mirrors
/
gitea
peilaus alkaen https://github.com/go-gitea/gitea.git
Tarkkaile 1
Äänestä 0
Fork 0
Koodi Ongelmat 0 Julkaisut 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8876 Commitit
17 Branchit
Puu: c6edb25fe2
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from 'c6edb25fe2'
${ noResults }
gitea/models/login_source.go

login_source.go 22KB
Raaka Blame Historia

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2019 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package models

  7. 

  8. import (

  9. 	"crypto/tls"

  10. 	"encoding/json"

  11. 	"errors"

  12. 	"fmt"

  13. 	"net/smtp"

  14. 	"net/textproto"

  15. 	"regexp"

  16. 	"strings"

  17. 

  18. 	"code.gitea.io/gitea/modules/auth/ldap"

  19. 	"code.gitea.io/gitea/modules/auth/oauth2"

  20. 	"code.gitea.io/gitea/modules/auth/pam"

  21. 	"code.gitea.io/gitea/modules/log"

  22. 	"code.gitea.io/gitea/modules/setting"

  23. 	"code.gitea.io/gitea/modules/timeutil"

  24. 

  25. 	"github.com/unknwon/com"

  26. 	"xorm.io/core"

  27. 	"xorm.io/xorm"

  28. )

  29. 

  30. // LoginType represents an login type.

  31. type LoginType int

  32. 

  33. // Note: new type must append to the end of list to maintain compatibility.

  34. const (

  35. 	LoginNoType LoginType = iota

  36. 	LoginPlain            // 1

  37. 	LoginLDAP             // 2

  38. 	LoginSMTP             // 3

  39. 	LoginPAM              // 4

  40. 	LoginDLDAP            // 5

  41. 	LoginOAuth2           // 6

  42. 	LoginSSPI             // 7

  43. )

  44. 

  45. // LoginNames contains the name of LoginType values.

  46. var LoginNames = map[LoginType]string{

  47. 	LoginLDAP:   "LDAP (via BindDN)",

  48. 	LoginDLDAP:  "LDAP (simple auth)", // Via direct bind

  49. 	LoginSMTP:   "SMTP",

  50. 	LoginPAM:    "PAM",

  51. 	LoginOAuth2: "OAuth2",

  52. 	LoginSSPI:   "SPNEGO with SSPI",

  53. }

  54. 

  55. // SecurityProtocolNames contains the name of SecurityProtocol values.

  56. var SecurityProtocolNames = map[ldap.SecurityProtocol]string{

  57. 	ldap.SecurityProtocolUnencrypted: "Unencrypted",

  58. 	ldap.SecurityProtocolLDAPS:       "LDAPS",

  59. 	ldap.SecurityProtocolStartTLS:    "StartTLS",

  60. }

  61. 

  62. // Ensure structs implemented interface.

  63. var (

  64. 	_ core.Conversion = &LDAPConfig{}

  65. 	_ core.Conversion = &SMTPConfig{}

  66. 	_ core.Conversion = &PAMConfig{}

  67. 	_ core.Conversion = &OAuth2Config{}

  68. 	_ core.Conversion = &SSPIConfig{}

  69. )

  70. 

  71. // LDAPConfig holds configuration for LDAP login source.

  72. type LDAPConfig struct {

  73. 	*ldap.Source

  74. }

  75. 

  76. // FromDB fills up a LDAPConfig from serialized format.

  77. func (cfg *LDAPConfig) FromDB(bs []byte) error {

  78. 	return json.Unmarshal(bs, &cfg)

  79. }

  80. 

  81. // ToDB exports a LDAPConfig to a serialized format.

  82. func (cfg *LDAPConfig) ToDB() ([]byte, error) {

  83. 	return json.Marshal(cfg)

  84. }

  85. 

  86. // SecurityProtocolName returns the name of configured security

  87. // protocol.

  88. func (cfg *LDAPConfig) SecurityProtocolName() string {

  89. 	return SecurityProtocolNames[cfg.SecurityProtocol]

  90. }

  91. 

  92. // SMTPConfig holds configuration for the SMTP login source.

  93. type SMTPConfig struct {

  94. 	Auth           string

  95. 	Host           string

  96. 	Port           int

  97. 	AllowedDomains string `xorm:"TEXT"`

  98. 	TLS            bool

  99. 	SkipVerify     bool

  100. }

  101. 

  102. // FromDB fills up an SMTPConfig from serialized format.

  103. func (cfg *SMTPConfig) FromDB(bs []byte) error {

  104. 	return json.Unmarshal(bs, cfg)

  105. }

  106. 

  107. // ToDB exports an SMTPConfig to a serialized format.

  108. func (cfg *SMTPConfig) ToDB() ([]byte, error) {

  109. 	return json.Marshal(cfg)

  110. }

  111. 

  112. // PAMConfig holds configuration for the PAM login source.

  113. type PAMConfig struct {

  114. 	ServiceName string // pam service (e.g. system-auth)

  115. }

  116. 

  117. // FromDB fills up a PAMConfig from serialized format.

  118. func (cfg *PAMConfig) FromDB(bs []byte) error {

  119. 	return json.Unmarshal(bs, &cfg)

  120. }

  121. 

  122. // ToDB exports a PAMConfig to a serialized format.

  123. func (cfg *PAMConfig) ToDB() ([]byte, error) {

  124. 	return json.Marshal(cfg)

  125. }

  126. 

  127. // OAuth2Config holds configuration for the OAuth2 login source.

  128. type OAuth2Config struct {

  129. 	Provider                      string

  130. 	ClientID                      string

  131. 	ClientSecret                  string

  132. 	OpenIDConnectAutoDiscoveryURL string

  133. 	CustomURLMapping              *oauth2.CustomURLMapping

  134. }

  135. 

  136. // FromDB fills up an OAuth2Config from serialized format.

  137. func (cfg *OAuth2Config) FromDB(bs []byte) error {

  138. 	return json.Unmarshal(bs, cfg)

  139. }

  140. 

  141. // ToDB exports an SMTPConfig to a serialized format.

  142. func (cfg *OAuth2Config) ToDB() ([]byte, error) {

  143. 	return json.Marshal(cfg)

  144. }

  145. 

  146. // SSPIConfig holds configuration for SSPI single sign-on.

  147. type SSPIConfig struct {

  148. 	AutoCreateUsers      bool

  149. 	AutoActivateUsers    bool

  150. 	StripDomainNames     bool

  151. 	SeparatorReplacement string

  152. 	DefaultLanguage      string

  153. }

  154. 

  155. // FromDB fills up an SSPIConfig from serialized format.

  156. func (cfg *SSPIConfig) FromDB(bs []byte) error {

  157. 	return json.Unmarshal(bs, cfg)

  158. }

  159. 

  160. // ToDB exports an SSPIConfig to a serialized format.

  161. func (cfg *SSPIConfig) ToDB() ([]byte, error) {

  162. 	return json.Marshal(cfg)

  163. }

  164. 

  165. // LoginSource represents an external way for authorizing users.

  166. type LoginSource struct {

  167. 	ID            int64 `xorm:"pk autoincr"`

  168. 	Type          LoginType

  169. 	Name          string          `xorm:"UNIQUE"`

  170. 	IsActived     bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  171. 	IsSyncEnabled bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  172. 	Cfg           core.Conversion `xorm:"TEXT"`

  173. 

  174. 	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`

  175. 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`

  176. }

  177. 

  178. // Cell2Int64 converts a xorm.Cell type to int64,

  179. // and handles possible irregular cases.

  180. func Cell2Int64(val xorm.Cell) int64 {

  181. 	switch (*val).(type) {

  182. 	case []uint8:

  183. 		log.Trace("Cell2Int64 ([]uint8): %v", *val)

  184. 		return com.StrTo(string((*val).([]uint8))).MustInt64()

  185. 	}

  186. 	return (*val).(int64)

  187. }

  188. 

  189. // BeforeSet is invoked from XORM before setting the value of a field of this object.

  190. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {

  191. 	if colName == "type" {

  192. 		switch LoginType(Cell2Int64(val)) {

  193. 		case LoginLDAP, LoginDLDAP:

  194. 			source.Cfg = new(LDAPConfig)

  195. 		case LoginSMTP:

  196. 			source.Cfg = new(SMTPConfig)

  197. 		case LoginPAM:

  198. 			source.Cfg = new(PAMConfig)

  199. 		case LoginOAuth2:

  200. 			source.Cfg = new(OAuth2Config)

  201. 		case LoginSSPI:

  202. 			source.Cfg = new(SSPIConfig)

  203. 		default:

  204. 			panic("unrecognized login source type: " + com.ToStr(*val))

  205. 		}

  206. 	}

  207. }

  208. 

  209. // TypeName return name of this login source type.

  210. func (source *LoginSource) TypeName() string {

  211. 	return LoginNames[source.Type]

  212. }

  213. 

  214. // IsLDAP returns true of this source is of the LDAP type.

  215. func (source *LoginSource) IsLDAP() bool {

  216. 	return source.Type == LoginLDAP

  217. }

  218. 

  219. // IsDLDAP returns true of this source is of the DLDAP type.

  220. func (source *LoginSource) IsDLDAP() bool {

  221. 	return source.Type == LoginDLDAP

  222. }

  223. 

  224. // IsSMTP returns true of this source is of the SMTP type.

  225. func (source *LoginSource) IsSMTP() bool {

  226. 	return source.Type == LoginSMTP

  227. }

  228. 

  229. // IsPAM returns true of this source is of the PAM type.

  230. func (source *LoginSource) IsPAM() bool {

  231. 	return source.Type == LoginPAM

  232. }

  233. 

  234. // IsOAuth2 returns true of this source is of the OAuth2 type.

  235. func (source *LoginSource) IsOAuth2() bool {

  236. 	return source.Type == LoginOAuth2

  237. }

  238. 

  239. // IsSSPI returns true of this source is of the SSPI type.

  240. func (source *LoginSource) IsSSPI() bool {

  241. 	return source.Type == LoginSSPI

  242. }

  243. 

  244. // HasTLS returns true of this source supports TLS.

  245. func (source *LoginSource) HasTLS() bool {

  246. 	return ((source.IsLDAP() || source.IsDLDAP()) &&

  247. 		source.LDAP().SecurityProtocol > ldap.SecurityProtocolUnencrypted) ||

  248. 		source.IsSMTP()

  249. }

  250. 

  251. // UseTLS returns true of this source is configured to use TLS.

  252. func (source *LoginSource) UseTLS() bool {

  253. 	switch source.Type {

  254. 	case LoginLDAP, LoginDLDAP:

  255. 		return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted

  256. 	case LoginSMTP:

  257. 		return source.SMTP().TLS

  258. 	}

  259. 

  260. 	return false

  261. }

  262. 

  263. // SkipVerify returns true if this source is configured to skip SSL

  264. // verification.

  265. func (source *LoginSource) SkipVerify() bool {

  266. 	switch source.Type {

  267. 	case LoginLDAP, LoginDLDAP:

  268. 		return source.LDAP().SkipVerify

  269. 	case LoginSMTP:

  270. 		return source.SMTP().SkipVerify

  271. 	}

  272. 

  273. 	return false

  274. }

  275. 

  276. // LDAP returns LDAPConfig for this source, if of LDAP type.

  277. func (source *LoginSource) LDAP() *LDAPConfig {

  278. 	return source.Cfg.(*LDAPConfig)

  279. }

  280. 

  281. // SMTP returns SMTPConfig for this source, if of SMTP type.

  282. func (source *LoginSource) SMTP() *SMTPConfig {

  283. 	return source.Cfg.(*SMTPConfig)

  284. }

  285. 

  286. // PAM returns PAMConfig for this source, if of PAM type.

  287. func (source *LoginSource) PAM() *PAMConfig {

  288. 	return source.Cfg.(*PAMConfig)

  289. }

  290. 

  291. // OAuth2 returns OAuth2Config for this source, if of OAuth2 type.

  292. func (source *LoginSource) OAuth2() *OAuth2Config {

  293. 	return source.Cfg.(*OAuth2Config)

  294. }

  295. 

  296. // SSPI returns SSPIConfig for this source, if of SSPI type.

  297. func (source *LoginSource) SSPI() *SSPIConfig {

  298. 	return source.Cfg.(*SSPIConfig)

  299. }

  300. 

  301. // CreateLoginSource inserts a LoginSource in the DB if not already

  302. // existing with the given name.

  303. func CreateLoginSource(source *LoginSource) error {

  304. 	has, err := x.Get(&LoginSource{Name: source.Name})

  305. 	if err != nil {

  306. 		return err

  307. 	} else if has {

  308. 		return ErrLoginSourceAlreadyExist{source.Name}

  309. 	}

  310. 	// Synchronization is only aviable with LDAP for now

  311. 	if !source.IsLDAP() {

  312. 		source.IsSyncEnabled = false

  313. 	}

  314. 

  315. 	_, err = x.Insert(source)

  316. 	if err == nil && source.IsOAuth2() && source.IsActived {

  317. 		oAuth2Config := source.OAuth2()

  318. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  319. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  320. 		if err != nil {

  321. 			// remove the LoginSource in case of errors while registering OAuth2 providers

  322. 			if _, err := x.Delete(source); err != nil {

  323. 				log.Error("CreateLoginSource: Error while wrapOpenIDConnectInitializeError: %v", err)

  324. 			}

  325. 			return err

  326. 		}

  327. 	}

  328. 	return err

  329. }

  330. 

  331. // LoginSources returns a slice of all login sources found in DB.

  332. func LoginSources() ([]*LoginSource, error) {

  333. 	auths := make([]*LoginSource, 0, 6)

  334. 	return auths, x.Find(&auths)

  335. }

  336. 

  337. // LoginSourcesByType returns all sources of the specified type

  338. func LoginSourcesByType(loginType LoginType) ([]*LoginSource, error) {

  339. 	sources := make([]*LoginSource, 0, 1)

  340. 	if err := x.Where("type = ?", loginType).Find(&sources); err != nil {

  341. 		return nil, err

  342. 	}

  343. 	return sources, nil

  344. }

  345. 

  346. // ActiveLoginSources returns all active sources of the specified type

  347. func ActiveLoginSources(loginType LoginType) ([]*LoginSource, error) {

  348. 	sources := make([]*LoginSource, 0, 1)

  349. 	if err := x.Where("is_actived = ? and type = ?", true, loginType).Find(&sources); err != nil {

  350. 		return nil, err

  351. 	}

  352. 	return sources, nil

  353. }

  354. 

  355. // IsSSPIEnabled returns true if there is at least one activated login

  356. // source of type LoginSSPI

  357. func IsSSPIEnabled() bool {

  358. 	if !HasEngine {

  359. 		return false

  360. 	}

  361. 	sources, err := ActiveLoginSources(LoginSSPI)

  362. 	if err != nil {

  363. 		log.Error("ActiveLoginSources: %v", err)

  364. 		return false

  365. 	}

  366. 	return len(sources) > 0

  367. }

  368. 

  369. // GetLoginSourceByID returns login source by given ID.

  370. func GetLoginSourceByID(id int64) (*LoginSource, error) {

  371. 	source := new(LoginSource)

  372. 	has, err := x.ID(id).Get(source)

  373. 	if err != nil {

  374. 		return nil, err

  375. 	} else if !has {

  376. 		return nil, ErrLoginSourceNotExist{id}

  377. 	}

  378. 	return source, nil

  379. }

  380. 

  381. // UpdateSource updates a LoginSource record in DB.

  382. func UpdateSource(source *LoginSource) error {

  383. 	var originalLoginSource *LoginSource

  384. 	if source.IsOAuth2() {

  385. 		// keep track of the original values so we can restore in case of errors while registering OAuth2 providers

  386. 		var err error

  387. 		if originalLoginSource, err = GetLoginSourceByID(source.ID); err != nil {

  388. 			return err

  389. 		}

  390. 	}

  391. 

  392. 	_, err := x.ID(source.ID).AllCols().Update(source)

  393. 	if err == nil && source.IsOAuth2() && source.IsActived {

  394. 		oAuth2Config := source.OAuth2()

  395. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  396. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  397. 		if err != nil {

  398. 			// restore original values since we cannot update the provider it self

  399. 			if _, err := x.ID(source.ID).AllCols().Update(originalLoginSource); err != nil {

  400. 				log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err)

  401. 			}

  402. 			return err

  403. 		}

  404. 	}

  405. 	return err

  406. }

  407. 

  408. // DeleteSource deletes a LoginSource record in DB.

  409. func DeleteSource(source *LoginSource) error {

  410. 	count, err := x.Count(&User{LoginSource: source.ID})

  411. 	if err != nil {

  412. 		return err

  413. 	} else if count > 0 {

  414. 		return ErrLoginSourceInUse{source.ID}

  415. 	}

  416. 

  417. 	count, err = x.Count(&ExternalLoginUser{LoginSourceID: source.ID})

  418. 	if err != nil {

  419. 		return err

  420. 	} else if count > 0 {

  421. 		return ErrLoginSourceInUse{source.ID}

  422. 	}

  423. 

  424. 	if source.IsOAuth2() {

  425. 		oauth2.RemoveProvider(source.Name)

  426. 	}

  427. 

  428. 	_, err = x.ID(source.ID).Delete(new(LoginSource))

  429. 	return err

  430. }

  431. 

  432. // CountLoginSources returns number of login sources.

  433. func CountLoginSources() int64 {

  434. 	count, _ := x.Count(new(LoginSource))

  435. 	return count

  436. }

  437. 

  438. // .____     ________      _____ __________

  439. // |    |    \______ \    /  _  \\______   \

  440. // |    |     |    |  \  /  /_\  \|     ___/

  441. // |    |___  |    `   \/    |    \    |

  442. // |_______ \/_______  /\____|__  /____|

  443. //         \/        \/         \/

  444. 

  445. func composeFullName(firstname, surname, username string) string {

  446. 	switch {

  447. 	case len(firstname) == 0 && len(surname) == 0:

  448. 		return username

  449. 	case len(firstname) == 0:

  450. 		return surname

  451. 	case len(surname) == 0:

  452. 		return firstname

  453. 	default:

  454. 		return firstname + " " + surname

  455. 	}

  456. }

  457. 

  458. var (

  459. 	alphaDashDotPattern = regexp.MustCompile(`[^\w-\.]`)

  460. )

  461. 

  462. // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,

  463. // and create a local user if success when enabled.

  464. func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*User, error) {

  465. 	sr := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LoginDLDAP)

  466. 	if sr == nil {

  467. 		// User not in LDAP, do nothing

  468. 		return nil, ErrUserNotExist{0, login, 0}

  469. 	}

  470. 

  471. 	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(source.LDAP().AttributeSSHPublicKey)) > 0

  472. 

  473. 	// Update User admin flag if exist

  474. 	if isExist, err := IsUserExist(0, sr.Username); err != nil {

  475. 		return nil, err

  476. 	} else if isExist {

  477. 		if user == nil {

  478. 			user, err = GetUserByName(sr.Username)

  479. 			if err != nil {

  480. 				return nil, err

  481. 			}

  482. 		}

  483. 		if user != nil &&

  484. 			!user.ProhibitLogin && len(source.LDAP().AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin {

  485. 			// Change existing admin flag only if AdminFilter option is set

  486. 			user.IsAdmin = sr.IsAdmin

  487. 			err = UpdateUserCols(user, "is_admin")

  488. 			if err != nil {

  489. 				return nil, err

  490. 			}

  491. 		}

  492. 	}

  493. 

  494. 	if user != nil {

  495. 		if isAttributeSSHPublicKeySet && synchronizeLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {

  496. 			return user, RewriteAllPublicKeys()

  497. 		}

  498. 

  499. 		return user, nil

  500. 	}

  501. 

  502. 	// Fallback.

  503. 	if len(sr.Username) == 0 {

  504. 		sr.Username = login

  505. 	}

  506. 	// Validate username make sure it satisfies requirement.

  507. 	if alphaDashDotPattern.MatchString(sr.Username) {

  508. 		return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", sr.Username)

  509. 	}

  510. 

  511. 	if len(sr.Mail) == 0 {

  512. 		sr.Mail = fmt.Sprintf("%s@localhost", sr.Username)

  513. 	}

  514. 

  515. 	user = &User{

  516. 		LowerName:   strings.ToLower(sr.Username),

  517. 		Name:        sr.Username,

  518. 		FullName:    composeFullName(sr.Name, sr.Surname, sr.Username),

  519. 		Email:       sr.Mail,

  520. 		LoginType:   source.Type,

  521. 		LoginSource: source.ID,

  522. 		LoginName:   login,

  523. 		IsActive:    true,

  524. 		IsAdmin:     sr.IsAdmin,

  525. 	}

  526. 

  527. 	err := CreateUser(user)

  528. 

  529. 	if err == nil && isAttributeSSHPublicKeySet && addLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {

  530. 		err = RewriteAllPublicKeys()

  531. 	}

  532. 

  533. 	return user, err

  534. }

  535. 

  536. //   _________   __________________________

  537. //  /   _____/  /     \__    ___/\______   \

  538. //  \_____  \  /  \ /  \|    |    |     ___/

  539. //  /        \/    Y    \    |    |    |

  540. // /_______  /\____|__  /____|    |____|

  541. //         \/         \/

  542. 

  543. type smtpLoginAuth struct {

  544. 	username, password string

  545. }

  546. 

  547. func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {

  548. 	return "LOGIN", []byte(auth.username), nil

  549. }

  550. 

  551. func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {

  552. 	if more {

  553. 		switch string(fromServer) {

  554. 		case "Username:":

  555. 			return []byte(auth.username), nil

  556. 		case "Password:":

  557. 			return []byte(auth.password), nil

  558. 		}

  559. 	}

  560. 	return nil, nil

  561. }

  562. 

  563. // SMTP authentication type names.

  564. const (

  565. 	SMTPPlain = "PLAIN"

  566. 	SMTPLogin = "LOGIN"

  567. )

  568. 

  569. // SMTPAuths contains available SMTP authentication type names.

  570. var SMTPAuths = []string{SMTPPlain, SMTPLogin}

  571. 

  572. // SMTPAuth performs an SMTP authentication.

  573. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {

  574. 	c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))

  575. 	if err != nil {

  576. 		return err

  577. 	}

  578. 	defer c.Close()

  579. 

  580. 	if err = c.Hello("gogs"); err != nil {

  581. 		return err

  582. 	}

  583. 

  584. 	if cfg.TLS {

  585. 		if ok, _ := c.Extension("STARTTLS"); ok {

  586. 			if err = c.StartTLS(&tls.Config{

  587. 				InsecureSkipVerify: cfg.SkipVerify,

  588. 				ServerName:         cfg.Host,

  589. 			}); err != nil {

  590. 				return err

  591. 			}

  592. 		} else {

  593. 			return errors.New("SMTP server unsupports TLS")

  594. 		}

  595. 	}

  596. 

  597. 	if ok, _ := c.Extension("AUTH"); ok {

  598. 		return c.Auth(a)

  599. 	}

  600. 	return ErrUnsupportedLoginType

  601. }

  602. 

  603. // LoginViaSMTP queries if login/password is valid against the SMTP,

  604. // and create a local user if success when enabled.

  605. func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig) (*User, error) {

  606. 	// Verify allowed domains.

  607. 	if len(cfg.AllowedDomains) > 0 {

  608. 		idx := strings.Index(login, "@")

  609. 		if idx == -1 {

  610. 			return nil, ErrUserNotExist{0, login, 0}

  611. 		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {

  612. 			return nil, ErrUserNotExist{0, login, 0}

  613. 		}

  614. 	}

  615. 

  616. 	var auth smtp.Auth

  617. 	if cfg.Auth == SMTPPlain {

  618. 		auth = smtp.PlainAuth("", login, password, cfg.Host)

  619. 	} else if cfg.Auth == SMTPLogin {

  620. 		auth = &smtpLoginAuth{login, password}

  621. 	} else {

  622. 		return nil, errors.New("Unsupported SMTP auth type")

  623. 	}

  624. 

  625. 	if err := SMTPAuth(auth, cfg); err != nil {

  626. 		// Check standard error format first,

  627. 		// then fallback to worse case.

  628. 		tperr, ok := err.(*textproto.Error)

  629. 		if (ok && tperr.Code == 535) ||

  630. 			strings.Contains(err.Error(), "Username and Password not accepted") {

  631. 			return nil, ErrUserNotExist{0, login, 0}

  632. 		}

  633. 		return nil, err

  634. 	}

  635. 

  636. 	if user != nil {

  637. 		return user, nil

  638. 	}

  639. 

  640. 	username := login

  641. 	idx := strings.Index(login, "@")

  642. 	if idx > -1 {

  643. 		username = login[:idx]

  644. 	}

  645. 

  646. 	user = &User{

  647. 		LowerName:   strings.ToLower(username),

  648. 		Name:        strings.ToLower(username),

  649. 		Email:       login,

  650. 		Passwd:      password,

  651. 		LoginType:   LoginSMTP,

  652. 		LoginSource: sourceID,

  653. 		LoginName:   login,

  654. 		IsActive:    true,

  655. 	}

  656. 	return user, CreateUser(user)

  657. }

  658. 

  659. // __________  _____      _____

  660. // \______   \/  _  \    /     \

  661. //  |     ___/  /_\  \  /  \ /  \

  662. //  |    |  /    |    \/    Y    \

  663. //  |____|  \____|__  /\____|__  /

  664. //                  \/         \/

  665. 

  666. // LoginViaPAM queries if login/password is valid against the PAM,

  667. // and create a local user if success when enabled.

  668. func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig) (*User, error) {

  669. 	if err := pam.Auth(cfg.ServiceName, login, password); err != nil {

  670. 		if strings.Contains(err.Error(), "Authentication failure") {

  671. 			return nil, ErrUserNotExist{0, login, 0}

  672. 		}

  673. 		return nil, err

  674. 	}

  675. 

  676. 	if user != nil {

  677. 		return user, nil

  678. 	}

  679. 

  680. 	user = &User{

  681. 		LowerName:   strings.ToLower(login),

  682. 		Name:        login,

  683. 		Email:       login,

  684. 		Passwd:      password,

  685. 		LoginType:   LoginPAM,

  686. 		LoginSource: sourceID,

  687. 		LoginName:   login,

  688. 		IsActive:    true,

  689. 	}

  690. 	return user, CreateUser(user)

  691. }

  692. 

  693. // ExternalUserLogin attempts a login using external source types.

  694. func ExternalUserLogin(user *User, login, password string, source *LoginSource) (*User, error) {

  695. 	if !source.IsActived {

  696. 		return nil, ErrLoginSourceNotActived

  697. 	}

  698. 

  699. 	var err error

  700. 	switch source.Type {

  701. 	case LoginLDAP, LoginDLDAP:

  702. 		user, err = LoginViaLDAP(user, login, password, source)

  703. 	case LoginSMTP:

  704. 		user, err = LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig))

  705. 	case LoginPAM:

  706. 		user, err = LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig))

  707. 	default:

  708. 		return nil, ErrUnsupportedLoginType

  709. 	}

  710. 

  711. 	if err != nil {

  712. 		return nil, err

  713. 	}

  714. 

  715. 	// WARN: DON'T check user.IsActive, that will be checked on reqSign so that

  716. 	// user could be hint to resend confirm email.

  717. 	if user.ProhibitLogin {

  718. 		return nil, ErrUserProhibitLogin{user.ID, user.Name}

  719. 	}

  720. 

  721. 	return user, nil

  722. }

  723. 

  724. // UserSignIn validates user name and password.

  725. func UserSignIn(username, password string) (*User, error) {

  726. 	var user *User

  727. 	if strings.Contains(username, "@") {

  728. 		user = &User{Email: strings.ToLower(strings.TrimSpace(username))}

  729. 		// check same email

  730. 		cnt, err := x.Count(user)

  731. 		if err != nil {

  732. 			return nil, err

  733. 		}

  734. 		if cnt > 1 {

  735. 			return nil, ErrEmailAlreadyUsed{

  736. 				Email: user.Email,

  737. 			}

  738. 		}

  739. 	} else {

  740. 		trimmedUsername := strings.TrimSpace(username)

  741. 		if len(trimmedUsername) == 0 {

  742. 			return nil, ErrUserNotExist{0, username, 0}

  743. 		}

  744. 

  745. 		user = &User{LowerName: strings.ToLower(trimmedUsername)}

  746. 	}

  747. 

  748. 	hasUser, err := x.Get(user)

  749. 	if err != nil {

  750. 		return nil, err

  751. 	}

  752. 

  753. 	if hasUser {

  754. 		switch user.LoginType {

  755. 		case LoginNoType, LoginPlain, LoginOAuth2:

  756. 			if user.IsPasswordSet() && user.ValidatePassword(password) {

  757. 

  758. 				// Update password hash if server password hash algorithm have changed

  759. 				if user.PasswdHashAlgo != setting.PasswordHashAlgo {

  760. 					user.HashPassword(password)

  761. 					if err := UpdateUserCols(user, "passwd", "passwd_hash_algo"); err != nil {

  762. 						return nil, err

  763. 					}

  764. 				}

  765. 

  766. 				// WARN: DON'T check user.IsActive, that will be checked on reqSign so that

  767. 				// user could be hint to resend confirm email.

  768. 				if user.ProhibitLogin {

  769. 					return nil, ErrUserProhibitLogin{user.ID, user.Name}

  770. 				}

  771. 

  772. 				return user, nil

  773. 			}

  774. 

  775. 			return nil, ErrUserNotExist{user.ID, user.Name, 0}

  776. 

  777. 		default:

  778. 			var source LoginSource

  779. 			hasSource, err := x.ID(user.LoginSource).Get(&source)

  780. 			if err != nil {

  781. 				return nil, err

  782. 			} else if !hasSource {

  783. 				return nil, ErrLoginSourceNotExist{user.LoginSource}

  784. 			}

  785. 

  786. 			return ExternalUserLogin(user, user.LoginName, password, &source)

  787. 		}

  788. 	}

  789. 

  790. 	sources := make([]*LoginSource, 0, 5)

  791. 	if err = x.Where("is_actived = ?", true).Find(&sources); err != nil {

  792. 		return nil, err

  793. 	}

  794. 

  795. 	for _, source := range sources {

  796. 		if source.IsOAuth2() || source.IsSSPI() {

  797. 			// don't try to authenticate against OAuth2 and SSPI sources here

  798. 			continue

  799. 		}

  800. 		authUser, err := ExternalUserLogin(nil, username, password, source)

  801. 		if err == nil {

  802. 			return authUser, nil

  803. 		}

  804. 

  805. 		log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)

  806. 	}

  807. 

  808. 	return nil, ErrUserNotExist{user.ID, user.Name, 0}

  809. }