mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 209 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7605 Commits
16 Branches
Tree: f9ec2f89f2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f9ec2f89f2'
${ noResults }
gitea/models/login_source.go

login_source.go 19KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package models

  6. 

  7. import (

  8. 	"crypto/tls"

  9. 	"encoding/json"

  10. 	"errors"

  11. 	"fmt"

  12. 	"net/smtp"

  13. 	"net/textproto"

  14. 	"regexp"

  15. 	"strings"

  16. 

  17. 	"github.com/Unknwon/com"

  18. 	"github.com/go-xorm/core"

  19. 	"github.com/go-xorm/xorm"

  20. 

  21. 	"code.gitea.io/gitea/modules/auth/ldap"

  22. 	"code.gitea.io/gitea/modules/auth/oauth2"

  23. 	"code.gitea.io/gitea/modules/auth/pam"

  24. 	"code.gitea.io/gitea/modules/log"

  25. 	"code.gitea.io/gitea/modules/util"

  26. )

  27. 

  28. // LoginType represents an login type.

  29. type LoginType int

  30. 

  31. // Note: new type must append to the end of list to maintain compatibility.

  32. const (

  33. 	LoginNoType LoginType = iota

  34. 	LoginPlain            // 1

  35. 	LoginLDAP             // 2

  36. 	LoginSMTP             // 3

  37. 	LoginPAM              // 4

  38. 	LoginDLDAP            // 5

  39. 	LoginOAuth2           // 6

  40. )

  41. 

  42. // LoginNames contains the name of LoginType values.

  43. var LoginNames = map[LoginType]string{

  44. 	LoginLDAP:   "LDAP (via BindDN)",

  45. 	LoginDLDAP:  "LDAP (simple auth)", // Via direct bind

  46. 	LoginSMTP:   "SMTP",

  47. 	LoginPAM:    "PAM",

  48. 	LoginOAuth2: "OAuth2",

  49. }

  50. 

  51. // SecurityProtocolNames contains the name of SecurityProtocol values.

  52. var SecurityProtocolNames = map[ldap.SecurityProtocol]string{

  53. 	ldap.SecurityProtocolUnencrypted: "Unencrypted",

  54. 	ldap.SecurityProtocolLDAPS:       "LDAPS",

  55. 	ldap.SecurityProtocolStartTLS:    "StartTLS",

  56. }

  57. 

  58. // Ensure structs implemented interface.

  59. var (

  60. 	_ core.Conversion = &LDAPConfig{}

  61. 	_ core.Conversion = &SMTPConfig{}

  62. 	_ core.Conversion = &PAMConfig{}

  63. 	_ core.Conversion = &OAuth2Config{}

  64. )

  65. 

  66. // LDAPConfig holds configuration for LDAP login source.

  67. type LDAPConfig struct {

  68. 	*ldap.Source

  69. }

  70. 

  71. // FromDB fills up a LDAPConfig from serialized format.

  72. func (cfg *LDAPConfig) FromDB(bs []byte) error {

  73. 	return json.Unmarshal(bs, &cfg)

  74. }

  75. 

  76. // ToDB exports a LDAPConfig to a serialized format.

  77. func (cfg *LDAPConfig) ToDB() ([]byte, error) {

  78. 	return json.Marshal(cfg)

  79. }

  80. 

  81. // SecurityProtocolName returns the name of configured security

  82. // protocol.

  83. func (cfg *LDAPConfig) SecurityProtocolName() string {

  84. 	return SecurityProtocolNames[cfg.SecurityProtocol]

  85. }

  86. 

  87. // SMTPConfig holds configuration for the SMTP login source.

  88. type SMTPConfig struct {

  89. 	Auth           string

  90. 	Host           string

  91. 	Port           int

  92. 	AllowedDomains string `xorm:"TEXT"`

  93. 	TLS            bool

  94. 	SkipVerify     bool

  95. }

  96. 

  97. // FromDB fills up an SMTPConfig from serialized format.

  98. func (cfg *SMTPConfig) FromDB(bs []byte) error {

  99. 	return json.Unmarshal(bs, cfg)

  100. }

  101. 

  102. // ToDB exports an SMTPConfig to a serialized format.

  103. func (cfg *SMTPConfig) ToDB() ([]byte, error) {

  104. 	return json.Marshal(cfg)

  105. }

  106. 

  107. // PAMConfig holds configuration for the PAM login source.

  108. type PAMConfig struct {

  109. 	ServiceName string // pam service (e.g. system-auth)

  110. }

  111. 

  112. // FromDB fills up a PAMConfig from serialized format.

  113. func (cfg *PAMConfig) FromDB(bs []byte) error {

  114. 	return json.Unmarshal(bs, &cfg)

  115. }

  116. 

  117. // ToDB exports a PAMConfig to a serialized format.

  118. func (cfg *PAMConfig) ToDB() ([]byte, error) {

  119. 	return json.Marshal(cfg)

  120. }

  121. 

  122. // OAuth2Config holds configuration for the OAuth2 login source.

  123. type OAuth2Config struct {

  124. 	Provider                      string

  125. 	ClientID                      string

  126. 	ClientSecret                  string

  127. 	OpenIDConnectAutoDiscoveryURL string

  128. 	CustomURLMapping              *oauth2.CustomURLMapping

  129. }

  130. 

  131. // FromDB fills up an OAuth2Config from serialized format.

  132. func (cfg *OAuth2Config) FromDB(bs []byte) error {

  133. 	return json.Unmarshal(bs, cfg)

  134. }

  135. 

  136. // ToDB exports an SMTPConfig to a serialized format.

  137. func (cfg *OAuth2Config) ToDB() ([]byte, error) {

  138. 	return json.Marshal(cfg)

  139. }

  140. 

  141. // LoginSource represents an external way for authorizing users.

  142. type LoginSource struct {

  143. 	ID            int64 `xorm:"pk autoincr"`

  144. 	Type          LoginType

  145. 	Name          string          `xorm:"UNIQUE"`

  146. 	IsActived     bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  147. 	IsSyncEnabled bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  148. 	Cfg           core.Conversion `xorm:"TEXT"`

  149. 

  150. 	CreatedUnix util.TimeStamp `xorm:"INDEX created"`

  151. 	UpdatedUnix util.TimeStamp `xorm:"INDEX updated"`

  152. }

  153. 

  154. // Cell2Int64 converts a xorm.Cell type to int64,

  155. // and handles possible irregular cases.

  156. func Cell2Int64(val xorm.Cell) int64 {

  157. 	switch (*val).(type) {

  158. 	case []uint8:

  159. 		log.Trace("Cell2Int64 ([]uint8): %v", *val)

  160. 		return com.StrTo(string((*val).([]uint8))).MustInt64()

  161. 	}

  162. 	return (*val).(int64)

  163. }

  164. 

  165. // BeforeSet is invoked from XORM before setting the value of a field of this object.

  166. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {

  167. 	if colName == "type" {

  168. 		switch LoginType(Cell2Int64(val)) {

  169. 		case LoginLDAP, LoginDLDAP:

  170. 			source.Cfg = new(LDAPConfig)

  171. 		case LoginSMTP:

  172. 			source.Cfg = new(SMTPConfig)

  173. 		case LoginPAM:

  174. 			source.Cfg = new(PAMConfig)

  175. 		case LoginOAuth2:

  176. 			source.Cfg = new(OAuth2Config)

  177. 		default:

  178. 			panic("unrecognized login source type: " + com.ToStr(*val))

  179. 		}

  180. 	}

  181. }

  182. 

  183. // TypeName return name of this login source type.

  184. func (source *LoginSource) TypeName() string {

  185. 	return LoginNames[source.Type]

  186. }

  187. 

  188. // IsLDAP returns true of this source is of the LDAP type.

  189. func (source *LoginSource) IsLDAP() bool {

  190. 	return source.Type == LoginLDAP

  191. }

  192. 

  193. // IsDLDAP returns true of this source is of the DLDAP type.

  194. func (source *LoginSource) IsDLDAP() bool {

  195. 	return source.Type == LoginDLDAP

  196. }

  197. 

  198. // IsSMTP returns true of this source is of the SMTP type.

  199. func (source *LoginSource) IsSMTP() bool {

  200. 	return source.Type == LoginSMTP

  201. }

  202. 

  203. // IsPAM returns true of this source is of the PAM type.

  204. func (source *LoginSource) IsPAM() bool {

  205. 	return source.Type == LoginPAM

  206. }

  207. 

  208. // IsOAuth2 returns true of this source is of the OAuth2 type.

  209. func (source *LoginSource) IsOAuth2() bool {

  210. 	return source.Type == LoginOAuth2

  211. }

  212. 

  213. // HasTLS returns true of this source supports TLS.

  214. func (source *LoginSource) HasTLS() bool {

  215. 	return ((source.IsLDAP() || source.IsDLDAP()) &&

  216. 		source.LDAP().SecurityProtocol > ldap.SecurityProtocolUnencrypted) ||

  217. 		source.IsSMTP()

  218. }

  219. 

  220. // UseTLS returns true of this source is configured to use TLS.

  221. func (source *LoginSource) UseTLS() bool {

  222. 	switch source.Type {

  223. 	case LoginLDAP, LoginDLDAP:

  224. 		return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted

  225. 	case LoginSMTP:

  226. 		return source.SMTP().TLS

  227. 	}

  228. 

  229. 	return false

  230. }

  231. 

  232. // SkipVerify returns true if this source is configured to skip SSL

  233. // verification.

  234. func (source *LoginSource) SkipVerify() bool {

  235. 	switch source.Type {

  236. 	case LoginLDAP, LoginDLDAP:

  237. 		return source.LDAP().SkipVerify

  238. 	case LoginSMTP:

  239. 		return source.SMTP().SkipVerify

  240. 	}

  241. 

  242. 	return false

  243. }

  244. 

  245. // LDAP returns LDAPConfig for this source, if of LDAP type.

  246. func (source *LoginSource) LDAP() *LDAPConfig {

  247. 	return source.Cfg.(*LDAPConfig)

  248. }

  249. 

  250. // SMTP returns SMTPConfig for this source, if of SMTP type.

  251. func (source *LoginSource) SMTP() *SMTPConfig {

  252. 	return source.Cfg.(*SMTPConfig)

  253. }

  254. 

  255. // PAM returns PAMConfig for this source, if of PAM type.

  256. func (source *LoginSource) PAM() *PAMConfig {

  257. 	return source.Cfg.(*PAMConfig)

  258. }

  259. 

  260. // OAuth2 returns OAuth2Config for this source, if of OAuth2 type.

  261. func (source *LoginSource) OAuth2() *OAuth2Config {

  262. 	return source.Cfg.(*OAuth2Config)

  263. }

  264. 

  265. // CreateLoginSource inserts a LoginSource in the DB if not already

  266. // existing with the given name.

  267. func CreateLoginSource(source *LoginSource) error {

  268. 	has, err := x.Get(&LoginSource{Name: source.Name})

  269. 	if err != nil {

  270. 		return err

  271. 	} else if has {

  272. 		return ErrLoginSourceAlreadyExist{source.Name}

  273. 	}

  274. 	// Synchronization is only aviable with LDAP for now

  275. 	if !source.IsLDAP() {

  276. 		source.IsSyncEnabled = false

  277. 	}

  278. 

  279. 	_, err = x.Insert(source)

  280. 	if err == nil && source.IsOAuth2() && source.IsActived {

  281. 		oAuth2Config := source.OAuth2()

  282. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  283. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  284. 		if err != nil {

  285. 			// remove the LoginSource in case of errors while registering OAuth2 providers

  286. 			if _, err := x.Delete(source); err != nil {

  287. 				log.Error("CreateLoginSource: Error while wrapOpenIDConnectInitializeError: %v", err)

  288. 			}

  289. 			return err

  290. 		}

  291. 	}

  292. 	return err

  293. }

  294. 

  295. // LoginSources returns a slice of all login sources found in DB.

  296. func LoginSources() ([]*LoginSource, error) {

  297. 	auths := make([]*LoginSource, 0, 6)

  298. 	return auths, x.Find(&auths)

  299. }

  300. 

  301. // GetLoginSourceByID returns login source by given ID.

  302. func GetLoginSourceByID(id int64) (*LoginSource, error) {

  303. 	source := new(LoginSource)

  304. 	has, err := x.ID(id).Get(source)

  305. 	if err != nil {

  306. 		return nil, err

  307. 	} else if !has {

  308. 		return nil, ErrLoginSourceNotExist{id}

  309. 	}

  310. 	return source, nil

  311. }

  312. 

  313. // UpdateSource updates a LoginSource record in DB.

  314. func UpdateSource(source *LoginSource) error {

  315. 	var originalLoginSource *LoginSource

  316. 	if source.IsOAuth2() {

  317. 		// keep track of the original values so we can restore in case of errors while registering OAuth2 providers

  318. 		var err error

  319. 		if originalLoginSource, err = GetLoginSourceByID(source.ID); err != nil {

  320. 			return err

  321. 		}

  322. 	}

  323. 

  324. 	_, err := x.ID(source.ID).AllCols().Update(source)

  325. 	if err == nil && source.IsOAuth2() && source.IsActived {

  326. 		oAuth2Config := source.OAuth2()

  327. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  328. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  329. 		if err != nil {

  330. 			// restore original values since we cannot update the provider it self

  331. 			if _, err := x.ID(source.ID).AllCols().Update(originalLoginSource); err != nil {

  332. 				log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err)

  333. 			}

  334. 			return err

  335. 		}

  336. 	}

  337. 	return err

  338. }

  339. 

  340. // DeleteSource deletes a LoginSource record in DB.

  341. func DeleteSource(source *LoginSource) error {

  342. 	count, err := x.Count(&User{LoginSource: source.ID})

  343. 	if err != nil {

  344. 		return err

  345. 	} else if count > 0 {

  346. 		return ErrLoginSourceInUse{source.ID}

  347. 	}

  348. 

  349. 	count, err = x.Count(&ExternalLoginUser{LoginSourceID: source.ID})

  350. 	if err != nil {

  351. 		return err

  352. 	} else if count > 0 {

  353. 		return ErrLoginSourceInUse{source.ID}

  354. 	}

  355. 

  356. 	if source.IsOAuth2() {

  357. 		oauth2.RemoveProvider(source.Name)

  358. 	}

  359. 

  360. 	_, err = x.ID(source.ID).Delete(new(LoginSource))

  361. 	return err

  362. }

  363. 

  364. // CountLoginSources returns number of login sources.

  365. func CountLoginSources() int64 {

  366. 	count, _ := x.Count(new(LoginSource))

  367. 	return count

  368. }

  369. 

  370. // .____     ________      _____ __________

  371. // |    |    \______ \    /  _  \\______   \

  372. // |    |     |    |  \  /  /_\  \|     ___/

  373. // |    |___  |    `   \/    |    \    |

  374. // |_______ \/_______  /\____|__  /____|

  375. //         \/        \/         \/

  376. 

  377. func composeFullName(firstname, surname, username string) string {

  378. 	switch {

  379. 	case len(firstname) == 0 && len(surname) == 0:

  380. 		return username

  381. 	case len(firstname) == 0:

  382. 		return surname

  383. 	case len(surname) == 0:

  384. 		return firstname

  385. 	default:

  386. 		return firstname + " " + surname

  387. 	}

  388. }

  389. 

  390. var (

  391. 	alphaDashDotPattern = regexp.MustCompile(`[^\w-\.]`)

  392. )

  393. 

  394. // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,

  395. // and create a local user if success when enabled.

  396. func LoginViaLDAP(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {

  397. 	sr := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LoginDLDAP)

  398. 	if sr == nil {

  399. 		// User not in LDAP, do nothing

  400. 		return nil, ErrUserNotExist{0, login, 0}

  401. 	}

  402. 

  403. 	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(source.LDAP().AttributeSSHPublicKey)) > 0

  404. 

  405. 	if !autoRegister {

  406. 		if isAttributeSSHPublicKeySet && synchronizeLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {

  407. 			return user, RewriteAllPublicKeys()

  408. 		}

  409. 

  410. 		return user, nil

  411. 	}

  412. 

  413. 	// Fallback.

  414. 	if len(sr.Username) == 0 {

  415. 		sr.Username = login

  416. 	}

  417. 	// Validate username make sure it satisfies requirement.

  418. 	if alphaDashDotPattern.MatchString(sr.Username) {

  419. 		return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", sr.Username)

  420. 	}

  421. 

  422. 	if len(sr.Mail) == 0 {

  423. 		sr.Mail = fmt.Sprintf("%s@localhost", sr.Username)

  424. 	}

  425. 

  426. 	user = &User{

  427. 		LowerName:   strings.ToLower(sr.Username),

  428. 		Name:        sr.Username,

  429. 		FullName:    composeFullName(sr.Name, sr.Surname, sr.Username),

  430. 		Email:       sr.Mail,

  431. 		LoginType:   source.Type,

  432. 		LoginSource: source.ID,

  433. 		LoginName:   login,

  434. 		IsActive:    true,

  435. 		IsAdmin:     sr.IsAdmin,

  436. 	}

  437. 

  438. 	err := CreateUser(user)

  439. 

  440. 	if err == nil && isAttributeSSHPublicKeySet && addLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {

  441. 		err = RewriteAllPublicKeys()

  442. 	}

  443. 

  444. 	return user, err

  445. }

  446. 

  447. //   _________   __________________________

  448. //  /   _____/  /     \__    ___/\______   \

  449. //  \_____  \  /  \ /  \|    |    |     ___/

  450. //  /        \/    Y    \    |    |    |

  451. // /_______  /\____|__  /____|    |____|

  452. //         \/         \/

  453. 

  454. type smtpLoginAuth struct {

  455. 	username, password string

  456. }

  457. 

  458. func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {

  459. 	return "LOGIN", []byte(auth.username), nil

  460. }

  461. 

  462. func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {

  463. 	if more {

  464. 		switch string(fromServer) {

  465. 		case "Username:":

  466. 			return []byte(auth.username), nil

  467. 		case "Password:":

  468. 			return []byte(auth.password), nil

  469. 		}

  470. 	}

  471. 	return nil, nil

  472. }

  473. 

  474. // SMTP authentication type names.

  475. const (

  476. 	SMTPPlain = "PLAIN"

  477. 	SMTPLogin = "LOGIN"

  478. )

  479. 

  480. // SMTPAuths contains available SMTP authentication type names.

  481. var SMTPAuths = []string{SMTPPlain, SMTPLogin}

  482. 

  483. // SMTPAuth performs an SMTP authentication.

  484. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {

  485. 	c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))

  486. 	if err != nil {

  487. 		return err

  488. 	}

  489. 	defer c.Close()

  490. 

  491. 	if err = c.Hello("gogs"); err != nil {

  492. 		return err

  493. 	}

  494. 

  495. 	if cfg.TLS {

  496. 		if ok, _ := c.Extension("STARTTLS"); ok {

  497. 			if err = c.StartTLS(&tls.Config{

  498. 				InsecureSkipVerify: cfg.SkipVerify,

  499. 				ServerName:         cfg.Host,

  500. 			}); err != nil {

  501. 				return err

  502. 			}

  503. 		} else {

  504. 			return errors.New("SMTP server unsupports TLS")

  505. 		}

  506. 	}

  507. 

  508. 	if ok, _ := c.Extension("AUTH"); ok {

  509. 		return c.Auth(a)

  510. 	}

  511. 	return ErrUnsupportedLoginType

  512. }

  513. 

  514. // LoginViaSMTP queries if login/password is valid against the SMTP,

  515. // and create a local user if success when enabled.

  516. func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig, autoRegister bool) (*User, error) {

  517. 	// Verify allowed domains.

  518. 	if len(cfg.AllowedDomains) > 0 {

  519. 		idx := strings.Index(login, "@")

  520. 		if idx == -1 {

  521. 			return nil, ErrUserNotExist{0, login, 0}

  522. 		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {

  523. 			return nil, ErrUserNotExist{0, login, 0}

  524. 		}

  525. 	}

  526. 

  527. 	var auth smtp.Auth

  528. 	if cfg.Auth == SMTPPlain {

  529. 		auth = smtp.PlainAuth("", login, password, cfg.Host)

  530. 	} else if cfg.Auth == SMTPLogin {

  531. 		auth = &smtpLoginAuth{login, password}

  532. 	} else {

  533. 		return nil, errors.New("Unsupported SMTP auth type")

  534. 	}

  535. 

  536. 	if err := SMTPAuth(auth, cfg); err != nil {

  537. 		// Check standard error format first,

  538. 		// then fallback to worse case.

  539. 		tperr, ok := err.(*textproto.Error)

  540. 		if (ok && tperr.Code == 535) ||

  541. 			strings.Contains(err.Error(), "Username and Password not accepted") {

  542. 			return nil, ErrUserNotExist{0, login, 0}

  543. 		}

  544. 		return nil, err

  545. 	}

  546. 

  547. 	if !autoRegister {

  548. 		return user, nil

  549. 	}

  550. 

  551. 	username := login

  552. 	idx := strings.Index(login, "@")

  553. 	if idx > -1 {

  554. 		username = login[:idx]

  555. 	}

  556. 

  557. 	user = &User{

  558. 		LowerName:   strings.ToLower(username),

  559. 		Name:        strings.ToLower(username),

  560. 		Email:       login,

  561. 		Passwd:      password,

  562. 		LoginType:   LoginSMTP,

  563. 		LoginSource: sourceID,

  564. 		LoginName:   login,

  565. 		IsActive:    true,

  566. 	}

  567. 	return user, CreateUser(user)

  568. }

  569. 

  570. // __________  _____      _____

  571. // \______   \/  _  \    /     \

  572. //  |     ___/  /_\  \  /  \ /  \

  573. //  |    |  /    |    \/    Y    \

  574. //  |____|  \____|__  /\____|__  /

  575. //                  \/         \/

  576. 

  577. // LoginViaPAM queries if login/password is valid against the PAM,

  578. // and create a local user if success when enabled.

  579. func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig, autoRegister bool) (*User, error) {

  580. 	if err := pam.Auth(cfg.ServiceName, login, password); err != nil {

  581. 		if strings.Contains(err.Error(), "Authentication failure") {

  582. 			return nil, ErrUserNotExist{0, login, 0}

  583. 		}

  584. 		return nil, err

  585. 	}

  586. 

  587. 	if !autoRegister {

  588. 		return user, nil

  589. 	}

  590. 

  591. 	user = &User{

  592. 		LowerName:   strings.ToLower(login),

  593. 		Name:        login,

  594. 		Email:       login,

  595. 		Passwd:      password,

  596. 		LoginType:   LoginPAM,

  597. 		LoginSource: sourceID,

  598. 		LoginName:   login,

  599. 		IsActive:    true,

  600. 	}

  601. 	return user, CreateUser(user)

  602. }

  603. 

  604. // ExternalUserLogin attempts a login using external source types.

  605. func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {

  606. 	if !source.IsActived {

  607. 		return nil, ErrLoginSourceNotActived

  608. 	}

  609. 

  610. 	var err error

  611. 	switch source.Type {

  612. 	case LoginLDAP, LoginDLDAP:

  613. 		user, err = LoginViaLDAP(user, login, password, source, autoRegister)

  614. 	case LoginSMTP:

  615. 		user, err = LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)

  616. 	case LoginPAM:

  617. 		user, err = LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)

  618. 	default:

  619. 		return nil, ErrUnsupportedLoginType

  620. 	}

  621. 

  622. 	if err != nil {

  623. 		return nil, err

  624. 	}

  625. 

  626. 	// WARN: DON'T check user.IsActive, that will be checked on reqSign so that

  627. 	// user could be hint to resend confirm email.

  628. 	if user.ProhibitLogin {

  629. 		return nil, ErrUserProhibitLogin{user.ID, user.Name}

  630. 	}

  631. 

  632. 	return user, nil

  633. }

  634. 

  635. // UserSignIn validates user name and password.

  636. func UserSignIn(username, password string) (*User, error) {

  637. 	var user *User

  638. 	if strings.Contains(username, "@") {

  639. 		user = &User{Email: strings.ToLower(strings.TrimSpace(username))}

  640. 		// check same email

  641. 		cnt, err := x.Count(user)

  642. 		if err != nil {

  643. 			return nil, err

  644. 		}

  645. 		if cnt > 1 {

  646. 			return nil, ErrEmailAlreadyUsed{

  647. 				Email: user.Email,

  648. 			}

  649. 		}

  650. 	} else {

  651. 		trimmedUsername := strings.TrimSpace(username)

  652. 		if len(trimmedUsername) == 0 {

  653. 			return nil, ErrUserNotExist{0, username, 0}

  654. 		}

  655. 

  656. 		user = &User{LowerName: strings.ToLower(trimmedUsername)}

  657. 	}

  658. 

  659. 	hasUser, err := x.Get(user)

  660. 	if err != nil {

  661. 		return nil, err

  662. 	}

  663. 

  664. 	if hasUser {

  665. 		switch user.LoginType {

  666. 		case LoginNoType, LoginPlain, LoginOAuth2:

  667. 			if user.IsPasswordSet() && user.ValidatePassword(password) {

  668. 				// WARN: DON'T check user.IsActive, that will be checked on reqSign so that

  669. 				// user could be hint to resend confirm email.

  670. 				if user.ProhibitLogin {

  671. 					return nil, ErrUserProhibitLogin{user.ID, user.Name}

  672. 				}

  673. 

  674. 				return user, nil

  675. 			}

  676. 

  677. 			return nil, ErrUserNotExist{user.ID, user.Name, 0}

  678. 

  679. 		default:

  680. 			var source LoginSource

  681. 			hasSource, err := x.ID(user.LoginSource).Get(&source)

  682. 			if err != nil {

  683. 				return nil, err

  684. 			} else if !hasSource {

  685. 				return nil, ErrLoginSourceNotExist{user.LoginSource}

  686. 			}

  687. 

  688. 			return ExternalUserLogin(user, user.LoginName, password, &source, false)

  689. 		}

  690. 	}

  691. 

  692. 	sources := make([]*LoginSource, 0, 5)

  693. 	if err = x.Where("is_actived = ?", true).Find(&sources); err != nil {

  694. 		return nil, err

  695. 	}

  696. 

  697. 	for _, source := range sources {

  698. 		if source.IsOAuth2() {

  699. 			// don't try to authenticate against OAuth2 sources

  700. 			continue

  701. 		}

  702. 		authUser, err := ExternalUserLogin(nil, username, password, source, true)

  703. 		if err == nil {

  704. 			return authUser, nil

  705. 		}

  706. 

  707. 		log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)

  708. 	}

  709. 

  710. 	return nil, ErrUserNotExist{user.ID, user.Name, 0}

  711. }