mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5335 Commits
17 Branches
Tree: ff7424179e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ff7424179e'
${ noResults }
gitea/models/login_source.go

login_source.go 19KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package models

  6. 

  7. import (

  8. 	"crypto/tls"

  9. 	"encoding/json"

  10. 	"errors"

  11. 	"fmt"

  12. 	"net/smtp"

  13. 	"net/textproto"

  14. 	"strings"

  15. 	"time"

  16. 

  17. 	"github.com/Unknwon/com"

  18. 	"github.com/go-macaron/binding"

  19. 	"github.com/go-xorm/core"

  20. 	"github.com/go-xorm/xorm"

  21. 

  22. 	"code.gitea.io/gitea/modules/auth/ldap"

  23. 	"code.gitea.io/gitea/modules/auth/oauth2"

  24. 	"code.gitea.io/gitea/modules/auth/pam"

  25. 	"code.gitea.io/gitea/modules/log"

  26. )

  27. 

  28. // LoginType represents an login type.

  29. type LoginType int

  30. 

  31. // Note: new type must append to the end of list to maintain compatibility.

  32. const (

  33. 	LoginNoType LoginType = iota

  34. 	LoginPlain            // 1

  35. 	LoginLDAP             // 2

  36. 	LoginSMTP             // 3

  37. 	LoginPAM              // 4

  38. 	LoginDLDAP            // 5

  39. 	LoginOAuth2           // 6

  40. )

  41. 

  42. // LoginNames contains the name of LoginType values.

  43. var LoginNames = map[LoginType]string{

  44. 	LoginLDAP:   "LDAP (via BindDN)",

  45. 	LoginDLDAP:  "LDAP (simple auth)", // Via direct bind

  46. 	LoginSMTP:   "SMTP",

  47. 	LoginPAM:    "PAM",

  48. 	LoginOAuth2: "OAuth2",

  49. }

  50. 

  51. // SecurityProtocolNames contains the name of SecurityProtocol values.

  52. var SecurityProtocolNames = map[ldap.SecurityProtocol]string{

  53. 	ldap.SecurityProtocolUnencrypted: "Unencrypted",

  54. 	ldap.SecurityProtocolLDAPS:       "LDAPS",

  55. 	ldap.SecurityProtocolStartTLS:    "StartTLS",

  56. }

  57. 

  58. // Ensure structs implemented interface.

  59. var (

  60. 	_ core.Conversion = &LDAPConfig{}

  61. 	_ core.Conversion = &SMTPConfig{}

  62. 	_ core.Conversion = &PAMConfig{}

  63. 	_ core.Conversion = &OAuth2Config{}

  64. )

  65. 

  66. // LDAPConfig holds configuration for LDAP login source.

  67. type LDAPConfig struct {

  68. 	*ldap.Source

  69. }

  70. 

  71. // FromDB fills up a LDAPConfig from serialized format.

  72. func (cfg *LDAPConfig) FromDB(bs []byte) error {

  73. 	return json.Unmarshal(bs, &cfg)

  74. }

  75. 

  76. // ToDB exports a LDAPConfig to a serialized format.

  77. func (cfg *LDAPConfig) ToDB() ([]byte, error) {

  78. 	return json.Marshal(cfg)

  79. }

  80. 

  81. // SecurityProtocolName returns the name of configured security

  82. // protocol.

  83. func (cfg *LDAPConfig) SecurityProtocolName() string {

  84. 	return SecurityProtocolNames[cfg.SecurityProtocol]

  85. }

  86. 

  87. // SMTPConfig holds configuration for the SMTP login source.

  88. type SMTPConfig struct {

  89. 	Auth           string

  90. 	Host           string

  91. 	Port           int

  92. 	AllowedDomains string `xorm:"TEXT"`

  93. 	TLS            bool

  94. 	SkipVerify     bool

  95. }

  96. 

  97. // FromDB fills up an SMTPConfig from serialized format.

  98. func (cfg *SMTPConfig) FromDB(bs []byte) error {

  99. 	return json.Unmarshal(bs, cfg)

  100. }

  101. 

  102. // ToDB exports an SMTPConfig to a serialized format.

  103. func (cfg *SMTPConfig) ToDB() ([]byte, error) {

  104. 	return json.Marshal(cfg)

  105. }

  106. 

  107. // PAMConfig holds configuration for the PAM login source.

  108. type PAMConfig struct {

  109. 	ServiceName string // pam service (e.g. system-auth)

  110. }

  111. 

  112. // FromDB fills up a PAMConfig from serialized format.

  113. func (cfg *PAMConfig) FromDB(bs []byte) error {

  114. 	return json.Unmarshal(bs, &cfg)

  115. }

  116. 

  117. // ToDB exports a PAMConfig to a serialized format.

  118. func (cfg *PAMConfig) ToDB() ([]byte, error) {

  119. 	return json.Marshal(cfg)

  120. }

  121. 

  122. // OAuth2Config holds configuration for the OAuth2 login source.

  123. type OAuth2Config struct {

  124. 	Provider                      string

  125. 	ClientID                      string

  126. 	ClientSecret                  string

  127. 	OpenIDConnectAutoDiscoveryURL string

  128. 	CustomURLMapping              *oauth2.CustomURLMapping

  129. }

  130. 

  131. // FromDB fills up an OAuth2Config from serialized format.

  132. func (cfg *OAuth2Config) FromDB(bs []byte) error {

  133. 	return json.Unmarshal(bs, cfg)

  134. }

  135. 

  136. // ToDB exports an SMTPConfig to a serialized format.

  137. func (cfg *OAuth2Config) ToDB() ([]byte, error) {

  138. 	return json.Marshal(cfg)

  139. }

  140. 

  141. // LoginSource represents an external way for authorizing users.

  142. type LoginSource struct {

  143. 	ID            int64 `xorm:"pk autoincr"`

  144. 	Type          LoginType

  145. 	Name          string          `xorm:"UNIQUE"`

  146. 	IsActived     bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  147. 	IsSyncEnabled bool            `xorm:"INDEX NOT NULL DEFAULT false"`

  148. 	Cfg           core.Conversion `xorm:"TEXT"`

  149. 

  150. 	Created     time.Time `xorm:"-"`

  151. 	CreatedUnix int64     `xorm:"INDEX"`

  152. 	Updated     time.Time `xorm:"-"`

  153. 	UpdatedUnix int64     `xorm:"INDEX"`

  154. }

  155. 

  156. // BeforeInsert is invoked from XORM before inserting an object of this type.

  157. func (source *LoginSource) BeforeInsert() {

  158. 	source.CreatedUnix = time.Now().Unix()

  159. 	source.UpdatedUnix = source.CreatedUnix

  160. }

  161. 

  162. // BeforeUpdate is invoked from XORM before updating this object.

  163. func (source *LoginSource) BeforeUpdate() {

  164. 	source.UpdatedUnix = time.Now().Unix()

  165. }

  166. 

  167. // Cell2Int64 converts a xorm.Cell type to int64,

  168. // and handles possible irregular cases.

  169. func Cell2Int64(val xorm.Cell) int64 {

  170. 	switch (*val).(type) {

  171. 	case []uint8:

  172. 		log.Trace("Cell2Int64 ([]uint8): %v", *val)

  173. 		return com.StrTo(string((*val).([]uint8))).MustInt64()

  174. 	}

  175. 	return (*val).(int64)

  176. }

  177. 

  178. // BeforeSet is invoked from XORM before setting the value of a field of this object.

  179. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {

  180. 	switch colName {

  181. 	case "type":

  182. 		switch LoginType(Cell2Int64(val)) {

  183. 		case LoginLDAP, LoginDLDAP:

  184. 			source.Cfg = new(LDAPConfig)

  185. 		case LoginSMTP:

  186. 			source.Cfg = new(SMTPConfig)

  187. 		case LoginPAM:

  188. 			source.Cfg = new(PAMConfig)

  189. 		case LoginOAuth2:

  190. 			source.Cfg = new(OAuth2Config)

  191. 		default:

  192. 			panic("unrecognized login source type: " + com.ToStr(*val))

  193. 		}

  194. 	}

  195. }

  196. 

  197. // AfterSet is invoked from XORM after setting the value of a field of this object.

  198. func (source *LoginSource) AfterSet(colName string, _ xorm.Cell) {

  199. 	switch colName {

  200. 	case "created_unix":

  201. 		source.Created = time.Unix(source.CreatedUnix, 0).Local()

  202. 	case "updated_unix":

  203. 		source.Updated = time.Unix(source.UpdatedUnix, 0).Local()

  204. 	}

  205. }

  206. 

  207. // TypeName return name of this login source type.

  208. func (source *LoginSource) TypeName() string {

  209. 	return LoginNames[source.Type]

  210. }

  211. 

  212. // IsLDAP returns true of this source is of the LDAP type.

  213. func (source *LoginSource) IsLDAP() bool {

  214. 	return source.Type == LoginLDAP

  215. }

  216. 

  217. // IsDLDAP returns true of this source is of the DLDAP type.

  218. func (source *LoginSource) IsDLDAP() bool {

  219. 	return source.Type == LoginDLDAP

  220. }

  221. 

  222. // IsSMTP returns true of this source is of the SMTP type.

  223. func (source *LoginSource) IsSMTP() bool {

  224. 	return source.Type == LoginSMTP

  225. }

  226. 

  227. // IsPAM returns true of this source is of the PAM type.

  228. func (source *LoginSource) IsPAM() bool {

  229. 	return source.Type == LoginPAM

  230. }

  231. 

  232. // IsOAuth2 returns true of this source is of the OAuth2 type.

  233. func (source *LoginSource) IsOAuth2() bool {

  234. 	return source.Type == LoginOAuth2

  235. }

  236. 

  237. // HasTLS returns true of this source supports TLS.

  238. func (source *LoginSource) HasTLS() bool {

  239. 	return ((source.IsLDAP() || source.IsDLDAP()) &&

  240. 		source.LDAP().SecurityProtocol > ldap.SecurityProtocolUnencrypted) ||

  241. 		source.IsSMTP()

  242. }

  243. 

  244. // UseTLS returns true of this source is configured to use TLS.

  245. func (source *LoginSource) UseTLS() bool {

  246. 	switch source.Type {

  247. 	case LoginLDAP, LoginDLDAP:

  248. 		return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted

  249. 	case LoginSMTP:

  250. 		return source.SMTP().TLS

  251. 	}

  252. 

  253. 	return false

  254. }

  255. 

  256. // SkipVerify returns true if this source is configured to skip SSL

  257. // verification.

  258. func (source *LoginSource) SkipVerify() bool {

  259. 	switch source.Type {

  260. 	case LoginLDAP, LoginDLDAP:

  261. 		return source.LDAP().SkipVerify

  262. 	case LoginSMTP:

  263. 		return source.SMTP().SkipVerify

  264. 	}

  265. 

  266. 	return false

  267. }

  268. 

  269. // LDAP returns LDAPConfig for this source, if of LDAP type.

  270. func (source *LoginSource) LDAP() *LDAPConfig {

  271. 	return source.Cfg.(*LDAPConfig)

  272. }

  273. 

  274. // SMTP returns SMTPConfig for this source, if of SMTP type.

  275. func (source *LoginSource) SMTP() *SMTPConfig {

  276. 	return source.Cfg.(*SMTPConfig)

  277. }

  278. 

  279. // PAM returns PAMConfig for this source, if of PAM type.

  280. func (source *LoginSource) PAM() *PAMConfig {

  281. 	return source.Cfg.(*PAMConfig)

  282. }

  283. 

  284. // OAuth2 returns OAuth2Config for this source, if of OAuth2 type.

  285. func (source *LoginSource) OAuth2() *OAuth2Config {

  286. 	return source.Cfg.(*OAuth2Config)

  287. }

  288. 

  289. // CreateLoginSource inserts a LoginSource in the DB if not already

  290. // existing with the given name.

  291. func CreateLoginSource(source *LoginSource) error {

  292. 	has, err := x.Get(&LoginSource{Name: source.Name})

  293. 	if err != nil {

  294. 		return err

  295. 	} else if has {

  296. 		return ErrLoginSourceAlreadyExist{source.Name}

  297. 	}

  298. 	// Synchronization is only aviable with LDAP for now

  299. 	if !source.IsLDAP() {

  300. 		source.IsSyncEnabled = false

  301. 	}

  302. 

  303. 	_, err = x.Insert(source)

  304. 	if err == nil && source.IsOAuth2() && source.IsActived {

  305. 		oAuth2Config := source.OAuth2()

  306. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  307. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  308. 

  309. 		if err != nil {

  310. 			// remove the LoginSource in case of errors while registering OAuth2 providers

  311. 			x.Delete(source)

  312. 		}

  313. 	}

  314. 	return err

  315. }

  316. 

  317. // LoginSources returns a slice of all login sources found in DB.

  318. func LoginSources() ([]*LoginSource, error) {

  319. 	auths := make([]*LoginSource, 0, 6)

  320. 	return auths, x.Find(&auths)

  321. }

  322. 

  323. // GetLoginSourceByID returns login source by given ID.

  324. func GetLoginSourceByID(id int64) (*LoginSource, error) {

  325. 	source := new(LoginSource)

  326. 	has, err := x.Id(id).Get(source)

  327. 	if err != nil {

  328. 		return nil, err

  329. 	} else if !has {

  330. 		return nil, ErrLoginSourceNotExist{id}

  331. 	}

  332. 	return source, nil

  333. }

  334. 

  335. // UpdateSource updates a LoginSource record in DB.

  336. func UpdateSource(source *LoginSource) error {

  337. 	var originalLoginSource *LoginSource

  338. 	if source.IsOAuth2() {

  339. 		// keep track of the original values so we can restore in case of errors while registering OAuth2 providers

  340. 		var err error

  341. 		if originalLoginSource, err = GetLoginSourceByID(source.ID); err != nil {

  342. 			return err

  343. 		}

  344. 	}

  345. 

  346. 	_, err := x.Id(source.ID).AllCols().Update(source)

  347. 	if err == nil && source.IsOAuth2() && source.IsActived {

  348. 		oAuth2Config := source.OAuth2()

  349. 		err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)

  350. 		err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)

  351. 

  352. 		if err != nil {

  353. 			// restore original values since we cannot update the provider it self

  354. 			x.Id(source.ID).AllCols().Update(originalLoginSource)

  355. 		}

  356. 	}

  357. 	return err

  358. }

  359. 

  360. // DeleteSource deletes a LoginSource record in DB.

  361. func DeleteSource(source *LoginSource) error {

  362. 	count, err := x.Count(&User{LoginSource: source.ID})

  363. 	if err != nil {

  364. 		return err

  365. 	} else if count > 0 {

  366. 		return ErrLoginSourceInUse{source.ID}

  367. 	}

  368. 

  369. 	count, err = x.Count(&ExternalLoginUser{LoginSourceID: source.ID})

  370. 	if err != nil {

  371. 		return err

  372. 	} else if count > 0 {

  373. 		return ErrLoginSourceInUse{source.ID}

  374. 	}

  375. 

  376. 	if source.IsOAuth2() {

  377. 		oauth2.RemoveProvider(source.Name)

  378. 	}

  379. 

  380. 	_, err = x.Id(source.ID).Delete(new(LoginSource))

  381. 	return err

  382. }

  383. 

  384. // CountLoginSources returns number of login sources.

  385. func CountLoginSources() int64 {

  386. 	count, _ := x.Count(new(LoginSource))

  387. 	return count

  388. }

  389. 

  390. // .____     ________      _____ __________

  391. // |    |    \______ \    /  _  \\______   \

  392. // |    |     |    |  \  /  /_\  \|     ___/

  393. // |    |___  |    `   \/    |    \    |

  394. // |_______ \/_______  /\____|__  /____|

  395. //         \/        \/         \/

  396. 

  397. func composeFullName(firstname, surname, username string) string {

  398. 	switch {

  399. 	case len(firstname) == 0 && len(surname) == 0:

  400. 		return username

  401. 	case len(firstname) == 0:

  402. 		return surname

  403. 	case len(surname) == 0:

  404. 		return firstname

  405. 	default:

  406. 		return firstname + " " + surname

  407. 	}

  408. }

  409. 

  410. // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,

  411. // and create a local user if success when enabled.

  412. func LoginViaLDAP(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {

  413. 	sr := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LoginDLDAP)

  414. 	if sr == nil {

  415. 		// User not in LDAP, do nothing

  416. 		return nil, ErrUserNotExist{0, login, 0}

  417. 	}

  418. 

  419. 	if !autoRegister {

  420. 		return user, nil

  421. 	}

  422. 

  423. 	// Fallback.

  424. 	if len(sr.Username) == 0 {

  425. 		sr.Username = login

  426. 	}

  427. 	// Validate username make sure it satisfies requirement.

  428. 	if binding.AlphaDashDotPattern.MatchString(sr.Username) {

  429. 		return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", sr.Username)

  430. 	}

  431. 

  432. 	if len(sr.Mail) == 0 {

  433. 		sr.Mail = fmt.Sprintf("%s@localhost", sr.Username)

  434. 	}

  435. 

  436. 	user = &User{

  437. 		LowerName:   strings.ToLower(sr.Username),

  438. 		Name:        sr.Username,

  439. 		FullName:    composeFullName(sr.Name, sr.Surname, sr.Username),

  440. 		Email:       sr.Mail,

  441. 		LoginType:   source.Type,

  442. 		LoginSource: source.ID,

  443. 		LoginName:   login,

  444. 		IsActive:    true,

  445. 		IsAdmin:     sr.IsAdmin,

  446. 	}

  447. 	return user, CreateUser(user)

  448. }

  449. 

  450. //   _________   __________________________

  451. //  /   _____/  /     \__    ___/\______   \

  452. //  \_____  \  /  \ /  \|    |    |     ___/

  453. //  /        \/    Y    \    |    |    |

  454. // /_______  /\____|__  /____|    |____|

  455. //         \/         \/

  456. 

  457. type smtpLoginAuth struct {

  458. 	username, password string

  459. }

  460. 

  461. func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {

  462. 	return "LOGIN", []byte(auth.username), nil

  463. }

  464. 

  465. func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {

  466. 	if more {

  467. 		switch string(fromServer) {

  468. 		case "Username:":

  469. 			return []byte(auth.username), nil

  470. 		case "Password:":

  471. 			return []byte(auth.password), nil

  472. 		}

  473. 	}

  474. 	return nil, nil

  475. }

  476. 

  477. // SMTP authentication type names.

  478. const (

  479. 	SMTPPlain = "PLAIN"

  480. 	SMTPLogin = "LOGIN"

  481. )

  482. 

  483. // SMTPAuths contains available SMTP authentication type names.

  484. var SMTPAuths = []string{SMTPPlain, SMTPLogin}

  485. 

  486. // SMTPAuth performs an SMTP authentication.

  487. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {

  488. 	c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))

  489. 	if err != nil {

  490. 		return err

  491. 	}

  492. 	defer c.Close()

  493. 

  494. 	if err = c.Hello("gogs"); err != nil {

  495. 		return err

  496. 	}

  497. 

  498. 	if cfg.TLS {

  499. 		if ok, _ := c.Extension("STARTTLS"); ok {

  500. 			if err = c.StartTLS(&tls.Config{

  501. 				InsecureSkipVerify: cfg.SkipVerify,

  502. 				ServerName:         cfg.Host,

  503. 			}); err != nil {

  504. 				return err

  505. 			}

  506. 		} else {

  507. 			return errors.New("SMTP server unsupports TLS")

  508. 		}

  509. 	}

  510. 

  511. 	if ok, _ := c.Extension("AUTH"); ok {

  512. 		if err = c.Auth(a); err != nil {

  513. 			return err

  514. 		}

  515. 		return nil

  516. 	}

  517. 	return ErrUnsupportedLoginType

  518. }

  519. 

  520. // LoginViaSMTP queries if login/password is valid against the SMTP,

  521. // and create a local user if success when enabled.

  522. func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig, autoRegister bool) (*User, error) {

  523. 	// Verify allowed domains.

  524. 	if len(cfg.AllowedDomains) > 0 {

  525. 		idx := strings.Index(login, "@")

  526. 		if idx == -1 {

  527. 			return nil, ErrUserNotExist{0, login, 0}

  528. 		} else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {

  529. 			return nil, ErrUserNotExist{0, login, 0}

  530. 		}

  531. 	}

  532. 

  533. 	var auth smtp.Auth

  534. 	if cfg.Auth == SMTPPlain {

  535. 		auth = smtp.PlainAuth("", login, password, cfg.Host)

  536. 	} else if cfg.Auth == SMTPLogin {

  537. 		auth = &smtpLoginAuth{login, password}

  538. 	} else {

  539. 		return nil, errors.New("Unsupported SMTP auth type")

  540. 	}

  541. 

  542. 	if err := SMTPAuth(auth, cfg); err != nil {

  543. 		// Check standard error format first,

  544. 		// then fallback to worse case.

  545. 		tperr, ok := err.(*textproto.Error)

  546. 		if (ok && tperr.Code == 535) ||

  547. 			strings.Contains(err.Error(), "Username and Password not accepted") {

  548. 			return nil, ErrUserNotExist{0, login, 0}

  549. 		}

  550. 		return nil, err

  551. 	}

  552. 

  553. 	if !autoRegister {

  554. 		return user, nil

  555. 	}

  556. 

  557. 	username := login

  558. 	idx := strings.Index(login, "@")

  559. 	if idx > -1 {

  560. 		username = login[:idx]

  561. 	}

  562. 

  563. 	user = &User{

  564. 		LowerName:   strings.ToLower(username),

  565. 		Name:        strings.ToLower(username),

  566. 		Email:       login,

  567. 		Passwd:      password,

  568. 		LoginType:   LoginSMTP,

  569. 		LoginSource: sourceID,

  570. 		LoginName:   login,

  571. 		IsActive:    true,

  572. 	}

  573. 	return user, CreateUser(user)

  574. }

  575. 

  576. // __________  _____      _____

  577. // \______   \/  _  \    /     \

  578. //  |     ___/  /_\  \  /  \ /  \

  579. //  |    |  /    |    \/    Y    \

  580. //  |____|  \____|__  /\____|__  /

  581. //                  \/         \/

  582. 

  583. // LoginViaPAM queries if login/password is valid against the PAM,

  584. // and create a local user if success when enabled.

  585. func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig, autoRegister bool) (*User, error) {

  586. 	if err := pam.Auth(cfg.ServiceName, login, password); err != nil {

  587. 		if strings.Contains(err.Error(), "Authentication failure") {

  588. 			return nil, ErrUserNotExist{0, login, 0}

  589. 		}

  590. 		return nil, err

  591. 	}

  592. 

  593. 	if !autoRegister {

  594. 		return user, nil

  595. 	}

  596. 

  597. 	user = &User{

  598. 		LowerName:   strings.ToLower(login),

  599. 		Name:        login,

  600. 		Email:       login,

  601. 		Passwd:      password,

  602. 		LoginType:   LoginPAM,

  603. 		LoginSource: sourceID,

  604. 		LoginName:   login,

  605. 		IsActive:    true,

  606. 	}

  607. 	return user, CreateUser(user)

  608. }

  609. 

  610. // ExternalUserLogin attempts a login using external source types.

  611. func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {

  612. 	if !source.IsActived {

  613. 		return nil, ErrLoginSourceNotActived

  614. 	}

  615. 

  616. 	switch source.Type {

  617. 	case LoginLDAP, LoginDLDAP:

  618. 		return LoginViaLDAP(user, login, password, source, autoRegister)

  619. 	case LoginSMTP:

  620. 		return LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)

  621. 	case LoginPAM:

  622. 		return LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)

  623. 	}

  624. 

  625. 	return nil, ErrUnsupportedLoginType

  626. }

  627. 

  628. // UserSignIn validates user name and password.

  629. func UserSignIn(username, password string) (*User, error) {

  630. 	var user *User

  631. 	if strings.Contains(username, "@") {

  632. 		user = &User{Email: strings.ToLower(strings.TrimSpace(username))}

  633. 		// check same email

  634. 		cnt, err := x.Count(user)

  635. 		if err != nil {

  636. 			return nil, err

  637. 		}

  638. 		if cnt > 1 {

  639. 			return nil, ErrEmailAlreadyUsed{

  640. 				Email: user.Email,

  641. 			}

  642. 		}

  643. 	} else {

  644. 		trimmedUsername := strings.TrimSpace(username)

  645. 		if len(trimmedUsername) == 0 {

  646. 			return nil, ErrUserNotExist{0, username, 0}

  647. 		}

  648. 

  649. 		user = &User{LowerName: strings.ToLower(trimmedUsername)}

  650. 	}

  651. 

  652. 	hasUser, err := x.Get(user)

  653. 	if err != nil {

  654. 		return nil, err

  655. 	}

  656. 

  657. 	if hasUser {

  658. 		switch user.LoginType {

  659. 		case LoginNoType, LoginPlain, LoginOAuth2:

  660. 			if user.ValidatePassword(password) {

  661. 				return user, nil

  662. 			}

  663. 

  664. 			return nil, ErrUserNotExist{user.ID, user.Name, 0}

  665. 

  666. 		default:

  667. 			var source LoginSource

  668. 			hasSource, err := x.Id(user.LoginSource).Get(&source)

  669. 			if err != nil {

  670. 				return nil, err

  671. 			} else if !hasSource {

  672. 				return nil, ErrLoginSourceNotExist{user.LoginSource}

  673. 			}

  674. 

  675. 			return ExternalUserLogin(user, user.LoginName, password, &source, false)

  676. 		}

  677. 	}

  678. 

  679. 	sources := make([]*LoginSource, 0, 5)

  680. 	if err = x.UseBool().Find(&sources, &LoginSource{IsActived: true}); err != nil {

  681. 		return nil, err

  682. 	}

  683. 

  684. 	for _, source := range sources {

  685. 		if source.IsOAuth2() {

  686. 			// don't try to authenticate against OAuth2 sources

  687. 			continue

  688. 		}

  689. 		authUser, err := ExternalUserLogin(nil, username, password, source, true)

  690. 		if err == nil {

  691. 			return authUser, nil

  692. 		}

  693. 

  694. 		log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)

  695. 	}

  696. 

  697. 	return nil, ErrUserNotExist{user.ID, user.Name, 0}

  698. }