mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10355 Commits
17 Branches
Tree: v1.12.0-rc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'v1.12.0-rc'
${ noResults }
gitea/routers/user/auth_openid.go

auth_openid.go 14KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user

  6. 

  7. import (

  8. 	"fmt"

  9. 	"net/url"

  10. 

  11. 	"code.gitea.io/gitea/models"

  12. 	"code.gitea.io/gitea/modules/auth"

  13. 	"code.gitea.io/gitea/modules/auth/openid"

  14. 	"code.gitea.io/gitea/modules/base"

  15. 	"code.gitea.io/gitea/modules/context"

  16. 	"code.gitea.io/gitea/modules/generate"

  17. 	"code.gitea.io/gitea/modules/log"

  18. 	"code.gitea.io/gitea/modules/recaptcha"

  19. 	"code.gitea.io/gitea/modules/setting"

  20. 	"code.gitea.io/gitea/modules/timeutil"

  21. 	"code.gitea.io/gitea/services/mailer"

  22. 

  23. 	"gitea.com/macaron/captcha"

  24. )

  25. 

  26. const (

  27. 	tplSignInOpenID base.TplName = "user/auth/signin_openid"

  28. 	tplConnectOID   base.TplName = "user/auth/signup_openid_connect"

  29. 	tplSignUpOID    base.TplName = "user/auth/signup_openid_register"

  30. )

  31. 

  32. // SignInOpenID render sign in page

  33. func SignInOpenID(ctx *context.Context) {

  34. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  35. 

  36. 	if ctx.Query("openid.return_to") != "" {

  37. 		signInOpenIDVerify(ctx)

  38. 		return

  39. 	}

  40. 

  41. 	// Check auto-login.

  42. 	isSucceed, err := AutoSignIn(ctx)

  43. 	if err != nil {

  44. 		ctx.ServerError("AutoSignIn", err)

  45. 		return

  46. 	}

  47. 

  48. 	redirectTo := ctx.Query("redirect_to")

  49. 	if len(redirectTo) > 0 {

  50. 		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)

  51. 	} else {

  52. 		redirectTo = ctx.GetCookie("redirect_to")

  53. 	}

  54. 

  55. 	if isSucceed {

  56. 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)

  57. 		ctx.RedirectToFirst(redirectTo)

  58. 		return

  59. 	}

  60. 

  61. 	ctx.Data["PageIsSignIn"] = true

  62. 	ctx.Data["PageIsLoginOpenID"] = true

  63. 	ctx.HTML(200, tplSignInOpenID)

  64. }

  65. 

  66. // Check if the given OpenID URI is allowed by blacklist/whitelist

  67. func allowedOpenIDURI(uri string) (err error) {

  68. 

  69. 	// In case a Whitelist is present, URI must be in it

  70. 	// in order to be accepted

  71. 	if len(setting.Service.OpenIDWhitelist) != 0 {

  72. 		for _, pat := range setting.Service.OpenIDWhitelist {

  73. 			if pat.MatchString(uri) {

  74. 				return nil // pass

  75. 			}

  76. 		}

  77. 		// must match one of this or be refused

  78. 		return fmt.Errorf("URI not allowed by whitelist")

  79. 	}

  80. 

  81. 	// A blacklist match expliclty forbids

  82. 	for _, pat := range setting.Service.OpenIDBlacklist {

  83. 		if pat.MatchString(uri) {

  84. 			return fmt.Errorf("URI forbidden by blacklist")

  85. 		}

  86. 	}

  87. 

  88. 	return nil

  89. }

  90. 

  91. // SignInOpenIDPost response for openid sign in request

  92. func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {

  93. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  94. 	ctx.Data["PageIsSignIn"] = true

  95. 	ctx.Data["PageIsLoginOpenID"] = true

  96. 

  97. 	if ctx.HasError() {

  98. 		ctx.HTML(200, tplSignInOpenID)

  99. 		return

  100. 	}

  101. 

  102. 	id, err := openid.Normalize(form.Openid)

  103. 	if err != nil {

  104. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)

  105. 		return

  106. 	}

  107. 	form.Openid = id

  108. 

  109. 	log.Trace("OpenID uri: " + id)

  110. 

  111. 	err = allowedOpenIDURI(id)

  112. 	if err != nil {

  113. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)

  114. 		return

  115. 	}

  116. 

  117. 	redirectTo := setting.AppURL + "user/login/openid"

  118. 	url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)

  119. 	if err != nil {

  120. 		log.Error("Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())

  121. 		ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)

  122. 		return

  123. 	}

  124. 

  125. 	// Request optional nickname and email info

  126. 	// NOTE: change to `openid.sreg.required` to require it

  127. 	url += "&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1"

  128. 	url += "&openid.sreg.optional=nickname%2Cemail"

  129. 

  130. 	log.Trace("Form-passed openid-remember: %t", form.Remember)

  131. 

  132. 	if err := ctx.Session.Set("openid_signin_remember", form.Remember); err != nil {

  133. 		log.Error("SignInOpenIDPost: Could not set openid_signin_remember in session: %v", err)

  134. 	}

  135. 	if err := ctx.Session.Release(); err != nil {

  136. 		log.Error("SignInOpenIDPost: Unable to save changes to the session: %v", err)

  137. 	}

  138. 

  139. 	ctx.Redirect(url)

  140. }

  141. 

  142. // signInOpenIDVerify handles response from OpenID provider

  143. func signInOpenIDVerify(ctx *context.Context) {

  144. 

  145. 	log.Trace("Incoming call to: " + ctx.Req.Request.URL.String())

  146. 

  147. 	fullURL := setting.AppURL + ctx.Req.Request.URL.String()[1:]

  148. 	log.Trace("Full URL: " + fullURL)

  149. 

  150. 	var id, err = openid.Verify(fullURL)

  151. 	if err != nil {

  152. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  153. 			Openid: id,

  154. 		})

  155. 		return

  156. 	}

  157. 

  158. 	log.Trace("Verified ID: " + id)

  159. 

  160. 	/* Now we should seek for the user and log him in, or prompt

  161. 	 * to register if not found */

  162. 

  163. 	u, err := models.GetUserByOpenID(id)

  164. 	if err != nil {

  165. 		if !models.IsErrUserNotExist(err) {

  166. 			ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  167. 				Openid: id,

  168. 			})

  169. 			return

  170. 		}

  171. 		log.Error("signInOpenIDVerify: %v", err)

  172. 	}

  173. 	if u != nil {

  174. 		log.Trace("User exists, logging in")

  175. 		remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  176. 		log.Trace("Session stored openid-remember: %t", remember)

  177. 		handleSignIn(ctx, u, remember)

  178. 		return

  179. 	}

  180. 

  181. 	log.Trace("User with openid " + id + " does not exist, should connect or register")

  182. 

  183. 	parsedURL, err := url.Parse(fullURL)

  184. 	if err != nil {

  185. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  186. 			Openid: id,

  187. 		})

  188. 		return

  189. 	}

  190. 	values, err := url.ParseQuery(parsedURL.RawQuery)

  191. 	if err != nil {

  192. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  193. 			Openid: id,

  194. 		})

  195. 		return

  196. 	}

  197. 	email := values.Get("openid.sreg.email")

  198. 	nickname := values.Get("openid.sreg.nickname")

  199. 

  200. 	log.Trace("User has email=" + email + " and nickname=" + nickname)

  201. 

  202. 	if email != "" {

  203. 		u, err = models.GetUserByEmail(email)

  204. 		if err != nil {

  205. 			if !models.IsErrUserNotExist(err) {

  206. 				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  207. 					Openid: id,

  208. 				})

  209. 				return

  210. 			}

  211. 			log.Error("signInOpenIDVerify: %v", err)

  212. 		}

  213. 		if u != nil {

  214. 			log.Trace("Local user " + u.LowerName + " has OpenID provided email " + email)

  215. 		}

  216. 	}

  217. 

  218. 	if u == nil && nickname != "" {

  219. 		u, _ = models.GetUserByName(nickname)

  220. 		if err != nil {

  221. 			if !models.IsErrUserNotExist(err) {

  222. 				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  223. 					Openid: id,

  224. 				})

  225. 				return

  226. 			}

  227. 		}

  228. 		if u != nil {

  229. 			log.Trace("Local user " + u.LowerName + " has OpenID provided nickname " + nickname)

  230. 		}

  231. 	}

  232. 

  233. 	if err := ctx.Session.Set("openid_verified_uri", id); err != nil {

  234. 		log.Error("signInOpenIDVerify: Could not set openid_verified_uri in session: %v", err)

  235. 	}

  236. 	if err := ctx.Session.Set("openid_determined_email", email); err != nil {

  237. 		log.Error("signInOpenIDVerify: Could not set openid_determined_email in session: %v", err)

  238. 	}

  239. 

  240. 	if u != nil {

  241. 		nickname = u.LowerName

  242. 	}

  243. 

  244. 	if err := ctx.Session.Set("openid_determined_username", nickname); err != nil {

  245. 		log.Error("signInOpenIDVerify: Could not set openid_determined_username in session: %v", err)

  246. 	}

  247. 	if err := ctx.Session.Release(); err != nil {

  248. 		log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)

  249. 	}

  250. 

  251. 	if u != nil || !setting.Service.EnableOpenIDSignUp {

  252. 		ctx.Redirect(setting.AppSubURL + "/user/openid/connect")

  253. 	} else {

  254. 		ctx.Redirect(setting.AppSubURL + "/user/openid/register")

  255. 	}

  256. }

  257. 

  258. // ConnectOpenID shows a form to connect an OpenID URI to an existing account

  259. func ConnectOpenID(ctx *context.Context) {

  260. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  261. 	if oid == "" {

  262. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  263. 		return

  264. 	}

  265. 	ctx.Data["Title"] = "OpenID connect"

  266. 	ctx.Data["PageIsSignIn"] = true

  267. 	ctx.Data["PageIsOpenIDConnect"] = true

  268. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  269. 	ctx.Data["OpenID"] = oid

  270. 	userName, _ := ctx.Session.Get("openid_determined_username").(string)

  271. 	if userName != "" {

  272. 		ctx.Data["user_name"] = userName

  273. 	}

  274. 	ctx.HTML(200, tplConnectOID)

  275. }

  276. 

  277. // ConnectOpenIDPost handles submission of a form to connect an OpenID URI to an existing account

  278. func ConnectOpenIDPost(ctx *context.Context, form auth.ConnectOpenIDForm) {

  279. 

  280. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  281. 	if oid == "" {

  282. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  283. 		return

  284. 	}

  285. 	ctx.Data["Title"] = "OpenID connect"

  286. 	ctx.Data["PageIsSignIn"] = true

  287. 	ctx.Data["PageIsOpenIDConnect"] = true

  288. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  289. 	ctx.Data["OpenID"] = oid

  290. 

  291. 	u, err := models.UserSignIn(form.UserName, form.Password)

  292. 	if err != nil {

  293. 		if models.IsErrUserNotExist(err) {

  294. 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)

  295. 		} else {

  296. 			ctx.ServerError("ConnectOpenIDPost", err)

  297. 		}

  298. 		return

  299. 	}

  300. 

  301. 	// add OpenID for the user

  302. 	userOID := &models.UserOpenID{UID: u.ID, URI: oid}

  303. 	if err = models.AddUserOpenID(userOID); err != nil {

  304. 		if models.IsErrOpenIDAlreadyUsed(err) {

  305. 			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplConnectOID, &form)

  306. 			return

  307. 		}

  308. 		ctx.ServerError("AddUserOpenID", err)

  309. 		return

  310. 	}

  311. 

  312. 	ctx.Flash.Success(ctx.Tr("settings.add_openid_success"))

  313. 

  314. 	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  315. 	log.Trace("Session stored openid-remember: %t", remember)

  316. 	handleSignIn(ctx, u, remember)

  317. }

  318. 

  319. // RegisterOpenID shows a form to create a new user authenticated via an OpenID URI

  320. func RegisterOpenID(ctx *context.Context) {

  321. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  322. 	if oid == "" {

  323. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  324. 		return

  325. 	}

  326. 	ctx.Data["Title"] = "OpenID signup"

  327. 	ctx.Data["PageIsSignIn"] = true

  328. 	ctx.Data["PageIsOpenIDRegister"] = true

  329. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  330. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  331. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  332. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  333. 	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL

  334. 	ctx.Data["OpenID"] = oid

  335. 	userName, _ := ctx.Session.Get("openid_determined_username").(string)

  336. 	if userName != "" {

  337. 		ctx.Data["user_name"] = userName

  338. 	}

  339. 	email, _ := ctx.Session.Get("openid_determined_email").(string)

  340. 	if email != "" {

  341. 		ctx.Data["email"] = email

  342. 	}

  343. 	ctx.HTML(200, tplSignUpOID)

  344. }

  345. 

  346. // RegisterOpenIDPost handles submission of a form to create a new user authenticated via an OpenID URI

  347. func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.SignUpOpenIDForm) {

  348. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  349. 	if oid == "" {

  350. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  351. 		return

  352. 	}

  353. 

  354. 	ctx.Data["Title"] = "OpenID signup"

  355. 	ctx.Data["PageIsSignIn"] = true

  356. 	ctx.Data["PageIsOpenIDRegister"] = true

  357. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  358. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  359. 	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL

  360. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  361. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  362. 	ctx.Data["OpenID"] = oid

  363. 

  364. 	if setting.Service.EnableCaptcha {

  365. 		var valid bool

  366. 		switch setting.Service.CaptchaType {

  367. 		case setting.ImageCaptcha:

  368. 			valid = cpt.VerifyReq(ctx.Req)

  369. 		case setting.ReCaptcha:

  370. 			err := ctx.Req.ParseForm()

  371. 			if err != nil {

  372. 				ctx.ServerError("", err)

  373. 				return

  374. 			}

  375. 			valid, _ = recaptcha.Verify(form.GRecaptchaResponse)

  376. 		default:

  377. 			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))

  378. 			return

  379. 		}

  380. 

  381. 		if !valid {

  382. 			ctx.Data["Err_Captcha"] = true

  383. 			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUpOID, &form)

  384. 			return

  385. 		}

  386. 	}

  387. 

  388. 	length := setting.MinPasswordLength

  389. 	if length < 256 {

  390. 		length = 256

  391. 	}

  392. 	password, err := generate.GetRandomString(length)

  393. 	if err != nil {

  394. 		ctx.RenderWithErr(err.Error(), tplSignUpOID, form)

  395. 		return

  396. 	}

  397. 

  398. 	// TODO: abstract a finalizeSignUp function ?

  399. 	u := &models.User{

  400. 		Name:     form.UserName,

  401. 		Email:    form.Email,

  402. 		Passwd:   password,

  403. 		IsActive: !setting.Service.RegisterEmailConfirm,

  404. 	}

  405. 	//nolint: dupl

  406. 	if err := models.CreateUser(u); err != nil {

  407. 		switch {

  408. 		case models.IsErrUserAlreadyExist(err):

  409. 			ctx.Data["Err_UserName"] = true

  410. 			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplSignUpOID, &form)

  411. 		case models.IsErrEmailAlreadyUsed(err):

  412. 			ctx.Data["Err_Email"] = true

  413. 			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignUpOID, &form)

  414. 		case models.IsErrNameReserved(err):

  415. 			ctx.Data["Err_UserName"] = true

  416. 			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplSignUpOID, &form)

  417. 		case models.IsErrNamePatternNotAllowed(err):

  418. 			ctx.Data["Err_UserName"] = true

  419. 			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplSignUpOID, &form)

  420. 		case models.IsErrNameCharsNotAllowed(err):

  421. 			ctx.Data["Err_UserName"] = true

  422. 			ctx.RenderWithErr(ctx.Tr("user.form.name_chars_not_allowed", err.(models.ErrNameCharsNotAllowed).Name), tplSignUpOID, &form)

  423. 		default:

  424. 			ctx.ServerError("CreateUser", err)

  425. 		}

  426. 		return

  427. 	}

  428. 	log.Trace("Account created: %s", u.Name)

  429. 

  430. 	// add OpenID for the user

  431. 	userOID := &models.UserOpenID{UID: u.ID, URI: oid}

  432. 	if err = models.AddUserOpenID(userOID); err != nil {

  433. 		if models.IsErrOpenIDAlreadyUsed(err) {

  434. 			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplSignUpOID, &form)

  435. 			return

  436. 		}

  437. 		ctx.ServerError("AddUserOpenID", err)

  438. 		return

  439. 	}

  440. 

  441. 	// Auto-set admin for the only user.

  442. 	if models.CountUsers() == 1 {

  443. 		u.IsAdmin = true

  444. 		u.IsActive = true

  445. 		u.SetLastLogin()

  446. 		if err := models.UpdateUserCols(u, "is_admin", "is_active", "last_login_unix"); err != nil {

  447. 			ctx.ServerError("UpdateUser", err)

  448. 			return

  449. 		}

  450. 	}

  451. 

  452. 	// Send confirmation email, no need for social account.

  453. 	if setting.Service.RegisterEmailConfirm && u.ID > 1 {

  454. 		mailer.SendActivateAccountMail(ctx.Locale, u)

  455. 

  456. 		ctx.Data["IsSendRegisterMail"] = true

  457. 		ctx.Data["Email"] = u.Email

  458. 		ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())

  459. 		ctx.HTML(200, TplActivate)

  460. 

  461. 		if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {

  462. 			log.Error("Set cache(MailResendLimit) fail: %v", err)

  463. 		}

  464. 		return

  465. 	}

  466. 

  467. 	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  468. 	log.Trace("Session stored openid-remember: %t", remember)

  469. 	handleSignIn(ctx, u, remember)

  470. }