OpenI
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
8420 Commits
197 Branches
392 MB
2630 Download
Tree: 8ff3d5cc35
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8ff3d5cc35'
${ noResults }
aiforge/modules/auth/sso/sso.go

sso.go 4.4 kB
Raw Normal View History

Add single sign-on support via SSPI on Windows (#8463) * Add single sign-on support via SSPI on Windows * Ensure plugins implement interface * Ensure plugins implement interface * Move functions used only by the SSPI auth method to sspi_windows.go * Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected * Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links. * Update documentation for the new 'SPNEGO with SSPI' login source * Mention in documentation that ROOT_URL should contain the FQDN of the server * Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing) * Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources) * Add option in SSPIConfig for removing of domains from logon names * Update helper text for StripDomainNames option * Make sure handleSignIn() is called after a new user object is created by SSPI auth method * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates * Remove code duplication * Log errors in ActiveLoginSources Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert suffix of randomly generated E-mails for Reverse proxy authentication Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert unneeded white-space change in template Co-Authored-By: Lauris BH <lauris@nix.lv> * Add copyright comments at the top of new files * Use loopback name for randomly generated emails * Add locale tag for the SSPISeparatorReplacement field with proper casing * Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields * Update docs/content/doc/features/authentication.en-us.md Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> * Remove Priority() method and define the order in which SSO auth methods should be executed in one place * Log authenticated username only if it's not empty * Rephrase helper text for automatic creation of users * Return error if more than one active SSPI auth source is found * Change newUser() function to return error, letting caller log/handle the error * Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed * Refactor initialization of the list containing SSO auth methods * Validate SSPI settings on POST * Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page * Make 'Default language' in SSPI config empty, unless changed by admin * Show error if admin tries to add a second authentication source of type SSPI * Simplify declaration of global variable * Rebuild gitgraph.js on Linux * Make sure config values containing only whitespace are not accepted
5 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2019 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. package sso

  7. 

  8. import (

  9. 	"fmt"

  10. 	"reflect"

  11. 	"strings"

  12. 

  13. 	"code.gitea.io/gitea/models"

  14. 	"code.gitea.io/gitea/modules/log"

  15. 	"code.gitea.io/gitea/modules/setting"

  16. 

  17. 	"gitea.com/macaron/macaron"

  18. 	"gitea.com/macaron/session"

  19. )

  20. 

  21. // ssoMethods contains the list of SSO authentication plugins in the order they are expected to be

  22. // executed.

  23. //

  24. // The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored

  25. // in the session (if there is a user id stored in session other plugins might return the user

  26. // object for that id).

  27. //

  28. // The Session plugin is expected to be executed second, in order to skip authentication

  29. // for users that have already signed in.

  30. var ssoMethods = []SingleSignOn{

  31. 	&OAuth2{},

  32. 	&Session{},

  33. 	&ReverseProxy{},

  34. 	&Basic{},

  35. }

  36. 

  37. // The purpose of the following three function variables is to let the linter know that

  38. // those functions are not dead code and are actually being used

  39. var (

  40. 	_ = handleSignIn

  41. )

  42. 

  43. // Methods returns the instances of all registered SSO methods

  44. func Methods() []SingleSignOn {

  45. 	return ssoMethods

  46. }

  47. 

  48. // Register adds the specified instance to the list of available SSO methods

  49. func Register(method SingleSignOn) {

  50. 	ssoMethods = append(ssoMethods, method)

  51. }

  52. 

  53. // Init should be called exactly once when the application starts to allow SSO plugins

  54. // to allocate necessary resources

  55. func Init() {

  56. 	for _, method := range Methods() {

  57. 		err := method.Init()

  58. 		if err != nil {

  59. 			log.Error("Could not initialize '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err)

  60. 		}

  61. 	}

  62. }

  63. 

  64. // Free should be called exactly once when the application is terminating to allow SSO plugins

  65. // to release necessary resources

  66. func Free() {

  67. 	for _, method := range Methods() {

  68. 		err := method.Free()

  69. 		if err != nil {

  70. 			log.Error("Could not free '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err)

  71. 		}

  72. 	}

  73. }

  74. 

  75. // SessionUser returns the user object corresponding to the "uid" session variable.

  76. func SessionUser(sess session.Store) *models.User {

  77. 	// Get user ID

  78. 	uid := sess.Get("uid")

  79. 	if uid == nil {

  80. 		return nil

  81. 	}

  82. 	id, ok := uid.(int64)

  83. 	if !ok {

  84. 		return nil

  85. 	}

  86. 

  87. 	// Get user object

  88. 	user, err := models.GetUserByID(id)

  89. 	if err != nil {

  90. 		if !models.IsErrUserNotExist(err) {

  91. 			log.Error("GetUserById: %v", err)

  92. 		}

  93. 		return nil

  94. 	}

  95. 	return user

  96. }

  97. 

  98. // isAPIPath returns true if the specified URL is an API path

  99. func isAPIPath(ctx *macaron.Context) bool {

  100. 	return strings.HasPrefix(ctx.Req.URL.Path, "/api/")

  101. }

  102. 

  103. // isAttachmentDownload check if request is a file download (GET) with URL to an attachment

  104. func isAttachmentDownload(ctx *macaron.Context) bool {

  105. 	return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"

  106. }

  107. 

  108. // handleSignIn clears existing session variables and stores new ones for the specified user object

  109. func handleSignIn(ctx *macaron.Context, sess session.Store, user *models.User) {

  110. 	_ = sess.Delete("openid_verified_uri")

  111. 	_ = sess.Delete("openid_signin_remember")

  112. 	_ = sess.Delete("openid_determined_email")

  113. 	_ = sess.Delete("openid_determined_username")

  114. 	_ = sess.Delete("twofaUid")

  115. 	_ = sess.Delete("twofaRemember")

  116. 	_ = sess.Delete("u2fChallenge")

  117. 	_ = sess.Delete("linkAccount")

  118. 	err := sess.Set("uid", user.ID)

  119. 	if err != nil {

  120. 		log.Error(fmt.Sprintf("Error setting session: %v", err))

  121. 	}

  122. 	err = sess.Set("uname", user.Name)

  123. 	if err != nil {

  124. 		log.Error(fmt.Sprintf("Error setting session: %v", err))

  125. 	}

  126. 

  127. 	// Language setting of the user overwrites the one previously set

  128. 	// If the user does not have a locale set, we save the current one.

  129. 	if len(user.Language) == 0 {

  130. 		user.Language = ctx.Locale.Language()

  131. 		if err := models.UpdateUserCols(user, "language"); err != nil {

  132. 			log.Error(fmt.Sprintf("Error updating user language [user: %d, locale: %s]", user.ID, user.Language))

  133. 			return

  134. 		}

  135. 	}

  136. 

  137. 	ctx.SetCookie("lang", user.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)

  138. 

  139. 	// Clear whatever CSRF has right now, force to generate a new one

  140. 	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)

  141. }

No Description