Revert "Support SAML authentication (#25165)" (#29358)

This reverts #25165 (5bb8d1924d), as there
was a chance some important reviews got missed.

so after reverting this patch it will be resubmitted for reviewing again

https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242

temporary Open #5512 again
This commit is contained in:
6543 2024-02-24 05:18:49 +01:00 committed by GitHub
parent 875f5ea6d8
commit 4ba642d07d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
37 changed files with 69 additions and 1440 deletions

View File

@ -37,14 +37,6 @@ jobs:
MINIO_ROOT_PASSWORD: 12345678
ports:
- "9000:9000"
simplesaml:
image: allspice/simple-saml
ports:
- "8080:8080"
env:
SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3002/user/saml/test-sp/metadata
SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3002/user/saml/test-sp/acs
SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3002/user/saml/test-sp/acs
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5

File diff suppressed because one or more lines are too long

View File

@ -349,72 +349,3 @@ If set `ENABLE_REVERSE_PROXY_FULL_NAME=true`, a user full name expected in `X-WE
You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUSTED_PROXIES` which default value is `127.0.0.0/8,::1/128`. By `REVERSE_PROXY_LIMIT`, you can limit trusted proxies level.
Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests.
## SAML
### Configuring Gitea as a SAML 2.0 Service Provider
- Navigate to `Site Administration > Identity & Access > Authentication Sources`.
- Click the `Add Authentication Source` button.
- Select `SAML` as the authentication type.
#### Features Not Yet Supported
Currently, auto-registration is not supported for SAML. During the external account linking process the user will be prompted to set a username and email address or link to an existing account.
SAML group mapping is not supported.
#### Settings
- `Authentication Name` **(required)**
- The name of this authentication source (appears in the Gitea ACS and metadata URLs)
- `SAML NameID Format` **(required)**
- This specifies how Identity Provider (IdP) users are mapped to Gitea users. This option will be provider specific.
- `Icon URL` (optional)
- URL of an icon to display on the Sign-In page for this authentication source.
- `[Insecure] Skip Assertion Signature Validation` (optional)
- This option is not recommended and disables integrity verification of IdP SAML assertions.
- `Identity Provider Metadata URL` (optional if XML set)
- The URL of the IdP metadata endpoint.
- This field must be set if `Identity Provider Metadata XML` is left blank.
- `Identity Provider Metadata XML` (optional if URL set)
- The XML returned by the IdP metadata endpoint.
- This field must be set if `Identity Provider Metadata URL` is left blank.
- `Service Provider Certificate` (optional)
- X.509-formatted certificate (with `Service Provider Private Key`) used for signing SAML requests.
- A certificate will be generated if this field is left blank.
- `Service Provider Private Key` (optional)
- DSA/RSA private key (with `Service Provider Certificate`) used for signing SAML requests.
- A private key will be generated if this field is left blank.
- `Email Assertion Key` (optional)
- The SAML assertion key used for the IdP user's email (depends on provider configuration).
- `Name Assertion Key` (optional)
- The SAML assertion key used for the IdP user's nickname (depends on provider configuration).
- `Username Assertion Key` (optional)
- The SAML assertion key used for the IdP user's username (depends on provider configuration).
### Configuring a SAML 2.0 Identity Provider to use Gitea
- The service provider assertion consumer service url will look like: `http(s)://[mydomain]/user/saml/[Authentication Name]/acs`.
- The service provider metadata url will look like: `http(s)://[mydomain]/user/saml/[Authentication Name]/metadata`.

5
go.mod
View File

@ -91,8 +91,6 @@ require (
github.com/quasoft/websspi v1.1.2
github.com/redis/go-redis/v9 v9.4.0
github.com/robfig/cron/v3 v3.0.1
github.com/russellhaering/gosaml2 v0.9.1
github.com/russellhaering/goxmldsig v1.3.0
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
github.com/sassoftware/go-rpmutils v0.2.1-0.20240124161140-277b154961dd
github.com/sergi/go-diff v1.3.1
@ -145,7 +143,6 @@ require (
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aymerick/douceur v0.2.0 // indirect
github.com/beevik/etree v1.1.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bits-and-blooms/bitset v1.13.0 // indirect
github.com/blevesearch/bleve_index_api v1.1.5 // indirect
@ -219,7 +216,6 @@ require (
github.com/imdario/mergo v0.3.16 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jessevdk/go-flags v1.5.0 // indirect
github.com/jonboulle/clockwork v0.3.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/pgzip v1.2.6 // indirect
@ -229,7 +225,6 @@ require (
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/markbates/going v1.0.3 // indirect
github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-runewidth v0.0.15 // indirect
github.com/mholt/acmez v1.2.0 // indirect

12
go.sum
View File

@ -130,8 +130,6 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/bits-and-blooms/bitset v1.1.10/go.mod h1:w0XsmFg8qg6cmpTtJ0z3pKgjTDBMMnI/+I2syrE6XBE=
@ -568,9 +566,6 @@ github.com/jhillyerd/enmime v1.1.0 h1:ubaIzg68VY7CMCe2YbHe6nkRvU9vujixTkNz3EBvZO
github.com/jhillyerd/enmime v1.1.0/go.mod h1:FRFuUPCLh8PByQv+8xRcLO9QHqaqTqreYhopv5eyk4I=
github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg=
github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@ -639,8 +634,6 @@ github.com/markbates/going v1.0.3 h1:mY45T5TvW+Xz5A6jY7lf4+NLg9D8+iuStIHyR7M8qsE
github.com/markbates/going v1.0.3/go.mod h1:fQiT6v6yQar9UD6bd/D4Z5Afbk9J6BBVBtLiyY4gp2o=
github.com/markbates/goth v1.78.0 h1:7VEIFDycJp9deyVv3YraGBPdD0ZYQW93Y3Aw1eVP3BY=
github.com/markbates/goth v1.78.0/go.mod h1:X6xdNgpapSENS0O35iTBBcMHoJDQDfI9bJl+APCkYMc=
github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@ -773,17 +766,12 @@ github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
github.com/russellhaering/gosaml2 v0.9.1 h1:H/whrl8NuSoxyW46Ww5lKPskm+5K+qYLw9afqJ/Zef0=
github.com/russellhaering/gosaml2 v0.9.1/go.mod h1:ja+qgbayxm+0mxBRLMSUuX3COqy+sb0RRhIGun/W2kc=
github.com/russellhaering/goxmldsig v1.3.0 h1:DllIWUgMy0cRUMfGiASiYEa35nsieyD3cigIwLonTPM=
github.com/russellhaering/goxmldsig v1.3.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=

View File

@ -8,7 +8,6 @@ import (
"crypto/sha256"
"encoding/base32"
"encoding/base64"
"encoding/gob"
"fmt"
"net"
"net/url"
@ -82,10 +81,6 @@ func Init(ctx context.Context) error {
builtinAllClientIDs = append(builtinAllClientIDs, clientID)
}
// This is needed in order to encode and store the struct in the goth/gothic session
// during the process of linking the external user.
gob.Register(LinkAccountUser{})
var registeredApps []*OAuth2Application
if err := db.GetEngine(ctx).In("client_id", builtinAllClientIDs).Find(&registeredApps); err != nil {
return err
@ -610,6 +605,21 @@ func (err ErrOAuthApplicationNotFound) Unwrap() error {
return util.ErrNotExist
}
// GetActiveOAuth2SourceByName returns a OAuth2 AuthSource based on the given name
func GetActiveOAuth2SourceByName(ctx context.Context, name string) (*Source, error) {
authSource := new(Source)
has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(authSource)
if err != nil {
return nil, err
}
if !has {
return nil, fmt.Errorf("oauth2 source not found, name: %q", name)
}
return authSource, nil
}
func DeleteOAuth2RelictsByUserID(ctx context.Context, userID int64) error {
deleteCond := builder.Select("id").From("oauth2_grant").Where(builder.Eq{"oauth2_grant.user_id": userID})

View File

@ -14,7 +14,6 @@ import (
"code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/util"
"github.com/markbates/goth"
"xorm.io/builder"
"xorm.io/xorm"
"xorm.io/xorm/convert"
@ -33,7 +32,6 @@ const (
DLDAP // 5
OAuth2 // 6
SSPI // 7
SAML // 8
)
// String returns the string name of the LoginType
@ -54,7 +52,6 @@ var Names = map[Type]string{
PAM: "PAM",
OAuth2: "OAuth2",
SSPI: "SPNEGO with SSPI",
SAML: "SAML",
}
// Config represents login config as far as the db is concerned
@ -124,12 +121,6 @@ type Source struct {
UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
}
// LinkAccountUser is used to link an external user with a local user
type LinkAccountUser struct {
Type Type
GothUser goth.User
}
// TableName xorm will read the table name from this method
func (Source) TableName() string {
return "login_source"
@ -189,11 +180,6 @@ func (source *Source) IsSSPI() bool {
return source.Type == SSPI
}
// IsSAML returns true of this source is of the SAML type.
func (source *Source) IsSAML() bool {
return source.Type == SAML
}
// HasTLS returns true of this source supports TLS.
func (source *Source) HasTLS() bool {
hasTLSer, ok := source.Cfg.(HasTLSer)
@ -406,27 +392,3 @@ func IsErrSourceInUse(err error) bool {
func (err ErrSourceInUse) Error() string {
return fmt.Sprintf("login source is still used by some users [id: %d]", err.ID)
}
// GetActiveAuthProviderSources returns all activated sources
func GetActiveAuthProviderSources(ctx context.Context, authType Type) ([]*Source, error) {
sources := make([]*Source, 0, 1)
if err := db.GetEngine(ctx).Where("is_active = ? and type = ?", true, authType).Find(&sources); err != nil {
return nil, err
}
return sources, nil
}
// GetActiveAuthSourceByName returns an AuthSource based on the given name and type
func GetActiveAuthSourceByName(ctx context.Context, name string, authType Type) (*Source, error) {
authSource := new(Source)
has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, authType, true).Get(authSource)
if err != nil {
return nil, err
}
if !has {
return nil, fmt.Errorf("auth source not found, name: %q", name)
}
return authSource, nil
}

View File

@ -523,9 +523,6 @@ Content = Content
SSPISeparatorReplacement = Separator
SSPIDefaultLanguage = Default Language
SAMLMetadata = Either SAML Identity Provider metadata URL or XML
SAMLMetadataURL = SAML Identity Provider metadata URL is invalid
require_error = ` cannot be empty.`
alpha_dash_error = ` should contain only alphanumeric, dash ('-') and underscore ('_') characters.`
alpha_dash_dot_error = ` should contain only alphanumeric, dash ('-'), underscore ('_') and dot ('.') characters.`
@ -3032,18 +3029,7 @@ auths.sspi_separator_replacement = Separator to use instead of \, / and @
auths.sspi_separator_replacement_helper = The character to use to replace the separators of down-level logon names (eg. the \ in "DOMAIN\user") and user principal names (eg. the @ in "user@example.org").
auths.sspi_default_language = Default user language
auths.sspi_default_language_helper = Default language for users automatically created by SSPI auth method. Leave empty if you prefer language to be automatically detected.
auths.saml_nameidformat = SAML NameID Format
auths.saml_identity_provider_metadata_url = Identity Provider Metadata URL
auths.saml_identity_provider_metadata = Identity Provider Metadata XML
auths.saml_insecure_skip_assertion_signature_validation = [Insecure] Skip Assertion Signature Validation
auths.saml_service_provider_certificate = Service Provider Certificate
auths.saml_service_provider_private_key = Service Provider Private Key
auths.saml_identity_provider_email_assertion_key = Email Assertion Key
auths.saml_identity_provider_name_assertion_key = Name Assertion Key
auths.saml_identity_provider_username_assertion_key = Username Assertion Key
auths.saml_icon_url = Icon URL
auths.tips = Tips
auths.tips.saml = Documentation can be found at https://docs.gitea.com/usage/authentication#saml
auths.tips.oauth2.general = OAuth2 Authentication
auths.tips.oauth2.general.tip = When registering a new OAuth2 authentication, the callback/redirect URL should be:
auths.tip.oauth2_provider = OAuth2 Provider

View File

@ -35,7 +35,6 @@ import (
actions_service "code.gitea.io/gitea/services/actions"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/oauth2"
"code.gitea.io/gitea/services/auth/source/saml"
"code.gitea.io/gitea/services/automerge"
"code.gitea.io/gitea/services/cron"
feed_service "code.gitea.io/gitea/services/feed"
@ -139,7 +138,6 @@ func InitWebInstalled(ctx context.Context) {
log.Info("ORM engine initialization successful!")
mustInit(system.Init)
mustInitCtx(ctx, oauth2.Init)
mustInitCtx(ctx, saml.Init)
mustInit(release_service.Init)

View File

@ -1,12 +1,9 @@
// Copyright 2014 The Gogs Authors. All rights reserved.
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package admin
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"net/http"
@ -28,7 +25,6 @@ import (
"code.gitea.io/gitea/services/auth/source/ldap"
"code.gitea.io/gitea/services/auth/source/oauth2"
pam_service "code.gitea.io/gitea/services/auth/source/pam"
"code.gitea.io/gitea/services/auth/source/saml"
"code.gitea.io/gitea/services/auth/source/smtp"
"code.gitea.io/gitea/services/auth/source/sspi"
"code.gitea.io/gitea/services/forms"
@ -75,7 +71,6 @@ var (
{auth.SMTP.String(), auth.SMTP},
{auth.OAuth2.String(), auth.OAuth2},
{auth.SSPI.String(), auth.SSPI},
{auth.SAML.String(), auth.SAML},
}
if pam.Supported {
items = append(items, dropdownItem{auth.Names[auth.PAM], auth.PAM})
@ -88,16 +83,6 @@ var (
{ldap.SecurityProtocolNames[ldap.SecurityProtocolLDAPS], ldap.SecurityProtocolLDAPS},
{ldap.SecurityProtocolNames[ldap.SecurityProtocolStartTLS], ldap.SecurityProtocolStartTLS},
}
nameIDFormats = []dropdownItem{
{saml.NameIDFormatNames[saml.SAML20Persistent], saml.SAML20Persistent}, // use this as default value
{saml.NameIDFormatNames[saml.SAML11Email], saml.SAML11Email},
{saml.NameIDFormatNames[saml.SAML11Persistent], saml.SAML11Persistent},
{saml.NameIDFormatNames[saml.SAML11Unspecified], saml.SAML11Unspecified},
{saml.NameIDFormatNames[saml.SAML20Email], saml.SAML20Email},
{saml.NameIDFormatNames[saml.SAML20Transient], saml.SAML20Transient},
{saml.NameIDFormatNames[saml.SAML20Unspecified], saml.SAML20Unspecified},
}
)
// NewAuthSource render adding a new auth source page
@ -113,8 +98,6 @@ func NewAuthSource(ctx *context.Context) {
ctx.Data["is_sync_enabled"] = true
ctx.Data["AuthSources"] = authSources
ctx.Data["SecurityProtocols"] = securityProtocols
ctx.Data["CurrentNameIDFormat"] = saml.NameIDFormatNames[saml.SAML20Persistent]
ctx.Data["NameIDFormats"] = nameIDFormats
ctx.Data["SMTPAuths"] = smtp.Authenticators
oauth2providers := oauth2.GetSupportedOAuth2Providers()
ctx.Data["OAuth2Providers"] = oauth2providers
@ -248,52 +231,6 @@ func parseSSPIConfig(ctx *context.Context, form forms.AuthenticationForm) (*sspi
}, nil
}
func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml.Source, error) {
if util.IsEmptyString(form.IdentityProviderMetadata) && util.IsEmptyString(form.IdentityProviderMetadataURL) {
return nil, fmt.Errorf("%s %s", ctx.Tr("form.SAMLMetadata"), ctx.Tr("form.require_error"))
}
if !util.IsEmptyString(form.IdentityProviderMetadataURL) {
_, err := url.Parse(form.IdentityProviderMetadataURL)
if err != nil {
return nil, fmt.Errorf("%s", ctx.Tr("form.SAMLMetadataURL"))
}
}
// check the integrity of the certificate and private key (autogenerated if these form fields are blank)
if !util.IsEmptyString(form.ServiceProviderCertificate) && !util.IsEmptyString(form.ServiceProviderPrivateKey) {
keyPair, err := tls.X509KeyPair([]byte(form.ServiceProviderCertificate), []byte(form.ServiceProviderPrivateKey))
if err != nil {
return nil, err
}
keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
if err != nil {
return nil, err
}
} else {
privateKey, cert, err := saml.GenerateSAMLSPKeypair()
if err != nil {
return nil, err
}
form.ServiceProviderPrivateKey = privateKey
form.ServiceProviderCertificate = cert
}
return &saml.Source{
IdentityProviderMetadata: form.IdentityProviderMetadata,
IdentityProviderMetadataURL: form.IdentityProviderMetadataURL,
InsecureSkipAssertionSignatureValidation: form.InsecureSkipAssertionSignatureValidation,
NameIDFormat: saml.NameIDFormat(form.NameIDFormat),
ServiceProviderCertificate: form.ServiceProviderCertificate,
ServiceProviderPrivateKey: form.ServiceProviderPrivateKey,
EmailAssertionKey: form.EmailAssertionKey,
NameAssertionKey: form.NameAssertionKey,
UsernameAssertionKey: form.UsernameAssertionKey,
IconURL: form.SAMLIconURL,
}, nil
}
// NewAuthSourcePost response for adding an auth source
func NewAuthSourcePost(ctx *context.Context) {
form := *web.GetForm(ctx).(*forms.AuthenticationForm)
@ -307,8 +244,6 @@ func NewAuthSourcePost(ctx *context.Context) {
ctx.Data["SMTPAuths"] = smtp.Authenticators
oauth2providers := oauth2.GetSupportedOAuth2Providers()
ctx.Data["OAuth2Providers"] = oauth2providers
ctx.Data["CurrentNameIDFormat"] = saml.NameIDFormatNames[saml.NameIDFormat(form.NameIDFormat)]
ctx.Data["NameIDFormats"] = nameIDFormats
ctx.Data["SSPIAutoCreateUsers"] = true
ctx.Data["SSPIAutoActivateUsers"] = true
@ -355,13 +290,6 @@ func NewAuthSourcePost(ctx *context.Context) {
ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_of_type_exist"), tplAuthNew, form)
return
}
case auth.SAML:
var err error
config, err = parseSAMLConfig(ctx, form)
if err != nil {
ctx.RenderWithErr(err.Error(), tplAuthNew, form)
return
}
default:
ctx.Error(http.StatusBadRequest)
return
@ -408,7 +336,6 @@ func EditAuthSource(ctx *context.Context) {
ctx.Data["SMTPAuths"] = smtp.Authenticators
oauth2providers := oauth2.GetSupportedOAuth2Providers()
ctx.Data["OAuth2Providers"] = oauth2providers
ctx.Data["NameIDFormats"] = nameIDFormats
source, err := auth.GetSourceByID(ctx, ctx.ParamsInt64(":authid"))
if err != nil {
@ -417,9 +344,6 @@ func EditAuthSource(ctx *context.Context) {
}
ctx.Data["Source"] = source
ctx.Data["HasTLS"] = source.HasTLS()
if source.IsSAML() {
ctx.Data["CurrentNameIDFormat"] = saml.NameIDFormatNames[source.Cfg.(*saml.Source).NameIDFormat]
}
if source.IsOAuth2() {
type Named interface {
@ -454,8 +378,6 @@ func EditAuthSourcePost(ctx *context.Context) {
}
ctx.Data["Source"] = source
ctx.Data["HasTLS"] = source.HasTLS()
ctx.Data["CurrentNameIDFormat"] = saml.NameIDFormatNames[saml.SAML20Persistent]
ctx.Data["NameIDFormats"] = nameIDFormats
if ctx.HasError() {
ctx.HTML(http.StatusOK, tplAuthEdit)
@ -490,12 +412,6 @@ func EditAuthSourcePost(ctx *context.Context) {
ctx.RenderWithErr(err.Error(), tplAuthEdit, form)
return
}
case auth.SAML:
config, err = parseSAMLConfig(ctx, form)
if err != nil {
ctx.RenderWithErr(err.Error(), tplAuthEdit, form)
return
}
default:
ctx.Error(http.StatusBadRequest)
return

View File

@ -28,7 +28,6 @@ import (
"code.gitea.io/gitea/routers/utils"
auth_service "code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/oauth2"
"code.gitea.io/gitea/services/auth/source/saml"
"code.gitea.io/gitea/services/externalaccount"
"code.gitea.io/gitea/services/forms"
"code.gitea.io/gitea/services/mailer"
@ -171,14 +170,6 @@ func SignIn(ctx *context.Context) {
return
}
ctx.Data["OAuth2Providers"] = oauth2Providers
samlProviders, err := saml.GetSAMLProviders(ctx, util.OptionalBoolTrue)
if err != nil {
ctx.ServerError("UserSignIn", err)
return
}
ctx.Data["SAMLProviders"] = samlProviders
ctx.Data["Title"] = ctx.Tr("sign_in")
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
ctx.Data["PageIsSignIn"] = true
@ -202,14 +193,6 @@ func SignInPost(ctx *context.Context) {
return
}
ctx.Data["OAuth2Providers"] = oauth2Providers
samlProviders, err := saml.GetSAMLProviders(ctx, util.OptionalBoolTrue)
if err != nil {
ctx.ServerError("UserSignIn", err)
return
}
ctx.Data["SAMLProviders"] = samlProviders
ctx.Data["Title"] = ctx.Tr("sign_in")
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
ctx.Data["PageIsSignIn"] = true
@ -521,7 +504,7 @@ func SignUpPost(ctx *context.Context) {
Passwd: form.Password,
}
if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, nil, false, auth.NoType) {
if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, nil, false) {
// error already handled
return
}
@ -532,16 +515,16 @@ func SignUpPost(ctx *context.Context) {
// createAndHandleCreatedUser calls createUserInContext and
// then handleUserCreated.
func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool, authType auth.Type) bool {
if !createUserInContext(ctx, tpl, form, u, overwrites, gothUser, allowLink, authType) {
func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool) bool {
if !createUserInContext(ctx, tpl, form, u, overwrites, gothUser, allowLink) {
return false
}
return handleUserCreated(ctx, u, gothUser, authType)
return handleUserCreated(ctx, u, gothUser)
}
// createUserInContext creates a user and handles errors within a given context.
// Optionally a template can be specified.
func createUserInContext(ctx *context.Context, tpl base.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool, authType auth.Type) (ok bool) {
func createUserInContext(ctx *context.Context, tpl base.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool) (ok bool) {
if err := user_model.CreateUser(ctx, u, overwrites); err != nil {
if allowLink && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) {
if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto {
@ -558,10 +541,10 @@ func createUserInContext(ctx *context.Context, tpl base.TplName, form any, u *us
}
// TODO: probably we should respect 'remember' user's choice...
linkAccount(ctx, user, *gothUser, true, authType)
linkAccount(ctx, user, *gothUser, true)
return false // user is already created here, all redirects are handled
} else if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingLogin {
showLinkingLogin(ctx, *gothUser, authType)
showLinkingLogin(ctx, *gothUser)
return false // user will be created only after linking login
}
}
@ -607,7 +590,7 @@ func createUserInContext(ctx *context.Context, tpl base.TplName, form any, u *us
// handleUserCreated does additional steps after a new user is created.
// It auto-sets admin for the only user, updates the optional external user and
// sends a confirmation email if required.
func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User, authType auth.Type) (ok bool) {
func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User) (ok bool) {
// Auto-set admin for the only user.
if user_model.CountUsers(ctx, nil) == 1 {
opts := &user_service.UpdateOptions{
@ -623,7 +606,7 @@ func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.
// update external user information
if gothUser != nil {
if err := externalaccount.UpdateExternalUser(ctx, u, *gothUser, authType); err != nil {
if err := externalaccount.UpdateExternalUser(ctx, u, *gothUser); err != nil {
if !errors.Is(err, util.ErrNotExist) {
log.Error("UpdateExternalUser failed: %v", err)
}

View File

@ -48,13 +48,13 @@ func LinkAccount(ctx *context.Context) {
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
externalLinkUser := ctx.Session.Get("linkAccountUser")
if externalLinkUser == nil {
gothUser := ctx.Session.Get("linkAccountGothUser")
if gothUser == nil {
ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
return
}
gu := externalLinkUser.(auth.LinkAccountUser).GothUser
gu, _ := gothUser.(goth.User)
uname, err := getUserName(&gu)
if err != nil {
ctx.ServerError("UserSignIn", err)
@ -135,14 +135,12 @@ func LinkAccountPostSignIn(ctx *context.Context) {
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
externalLinkUserInterface := ctx.Session.Get("linkAccountUser")
if externalLinkUserInterface == nil {
gothUser := ctx.Session.Get("linkAccountGothUser")
if gothUser == nil {
ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
return
}
externalLinkUser := externalLinkUserInterface.(auth.LinkAccountUser)
if ctx.HasError() {
ctx.HTML(http.StatusOK, tplLinkAccount)
return
@ -154,10 +152,10 @@ func LinkAccountPostSignIn(ctx *context.Context) {
return
}
linkAccount(ctx, u, externalLinkUser.GothUser, signInForm.Remember, externalLinkUser.Type)
linkAccount(ctx, u, gothUser.(goth.User), signInForm.Remember)
}
func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool, authType auth.Type) {
func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool) {
updateAvatarIfNeed(ctx, gothUser.AvatarURL, u)
// If this user is enrolled in 2FA, we can't sign the user in just yet.
@ -170,7 +168,7 @@ func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, r
return
}
err = externalaccount.LinkAccountToUser(ctx, u, gothUser, authType)
err = externalaccount.LinkAccountToUser(ctx, u, gothUser)
if err != nil {
ctx.ServerError("UserLinkAccount", err)
return
@ -224,14 +222,14 @@ func LinkAccountPostRegister(ctx *context.Context) {
ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
externalLinkUser := ctx.Session.Get("linkAccountUser")
if externalLinkUser == nil {
gothUserInterface := ctx.Session.Get("linkAccountGothUser")
if gothUserInterface == nil {
ctx.ServerError("UserSignUp", errors.New("not in LinkAccount session"))
return
}
linkUser, ok := externalLinkUser.(auth.LinkAccountUser)
gothUser, ok := gothUserInterface.(goth.User)
if !ok {
ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountUser type is %t but not goth.User", externalLinkUser))
ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountGothUser type is %t but not goth.User", gothUserInterface))
return
}
@ -277,7 +275,7 @@ func LinkAccountPostRegister(ctx *context.Context) {
}
}
authSource, err := auth.GetActiveAuthSourceByName(ctx, linkUser.GothUser.Provider, linkUser.Type)
authSource, err := auth.GetActiveOAuth2SourceByName(ctx, gothUser.Provider)
if err != nil {
ctx.ServerError("CreateUser", err)
return
@ -287,24 +285,21 @@ func LinkAccountPostRegister(ctx *context.Context) {
Name: form.UserName,
Email: form.Email,
Passwd: form.Password,
LoginType: authSource.Type,
LoginType: auth.OAuth2,
LoginSource: authSource.ID,
LoginName: linkUser.GothUser.UserID,
LoginName: gothUser.UserID,
}
if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, nil, &linkUser.GothUser, false, linkUser.Type) {
if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, nil, &gothUser, false) {
// error already handled
return
}
if linkUser.Type == auth.OAuth2 {
source := authSource.Cfg.(*oauth2.Source)
if err := syncGroupsToTeams(ctx, source, &linkUser.GothUser, u); err != nil {
ctx.ServerError("SyncGroupsToTeams", err)
return
}
source := authSource.Cfg.(*oauth2.Source)
if err := syncGroupsToTeams(ctx, source, &gothUser, u); err != nil {
ctx.ServerError("SyncGroupsToTeams", err)
return
}
// TODO we will support some form of group mapping for SAML
handleSignIn(ctx, u, false)
}

View File

@ -841,7 +841,7 @@ func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirect
func SignInOAuth(ctx *context.Context) {
provider := ctx.Params(":provider")
authSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.OAuth2)
authSource, err := auth.GetActiveOAuth2SourceByName(ctx, provider)
if err != nil {
ctx.ServerError("SignIn", err)
return
@ -892,7 +892,7 @@ func SignInOAuthCallback(ctx *context.Context) {
}
// first look if the provider is still active
authSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.OAuth2)
authSource, err := auth.GetActiveOAuth2SourceByName(ctx, provider)
if err != nil {
ctx.ServerError("SignIn", err)
return
@ -935,7 +935,7 @@ func SignInOAuthCallback(ctx *context.Context) {
if u == nil {
if ctx.Doer != nil {
// attach user to already logged in user
err = externalaccount.LinkAccountToUser(ctx, ctx.Doer, gothUser, auth.OAuth2)
err = externalaccount.LinkAccountToUser(ctx, ctx.Doer, gothUser)
if err != nil {
ctx.ServerError("UserLinkAccount", err)
return
@ -988,7 +988,7 @@ func SignInOAuthCallback(ctx *context.Context) {
u.IsAdmin = isAdmin.ValueOrDefault(false)
u.IsRestricted = isRestricted.ValueOrDefault(false)
if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled, auth.OAuth2) {
if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
// error already handled
return
}
@ -999,7 +999,7 @@ func SignInOAuthCallback(ctx *context.Context) {
}
} else {
// no existing user is found, request attach or new account
showLinkingLogin(ctx, gothUser, auth.OAuth2)
showLinkingLogin(ctx, gothUser)
return
}
}
@ -1063,12 +1063,9 @@ func getUserAdminAndRestrictedFromGroupClaims(source *oauth2.Source, gothUser *g
return isAdmin, isRestricted
}
func showLinkingLogin(ctx *context.Context, gothUser goth.User, authType auth.Type) {
func showLinkingLogin(ctx *context.Context, gothUser goth.User) {
if err := updateSession(ctx, nil, map[string]any{
"linkAccountUser": auth.LinkAccountUser{
Type: authType,
GothUser: gothUser,
},
"linkAccountGothUser": gothUser,
}); err != nil {
ctx.ServerError("updateSession", err)
return
@ -1147,7 +1144,7 @@ func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model
}
// update external user information
if err := externalaccount.UpdateExternalUser(ctx, u, gothUser, auth.OAuth2); err != nil {
if err := externalaccount.UpdateExternalUser(ctx, u, gothUser); err != nil {
if !errors.Is(err, util.ErrNotExist) {
log.Error("UpdateExternalUser failed: %v", err)
}

View File

@ -8,7 +8,6 @@ import (
"net/http"
"net/url"
auth_model "code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/auth/openid"
"code.gitea.io/gitea/modules/base"
@ -364,7 +363,7 @@ func RegisterOpenIDPost(ctx *context.Context) {
Email: form.Email,
Passwd: password,
}
if !createUserInContext(ctx, tplSignUpOID, form, u, nil, nil, false, auth_model.NoType) {
if !createUserInContext(ctx, tplSignUpOID, form, u, nil, nil, false) {
// error already handled
return
}
@ -380,7 +379,7 @@ func RegisterOpenIDPost(ctx *context.Context) {
return
}
if !handleUserCreated(ctx, u, nil, auth_model.NoType) {
if !handleUserCreated(ctx, u, nil) {
// error already handled
return
}

View File

@ -1,172 +0,0 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package auth
import (
"errors"
"fmt"
"net/http"
"strings"
"code.gitea.io/gitea/models/auth"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util"
"code.gitea.io/gitea/modules/web/middleware"
"code.gitea.io/gitea/services/auth/source/saml"
"code.gitea.io/gitea/services/externalaccount"
"github.com/markbates/goth"
)
func SignInSAML(ctx *context.Context) {
provider := ctx.Params(":provider")
loginSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.SAML)
if err != nil || loginSource == nil {
ctx.NotFound("SAMLMetadata", err)
return
}
if err = loginSource.Cfg.(*saml.Source).Callout(ctx.Req, ctx.Resp); err != nil {
if strings.Contains(err.Error(), "no provider for ") {
ctx.Error(http.StatusNotFound)
return
}
ctx.ServerError("SignIn", err)
}
}
func SignInSAMLCallback(ctx *context.Context) {
provider := ctx.Params(":provider")
loginSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.SAML)
if err != nil || loginSource == nil {
ctx.NotFound("SignInSAMLCallback", err)
return
}
if loginSource == nil {
ctx.ServerError("SignIn", fmt.Errorf("no valid provider found, check configured callback url in provider"))
return
}
u, gothUser, err := samlUserLoginCallback(*ctx, loginSource, ctx.Req, ctx.Resp)
if err != nil {
ctx.ServerError("SignInSAMLCallback", err)
return
}
if u == nil {
if ctx.Doer != nil {
// attach user to already logged in user
err = externalaccount.LinkAccountToUser(ctx, ctx.Doer, gothUser, auth.SAML)
if err != nil {
ctx.ServerError("LinkAccountToUser", err)
return
}
ctx.Redirect(setting.AppSubURL + "/user/settings/security")
return
} else if !setting.Service.AllowOnlyInternalRegistration && false {
// TODO: allow auto registration from saml users (OAuth2 uses the following setting.OAuth2Client.EnableAutoRegistration)
} else {
// no existing user is found, request attach or new account
showLinkingLogin(ctx, gothUser, auth.SAML)
return
}
}
handleSamlSignIn(ctx, loginSource, u, gothUser)
}
func handleSamlSignIn(ctx *context.Context, source *auth.Source, u *user_model.User, gothUser goth.User) {
if err := updateSession(ctx, nil, map[string]any{
"uid": u.ID,
"uname": u.Name,
}); err != nil {
ctx.ServerError("updateSession", err)
return
}
// Clear whatever CSRF cookie has right now, force to generate a new one
ctx.Csrf.DeleteCookie(ctx)
// Register last login
u.SetLastLogin()
// update external user information
if err := externalaccount.UpdateExternalUser(ctx, u, gothUser, auth.SAML); err != nil {
if !errors.Is(err, util.ErrNotExist) {
log.Error("UpdateExternalUser failed: %v", err)
}
}
if err := resetLocale(ctx, u); err != nil {
ctx.ServerError("resetLocale", err)
return
}
if redirectTo := ctx.GetSiteCookie("redirect_to"); len(redirectTo) > 0 {
middleware.DeleteRedirectToCookie(ctx.Resp)
ctx.RedirectToFirst(redirectTo)
return
}
ctx.Redirect(setting.AppSubURL + "/")
}
func samlUserLoginCallback(ctx context.Context, authSource *auth.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
samlSource := authSource.Cfg.(*saml.Source)
gothUser, err := samlSource.Callback(request, response)
if err != nil {
return nil, gothUser, err
}
user := &user_model.User{
LoginName: gothUser.UserID,
LoginType: auth.SAML,
LoginSource: authSource.ID,
}
hasUser, err := user_model.GetUser(ctx, user)
if err != nil {
return nil, goth.User{}, err
}
if hasUser {
return user, gothUser, nil
}
// search in external linked users
externalLoginUser := &user_model.ExternalLoginUser{
ExternalID: gothUser.UserID,
LoginSourceID: authSource.ID,
}
hasUser, err = user_model.GetExternalLogin(ctx, externalLoginUser)
if err != nil {
return nil, goth.User{}, err
}
if hasUser {
user, err = user_model.GetUserByID(request.Context(), externalLoginUser.UserID)
return user, gothUser, err
}
// no user found to login
return nil, gothUser, nil
}
func SAMLMetadata(ctx *context.Context) {
provider := ctx.Params(":provider")
loginSource, err := auth.GetActiveAuthSourceByName(ctx, provider, auth.SAML)
if err != nil || loginSource == nil {
ctx.NotFound("SAMLMetadata", err)
return
}
if err = loginSource.Cfg.(*saml.Source).Metadata(ctx.Req, ctx.Resp); err != nil {
ctx.ServerError("SAMLMetadata", err)
}
}

View File

@ -667,11 +667,6 @@ func registerRoutes(m *web.Route) {
m.Get("/{provider}", auth.SignInOAuth)
m.Get("/{provider}/callback", auth.SignInOAuthCallback)
})
m.Group("/saml", func() {
m.Get("/{provider}", auth.SignInSAML) // redir to SAML IDP
m.Post("/{provider}/acs", auth.SignInSAMLCallback)
m.Get("/{provider}/metadata", auth.SAMLMetadata)
})
})
// ***** END: User *****

View File

@ -1,22 +0,0 @@
// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package saml_test
import (
auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/saml"
)
// This test file exists to assert that our Source exposes the interfaces that we expect
// It tightly binds the interfaces and implementation without breaking go import cycles
type sourceInterface interface {
auth_model.Config
auth_model.SourceSettable
auth_model.RegisterableSource
auth.PasswordAuthenticator
}
var _ (sourceInterface) = &saml.Source{}

View File

@ -1,29 +0,0 @@
// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package saml
import (
"context"
"sync"
"code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/log"
)
var samlRWMutex = sync.RWMutex{}
func Init(ctx context.Context) error {
loginSources, _ := auth.GetActiveAuthProviderSources(ctx, auth.SAML)
for _, source := range loginSources {
samlSource, ok := source.Cfg.(*Source)
if !ok {
continue
}
err := samlSource.RegisterSource()
if err != nil {
log.Error("Unable to register source: %s due to Error: %v.", source.Name, err)
}
}
return nil
}

View File

@ -1,38 +0,0 @@
// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package saml
type NameIDFormat int
const (
SAML11Email NameIDFormat = iota + 1
SAML11Persistent
SAML11Unspecified
SAML20Email
SAML20Persistent
SAML20Transient
SAML20Unspecified
)
const DefaultNameIDFormat NameIDFormat = SAML20Persistent
var NameIDFormatNames = map[NameIDFormat]string{
SAML11Email: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
SAML11Persistent: "urn:oasis:names:tc:SAML:1.1:nameid-format:persistent",
SAML11Unspecified: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
SAML20Email: "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
SAML20Persistent: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
SAML20Transient: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
SAML20Unspecified: "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
}
// String returns the name of the NameIDFormat
func (n NameIDFormat) String() string {
return NameIDFormatNames[n]
}
// Int returns the int value of the NameIDFormat
func (n NameIDFormat) Int() int {
return int(n)
}

View File

@ -1,109 +0,0 @@
// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package saml
import (
"context"
"fmt"
"html"
"html/template"
"io"
"net/http"
"sort"
"time"
"code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/modules/httplib"
"code.gitea.io/gitea/modules/svg"
"code.gitea.io/gitea/modules/util"
)
// Providers is list of known/available providers.
type Providers map[string]Source
var providers = Providers{}
// Provider is an interface for describing a single SAML provider
type Provider interface {
Name() string
IconHTML(size int) template.HTML
}
// AuthSourceProvider is a SAML provider
type AuthSourceProvider struct {
sourceName, iconURL string
}
func (p *AuthSourceProvider) Name() string {
return p.sourceName
}
func (p *AuthSourceProvider) IconHTML(size int) template.HTML {
if p.iconURL != "" {
return template.HTML(fmt.Sprintf(`<img class="gt-object-contain gt-mr-3" width="%d" height="%d" src="%s" alt="%s">`,
size,
size,
html.EscapeString(p.iconURL), html.EscapeString(p.Name()),
))
}
return svg.RenderHTML("gitea-lock-cog", size, "gt-mr-3")
}
func readIdentityProviderMetadata(ctx context.Context, source *Source) ([]byte, error) {
if source.IdentityProviderMetadata != "" {
return []byte(source.IdentityProviderMetadata), nil
}
req := httplib.NewRequest(source.IdentityProviderMetadataURL, "GET")
req.SetTimeout(20*time.Second, time.Minute)
resp, err := req.Response()
if err != nil {
return nil, fmt.Errorf("Unable to contact gitea: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, err
}
data, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
return data, nil
}
func createProviderFromSource(source *auth.Source) (Provider, error) {
samlCfg, ok := source.Cfg.(*Source)
if !ok {
return nil, fmt.Errorf("invalid SAML source config: %v", samlCfg)
}
return &AuthSourceProvider{sourceName: source.Name, iconURL: samlCfg.IconURL}, nil
}
// GetSAMLProviders returns the list of configured SAML providers
func GetSAMLProviders(ctx context.Context, isActive util.OptionalBool) ([]Provider, error) {
authSources, err := db.Find[auth.Source](ctx, auth.FindSourcesOptions{
IsActive: isActive,
LoginType: auth.SAML,
})
if err != nil {
return nil, err
}
samlProviders := make([]Provider, 0, len(authSources))
for _, source := range authSources {
p, err := createProviderFromSource(source)
if err != nil {
return nil, err
}
samlProviders = append(samlProviders, p)
}
sort.Slice(samlProviders, func(i, j int) bool {
return samlProviders[i].Name() < samlProviders[j].Name()
})
return samlProviders, nil
}

View File

@ -1,202 +0,0 @@
// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package saml
import (
"context"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"encoding/xml"
"errors"
"fmt"
"math/big"
"net/url"
"time"
"code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
saml2 "github.com/russellhaering/gosaml2"
"github.com/russellhaering/gosaml2/types"
dsig "github.com/russellhaering/goxmldsig"
)
// Source holds configuration for the SAML login source.
type Source struct {
// IdentityProviderMetadata description: The SAML Identity Provider metadata XML contents (for static configuration of the SAML Service Provider). The value of this field should be an XML document whose root element is `<EntityDescriptor>` or `<EntityDescriptors>`. To escape the value into a JSON string, you may want to use a tool like https://json-escape-text.now.sh.
IdentityProviderMetadata string
// IdentityProviderMetadataURL description: The SAML Identity Provider metadata URL (for dynamic configuration of the SAML Service Provider).
IdentityProviderMetadataURL string
// InsecureSkipAssertionSignatureValidation description: Whether the Service Provider should (insecurely) accept assertions from the Identity Provider without a valid signature.
InsecureSkipAssertionSignatureValidation bool
// NameIDFormat description: The SAML NameID format to use when performing user authentication.
NameIDFormat NameIDFormat
// ServiceProviderCertificate description: The SAML Service Provider certificate in X.509 encoding (begins with "-----BEGIN CERTIFICATE-----"). This certificate is used by the Identity Provider to validate the Service Provider's AuthnRequests and LogoutRequests. It corresponds to the Service Provider's private key (`serviceProviderPrivateKey`). To escape the value into a JSON string, you may want to use a tool like https://json-escape-text.now.sh.
ServiceProviderCertificate string
// ServiceProviderIssuer description: The SAML Service Provider name, used to identify this Service Provider. This is required if the "externalURL" field is not set (as the SAML metadata endpoint is computed as "<externalURL>.auth/saml/metadata"), or when using multiple SAML authentication providers.
ServiceProviderIssuer string
// ServiceProviderPrivateKey description: The SAML Service Provider private key in PKCS#8 encoding (begins with "-----BEGIN PRIVATE KEY-----"). This private key is used to sign AuthnRequests and LogoutRequests. It corresponds to the Service Provider's certificate (`serviceProviderCertificate`). To escape the value into a JSON string, you may want to use a tool like https://json-escape-text.now.sh.
ServiceProviderPrivateKey string
CallbackURL string
IconURL string
// EmailAssertionKey description: Assertion key for user.Email
EmailAssertionKey string
// NameAssertionKey description: Assertion key for user.NickName
NameAssertionKey string
// UsernameAssertionKey description: Assertion key for user.Name
UsernameAssertionKey string
// reference to the authSource
authSource *auth.Source