2014-06-08 17:53:53 -04:00
// Copyright 2014 The Gogs Authors. All rights reserved.
2019-11-14 20:10:23 +01:00
// Copyright 2019 The Gitea Authors. All rights reserved.
2022-11-27 13:20:29 -05:00
// SPDX-License-Identifier: MIT
2014-05-05 05:32:47 -04:00
2022-01-02 21:12:35 +08:00
package auth
2014-04-26 14:21:04 +08:00
2014-05-03 10:48:14 +08:00
import (
2023-10-11 06:24:07 +02:00
"context"
2021-09-24 19:32:56 +08:00
"fmt"
2021-07-24 11:16:34 +01:00
"reflect"
2014-04-26 14:21:04 +08:00
2021-09-19 19:49:59 +08:00
"code.gitea.io/gitea/models/db"
2016-11-10 17:24:48 +01:00
"code.gitea.io/gitea/modules/log"
2019-08-15 22:46:21 +08:00
"code.gitea.io/gitea/modules/timeutil"
2022-10-18 06:50:37 +01:00
"code.gitea.io/gitea/modules/util"
2019-08-15 22:46:21 +08:00
2019-10-17 17:26:49 +08:00
"xorm.io/xorm"
2020-03-22 23:12:55 +08:00
"xorm.io/xorm/convert"
2014-05-03 10:48:14 +08:00
)
2014-04-26 14:21:04 +08:00
2021-09-24 19:32:56 +08:00
// Type represents an login type.
type Type int
2014-06-08 17:53:53 -04:00
2016-08-31 01:22:41 -07:00
// Note: new type must append to the end of list to maintain compatibility.
2014-05-05 16:40:25 +08:00
const (
2021-09-24 19:32:56 +08:00
NoType Type = iota
Plain // 1
LDAP // 2
SMTP // 3
PAM // 4
DLDAP // 5
OAuth2 // 6
SSPI // 7
2014-05-05 16:40:25 +08:00
)
2021-07-24 11:16:34 +01:00
// String returns the string name of the LoginType
2021-09-24 19:32:56 +08:00
func ( typ Type ) String ( ) string {
return Names [ typ ]
2021-07-24 11:16:34 +01:00
}
2021-07-25 08:09:52 +01:00
// Int returns the int value of the LoginType
2021-09-24 19:32:56 +08:00
func ( typ Type ) Int ( ) int {
2021-07-25 08:09:52 +01:00
return int ( typ )
}
2021-09-24 19:32:56 +08:00
// Names contains the name of LoginType values.
var Names = map [ Type ] string {
LDAP : "LDAP (via BindDN)" ,
DLDAP : "LDAP (simple auth)" , // Via direct bind
SMTP : "SMTP" ,
PAM : "PAM" ,
OAuth2 : "OAuth2" ,
SSPI : "SPNEGO with SSPI" ,
2014-05-05 16:40:25 +08:00
}
2014-04-26 14:21:04 +08:00
2021-09-24 19:32:56 +08:00
// Config represents login config as far as the db is concerned
type Config interface {
2021-07-24 11:16:34 +01:00
convert . Conversion
2014-04-26 14:21:04 +08:00
}
2021-07-24 11:16:34 +01:00
// SkipVerifiable configurations provide a IsSkipVerify to check if SkipVerify is set
type SkipVerifiable interface {
IsSkipVerify ( ) bool
2016-07-08 07:25:09 +08:00
}
2021-07-24 11:16:34 +01:00
// HasTLSer configurations provide a HasTLS to check if TLS can be enabled
type HasTLSer interface {
HasTLS ( ) bool
2014-05-11 15:49:36 +08:00
}
2021-07-24 11:16:34 +01:00
// UseTLSer configurations provide a HasTLS to check if TLS is enabled
type UseTLSer interface {
UseTLS ( ) bool
2014-05-11 15:49:36 +08:00
}
2021-07-24 11:16:34 +01:00
// SSHKeyProvider configurations provide ProvidesSSHKeys to check if they provide SSHKeys
type SSHKeyProvider interface {
ProvidesSSHKeys ( ) bool
2014-05-11 15:49:36 +08:00
}
2021-07-24 11:16:34 +01:00
// RegisterableSource configurations provide RegisterSource which needs to be run on creation
type RegisterableSource interface {
RegisterSource ( ) error
UnregisterSource ( ) error
2015-04-23 13:58:57 +02:00
}
2022-01-02 21:12:35 +08:00
var registeredConfigs = map [ Type ] func ( ) Config { }
2015-04-23 13:58:57 +02:00
2021-09-24 19:32:56 +08:00
// RegisterTypeConfig register a config for a provided type
func RegisterTypeConfig ( typ Type , exemplar Config ) {
2021-07-24 11:16:34 +01:00
if reflect . TypeOf ( exemplar ) . Kind ( ) == reflect . Ptr {
// Pointer:
2021-09-24 19:32:56 +08:00
registeredConfigs [ typ ] = func ( ) Config {
return reflect . New ( reflect . ValueOf ( exemplar ) . Elem ( ) . Type ( ) ) . Interface ( ) . ( Config )
2021-07-24 11:16:34 +01:00
}
return
}
2019-11-23 01:33:31 +02:00
2021-07-24 11:16:34 +01:00
// Not a Pointer
2021-09-24 19:32:56 +08:00
registeredConfigs [ typ ] = func ( ) Config {
return reflect . New ( reflect . TypeOf ( exemplar ) ) . Elem ( ) . Interface ( ) . ( Config )
2021-07-24 11:16:34 +01:00
}
2019-11-23 01:33:31 +02:00
}
2022-01-02 21:12:35 +08:00
// SourceSettable configurations can have their authSource set on them
type SourceSettable interface {
SetAuthSource ( * Source )
}
2019-11-23 01:33:31 +02:00
2021-09-24 19:32:56 +08:00
// Source represents an external way for authorizing users.
type Source struct {
2017-05-10 16:10:18 +03:00
ID int64 ` xorm:"pk autoincr" `
2021-09-24 19:32:56 +08:00
Type Type
2020-03-22 23:12:55 +08:00
Name string ` xorm:"UNIQUE" `
2021-07-24 11:16:34 +01:00
IsActive bool ` xorm:"INDEX NOT NULL DEFAULT false" `
2020-03-22 23:12:55 +08:00
IsSyncEnabled bool ` xorm:"INDEX NOT NULL DEFAULT false" `
Cfg convert . Conversion ` xorm:"TEXT" `
2016-03-09 19:53:30 -05:00
2019-08-15 22:46:21 +08:00
CreatedUnix timeutil . TimeStamp ` xorm:"INDEX created" `
UpdatedUnix timeutil . TimeStamp ` xorm:"INDEX updated" `
2014-05-03 10:48:14 +08:00
}
2021-09-24 19:32:56 +08:00
// TableName xorm will read the table name from this method
func ( Source ) TableName ( ) string {
return "login_source"
}
2021-09-19 19:49:59 +08:00
func init ( ) {
2021-09-24 19:32:56 +08:00
db . RegisterModel ( new ( Source ) )
2021-09-19 19:49:59 +08:00
}
2016-11-24 12:34:38 +01:00
// BeforeSet is invoked from XORM before setting the value of a field of this object.
2021-09-24 19:32:56 +08:00
func ( source * Source ) BeforeSet ( colName string , val xorm . Cell ) {
2019-06-12 21:41:28 +02:00
if colName == "type" {
2022-01-02 21:12:35 +08:00
typ := Type ( db . Cell2Int64 ( val ) )
2021-09-24 19:32:56 +08:00
constructor , ok := registeredConfigs [ typ ]
2021-07-24 11:16:34 +01:00
if ! ok {
return
}
source . Cfg = constructor ( )
2021-09-24 19:32:56 +08:00
if settable , ok := source . Cfg . ( SourceSettable ) ; ok {
2022-01-02 21:12:35 +08:00
settable . SetAuthSource ( source )
2015-08-29 15:45:58 +08:00
}
}
}
2016-11-24 12:34:38 +01:00
// TypeName return name of this login source type.
2021-09-24 19:32:56 +08:00
func ( source * Source ) TypeName ( ) string {
return Names [ source . Type ]
2014-05-05 16:40:25 +08:00
}
2016-11-24 12:34:38 +01:00
// IsLDAP returns true of this source is of the LDAP type.
2021-09-24 19:32:56 +08:00
func ( source * Source ) IsLDAP ( ) bool {
return source . Type == LDAP
2015-09-11 12:03:08 -04:00
}
2016-11-24 12:34:38 +01:00
// IsDLDAP returns true of this source is of the DLDAP type.
2021-09-24 19:32:56 +08:00
func ( source * Source ) IsDLDAP ( ) bool {
return source . Type == DLDAP
2015-09-11 12:03:08 -04:00
}
2016-11-24 12:34:38 +01:00
// IsSMTP returns true of this source is of the SMTP type.
2021-09-24 19:32:56 +08:00
func ( source * Source ) IsSMTP ( ) bool {
return source . Type == SMTP
2015-09-11 12:03:08 -04:00
}
2016-11-24 12:34:38 +01:00
// IsPAM returns true of this source is of the PAM type.
2021-09-24 19:32:56 +08:00
func ( source * Source ) IsPAM ( ) bool {
return source . Type == PAM
2015-09-11 12:03:08 -04:00
}
2017-02-22 08:14:37 +01:00
// IsOAuth2 returns true of this source is of the OAuth2 type.
2021-09-24 19:32:56 +08:00
func ( source * Source ) IsOAuth2 ( ) bool {
return source . Type == OAuth2
2017-02-22 08:14:37 +01:00
}
2019-11-23 01:33:31 +02:00
// IsSSPI returns true of this source is of the SSPI type.
2021-09-24 19:32:56 +08:00
func ( source * Source ) IsSSPI ( ) bool {
return source . Type == SSPI
2019-11-23 01:33:31 +02:00
}
2016-11-24 12:34:38 +01:00
// HasTLS returns true of this source supports TLS.
2021-09-24 19:32:56 +08:00
func ( source * Source ) HasTLS ( ) bool {
2021-07-24 11:16:34 +01:00
hasTLSer , ok := source . Cfg . ( HasTLSer )
return ok && hasTLSer . HasTLS ( )
2016-07-08 07:25:09 +08:00
}
2016-11-24 12:34:38 +01:00
// UseTLS returns true of this source is configured to use TLS.
2021-09-24 19:32:56 +08:00
func ( source * Source ) UseTLS ( ) bool {
2021-07-24 11:16:34 +01:00
useTLSer , ok := source . Cfg . ( UseTLSer )
return ok && useTLSer . UseTLS ( )
2015-09-11 12:03:08 -04:00
}
2016-11-24 12:34:38 +01:00
// SkipVerify returns true if this source is configured to skip SSL
// verification.
2021-09-24 19:32:56 +08:00
func ( source * Source ) SkipVerify ( ) bool {
2021-07-24 11:16:34 +01:00
skipVerifiable , ok := source . Cfg . ( SkipVerifiable )
return ok && skipVerifiable . IsSkipVerify ( )
2019-11-23 01:33:31 +02:00
}
2022-01-02 21:12:35 +08:00
// CreateSource inserts a AuthSource in the DB if not already
2016-11-24 12:34:38 +01:00
// existing with the given name.
2023-10-11 06:24:07 +02:00
func CreateSource ( ctx context . Context , source * Source ) error {
has , err := db . GetEngine ( ctx ) . Where ( "name=?" , source . Name ) . Exist ( new ( Source ) )
2016-08-31 00:56:10 -07:00
if err != nil {
return err
} else if has {
2021-09-24 19:32:56 +08:00
return ErrSourceAlreadyExist { source . Name }
2016-08-31 00:56:10 -07:00
}
2021-07-08 07:38:13 -04:00
// Synchronization is only available with LDAP for now
2017-05-10 16:10:18 +03:00
if ! source . IsLDAP ( ) {
source . IsSyncEnabled = false
}
2016-08-31 00:56:10 -07:00
2023-10-11 06:24:07 +02:00
_ , err = db . GetEngine ( ctx ) . Insert ( source )
2021-07-24 11:16:34 +01:00
if err != nil {
return err
}
if ! source . IsActive {
return nil
}
2021-09-24 19:32:56 +08:00
if settable , ok := source . Cfg . ( SourceSettable ) ; ok {
2022-01-02 21:12:35 +08:00
settable . SetAuthSource ( source )
2021-07-25 08:09:52 +01:00
}
2021-07-24 11:16:34 +01:00
registerableSource , ok := source . Cfg . ( RegisterableSource )
if ! ok {
return nil
}
err = registerableSource . RegisterSource ( )
if err != nil {
2022-01-02 21:12:35 +08:00
// remove the AuthSource in case of errors while registering configuration
2023-10-11 06:24:07 +02:00
if _ , err := db . GetEngine ( ctx ) . Delete ( source ) ; err != nil {
2021-09-24 19:32:56 +08:00
log . Error ( "CreateSource: Error while wrapOpenIDConnectInitializeError: %v" , err )
2017-05-01 15:26:53 +02:00
}
2017-02-22 08:14:37 +01:00
}
2014-06-08 17:53:53 -04:00
return err
}
2021-09-24 19:32:56 +08:00
// Sources returns a slice of all login sources found in DB.
2023-10-11 06:24:07 +02:00
func Sources ( ctx context . Context ) ( [ ] * Source , error ) {
2021-09-24 19:32:56 +08:00
auths := make ( [ ] * Source , 0 , 6 )
2023-10-11 06:24:07 +02:00
return auths , db . GetEngine ( ctx ) . Find ( & auths )
2014-05-03 10:48:14 +08:00
}
2021-09-24 19:32:56 +08:00
// SourcesByType returns all sources of the specified type
2023-10-11 06:24:07 +02:00
func SourcesByType ( ctx context . Context , loginType Type ) ( [ ] * Source , error ) {
2021-09-24 19:32:56 +08:00
sources := make ( [ ] * Source , 0 , 1 )
2023-10-11 06:24:07 +02:00
if err := db . GetEngine ( ctx ) . Where ( "type = ?" , loginType ) . Find ( & sources ) ; err != nil {
2019-11-23 01:33:31 +02:00
return nil , err
}
return sources , nil
}
2021-09-24 19:32:56 +08:00
// AllActiveSources returns all active sources
2023-10-11 06:24:07 +02:00
func AllActiveSources ( ctx context . Context ) ( [ ] * Source , error ) {
2021-09-24 19:32:56 +08:00
sources := make ( [ ] * Source , 0 , 5 )
2023-10-11 06:24:07 +02:00
if err := db . GetEngine ( ctx ) . Where ( "is_active = ?" , true ) . Find ( & sources ) ; err != nil {
2021-07-24 11:16:34 +01:00
return nil , err
}
return sources , nil
}
2021-09-24 19:32:56 +08:00
// ActiveSources returns all active sources of the specified type
2023-10-11 06:24:07 +02:00
func ActiveSources ( ctx context . Context , tp Type ) ( [ ] * Source , error ) {
2021-09-24 19:32:56 +08:00
sources := make ( [ ] * Source , 0 , 1 )
2023-10-11 06:24:07 +02:00
if err := db . GetEngine ( ctx ) . Where ( "is_active = ? and type = ?" , true , tp ) . Find ( & sources ) ; err != nil {
2019-11-23 01:33:31 +02:00
return nil , err
}
return sources , nil
}
// IsSSPIEnabled returns true if there is at least one activated login
// source of type LoginSSPI
2023-10-11 06:24:07 +02:00
func IsSSPIEnabled ( ctx context . Context ) bool {
2021-09-19 19:49:59 +08:00
if ! db . HasEngine {
2019-11-23 01:33:31 +02:00
return false
}
2023-10-11 06:24:07 +02:00
sources , err := ActiveSources ( ctx , SSPI )
2019-11-23 01:33:31 +02:00
if err != nil {
2021-09-24 19:32:56 +08:00
log . Error ( "ActiveSources: %v" , err )
2019-11-23 01:33:31 +02:00
return false
}
return len ( sources ) > 0
}
2021-09-24 19:32:56 +08:00
// GetSourceByID returns login source by given ID.
2023-10-11 06:24:07 +02:00
func GetSourceByID ( ctx context . Context , id int64 ) ( * Source , error ) {
2021-09-24 19:32:56 +08:00
source := new ( Source )
2021-07-24 11:16:34 +01:00
if id == 0 {
2021-09-24 19:32:56 +08:00
source . Cfg = registeredConfigs [ NoType ] ( )
2021-07-24 11:16:34 +01:00
// Set this source to active
// FIXME: allow disabling of db based password authentication in future
source . IsActive = true
return source , nil
}
2023-10-11 06:24:07 +02:00
has , err := db . GetEngine ( ctx ) . ID ( id ) . Get ( source )
2014-05-05 16:40:25 +08:00
if err != nil {
return nil , err
2014-06-08 17:53:53 -04:00
} else if ! has {
2021-09-24 19:32:56 +08:00
return nil , ErrSourceNotExist { id }
2014-05-05 16:40:25 +08:00
}
return source , nil
}
2021-09-24 19:32:56 +08:00
// UpdateSource updates a Source record in DB.
2023-10-11 06:24:07 +02:00
func UpdateSource ( ctx context . Context , source * Source ) error {
2022-01-02 21:12:35 +08:00
var originalSource * Source
2017-05-01 15:26:53 +02:00
if source . IsOAuth2 ( ) {
// keep track of the original values so we can restore in case of errors while registering OAuth2 providers
var err error
2023-10-11 06:24:07 +02:00
if originalSource , err = GetSourceByID ( ctx , source . ID ) ; err != nil {
2017-05-01 15:26:53 +02:00
return err
}
}
2023-10-11 06:24:07 +02:00
has , err := db . GetEngine ( ctx ) . Where ( "name=? AND id!=?" , source . Name , source . ID ) . Exist ( new ( Source ) )
2023-03-31 23:32:18 +09:00
if err != nil {
return err
} else if has {
return ErrSourceAlreadyExist { source . Name }
}
2023-10-11 06:24:07 +02:00
_ , err = db . GetEngine ( ctx ) . ID ( source . ID ) . AllCols ( ) . Update ( source )
2021-07-24 11:16:34 +01:00
if err != nil {
return err
}
if ! source . IsActive {
return nil
}
2021-09-24 19:32:56 +08:00
if settable , ok := source . Cfg . ( SourceSettable ) ; ok {
2022-01-02 21:12:35 +08:00
settable . SetAuthSource ( source )
2021-07-25 08:09:52 +01:00
}
2021-07-24 11:16:34 +01:00
registerableSource , ok := source . Cfg . ( RegisterableSource )
if ! ok {
return nil
}
err = registerableSource . RegisterSource ( )
if err != nil {
// restore original values since we cannot update the provider it self
2023-10-11 06:24:07 +02:00
if _ , err := db . GetEngine ( ctx ) . ID ( source . ID ) . AllCols ( ) . Update ( originalSource ) ; err != nil {
2021-07-24 11:16:34 +01:00
log . Error ( "UpdateSource: Error while wrapOpenIDConnectInitializeError: %v" , err )
2017-05-01 15:26:53 +02:00
}
2017-02-22 08:14:37 +01:00
}
2014-05-03 10:48:14 +08:00
return err
}
2021-09-24 19:32:56 +08:00
// CountSources returns number of login sources.
2023-10-11 06:24:07 +02:00
func CountSources ( ctx context . Context ) int64 {
count , _ := db . GetEngine ( ctx ) . Count ( new ( Source ) )
2021-09-24 19:32:56 +08:00
return count
}
2017-02-22 08:14:37 +01:00
2021-09-24 19:32:56 +08:00
// ErrSourceNotExist represents a "SourceNotExist" kind of error.
type ErrSourceNotExist struct {
ID int64
}
2017-02-22 08:14:37 +01:00
2021-09-24 19:32:56 +08:00
// IsErrSourceNotExist checks if an error is a ErrSourceNotExist.
func IsErrSourceNotExist ( err error ) bool {
_ , ok := err . ( ErrSourceNotExist )
return ok
}
2017-02-22 08:14:37 +01:00
2021-09-24 19:32:56 +08:00
func ( err ErrSourceNotExist ) Error ( ) string {
return fmt . Sprintf ( "login source does not exist [id: %d]" , err . ID )
2014-04-26 14:21:04 +08:00
}
2014-05-11 14:12:45 +08:00
2022-10-18 06:50:37 +01:00
// Unwrap unwraps this as a ErrNotExist err
func ( err ErrSourceNotExist ) Unwrap ( ) error {
return util . ErrNotExist
}
2021-09-24 19:32:56 +08:00
// ErrSourceAlreadyExist represents a "SourceAlreadyExist" kind of error.
type ErrSourceAlreadyExist struct {
Name string
}
// IsErrSourceAlreadyExist checks if an error is a ErrSourceAlreadyExist.
func IsErrSourceAlreadyExist ( err error ) bool {
_ , ok := err . ( ErrSourceAlreadyExist )
return ok
}
func ( err ErrSourceAlreadyExist ) Error ( ) string {
return fmt . Sprintf ( "login source already exists [name: %s]" , err . Name )
}
2022-10-18 06:50:37 +01:00
// Unwrap unwraps this as a ErrExist err
func ( err ErrSourceAlreadyExist ) Unwrap ( ) error {
return util . ErrAlreadyExist
}
2021-09-24 19:32:56 +08:00
// ErrSourceInUse represents a "SourceInUse" kind of error.
type ErrSourceInUse struct {
ID int64
}
// IsErrSourceInUse checks if an error is a ErrSourceInUse.
func IsErrSourceInUse ( err error ) bool {
_ , ok := err . ( ErrSourceInUse )
return ok
}
func ( err ErrSourceInUse ) Error ( ) string {
return fmt . Sprintf ( "login source is still used by some users [id: %d]" , err . ID )
2016-08-31 01:22:41 -07:00
}