2019-11-23 01:33:31 +02:00
// Copyright 2014 The Gogs Authors. All rights reserved.
// Copyright 2019 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
2021-06-10 01:53:16 +08:00
package auth
2019-11-23 01:33:31 +02:00
import (
2021-01-05 21:05:40 +08:00
"net/http"
2019-11-23 01:33:31 +02:00
"strings"
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
2021-05-15 19:33:13 +01:00
"code.gitea.io/gitea/modules/web/middleware"
2019-11-23 01:33:31 +02:00
2020-06-18 17:18:44 +08:00
gouuid "github.com/google/uuid"
2019-11-23 01:33:31 +02:00
)
// Ensure the struct implements the interface.
var (
2021-07-24 11:16:34 +01:00
_ Method = & ReverseProxy { }
_ Named = & ReverseProxy { }
2019-11-23 01:33:31 +02:00
)
2021-06-10 01:53:16 +08:00
// ReverseProxy implements the Auth interface, but actually relies on
2019-11-23 01:33:31 +02:00
// a reverse proxy for authentication of users.
// On successful authentication the proxy is expected to populate the username in the
// "setting.ReverseProxyAuthUser" header. Optionally it can also populate the email of the
// user in the "setting.ReverseProxyAuthEmail" header.
type ReverseProxy struct {
}
// getUserName extracts the username from the "setting.ReverseProxyAuthUser" header
2021-01-05 21:05:40 +08:00
func ( r * ReverseProxy ) getUserName ( req * http . Request ) string {
webAuthUser := strings . TrimSpace ( req . Header . Get ( setting . ReverseProxyAuthUser ) )
2019-11-23 01:33:31 +02:00
if len ( webAuthUser ) == 0 {
return ""
}
return webAuthUser
}
2021-06-10 01:53:16 +08:00
// Name represents the name of auth method
func ( r * ReverseProxy ) Name ( ) string {
return "reverse_proxy"
}
// Verify extracts the username from the "setting.ReverseProxyAuthUser" header
2019-11-23 01:33:31 +02:00
// of the request and returns the corresponding user object for that name.
// Verification of header data is not performed as it should have already been done by
// the revese proxy.
// If a username is available in the "setting.ReverseProxyAuthUser" header an existing
// user object is returned (populated with username or email found in header).
// Returns nil if header is empty.
2021-06-10 01:53:16 +08:00
func ( r * ReverseProxy ) Verify ( req * http . Request , w http . ResponseWriter , store DataStore , sess SessionStore ) * models . User {
2021-01-05 21:05:40 +08:00
username := r . getUserName ( req )
2019-11-23 01:33:31 +02:00
if len ( username ) == 0 {
return nil
}
2021-05-09 17:04:53 +01:00
log . Trace ( "ReverseProxy Authorization: Found username: %s" , username )
2019-11-23 01:33:31 +02:00
user , err := models . GetUserByName ( username )
if err != nil {
2021-05-15 19:33:13 +01:00
if ! models . IsErrUserNotExist ( err ) || ! r . isAutoRegisterAllowed ( ) {
log . Error ( "GetUserByName: %v" , err )
return nil
2019-11-23 01:33:31 +02:00
}
2021-05-15 19:33:13 +01:00
user = r . newUser ( req )
2019-11-23 01:33:31 +02:00
}
2021-05-15 19:33:13 +01:00
// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
2021-05-27 19:46:11 +01:00
if ! middleware . IsAPIPath ( req ) && ! isAttachmentDownload ( req ) && ! isGitRawOrLFSPath ( req ) {
2021-05-31 07:54:16 +01:00
if sess != nil && ( sess . Get ( "uid" ) == nil || sess . Get ( "uid" ) . ( int64 ) != user . ID ) {
2021-05-15 19:33:13 +01:00
handleSignIn ( w , req , sess , user )
}
}
store . GetData ( ) [ "IsReverseProxy" ] = true
2021-05-09 17:04:53 +01:00
log . Trace ( "ReverseProxy Authorization: Logged in user %-v" , user )
2019-11-23 01:33:31 +02:00
return user
}
// isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
func ( r * ReverseProxy ) isAutoRegisterAllowed ( ) bool {
return setting . Service . EnableReverseProxyAutoRegister
}
// newUser creates a new user object for the purpose of automatic registration
// and populates its name and email with the information present in request headers.
2021-01-05 21:05:40 +08:00
func ( r * ReverseProxy ) newUser ( req * http . Request ) * models . User {
username := r . getUserName ( req )
2019-11-23 01:33:31 +02:00
if len ( username ) == 0 {
return nil
}
2020-06-18 17:18:44 +08:00
email := gouuid . New ( ) . String ( ) + "@localhost"
2019-11-23 01:33:31 +02:00
if setting . Service . EnableReverseProxyEmail {
2021-01-05 21:05:40 +08:00
webAuthEmail := req . Header . Get ( setting . ReverseProxyAuthEmail )
2019-11-23 01:33:31 +02:00
if len ( webAuthEmail ) > 0 {
email = webAuthEmail
}
}
user := & models . User {
Name : username ,
Email : email ,
IsActive : true ,
}
if err := models . CreateUser ( user ) ; err != nil {
// FIXME: should I create a system notice?
log . Error ( "CreateUser: %v" , err )
return nil
}
2021-05-15 19:33:13 +01:00
2019-11-23 01:33:31 +02:00
return user
}