12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 |
- // Copyright 2021 The Gitea Authors. All rights reserved.
- // Use of this source code is governed by a MIT-style
- // license that can be found in the LICENSE file.
-
- package pam
-
- import (
- "fmt"
- "strings"
-
- "code.gitea.io/gitea/models/auth"
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/auth/pam"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/services/mailer"
-
- "github.com/google/uuid"
- )
-
- // Authenticate queries if login/password is valid against the PAM,
- // and create a local user if success when enabled.
- func (source *Source) Authenticate(user *user_model.User, userName, password string) (*user_model.User, error) {
- pamLogin, err := pam.Auth(source.ServiceName, userName, password)
- if err != nil {
- if strings.Contains(err.Error(), "Authentication failure") {
- return nil, user_model.ErrUserNotExist{Name: userName}
- }
- return nil, err
- }
-
- if user != nil {
- return user, nil
- }
-
- // Allow PAM sources with `@` in their name, like from Active Directory
- username := pamLogin
- email := pamLogin
- idx := strings.Index(pamLogin, "@")
- if idx > -1 {
- username = pamLogin[:idx]
- }
- if user_model.ValidateEmail(email) != nil {
- if source.EmailDomain != "" {
- email = fmt.Sprintf("%s@%s", username, source.EmailDomain)
- } else {
- email = fmt.Sprintf("%s@%s", username, setting.Service.NoReplyAddress)
- }
- if user_model.ValidateEmail(email) != nil {
- email = uuid.New().String() + "@localhost"
- }
- }
-
- user = &user_model.User{
- LowerName: strings.ToLower(username),
- Name: username,
- Email: email,
- Passwd: password,
- LoginType: auth.PAM,
- LoginSource: source.authSource.ID,
- LoginName: userName, // This is what the user typed in
- IsActive: true,
- }
-
- if err := user_model.CreateUser(user); err != nil {
- return user, err
- }
-
- mailer.SendRegisterNotifyMail(user)
-
- return user, nil
- }
-
- // IsSkipLocalTwoFA returns if this source should skip local 2fa for password authentication
- func (source *Source) IsSkipLocalTwoFA() bool {
- return source.SkipLocalTwoFA
- }
|