Mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
gitea/routers/web/auth/oauth.go

485 lines
15 KiB
Go
Raw Normal View History

Integrate OAuth2 Provider (#5378)
2019-03-08 09:42:50 -07:00
// Copyright 2019 The Gitea Authors. All rights reserved.
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com>
2022-11-27 11:20:29 -07:00
// SPDX-License-Identifier: MIT
Integrate OAuth2 Provider (#5378)
2019-03-08 09:42:50 -07:00
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
package auth
Integrate OAuth2 Provider (#5378)
2019-03-08 09:42:50 -07:00
import (
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
"errors"
Integrate OAuth2 Provider (#5378)
2019-03-08 09:42:50 -07:00
"fmt"
Escape more things that are passed through str2html (#12622) * Escape more things that are passed through str2html Signed-off-by: Andrew Thornton <art27@cantab.net> * Bloody editors! Co-authored-by: mrsdizzie <info@mrsdizzie.com> * Update routers/user/oauth.go Co-authored-by: mrsdizzie <info@mrsdizzie.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-08-27 22:37:05 -06:00
"html"
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
"io"
[refactor] replace int with httpStatusCodes (#15282) * replace "200" (int) with "http.StatusOK" (const) * ctx.Error & ctx.HTML * ctx.JSON Part1 * ctx.JSON Part2 * ctx.JSON Part3
2021-04-05 09:30:52 -06:00
"net/http"
Show OAuth2 errors to end users (#25261) Partially fix #23936 ![image](https://github.com/go-gitea/gitea/assets/2114189/8aa7f3ad-a5f0-42ce-a478-289a03bd08a3) ![image](https://github.com/go-gitea/gitea/assets/2114189/bb901e7d-485a-47a5-b68d-9ebe7013a6b2) ![image](https://github.com/go-gitea/gitea/assets/2114189/9a1ce0f3-f011-4baf-8e2f-cc6304bc9703)
2023-06-14 19:12:50 -06:00
"sort"
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
2019-03-10 20:54:59 -06:00
"strings"
Integrate OAuth2 Provider (#5378)
2019-03-08 09:42:50 -07:00
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
"code.gitea.io/gitea/models/auth"
Move user related model into models/user (#17781) * Move user related model into models/user * Fix lint for windows * Fix windows lint * Fix windows lint * Move some tests in models * Merge
2021-11-24 02:49:20 -07:00
user_model "code.gitea.io/gitea/models/user"
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
auth_module "code.gitea.io/gitea/modules/auth"
Integrate OAuth2 Provider (#5378)
2019-03-08 09:42:50 -07:00
"code.gitea.io/gitea/modules/base"
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
"code.gitea.io/gitea/modules/container"
Integrate OAuth2 Provider (#5378)
2019-03-08 09:42:50 -07:00
"code.gitea.io/gitea/modules/log"
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next.
2024-02-04 06:29:09 -07:00
"code.gitea.io/gitea/modules/optional"
Integrate OAuth2 Provider (#5378)
2019-03-08 09:42:50 -07:00
"code.gitea.io/gitea/modules/setting"
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
"code.gitea.io/gitea/modules/web/middleware"
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
source_service "code.gitea.io/gitea/services/auth/source"
Refactor: Move login out of models (#16199) `models` does far too much. In particular it handles all `UserSignin`. It shouldn't be responsible for calling LDAP, SMTP or PAM for signing in. Therefore we should move this code out of `models`. This code has to depend on `models` - therefore it belongs in `services`. There is a package in `services` called `auth` and clearly this functionality belongs in there. Plan: - [x] Change `auth.Auth` to `auth.Method` - as they represent methods of authentication. - [x] Move `models.UserSignIn` into `auth` - [x] Move `models.ExternalUserLogin` - [x] Move most of the `LoginVia*` methods to `auth` or subpackages - [x] Move Resynchronize functionality to `auth` - Involved some restructuring of `models/ssh_key.go` to reduce the size of this massive file and simplify its files. - [x] Move the rest of the LDAP functionality in to the ldap subpackage - [x] Re-factor the login sources to express an interfaces `auth.Source`? - I've done this through some smaller interfaces Authenticator and Synchronizable - which would allow us to extend things in future - [x] Now LDAP is out of models - need to think about modules/auth/ldap and I think all of that functionality might just be moveable - [x] Similarly a lot Oauth2 functionality need not be in models too and should be moved to services/auth/source/oauth2 - [x] modules/auth/oauth2/oauth2.go uses xorm... This is naughty - probably need to move this into models. - [x] models/oauth2.go - mostly should be in modules/auth/oauth2 or services/auth/source/oauth2 - [x] More simplifications of login_source.go may need to be done - Allow wiring in of notify registration - *this can now easily be done - but I think we should do it in another PR* - see #16178 - More refactors...? - OpenID should probably become an auth Method but I think that can be left for another PR - Methods should also probably be cleaned up - again another PR I think. - SSPI still needs more refactors.* Rename auth.Auth auth.Method * Restructure ssh_key.go - move functions from models/user.go that relate to ssh_key to ssh_key - split ssh_key.go to try create clearer function domains for allow for future refactors here. Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-07-24 04:16:34 -06:00
"code.gitea.io/gitea/services/auth/source/oauth2"
Move context from modules to services (#29440) Since `modules/context` has to depend on `models` and many other packages, it should be moved from `modules/context` to `services/context` according to design principles. There is no logic code change on this PR, only move packages. - Move `code.gitea.io/gitea/modules/context` to `code.gitea.io/gitea/services/context` - Move `code.gitea.io/gitea/modules/contexttest` to `code.gitea.io/gitea/services/contexttest` because of depending on context - Move `code.gitea.io/gitea/modules/upload` to `code.gitea.io/gitea/services/context/upload` because of depending on context
2024-02-27 00:12:22 -07:00
"code.gitea.io/gitea/services/context"
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
"code.gitea.io/gitea/services/externalaccount"
user_service "code.gitea.io/gitea/services/user"
Add golangci (#6418)
2019-06-12 13:41:28 -06:00
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
"github.com/markbates/goth"
Catch the error before the response is processed by goth. (#20000) The code introduced by #18185 gets the error from response after it was processed by goth. That is incorrect, as goth (and golang.org/x/oauth) doesn't really care about the error, and it sends a token request with an empty authorization code to the server anyway, which always results in a `oauth2: cannot fetch token: 400 Bad Request` error from goth. It means that unless the "state" parameter is omitted from the error response (which is required to be present, according to [RFC 6749, Section 4.1.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1)) or the page is reloaded (makes the session invalid), a 500 Internal Server Error page will be displayed. This fixes it by handling the error before the request is passed to goth.
2022-06-20 09:37:54 -06:00
"github.com/markbates/goth/gothic"
Show OAuth2 errors to end users (#25261) Partially fix #23936 ![image](https://github.com/go-gitea/gitea/assets/2114189/8aa7f3ad-a5f0-42ce-a478-289a03bd08a3) ![image](https://github.com/go-gitea/gitea/assets/2114189/bb901e7d-485a-47a5-b68d-9ebe7013a6b2) ![image](https://github.com/go-gitea/gitea/assets/2114189/9a1ce0f3-f011-4baf-8e2f-cc6304bc9703)
2023-06-14 19:12:50 -06:00
go_oauth2 "golang.org/x/oauth2"
Integrate OAuth2 Provider (#5378)
2019-03-08 09:42:50 -07:00
)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
// SignInOAuth handles the OAuth2 login buttons
func SignInOAuth(ctx *context.Context) {
Refactor names (#31405) This PR only does "renaming": * `Route` should be `Router` (and chi router is also called "router") * `Params` should be `PathParam` (to distingush it from URL query param, and to match `FormString`) * Use lower case for private functions to avoid exposing or abusing
2024-06-18 16:32:45 -06:00
provider := ctx.PathParam(":provider")
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
Revert "Support SAML authentication (#25165)" (#29358) This reverts #25165 (5bb8d1924d77c675467694de26697b876d709a17), as there was a chance some important reviews got missed. so after reverting this patch it will be resubmitted for reviewing again https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242 temporary Open #5512 again
2024-02-23 21:18:49 -07:00
authSource, err := auth.GetActiveOAuth2SourceByName(ctx, provider)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if err != nil {
ctx.ServerError("SignIn", err)
return
}
Allow setting `redirect_to` cookie on OAuth login (#22594) The regular login flow can use a `redirect_to` cookie to ensure the user ends their authentication flow on the same page as where they started it. This commit adds the same functionality to the OAuth login URLs, so that you can use URLs like these to directly use a specific OAuth provider: `/user/oauth2/{provider}?redirect_to={post-login path}` Only the `auth.SignInOAuth()` function needed a change for this, as the rest of the login flow is aware of this cookie and uses it properly already.
2023-01-24 09:41:38 -07:00
redirectTo := ctx.FormString("redirect_to")
if len(redirectTo) > 0 {
middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
}
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
// try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
Reduce usage of `db.DefaultContext` (#27073) Part of #27065 This reduces the usage of `db.DefaultContext`. I think I've got enough files for the first PR. When this is merged, I will continue working on this. Considering how many files this PR affect, I hope it won't take to long to merge, so I don't end up in the merge conflict hell. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-14 11:09:32 -06:00
user, gothUser, err := oAuth2UserLoginCallback(ctx, authSource, ctx.Req, ctx.Resp)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if err == nil && user != nil {
// we got the user without going through the whole OAuth2 authentication flow again
handleOAuth2SignIn(ctx, authSource, user, gothUser)
return
}
if err = authSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
if strings.Contains(err.Error(), "no provider for ") {
Final round of `db.DefaultContext` refactor (#27587) Last part of #27065
2023-10-14 02:37:24 -06:00
if err = oauth2.ResetOAuth2(ctx); err != nil {
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
ctx.ServerError("SignIn", err)
return
}
if err = authSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
ctx.ServerError("SignIn", err)
}
return
}
ctx.ServerError("SignIn", err)
}
// redirect is done in oauth2.Auth
}
// SignInOAuthCallback handles the callback from the given provider
func SignInOAuthCallback(ctx *context.Context) {
Refactor names (#31405) This PR only does "renaming": * `Route` should be `Router` (and chi router is also called "router") * `Params` should be `PathParam` (to distingush it from URL query param, and to match `FormString`) * Use lower case for private functions to avoid exposing or abusing
2024-06-18 16:32:45 -06:00
provider := ctx.PathParam(":provider")
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
Show OAuth2 errors to end users (#25261) Partially fix #23936 ![image](https://github.com/go-gitea/gitea/assets/2114189/8aa7f3ad-a5f0-42ce-a478-289a03bd08a3) ![image](https://github.com/go-gitea/gitea/assets/2114189/bb901e7d-485a-47a5-b68d-9ebe7013a6b2) ![image](https://github.com/go-gitea/gitea/assets/2114189/9a1ce0f3-f011-4baf-8e2f-cc6304bc9703)
2023-06-14 19:12:50 -06:00
if ctx.Req.FormValue("error") != "" {
var errorKeyValues []string
for k, vv := range ctx.Req.Form {
for _, v := range vv {
errorKeyValues = append(errorKeyValues, fmt.Sprintf("%s = %s", html.EscapeString(k), html.EscapeString(v)))
}
}
sort.Strings(errorKeyValues)
ctx.Flash.Error(strings.Join(errorKeyValues, "<br>"), true)
}
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
// first look if the provider is still active
Revert "Support SAML authentication (#25165)" (#29358) This reverts #25165 (5bb8d1924d77c675467694de26697b876d709a17), as there was a chance some important reviews got missed. so after reverting this patch it will be resubmitted for reviewing again https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242 temporary Open #5512 again
2024-02-23 21:18:49 -07:00
authSource, err := auth.GetActiveOAuth2SourceByName(ctx, provider)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if err != nil {
ctx.ServerError("SignIn", err)
return
}
if authSource == nil {
Show OAuth2 errors to end users (#25261) Partially fix #23936 ![image](https://github.com/go-gitea/gitea/assets/2114189/8aa7f3ad-a5f0-42ce-a478-289a03bd08a3) ![image](https://github.com/go-gitea/gitea/assets/2114189/bb901e7d-485a-47a5-b68d-9ebe7013a6b2) ![image](https://github.com/go-gitea/gitea/assets/2114189/9a1ce0f3-f011-4baf-8e2f-cc6304bc9703)
2023-06-14 19:12:50 -06:00
ctx.ServerError("SignIn", errors.New("no valid provider found, check configured callback url in provider"))
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return
}
Reduce usage of `db.DefaultContext` (#27073) Part of #27065 This reduces the usage of `db.DefaultContext`. I think I've got enough files for the first PR. When this is merged, I will continue working on this. Considering how many files this PR affect, I hope it won't take to long to merge, so I don't end up in the merge conflict hell. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-14 11:09:32 -06:00
u, gothUser, err := oAuth2UserLoginCallback(ctx, authSource, ctx.Req, ctx.Resp)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if err != nil {
if user_model.IsErrUserProhibitLogin(err) {
Prevent panic on prohibited user login with oauth2 (#18562) There was an unfortunate regression in #17962 where following detection of the UserProhibitLogin error the err is cast to a pointer by mistake. This causes a panic due to an interface error. Fix #18561 Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-02-03 03:44:18 -07:00
uplerr := err.(user_model.ErrUserProhibitLogin)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
log.Info("Failed authentication attempt for %s from %s: %v", uplerr.Name, ctx.RemoteAddr(), err)
ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
return
}
Show OAuth callback error message (#18185) * Show callback error message. * lint * Use error code to display a message. Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lauris BH <lauris@nix.lv> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-01-07 14:02:09 -07:00
if callbackErr, ok := err.(errCallback); ok {
log.Info("Failed OAuth callback: (%v) %v", callbackErr.Code, callbackErr.Description)
switch callbackErr.Code {
case "access_denied":
ctx.Flash.Error(ctx.Tr("auth.oauth.signin.error.access_denied"))
case "temporarily_unavailable":
ctx.Flash.Error(ctx.Tr("auth.oauth.signin.error.temporarily_unavailable"))
default:
ctx.Flash.Error(ctx.Tr("auth.oauth.signin.error"))
}
ctx.Redirect(setting.AppSubURL + "/user/login")
return
}
Show OAuth2 errors to end users (#25261) Partially fix #23936 ![image](https://github.com/go-gitea/gitea/assets/2114189/8aa7f3ad-a5f0-42ce-a478-289a03bd08a3) ![image](https://github.com/go-gitea/gitea/assets/2114189/bb901e7d-485a-47a5-b68d-9ebe7013a6b2) ![image](https://github.com/go-gitea/gitea/assets/2114189/9a1ce0f3-f011-4baf-8e2f-cc6304bc9703)
2023-06-14 19:12:50 -06:00
if err, ok := err.(*go_oauth2.RetrieveError); ok {
ctx.Flash.Error("OAuth2 RetrieveError: "+err.Error(), true)
}
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
ctx.ServerError("UserSignIn", err)
return
}
if u == nil {
Adding button to link accounts from user settings (#19792) * Adding button to link accounts from user settings * Only display button to link user accounts when at least one OAuth2 provider is active
2022-05-28 18:03:17 -06:00
if ctx.Doer != nil {
Improve oauth2 client "preferred username field" logic and the error handling (#30622) Follow #30454 And fix #24957 When using "preferred_username", if no such field, `extractUserNameFromOAuth2` (old `getUserName`) shouldn't return an error. All other USERNAME options do not return such error. And fine tune some logic and error messages, make code more stable and more friendly to end users.
2024-04-25 05:22:32 -06:00
// attach user to the current signed-in user
Revert "Support SAML authentication (#25165)" (#29358) This reverts #25165 (5bb8d1924d77c675467694de26697b876d709a17), as there was a chance some important reviews got missed. so after reverting this patch it will be resubmitted for reviewing again https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242 temporary Open #5512 again
2024-02-23 21:18:49 -07:00
err = externalaccount.LinkAccountToUser(ctx, ctx.Doer, gothUser)
Adding button to link accounts from user settings (#19792) * Adding button to link accounts from user settings * Only display button to link user accounts when at least one OAuth2 provider is active
2022-05-28 18:03:17 -06:00
if err != nil {
ctx.ServerError("UserLinkAccount", err)
return
}
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
return
} else if !setting.Service.AllowOnlyInternalRegistration && setting.OAuth2Client.EnableAutoRegistration {
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
// create new user with details from oauth2 provider
var missingFields []string
if gothUser.UserID == "" {
missingFields = append(missingFields, "sub")
}
if gothUser.Email == "" {
missingFields = append(missingFields, "email")
}
Improve oauth2 client "preferred username field" logic and the error handling (#30622) Follow #30454 And fix #24957 When using "preferred_username", if no such field, `extractUserNameFromOAuth2` (old `getUserName`) shouldn't return an error. All other USERNAME options do not return such error. And fine tune some logic and error messages, make code more stable and more friendly to end users.
2024-04-25 05:22:32 -06:00
uname, err := extractUserNameFromOAuth2(&gothUser)
if err != nil {
ctx.ServerError("UserSignIn", err)
return
}
if uname == "" {
if setting.OAuth2Client.Username == setting.OAuth2UsernameNickname {
missingFields = append(missingFields, "nickname")
} else if setting.OAuth2Client.Username == setting.OAuth2UsernamePreferredUsername {
missingFields = append(missingFields, "preferred_username")
} // else: "UserID" and "Email" have been handled above separately
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
if len(missingFields) > 0 {
Improve oauth2 client "preferred username field" logic and the error handling (#30622) Follow #30454 And fix #24957 When using "preferred_username", if no such field, `extractUserNameFromOAuth2` (old `getUserName`) shouldn't return an error. All other USERNAME options do not return such error. And fine tune some logic and error messages, make code more stable and more friendly to end users.
2024-04-25 05:22:32 -06:00
log.Error(`OAuth2 auto registration (ENABLE_AUTO_REGISTRATION) is enabled but OAuth2 provider %q doesn't return required fields: %s. `+
`Suggest to: disable auto registration, or make OPENID_CONNECT_SCOPES (for OpenIDConnect) / Authentication Source Scopes (for Admin panel) to request all required fields, and the fields shouldn't be empty.`,
authSource.Name, strings.Join(missingFields, ","))
// The RawData is the only way to pass the missing fields to the another page at the moment, other ways all have various problems:
// by session or cookie: difficult to clean or reset; by URL: could be injected with uncontrollable content; by ctx.Flash: the link_account page is a mess ...
// Since the RawData is for the provider's data, so we need to use our own prefix here to avoid conflict.
if gothUser.RawData == nil {
gothUser.RawData = make(map[string]any)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
Improve oauth2 client "preferred username field" logic and the error handling (#30622) Follow #30454 And fix #24957 When using "preferred_username", if no such field, `extractUserNameFromOAuth2` (old `getUserName`) shouldn't return an error. All other USERNAME options do not return such error. And fine tune some logic and error messages, make code more stable and more friendly to end users.
2024-04-25 05:22:32 -06:00
gothUser.RawData["__giteaAutoRegMissingFields"] = missingFields
showLinkingLogin(ctx, gothUser)
Normalize oauth email username (#28561)
2024-01-03 17:48:20 -07:00
return
}
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
u = &user_model.User{
Normalize oauth email username (#28561)
2024-01-03 17:48:20 -07:00
Name: uname,
Respect DefaultUserIsRestricted system default when creating new user (#19310) * Apply DefaultUserIsRestricted in CreateUser * Enforce system defaults in CreateUser Allow for overwrites with CreateUserOverwriteOptions * Fix compilation errors * Add "restricted" option to create user command * Add "restricted" option to create user admin api * Respect default setting.Service.RegisterEmailConfirm and setting.Service.RegisterManualConfirm where needed * Revert "Respect default setting.Service.RegisterEmailConfirm and setting.Service.RegisterManualConfirm where needed" This reverts commit ee95d3e8dc9e9fff4fa66a5111e4d3930280e033.
2022-04-29 13:38:11 -06:00
FullName: gothUser.Name,
Email: gothUser.Email,
LoginType: auth.OAuth2,
LoginSource: authSource.ID,
LoginName: gothUser.UserID,
}
overwriteDefault := &user_model.CreateUserOverwriteOptions{
Start to migrate from `util.OptionalBool` to `optional.Option[bool]` (#29329) just create transition helper and migrate two structs
2024-02-22 19:18:33 -07:00
IsActive: optional.Some(!setting.OAuth2Client.RegisterEmailConfirm && !setting.Service.RegisterManualConfirm),
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
source := authSource.Cfg.(*oauth2.Source)
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next.
2024-02-04 06:29:09 -07:00
isAdmin, isRestricted := getUserAdminAndRestrictedFromGroupClaims(source, &gothUser)
u.IsAdmin = isAdmin.ValueOrDefault(false)
u.IsRestricted = isRestricted.ValueOrDefault(false)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
Revert "Support SAML authentication (#25165)" (#29358) This reverts #25165 (5bb8d1924d77c675467694de26697b876d709a17), as there was a chance some important reviews got missed. so after reverting this patch it will be resubmitted for reviewing again https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242 temporary Open #5512 again
2024-02-23 21:18:49 -07:00
if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
// error already handled
return
}
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
if err := syncGroupsToTeams(ctx, source, &gothUser, u); err != nil {
ctx.ServerError("SyncGroupsToTeams", err)
return
}
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
} else {
// no existing user is found, request attach or new account
Revert "Support SAML authentication (#25165)" (#29358) This reverts #25165 (5bb8d1924d77c675467694de26697b876d709a17), as there was a chance some important reviews got missed. so after reverting this patch it will be resubmitted for reviewing again https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242 temporary Open #5512 again
2024-02-23 21:18:49 -07:00
showLinkingLogin(ctx, gothUser)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return
}
}
handleOAuth2SignIn(ctx, authSource, u, gothUser)
}
Replace `interface{}` with `any` (#25686) Result of running `perl -p -i -e 's#interface\{\}#any#g' **/*` and `make fmt`. Basically the same [as golang did](https://github.com/golang/go/commit/2580d0e08d5e9f979b943758d3c49877fb2324cb).
2023-07-04 12:36:08 -06:00
func claimValueToStringSet(claimValue any) container.Set[string] {
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
var groups []string
switch rawGroup := claimValue.(type) {
case []string:
groups = rawGroup
Replace `interface{}` with `any` (#25686) Result of running `perl -p -i -e 's#interface\{\}#any#g' **/*` and `make fmt`. Basically the same [as golang did](https://github.com/golang/go/commit/2580d0e08d5e9f979b943758d3c49877fb2324cb).
2023-07-04 12:36:08 -06:00
case []any:
Fix OAuth Source Edit Page (#18495) * Fix OAuth Source Edit Page to ensure restricted and group settings are set * Also tolerate []interface in the groups Fix #18432 Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-01-31 13:41:11 -07:00
for _, group := range rawGroup {
groups = append(groups, fmt.Sprintf("%s", group))
}
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
default:
str := fmt.Sprintf("%s", rawGroup)
groups = strings.Split(str, ",")
}
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
return container.SetOf(groups...)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
func syncGroupsToTeams(ctx *context.Context, source *oauth2.Source, gothUser *goth.User, u *user_model.User) error {
if source.GroupTeamMap != "" || source.GroupTeamMapRemoval {
groupTeamMapping, err := auth_module.UnmarshalGroupTeamMapping(source.GroupTeamMap)
if err != nil {
return err
}
groups := getClaimedGroups(source, gothUser)
if err := source_service.SyncGroupsToTeams(ctx, u, groups, groupTeamMapping, source.GroupTeamMapRemoval); err != nil {
return err
}
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
return nil
}
func getClaimedGroups(source *oauth2.Source, gothUser *goth.User) container.Set[string] {
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
groupClaims, has := gothUser.RawData[source.GroupClaimName]
if !has {
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
return nil
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
return claimValueToStringSet(groupClaims)
}
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next.
2024-02-04 06:29:09 -07:00
func getUserAdminAndRestrictedFromGroupClaims(source *oauth2.Source, gothUser *goth.User) (isAdmin, isRestricted optional.Option[bool]) {
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
groups := getClaimedGroups(source, gothUser)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if source.AdminGroup != "" {
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next.
2024-02-04 06:29:09 -07:00
isAdmin = optional.Some(groups.Contains(source.AdminGroup))
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
if source.RestrictedGroup != "" {
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next.
2024-02-04 06:29:09 -07:00
isRestricted = optional.Some(groups.Contains(source.RestrictedGroup))
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next.
2024-02-04 06:29:09 -07:00
return isAdmin, isRestricted
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
Revert "Support SAML authentication (#25165)" (#29358) This reverts #25165 (5bb8d1924d77c675467694de26697b876d709a17), as there was a chance some important reviews got missed. so after reverting this patch it will be resubmitted for reviewing again https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242 temporary Open #5512 again
2024-02-23 21:18:49 -07:00
func showLinkingLogin(ctx *context.Context, gothUser goth.User) {
Replace `interface{}` with `any` (#25686) Result of running `perl -p -i -e 's#interface\{\}#any#g' **/*` and `make fmt`. Basically the same [as golang did](https://github.com/golang/go/commit/2580d0e08d5e9f979b943758d3c49877fb2324cb).
2023-07-04 12:36:08 -06:00
if err := updateSession(ctx, nil, map[string]any{
Revert "Support SAML authentication (#25165)" (#29358) This reverts #25165 (5bb8d1924d77c675467694de26697b876d709a17), as there was a chance some important reviews got missed. so after reverting this patch it will be resubmitted for reviewing again https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242 temporary Open #5512 again
2024-02-23 21:18:49 -07:00
"linkAccountGothUser": gothUser,
Extract updateSession function to reduce repetition (#21735) A simple refactor to reduce duplicate codes. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de>
2022-11-10 04:43:06 -07:00
}); err != nil {
ctx.ServerError("updateSession", err)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return
}
ctx.Redirect(setting.AppSubURL + "/user/link_account")
}
Penultimate round of `db.DefaultContext` refactor (#27414) Part of #27065 --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-10-10 22:24:07 -06:00
func updateAvatarIfNeed(ctx *context.Context, url string, u *user_model.User) {
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if setting.OAuth2Client.UpdateAvatar && len(url) > 0 {
resp, err := http.Get(url)
if err == nil {
defer func() {
_ = resp.Body.Close()
}()
}
// ignore any error
if err == nil && resp.StatusCode == http.StatusOK {
data, err := io.ReadAll(io.LimitReader(resp.Body, setting.Avatar.MaxFileSize+1))
if err == nil && int64(len(data)) <= setting.Avatar.MaxFileSize {
Penultimate round of `db.DefaultContext` refactor (#27414) Part of #27065 --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-10-10 22:24:07 -06:00
_ = user_service.UploadAvatar(ctx, u, data)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
}
}
}
}
func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model.User, gothUser goth.User) {
Penultimate round of `db.DefaultContext` refactor (#27414) Part of #27065 --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-10-10 22:24:07 -06:00
updateAvatarIfNeed(ctx, gothUser.AvatarURL, u)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
needs2FA := false
if !source.Cfg.(*oauth2.Source).SkipLocalTwoFA {
More refactoring of `db.DefaultContext` (#27083) Next step of #27065
2023-09-15 00:13:19 -06:00
_, err := auth.GetTwoFactorByUID(ctx, u.ID)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
ctx.ServerError("UserSignIn", err)
return
}
needs2FA = err == nil
}
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
oauth2Source := source.Cfg.(*oauth2.Source)
groupTeamMapping, err := auth_module.UnmarshalGroupTeamMapping(oauth2Source.GroupTeamMap)
if err != nil {
ctx.ServerError("UnmarshalGroupTeamMapping", err)
return
}
groups := getClaimedGroups(oauth2Source, &gothUser)
allow synchronizing user status from OAuth2 login providers (#31572) This leverages the existing `sync_external_users` cron job to synchronize the `IsActive` flag on users who use an OAuth2 provider set to synchronize. This synchronization is done by checking for expired access tokens, and using the stored refresh token to request a new access token. If the response back from the OAuth2 provider is the `invalid_grant` error code, the user is marked as inactive. However, the user is able to reactivate their account by logging in the web browser through their OAuth2 flow. Also changed to support this is that a linked `ExternalLoginUser` is always created upon a login or signup via OAuth2. ### Notes on updating permissions Ideally, we would also refresh permissions from the configured OAuth provider (e.g., admin, restricted and group mappings) to match the implementation of LDAP. However, the OAuth library used for this `goth`, doesn't seem to support issuing a session via refresh tokens. The interface provides a [`RefreshToken` method](https://github.com/markbates/goth/blob/master/provider.go#L20), but the returned `oauth.Token` doesn't implement the `goth.Session` we would need to call `FetchUser`. Due to specific implementations, we would need to build a compatibility function for every provider, since they cast to concrete types (e.g. [Azure](https://github.com/markbates/goth/blob/master/providers/azureadv2/azureadv2.go#L132)) --------- Co-authored-by: Kyle D <kdumontnu@gmail.com>
2024-07-16 12:33:16 -06:00
opts := &user_service.UpdateOptions{}
// Reactivate user if they are deactivated
if !u.IsActive {
opts.IsActive = optional.Some(true)
}
// Update GroupClaims
opts.IsAdmin, opts.IsRestricted = getUserAdminAndRestrictedFromGroupClaims(oauth2Source, &gothUser)
if oauth2Source.GroupTeamMap != "" || oauth2Source.GroupTeamMapRemoval {
if err := source_service.SyncGroupsToTeams(ctx, u, groups, groupTeamMapping, oauth2Source.GroupTeamMapRemoval); err != nil {
ctx.ServerError("SyncGroupsToTeams", err)
return
}
}
if err := externalaccount.EnsureLinkExternalToUser(ctx, u, gothUser); err != nil {
ctx.ServerError("EnsureLinkExternalToUser", err)
return
}
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
// If this user is enrolled in 2FA and this source doesn't override it,
// we can't sign the user in just yet. Instead, redirect them to the 2FA authentication page.
if !needs2FA {
allow synchronizing user status from OAuth2 login providers (#31572) This leverages the existing `sync_external_users` cron job to synchronize the `IsActive` flag on users who use an OAuth2 provider set to synchronize. This synchronization is done by checking for expired access tokens, and using the stored refresh token to request a new access token. If the response back from the OAuth2 provider is the `invalid_grant` error code, the user is marked as inactive. However, the user is able to reactivate their account by logging in the web browser through their OAuth2 flow. Also changed to support this is that a linked `ExternalLoginUser` is always created upon a login or signup via OAuth2. ### Notes on updating permissions Ideally, we would also refresh permissions from the configured OAuth provider (e.g., admin, restricted and group mappings) to match the implementation of LDAP. However, the OAuth library used for this `goth`, doesn't seem to support issuing a session via refresh tokens. The interface provides a [`RefreshToken` method](https://github.com/markbates/goth/blob/master/provider.go#L20), but the returned `oauth.Token` doesn't implement the `goth.Session` we would need to call `FetchUser`. Due to specific implementations, we would need to build a compatibility function for every provider, since they cast to concrete types (e.g. [Azure](https://github.com/markbates/goth/blob/master/providers/azureadv2/azureadv2.go#L132)) --------- Co-authored-by: Kyle D <kdumontnu@gmail.com>
2024-07-16 12:33:16 -06:00
// Register last login
opts.SetLastLogin = true
if err := user_service.UpdateUser(ctx, u, opts); err != nil {
ctx.ServerError("UpdateUser", err)
return
}
Replace `interface{}` with `any` (#25686) Result of running `perl -p -i -e 's#interface\{\}#any#g' **/*` and `make fmt`. Basically the same [as golang did](https://github.com/golang/go/commit/2580d0e08d5e9f979b943758d3c49877fb2324cb).
2023-07-04 12:36:08 -06:00
if err := updateSession(ctx, nil, map[string]any{
Extract updateSession function to reduce repetition (#21735) A simple refactor to reduce duplicate codes. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de>
2022-11-10 04:43:06 -07:00
"uid": u.ID,
"uname": u.Name,
}); err != nil {
ctx.ServerError("updateSession", err)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return
}
Refactor CSRF token (#32216)
2024-10-09 21:48:21 -06:00
// force to generate a new CSRF token
ctx.Csrf.PrepareForSessionUser(ctx)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if err := resetLocale(ctx, u); err != nil {
ctx.ServerError("resetLocale", err)
return
}
Refactor cookie (#24107) Close #24062 At the beginning, I just wanted to fix the warning mentioned by #24062 But, the cookie code really doesn't look good to me, so clean up them. Complete the TODO on `SetCookie`: > TODO: Copied from gitea.com/macaron/macaron and should be improved after macaron removed.
2023-04-13 13:45:33 -06:00
if redirectTo := ctx.GetSiteCookie("redirect_to"); len(redirectTo) > 0 {
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
middleware.DeleteRedirectToCookie(ctx.Resp)
Refactor URL detection (#29960) "Redirect" functions should only redirect if the target is for current Gitea site.
2024-03-21 06:02:34 -06:00
ctx.RedirectToCurrentSite(redirectTo)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return
}
ctx.Redirect(setting.AppSubURL + "/")
return
}
allow synchronizing user status from OAuth2 login providers (#31572) This leverages the existing `sync_external_users` cron job to synchronize the `IsActive` flag on users who use an OAuth2 provider set to synchronize. This synchronization is done by checking for expired access tokens, and using the stored refresh token to request a new access token. If the response back from the OAuth2 provider is the `invalid_grant` error code, the user is marked as inactive. However, the user is able to reactivate their account by logging in the web browser through their OAuth2 flow. Also changed to support this is that a linked `ExternalLoginUser` is always created upon a login or signup via OAuth2. ### Notes on updating permissions Ideally, we would also refresh permissions from the configured OAuth provider (e.g., admin, restricted and group mappings) to match the implementation of LDAP. However, the OAuth library used for this `goth`, doesn't seem to support issuing a session via refresh tokens. The interface provides a [`RefreshToken` method](https://github.com/markbates/goth/blob/master/provider.go#L20), but the returned `oauth.Token` doesn't implement the `goth.Session` we would need to call `FetchUser`. Due to specific implementations, we would need to build a compatibility function for every provider, since they cast to concrete types (e.g. [Azure](https://github.com/markbates/goth/blob/master/providers/azureadv2/azureadv2.go#L132)) --------- Co-authored-by: Kyle D <kdumontnu@gmail.com>
2024-07-16 12:33:16 -06:00
if opts.IsActive.Has() || opts.IsAdmin.Has() || opts.IsRestricted.Has() {
Unify user update methods (#28733) Fixes #28660 Fixes an admin api bug related to `user.LoginSource` Fixed `/user/emails` response not identical to GitHub api This PR unifies the user update methods. The goal is to keep the logic only at one place (having audit logs in mind). For example, do the password checks only in one method not everywhere a password is updated. After that PR is merged, the user creation should be next.
2024-02-04 06:29:09 -07:00
if err := user_service.UpdateUser(ctx, u, opts); err != nil {
ctx.ServerError("UpdateUser", err)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return
}
}
Replace `interface{}` with `any` (#25686) Result of running `perl -p -i -e 's#interface\{\}#any#g' **/*` and `make fmt`. Basically the same [as golang did](https://github.com/golang/go/commit/2580d0e08d5e9f979b943758d3c49877fb2324cb).
2023-07-04 12:36:08 -06:00
if err := updateSession(ctx, nil, map[string]any{
Extract updateSession function to reduce repetition (#21735) A simple refactor to reduce duplicate codes. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de>
2022-11-10 04:43:06 -07:00
// User needs to use 2FA, save data and redirect to 2FA page.
"twofaUid": u.ID,
"twofaRemember": false,
}); err != nil {
ctx.ServerError("updateSession", err)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return
}
Support webauthn (#17957) Migrate from U2F to Webauthn Co-authored-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-01-14 08:03:31 -07:00
// If WebAuthn is enrolled -> Redirect to WebAuthn instead
Next round of `db.DefaultContext` refactor (#27089) Part of #27065
2023-09-16 08:39:12 -06:00
regs, err := auth.GetWebAuthnCredentialsByUID(ctx, u.ID)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if err == nil && len(regs) > 0 {
Support webauthn (#17957) Migrate from U2F to Webauthn Co-authored-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-01-14 08:03:31 -07:00
ctx.Redirect(setting.AppSubURL + "/user/webauthn")
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return
}
ctx.Redirect(setting.AppSubURL + "/user/two_factor")
}
// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
// login the user
Reduce usage of `db.DefaultContext` (#27073) Part of #27065 This reduces the usage of `db.DefaultContext`. I think I've got enough files for the first PR. When this is merged, I will continue working on this. Considering how many files this PR affect, I hope it won't take to long to merge, so I don't end up in the merge conflict hell. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-14 11:09:32 -06:00
func oAuth2UserLoginCallback(ctx *context.Context, authSource *auth.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
oauth2Source := authSource.Cfg.(*oauth2.Source)
Catch the error before the response is processed by goth. (#20000) The code introduced by #18185 gets the error from response after it was processed by goth. That is incorrect, as goth (and golang.org/x/oauth) doesn't really care about the error, and it sends a token request with an empty authorization code to the server anyway, which always results in a `oauth2: cannot fetch token: 400 Bad Request` error from goth. It means that unless the "state" parameter is omitted from the error response (which is required to be present, according to [RFC 6749, Section 4.1.2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1)) or the page is reloaded (makes the session invalid), a 500 Internal Server Error page will be displayed. This fixes it by handling the error before the request is passed to goth.
2022-06-20 09:37:54 -06:00
// Make sure that the response is not an error response.
errorName := request.FormValue("error")
if len(errorName) > 0 {
errorDescription := request.FormValue("error_description")
// Delete the goth session
err := gothic.Logout(response, request)
if err != nil {
return nil, goth.User{}, err
}
return nil, goth.User{}, errCallback{
Code: errorName,
Description: errorDescription,
}
}
// Proceed to authenticate through goth.
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
gothUser, err := oauth2Source.Callback(request, response)
if err != nil {
if err.Error() == "securecookie: the value is too long" || strings.Contains(err.Error(), "Data too long") {
log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
err = fmt.Errorf("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
}
return nil, goth.User{}, err
}
if oauth2Source.RequiredClaimName != "" {
claimInterface, has := gothUser.RawData[oauth2Source.RequiredClaimName]
if !has {
return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
}
if oauth2Source.RequiredClaimValue != "" {
Map OIDC groups to Orgs/Teams (#21441) Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-07 23:44:42 -07:00
groups := claimValueToStringSet(claimInterface)
if !groups.Contains(oauth2Source.RequiredClaimValue) {
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
}
}
}
user := &user_model.User{
LoginName: gothUser.UserID,
LoginType: auth.OAuth2,
LoginSource: authSource.ID,
}
Reduce usage of `db.DefaultContext` (#27073) Part of #27065 This reduces the usage of `db.DefaultContext`. I think I've got enough files for the first PR. When this is merged, I will continue working on this. Considering how many files this PR affect, I hope it won't take to long to merge, so I don't end up in the merge conflict hell. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-09-14 11:09:32 -06:00
hasUser, err := user_model.GetUser(ctx, user)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if err != nil {
return nil, goth.User{}, err
}
if hasUser {
return user, gothUser, nil
}
// search in external linked users
externalLoginUser := &user_model.ExternalLoginUser{
ExternalID: gothUser.UserID,
LoginSourceID: authSource.ID,
}
Final round of `db.DefaultContext` refactor (#27587) Last part of #27065
2023-10-14 02:37:24 -06:00
hasUser, err = user_model.GetExternalLogin(request.Context(), externalLoginUser)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
if err != nil {
return nil, goth.User{}, err
}
if hasUser {
refactor some functions to support ctx as first parameter (#21878) Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Lauris BH <lauris@nix.lv>
2022-12-02 19:48:26 -07:00
user, err = user_model.GetUserByID(request.Context(), externalLoginUser.UserID)
Refactor auth package (#17962)
2022-01-02 06:12:35 -07:00
return user, gothUser, err
}
// no user found to login
return nil, gothUser, nil
}