mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7814 Commits
17 Branches
Tree: v1.11.7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'v1.11.7'
${ noResults }
gitea/cmd/admin_auth_ldap.go

admin_auth_ldap.go 10KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package cmd

  6. 

  7. import (

  8. 	"fmt"

  9. 	"strings"

  10. 

  11. 	"code.gitea.io/gitea/models"

  12. 	"code.gitea.io/gitea/modules/auth/ldap"

  13. 

  14. 	"github.com/urfave/cli"

  15. )

  16. 

  17. type (

  18. 	authService struct {

  19. 		initDB             func() error

  20. 		createLoginSource  func(loginSource *models.LoginSource) error

  21. 		updateLoginSource  func(loginSource *models.LoginSource) error

  22. 		getLoginSourceByID func(id int64) (*models.LoginSource, error)

  23. 	}

  24. )

  25. 

  26. var (

  27. 	commonLdapCLIFlags = []cli.Flag{

  28. 		cli.StringFlag{

  29. 			Name:  "name",

  30. 			Usage: "Authentication name.",

  31. 		},

  32. 		cli.BoolFlag{

  33. 			Name:  "not-active",

  34. 			Usage: "Deactivate the authentication source.",

  35. 		},

  36. 		cli.StringFlag{

  37. 			Name:  "security-protocol",

  38. 			Usage: "Security protocol name.",

  39. 		},

  40. 		cli.BoolFlag{

  41. 			Name:  "skip-tls-verify",

  42. 			Usage: "Disable TLS verification.",

  43. 		},

  44. 		cli.StringFlag{

  45. 			Name:  "host",

  46. 			Usage: "The address where the LDAP server can be reached.",

  47. 		},

  48. 		cli.IntFlag{

  49. 			Name:  "port",

  50. 			Usage: "The port to use when connecting to the LDAP server.",

  51. 		},

  52. 		cli.StringFlag{

  53. 			Name:  "user-search-base",

  54. 			Usage: "The LDAP base at which user accounts will be searched for.",

  55. 		},

  56. 		cli.StringFlag{

  57. 			Name:  "user-filter",

  58. 			Usage: "An LDAP filter declaring how to find the user record that is attempting to authenticate.",

  59. 		},

  60. 		cli.StringFlag{

  61. 			Name:  "admin-filter",

  62. 			Usage: "An LDAP filter specifying if a user should be given administrator privileges.",

  63. 		},

  64. 		cli.BoolFlag{

  65. 			Name:  "allow-deactivate-all",

  66. 			Usage: "Allow empty search results to deactivate all users.",

  67. 		},

  68. 		cli.StringFlag{

  69. 			Name:  "username-attribute",

  70. 			Usage: "The attribute of the user’s LDAP record containing the user name.",

  71. 		},

  72. 		cli.StringFlag{

  73. 			Name:  "firstname-attribute",

  74. 			Usage: "The attribute of the user’s LDAP record containing the user’s first name.",

  75. 		},

  76. 		cli.StringFlag{

  77. 			Name:  "surname-attribute",

  78. 			Usage: "The attribute of the user’s LDAP record containing the user’s surname.",

  79. 		},

  80. 		cli.StringFlag{

  81. 			Name:  "email-attribute",

  82. 			Usage: "The attribute of the user’s LDAP record containing the user’s email address.",

  83. 		},

  84. 		cli.StringFlag{

  85. 			Name:  "public-ssh-key-attribute",

  86. 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",

  87. 		},

  88. 	}

  89. 

  90. 	ldapBindDnCLIFlags = append(commonLdapCLIFlags,

  91. 		cli.StringFlag{

  92. 			Name:  "bind-dn",

  93. 			Usage: "The DN to bind to the LDAP server with when searching for the user.",

  94. 		},

  95. 		cli.StringFlag{

  96. 			Name:  "bind-password",

  97. 			Usage: "The password for the Bind DN, if any.",

  98. 		},

  99. 		cli.BoolFlag{

  100. 			Name:  "attributes-in-bind",

  101. 			Usage: "Fetch attributes in bind DN context.",

  102. 		},

  103. 		cli.BoolFlag{

  104. 			Name:  "synchronize-users",

  105. 			Usage: "Enable user synchronization.",

  106. 		},

  107. 		cli.UintFlag{

  108. 			Name:  "page-size",

  109. 			Usage: "Search page size.",

  110. 		})

  111. 

  112. 	ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,

  113. 		cli.StringFlag{

  114. 			Name:  "user-dn",

  115. 			Usage: "The user’s DN.",

  116. 		})

  117. 

  118. 	cmdAuthAddLdapBindDn = cli.Command{

  119. 		Name:  "add-ldap",

  120. 		Usage: "Add new LDAP (via Bind DN) authentication source",

  121. 		Action: func(c *cli.Context) error {

  122. 			return newAuthService().addLdapBindDn(c)

  123. 		},

  124. 		Flags: ldapBindDnCLIFlags,

  125. 	}

  126. 

  127. 	cmdAuthUpdateLdapBindDn = cli.Command{

  128. 		Name:  "update-ldap",

  129. 		Usage: "Update existing LDAP (via Bind DN) authentication source",

  130. 		Action: func(c *cli.Context) error {

  131. 			return newAuthService().updateLdapBindDn(c)

  132. 		},

  133. 		Flags: append([]cli.Flag{idFlag}, ldapBindDnCLIFlags...),

  134. 	}

  135. 

  136. 	cmdAuthAddLdapSimpleAuth = cli.Command{

  137. 		Name:  "add-ldap-simple",

  138. 		Usage: "Add new LDAP (simple auth) authentication source",

  139. 		Action: func(c *cli.Context) error {

  140. 			return newAuthService().addLdapSimpleAuth(c)

  141. 		},

  142. 		Flags: ldapSimpleAuthCLIFlags,

  143. 	}

  144. 

  145. 	cmdAuthUpdateLdapSimpleAuth = cli.Command{

  146. 		Name:  "update-ldap-simple",

  147. 		Usage: "Update existing LDAP (simple auth) authentication source",

  148. 		Action: func(c *cli.Context) error {

  149. 			return newAuthService().updateLdapSimpleAuth(c)

  150. 		},

  151. 		Flags: append([]cli.Flag{idFlag}, ldapSimpleAuthCLIFlags...),

  152. 	}

  153. )

  154. 

  155. // newAuthService creates a service with default functions.

  156. func newAuthService() *authService {

  157. 	return &authService{

  158. 		initDB:             initDB,

  159. 		createLoginSource:  models.CreateLoginSource,

  160. 		updateLoginSource:  models.UpdateSource,

  161. 		getLoginSourceByID: models.GetLoginSourceByID,

  162. 	}

  163. }

  164. 

  165. // parseLoginSource assigns values on loginSource according to command line flags.

  166. func parseLoginSource(c *cli.Context, loginSource *models.LoginSource) {

  167. 	if c.IsSet("name") {

  168. 		loginSource.Name = c.String("name")

  169. 	}

  170. 	if c.IsSet("not-active") {

  171. 		loginSource.IsActived = !c.Bool("not-active")

  172. 	}

  173. 	if c.IsSet("synchronize-users") {

  174. 		loginSource.IsSyncEnabled = c.Bool("synchronize-users")

  175. 	}

  176. }

  177. 

  178. // parseLdapConfig assigns values on config according to command line flags.

  179. func parseLdapConfig(c *cli.Context, config *models.LDAPConfig) error {

  180. 	if c.IsSet("name") {

  181. 		config.Source.Name = c.String("name")

  182. 	}

  183. 	if c.IsSet("host") {

  184. 		config.Source.Host = c.String("host")

  185. 	}

  186. 	if c.IsSet("port") {

  187. 		config.Source.Port = c.Int("port")

  188. 	}

  189. 	if c.IsSet("security-protocol") {

  190. 		p, ok := findLdapSecurityProtocolByName(c.String("security-protocol"))

  191. 		if !ok {

  192. 			return fmt.Errorf("Unknown security protocol name: %s", c.String("security-protocol"))

  193. 		}

  194. 		config.Source.SecurityProtocol = p

  195. 	}

  196. 	if c.IsSet("skip-tls-verify") {

  197. 		config.Source.SkipVerify = c.Bool("skip-tls-verify")

  198. 	}

  199. 	if c.IsSet("bind-dn") {

  200. 		config.Source.BindDN = c.String("bind-dn")

  201. 	}

  202. 	if c.IsSet("user-dn") {

  203. 		config.Source.UserDN = c.String("user-dn")

  204. 	}

  205. 	if c.IsSet("bind-password") {

  206. 		config.Source.BindPassword = c.String("bind-password")

  207. 	}

  208. 	if c.IsSet("user-search-base") {

  209. 		config.Source.UserBase = c.String("user-search-base")

  210. 	}

  211. 	if c.IsSet("username-attribute") {

  212. 		config.Source.AttributeUsername = c.String("username-attribute")

  213. 	}

  214. 	if c.IsSet("firstname-attribute") {

  215. 		config.Source.AttributeName = c.String("firstname-attribute")

  216. 	}

  217. 	if c.IsSet("surname-attribute") {

  218. 		config.Source.AttributeSurname = c.String("surname-attribute")

  219. 	}

  220. 	if c.IsSet("email-attribute") {

  221. 		config.Source.AttributeMail = c.String("email-attribute")

  222. 	}

  223. 	if c.IsSet("attributes-in-bind") {

  224. 		config.Source.AttributesInBind = c.Bool("attributes-in-bind")

  225. 	}

  226. 	if c.IsSet("public-ssh-key-attribute") {

  227. 		config.Source.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")

  228. 	}

  229. 	if c.IsSet("page-size") {

  230. 		config.Source.SearchPageSize = uint32(c.Uint("page-size"))

  231. 	}

  232. 	if c.IsSet("user-filter") {

  233. 		config.Source.Filter = c.String("user-filter")

  234. 	}

  235. 	if c.IsSet("admin-filter") {

  236. 		config.Source.AdminFilter = c.String("admin-filter")

  237. 	}

  238. 	if c.IsSet("allow-deactivate-all") {

  239. 		config.Source.AllowDeactivateAll = c.Bool("allow-deactivate-all")

  240. 	}

  241. 	return nil

  242. }

  243. 

  244. // findLdapSecurityProtocolByName finds security protocol by its name ignoring case.

  245. // It returns the value of the security protocol and if it was found.

  246. func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) {

  247. 	for i, n := range models.SecurityProtocolNames {

  248. 		if strings.EqualFold(name, n) {

  249. 			return i, true

  250. 		}

  251. 	}

  252. 	return 0, false

  253. }

  254. 

  255. // getLoginSource gets the login source by its id defined in the command line flags.

  256. // It returns an error if the id is not set, does not match any source or if the source is not of expected type.

  257. func (a *authService) getLoginSource(c *cli.Context, loginType models.LoginType) (*models.LoginSource, error) {

  258. 	if err := argsSet(c, "id"); err != nil {

  259. 		return nil, err

  260. 	}

  261. 

  262. 	loginSource, err := a.getLoginSourceByID(c.Int64("id"))

  263. 	if err != nil {

  264. 		return nil, err

  265. 	}

  266. 

  267. 	if loginSource.Type != loginType {

  268. 		return nil, fmt.Errorf("Invalid authentication type. expected: %s, actual: %s", models.LoginNames[loginType], models.LoginNames[loginSource.Type])

  269. 	}

  270. 

  271. 	return loginSource, nil

  272. }

  273. 

  274. // addLdapBindDn adds a new LDAP via Bind DN authentication source.

  275. func (a *authService) addLdapBindDn(c *cli.Context) error {

  276. 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-search-base", "user-filter", "email-attribute"); err != nil {

  277. 		return err

  278. 	}

  279. 

  280. 	if err := a.initDB(); err != nil {

  281. 		return err

  282. 	}

  283. 

  284. 	loginSource := &models.LoginSource{

  285. 		Type:      models.LoginLDAP,

  286. 		IsActived: true, // active by default

  287. 		Cfg: &models.LDAPConfig{

  288. 			Source: &ldap.Source{

  289. 				Enabled: true, // always true

  290. 			},

  291. 		},

  292. 	}

  293. 

  294. 	parseLoginSource(c, loginSource)

  295. 	if err := parseLdapConfig(c, loginSource.LDAP()); err != nil {

  296. 		return err

  297. 	}

  298. 

  299. 	return a.createLoginSource(loginSource)

  300. }

  301. 

  302. // updateLdapBindDn updates a new LDAP via Bind DN authentication source.

  303. func (a *authService) updateLdapBindDn(c *cli.Context) error {

  304. 	if err := a.initDB(); err != nil {

  305. 		return err

  306. 	}

  307. 

  308. 	loginSource, err := a.getLoginSource(c, models.LoginLDAP)

  309. 	if err != nil {

  310. 		return err

  311. 	}

  312. 

  313. 	parseLoginSource(c, loginSource)

  314. 	if err := parseLdapConfig(c, loginSource.LDAP()); err != nil {

  315. 		return err

  316. 	}

  317. 

  318. 	return a.updateLoginSource(loginSource)

  319. }

  320. 

  321. // addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.

  322. func (a *authService) addLdapSimpleAuth(c *cli.Context) error {

  323. 	if err := argsSet(c, "name", "security-protocol", "host", "port", "user-dn", "user-filter", "email-attribute"); err != nil {

  324. 		return err

  325. 	}

  326. 

  327. 	if err := a.initDB(); err != nil {

  328. 		return err

  329. 	}

  330. 

  331. 	loginSource := &models.LoginSource{

  332. 		Type:      models.LoginDLDAP,

  333. 		IsActived: true, // active by default

  334. 		Cfg: &models.LDAPConfig{

  335. 			Source: &ldap.Source{

  336. 				Enabled: true, // always true

  337. 			},

  338. 		},

  339. 	}

  340. 

  341. 	parseLoginSource(c, loginSource)

  342. 	if err := parseLdapConfig(c, loginSource.LDAP()); err != nil {

  343. 		return err

  344. 	}

  345. 

  346. 	return a.createLoginSource(loginSource)

  347. }

  348. 

  349. // updateLdapBindDn updates a new LDAP (simple auth) authentication source.

  350. func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {

  351. 	if err := a.initDB(); err != nil {

  352. 		return err

  353. 	}

  354. 

  355. 	loginSource, err := a.getLoginSource(c, models.LoginDLDAP)

  356. 	if err != nil {

  357. 		return err

  358. 	}

  359. 

  360. 	parseLoginSource(c, loginSource)

  361. 	if err := parseLdapConfig(c, loginSource.LDAP()); err != nil {

  362. 		return err

  363. 	}

  364. 

  365. 	return a.updateLoginSource(loginSource)

  366. }