Refactor: Move login out of models (#16199)
`models` does far too much. In particular it handles all `UserSignin`. It shouldn't be responsible for calling LDAP, SMTP or PAM for signing in. Therefore we should move this code out of `models`. This code has to depend on `models` - therefore it belongs in `services`. There is a package in `services` called `auth` and clearly this functionality belongs in there. Plan: - [x] Change `auth.Auth` to `auth.Method` - as they represent methods of authentication. - [x] Move `models.UserSignIn` into `auth` - [x] Move `models.ExternalUserLogin` - [x] Move most of the `LoginVia*` methods to `auth` or subpackages - [x] Move Resynchronize functionality to `auth` - Involved some restructuring of `models/ssh_key.go` to reduce the size of this massive file and simplify its files. - [x] Move the rest of the LDAP functionality in to the ldap subpackage - [x] Re-factor the login sources to express an interfaces `auth.Source`? - I've done this through some smaller interfaces Authenticator and Synchronizable - which would allow us to extend things in future - [x] Now LDAP is out of models - need to think about modules/auth/ldap and I think all of that functionality might just be moveable - [x] Similarly a lot Oauth2 functionality need not be in models too and should be moved to services/auth/source/oauth2 - [x] modules/auth/oauth2/oauth2.go uses xorm... This is naughty - probably need to move this into models. - [x] models/oauth2.go - mostly should be in modules/auth/oauth2 or services/auth/source/oauth2 - [x] More simplifications of login_source.go may need to be done - Allow wiring in of notify registration - *this can now easily be done - but I think we should do it in another PR* - see #16178 - More refactors...? - OpenID should probably become an auth Method but I think that can be left for another PR - Methods should also probably be cleaned up - again another PR I think. - SSPI still needs more refactors.* Rename auth.Auth auth.Method * Restructure ssh_key.go - move functions from models/user.go that relate to ssh_key to ssh_key - split ssh_key.go to try create clearer function domains for allow for future refactors here. Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath
@@ -1,123 +0,0 @@
|
||||
Gitea LDAP Authentication Module
|
||||
===============================
|
||||
|
||||
## About
|
||||
|
||||
This authentication module attempts to authorize and authenticate a user
|
||||
against an LDAP server. It provides two methods of authentication: LDAP via
|
||||
BindDN, and LDAP simple authentication.
|
||||
|
||||
LDAP via BindDN functions like most LDAP authentication systems. First, it
|
||||
queries the LDAP server using a Bind DN and searches for the user that is
|
||||
attempting to sign in. If the user is found, the module attempts to bind to the
|
||||
server using the user's supplied credentials. If this succeeds, the user has
|
||||
been authenticated, and his account information is retrieved and passed to the
|
||||
Gogs login infrastructure.
|
||||
|
||||
LDAP simple authentication does not utilize a Bind DN. Instead, it binds
|
||||
directly with the LDAP server using the user's supplied credentials. If the bind
|
||||
succeeds and no filter rules out the user, the user is authenticated.
|
||||
|
||||
LDAP via BindDN is recommended for most users. By using a Bind DN, the server
|
||||
can perform authorization by restricting which entries the Bind DN account can
|
||||
read. Further, using a Bind DN with reduced permissions can reduce security risk
|
||||
in the face of application bugs.
|
||||
|
||||
## Usage
|
||||
|
||||
To use this module, add an LDAP authentication source via the Authentications
|
||||
section in the admin panel. Both the LDAP via BindDN and the simple auth LDAP
|
||||
share the following fields:
|
||||
|
||||
* Authorization Name **(required)**
|
||||
* A name to assign to the new method of authorization.
|
||||
|
||||
* Host **(required)**
|
||||
* The address where the LDAP server can be reached.
|
||||
* Example: mydomain.com
|
||||
|
||||
* Port **(required)**
|
||||
* The port to use when connecting to the server.
|
||||
* Example: 636
|
||||
|
||||
* Enable TLS Encryption (optional)
|
||||
* Whether to use TLS when connecting to the LDAP server.
|
||||
|
||||
* Admin Filter (optional)
|
||||
* An LDAP filter specifying if a user should be given administrator
|
||||
privileges. If a user accounts passes the filter, the user will be
|
||||
privileged as an administrator.
|
||||
* Example: (objectClass=adminAccount)
|
||||
|
||||
* First name attribute (optional)
|
||||
* The attribute of the user's LDAP record containing the user's first name.
|
||||
This will be used to populate their account information.
|
||||
* Example: givenName
|
||||
|
||||
* Surname attribute (optional)
|
||||
* The attribute of the user's LDAP record containing the user's surname This
|
||||
will be used to populate their account information.
|
||||
* Example: sn
|
||||
|
||||
* E-mail attribute **(required)**
|
||||
* The attribute of the user's LDAP record containing the user's email
|
||||
address. This will be used to populate their account information.
|
||||
* Example: mail
|
||||
|
||||
**LDAP via BindDN** adds the following fields:
|
||||
|
||||
* Bind DN (optional)
|
||||
* The DN to bind to the LDAP server with when searching for the user. This
|
||||
may be left blank to perform an anonymous search.
|
||||
* Example: cn=Search,dc=mydomain,dc=com
|
||||
|
||||
* Bind Password (optional)
|
||||
* The password for the Bind DN specified above, if any. _Note: The password
|
||||
is stored in plaintext at the server. As such, ensure that your Bind DN
|
||||
has as few privileges as possible._
|
||||
|
||||
* User Search Base **(required)**
|
||||
* The LDAP base at which user accounts will be searched for.
|
||||
* Example: ou=Users,dc=mydomain,dc=com
|
||||
|
||||
* User Filter **(required)**
|
||||
* An LDAP filter declaring how to find the user record that is attempting to
|
||||
authenticate. The '%s' matching parameter will be substituted with the
|
||||
user's username.
|
||||
* Example: (&(objectClass=posixAccount)(uid=%s))
|
||||
|
||||
**LDAP using simple auth** adds the following fields:
|
||||
|
||||
* User DN **(required)**
|
||||
* A template to use as the user's DN. The `%s` matching parameter will be
|
||||
substituted with the user's username.
|
||||
* Example: cn=%s,ou=Users,dc=mydomain,dc=com
|
||||
* Example: uid=%s,ou=Users,dc=mydomain,dc=com
|
||||
|
||||
* User Search Base (optional)
|
||||
* The LDAP base at which user accounts will be searched for.
|
||||
* Example: ou=Users,dc=mydomain,dc=com
|
||||
|
||||
* User Filter **(required)**
|
||||
* An LDAP filter declaring when a user should be allowed to log in. The `%s`
|
||||
matching parameter will be substituted with the user's username.
|
||||
* Example: (&(objectClass=posixAccount)(cn=%s))
|
||||
* Example: (&(objectClass=posixAccount)(uid=%s))
|
||||
|
||||
**Verify group membership in LDAP** uses the following fields:
|
||||
|
||||
* Group Search Base (optional)
|
||||
* The LDAP DN used for groups.
|
||||
* Example: ou=group,dc=mydomain,dc=com
|
||||
|
||||
* Group Name Filter (optional)
|
||||
* An LDAP filter declaring how to find valid groups in the above DN.
|
||||
* Example: (|(cn=gitea_users)(cn=admins))
|
||||
|
||||
* User Attribute in Group (optional)
|
||||
* Which user LDAP attribute is listed in the group.
|
||||
* Example: uid
|
||||
|
||||
* Group Attribute for User (optional)
|
||||
* Which group LDAP attribute contains an array above user attribute names.
|
||||
* Example: memberUid
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,299 +0,0 @@
|
||||
// Copyright 2017 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package oauth2
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
"code.gitea.io/gitea/modules/log"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
|
||||
uuid "github.com/google/uuid"
|
||||
"github.com/lafriks/xormstore"
|
||||
"github.com/markbates/goth"
|
||||
"github.com/markbates/goth/gothic"
|
||||
"github.com/markbates/goth/providers/bitbucket"
|
||||
"github.com/markbates/goth/providers/discord"
|
||||
"github.com/markbates/goth/providers/dropbox"
|
||||
"github.com/markbates/goth/providers/facebook"
|
||||
"github.com/markbates/goth/providers/gitea"
|
||||
"github.com/markbates/goth/providers/github"
|
||||
"github.com/markbates/goth/providers/gitlab"
|
||||
"github.com/markbates/goth/providers/google"
|
||||
"github.com/markbates/goth/providers/mastodon"
|
||||
"github.com/markbates/goth/providers/nextcloud"
|
||||
"github.com/markbates/goth/providers/openidConnect"
|
||||
"github.com/markbates/goth/providers/twitter"
|
||||
"github.com/markbates/goth/providers/yandex"
|
||||
"xorm.io/xorm"
|
||||
)
|
||||
|
||||
var (
|
||||
sessionUsersStoreKey = "gitea-oauth2-sessions"
|
||||
providerHeaderKey = "gitea-oauth2-provider"
|
||||
)
|
||||
|
||||
// CustomURLMapping describes the urls values to use when customizing OAuth2 provider URLs
|
||||
type CustomURLMapping struct {
|
||||
AuthURL string
|
||||
TokenURL string
|
||||
ProfileURL string
|
||||
EmailURL string
|
||||
}
|
||||
|
||||
// Init initialize the setup of the OAuth2 library
|
||||
func Init(x *xorm.Engine) error {
|
||||
store, err := xormstore.NewOptions(x, xormstore.Options{
|
||||
TableName: "oauth2_session",
|
||||
}, []byte(sessionUsersStoreKey))
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// according to the Goth lib:
|
||||
// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
|
||||
// securecookie: the value is too long
|
||||
// when using OpenID Connect , since this can contain a large amount of extra information in the id_token
|
||||
|
||||
// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
|
||||
store.MaxLength(setting.OAuth2.MaxTokenLength)
|
||||
gothic.Store = store
|
||||
|
||||
gothic.SetState = func(req *http.Request) string {
|
||||
return uuid.New().String()
|
||||
}
|
||||
|
||||
gothic.GetProviderName = func(req *http.Request) (string, error) {
|
||||
return req.Header.Get(providerHeaderKey), nil
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Auth OAuth2 auth service
|
||||
func Auth(provider string, request *http.Request, response http.ResponseWriter) error {
|
||||
// not sure if goth is thread safe (?) when using multiple providers
|
||||
request.Header.Set(providerHeaderKey, provider)
|
||||
|
||||
// don't use the default gothic begin handler to prevent issues when some error occurs
|
||||
// normally the gothic library will write some custom stuff to the response instead of our own nice error page
|
||||
//gothic.BeginAuthHandler(response, request)
|
||||
|
||||
url, err := gothic.GetAuthURL(response, request)
|
||||
if err == nil {
|
||||
http.Redirect(response, request, url, http.StatusTemporaryRedirect)
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// ProviderCallback handles OAuth callback, resolve to a goth user and send back to original url
|
||||
// this will trigger a new authentication request, but because we save it in the session we can use that
|
||||
func ProviderCallback(provider string, request *http.Request, response http.ResponseWriter) (goth.User, error) {
|
||||
// not sure if goth is thread safe (?) when using multiple providers
|
||||
request.Header.Set(providerHeaderKey, provider)
|
||||
|
||||
user, err := gothic.CompleteUserAuth(response, request)
|
||||
if err != nil {
|
||||
return user, err
|
||||
}
|
||||
|
||||
return user, nil
|
||||
}
|
||||
|
||||
// RegisterProvider register a OAuth2 provider in goth lib
|
||||
func RegisterProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) error {
|
||||
provider, err := createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL, customURLMapping)
|
||||
|
||||
if err == nil && provider != nil {
|
||||
goth.UseProviders(provider)
|
||||
}
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
// RemoveProvider removes the given OAuth2 provider from the goth lib
|
||||
func RemoveProvider(providerName string) {
|
||||
delete(goth.GetProviders(), providerName)
|
||||
}
|
||||
|
||||
// ClearProviders clears all OAuth2 providers from the goth lib
|
||||
func ClearProviders() {
|
||||
goth.ClearProviders()
|
||||
}
|
||||
|
||||
// used to create different types of goth providers
|
||||
func createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) (goth.Provider, error) {
|
||||
callbackURL := setting.AppURL + "user/oauth2/" + url.PathEscape(providerName) + "/callback"
|
||||
|
||||
var provider goth.Provider
|
||||
var err error
|
||||
|
||||
switch providerType {
|
||||
case "bitbucket":
|
||||
provider = bitbucket.New(clientID, clientSecret, callbackURL, "account")
|
||||
case "dropbox":
|
||||
provider = dropbox.New(clientID, clientSecret, callbackURL)
|
||||
case "facebook":
|
||||
provider = facebook.New(clientID, clientSecret, callbackURL, "email")
|
||||
case "github":
|
||||
authURL := github.AuthURL
|
||||
tokenURL := github.TokenURL
|
||||
profileURL := github.ProfileURL
|
||||
emailURL := github.EmailURL
|
||||
if customURLMapping != nil {
|
||||
if len(customURLMapping.AuthURL) > 0 {
|
||||
authURL = customURLMapping.AuthURL
|
||||
}
|
||||
if len(customURLMapping.TokenURL) > 0 {
|
||||
tokenURL = customURLMapping.TokenURL
|
||||
}
|
||||
if len(customURLMapping.ProfileURL) > 0 {
|
||||
profileURL = customURLMapping.ProfileURL
|
||||
}
|
||||
if len(customURLMapping.EmailURL) > 0 {
|
||||
emailURL = customURLMapping.EmailURL
|
||||
}
|
||||
}
|
||||
scopes := []string{}
|
||||
if setting.OAuth2Client.EnableAutoRegistration {
|
||||
scopes = append(scopes, "user:email")
|
||||
}
|
||||
provider = github.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, emailURL, scopes...)
|
||||
case "gitlab":
|
||||
authURL := gitlab.AuthURL
|
||||
tokenURL := gitlab.TokenURL
|
||||
profileURL := gitlab.ProfileURL
|
||||
if customURLMapping != nil {
|
||||
if len(customURLMapping.AuthURL) > 0 {
|
||||
authURL = customURLMapping.AuthURL
|
||||
}
|
||||
if len(customURLMapping.TokenURL) > 0 {
|
||||
tokenURL = customURLMapping.TokenURL
|
||||
}
|
||||
if len(customURLMapping.ProfileURL) > 0 {
|
||||
profileURL = customURLMapping.ProfileURL
|
||||
}
|
||||
}
|
||||
provider = gitlab.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, "read_user")
|
||||
case "gplus": // named gplus due to legacy gplus -> google migration (Google killed Google+). This ensures old connections still work
|
||||
scopes := []string{"email"}
|
||||
if setting.OAuth2Client.UpdateAvatar || setting.OAuth2Client.EnableAutoRegistration {
|
||||
scopes = append(scopes, "profile")
|
||||
}
|
||||
provider = google.New(clientID, clientSecret, callbackURL, scopes...)
|
||||
case "openidConnect":
|
||||
if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL, setting.OAuth2Client.OpenIDConnectScopes...); err != nil {
|
||||
log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, openIDConnectAutoDiscoveryURL, err)
|
||||
}
|
||||
case "twitter":
|
||||
provider = twitter.NewAuthenticate(clientID, clientSecret, callbackURL)
|
||||
case "discord":
|
||||
provider = discord.New(clientID, clientSecret, callbackURL, discord.ScopeIdentify, discord.ScopeEmail)
|
||||
case "gitea":
|
||||
authURL := gitea.AuthURL
|
||||
tokenURL := gitea.TokenURL
|
||||
profileURL := gitea.ProfileURL
|
||||
if customURLMapping != nil {
|
||||
if len(customURLMapping.AuthURL) > 0 {
|
||||
authURL = customURLMapping.AuthURL
|
||||
}
|
||||
if len(customURLMapping.TokenURL) > 0 {
|
||||
tokenURL = customURLMapping.TokenURL
|
||||
}
|
||||
if len(customURLMapping.ProfileURL) > 0 {
|
||||
profileURL = customURLMapping.ProfileURL
|
||||
}
|
||||
}
|
||||
provider = gitea.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL)
|
||||
case "nextcloud":
|
||||
authURL := nextcloud.AuthURL
|
||||
tokenURL := nextcloud.TokenURL
|
||||
profileURL := nextcloud.ProfileURL
|
||||
if customURLMapping != nil {
|
||||
if len(customURLMapping.AuthURL) > 0 {
|
||||
authURL = customURLMapping.AuthURL
|
||||
}
|
||||
if len(customURLMapping.TokenURL) > 0 {
|
||||
tokenURL = customURLMapping.TokenURL
|
||||
}
|
||||
if len(customURLMapping.ProfileURL) > 0 {
|
||||
profileURL = customURLMapping.ProfileURL
|
||||
}
|
||||
}
|
||||
provider = nextcloud.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL)
|
||||
case "yandex":
|
||||
// See https://tech.yandex.com/passport/doc/dg/reference/response-docpage/
|
||||
provider = yandex.New(clientID, clientSecret, callbackURL, "login:email", "login:info", "login:avatar")
|
||||
case "mastodon":
|
||||
instanceURL := mastodon.InstanceURL
|
||||
if customURLMapping != nil && len(customURLMapping.AuthURL) > 0 {
|
||||
instanceURL = customURLMapping.AuthURL
|
||||
}
|
||||
provider = mastodon.NewCustomisedURL(clientID, clientSecret, callbackURL, instanceURL)
|
||||
}
|
||||
|
||||
// always set the name if provider is created so we can support multiple setups of 1 provider
|
||||
if err == nil && provider != nil {
|
||||
provider.SetName(providerName)
|
||||
}
|
||||
|
||||
return provider, err
|
||||
}
|
||||
|
||||
// GetDefaultTokenURL return the default token url for the given provider
|
||||
func GetDefaultTokenURL(provider string) string {
|
||||
switch provider {
|
||||
case "github":
|
||||
return github.TokenURL
|
||||
case "gitlab":
|
||||
return gitlab.TokenURL
|
||||
case "gitea":
|
||||
return gitea.TokenURL
|
||||
case "nextcloud":
|
||||
return nextcloud.TokenURL
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// GetDefaultAuthURL return the default authorize url for the given provider
|
||||
func GetDefaultAuthURL(provider string) string {
|
||||
switch provider {
|
||||
case "github":
|
||||
return github.AuthURL
|
||||
case "gitlab":
|
||||
return gitlab.AuthURL
|
||||
case "gitea":
|
||||
return gitea.AuthURL
|
||||
case "nextcloud":
|
||||
return nextcloud.AuthURL
|
||||
case "mastodon":
|
||||
return mastodon.InstanceURL
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// GetDefaultProfileURL return the default profile url for the given provider
|
||||
func GetDefaultProfileURL(provider string) string {
|
||||
switch provider {
|
||||
case "github":
|
||||
return github.ProfileURL
|
||||
case "gitlab":
|
||||
return gitlab.ProfileURL
|
||||
case "gitea":
|
||||
return gitea.ProfileURL
|
||||
case "nextcloud":
|
||||
return nextcloud.ProfileURL
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// GetDefaultEmailURL return the default email url for the given provider
|
||||
func GetDefaultEmailURL(provider string) string {
|
||||
if provider == "github" {
|
||||
return github.EmailURL
|
||||
}
|
||||
return ""
|
||||
}
|
||||
@@ -218,7 +218,7 @@ func (ctx *APIContext) CheckForOTP() {
|
||||
}
|
||||
|
||||
// APIAuth converts auth.Auth as a middleware
|
||||
func APIAuth(authMethod auth.Auth) func(*APIContext) {
|
||||
func APIAuth(authMethod auth.Method) func(*APIContext) {
|
||||
return func(ctx *APIContext) {
|
||||
// Get user from session if logged in.
|
||||
ctx.User = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
|
||||
@@ -627,7 +627,7 @@ func getCsrfOpts() CsrfOptions {
|
||||
}
|
||||
|
||||
// Auth converts auth.Auth as a middleware
|
||||
func Auth(authMethod auth.Auth) func(*Context) {
|
||||
func Auth(authMethod auth.Method) func(*Context) {
|
||||
return func(ctx *Context) {
|
||||
ctx.User = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
||||
if ctx.User != nil {
|
||||
|
||||
@@ -12,6 +12,7 @@ import (
|
||||
"code.gitea.io/gitea/modules/migrations"
|
||||
repository_service "code.gitea.io/gitea/modules/repository"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
"code.gitea.io/gitea/services/auth"
|
||||
mirror_service "code.gitea.io/gitea/services/mirror"
|
||||
)
|
||||
|
||||
@@ -80,7 +81,7 @@ func registerSyncExternalUsers() {
|
||||
UpdateExisting: true,
|
||||
}, func(ctx context.Context, _ *models.User, config Config) error {
|
||||
realConfig := config.(*UpdateExistingConfig)
|
||||
return models.SyncExternalUsers(ctx, realConfig.UpdateExisting)
|
||||
return auth.SyncExternalUsers(ctx, realConfig.UpdateExisting)
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user