2019-06-17 20:32:20 +02:00
|
|
|
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
|
|
|
// Use of this source code is governed by a MIT-style
|
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
|
|
package cmd
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"strings"
|
|
|
|
|
|
2021-09-24 13:32:56 +02:00
|
|
|
|
"code.gitea.io/gitea/models/login"
|
2021-07-24 12:16:34 +02:00
|
|
|
|
"code.gitea.io/gitea/services/auth/source/ldap"
|
2019-06-17 20:32:20 +02:00
|
|
|
|
|
|
|
|
|
"github.com/urfave/cli"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type (
|
|
|
|
|
authService struct {
|
|
|
|
|
initDB func() error
|
2021-09-24 13:32:56 +02:00
|
|
|
|
createLoginSource func(loginSource *login.Source) error
|
|
|
|
|
updateLoginSource func(loginSource *login.Source) error
|
|
|
|
|
getLoginSourceByID func(id int64) (*login.Source, error)
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
commonLdapCLIFlags = []cli.Flag{
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "name",
|
|
|
|
|
Usage: "Authentication name.",
|
|
|
|
|
},
|
|
|
|
|
cli.BoolFlag{
|
|
|
|
|
Name: "not-active",
|
|
|
|
|
Usage: "Deactivate the authentication source.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "security-protocol",
|
|
|
|
|
Usage: "Security protocol name.",
|
|
|
|
|
},
|
|
|
|
|
cli.BoolFlag{
|
|
|
|
|
Name: "skip-tls-verify",
|
|
|
|
|
Usage: "Disable TLS verification.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "host",
|
|
|
|
|
Usage: "The address where the LDAP server can be reached.",
|
|
|
|
|
},
|
|
|
|
|
cli.IntFlag{
|
|
|
|
|
Name: "port",
|
|
|
|
|
Usage: "The port to use when connecting to the LDAP server.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "user-search-base",
|
|
|
|
|
Usage: "The LDAP base at which user accounts will be searched for.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "user-filter",
|
|
|
|
|
Usage: "An LDAP filter declaring how to find the user record that is attempting to authenticate.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "admin-filter",
|
|
|
|
|
Usage: "An LDAP filter specifying if a user should be given administrator privileges.",
|
|
|
|
|
},
|
2020-03-05 07:30:33 +01:00
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "restricted-filter",
|
|
|
|
|
Usage: "An LDAP filter specifying if a user should be given restricted status.",
|
|
|
|
|
},
|
2020-01-20 04:47:39 +01:00
|
|
|
|
cli.BoolFlag{
|
|
|
|
|
Name: "allow-deactivate-all",
|
|
|
|
|
Usage: "Allow empty search results to deactivate all users.",
|
|
|
|
|
},
|
2019-06-17 20:32:20 +02:00
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "username-attribute",
|
|
|
|
|
Usage: "The attribute of the user’s LDAP record containing the user name.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "firstname-attribute",
|
|
|
|
|
Usage: "The attribute of the user’s LDAP record containing the user’s first name.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "surname-attribute",
|
|
|
|
|
Usage: "The attribute of the user’s LDAP record containing the user’s surname.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "email-attribute",
|
|
|
|
|
Usage: "The attribute of the user’s LDAP record containing the user’s email address.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "public-ssh-key-attribute",
|
|
|
|
|
Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
|
|
|
|
|
},
|
2021-09-17 13:43:47 +02:00
|
|
|
|
cli.BoolFlag{
|
|
|
|
|
Name: "skip-local-2fa",
|
|
|
|
|
Usage: "Set to true to skip local 2fa for users authenticated by this source",
|
|
|
|
|
},
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ldapBindDnCLIFlags = append(commonLdapCLIFlags,
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "bind-dn",
|
|
|
|
|
Usage: "The DN to bind to the LDAP server with when searching for the user.",
|
|
|
|
|
},
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "bind-password",
|
|
|
|
|
Usage: "The password for the Bind DN, if any.",
|
|
|
|
|
},
|
|
|
|
|
cli.BoolFlag{
|
|
|
|
|
Name: "attributes-in-bind",
|
|
|
|
|
Usage: "Fetch attributes in bind DN context.",
|
|
|
|
|
},
|
|
|
|
|
cli.BoolFlag{
|
|
|
|
|
Name: "synchronize-users",
|
|
|
|
|
Usage: "Enable user synchronization.",
|
|
|
|
|
},
|
|
|
|
|
cli.UintFlag{
|
|
|
|
|
Name: "page-size",
|
|
|
|
|
Usage: "Search page size.",
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
ldapSimpleAuthCLIFlags = append(commonLdapCLIFlags,
|
|
|
|
|
cli.StringFlag{
|
|
|
|
|
Name: "user-dn",
|
|
|
|
|
Usage: "The user’s DN.",
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
cmdAuthAddLdapBindDn = cli.Command{
|
|
|
|
|
Name: "add-ldap",
|
|
|
|
|
Usage: "Add new LDAP (via Bind DN) authentication source",
|
|
|
|
|
Action: func(c *cli.Context) error {
|
|
|
|
|
return newAuthService().addLdapBindDn(c)
|
|
|
|
|
},
|
|
|
|
|
Flags: ldapBindDnCLIFlags,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cmdAuthUpdateLdapBindDn = cli.Command{
|
|
|
|
|
Name: "update-ldap",
|
|
|
|
|
Usage: "Update existing LDAP (via Bind DN) authentication source",
|
|
|
|
|
Action: func(c *cli.Context) error {
|
|
|
|
|
return newAuthService().updateLdapBindDn(c)
|
|
|
|
|
},
|
|
|
|
|
Flags: append([]cli.Flag{idFlag}, ldapBindDnCLIFlags...),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cmdAuthAddLdapSimpleAuth = cli.Command{
|
|
|
|
|
Name: "add-ldap-simple",
|
|
|
|
|
Usage: "Add new LDAP (simple auth) authentication source",
|
|
|
|
|
Action: func(c *cli.Context) error {
|
|
|
|
|
return newAuthService().addLdapSimpleAuth(c)
|
|
|
|
|
},
|
|
|
|
|
Flags: ldapSimpleAuthCLIFlags,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cmdAuthUpdateLdapSimpleAuth = cli.Command{
|
|
|
|
|
Name: "update-ldap-simple",
|
|
|
|
|
Usage: "Update existing LDAP (simple auth) authentication source",
|
|
|
|
|
Action: func(c *cli.Context) error {
|
|
|
|
|
return newAuthService().updateLdapSimpleAuth(c)
|
|
|
|
|
},
|
|
|
|
|
Flags: append([]cli.Flag{idFlag}, ldapSimpleAuthCLIFlags...),
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// newAuthService creates a service with default functions.
|
|
|
|
|
func newAuthService() *authService {
|
|
|
|
|
return &authService{
|
|
|
|
|
initDB: initDB,
|
2021-09-24 13:32:56 +02:00
|
|
|
|
createLoginSource: login.CreateSource,
|
|
|
|
|
updateLoginSource: login.UpdateSource,
|
|
|
|
|
getLoginSourceByID: login.GetSourceByID,
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// parseLoginSource assigns values on loginSource according to command line flags.
|
2021-09-24 13:32:56 +02:00
|
|
|
|
func parseLoginSource(c *cli.Context, loginSource *login.Source) {
|
2019-06-17 20:32:20 +02:00
|
|
|
|
if c.IsSet("name") {
|
|
|
|
|
loginSource.Name = c.String("name")
|
|
|
|
|
}
|
|
|
|
|
if c.IsSet("not-active") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
loginSource.IsActive = !c.Bool("not-active")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("synchronize-users") {
|
|
|
|
|
loginSource.IsSyncEnabled = c.Bool("synchronize-users")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// parseLdapConfig assigns values on config according to command line flags.
|
2021-07-24 12:16:34 +02:00
|
|
|
|
func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
|
2019-06-17 20:32:20 +02:00
|
|
|
|
if c.IsSet("name") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.Name = c.String("name")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("host") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.Host = c.String("host")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("port") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.Port = c.Int("port")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("security-protocol") {
|
|
|
|
|
p, ok := findLdapSecurityProtocolByName(c.String("security-protocol"))
|
|
|
|
|
if !ok {
|
|
|
|
|
return fmt.Errorf("Unknown security protocol name: %s", c.String("security-protocol"))
|
|
|
|
|
}
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.SecurityProtocol = p
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("skip-tls-verify") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.SkipVerify = c.Bool("skip-tls-verify")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("bind-dn") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.BindDN = c.String("bind-dn")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("user-dn") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.UserDN = c.String("user-dn")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("bind-password") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.BindPassword = c.String("bind-password")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("user-search-base") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.UserBase = c.String("user-search-base")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("username-attribute") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.AttributeUsername = c.String("username-attribute")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("firstname-attribute") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.AttributeName = c.String("firstname-attribute")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("surname-attribute") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.AttributeSurname = c.String("surname-attribute")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("email-attribute") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.AttributeMail = c.String("email-attribute")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("attributes-in-bind") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.AttributesInBind = c.Bool("attributes-in-bind")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("public-ssh-key-attribute") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("page-size") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.SearchPageSize = uint32(c.Uint("page-size"))
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("user-filter") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.Filter = c.String("user-filter")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
if c.IsSet("admin-filter") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.AdminFilter = c.String("admin-filter")
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
2020-03-05 07:30:33 +01:00
|
|
|
|
if c.IsSet("restricted-filter") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.RestrictedFilter = c.String("restricted-filter")
|
2020-03-05 07:30:33 +01:00
|
|
|
|
}
|
2020-01-20 04:47:39 +01:00
|
|
|
|
if c.IsSet("allow-deactivate-all") {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
config.AllowDeactivateAll = c.Bool("allow-deactivate-all")
|
2020-01-20 04:47:39 +01:00
|
|
|
|
}
|
2021-09-17 13:43:47 +02:00
|
|
|
|
if c.IsSet("skip-local-2fa") {
|
|
|
|
|
config.SkipLocalTwoFA = c.Bool("skip-local-2fa")
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-17 20:32:20 +02:00
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// findLdapSecurityProtocolByName finds security protocol by its name ignoring case.
|
|
|
|
|
// It returns the value of the security protocol and if it was found.
|
|
|
|
|
func findLdapSecurityProtocolByName(name string) (ldap.SecurityProtocol, bool) {
|
2021-07-24 12:16:34 +02:00
|
|
|
|
for i, n := range ldap.SecurityProtocolNames {
|
2019-06-17 20:32:20 +02:00
|
|
|
|
if strings.EqualFold(name, n) {
|
|
|
|
|
return i, true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0, false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getLoginSource gets the login source by its id defined in the command line flags.
|
|
|
|
|
// It returns an error if the id is not set, does not match any source or if the source is not of expected type.
|
2021-09-24 13:32:56 +02:00
|
|
|
|
func (a *authService) getLoginSource(c *cli.Context, loginType login.Type) (*login.Source, error) {
|
2019-06-17 20:32:20 +02:00
|
|
|
|
if err := argsSet(c, "id"); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
loginSource, err := a.getLoginSourceByID(c.Int64("id"))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if loginSource.Type != loginType {
|
2021-09-24 13:32:56 +02:00
|
|
|
|
return nil, fmt.Errorf("Invalid authentication type. expected: %s, actual: %s", loginType.String(), loginSource.Type.String())
|
2019-06-17 20:32:20 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return loginSource, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// addLdapBindDn adds a new LDAP via Bind DN authentication source.
|
|
|
|
|
func (a *authService) addLdapBindDn(c *cli.Context) error {
|
|
|
|
|
if err := argsSet(c, "name", "security-protocol", "host", "port", "user-search-base", "user-filter", "email-attribute"); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := a.initDB(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-24 13:32:56 +02:00
|
|
|
|
loginSource := &login.Source{
|
|
|
|
|
Type: login.LDAP,
|
2021-07-24 12:16:34 +02:00
|
|
|
|
IsActive: true, // active by default
|
|
|
|
|
Cfg: &ldap.Source{
|
|
|
|
|
Enabled: true, // always true
|
2019-06-17 20:32:20 +02:00
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
parseLoginSource(c, loginSource)
|
2021-07-24 12:16:34 +02:00
|
|
|
|
if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {
|
2019-06-17 20:32:20 +02:00
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return a.createLoginSource(loginSource)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// updateLdapBindDn updates a new LDAP via Bind DN authentication source.
|
|
|
|
|
func (a *authService) updateLdapBindDn(c *cli.Context) error {
|
|
|
|
|
if err := a.initDB(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-24 13:32:56 +02:00
|
|
|
|
loginSource, err := a.getLoginSource(c, login.LDAP)
|
2019-06-17 20:32:20 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
parseLoginSource(c, loginSource)
|
2021-07-24 12:16:34 +02:00
|
|
|
|
if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {
|
2019-06-17 20:32:20 +02:00
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return a.updateLoginSource(loginSource)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// addLdapSimpleAuth adds a new LDAP (simple auth) authentication source.
|
|
|
|
|
func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
|
|
|
|
|
if err := argsSet(c, "name", "security-protocol", "host", "port", "user-dn", "user-filter", "email-attribute"); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := a.initDB(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-24 13:32:56 +02:00
|
|
|
|
loginSource := &login.Source{
|
|
|
|
|
Type: login.DLDAP,
|
2021-07-24 12:16:34 +02:00
|
|
|
|
IsActive: true, // active by default
|
|
|
|
|
Cfg: &ldap.Source{
|
|
|
|
|
Enabled: true, // always true
|
2019-06-17 20:32:20 +02:00
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
parseLoginSource(c, loginSource)
|
2021-07-24 12:16:34 +02:00
|
|
|
|
if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {
|
2019-06-17 20:32:20 +02:00
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return a.createLoginSource(loginSource)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// updateLdapBindDn updates a new LDAP (simple auth) authentication source.
|
|
|
|
|
func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {
|
|
|
|
|
if err := a.initDB(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-24 13:32:56 +02:00
|
|
|
|
loginSource, err := a.getLoginSource(c, login.DLDAP)
|
2019-06-17 20:32:20 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
parseLoginSource(c, loginSource)
|
2021-07-24 12:16:34 +02:00
|
|
|
|
if err := parseLdapConfig(c, loginSource.Cfg.(*ldap.Source)); err != nil {
|
2019-06-17 20:32:20 +02:00
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return a.updateLoginSource(loginSource)
|
|
|
|
|
}
|