2021-04-14 15:02:12 +03:00
// Copyright 2021 The Gitea Authors. All rights reserved.
2022-11-27 21:20:29 +03:00
// SPDX-License-Identifier: MIT
2021-04-14 15:02:12 +03:00
package setting
import (
2023-04-25 18:06:39 +03:00
"encoding/base64"
2023-02-19 19:12:01 +03:00
"math"
"path/filepath"
2023-04-25 18:06:39 +03:00
"code.gitea.io/gitea/modules/generate"
2021-04-14 15:02:12 +03:00
"code.gitea.io/gitea/modules/log"
)
// OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data
type OAuth2UsernameType string
const (
// OAuth2UsernameUserid oauth2 userid field will be used as gitea name
OAuth2UsernameUserid OAuth2UsernameType = "userid"
// OAuth2UsernameNickname oauth2 nickname field will be used as gitea name
OAuth2UsernameNickname OAuth2UsernameType = "nickname"
// OAuth2UsernameEmail username of oauth2 email filed will be used as gitea name
OAuth2UsernameEmail OAuth2UsernameType = "email"
)
func ( username OAuth2UsernameType ) isValid ( ) bool {
switch username {
case OAuth2UsernameUserid , OAuth2UsernameNickname , OAuth2UsernameEmail :
return true
}
return false
}
// OAuth2AccountLinkingType is enum describing behaviour of linking with existing account
type OAuth2AccountLinkingType string
const (
// OAuth2AccountLinkingDisabled error will be displayed if account exist
OAuth2AccountLinkingDisabled OAuth2AccountLinkingType = "disabled"
// OAuth2AccountLinkingLogin account linking login will be displayed if account exist
OAuth2AccountLinkingLogin OAuth2AccountLinkingType = "login"
// OAuth2AccountLinkingAuto account will be automatically linked if account exist
OAuth2AccountLinkingAuto OAuth2AccountLinkingType = "auto"
)
func ( accountLinking OAuth2AccountLinkingType ) isValid ( ) bool {
switch accountLinking {
case OAuth2AccountLinkingDisabled , OAuth2AccountLinkingLogin , OAuth2AccountLinkingAuto :
return true
}
return false
}
// OAuth2Client settings
var OAuth2Client struct {
RegisterEmailConfirm bool
OpenIDConnectScopes [ ] string
EnableAutoRegistration bool
Username OAuth2UsernameType
UpdateAvatar bool
AccountLinking OAuth2AccountLinkingType
}
2023-02-19 19:12:01 +03:00
func loadOAuth2ClientFrom ( rootCfg ConfigProvider ) {
sec := rootCfg . Section ( "oauth2_client" )
2021-04-14 15:02:12 +03:00
OAuth2Client . RegisterEmailConfirm = sec . Key ( "REGISTER_EMAIL_CONFIRM" ) . MustBool ( Service . RegisterEmailConfirm )
OAuth2Client . OpenIDConnectScopes = parseScopes ( sec , "OPENID_CONNECT_SCOPES" )
OAuth2Client . EnableAutoRegistration = sec . Key ( "ENABLE_AUTO_REGISTRATION" ) . MustBool ( )
OAuth2Client . Username = OAuth2UsernameType ( sec . Key ( "USERNAME" ) . MustString ( string ( OAuth2UsernameNickname ) ) )
if ! OAuth2Client . Username . isValid ( ) {
log . Warn ( "Username setting is not valid: '%s', will fallback to '%s'" , OAuth2Client . Username , OAuth2UsernameNickname )
OAuth2Client . Username = OAuth2UsernameNickname
}
OAuth2Client . UpdateAvatar = sec . Key ( "UPDATE_AVATAR" ) . MustBool ( )
2021-05-07 17:15:16 +03:00
OAuth2Client . AccountLinking = OAuth2AccountLinkingType ( sec . Key ( "ACCOUNT_LINKING" ) . MustString ( string ( OAuth2AccountLinkingLogin ) ) )
2021-04-14 15:02:12 +03:00
if ! OAuth2Client . AccountLinking . isValid ( ) {
2021-05-07 17:15:16 +03:00
log . Warn ( "Account linking setting is not valid: '%s', will fallback to '%s'" , OAuth2Client . AccountLinking , OAuth2AccountLinkingLogin )
OAuth2Client . AccountLinking = OAuth2AccountLinkingLogin
2021-04-14 15:02:12 +03:00
}
}
2023-04-25 18:06:39 +03:00
func parseScopes ( sec ConfigSection , name string ) [ ] string {
2021-04-14 15:02:12 +03:00
parts := sec . Key ( name ) . Strings ( " " )
scopes := make ( [ ] string , 0 , len ( parts ) )
for _ , scope := range parts {
if scope != "" {
scopes = append ( scopes , scope )
}
}
return scopes
}
2023-02-19 19:12:01 +03:00
var OAuth2 = struct {
Enable bool
AccessTokenExpirationTime int64
RefreshTokenExpirationTime int64
InvalidateRefreshTokens bool
JWTSigningAlgorithm string ` ini:"JWT_SIGNING_ALGORITHM" `
JWTSecretBase64 string ` ini:"JWT_SECRET" `
JWTSigningPrivateKeyFile string ` ini:"JWT_SIGNING_PRIVATE_KEY_FILE" `
MaxTokenLength int
} {
Enable : true ,
AccessTokenExpirationTime : 3600 ,
RefreshTokenExpirationTime : 730 ,
InvalidateRefreshTokens : false ,
JWTSigningAlgorithm : "RS256" ,
JWTSigningPrivateKeyFile : "jwt/private.pem" ,
MaxTokenLength : math . MaxInt16 ,
}
func loadOAuth2From ( rootCfg ConfigProvider ) {
if err := rootCfg . Section ( "oauth2" ) . MapTo ( & OAuth2 ) ; err != nil {
log . Fatal ( "Failed to OAuth2 settings: %v" , err )
return
}
2023-06-29 00:30:06 +03:00
if ! OAuth2 . Enable {
return
}
2023-06-23 03:16:12 +03:00
OAuth2 . JWTSecretBase64 = loadSecret ( rootCfg . Section ( "oauth2" ) , "JWT_SECRET_URI" , "JWT_SECRET" )
2023-02-19 19:12:01 +03:00
if ! filepath . IsAbs ( OAuth2 . JWTSigningPrivateKeyFile ) {
OAuth2 . JWTSigningPrivateKeyFile = filepath . Join ( AppDataPath , OAuth2 . JWTSigningPrivateKeyFile )
}
2023-04-25 18:06:39 +03:00
2023-06-18 19:10:44 +03:00
if InstallLock {
key := make ( [ ] byte , 32 )
n , err := base64 . RawURLEncoding . Decode ( key , [ ] byte ( OAuth2 . JWTSecretBase64 ) )
if err != nil || n != 32 {
key , err = generate . NewJwtSecret ( )
if err != nil {
log . Fatal ( "error generating JWT secret: %v" , err )
}
secretBase64 := base64 . RawURLEncoding . EncodeToString ( key )
2023-06-21 05:31:40 +03:00
saveCfg , err := rootCfg . PrepareSaving ( )
if err != nil {
log . Fatal ( "save oauth2.JWT_SECRET failed: %v" , err )
}
2023-06-18 19:10:44 +03:00
rootCfg . Section ( "oauth2" ) . Key ( "JWT_SECRET" ) . SetValue ( secretBase64 )
2023-06-21 05:31:40 +03:00
saveCfg . Section ( "oauth2" ) . Key ( "JWT_SECRET" ) . SetValue ( secretBase64 )
if err := saveCfg . Save ( ) ; err != nil {
2023-06-18 19:10:44 +03:00
log . Fatal ( "save oauth2.JWT_SECRET failed: %v" , err )
}
2023-04-25 18:06:39 +03:00
}
}
2023-02-19 19:12:01 +03:00
}