mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8895 Commits
17 Branches
Tree: dbe9c11238
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'dbe9c11238'
${ noResults }
gitea/models/login_source.go

login_source.go 22KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2019 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package models

  7. 

  8. import (

  9. 	"crypto/tls"

  10. 	"encoding/json"

  11. 	"errors"

  12. 	"fmt"

  13. 	"net/smtp"

  14. 	"net/textproto"

  15. 	"strings"

  16. 

  17. 	"code.gitea.io/gitea/modules/auth/ldap"

  18. 	"code.gitea.io/gitea/modules/auth/oauth2"

  19. 	"code.gitea.io/gitea/modules/auth/pam"

  20. 	"code.gitea.io/gitea/modules/log"

  21. 	"code.gitea.io/gitea/modules/setting"

  22. 	"code.gitea.io/gitea/modules/timeutil"

  23. 

  24. 	"github.com/unknwon/com"

  25. 	"xorm.io/core"

  26. 	"xorm.io/xorm"

  27. )

  28. 

  29. // LoginType represents an login type.

  30. type LoginType int

  31. 

  32. // Note: new type must append to the end of list to maintain compatibility.

  33. const (

  34. 	LoginNoType LoginType = iota

  35. 	LoginPlain            // 1

  36. 	LoginLDAP             // 2

  37. 	LoginSMTP             // 3

  38. 	LoginPAM              // 4

  39. 	LoginDLDAP            // 5

  40. 	LoginOAuth2           // 6

  41. 	LoginSSPI             // 7

  42. )

  43. 

  44. // LoginNames contains the name of LoginType values.

  45. var LoginNames = map[LoginType]string{

  46. 	LoginLDAP:   "LDAP (via BindDN)",

  47. 	LoginDLDAP:  "LDAP (simple auth)", // Via direct bind

  48. 	LoginSMTP:   "SMTP",

  49. 	LoginPAM:    "PAM",

  50. 	LoginOAuth2: "OAuth2",

  51. 	LoginSSPI:   "SPNEGO with SSPI",

  52. }

  53. 

  54. // SecurityProtocolNames contains the name of SecurityProtocol values.

  55. var SecurityProtocolNames = map[ldap.SecurityProtocol]string{

  56. 	ldap.SecurityProtocolUnencrypted: "Unencrypted",

  57. 	ldap.SecurityProtocolLDAPS:       "LDAPS",

  58. 	ldap.SecurityProtocolStartTLS:    "StartTLS",

  59. }

  60. 

  61. // Ensure structs implemented interface.

  62. var (

  63. 	_ core.Conversion = &LDAPConfig{}

  64. 	_ core.Conversion = &SMTPConfig{}

  65. 	_ core.Conversion = &PAMConfig{}

  66. 	_ core.Conversion = &OAuth2Config{}

  67. 	_ core.Conversion = &SSPIConfig{}

  68. )

  69. 

  70. // LDAPConfig holds configuration for LDAP login source.

  71. type LDAPConfig struct {

  72. 	*ldap.Source

  73. }

  74. 

  75. // FromDB fills up a LDAPConfig from serialized format.

  76. func (cfg *LDAPConfig) FromDB(bs []byte) error {

  77. 	return json.Unmarshal(bs, &cfg)

  78. }

  79. 

  80. // ToDB exports a LDAPConfig to a serialized format.

  81. func (cfg *LDAPConfig) ToDB() ([]byte, error) {

  82. 	return json.Marshal(cfg)

  83. }

  84. 

  85. // SecurityProtocolName returns the name of configured security

  86. // protocol.

  87. func (cfg *LDAPConfig) SecurityProtocolName() string {

  88. 	return SecurityProtocolNames[cfg.SecurityProtocol]

  89. }

  90. 

  91. // SMTPConfig holds configuration for the SMTP login source.

  92. type SMTPConfig struct {

  93. 	Auth           string

  94. 	Host           string

  95. 	Port           int

  96. 	AllowedDomains string `xorm:"TEXT"`

  97. 	TLS            bool

  98. 	SkipVerify     bool

  99. }

  100. 

  101. // FromDB fills up an SMTPConfig from serialized format.

  102. func (cfg *SMTPConfig) FromDB(bs []byte) error {

  103. 	return json.Unmarshal(bs, cfg)

  104. }

  105. 

  106. // ToDB exports an SMTPConfig to a serialized format.

  107. func (cfg *SMTPConfig) ToDB() ([]byte, error) {

  108. 	return json.Marshal(cfg)

  109. }

  110. 

  111. // PAMConfig holds configuration for the PAM login source.

  112. type PAMConfig struct {

  113. 	ServiceName string // pam service (e.g. system-auth)

  114. }

  115. 

  116. // FromDB fills up a PAMConfig from serialized format.

  117. func (cfg *PAMConfig) FromDB(bs []byte) error {

  118. 	return json.Unmarshal(bs, &cfg)

  119. }

  120. 

  121. // ToDB exports a PAMConfig to a serialized format.

  122. func (cfg *PAMConfig) ToDB() ([]byte, error) {

  123. 	return json.Marshal(cfg)

  124. }

  125. 

  126. // OAuth2Config holds configuration for the OAuth2 login source.

  127. type OAuth2Config struct {

  128. 	Provider                      string

  129. 	ClientID                      string

  130. 	ClientSecret                  string

  131. 	OpenIDConnectAutoDiscoveryURL string

  132. 	CustomURLMapping              *oauth2.CustomURLMapping

  133. }

  134. 

  135. // FromDB fills up an OAuth2Config from serialized format.

  136. func (cfg *OAuth2Config) FromDB(bs []byte) error {

  137. 	return json.Unmarshal(bs, cfg)

  138. }

  139. 

  140. // ToDB exports an SMTPConfig to a serialized format.

  141. func (cfg *OAuth2Config) ToDB() ([]byte, error) {

  142. 	return json.Marshal(cfg)

  143. }

  144. 

  145. // SSPIConfig holds configuration for SSPI single sign-on.

  146. type SSPIConfig struct {

  147. 	AutoCreateUsers      bool

  148. 	AutoActivateUsers    bool

  149. 	StripDomainNames     bool

  150. 	SeparatorReplacement string

  151. 	DefaultLanguage      string

  152. }

  153. 

  154. // FromDB fills up an SSPIConfig from serialized format.

  155. func (cfg *SSPIConfig) FromDB(bs []byte) error {

  156. 	return json.Unmarshal(bs, cfg)

  157. }

  158. 

  159. // ToDB exports an SSPIConfig to a serialized format.

  160. func (cfg *SSPIConfig) ToDB() ([]byte, error) {

  161. 	return json.Marshal(cfg)

  162. }

  163. 

  164. // LoginSource represents an external way for authorizing users.

  165. type LoginSource struct {

  166. 	ID            int64 `xorm:"pk autoincr"`

  167. 	Type          LoginType

  168. 	Name          string          `xorm:"UNIQUE"`

  169. 	IsActived     bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  170. 	IsSyncEnabled bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  171. 	Cfg           core.Conversion `xorm:"TEXT"`

  172. 

  173. 	CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"`

  174. 	UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`

  175. }

  176. 

  177. // Cell2Int64 converts a xorm.Cell type to int64,

  178. // and handles possible irregular cases.

  179. func Cell2Int64(val xorm.Cell) int64 {

  180. 	switch (*val).(type) {

  181. 	case []uint8:

  182. 		log.Trace("Cell2Int64 ([]uint8): %v", *val)

  183. 		return com.StrTo(string((*val).([]uint8))).MustInt64()

  184. 	}

  185. 	return (*val).(int64)

  186. }

  187. 

  188. // BeforeSet is invoked from XORM before setting the value of a field of this object.

  189. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {

  190. 	if colName == "type" {

  191. 		switch LoginType(Cell2Int64(val)) {

  192. 		case LoginLDAP, LoginDLDAP:

  193. 			source.Cfg = new(LDAPConfig)

  194. 		case LoginSMTP:

  195. 			source.Cfg = new(SMTPConfig)

  196. 		case LoginPAM:

  197. 			source.Cfg = new(PAMConfig)

  198. 		case LoginOAuth2:

  199. 			source.Cfg = new(OAuth2Config)

  200. 		case LoginSSPI:

  201. 			source.Cfg = new(SSPIConfig)

  202. 		default:

  203. 			panic("unrecognized login source type: " + com.ToStr(*val))

  204. 		}

  205. 	}

  206. }

  207. 

  208. // TypeName return name of this login source type.

  209. func (source *LoginSource) TypeName() string {

  210. 	return LoginNames[source.Type]

  211. }

  212. 

  213. // IsLDAP returns true of this source is of the LDAP type.

  214. func (source *LoginSource) IsLDAP() bool {

  215. 	return source.Type == LoginLDAP

  216. }

  217. 

  218. // IsDLDAP returns true of this source is of the DLDAP type.

  219. func (source *LoginSource) IsDLDAP() bool {

  220. 	return source.Type == LoginDLDAP

  221. }

  222. 

  223. // IsSMTP returns true of this source is of the SMTP type.

  224. func (source *LoginSource) IsSMTP() bool {

  225. 	return source.Type == LoginSMTP

  226. }

  227. 

  228. // IsPAM returns true of this source is of the PAM type.

  229. func (source *LoginSource) IsPAM() bool {

  230. 	return source.Type == LoginPAM

  231. }

  232. 

  233. // IsOAuth2 returns true of this source is of the OAuth2 type.

  234. func (source *LoginSource) IsOAuth2() bool {

  235. 	return source.Type == LoginOAuth2

  236. }

  237. 

  238. // IsSSPI returns true of this source is of the SSPI type.

  239. func (source *LoginSource) IsSSPI() bool {

  240. 	return source.Type == LoginSSPI

  241. }

  242. 

  243. // HasTLS returns true of this source supports TLS.

  244. func (source *LoginSource) HasTLS() bool {

  245. 	return ((source.IsLDAP() || source.IsDLDAP()) &&

  246. 		source.LDAP().SecurityProtocol > ldap.SecurityProtocolUnencrypted) ||

  247. 		source.IsSMTP()

  248. }

  249. 

  250. // UseTLS returns true of this source is configured to use TLS.

  251. func (source *LoginSource) UseTLS() bool {

  252. 	switch source.Type {

  253. 	case LoginLDAP, LoginDLDAP:

  254. 		return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted

  255. 	case LoginSMTP:

  256. 		return source.SMTP().TLS

  257. 	}

  258. 

  259. 	return false

  260. }

  261. 

  262. // SkipVerify returns true if this source is configured to skip SSL

  263. // verification.

  264. func (source *LoginSource) SkipVerify() bool {

  265. 	switch source.Type {

  266. 	case LoginLDAP, LoginDLDAP:

  267. 		return source.LDAP().SkipVerify

  268. 	case LoginSMTP:

  269. 		return source.SMTP().SkipVerify

  270. 	}

  271. 

  272. 	return false

  273. }

  274. 

  275. // LDAP returns LDAPConfig for this source, if of LDAP type.

  276. func (source *LoginSource) LDAP() *LDAPConfig {

  277. 	return source.Cfg.(*LDAPConfig)

  278. }

  279. 

  280. // SMTP returns SMTPConfig for this source, if of SMTP type.

  281. func (source *LoginSource) SMTP() *SMTPConfig {

  282. 	return source.Cfg.(*SMTPConfig)

  283. }

  284. 

  285. // PAM returns PAMConfig for this source, if of PAM type.

  286. func (source *LoginSource) PAM() *PAMConfig {

  287. 	return source.Cfg.(*PAMConfig)

  288. }

  289. 

  290. // OAuth2 returns OAuth2Config for this source, if of OAuth2 type.

  291. func (source *LoginSource) OAuth2() *OAuth2Config {

  292. 	return source.Cfg.(*OAuth2Config)

  293. }

  294. 

  295. // SSPI returns SSPIConfig for this source, if of SSPI type.

  296. func (source *LoginSource) SSPI() *SSPIConfig {

  297. 	return source.Cfg.(*SSPIConfig)

  298. }

  299. 

  300. // CreateLoginSource inserts a LoginSource in the DB if not already

  301. // existing with the given name.

  302. func CreateLoginSource(source *LoginSource) error {

  303. 	has, err := x.Where("name=?", source.Name).Exist(new(LoginSource))

  304. 	if err != nil {

  305. 		return err

  306. 	} else if has {

  307. 		return ErrLoginSourceAlreadyExist{source.Name}

  308. 	}

  309. 	// Synchronization is only aviable with LDAP for now

  310. 	if !source.IsLDAP() {

  311. 		source.IsSyncEnabled = false

  312. 	}

  313. 

  314. 	_, err = x.Insert(source)

  315. 	if err == nil && source.IsOAuth2() && source.IsActived {

  316. 		oAuth2Config := source.OAuth2()

  317. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  318. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  319. 		if err != nil {

  320. 			// remove the LoginSource in case of errors while registering OAuth2 providers

  321. 			if _, err := x.Delete(source); err != nil {

  322. 				log.Error("CreateLoginSource: Error while wrapOpenIDConnectInitializeError: %v", err)

  323. 			}

  324. 			return err

  325. 		}

  326. 	}

  327. 	return err

  328. }

  329. 

  330. // LoginSources returns a slice of all login sources found in DB.

  331. func LoginSources() ([]*LoginSource, error) {

  332. 	auths := make([]*LoginSource, 0, 6)

  333. 	return auths, x.Find(&auths)

  334. }

  335. 

  336. // LoginSourcesByType returns all sources of the specified type

  337. func LoginSourcesByType(loginType LoginType) ([]*LoginSource, error) {

  338. 	sources := make([]*LoginSource, 0, 1)

  339. 	if err := x.Where("type = ?", loginType).Find(&sources); err != nil {

  340. 		return nil, err

  341. 	}

  342. 	return sources, nil

  343. }

  344. 

  345. // ActiveLoginSources returns all active sources of the specified type

  346. func ActiveLoginSources(loginType LoginType) ([]*LoginSource, error) {

  347. 	sources := make([]*LoginSource, 0, 1)

  348. 	if err := x.Where("is_actived = ? and type = ?", true, loginType).Find(&sources); err != nil {

  349. 		return nil, err

  350. 	}

  351. 	return sources, nil

  352. }

  353. 

  354. // IsSSPIEnabled returns true if there is at least one activated login

  355. // source of type LoginSSPI

  356. func IsSSPIEnabled() bool {

  357. 	if !HasEngine {

  358. 		return false

  359. 	}

  360. 	sources, err := ActiveLoginSources(LoginSSPI)

  361. 	if err != nil {

  362. 		log.Error("ActiveLoginSources: %v", err)

  363. 		return false

  364. 	}

  365. 	return len(sources) > 0

  366. }

  367. 

  368. // GetLoginSourceByID returns login source by given ID.

  369. func GetLoginSourceByID(id int64) (*LoginSource, error) {

  370. 	source := new(LoginSource)

  371. 	has, err := x.ID(id).Get(source)

  372. 	if err != nil {

  373. 		return nil, err

  374. 	} else if !has {

  375. 		return nil, ErrLoginSourceNotExist{id}

  376. 	}

  377. 	return source, nil

  378. }

  379. 

  380. // UpdateSource updates a LoginSource record in DB.

  381. func UpdateSource(source *LoginSource) error {

  382. 	var originalLoginSource *LoginSource

  383. 	if source.IsOAuth2() {

  384. 		// keep track of the original values so we can restore in case of errors while registering OAuth2 providers

  385. 		var err error

  386. 		if originalLoginSource, err = GetLoginSourceByID(source.ID); err != nil {

  387. 			return err

  388. 		}

  389. 	}

  390. 

  391. 	_, err := x.ID(source.ID).AllCols().Update(source)

  392. 	if err == nil && source.IsOAuth2() && source.IsActived {

  393. 		oAuth2Config := source.OAuth2()

  394. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  395. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  396. 		if err != nil {

  397. 			// restore original values since we cannot update the provider it self

  398. 			if _, err := x.ID(source.ID).AllCols().Update(originalLoginSource); err != nil {

  399. 				log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err)

  400. 			}

  401. 			return err

  402. 		}

  403. 	}

  404. 	return err

  405. }

  406. 

  407. // DeleteSource deletes a LoginSource record in DB.

  408. func DeleteSource(source *LoginSource) error {

  409. 	count, err := x.Count(&User{LoginSource: source.ID})

  410. 	if err != nil {

  411. 		return err

  412. 	} else if count > 0 {

  413. 		return ErrLoginSourceInUse{source.ID}

  414. 	}

  415. 

  416. 	count, err = x.Count(&ExternalLoginUser{LoginSourceID: source.ID})

  417. 	if err != nil {

  418. 		return err

  419. 	} else if count > 0 {

  420. 		return ErrLoginSourceInUse{source.ID}

  421. 	}

  422. 

  423. 	if source.IsOAuth2() {

  424. 		oauth2.RemoveProvider(source.Name)

  425. 	}

  426. 

  427. 	_, err = x.ID(source.ID).Delete(new(LoginSource))

  428. 	return err

  429. }

  430. 

  431. // CountLoginSources returns number of login sources.

  432. func CountLoginSources() int64 {

  433. 	count, _ := x.Count(new(LoginSource))

  434. 	return count

  435. }

  436. 

  437. // .____     ________      _____ __________

  438. // |    |    \______ \    /  _  \\______   \

  439. // |    |     |    |  \  /  /_\  \|     ___/

  440. // |    |___  |    `   \/    |    \    |

  441. // |_______ \/_______  /\____|__  /____|

  442. //         \/        \/         \/

  443. 

  444. func composeFullName(firstname, surname, username string) string {

  445. 	switch {

  446. 	case len(firstname) == 0 && len(surname) == 0:

  447. 		return username

  448. 	case len(firstname) == 0:

  449. 		return surname

  450. 	case len(surname) == 0:

  451. 		return firstname

  452. 	default:

  453. 		return firstname + " " + surname

  454. 	}

  455. }

  456. 

  457. // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,

  458. // and create a local user if success when enabled.

  459. func LoginViaLDAP(user *User, login, password string, source *LoginSource) (*User, error) {

  460. 	sr := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LoginDLDAP)

  461. 	if sr == nil {

  462. 		// User not in LDAP, do nothing

  463. 		return nil, ErrUserNotExist{0, login, 0}

  464. 	}

  465. 

  466. 	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(source.LDAP().AttributeSSHPublicKey)) > 0

  467. 

  468. 	// Update User admin flag if exist

  469. 	if isExist, err := IsUserExist(0, sr.Username); err != nil {

  470. 		return nil, err

  471. 	} else if isExist {

  472. 		if user == nil {

  473. 			user, err = GetUserByName(sr.Username)

  474. 			if err != nil {

  475. 				return nil, err

  476. 			}

  477. 		}

  478. 		if user != nil &&

  479. 			!user.ProhibitLogin && len(source.LDAP().AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin {

  480. 			// Change existing admin flag only if AdminFilter option is set

  481. 			user.IsAdmin = sr.IsAdmin

  482. 			err = UpdateUserCols(user, "is_admin")

  483. 			if err != nil {

  484. 				return nil, err

  485. 			}

  486. 		}

  487. 	}

  488. 

  489. 	if user != nil {

  490. 		if isAttributeSSHPublicKeySet && synchronizeLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {

  491. 			return user, RewriteAllPublicKeys()

  492. 		}

  493. 

  494. 		return user, nil

  495. 	}

  496. 

  497. 	// Fallback.

  498. 	if len(sr.Username) == 0 {

  499. 		sr.Username = login

  500. 	}

  501. 

  502. 	if len(sr.Mail) == 0 {

  503. 		sr.Mail = fmt.Sprintf("%s@localhost", sr.Username)

  504. 	}

  505. 

  506. 	user = &User{

  507. 		LowerName:   strings.ToLower(sr.Username),

  508. 		Name:        sr.Username,

  509. 		FullName:    composeFullName(sr.Name, sr.Surname, sr.Username),

  510. 		Email:       sr.Mail,

  511. 		LoginType:   source.Type,

  512. 		LoginSource: source.ID,

  513. 		LoginName:   login,

  514. 		IsActive:    true,

  515. 		IsAdmin:     sr.IsAdmin,

  516. 	}

  517. 

  518. 	err := CreateUser(user)

  519. 

  520. 	if err == nil && isAttributeSSHPublicKeySet && addLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {

  521. 		err = RewriteAllPublicKeys()

  522. 	}

  523. 

  524. 	return user, err

  525. }

  526. 

  527. //   _________   __________________________

  528. //  /   _____/  /     \__    ___/\______   \

  529. //  \_____  \  /  \ /  \|    |    |     ___/

  530. //  /        \/    Y    \    |    |    |

  531. // /_______  /\____|__  /____|    |____|

  532. //         \/         \/

  533. 

  534. type smtpLoginAuth struct {

  535. 	username, password string

  536. }

  537. 

  538. func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {

  539. 	return "LOGIN", []byte(auth.username), nil

  540. }

  541. 

  542. func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {

  543. 	if more {

  544. 		switch string(fromServer) {

  545. 		case "Username:":

  546. 			return []byte(auth.username), nil

  547. 		case "Password:":

  548. 			return []byte(auth.password), nil

  549. 		}

  550. 	}

  551. 	return nil, nil

  552. }

  553. 

  554. // SMTP authentication type names.

  555. const (

  556. 	SMTPPlain = "PLAIN"

  557. 	SMTPLogin = "LOGIN"

  558. )

  559. 

  560. // SMTPAuths contains available SMTP authentication type names.

  561. var SMTPAuths = []string{SMTPPlain, SMTPLogin}

  562. 

  563. // SMTPAuth performs an SMTP authentication.

  564. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {

  565. 	c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))

  566. 	if err != nil {

  567. 		return err

  568. 	}

  569. 	defer c.Close()

  570. 

  571. 	if err = c.Hello("gogs"); err != nil {

  572. 		return err

  573. 	}

  574. 

  575. 	if cfg.TLS {

  576. 		if ok, _ := c.Extension("STARTTLS"); ok {

  577. 			if err = c.StartTLS(&tls.Config{

  578. 				InsecureSkipVerify: cfg.SkipVerify,

  579. 				ServerName:         cfg.Host,

  580. 			}); err != nil {

  581. 				return err

  582. 			}

  583. 		} else {

  584. 			return errors.New("SMTP server unsupports TLS")

  585. 		}

  586. 	}

  587. 

  588. 	if ok, _ := c.Extension("AUTH"); ok {

  589. 		return c.Auth(a)

  590. 	}

  591. 	return ErrUnsupportedLoginType

  592. }

  593. 

  594. // LoginViaSMTP queries if login/password is valid against the SMTP,

  595. // and create a local user if success when enabled.

  596. func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig) (*User, error) {

  597. 	// Verify allowed domains.

  598. 	if len(cfg.AllowedDomains) > 0 {

  599. 		idx := strings.Index(login, "@")

  600. 		if idx == -1 {

  601. 			return nil, ErrUserNotExist{0, login, 0}

  602. 		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {

  603. 			return nil, ErrUserNotExist{0, login, 0}

  604. 		}

  605. 	}

  606. 

  607. 	var auth smtp.Auth

  608. 	if cfg.Auth == SMTPPlain {

  609. 		auth = smtp.PlainAuth("", login, password, cfg.Host)

  610. 	} else if cfg.Auth == SMTPLogin {

  611. 		auth = &smtpLoginAuth{login, password}

  612. 	} else {

  613. 		return nil, errors.New("Unsupported SMTP auth type")

  614. 	}

  615. 

  616. 	if err := SMTPAuth(auth, cfg); err != nil {

  617. 		// Check standard error format first,

  618. 		// then fallback to worse case.

  619. 		tperr, ok := err.(*textproto.Error)

  620. 		if (ok && tperr.Code == 535) ||

  621. 			strings.Contains(err.Error(), "Username and Password not accepted") {

  622. 			return nil, ErrUserNotExist{0, login, 0}

  623. 		}

  624. 		return nil, err

  625. 	}

  626. 

  627. 	if user != nil {

  628. 		return user, nil

  629. 	}

  630. 

  631. 	username := login

  632. 	idx := strings.Index(login, "@")

  633. 	if idx > -1 {

  634. 		username = login[:idx]

  635. 	}

  636. 

  637. 	user = &User{

  638. 		LowerName:   strings.ToLower(username),

  639. 		Name:        strings.ToLower(username),

  640. 		Email:       login,

  641. 		Passwd:      password,

  642. 		LoginType:   LoginSMTP,

  643. 		LoginSource: sourceID,

  644. 		LoginName:   login,

  645. 		IsActive:    true,

  646. 	}

  647. 	return user, CreateUser(user)

  648. }

  649. 

  650. // __________  _____      _____

  651. // \______   \/  _  \    /     \

  652. //  |     ___/  /_\  \  /  \ /  \

  653. //  |    |  /    |    \/    Y    \

  654. //  |____|  \____|__  /\____|__  /

  655. //                  \/         \/

  656. 

  657. // LoginViaPAM queries if login/password is valid against the PAM,

  658. // and create a local user if success when enabled.

  659. func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig) (*User, error) {

  660. 	pamLogin, err := pam.Auth(cfg.ServiceName, login, password)

  661. 	if err != nil {

  662. 		if strings.Contains(err.Error(), "Authentication failure") {

  663. 			return nil, ErrUserNotExist{0, login, 0}

  664. 		}

  665. 		return nil, err

  666. 	}

  667. 

  668. 	if user != nil {

  669. 		return user, nil

  670. 	}

  671. 

  672. 	// Allow PAM sources with `@` in their name, like from Active Directory

  673. 	username := pamLogin

  674. 	idx := strings.Index(pamLogin, "@")

  675. 	if idx > -1 {

  676. 		username = pamLogin[:idx]

  677. 	}

  678. 

  679. 	user = &User{

  680. 		LowerName:   strings.ToLower(username),

  681. 		Name:        username,

  682. 		Email:       pamLogin,

  683. 		Passwd:      password,

  684. 		LoginType:   LoginPAM,

  685. 		LoginSource: sourceID,

  686. 		LoginName:   login, // This is what the user typed in

  687. 		IsActive:    true,

  688. 	}

  689. 	return user, CreateUser(user)

  690. }

  691. 

  692. // ExternalUserLogin attempts a login using external source types.

  693. func ExternalUserLogin(user *User, login, password string, source *LoginSource) (*User, error) {

  694. 	if !source.IsActived {

  695. 		return nil, ErrLoginSourceNotActived

  696. 	}

  697. 

  698. 	var err error

  699. 	switch source.Type {

  700. 	case LoginLDAP, LoginDLDAP:

  701. 		user, err = LoginViaLDAP(user, login, password, source)

  702. 	case LoginSMTP:

  703. 		user, err = LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig))

  704. 	case LoginPAM:

  705. 		user, err = LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig))

  706. 	default:

  707. 		return nil, ErrUnsupportedLoginType

  708. 	}

  709. 

  710. 	if err != nil {

  711. 		return nil, err

  712. 	}

  713. 

  714. 	// WARN: DON'T check user.IsActive, that will be checked on reqSign so that

  715. 	// user could be hint to resend confirm email.

  716. 	if user.ProhibitLogin {

  717. 		return nil, ErrUserProhibitLogin{user.ID, user.Name}

  718. 	}

  719. 

  720. 	return user, nil

  721. }

  722. 

  723. // UserSignIn validates user name and password.

  724. func UserSignIn(username, password string) (*User, error) {

  725. 	var user *User

  726. 	if strings.Contains(username, "@") {

  727. 		user = &User{Email: strings.ToLower(strings.TrimSpace(username))}

  728. 		// check same email

  729. 		cnt, err := x.Count(user)

  730. 		if err != nil {

  731. 			return nil, err

  732. 		}

  733. 		if cnt > 1 {

  734. 			return nil, ErrEmailAlreadyUsed{

  735. 				Email: user.Email,

  736. 			}

  737. 		}

  738. 	} else {

  739. 		trimmedUsername := strings.TrimSpace(username)

  740. 		if len(trimmedUsername) == 0 {

  741. 			return nil, ErrUserNotExist{0, username, 0}

  742. 		}

  743. 

  744. 		user = &User{LowerName: strings.ToLower(trimmedUsername)}

  745. 	}

  746. 

  747. 	hasUser, err := x.Get(user)

  748. 	if err != nil {

  749. 		return nil, err

  750. 	}

  751. 

  752. 	if hasUser {

  753. 		switch user.LoginType {

  754. 		case LoginNoType, LoginPlain, LoginOAuth2:

  755. 			if user.IsPasswordSet() && user.ValidatePassword(password) {

  756. 

  757. 				// Update password hash if server password hash algorithm have changed

  758. 				if user.PasswdHashAlgo != setting.PasswordHashAlgo {

  759. 					user.HashPassword(password)

  760. 					if err := UpdateUserCols(user, "passwd", "passwd_hash_algo"); err != nil {

  761. 						return nil, err

  762. 					}

  763. 				}

  764. 

  765. 				// WARN: DON'T check user.IsActive, that will be checked on reqSign so that

  766. 				// user could be hint to resend confirm email.

  767. 				if user.ProhibitLogin {

  768. 					return nil, ErrUserProhibitLogin{user.ID, user.Name}

  769. 				}

  770. 

  771. 				return user, nil

  772. 			}

  773. 

  774. 			return nil, ErrUserNotExist{user.ID, user.Name, 0}

  775. 

  776. 		default:

  777. 			var source LoginSource

  778. 			hasSource, err := x.ID(user.LoginSource).Get(&source)

  779. 			if err != nil {

  780. 				return nil, err

  781. 			} else if !hasSource {

  782. 				return nil, ErrLoginSourceNotExist{user.LoginSource}

  783. 			}

  784. 

  785. 			return ExternalUserLogin(user, user.LoginName, password, &source)

  786. 		}

  787. 	}

  788. 

  789. 	sources := make([]*LoginSource, 0, 5)

  790. 	if err = x.Where("is_actived = ?", true).Find(&sources); err != nil {

  791. 		return nil, err

  792. 	}

  793. 

  794. 	for _, source := range sources {

  795. 		if source.IsOAuth2() || source.IsSSPI() {

  796. 			// don't try to authenticate against OAuth2 and SSPI sources here

  797. 			continue

  798. 		}

  799. 		authUser, err := ExternalUserLogin(nil, username, password, source)

  800. 		if err == nil {

  801. 			return authUser, nil

  802. 		}

  803. 

  804. 		log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)

  805. 	}

  806. 

  807. 	return nil, ErrUserNotExist{user.ID, user.Name, 0}

  808. }