mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17397 Commits
17 Branches
Tree: e2277d07ca
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e2277d07ca'
${ noResults }
gitea/services/auth/source/ldap/source_authenticate.go

source_authenticate.go 3.9KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 
  1. // Copyright 2021 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package ldap

  5. 

  6. import (

  7. 	"context"

  8. 	"fmt"

  9. 	"strings"

  10. 

  11. 	asymkey_model "code.gitea.io/gitea/models/asymkey"

  12. 	"code.gitea.io/gitea/models/auth"

  13. 	user_model "code.gitea.io/gitea/models/user"

  14. 	auth_module "code.gitea.io/gitea/modules/auth"

  15. 	"code.gitea.io/gitea/modules/optional"

  16. 	asymkey_service "code.gitea.io/gitea/services/asymkey"

  17. 	source_service "code.gitea.io/gitea/services/auth/source"

  18. 	user_service "code.gitea.io/gitea/services/user"

  19. )

  20. 

  21. // Authenticate queries if login/password is valid against the LDAP directory pool,

  22. // and create a local user if success when enabled.

  23. func (source *Source) Authenticate(ctx context.Context, user *user_model.User, userName, password string) (*user_model.User, error) {

  24. 	loginName := userName

  25. 	if user != nil {

  26. 		loginName = user.LoginName

  27. 	}

  28. 	sr := source.SearchEntry(loginName, password, source.authSource.Type == auth.DLDAP)

  29. 	if sr == nil {

  30. 		// User not in LDAP, do nothing

  31. 		return nil, user_model.ErrUserNotExist{Name: loginName}

  32. 	}

  33. 	// Fallback.

  34. 	if len(sr.Username) == 0 {

  35. 		sr.Username = userName

  36. 	}

  37. 	if len(sr.Mail) == 0 {

  38. 		sr.Mail = fmt.Sprintf("%s@localhost.local", sr.Username)

  39. 	}

  40. 	isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0

  41. 

  42. 	// Update User admin flag if exist

  43. 	if isExist, err := user_model.IsUserExist(ctx, 0, sr.Username); err != nil {

  44. 		return nil, err

  45. 	} else if isExist {

  46. 		if user == nil {

  47. 			user, err = user_model.GetUserByName(ctx, sr.Username)

  48. 			if err != nil {

  49. 				return nil, err

  50. 			}

  51. 		}

  52. 		if user != nil && !user.ProhibitLogin {

  53. 			opts := &user_service.UpdateOptions{}

  54. 			if len(source.AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin {

  55. 				// Change existing admin flag only if AdminFilter option is set

  56. 				opts.IsAdmin = optional.Some(sr.IsAdmin)

  57. 			}

  58. 			if !sr.IsAdmin && len(source.RestrictedFilter) > 0 && user.IsRestricted != sr.IsRestricted {

  59. 				// Change existing restricted flag only if RestrictedFilter option is set

  60. 				opts.IsRestricted = optional.Some(sr.IsRestricted)

  61. 			}

  62. 			if opts.IsAdmin.Has() || opts.IsRestricted.Has() {

  63. 				if err := user_service.UpdateUser(ctx, user, opts); err != nil {

  64. 					return nil, err

  65. 				}

  66. 			}

  67. 		}

  68. 	}

  69. 

  70. 	if user != nil {

  71. 		if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(ctx, user, source.authSource, sr.SSHPublicKey) {

  72. 			if err := asymkey_service.RewriteAllPublicKeys(ctx); err != nil {

  73. 				return user, err

  74. 			}

  75. 		}

  76. 	} else {

  77. 		user = &user_model.User{

  78. 			LowerName:   strings.ToLower(sr.Username),

  79. 			Name:        sr.Username,

  80. 			FullName:    composeFullName(sr.Name, sr.Surname, sr.Username),

  81. 			Email:       sr.Mail,

  82. 			LoginType:   source.authSource.Type,

  83. 			LoginSource: source.authSource.ID,

  84. 			LoginName:   userName,

  85. 			IsAdmin:     sr.IsAdmin,

  86. 		}

  87. 		overwriteDefault := &user_model.CreateUserOverwriteOptions{

  88. 			IsRestricted: optional.Some(sr.IsRestricted),

  89. 			IsActive:     optional.Some(true),

  90. 		}

  91. 

  92. 		err := user_model.CreateUser(ctx, user, overwriteDefault)

  93. 		if err != nil {

  94. 			return user, err

  95. 		}

  96. 

  97. 		if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(ctx, user, source.authSource, sr.SSHPublicKey) {

  98. 			if err := asymkey_service.RewriteAllPublicKeys(ctx); err != nil {

  99. 				return user, err

  100. 			}

  101. 		}

  102. 		if len(source.AttributeAvatar) > 0 {

  103. 			if err := user_service.UploadAvatar(ctx, user, sr.Avatar); err != nil {

  104. 				return user, err

  105. 			}

  106. 		}

  107. 	}

  108. 

  109. 	if source.GroupsEnabled && (source.GroupTeamMap != "" || source.GroupTeamMapRemoval) {

  110. 		groupTeamMapping, err := auth_module.UnmarshalGroupTeamMapping(source.GroupTeamMap)

  111. 		if err != nil {

  112. 			return user, err

  113. 		}

  114. 		if err := source_service.SyncGroupsToTeams(ctx, user, sr.Groups, groupTeamMapping, source.GroupTeamMapRemoval); err != nil {

  115. 			return user, err

  116. 		}

  117. 	}

  118. 

  119. 	return user, nil

  120. }

  121. 

  122. // IsSkipLocalTwoFA returns if this source should skip local 2fa for password authentication

  123. func (source *Source) IsSkipLocalTwoFA() bool {

  124. 	return source.SkipLocalTwoFA

  125. }