  7. import (

  8. 	"crypto/tls"

  9. 	"encoding/json"

  10. 	"errors"

  11. 	"fmt"

  12. 	"net/smtp"

  13. 	"net/textproto"

  14. 	"strings"

  15. 	"time"

  16. 

  17. 	"github.com/Unknwon/com"

  18. 	"github.com/go-xorm/core"

  19. 	"github.com/go-xorm/xorm"

  20. 

  21. 	"github.com/gogits/gogs/modules/auth/ldap"

  22. 	"github.com/gogits/gogs/modules/auth/pam"

  23. 	"github.com/gogits/gogs/modules/log"

  24. )

  25. 

  26. type LoginType int

  27. 

  28. // Note: new type must be added at the end of list to maintain compatibility.

  29. const (

  30. 	LOGIN_NOTYPE LoginType = iota

  31. 	LOGIN_PLAIN

  32. 	LOGIN_LDAP

  33. 	LOGIN_SMTP

  34. 	LOGIN_PAM

  35. 	LOGIN_DLDAP

  36. )

  37. 

  38. var (

  39. 	ErrAuthenticationAlreadyExist = errors.New("Authentication already exist")

  40. 	ErrAuthenticationUserUsed     = errors.New("Authentication has been used by some users")

  41. )

  42. 

  43. var LoginNames = map[LoginType]string{

  44. 	LOGIN_LDAP:  "LDAP (via BindDN)",

  45. 	LOGIN_DLDAP: "LDAP (simple auth)",

  46. 	LOGIN_SMTP:  "SMTP",

  47. 	LOGIN_PAM:   "PAM",

  48. }

  49. 

  50. // Ensure structs implemented interface.

  51. var (

  52. 	_ core.Conversion = &LDAPConfig{}

  53. 	_ core.Conversion = &SMTPConfig{}

  54. 	_ core.Conversion = &PAMConfig{}

  55. )

  56. 

  57. type LDAPConfig struct {

  58. 	*ldap.Source

  59. }

  60. 

  61. func (cfg *LDAPConfig) FromDB(bs []byte) error {

  62. 	return json.Unmarshal(bs, &cfg)

  63. }

  64. 

  65. func (cfg *LDAPConfig) ToDB() ([]byte, error) {

  66. 	return json.Marshal(cfg)

  67. }

  68. 

  69. type SMTPConfig struct {

  70. 	Auth           string

  71. 	Host           string

  72. 	Port           int

  73. 	AllowedDomains string `xorm:"TEXT"`

  74. 	TLS            bool

  75. 	SkipVerify     bool

  76. }

  77. 

  78. func (cfg *SMTPConfig) FromDB(bs []byte) error {

  79. 	return json.Unmarshal(bs, cfg)

  80. }

  81. 

  82. func (cfg *SMTPConfig) ToDB() ([]byte, error) {

  83. 	return json.Marshal(cfg)

  84. }

  85. 

  86. type PAMConfig struct {

  87. 	ServiceName string // pam service (e.g. system-auth)

  88. }

  89. 

  90. func (cfg *PAMConfig) FromDB(bs []byte) error {

  91. 	return json.Unmarshal(bs, &cfg)

  92. }

  93. 

  94. func (cfg *PAMConfig) ToDB() ([]byte, error) {

  95. 	return json.Marshal(cfg)

  96. }

  97. 

  98. type LoginSource struct {

  99. 	ID        int64 `xorm:"pk autoincr"`

  100. 	Type      LoginType

  101. 	Name      string          `xorm:"UNIQUE"`

  102. 	IsActived bool            `xorm:"NOT NULL DEFAULT false"`

  103. 	Cfg       core.Conversion `xorm:"TEXT"`

  104. 	Created   time.Time       `xorm:"CREATED"`

  105. 	Updated   time.Time       `xorm:"UPDATED"`

  106. }

  107. 

  108. // Cell2Int64 converts a xorm.Cell type to int64,

  109. // and handles possible irregular cases.

  110. func Cell2Int64(val xorm.Cell) int64 {

  111. 	switch (*val).(type) {

  112. 	case []uint8:

  113. 		log.Trace("Cell2Int64 ([]uint8): %v", *val)

  114. 		return com.StrTo(string((*val).([]uint8))).MustInt64()

  115. 	}

  116. 	return (*val).(int64)

  117. }

  118. 

  119. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {

  120. 	switch colName {

  121. 	case "type":

  122. 		switch LoginType(Cell2Int64(val)) {

  123. 		case LOGIN_LDAP, LOGIN_DLDAP:

  124. 			source.Cfg = new(LDAPConfig)

  125. 		case LOGIN_SMTP:

  126. 			source.Cfg = new(SMTPConfig)

  127. 		case LOGIN_PAM:

  128. 			source.Cfg = new(PAMConfig)

  129. 		default:

  130. 			panic("unrecognized login source type: " + com.ToStr(*val))

  131. 		}

  132. 	}

  133. }

  134. 

  135. func (source *LoginSource) TypeName() string {

  136. 	return LoginNames[source.Type]

  137. }

  138. 

  139. func (source *LoginSource) IsLDAP() bool {

  140. 	return source.Type == LOGIN_LDAP

  141. }

  142. 

  143. func (source *LoginSource) IsDLDAP() bool {

  144. 	return source.Type == LOGIN_DLDAP

  145. }

  146. 

  147. func (source *LoginSource) IsSMTP() bool {

  148. 	return source.Type == LOGIN_SMTP

  149. }

  150. 

  151. func (source *LoginSource) IsPAM() bool {

  152. 	return source.Type == LOGIN_PAM

  153. }

  154. 

  155. func (source *LoginSource) UseTLS() bool {

  156. 	switch source.Type {

  157. 	case LOGIN_LDAP, LOGIN_DLDAP:

  158. 		return source.LDAP().UseSSL

  159. 	case LOGIN_SMTP:

  160. 		return source.SMTP().TLS

  161. 	}

  162. 

  163. 	return false

  164. }

  165. 

  166. func (source *LoginSource) SkipVerify() bool {

  167. 	switch source.Type {

  168. 	case LOGIN_LDAP, LOGIN_DLDAP:

  169. 		return source.LDAP().SkipVerify

  170. 	case LOGIN_SMTP:

  171. 		return source.SMTP().SkipVerify

  172. 	}

  173. 

  174. 	return false

  175. }

  176. 

  177. func (source *LoginSource) LDAP() *LDAPConfig {

  178. 	return source.Cfg.(*LDAPConfig)

  179. }

  180. 

  181. func (source *LoginSource) SMTP() *SMTPConfig {

  182. 	return source.Cfg.(*SMTPConfig)

  183. }

  184. 

  185. func (source *LoginSource) PAM() *PAMConfig {

  186. 	return source.Cfg.(*PAMConfig)

  187. }

  188. 

  189. // CountLoginSources returns number of login sources.

  190. func CountLoginSources() int64 {

  191. 	count, _ := x.Count(new(LoginSource))

  192. 	return count

  193. }

  194. 

  195. func CreateSource(source *LoginSource) error {

  196. 	_, err := x.Insert(source)

  197. 	return err

  198. }

  199. 

  200. func LoginSources() ([]*LoginSource, error) {

  201. 	auths := make([]*LoginSource, 0, 5)

  202. 	return auths, x.Find(&auths)

  203. }

  204. 

  205. // GetLoginSourceByID returns login source by given ID.

  206. func GetLoginSourceByID(id int64) (*LoginSource, error) {

  207. 	source := new(LoginSource)

  208. 	has, err := x.Id(id).Get(source)

  209. 	if err != nil {

  210. 		return nil, err

  211. 	} else if !has {

  212. 		return nil, ErrAuthenticationNotExist{id}

  213. 	}

  214. 	return source, nil

  215. }

  216. 

  217. func UpdateSource(source *LoginSource) error {

  218. 	_, err := x.Id(source.ID).AllCols().Update(source)

  219. 	return err

  220. }

  221. 

  222. func DeleteSource(source *LoginSource) error {

  223. 	count, err := x.Count(&User{LoginSource: source.ID})

  224. 	if err != nil {

  225. 		return err

  226. 	} else if count > 0 {

  227. 		return ErrAuthenticationUserUsed

  228. 	}

  229. 	_, err = x.Id(source.ID).Delete(new(LoginSource))

  230. 	return err

  231. }

  232. 

  233. // .____     ________      _____ __________

  234. // |    |    \______ \    /  _  \\______   \

  235. // |    |     |    |  \  /  /_\  \|     ___/

  236. // |    |___  |    `   \/    |    \    |

  237. // |_______ \/_______  /\____|__  /____|

  238. //         \/        \/         \/

  239. 

  240. // LoginUserLDAPSource queries if loginName/passwd can login against the LDAP directory pool,

  241. // and create a local user if success when enabled.

  242. // It returns the same LoginUserPlain semantic.

  243. func LoginUserLDAPSource(u *User, loginName, passwd string, source *LoginSource, autoRegister bool) (*User, error) {

  244. 	cfg := source.Cfg.(*LDAPConfig)

  245. 	directBind := (source.Type == LOGIN_DLDAP)

  246. 	name, fn, sn, mail, admin, logged := cfg.SearchEntry(loginName, passwd, directBind)

  247. 	if !logged {

  248. 		// User not in LDAP, do nothing

  249. 		return nil, ErrUserNotExist{0, loginName}

  250. 	}

  251. 

  252. 	if !autoRegister {

  253. 		return u, nil

  254. 	}

  255. 

  256. 	// Fallback.

  257. 	if len(name) == 0 {

  258. 		name = loginName

  259. 	}

  260. 	if len(mail) == 0 {

  261. 		mail = fmt.Sprintf("%s@localhost", name)

  262. 	}

  263. 

  264. 	u = &User{

  265. 		LowerName:   strings.ToLower(name),

  266. 		Name:        name,

  267. 		FullName:    composeFullName(fn, sn, name),

  268. 		LoginType:   source.Type,

  269. 		LoginSource: source.ID,

  270. 		LoginName:   loginName,

  271. 		Email:       mail,

  272. 		IsAdmin:     admin,

  273. 		IsActive:    true,

  274. 	}

  275. 	return u, CreateUser(u)

  276. }

  277. 

  278. func composeFullName(firstName, surename, userName string) string {

  279. 	switch {

  280. 	case len(firstName) == 0 && len(surename) == 0:

  281. 		return userName

  282. 	case len(firstName) == 0:

  283. 		return surename

  284. 	case len(surename) == 0:

  285. 		return firstName

  286. 	default:

  287. 		return firstName + " " + surename

  288. 	}

  289. }

  290. 

  291. //   _________   __________________________

  292. //  /   _____/  /     \__    ___/\______   \

  293. //  \_____  \  /  \ /  \|    |    |     ___/

  294. //  /        \/    Y    \    |    |    |

  295. // /_______  /\____|__  /____|    |____|

  296. //         \/         \/

  297. 

  298. type loginAuth struct {

  299. 	username, password string

  300. }

  301. 

  302. func LoginAuth(username, password string) smtp.Auth {

  303. 	return &loginAuth{username, password}

  304. }

  305. 

  306. func (a *loginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {

  307. 	return "LOGIN", []byte(a.username), nil

  308. }

  309. 

  310. func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {

  311. 	if more {

  312. 		switch string(fromServer) {

  313. 		case "Username:":

  314. 			return []byte(a.username), nil

  315. 		case "Password:":

  316. 			return []byte(a.password), nil

  317. 		}

  318. 	}

  319. 	return nil, nil

  320. }

  321. 

  322. const (

  323. 	SMTP_PLAIN = "PLAIN"

  324. 	SMTP_LOGIN = "LOGIN"

  325. )

  326. 

  327. var SMTPAuths = []string{SMTP_PLAIN, SMTP_LOGIN}

  328. 

  329. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {

  330. 	c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))

  331. 	if err != nil {

  332. 		return err

  333. 	}

  334. 	defer c.Close()

  335. 

  336. 	if err = c.Hello("gogs"); err != nil {

  337. 		return err

  338. 	}

  339. 

  340. 	if cfg.TLS {

  341. 		if ok, _ := c.Extension("STARTTLS"); ok {

  342. 			if err = c.StartTLS(&tls.Config{

  343. 				InsecureSkipVerify: cfg.SkipVerify,

  344. 				ServerName:         cfg.Host,

  345. 			}); err != nil {

  346. 				return err

  347. 			}

  348. 		} else {

  349. 			return errors.New("SMTP server unsupports TLS")

  350. 		}

  351. 	}

  352. 

  353. 	if ok, _ := c.Extension("AUTH"); ok {

  354. 		if err = c.Auth(a); err != nil {

  355. 			return err

  356. 		}

  357. 		return nil

  358. 	}

  359. 	return ErrUnsupportedLoginType

  360. }

  361. 

  362. // Query if name/passwd can login against the LDAP directory pool

  363. // Create a local user if success

  364. // Return the same LoginUserPlain semantic

  365. func LoginUserSMTPSource(u *User, name, passwd string, sourceID int64, cfg *SMTPConfig, autoRegister bool) (*User, error) {

  366. 	// Verify allowed domains.

  367. 	if len(cfg.AllowedDomains) > 0 {

  368. 		idx := strings.Index(name, "@")

  369. 		if idx == -1 {

  370. 			return nil, ErrUserNotExist{0, name}

  371. 		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), name[idx+1:]) {

  372. 			return nil, ErrUserNotExist{0, name}

  373. 		}

  374. 	}

  375. 

  376. 	var auth smtp.Auth

  377. 	if cfg.Auth == SMTP_PLAIN {

  378. 		auth = smtp.PlainAuth("", name, passwd, cfg.Host)

  379. 	} else if cfg.Auth == SMTP_LOGIN {

  380. 		auth = LoginAuth(name, passwd)

  381. 	} else {

  382. 		return nil, errors.New("Unsupported SMTP auth type")

  383. 	}

  384. 

  385. 	if err := SMTPAuth(auth, cfg); err != nil {

  386. 		// Check standard error format first,

  387. 		// then fallback to worse case.

  388. 		tperr, ok := err.(*textproto.Error)

  389. 		if (ok && tperr.Code == 535) ||

  390. 			strings.Contains(err.Error(), "Username and Password not accepted") {

  391. 			return nil, ErrUserNotExist{0, name}

  392. 		}

  393. 		return nil, err

  394. 	}

  395. 

  396. 	if !autoRegister {

  397. 		return u, nil

  398. 	}

  399. 

  400. 	var loginName = name

  401. 	idx := strings.Index(name, "@")

  402. 	if idx > -1 {

  403. 		loginName = name[:idx]

  404. 	}

  405. 	// fake a local user creation

  406. 	u = &User{

  407. 		LowerName:   strings.ToLower(loginName),

  408. 		Name:        strings.ToLower(loginName),

  409. 		LoginType:   LOGIN_SMTP,

  410. 		LoginSource: sourceID,

  411. 		LoginName:   name,

  412. 		IsActive:    true,

  413. 		Passwd:      passwd,

  414. 		Email:       name,

  415. 	}

  416. 	err := CreateUser(u)

  417. 	return u, err

  418. }

  419. 

  420. // __________  _____      _____

  421. // \______   \/  _  \    /     \

  422. //  |     ___/  /_\  \  /  \ /  \

  423. //  |    |  /    |    \/    Y    \

  424. //  |____|  \____|__  /\____|__  /

  425. //                  \/         \/

  426. 

  427. // Query if name/passwd can login against PAM

  428. // Create a local user if success

  429. // Return the same LoginUserPlain semantic

  430. func LoginUserPAMSource(u *User, name, passwd string, sourceID int64, cfg *PAMConfig, autoRegister bool) (*User, error) {

  431. 	if err := pam.PAMAuth(cfg.ServiceName, name, passwd); err != nil {

  432. 		if strings.Contains(err.Error(), "Authentication failure") {

  433. 			return nil, ErrUserNotExist{0, name}

  434. 		}

  435. 		return nil, err

  436. 	}

  437. 

  438. 	if !autoRegister {

  439. 		return u, nil

  440. 	}

  441. 

  442. 	// fake a local user creation

  443. 	u = &User{

  444. 		LowerName:   strings.ToLower(name),

  445. 		Name:        name,

  446. 		LoginType:   LOGIN_PAM,

  447. 		LoginSource: sourceID,

  448. 		LoginName:   name,

  449. 		IsActive:    true,

  450. 		Passwd:      passwd,

  451. 		Email:       name,

  452. 	}

  453. 	return u, CreateUser(u)

  454. }

  455. 

  456. func ExternalUserLogin(u *User, name, passwd string, source *LoginSource, autoRegister bool) (*User, error) {

  457. 	if !source.IsActived {

  458. 		return nil, ErrLoginSourceNotActived

  459. 	}

  460. 

  461. 	switch source.Type {

  462. 	case LOGIN_LDAP, LOGIN_DLDAP:

  463. 		return LoginUserLDAPSource(u, name, passwd, source, autoRegister)

  464. 	case LOGIN_SMTP:

  465. 		return LoginUserSMTPSource(u, name, passwd, source.ID, source.Cfg.(*SMTPConfig), autoRegister)

  466. 	case LOGIN_PAM:

  467. 		return LoginUserPAMSource(u, name, passwd, source.ID, source.Cfg.(*PAMConfig), autoRegister)

  468. 	}

  469. 

  470. 	return nil, ErrUnsupportedLoginType

  471. }

  472. 

  473. // UserSignIn validates user name and password.

  474. func UserSignIn(uname, passwd string) (*User, error) {

  475. 	var u *User

  476. 	if strings.Contains(uname, "@") {

  477. 		u = &User{Email: strings.ToLower(uname)}

  478. 	} else {

  479. 		u = &User{LowerName: strings.ToLower(uname)}

  480. 	}

  481. 

  482. 	userExists, err := x.Get(u)

  483. 	if err != nil {

  484. 		return nil, err

  485. 	}

  486. 

  487. 	if userExists {

  488. 		switch u.LoginType {

  489. 		case LOGIN_NOTYPE, LOGIN_PLAIN:

  490. 			if u.ValidatePassword(passwd) {

  491. 				return u, nil

  492. 			}

  493. 

  494. 			return nil, ErrUserNotExist{u.Id, u.Name}

  495. 

  496. 		default:

  497. 			var source LoginSource

  498. 			hasSource, err := x.Id(u.LoginSource).Get(&source)

  499. 			if err != nil {

  500. 				return nil, err

  501. 			} else if !hasSource {

  502. 				return nil, ErrLoginSourceNotExist

  503. 			}

  504. 

  505. 			return ExternalUserLogin(u, u.LoginName, passwd, &source, false)

  506. 		}

  507. 	}

  508. 

  509. 	var sources []LoginSource

  510. 	if err = x.UseBool().Find(&sources, &LoginSource{IsActived: true}); err != nil {

  511. 		return nil, err

  512. 	}

  513. 

  514. 	for _, source := range sources {

  515. 		u, err := ExternalUserLogin(nil, uname, passwd, &source, true)

  516. 		if err == nil {

  517. 			return u, nil

  518. 		}

  519. 

  520. 		log.Warn("Failed to login '%s' via '%s': %v", uname, source.Name, err)

  521. 	}

  522. 

  523. 	return nil, ErrUserNotExist{u.Id, u.Name}

  524. }