- // Copyright 2014 The Gogs Authors. All rights reserved.
- // Use of this source code is governed by a MIT-style
- // license that can be found in the LICENSE file.
-
- package admin
-
- import (
- "errors"
- "fmt"
- "regexp"
-
- "code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/auth"
- "code.gitea.io/gitea/modules/auth/ldap"
- "code.gitea.io/gitea/modules/auth/oauth2"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/context"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/util"
-
- "github.com/unknwon/com"
- "xorm.io/xorm/convert"
- )
-
- const (
- tplAuths base.TplName = "admin/auth/list"
- tplAuthNew base.TplName = "admin/auth/new"
- tplAuthEdit base.TplName = "admin/auth/edit"
- )
-
- var (
- separatorAntiPattern = regexp.MustCompile(`[^\w-\.]`)
- langCodePattern = regexp.MustCompile(`^[a-z]{2}-[A-Z]{2}$`)
- )
-
- // Authentications show authentication config page
- func Authentications(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("admin.authentication")
- ctx.Data["PageIsAdmin"] = true
- ctx.Data["PageIsAdminAuthentications"] = true
-
- var err error
- ctx.Data["Sources"], err = models.LoginSources()
- if err != nil {
- ctx.ServerError("LoginSources", err)
- return
- }
-
- ctx.Data["Total"] = models.CountLoginSources()
- ctx.HTML(200, tplAuths)
- }
-
- type dropdownItem struct {
- Name string
- Type interface{}
- }
-
- var (
- authSources = []dropdownItem{
- {models.LoginNames[models.LoginLDAP], models.LoginLDAP},
- {models.LoginNames[models.LoginDLDAP], models.LoginDLDAP},
- {models.LoginNames[models.LoginSMTP], models.LoginSMTP},
- {models.LoginNames[models.LoginPAM], models.LoginPAM},
- {models.LoginNames[models.LoginOAuth2], models.LoginOAuth2},
- {models.LoginNames[models.LoginSSPI], models.LoginSSPI},
- }
- securityProtocols = []dropdownItem{
- {models.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted], ldap.SecurityProtocolUnencrypted},
- {models.SecurityProtocolNames[ldap.SecurityProtocolLDAPS], ldap.SecurityProtocolLDAPS},
- {models.SecurityProtocolNames[ldap.SecurityProtocolStartTLS], ldap.SecurityProtocolStartTLS},
- }
- )
-
- // NewAuthSource render adding a new auth source page
- func NewAuthSource(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("admin.auths.new")
- ctx.Data["PageIsAdmin"] = true
- ctx.Data["PageIsAdminAuthentications"] = true
-
- ctx.Data["type"] = models.LoginLDAP
- ctx.Data["CurrentTypeName"] = models.LoginNames[models.LoginLDAP]
- ctx.Data["CurrentSecurityProtocol"] = models.SecurityProtocolNames[ldap.SecurityProtocolUnencrypted]
- ctx.Data["smtp_auth"] = "PLAIN"
- ctx.Data["is_active"] = true
- ctx.Data["is_sync_enabled"] = true
- ctx.Data["AuthSources"] = authSources
- ctx.Data["SecurityProtocols"] = securityProtocols
- ctx.Data["SMTPAuths"] = models.SMTPAuths
- ctx.Data["OAuth2Providers"] = models.OAuth2Providers
- ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings
-
- ctx.Data["SSPIAutoCreateUsers"] = true
- ctx.Data["SSPIAutoActivateUsers"] = true
- ctx.Data["SSPIStripDomainNames"] = true
- ctx.Data["SSPISeparatorReplacement"] = "_"
- ctx.Data["SSPIDefaultLanguage"] = ""
-
- // only the first as default
- for key := range models.OAuth2Providers {
- ctx.Data["oauth2_provider"] = key
- break
- }
-
- ctx.HTML(200, tplAuthNew)
- }
-
- func parseLDAPConfig(form auth.AuthenticationForm) *models.LDAPConfig {
- var pageSize uint32
- if form.UsePagedSearch {
- pageSize = uint32(form.SearchPageSize)
- }
- return &models.LDAPConfig{
- Source: &ldap.Source{
- Name: form.Name,
- Host: form.Host,
- Port: form.Port,
- SecurityProtocol: ldap.SecurityProtocol(form.SecurityProtocol),
- SkipVerify: form.SkipVerify,
- BindDN: form.BindDN,
- UserDN: form.UserDN,
- BindPassword: form.BindPassword,
- UserBase: form.UserBase,
- AttributeUsername: form.AttributeUsername,
- AttributeName: form.AttributeName,
- AttributeSurname: form.AttributeSurname,
- AttributeMail: form.AttributeMail,
- AttributesInBind: form.AttributesInBind,
- AttributeSSHPublicKey: form.AttributeSSHPublicKey,
- SearchPageSize: pageSize,
- Filter: form.Filter,
- AdminFilter: form.AdminFilter,
- RestrictedFilter: form.RestrictedFilter,
- AllowDeactivateAll: form.AllowDeactivateAll,
- Enabled: true,
- },
- }
- }
-
- func parseSMTPConfig(form auth.AuthenticationForm) *models.SMTPConfig {
- return &models.SMTPConfig{
- Auth: form.SMTPAuth,
- Host: form.SMTPHost,
- Port: form.SMTPPort,
- AllowedDomains: form.AllowedDomains,
- TLS: form.TLS,
- SkipVerify: form.SkipVerify,
- }
- }
-
- func parseOAuth2Config(form auth.AuthenticationForm) *models.OAuth2Config {
- var customURLMapping *oauth2.CustomURLMapping
- if form.Oauth2UseCustomURL {
- customURLMapping = &oauth2.CustomURLMapping{
- TokenURL: form.Oauth2TokenURL,
- AuthURL: form.Oauth2AuthURL,
- ProfileURL: form.Oauth2ProfileURL,
- EmailURL: form.Oauth2EmailURL,
- }
- } else {
- customURLMapping = nil
- }
- return &models.OAuth2Config{
- Provider: form.Oauth2Provider,
- ClientID: form.Oauth2Key,
- ClientSecret: form.Oauth2Secret,
- OpenIDConnectAutoDiscoveryURL: form.OpenIDConnectAutoDiscoveryURL,
- CustomURLMapping: customURLMapping,
- }
- }
-
- func parseSSPIConfig(ctx *context.Context, form auth.AuthenticationForm) (*models.SSPIConfig, error) {
- if util.IsEmptyString(form.SSPISeparatorReplacement) {
- ctx.Data["Err_SSPISeparatorReplacement"] = true
- return nil, errors.New(ctx.Tr("form.SSPISeparatorReplacement") + ctx.Tr("form.require_error"))
- }
- if separatorAntiPattern.MatchString(form.SSPISeparatorReplacement) {
- ctx.Data["Err_SSPISeparatorReplacement"] = true
- return nil, errors.New(ctx.Tr("form.SSPISeparatorReplacement") + ctx.Tr("form.alpha_dash_dot_error"))
- }
-
- if form.SSPIDefaultLanguage != "" && !langCodePattern.MatchString(form.SSPIDefaultLanguage) {
- ctx.Data["Err_SSPIDefaultLanguage"] = true
- return nil, errors.New(ctx.Tr("form.lang_select_error"))
- }
-
- return &models.SSPIConfig{
- AutoCreateUsers: form.SSPIAutoCreateUsers,
- AutoActivateUsers: form.SSPIAutoActivateUsers,
- StripDomainNames: form.SSPIStripDomainNames,
- SeparatorReplacement: form.SSPISeparatorReplacement,
- DefaultLanguage: form.SSPIDefaultLanguage,
- }, nil
- }
-
- // NewAuthSourcePost response for adding an auth source
- func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
- ctx.Data["Title"] = ctx.Tr("admin.auths.new")
- ctx.Data["PageIsAdmin"] = true
- ctx.Data["PageIsAdminAuthentications"] = true
-
- ctx.Data["CurrentTypeName"] = models.LoginNames[models.LoginType(form.Type)]
- ctx.Data["CurrentSecurityProtocol"] = models.SecurityProtocolNames[ldap.SecurityProtocol(form.SecurityProtocol)]
- ctx.Data["AuthSources"] = authSources
- ctx.Data["SecurityProtocols"] = securityProtocols
- ctx.Data["SMTPAuths"] = models.SMTPAuths
- ctx.Data["OAuth2Providers"] = models.OAuth2Providers
- ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings
-
- ctx.Data["SSPIAutoCreateUsers"] = true
- ctx.Data["SSPIAutoActivateUsers"] = true
- ctx.Data["SSPIStripDomainNames"] = true
- ctx.Data["SSPISeparatorReplacement"] = "_"
- ctx.Data["SSPIDefaultLanguage"] = ""
-
- hasTLS := false
- var config convert.Conversion
- switch models.LoginType(form.Type) {
- case models.LoginLDAP, models.LoginDLDAP:
- config = parseLDAPConfig(form)
- hasTLS = ldap.SecurityProtocol(form.SecurityProtocol) > ldap.SecurityProtocolUnencrypted
- case models.LoginSMTP:
- config = parseSMTPConfig(form)
- hasTLS = true
- case models.LoginPAM:
- config = &models.PAMConfig{
- ServiceName: form.PAMServiceName,
- }
- case models.LoginOAuth2:
- config = parseOAuth2Config(form)
- case models.LoginSSPI:
- var err error
- config, err = parseSSPIConfig(ctx, form)
- if err != nil {
- ctx.RenderWithErr(err.Error(), tplAuthNew, form)
- return
- }
- existing, err := models.LoginSourcesByType(models.LoginSSPI)
- if err != nil || len(existing) > 0 {
- ctx.Data["Err_Type"] = true
- ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_of_type_exist"), tplAuthNew, form)
- return
- }
- default:
- ctx.Error(400)
- return
- }
- ctx.Data["HasTLS"] = hasTLS
-
- if ctx.HasError() {
- ctx.HTML(200, tplAuthNew)
- return
- }
-
- if err := models.CreateLoginSource(&models.LoginSource{
- Type: models.LoginType(form.Type),
- Name: form.Name,
- IsActived: form.IsActive,
- IsSyncEnabled: form.IsSyncEnabled,
- Cfg: config,
- }); err != nil {
- if models.IsErrLoginSourceAlreadyExist(err) {
- ctx.Data["Err_Name"] = true
- ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_exist", err.(models.ErrLoginSourceAlreadyExist).Name), tplAuthNew, form)
- } else {
- ctx.ServerError("CreateSource", err)
- }
- return
- }
-
- log.Trace("Authentication created by admin(%s): %s", ctx.User.Name, form.Name)
-
- ctx.Flash.Success(ctx.Tr("admin.auths.new_success", form.Name))
- ctx.Redirect(setting.AppSubURL + "/admin/auths")
- }
-
- // EditAuthSource render editing auth source page
- func EditAuthSource(ctx *context.Context) {
- ctx.Data["Title"] = ctx.Tr("admin.auths.edit")
- ctx.Data["PageIsAdmin"] = true
- ctx.Data["PageIsAdminAuthentications"] = true
-
- ctx.Data["SecurityProtocols"] = securityProtocols
- ctx.Data["SMTPAuths"] = models.SMTPAuths
- ctx.Data["OAuth2Providers"] = models.OAuth2Providers
- ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings
-
- source, err := models.GetLoginSourceByID(ctx.ParamsInt64(":authid"))
- if err != nil {
- ctx.ServerError("GetLoginSourceByID", err)
- return
- }
- ctx.Data["Source"] = source
- ctx.Data["HasTLS"] = source.HasTLS()
-
- if source.IsOAuth2() {
- ctx.Data["CurrentOAuth2Provider"] = models.OAuth2Providers[source.OAuth2().Provider]
- }
- ctx.HTML(200, tplAuthEdit)
- }
-
- // EditAuthSourcePost response for editing auth source
- func EditAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
- ctx.Data["Title"] = ctx.Tr("admin.auths.edit")
- ctx.Data["PageIsAdmin"] = true
- ctx.Data["PageIsAdminAuthentications"] = true
-
- ctx.Data["SMTPAuths"] = models.SMTPAuths
- ctx.Data["OAuth2Providers"] = models.OAuth2Providers
- ctx.Data["OAuth2DefaultCustomURLMappings"] = models.OAuth2DefaultCustomURLMappings
-
- source, err := models.GetLoginSourceByID(ctx.ParamsInt64(":authid"))
- if err != nil {
- ctx.ServerError("GetLoginSourceByID", err)
- return
- }
- ctx.Data["Source"] = source
- ctx.Data["HasTLS"] = source.HasTLS()
-
- if ctx.HasError() {
- ctx.HTML(200, tplAuthEdit)
- return
- }
-
- var config convert.Conversion
- switch models.LoginType(form.Type) {
- case models.LoginLDAP, models.LoginDLDAP:
- config = parseLDAPConfig(form)
- case models.LoginSMTP:
- config = parseSMTPConfig(form)
- case models.LoginPAM:
- config = &models.PAMConfig{
- ServiceName: form.PAMServiceName,
- }
- case models.LoginOAuth2:
- config = parseOAuth2Config(form)
- case models.LoginSSPI:
- config, err = parseSSPIConfig(ctx, form)
- if err != nil {
- ctx.RenderWithErr(err.Error(), tplAuthEdit, form)
- return
- }
- default:
- ctx.Error(400)
- return
- }
-
- source.Name = form.Name
- source.IsActived = form.IsActive
- source.IsSyncEnabled = form.IsSyncEnabled
- source.Cfg = config
- if err := models.UpdateSource(source); err != nil {
- if models.IsErrOpenIDConnectInitialize(err) {
- ctx.Flash.Error(err.Error(), true)
- ctx.HTML(200, tplAuthEdit)
- } else {
- ctx.ServerError("UpdateSource", err)
- }
- return
- }
- log.Trace("Authentication changed by admin(%s): %d", ctx.User.Name, source.ID)
-
- ctx.Flash.Success(ctx.Tr("admin.auths.update_success"))
- ctx.Redirect(setting.AppSubURL + "/admin/auths/" + com.ToStr(form.ID))
- }
-
- // DeleteAuthSource response for deleting an auth source
- func DeleteAuthSource(ctx *context.Context) {
- source, err := models.GetLoginSourceByID(ctx.ParamsInt64(":authid"))
- if err != nil {
- ctx.ServerError("GetLoginSourceByID", err)
- return
- }
-
- if err = models.DeleteSource(source); err != nil {
- if models.IsErrLoginSourceInUse(err) {
- ctx.Flash.Error(ctx.Tr("admin.auths.still_in_used"))
- } else {
- ctx.Flash.Error(fmt.Sprintf("DeleteSource: %v", err))
- }
- ctx.JSON(200, map[string]interface{}{
- "redirect": setting.AppSubURL + "/admin/auths/" + ctx.Params(":authid"),
- })
- return
- }
- log.Trace("Authentication deleted by admin(%s): %d", ctx.User.Name, source.ID)
-
- ctx.Flash.Success(ctx.Tr("admin.auths.deletion_success"))
- ctx.JSON(200, map[string]interface{}{
- "redirect": setting.AppSubURL + "/admin/auths",
- })
- }
|
