mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10380 Commits
17 Branches
Tree: v1.22.0-rc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'v1.22.0-rc'
${ noResults }
gitea/cmd/admin_auth_oauth.go

admin_auth_oauth.go 8.0KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298 
  1. // Copyright 2023 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package cmd

  5. 

  6. import (

  7. 	"fmt"

  8. 	"net/url"

  9. 

  10. 	auth_model "code.gitea.io/gitea/models/auth"

  11. 	"code.gitea.io/gitea/services/auth/source/oauth2"

  12. 

  13. 	"github.com/urfave/cli/v2"

  14. )

  15. 

  16. var (

  17. 	oauthCLIFlags = []cli.Flag{

  18. 		&cli.StringFlag{

  19. 			Name:  "name",

  20. 			Value: "",

  21. 			Usage: "Application Name",

  22. 		},

  23. 		&cli.StringFlag{

  24. 			Name:  "provider",

  25. 			Value: "",

  26. 			Usage: "OAuth2 Provider",

  27. 		},

  28. 		&cli.StringFlag{

  29. 			Name:  "key",

  30. 			Value: "",

  31. 			Usage: "Client ID (Key)",

  32. 		},

  33. 		&cli.StringFlag{

  34. 			Name:  "secret",

  35. 			Value: "",

  36. 			Usage: "Client Secret",

  37. 		},

  38. 		&cli.StringFlag{

  39. 			Name:  "auto-discover-url",

  40. 			Value: "",

  41. 			Usage: "OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider)",

  42. 		},

  43. 		&cli.StringFlag{

  44. 			Name:  "use-custom-urls",

  45. 			Value: "false",

  46. 			Usage: "Use custom URLs for GitLab/GitHub OAuth endpoints",

  47. 		},

  48. 		&cli.StringFlag{

  49. 			Name:  "custom-tenant-id",

  50. 			Value: "",

  51. 			Usage: "Use custom Tenant ID for OAuth endpoints",

  52. 		},

  53. 		&cli.StringFlag{

  54. 			Name:  "custom-auth-url",

  55. 			Value: "",

  56. 			Usage: "Use a custom Authorization URL (option for GitLab/GitHub)",

  57. 		},

  58. 		&cli.StringFlag{

  59. 			Name:  "custom-token-url",

  60. 			Value: "",

  61. 			Usage: "Use a custom Token URL (option for GitLab/GitHub)",

  62. 		},

  63. 		&cli.StringFlag{

  64. 			Name:  "custom-profile-url",

  65. 			Value: "",

  66. 			Usage: "Use a custom Profile URL (option for GitLab/GitHub)",

  67. 		},

  68. 		&cli.StringFlag{

  69. 			Name:  "custom-email-url",

  70. 			Value: "",

  71. 			Usage: "Use a custom Email URL (option for GitHub)",

  72. 		},

  73. 		&cli.StringFlag{

  74. 			Name:  "icon-url",

  75. 			Value: "",

  76. 			Usage: "Custom icon URL for OAuth2 login source",

  77. 		},

  78. 		&cli.BoolFlag{

  79. 			Name:  "skip-local-2fa",

  80. 			Usage: "Set to true to skip local 2fa for users authenticated by this source",

  81. 		},

  82. 		&cli.StringSliceFlag{

  83. 			Name:  "scopes",

  84. 			Value: nil,

  85. 			Usage: "Scopes to request when to authenticate against this OAuth2 source",

  86. 		},

  87. 		&cli.StringFlag{

  88. 			Name:  "required-claim-name",

  89. 			Value: "",

  90. 			Usage: "Claim name that has to be set to allow users to login with this source",

  91. 		},

  92. 		&cli.StringFlag{

  93. 			Name:  "required-claim-value",

  94. 			Value: "",

  95. 			Usage: "Claim value that has to be set to allow users to login with this source",

  96. 		},

  97. 		&cli.StringFlag{

  98. 			Name:  "group-claim-name",

  99. 			Value: "",

  100. 			Usage: "Claim name providing group names for this source",

  101. 		},

  102. 		&cli.StringFlag{

  103. 			Name:  "admin-group",

  104. 			Value: "",

  105. 			Usage: "Group Claim value for administrator users",

  106. 		},

  107. 		&cli.StringFlag{

  108. 			Name:  "restricted-group",

  109. 			Value: "",

  110. 			Usage: "Group Claim value for restricted users",

  111. 		},

  112. 		&cli.StringFlag{

  113. 			Name:  "group-team-map",

  114. 			Value: "",

  115. 			Usage: "JSON mapping between groups and org teams",

  116. 		},

  117. 		&cli.BoolFlag{

  118. 			Name:  "group-team-map-removal",

  119. 			Usage: "Activate automatic team membership removal depending on groups",

  120. 		},

  121. 	}

  122. 

  123. 	microcmdAuthAddOauth = &cli.Command{

  124. 		Name:   "add-oauth",

  125. 		Usage:  "Add new Oauth authentication source",

  126. 		Action: runAddOauth,

  127. 		Flags:  oauthCLIFlags,

  128. 	}

  129. 

  130. 	microcmdAuthUpdateOauth = &cli.Command{

  131. 		Name:   "update-oauth",

  132. 		Usage:  "Update existing Oauth authentication source",

  133. 		Action: runUpdateOauth,

  134. 		Flags:  append(oauthCLIFlags[:1], append([]cli.Flag{idFlag}, oauthCLIFlags[1:]...)...),

  135. 	}

  136. )

  137. 

  138. func parseOAuth2Config(c *cli.Context) *oauth2.Source {

  139. 	var customURLMapping *oauth2.CustomURLMapping

  140. 	if c.IsSet("use-custom-urls") {

  141. 		customURLMapping = &oauth2.CustomURLMapping{

  142. 			TokenURL:   c.String("custom-token-url"),

  143. 			AuthURL:    c.String("custom-auth-url"),

  144. 			ProfileURL: c.String("custom-profile-url"),

  145. 			EmailURL:   c.String("custom-email-url"),

  146. 			Tenant:     c.String("custom-tenant-id"),

  147. 		}

  148. 	} else {

  149. 		customURLMapping = nil

  150. 	}

  151. 	return &oauth2.Source{

  152. 		Provider:                      c.String("provider"),

  153. 		ClientID:                      c.String("key"),

  154. 		ClientSecret:                  c.String("secret"),

  155. 		OpenIDConnectAutoDiscoveryURL: c.String("auto-discover-url"),

  156. 		CustomURLMapping:              customURLMapping,

  157. 		IconURL:                       c.String("icon-url"),

  158. 		SkipLocalTwoFA:                c.Bool("skip-local-2fa"),

  159. 		Scopes:                        c.StringSlice("scopes"),

  160. 		RequiredClaimName:             c.String("required-claim-name"),

  161. 		RequiredClaimValue:            c.String("required-claim-value"),

  162. 		GroupClaimName:                c.String("group-claim-name"),

  163. 		AdminGroup:                    c.String("admin-group"),

  164. 		RestrictedGroup:               c.String("restricted-group"),

  165. 		GroupTeamMap:                  c.String("group-team-map"),

  166. 		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),

  167. 	}

  168. }

  169. 

  170. func runAddOauth(c *cli.Context) error {

  171. 	ctx, cancel := installSignals()

  172. 	defer cancel()

  173. 

  174. 	if err := initDB(ctx); err != nil {

  175. 		return err

  176. 	}

  177. 

  178. 	config := parseOAuth2Config(c)

  179. 	if config.Provider == "openidConnect" {

  180. 		discoveryURL, err := url.Parse(config.OpenIDConnectAutoDiscoveryURL)

  181. 		if err != nil || (discoveryURL.Scheme != "http" && discoveryURL.Scheme != "https") {

  182. 			return fmt.Errorf("invalid Auto Discovery URL: %s (this must be a valid URL starting with http:// or https://)", config.OpenIDConnectAutoDiscoveryURL)

  183. 		}

  184. 	}

  185. 

  186. 	return auth_model.CreateSource(ctx, &auth_model.Source{

  187. 		Type:     auth_model.OAuth2,

  188. 		Name:     c.String("name"),

  189. 		IsActive: true,

  190. 		Cfg:      config,

  191. 	})

  192. }

  193. 

  194. func runUpdateOauth(c *cli.Context) error {

  195. 	if !c.IsSet("id") {

  196. 		return fmt.Errorf("--id flag is missing")

  197. 	}

  198. 

  199. 	ctx, cancel := installSignals()

  200. 	defer cancel()

  201. 

  202. 	if err := initDB(ctx); err != nil {

  203. 		return err

  204. 	}

  205. 

  206. 	source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))

  207. 	if err != nil {

  208. 		return err

  209. 	}

  210. 

  211. 	oAuth2Config := source.Cfg.(*oauth2.Source)

  212. 

  213. 	if c.IsSet("name") {

  214. 		source.Name = c.String("name")

  215. 	}

  216. 

  217. 	if c.IsSet("provider") {

  218. 		oAuth2Config.Provider = c.String("provider")

  219. 	}

  220. 

  221. 	if c.IsSet("key") {

  222. 		oAuth2Config.ClientID = c.String("key")

  223. 	}

  224. 

  225. 	if c.IsSet("secret") {

  226. 		oAuth2Config.ClientSecret = c.String("secret")

  227. 	}

  228. 

  229. 	if c.IsSet("auto-discover-url") {

  230. 		oAuth2Config.OpenIDConnectAutoDiscoveryURL = c.String("auto-discover-url")

  231. 	}

  232. 

  233. 	if c.IsSet("icon-url") {

  234. 		oAuth2Config.IconURL = c.String("icon-url")

  235. 	}

  236. 

  237. 	if c.IsSet("scopes") {

  238. 		oAuth2Config.Scopes = c.StringSlice("scopes")

  239. 	}

  240. 

  241. 	if c.IsSet("required-claim-name") {

  242. 		oAuth2Config.RequiredClaimName = c.String("required-claim-name")

  243. 	}

  244. 	if c.IsSet("required-claim-value") {

  245. 		oAuth2Config.RequiredClaimValue = c.String("required-claim-value")

  246. 	}

  247. 

  248. 	if c.IsSet("group-claim-name") {

  249. 		oAuth2Config.GroupClaimName = c.String("group-claim-name")

  250. 	}

  251. 	if c.IsSet("admin-group") {

  252. 		oAuth2Config.AdminGroup = c.String("admin-group")

  253. 	}

  254. 	if c.IsSet("restricted-group") {

  255. 		oAuth2Config.RestrictedGroup = c.String("restricted-group")

  256. 	}

  257. 	if c.IsSet("group-team-map") {

  258. 		oAuth2Config.GroupTeamMap = c.String("group-team-map")

  259. 	}

  260. 	if c.IsSet("group-team-map-removal") {

  261. 		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")

  262. 	}

  263. 

  264. 	// update custom URL mapping

  265. 	customURLMapping := &oauth2.CustomURLMapping{}

  266. 

  267. 	if oAuth2Config.CustomURLMapping != nil {

  268. 		customURLMapping.TokenURL = oAuth2Config.CustomURLMapping.TokenURL

  269. 		customURLMapping.AuthURL = oAuth2Config.CustomURLMapping.AuthURL

  270. 		customURLMapping.ProfileURL = oAuth2Config.CustomURLMapping.ProfileURL

  271. 		customURLMapping.EmailURL = oAuth2Config.CustomURLMapping.EmailURL

  272. 		customURLMapping.Tenant = oAuth2Config.CustomURLMapping.Tenant

  273. 	}

  274. 	if c.IsSet("use-custom-urls") && c.IsSet("custom-token-url") {

  275. 		customURLMapping.TokenURL = c.String("custom-token-url")

  276. 	}

  277. 

  278. 	if c.IsSet("use-custom-urls") && c.IsSet("custom-auth-url") {

  279. 		customURLMapping.AuthURL = c.String("custom-auth-url")

  280. 	}

  281. 

  282. 	if c.IsSet("use-custom-urls") && c.IsSet("custom-profile-url") {

  283. 		customURLMapping.ProfileURL = c.String("custom-profile-url")

  284. 	}

  285. 

  286. 	if c.IsSet("use-custom-urls") && c.IsSet("custom-email-url") {

  287. 		customURLMapping.EmailURL = c.String("custom-email-url")

  288. 	}

  289. 

  290. 	if c.IsSet("use-custom-urls") && c.IsSet("custom-tenant-id") {

  291. 		customURLMapping.Tenant = c.String("custom-tenant-id")

  292. 	}

  293. 

  294. 	oAuth2Config.CustomURLMapping = customURLMapping

  295. 	source.Cfg = oAuth2Config

  296. 

  297. 	return auth_model.UpdateSource(ctx, source)

  298. }