
308 lines
15 KiB

Oauth2 consumer (#679)

* initial stuff for oauth2 login, fails on:
* login button on the signIn page to start the OAuth2 flow and a callback for each provider. Only GitHub is implemented for now
* show login button only when the OAuth2 consumer is configured (and activated)
* create macaron group for oauth2 urls
* prevent net/http in modules (other than oauth2)
* use a new data sessions oauth2 folder for storing the oauth2 session data
* add missing 2FA when this is enabled on the user
* add password option for OAuth2 user, for use with git over http and login to the GUI
* add tip for registering a GitHub OAuth application
* at startup of Gitea register all configured providers and also on adding/deleting of new providers
* custom handling of errors in oauth2 request init + show better tip
* add ExternalLoginUser model and migration script to add it to database
* link an external account to an existing account (still need to handle wrong login and signup) and remove if user is removed
* remove the linked external account from the user his settings
* if user is unknown we allow him to register a new account or link it to some existing account
* sign up with button on signin page (also change OAuth2Provider structure so we can store basic stuff about providers)
* from gorilla/sessions docs: "Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!" (we're using gorilla/sessions for storing oauth2 sessions)
* use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
7 years ago
Add single sign-on support via SSPI on Windows (#8463)

* Add single sign-on support via SSPI on Windows
* Ensure plugins implement interface
* Ensure plugins implement interface
* Move functions used only by the SSPI auth method to sspi_windows.go
* Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected
* Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links.
* Update documentation for the new 'SPNEGO with SSPI' login source
* Mention in documentation that ROOT_URL should contain the FQDN of the server
* Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing)
* Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources)
* Add option in SSPIConfig for removing of domains from logon names
* Update helper text for StripDomainNames option
* Make sure handleSignIn() is called after a new user object is created by SSPI auth method
* Remove default value from text of form field helper
  Co-Authored-By: Lauris BH <lauris@nix.lv>
* Remove default value from text of form field helper
  Co-Authored-By: Lauris BH <lauris@nix.lv>
* Remove default value from text of form field helper
  Co-Authored-By: Lauris BH <lauris@nix.lv>
* Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates
* Remove code duplication
* Log errors in ActiveLoginSources
  Co-Authored-By: Lauris BH <lauris@nix.lv>
* Revert suffix of randomly generated E-mails for Reverse proxy authentication
  Co-Authored-By: Lauris BH <lauris@nix.lv>
* Revert unneeded white-space change in template
  Co-Authored-By: Lauris BH <lauris@nix.lv>
* Add copyright comments at the top of new files
* Use loopback name for randomly generated emails
* Add locale tag for the SSPISeparatorReplacement field with proper casing
* Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields
* Update docs/content/doc/features/authentication.en-us.md
  Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com>
* Remove Priority() method and define the order in which SSO auth methods should be executed in one place
* Log authenticated username only if it's not empty
* Rephrase helper text for automatic creation of users
* Return error if more than one active SSPI auth source is found
* Change newUser() function to return error, letting caller log/handle the error
* Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed
* Refactor initialization of the list containing SSO auth methods
* Validate SSPI settings on POST
* Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page
* Make 'Default language' in SSPI config empty, unless changed by admin
* Show error if admin tries to add a second authentication source of type SSPI
* Simplify declaration of global variable
* Rebuild gitgraph.js on Linux
* Make sure config values containing only whitespace are not accepted
5 years ago
{{template "base/head" .}}
<div class="admin edit authentication">
	{{template "admin/navbar" .}}
	<div class="ui container">
		{{template "base/alert" .}}
		<h4 class="ui top attached header">
			{{.i18n.Tr "admin.auths.edit"}}
		</h4>
		<div class="ui attached segment">
			<form class="ui form" action="{{.Link}}" method="post">
				{{.CsrfTokenHtml}}
				<input type="hidden" name="id" value="{{.Source.ID}}">
				<div class="inline field">
					<label>{{$.i18n.Tr "admin.auths.auth_type"}}</label>
					<input type="hidden" id="auth_type" name="type" value="{{.Source.Type}}">
					<span>{{.Source.TypeName}}</span>
				</div>
				<div class="required inline field {{if .Err_Name}}error{{end}}">
					<label for="name">{{.i18n.Tr "admin.auths.auth_name"}}</label>
					<input id="name" name="name" value="{{.Source.Name}}" autofocus required>
				</div>
				<!-- LDAP and DLDAP -->
				{{if or .Source.IsLDAP .Source.IsDLDAP}}
					{{ $cfg:=.Source.LDAP }}
					<div class="inline required field {{if .Err_SecurityProtocol}}error{{end}}">
						<label>{{.i18n.Tr "admin.auths.security_protocol"}}</label>
						<div class="ui selection security-protocol dropdown">
							<input type="hidden" id="security_protocol" name="security_protocol" value="{{$cfg.SecurityProtocol}}">
							<div class="text">{{$cfg.SecurityProtocolName}}</div>
							<i class="dropdown icon"></i>
							<div class="menu">
								{{range .SecurityProtocols}}
									<div class="item" data-value="{{.Type}}">{{.Name}}</div>
								{{end}}
							</div>
						</div>
					</div>
					<div class="required field">
						<label for="host">{{.i18n.Tr "admin.auths.host"}}</label>
						<input id="host" name="host" value="{{$cfg.Host}}" placeholder="e.g. mydomain.com" required>
					</div>
					<div class="required field">
						<label for="port">{{.i18n.Tr "admin.auths.port"}}</label>
						<input id="port" name="port" value="{{$cfg.Port}}" placeholder="e.g. 636" required>
					</div>
					{{if .Source.IsLDAP}}
						<div class="field">
							<label for="bind_dn">{{.i18n.Tr "admin.auths.bind_dn"}}</label>
							<input id="bind_dn" name="bind_dn" value="{{$cfg.BindDN}}" placeholder="e.g. cn=Search,dc=mydomain,dc=com">
						</div>
						<input class="fake" type="password">
						<!-- The stored bind password is written back into the value attribute, so it appears in the page source of this admin form. -->
						<div class="field">
							<label for="bind_password">{{.i18n.Tr "admin.auths.bind_password"}}</label>
							<input id="bind_password" name="bind_password" type="password" value="{{$cfg.BindPassword}}">
							<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
						</div>
					{{end}}
					<div class="{{if .Source.IsLDAP}}required{{end}} field">
						<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
						<input id="user_base" name="user_base" value="{{$cfg.UserBase}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com" {{if .Source.IsLDAP}}required{{end}}>
					</div>
					{{if .Source.IsDLDAP}}
						<div class="required field">
							<label for="user_dn">{{.i18n.Tr "admin.auths.user_dn"}}</label>
							<input id="user_dn" name="user_dn" value="{{$cfg.UserDN}}" placeholder="e.g. uid=%s,ou=Users,dc=mydomain,dc=com" required>
						</div>
					{{end}}
					<div class="required field">
						<label for="filter">{{.i18n.Tr "admin.auths.filter"}}</label>
						<input id="filter" name="filter" value="{{$cfg.Filter}}" placeholder="e.g. (&(objectClass=posixAccount)(uid=%s))" required>
					</div>
					<div class="field">
						<label for="admin_filter">{{.i18n.Tr "admin.auths.admin_filter"}}</label>
						<input id="admin_filter" name="admin_filter" value="{{$cfg.AdminFilter}}">
					</div>
					<div class="field">
						<label for="attribute_username">{{.i18n.Tr "admin.auths.attribute_username"}}</label>
						<input id="attribute_username" name="attribute_username" value="{{$cfg.AttributeUsername}}" placeholder="{{.i18n.Tr "admin.auths.attribute_username_placeholder"}}">
					</div>
					<div class="field">
						<label for="attribute_name">{{.i18n.Tr "admin.auths.attribute_name"}}</label>
						<input id="attribute_name" name="attribute_name" value="{{$cfg.AttributeName}}">
					</div>
					<div class="field">
						<label for="attribute_surname">{{.i18n.Tr "admin.auths.attribute_surname"}}</label>
						<input id="attribute_surname" name="attribute_surname" value="{{$cfg.AttributeSurname}}">
					</div>
					<div class="required field">
						<label for="attribute_mail">{{.i18n.Tr "admin.auths.attribute_mail"}}</label>
						<input id="attribute_mail" name="attribute_mail" value="{{$cfg.AttributeMail}}" placeholder="e.g. mail" required>
					</div>
					<div class="field">
						<label for="attribute_ssh_public_key">{{.i18n.Tr "admin.auths.attribute_ssh_public_key"}}</label>
						<input id="attribute_ssh_public_key" name="attribute_ssh_public_key" value="{{$cfg.AttributeSSHPublicKey}}" placeholder="e.g. SshPublicKey">
					</div>
					{{if .Source.IsLDAP}}
						<div class="inline field">
							<div class="ui checkbox">
								<label for="use_paged_search"><strong>{{.i18n.Tr "admin.auths.use_paged_search"}}</strong></label>
								<input id="use_paged_search" name="use_paged_search" type="checkbox" {{if $cfg.UsePagedSearch}}checked{{end}}>
							</div>
						</div>
						<div class="field required search-page-size{{if not $cfg.UsePagedSearch}} hide{{end}}">
							<label for="search_page_size">{{.i18n.Tr "admin.auths.search_page_size"}}</label>
							<input id="search_page_size" name="search_page_size" value="{{if $cfg.UsePagedSearch}}{{$cfg.SearchPageSize}}{{end}}">
						</div>
						<div class="inline field">
							<div class="ui checkbox">
								<label><strong>{{.i18n.Tr "admin.auths.attributes_in_bind"}}</strong></label>
								<input name="attributes_in_bind" type="checkbox" {{if $cfg.AttributesInBind}}checked{{end}}>
							</div>
						</div>
					{{end}}
				{{end}}
				<!-- SMTP -->
				{{if .Source.IsSMTP}}
					{{ $cfg:=.Source.SMTP }}
					<div class="inline required field">
						<label>{{.i18n.Tr "admin.auths.smtp_auth"}}</label>
						<div class="ui selection type dropdown">
							<input type="hidden" id="smtp_auth" name="smtp_auth" value="{{$cfg.Auth}}" required>
							<div class="text">{{$cfg.Auth}}</div>
							<i class="dropdown icon"></i>
							<div class="menu">
								{{range .SMTPAuths}}
									<div class="item" data-value="{{.}}">{{.}}</div>
								{{end}}
							</div>
						</div>
					</div>
					<div class="required field">
						<label for="smtp_host">{{.i18n.Tr "admin.auths.smtphost"}}</label>
						<input id="smtp_host" name="smtp_host" value="{{$cfg.Host}}" required>
					</div>
					<div class="required field">
						<label for="smtp_port">{{.i18n.Tr "admin.auths.smtpport"}}</label>
						<input id="smtp_port" name="smtp_port" value="{{$cfg.Port}}" required>
					</div>
					<div class="field">
						<label for="allowed_domains">{{.i18n.Tr "admin.auths.allowed_domains"}}</label>
						<input id="allowed_domains" name="allowed_domains" value="{{$cfg.AllowedDomains}}">
						<p class="help">{{.i18n.Tr "admin.auths.allowed_domains_helper"}}</p>
					</div>
				{{end}}
				<!-- PAM -->
				{{if .Source.IsPAM}}
					{{ $cfg:=.Source.PAM }}
					<div class="required field">
						<label for="pam_service_name">{{.i18n.Tr "admin.auths.pam_service_name"}}</label>
						<input id="pam_service_name" name="pam_service_name" value="{{$cfg.ServiceName}}" required>
					</div>
				{{end}}
				<!-- OAuth2 -->
				{{if .Source.IsOAuth2}}
					{{ $cfg:=.Source.OAuth2 }}
					<div class="inline required field">
						<label>{{.i18n.Tr "admin.auths.oauth2_provider"}}</label>
						<div class="ui selection type dropdown">
							<input type="hidden" id="oauth2_provider" name="oauth2_provider" value="{{$cfg.Provider}}" required>
							<div class="text">{{.CurrentOAuth2Provider.DisplayName}}</div>
							<i class="dropdown icon"></i>
							<div class="menu">
								{{range $key, $value := .OAuth2Providers}}
									<div class="item" data-value="{{$key}}">{{$value.DisplayName}}</div>
								{{end}}
							</div>
						</div>
					</div>
					<div class="required field">
						<label for="oauth2_key">{{.i18n.Tr "admin.auths.oauth2_clientID"}}</label>
						<input id="oauth2_key" name="oauth2_key" value="{{$cfg.ClientID}}" required>
					</div>
					<!-- The client secret is shown in a plain text input (no type="password") with the stored value pre-filled. -->
					<div class="required field">
						<label for="oauth2_secret">{{.i18n.Tr "admin.auths.oauth2_clientSecret"}}</label>
						<input id="oauth2_secret" name="oauth2_secret" value="{{$cfg.ClientSecret}}" required>
					</div>
					<div class="open_id_connect_auto_discovery_url required field">
						<label for="open_id_connect_auto_discovery_url">{{.i18n.Tr "admin.auths.openIdConnectAutoDiscoveryURL"}}</label>
						<input id="open_id_connect_auto_discovery_url" name="open_id_connect_auto_discovery_url" value="{{$cfg.OpenIDConnectAutoDiscoveryURL}}">
					</div>
					<div class="oauth2_use_custom_url inline field">
						<div class="ui checkbox">
							<label><strong>{{.i18n.Tr "admin.auths.oauth2_use_custom_url"}}</strong></label>
							<input id="oauth2_use_custom_url" name="oauth2_use_custom_url" type="checkbox" {{if $cfg.CustomURLMapping}}checked{{end}}>
						</div>
					</div>
					<div class="oauth2_use_custom_url_field oauth2_auth_url required field">
						<label for="oauth2_auth_url">{{.i18n.Tr "admin.auths.oauth2_authURL"}}</label>
						<input id="oauth2_auth_url" name="oauth2_auth_url" value="{{if $cfg.CustomURLMapping}}{{$cfg.CustomURLMapping.AuthURL}}{{end}}">
					</div>
					<div class="oauth2_use_custom_url_field oauth2_token_url required field">
						<label for="oauth2_token_url">{{.i18n.Tr "admin.auths.oauth2_tokenURL"}}</label>
						<input id="oauth2_token_url" name="oauth2_token_url" value="{{if $cfg.CustomURLMapping}}{{$cfg.CustomURLMapping.TokenURL}}{{end}}">
					</div>
					<div class="oauth2_use_custom_url_field oauth2_profile_url required field">
						<label for="oauth2_profile_url">{{.i18n.Tr "admin.auths.oauth2_profileURL"}}</label>
						<input id="oauth2_profile_url" name="oauth2_profile_url" value="{{if $cfg.CustomURLMapping}}{{$cfg.CustomURLMapping.ProfileURL}}{{end}}">
					</div>
					<div class="oauth2_use_custom_url_field oauth2_email_url required field">
						<label for="oauth2_email_url">{{.i18n.Tr "admin.auths.oauth2_emailURL"}}</label>
						<input id="oauth2_email_url" name="oauth2_email_url" value="{{if $cfg.CustomURLMapping}}{{$cfg.CustomURLMapping.EmailURL}}{{end}}">
					</div>
					{{if .OAuth2DefaultCustomURLMappings}}{{range $key, $value := .OAuth2DefaultCustomURLMappings}}
						<input id="{{$key}}_token_url" value="{{$value.TokenURL}}" type="hidden" />
						<input id="{{$key}}_auth_url" value="{{$value.AuthURL}}" type="hidden" />
						<input id="{{$key}}_profile_url" value="{{$value.ProfileURL}}" type="hidden" />
						<input id="{{$key}}_email_url" value="{{$value.EmailURL}}" type="hidden" />
					{{end}}{{end}}
				{{end}}
				<!-- SSPI -->
				{{if .Source.IsSSPI}}
					{{ $cfg:=.Source.SSPI }}
					<div class="field">
						<div class="ui checkbox">
							<label for="sspi_auto_create_users"><strong>{{.i18n.Tr "admin.auths.sspi_auto_create_users"}}</strong></label>
							<input id="sspi_auto_create_users" name="sspi_auto_create_users" class="sspi-auto-create-users" type="checkbox" {{if $cfg.AutoCreateUsers}}checked{{end}}>
							<p class="help">{{.i18n.Tr "admin.auths.sspi_auto_create_users_helper"}}</p>
						</div>
					</div>
					<div class="field">
						<div class="ui checkbox">
							<label for="sspi_auto_activate_users"><strong>{{.i18n.Tr "admin.auths.sspi_auto_activate_users"}}</strong></label>
							<input id="sspi_auto_activate_users" name="sspi_auto_activate_users" class="sspi-auto-activate-users" type="checkbox" {{if $cfg.AutoActivateUsers}}checked{{end}}>
							<p class="help">{{.i18n.Tr "admin.auths.sspi_auto_activate_users_helper"}}</p>
						</div>
					</div>
					<div class="field">
						<div class="ui checkbox">
							<label for="sspi_strip_domain_names"><strong>{{.i18n.Tr "admin.auths.sspi_strip_domain_names"}}</strong></label>
							<input id="sspi_strip_domain_names" name="sspi_strip_domain_names" class="sspi-strip-domain-names" type="checkbox" {{if $cfg.StripDomainNames}}checked{{end}}>
							<p class="help">{{.i18n.Tr "admin.auths.sspi_strip_domain_names_helper"}}</p>
						</div>
					</div>
					<div class="required field">
						<label for="sspi_separator_replacement">{{.i18n.Tr "admin.auths.sspi_separator_replacement"}}</label>
						<input id="sspi_separator_replacement" name="sspi_separator_replacement" value="{{$cfg.SeparatorReplacement}}" required>
						<p class="help">{{.i18n.Tr "admin.auths.sspi_separator_replacement_helper"}}</p>
					</div>
					<div class="field">
						<label for="sspi_default_language">{{.i18n.Tr "admin.auths.sspi_default_language"}}</label>
						<div class="ui language selection dropdown" id="sspi_default_language">
							<input name="sspi_default_language" type="hidden" value="{{$cfg.DefaultLanguage}}">
							<i class="dropdown icon"></i>
							<div class="text">{{range .AllLangs}}{{if eq $cfg.DefaultLanguage .Lang}}{{.Name}}{{end}}{{end}}</div>
							<div class="menu">
								<div class="item{{if not $.SSPIDefaultLanguage}} active selected{{end}}" data-value="">-</div>
								{{range .AllLangs}}
									<div class="item{{if eq $cfg.DefaultLanguage .Lang}} active selected{{end}}" data-value="{{.Lang}}">{{.Name}}</div>
								{{end}}
							</div>
						</div>
						<p class="help">{{.i18n.Tr "admin.auths.sspi_default_language_helper"}}</p>
					</div>
				{{end}}
				<div class="inline field {{if not .Source.IsSMTP}}hide{{end}}">
					<div class="ui checkbox">
						<label><strong>{{.i18n.Tr "admin.auths.enable_tls"}}</strong></label>
						<input name="tls" type="checkbox" {{if .Source.UseTLS}}checked{{end}}>
					</div>
				</div>
				<div class="has-tls inline field {{if not .HasTLS}}hide{{end}}">
					<div class="ui checkbox">
						<label><strong>{{.i18n.Tr "admin.auths.skip_tls_verify"}}</strong></label>
						<input name="skip_verify" type="checkbox" {{if .Source.SkipVerify}}checked{{end}}>
					</div>
				</div>
				{{if .Source.IsLDAP}}
					<div class="inline field">
						<div class="ui checkbox">
							<label><strong>{{.i18n.Tr "admin.auths.syncenabled"}}</strong></label>
							<input name="is_sync_enabled" type="checkbox" {{if .Source.IsSyncEnabled}}checked{{end}}>
						</div>
					</div>
				{{end}}
				<div class="inline field">
					<div class="ui checkbox">
						<label><strong>{{.i18n.Tr "admin.auths.activated"}}</strong></label>
						<input name="is_active" type="checkbox" {{if .Source.IsActived}}checked{{end}}>
					</div>
				</div>
				<div class="field">
					<button class="ui green button">{{.i18n.Tr "admin.auths.update"}}</button>
					<div class="ui red button delete-button" data-url="{{$.Link}}/delete" data-id="{{.Source.ID}}">{{.i18n.Tr "admin.auths.delete"}}</div>
				</div>
			</form>
		</div>
	</div>
</div>
<div class="ui small basic delete modal">
	<div class="ui icon header">
		<i class="trash icon"></i>
		{{.i18n.Tr "admin.auths.delete_auth_title"}}
	</div>
	<div class="content">
		<p>{{.i18n.Tr "admin.auths.delete_auth_desc"}}</p>
	</div>
	{{template "base/delete_modal_actions" .}}
</div>
{{template "base/footer" .}}
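
The `filter` and `user_dn` fields in the template above take patterns in which `%s` stands for the login name, as in the placeholders `(&(objectClass=posixAccount)(uid=%s))` and `uid=%s,ou=Users,dc=mydomain,dc=com`. The following is an added example, not Gitea's own code, of filling such patterns so that a login name cannot change the structure of the search filter or the bind DN; the function names are hypothetical and the login names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515): backslash, '*', '(', ')' and NUL become \XX hex escapes.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// escapeDNValue escapes an attribute value placed inside a DN (RFC 4514):
// separators anywhere, '#' or space at the start, space at the end, and NUL.
func escapeDNValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == 0:
			b.WriteString("\\00")
		case strings.IndexByte(`,+"\<>;=`, c) >= 0,
			i == 0 && (c == ' ' || c == '#'),
			i == len(s)-1 && c == ' ':
			b.WriteByte('\\')
			b.WriteByte(c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// fillPattern (hypothetical helper) replaces every %s in an admin-configured
// pattern with the escaped login name. It uses ReplaceAll rather than
// fmt.Sprintf so other '%' sequences in the pattern are left untouched.
func fillPattern(pattern, login string, escape func(string) string) (string, error) {
	if login == "" {
		return "", errors.New("empty login name")
	}
	if !strings.Contains(pattern, "%s") {
		return "", errors.New("pattern has no %s placeholder")
	}
	return strings.ReplaceAll(pattern, "%s", escape(login)), nil
}

func main() {
	// Constructed login names; the patterns are the template's placeholders.
	f, _ := fillPattern("(&(objectClass=posixAccount)(uid=%s))", "*)(uid=*", escapeFilterValue)
	d, _ := fillPattern("uid=%s,ou=Users,dc=mydomain,dc=com", "alice,ou=Admins", escapeDNValue)
	fmt.Println(f)
	fmt.Println(d)
}
```

With escaping applied, the first login name matches only a literal `uid` of `*)(uid=*`, and the second stays a single RDN value under `ou=Users`.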