5d2e11eedb
`models` does far too much. In particular it handles all `UserSignin`. It shouldn't be responsible for calling LDAP, SMTP or PAM for signing in. Therefore we should move this code out of `models`. This code has to depend on `models` - therefore it belongs in `services`. There is a package in `services` called `auth` and clearly this functionality belongs in there. Plan: - [x] Change `auth.Auth` to `auth.Method` - as they represent methods of authentication. - [x] Move `models.UserSignIn` into `auth` - [x] Move `models.ExternalUserLogin` - [x] Move most of the `LoginVia*` methods to `auth` or subpackages - [x] Move Resynchronize functionality to `auth` - Involved some restructuring of `models/ssh_key.go` to reduce the size of this massive file and simplify its files. - [x] Move the rest of the LDAP functionality in to the ldap subpackage - [x] Re-factor the login sources to express an interfaces `auth.Source`? - I've done this through some smaller interfaces Authenticator and Synchronizable - which would allow us to extend things in future - [x] Now LDAP is out of models - need to think about modules/auth/ldap and I think all of that functionality might just be moveable - [x] Similarly a lot Oauth2 functionality need not be in models too and should be moved to services/auth/source/oauth2 - [x] modules/auth/oauth2/oauth2.go uses xorm... This is naughty - probably need to move this into models. - [x] models/oauth2.go - mostly should be in modules/auth/oauth2 or services/auth/source/oauth2 - [x] More simplifications of login_source.go may need to be done - Allow wiring in of notify registration - *this can now easily be done - but I think we should do it in another PR* - see #16178 - More refactors...? - OpenID should probably become an auth Method but I think that can be left for another PR - Methods should also probably be cleaned up - again another PR I think. - SSPI still needs more refactors.* Rename auth.Auth auth.Method * Restructure ssh_key.go - move functions from models/user.go that relate to ssh_key to ssh_key - split ssh_key.go to try create clearer function domains for allow for future refactors here. Signed-off-by: Andrew Thornton <art27@cantab.net>
258 lines
9.3 KiB
Go
258 lines
9.3 KiB
Go
// Copyright 2021 The Gitea Authors. All rights reserved.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package oauth2
|
|
|
|
import (
|
|
"net/url"
|
|
"sort"
|
|
|
|
"code.gitea.io/gitea/models"
|
|
"code.gitea.io/gitea/modules/log"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
|
|
"github.com/markbates/goth"
|
|
"github.com/markbates/goth/providers/bitbucket"
|
|
"github.com/markbates/goth/providers/discord"
|
|
"github.com/markbates/goth/providers/dropbox"
|
|
"github.com/markbates/goth/providers/facebook"
|
|
"github.com/markbates/goth/providers/gitea"
|
|
"github.com/markbates/goth/providers/github"
|
|
"github.com/markbates/goth/providers/gitlab"
|
|
"github.com/markbates/goth/providers/google"
|
|
"github.com/markbates/goth/providers/mastodon"
|
|
"github.com/markbates/goth/providers/nextcloud"
|
|
"github.com/markbates/goth/providers/openidConnect"
|
|
"github.com/markbates/goth/providers/twitter"
|
|
"github.com/markbates/goth/providers/yandex"
|
|
)
|
|
|
|
// Provider describes the display values of a single OAuth2 provider
|
|
type Provider struct {
|
|
Name string
|
|
DisplayName string
|
|
Image string
|
|
CustomURLMapping *CustomURLMapping
|
|
}
|
|
|
|
// Providers contains the map of registered OAuth2 providers in Gitea (based on goth)
|
|
// key is used to map the OAuth2Provider with the goth provider type (also in LoginSource.OAuth2Config.Provider)
|
|
// value is used to store display data
|
|
var Providers = map[string]Provider{
|
|
"bitbucket": {Name: "bitbucket", DisplayName: "Bitbucket", Image: "/assets/img/auth/bitbucket.png"},
|
|
"dropbox": {Name: "dropbox", DisplayName: "Dropbox", Image: "/assets/img/auth/dropbox.png"},
|
|
"facebook": {Name: "facebook", DisplayName: "Facebook", Image: "/assets/img/auth/facebook.png"},
|
|
"github": {
|
|
Name: "github", DisplayName: "GitHub", Image: "/assets/img/auth/github.png",
|
|
CustomURLMapping: &CustomURLMapping{
|
|
TokenURL: github.TokenURL,
|
|
AuthURL: github.AuthURL,
|
|
ProfileURL: github.ProfileURL,
|
|
EmailURL: github.EmailURL,
|
|
},
|
|
},
|
|
"gitlab": {
|
|
Name: "gitlab", DisplayName: "GitLab", Image: "/assets/img/auth/gitlab.png",
|
|
CustomURLMapping: &CustomURLMapping{
|
|
TokenURL: gitlab.TokenURL,
|
|
AuthURL: gitlab.AuthURL,
|
|
ProfileURL: gitlab.ProfileURL,
|
|
},
|
|
},
|
|
"gplus": {Name: "gplus", DisplayName: "Google", Image: "/assets/img/auth/google.png"},
|
|
"openidConnect": {Name: "openidConnect", DisplayName: "OpenID Connect", Image: "/assets/img/auth/openid_connect.svg"},
|
|
"twitter": {Name: "twitter", DisplayName: "Twitter", Image: "/assets/img/auth/twitter.png"},
|
|
"discord": {Name: "discord", DisplayName: "Discord", Image: "/assets/img/auth/discord.png"},
|
|
"gitea": {
|
|
Name: "gitea", DisplayName: "Gitea", Image: "/assets/img/auth/gitea.png",
|
|
CustomURLMapping: &CustomURLMapping{
|
|
TokenURL: gitea.TokenURL,
|
|
AuthURL: gitea.AuthURL,
|
|
ProfileURL: gitea.ProfileURL,
|
|
},
|
|
},
|
|
"nextcloud": {
|
|
Name: "nextcloud", DisplayName: "Nextcloud", Image: "/assets/img/auth/nextcloud.png",
|
|
CustomURLMapping: &CustomURLMapping{
|
|
TokenURL: nextcloud.TokenURL,
|
|
AuthURL: nextcloud.AuthURL,
|
|
ProfileURL: nextcloud.ProfileURL,
|
|
},
|
|
},
|
|
"yandex": {Name: "yandex", DisplayName: "Yandex", Image: "/assets/img/auth/yandex.png"},
|
|
"mastodon": {
|
|
Name: "mastodon", DisplayName: "Mastodon", Image: "/assets/img/auth/mastodon.png",
|
|
CustomURLMapping: &CustomURLMapping{
|
|
AuthURL: mastodon.InstanceURL,
|
|
},
|
|
},
|
|
}
|
|
|
|
// GetActiveOAuth2Providers returns the map of configured active OAuth2 providers
|
|
// key is used as technical name (like in the callbackURL)
|
|
// values to display
|
|
func GetActiveOAuth2Providers() ([]string, map[string]Provider, error) {
|
|
// Maybe also separate used and unused providers so we can force the registration of only 1 active provider for each type
|
|
|
|
loginSources, err := models.GetActiveOAuth2ProviderLoginSources()
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
var orderedKeys []string
|
|
providers := make(map[string]Provider)
|
|
for _, source := range loginSources {
|
|
prov := Providers[source.Cfg.(*Source).Provider]
|
|
if source.Cfg.(*Source).IconURL != "" {
|
|
prov.Image = source.Cfg.(*Source).IconURL
|
|
}
|
|
providers[source.Name] = prov
|
|
orderedKeys = append(orderedKeys, source.Name)
|
|
}
|
|
|
|
sort.Strings(orderedKeys)
|
|
|
|
return orderedKeys, providers, nil
|
|
}
|
|
|
|
// RegisterProvider register a OAuth2 provider in goth lib
|
|
func RegisterProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) error {
|
|
provider, err := createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL, customURLMapping)
|
|
|
|
if err == nil && provider != nil {
|
|
goth.UseProviders(provider)
|
|
}
|
|
|
|
return err
|
|
}
|
|
|
|
// RemoveProvider removes the given OAuth2 provider from the goth lib
|
|
func RemoveProvider(providerName string) {
|
|
delete(goth.GetProviders(), providerName)
|
|
}
|
|
|
|
// ClearProviders clears all OAuth2 providers from the goth lib
|
|
func ClearProviders() {
|
|
goth.ClearProviders()
|
|
}
|
|
|
|
// used to create different types of goth providers
|
|
func createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) (goth.Provider, error) {
|
|
callbackURL := setting.AppURL + "user/oauth2/" + url.PathEscape(providerName) + "/callback"
|
|
|
|
var provider goth.Provider
|
|
var err error
|
|
|
|
switch providerType {
|
|
case "bitbucket":
|
|
provider = bitbucket.New(clientID, clientSecret, callbackURL, "account")
|
|
case "dropbox":
|
|
provider = dropbox.New(clientID, clientSecret, callbackURL)
|
|
case "facebook":
|
|
provider = facebook.New(clientID, clientSecret, callbackURL, "email")
|
|
case "github":
|
|
authURL := github.AuthURL
|
|
tokenURL := github.TokenURL
|
|
profileURL := github.ProfileURL
|
|
emailURL := github.EmailURL
|
|
if customURLMapping != nil {
|
|
if len(customURLMapping.AuthURL) > 0 {
|
|
authURL = customURLMapping.AuthURL
|
|
}
|
|
if len(customURLMapping.TokenURL) > 0 {
|
|
tokenURL = customURLMapping.TokenURL
|
|
}
|
|
if len(customURLMapping.ProfileURL) > 0 {
|
|
profileURL = customURLMapping.ProfileURL
|
|
}
|
|
if len(customURLMapping.EmailURL) > 0 {
|
|
emailURL = customURLMapping.EmailURL
|
|
}
|
|
}
|
|
scopes := []string{}
|
|
if setting.OAuth2Client.EnableAutoRegistration {
|
|
scopes = append(scopes, "user:email")
|
|
}
|
|
provider = github.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, emailURL, scopes...)
|
|
case "gitlab":
|
|
authURL := gitlab.AuthURL
|
|
tokenURL := gitlab.TokenURL
|
|
profileURL := gitlab.ProfileURL
|
|
if customURLMapping != nil {
|
|
if len(customURLMapping.AuthURL) > 0 {
|
|
authURL = customURLMapping.AuthURL
|
|
}
|
|
if len(customURLMapping.TokenURL) > 0 {
|
|
tokenURL = customURLMapping.TokenURL
|
|
}
|
|
if len(customURLMapping.ProfileURL) > 0 {
|
|
profileURL = customURLMapping.ProfileURL
|
|
}
|
|
}
|
|
provider = gitlab.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, "read_user")
|
|
case "gplus": // named gplus due to legacy gplus -> google migration (Google killed Google+). This ensures old connections still work
|
|
scopes := []string{"email"}
|
|
if setting.OAuth2Client.UpdateAvatar || setting.OAuth2Client.EnableAutoRegistration {
|
|
scopes = append(scopes, "profile")
|
|
}
|
|
provider = google.New(clientID, clientSecret, callbackURL, scopes...)
|
|
case "openidConnect":
|
|
if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL, setting.OAuth2Client.OpenIDConnectScopes...); err != nil {
|
|
log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, openIDConnectAutoDiscoveryURL, err)
|
|
}
|
|
case "twitter":
|
|
provider = twitter.NewAuthenticate(clientID, clientSecret, callbackURL)
|
|
case "discord":
|
|
provider = discord.New(clientID, clientSecret, callbackURL, discord.ScopeIdentify, discord.ScopeEmail)
|
|
case "gitea":
|
|
authURL := gitea.AuthURL
|
|
tokenURL := gitea.TokenURL
|
|
profileURL := gitea.ProfileURL
|
|
if customURLMapping != nil {
|
|
if len(customURLMapping.AuthURL) > 0 {
|
|
authURL = customURLMapping.AuthURL
|
|
}
|
|
if len(customURLMapping.TokenURL) > 0 {
|
|
tokenURL = customURLMapping.TokenURL
|
|
}
|
|
if len(customURLMapping.ProfileURL) > 0 {
|
|
profileURL = customURLMapping.ProfileURL
|
|
}
|
|
}
|
|
provider = gitea.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL)
|
|
case "nextcloud":
|
|
authURL := nextcloud.AuthURL
|
|
tokenURL := nextcloud.TokenURL
|
|
profileURL := nextcloud.ProfileURL
|
|
if customURLMapping != nil {
|
|
if len(customURLMapping.AuthURL) > 0 {
|
|
authURL = customURLMapping.AuthURL
|
|
}
|
|
if len(customURLMapping.TokenURL) > 0 {
|
|
tokenURL = customURLMapping.TokenURL
|
|
}
|
|
if len(customURLMapping.ProfileURL) > 0 {
|
|
profileURL = customURLMapping.ProfileURL
|
|
}
|
|
}
|
|
provider = nextcloud.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL)
|
|
case "yandex":
|
|
// See https://tech.yandex.com/passport/doc/dg/reference/response-docpage/
|
|
provider = yandex.New(clientID, clientSecret, callbackURL, "login:email", "login:info", "login:avatar")
|
|
case "mastodon":
|
|
instanceURL := mastodon.InstanceURL
|
|
if customURLMapping != nil && len(customURLMapping.AuthURL) > 0 {
|
|
instanceURL = customURLMapping.AuthURL
|
|
}
|
|
provider = mastodon.NewCustomisedURL(clientID, clientSecret, callbackURL, instanceURL)
|
|
}
|
|
|
|
// always set the name if provider is created so we can support multiple setups of 1 provider
|
|
if err == nil && provider != nil {
|
|
provider.SetName(providerName)
|
|
}
|
|
|
|
return provider, err
|
|
}
|