mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16496 Commits
17 Branches
Tree: fc7d3f7315
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fc7d3f7315'
${ noResults }
gitea/services/auth/source/ldap/source_authenticate.go

source_authenticate.go 3.9KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 
  1. // Copyright 2021 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package ldap

  5. 

  6. import (

  7. 	"context"

  8. 	"fmt"

  9. 	"strings"

  10. 

  11. 	asymkey_model "code.gitea.io/gitea/models/asymkey"

  12. 	"code.gitea.io/gitea/models/auth"

  13. 	user_model "code.gitea.io/gitea/models/user"

  14. 	auth_module "code.gitea.io/gitea/modules/auth"

  15. 	"code.gitea.io/gitea/modules/util"

  16. 	source_service "code.gitea.io/gitea/services/auth/source"

  17. 	user_service "code.gitea.io/gitea/services/user"

  18. )

  19. 

  20. // Authenticate queries if login/password is valid against the LDAP directory pool,

  21. // and create a local user if success when enabled.

  22. func (source *Source) Authenticate(ctx context.Context, user *user_model.User, userName, password string) (*user_model.User, error) {

  23. 	loginName := userName

  24. 	if user != nil {

  25. 		loginName = user.LoginName

  26. 	}

  27. 	sr := source.SearchEntry(loginName, password, source.authSource.Type == auth.DLDAP)

  28. 	if sr == nil {

  29. 		// User not in LDAP, do nothing

  30. 		return nil, user_model.ErrUserNotExist{Name: loginName}

  31. 	}

  32. 

  33. 	isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0

  34. 

  35. 	// Update User admin flag if exist

  36. 	if isExist, err := user_model.IsUserExist(ctx, 0, sr.Username); err != nil {

  37. 		return nil, err

  38. 	} else if isExist {

  39. 		if user == nil {

  40. 			user, err = user_model.GetUserByName(ctx, sr.Username)

  41. 			if err != nil {

  42. 				return nil, err

  43. 			}

  44. 		}

  45. 		if user != nil && !user.ProhibitLogin {

  46. 			cols := make([]string, 0)

  47. 			if len(source.AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin {

  48. 				// Change existing admin flag only if AdminFilter option is set

  49. 				user.IsAdmin = sr.IsAdmin

  50. 				cols = append(cols, "is_admin")

  51. 			}

  52. 			if !user.IsAdmin && len(source.RestrictedFilter) > 0 && user.IsRestricted != sr.IsRestricted {

  53. 				// Change existing restricted flag only if RestrictedFilter option is set

  54. 				user.IsRestricted = sr.IsRestricted

  55. 				cols = append(cols, "is_restricted")

  56. 			}

  57. 			if len(cols) > 0 {

  58. 				err = user_model.UpdateUserCols(ctx, user, cols...)

  59. 				if err != nil {

  60. 					return nil, err

  61. 				}

  62. 			}

  63. 		}

  64. 	}

  65. 

  66. 	if user != nil {

  67. 		if isAttributeSSHPublicKeySet && asymkey_model.SynchronizePublicKeys(user, source.authSource, sr.SSHPublicKey) {

  68. 			if err := asymkey_model.RewriteAllPublicKeys(ctx); err != nil {

  69. 				return user, err

  70. 			}

  71. 		}

  72. 	} else {

  73. 		// Fallback.

  74. 		if len(sr.Username) == 0 {

  75. 			sr.Username = userName

  76. 		}

  77. 

  78. 		if len(sr.Mail) == 0 {

  79. 			sr.Mail = fmt.Sprintf("%s@localhost.local", sr.Username)

  80. 		}

  81. 

  82. 		user = &user_model.User{

  83. 			LowerName:   strings.ToLower(sr.Username),

  84. 			Name:        sr.Username,

  85. 			FullName:    composeFullName(sr.Name, sr.Surname, sr.Username),

  86. 			Email:       sr.Mail,

  87. 			LoginType:   source.authSource.Type,

  88. 			LoginSource: source.authSource.ID,

  89. 			LoginName:   userName,

  90. 			IsAdmin:     sr.IsAdmin,

  91. 		}

  92. 		overwriteDefault := &user_model.CreateUserOverwriteOptions{

  93. 			IsRestricted: util.OptionalBoolOf(sr.IsRestricted),

  94. 			IsActive:     util.OptionalBoolTrue,

  95. 		}

  96. 

  97. 		err := user_model.CreateUser(ctx, user, overwriteDefault)

  98. 		if err != nil {

  99. 			return user, err

  100. 		}

  101. 

  102. 		if isAttributeSSHPublicKeySet && asymkey_model.AddPublicKeysBySource(user, source.authSource, sr.SSHPublicKey) {

  103. 			if err := asymkey_model.RewriteAllPublicKeys(ctx); err != nil {

  104. 				return user, err

  105. 			}

  106. 		}

  107. 		if len(source.AttributeAvatar) > 0 {

  108. 			if err := user_service.UploadAvatar(user, sr.Avatar); err != nil {

  109. 				return user, err

  110. 			}

  111. 		}

  112. 	}

  113. 

  114. 	if source.GroupsEnabled && (source.GroupTeamMap != "" || source.GroupTeamMapRemoval) {

  115. 		groupTeamMapping, err := auth_module.UnmarshalGroupTeamMapping(source.GroupTeamMap)

  116. 		if err != nil {

  117. 			return user, err

  118. 		}

  119. 		if err := source_service.SyncGroupsToTeams(ctx, user, sr.Groups, groupTeamMapping, source.GroupTeamMapRemoval); err != nil {

  120. 			return user, err

  121. 		}

  122. 	}

  123. 

  124. 	return user, nil

  125. }

  126. 

  127. // IsSkipLocalTwoFA returns if this source should skip local 2fa for password authentication

  128. func (source *Source) IsSkipLocalTwoFA() bool {

  129. 	return source.SkipLocalTwoFA

  130. }