closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9211 Commits
2 Branches
178 MiB
Tree: 8cffae65a6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8cffae65a6'
${ noResults }
gitea/modules/auth/sso/sspi_windows.go

237 lines
7.0 KiB
Raw Normal View History

Add single sign-on support via SSPI on Windows (#8463) * Add single sign-on support via SSPI on Windows * Ensure plugins implement interface * Ensure plugins implement interface * Move functions used only by the SSPI auth method to sspi_windows.go * Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected * Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links. * Update documentation for the new 'SPNEGO with SSPI' login source * Mention in documentation that ROOT_URL should contain the FQDN of the server * Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing) * Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources) * Add option in SSPIConfig for removing of domains from logon names * Update helper text for StripDomainNames option * Make sure handleSignIn() is called after a new user object is created by SSPI auth method * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates * Remove code duplication * Log errors in ActiveLoginSources Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert suffix of randomly generated E-mails for Reverse proxy authentication Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert unneeded white-space change in template Co-Authored-By: Lauris BH <lauris@nix.lv> * Add copyright comments at the top of new files * Use loopback name for randomly generated emails * Add locale tag for the SSPISeparatorReplacement field with proper casing * Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields * Update docs/content/doc/features/authentication.en-us.md Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> * Remove Priority() method and define the order in which SSO auth methods should be executed in one place * Log authenticated username only if it's not empty * Rephrase helper text for automatic creation of users * Return error if more than one active SSPI auth source is found * Change newUser() function to return error, letting caller log/handle the error * Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed * Refactor initialization of the list containing SSO auth methods * Validate SSPI settings on POST * Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page * Make 'Default language' in SSPI config empty, unless changed by admin * Show error if admin tries to add a second authentication source of type SSPI * Simplify declaration of global variable * Rebuild gitgraph.js on Linux * Make sure config values containing only whitespace are not accepted
5 years ago
 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package sso
  6. 

  7. import (
  8. 	"errors"
  9. 	"reflect"
  10. 	"strings"
  11. 

  12. 	"code.gitea.io/gitea/models"
  13. 	"code.gitea.io/gitea/modules/base"
  14. 	"code.gitea.io/gitea/modules/log"
  15. 	"code.gitea.io/gitea/modules/setting"
  16. 

  17. 	"gitea.com/macaron/macaron"
  18. 	"gitea.com/macaron/session"
  19. 

  20. 	"github.com/quasoft/websspi"
  21. 	gouuid "github.com/satori/go.uuid"
  22. )
  23. 

  24. const (
  25. 	tplSignIn base.TplName = "user/auth/signin"
  26. )
  27. 

  28. var (
  29. 	// sspiAuth is a global instance of the websspi authentication package,

  30. 	// which is used to avoid acquiring the server credential handle on

  31. 	// every request

  32. 	sspiAuth *websspi.Authenticator
  33. 

  34. 	// Ensure the struct implements the interface.

  35. 	_ SingleSignOn = &SSPI{}
  36. )
  37. 

  38. // SSPI implements the SingleSignOn interface and authenticates requests

  39. // via the built-in SSPI module in Windows for SPNEGO authentication.

  40. // On successful authentication returns a valid user object.

  41. // Returns nil if authentication fails.

  42. type SSPI struct {
  43. }
  44. 

  45. // Init creates a new global websspi.Authenticator object

  46. func (s *SSPI) Init() error {
  47. 	config := websspi.NewConfig()
  48. 	var err error
  49. 	sspiAuth, err = websspi.New(config)
  50. 	return err
  51. }
  52. 

  53. // Free releases resources used by the global websspi.Authenticator object

  54. func (s *SSPI) Free() error {
  55. 	return sspiAuth.Free()
  56. }
  57. 

  58. // IsEnabled checks if there is an active SSPI authentication source

  59. func (s *SSPI) IsEnabled() bool {
  60. 	return models.IsSSPIEnabled()
  61. }
  62. 

  63. // VerifyAuthData uses SSPI (Windows implementation of SPNEGO) to authenticate the request.

  64. // If authentication is successful, returs the corresponding user object.

  65. // If negotiation should continue or authentication fails, immediately returns a 401 HTTP

  66. // response code, as required by the SPNEGO protocol.

  67. func (s *SSPI) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
  68. 	if !s.shouldAuthenticate(ctx) {
  69. 		return nil
  70. 	}
  71. 

  72. 	cfg, err := s.getConfig()
  73. 	if err != nil {
  74. 		log.Error("could not get SSPI config: %v", err)
  75. 		return nil
  76. 	}
  77. 

  78. 	userInfo, outToken, err := sspiAuth.Authenticate(ctx.Req.Request, ctx.Resp)
  79. 	if err != nil {
  80. 		log.Warn("Authentication failed with error: %v\n", err)
  81. 		sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)
  82. 

  83. 		// Include the user login page in the 401 response to allow the user

  84. 		// to login with another authentication method if SSPI authentication

  85. 		// fails

  86. 		addFlashErr(ctx, ctx.Tr("auth.sspi_auth_failed"))
  87. 		ctx.Data["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn
  88. 		ctx.Data["EnableSSPI"] = true
  89. 		ctx.HTML(401, string(tplSignIn))
  90. 		return nil
  91. 	}
  92. 	if outToken != "" {
  93. 		sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)
  94. 	}
  95. 

  96. 	username := sanitizeUsername(userInfo.Username, cfg)
  97. 	if len(username) == 0 {
  98. 		return nil
  99. 	}
  100. 	log.Info("Authenticated as %s\n", username)
  101. 

  102. 	user, err := models.GetUserByName(username)
  103. 	if err != nil {
  104. 		if !models.IsErrUserNotExist(err) {
  105. 			log.Error("GetUserByName: %v", err)
  106. 			return nil
  107. 		}
  108. 		if !cfg.AutoCreateUsers {
  109. 			log.Error("User '%s' not found", username)
  110. 			return nil
  111. 		}
  112. 		user, err = s.newUser(ctx, username, cfg)
  113. 		if err != nil {
  114. 			log.Error("CreateUser: %v", err)
  115. 			return nil
  116. 		}
  117. 	}
  118. 

  119. 	// Make sure requests to API paths and PWA resources do not create a new session

  120. 	if !isAPIPath(ctx) && !isAttachmentDownload(ctx) {
  121. 		handleSignIn(ctx, sess, user)
  122. 	}
  123. 

  124. 	return user
  125. }
  126. 

  127. // getConfig retrieves the SSPI configuration from login sources

  128. func (s *SSPI) getConfig() (*models.SSPIConfig, error) {
  129. 	sources, err := models.ActiveLoginSources(models.LoginSSPI)
  130. 	if err != nil {
  131. 		return nil, err
  132. 	}
  133. 	if len(sources) == 0 {
  134. 		return nil, errors.New("no active login sources of type SSPI found")
  135. 	}
  136. 	if len(sources) > 1 {
  137. 		return nil, errors.New("more than one active login source of type SSPI found")
  138. 	}
  139. 	return sources[0].SSPI(), nil
  140. }
  141. 

  142. func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) (shouldAuth bool) {
  143. 	shouldAuth = false
  144. 	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
  145. 	if path == "/user/login" {
  146. 		if ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" {
  147. 			shouldAuth = false
  148. 		} else if ctx.Req.FormValue("auth_with_sspi") == "1" {
  149. 			shouldAuth = true
  150. 		}
  151. 	} else if isAPIPath(ctx) || isAttachmentDownload(ctx) {
  152. 		shouldAuth = true
  153. 	}
  154. 	return
  155. }
  156. 

  157. // newUser creates a new user object for the purpose of automatic registration

  158. // and populates its name and email with the information present in request headers.

  159. func (s *SSPI) newUser(ctx *macaron.Context, username string, cfg *models.SSPIConfig) (*models.User, error) {
  160. 	email := gouuid.NewV4().String() + "@localhost.localdomain"
  161. 	user := &models.User{
  162. 		Name:                         username,
  163. 		Email:                        email,
  164. 		KeepEmailPrivate:             true,
  165. 		Passwd:                       gouuid.NewV4().String(),
  166. 		IsActive:                     cfg.AutoActivateUsers,
  167. 		Language:                     cfg.DefaultLanguage,
  168. 		UseCustomAvatar:              true,
  169. 		Avatar:                       base.DefaultAvatarLink(),
  170. 		EmailNotificationsPreference: models.EmailNotificationsDisabled,
  171. 	}
  172. 	if err := models.CreateUser(user); err != nil {
  173. 		return nil, err
  174. 	}
  175. 	return user, nil
  176. }
  177. 

  178. // stripDomainNames removes NETBIOS domain name and separator from down-level logon names

  179. // (eg. "DOMAIN\user" becomes "user"), and removes the UPN suffix (domain name) and separator

  180. // from UPNs (eg. "user@domain.local" becomes "user")

  181. func stripDomainNames(username string) string {
  182. 	if strings.Contains(username, "\\") {
  183. 		parts := strings.SplitN(username, "\\", 2)
  184. 		if len(parts) > 1 {
  185. 			username = parts[1]
  186. 		}
  187. 	} else if strings.Contains(username, "@") {
  188. 		parts := strings.Split(username, "@")
  189. 		if len(parts) > 1 {
  190. 			username = parts[0]
  191. 		}
  192. 	}
  193. 	return username
  194. }
  195. 

  196. func replaceSeparators(username string, cfg *models.SSPIConfig) string {
  197. 	newSep := cfg.SeparatorReplacement
  198. 	username = strings.ReplaceAll(username, "\\", newSep)
  199. 	username = strings.ReplaceAll(username, "/", newSep)
  200. 	username = strings.ReplaceAll(username, "@", newSep)
  201. 	return username
  202. }
  203. 

  204. func sanitizeUsername(username string, cfg *models.SSPIConfig) string {
  205. 	if len(username) == 0 {
  206. 		return ""
  207. 	}
  208. 	if cfg.StripDomainNames {
  209. 		username = stripDomainNames(username)
  210. 	}
  211. 	// Replace separators even if we have already stripped the domain name part,

  212. 	// as the username can contain several separators: eg. "MICROSOFT\useremail@live.com"

  213. 	username = replaceSeparators(username, cfg)
  214. 	return username
  215. }
  216. 

  217. // addFlashErr adds an error message to the Flash object mapped to a macaron.Context

  218. func addFlashErr(ctx *macaron.Context, err string) {
  219. 	fv := ctx.GetVal(reflect.TypeOf(&session.Flash{}))
  220. 	if !fv.IsValid() {
  221. 		return
  222. 	}
  223. 	flash, ok := fv.Interface().(*session.Flash)
  224. 	if !ok {
  225. 		return
  226. 	}
  227. 	flash.Error(err)
  228. 	ctx.Data["Flash"] = flash
  229. }
  230. 

  231. // init registers the SSPI auth method as the last method in the list.

  232. // The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation

  233. // fails (or if negotiation should continue), which would prevent other authentication methods

  234. // to execute at all.

  235. func init() {
  236. 	Register(&SSPI{})
  237. }