login_source.go 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558
  1. // Copyright 2014 The Gogs Authors. All rights reserved.
  2. // Use of this source code is governed by a MIT-style
  3. // license that can be found in the LICENSE file.
  4. package models
  5. import (
  6. "crypto/tls"
  7. "encoding/json"
  8. "errors"
  9. "fmt"
  10. "net/smtp"
  11. "net/textproto"
  12. "strings"
  13. "time"
  14. "github.com/Unknwon/com"
  15. "github.com/go-macaron/binding"
  16. "github.com/go-xorm/core"
  17. "github.com/go-xorm/xorm"
  18. log "gopkg.in/clog.v1"
  19. "github.com/gogits/gogs/modules/auth/ldap"
  20. "github.com/gogits/gogs/modules/auth/pam"
  21. )
  22. type LoginType int
  23. // Note: new type must append to the end of list to maintain compatibility.
  24. const (
  25. LOGIN_NOTYPE LoginType = iota
  26. LOGIN_PLAIN // 1
  27. LOGIN_LDAP // 2
  28. LOGIN_SMTP // 3
  29. LOGIN_PAM // 4
  30. LOGIN_DLDAP // 5
  31. )
  32. var LoginNames = map[LoginType]string{
  33. LOGIN_LDAP: "LDAP (via BindDN)",
  34. LOGIN_DLDAP: "LDAP (simple auth)", // Via direct bind
  35. LOGIN_SMTP: "SMTP",
  36. LOGIN_PAM: "PAM",
  37. }
  38. var SecurityProtocolNames = map[ldap.SecurityProtocol]string{
  39. ldap.SECURITY_PROTOCOL_UNENCRYPTED: "Unencrypted",
  40. ldap.SECURITY_PROTOCOL_LDAPS: "LDAPS",
  41. ldap.SECURITY_PROTOCOL_START_TLS: "StartTLS",
  42. }
  43. // Ensure structs implemented interface.
  44. var (
  45. _ core.Conversion = &LDAPConfig{}
  46. _ core.Conversion = &SMTPConfig{}
  47. _ core.Conversion = &PAMConfig{}
  48. )
  49. type LDAPConfig struct {
  50. *ldap.Source
  51. }
  52. func (cfg *LDAPConfig) FromDB(bs []byte) error {
  53. return json.Unmarshal(bs, &cfg)
  54. }
  55. func (cfg *LDAPConfig) ToDB() ([]byte, error) {
  56. return json.Marshal(cfg)
  57. }
  58. func (cfg *LDAPConfig) SecurityProtocolName() string {
  59. return SecurityProtocolNames[cfg.SecurityProtocol]
  60. }
  61. type SMTPConfig struct {
  62. Auth string
  63. Host string
  64. Port int
  65. AllowedDomains string `xorm:"TEXT"`
  66. TLS bool
  67. SkipVerify bool
  68. }
  69. func (cfg *SMTPConfig) FromDB(bs []byte) error {
  70. return json.Unmarshal(bs, cfg)
  71. }
  72. func (cfg *SMTPConfig) ToDB() ([]byte, error) {
  73. return json.Marshal(cfg)
  74. }
  75. type PAMConfig struct {
  76. ServiceName string // pam service (e.g. system-auth)
  77. }
  78. func (cfg *PAMConfig) FromDB(bs []byte) error {
  79. return json.Unmarshal(bs, &cfg)
  80. }
  81. func (cfg *PAMConfig) ToDB() ([]byte, error) {
  82. return json.Marshal(cfg)
  83. }
  84. // LoginSource represents an external way for authorizing users.
  85. type LoginSource struct {
  86. ID int64 `xorm:"pk autoincr"`
  87. Type LoginType
  88. Name string `xorm:"UNIQUE"`
  89. IsActived bool `xorm:"NOT NULL DEFAULT false"`
  90. Cfg core.Conversion `xorm:"TEXT"`
  91. Created time.Time `xorm:"-"`
  92. CreatedUnix int64
  93. Updated time.Time `xorm:"-"`
  94. UpdatedUnix int64
  95. }
  96. func (s *LoginSource) BeforeInsert() {
  97. s.CreatedUnix = time.Now().Unix()
  98. s.UpdatedUnix = s.CreatedUnix
  99. }
  100. func (s *LoginSource) BeforeUpdate() {
  101. s.UpdatedUnix = time.Now().Unix()
  102. }
  103. // Cell2Int64 converts a xorm.Cell type to int64,
  104. // and handles possible irregular cases.
  105. func Cell2Int64(val xorm.Cell) int64 {
  106. switch (*val).(type) {
  107. case []uint8:
  108. log.Trace("Cell2Int64 ([]uint8): %v", *val)
  109. return com.StrTo(string((*val).([]uint8))).MustInt64()
  110. }
  111. return (*val).(int64)
  112. }
  113. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {
  114. switch colName {
  115. case "type":
  116. switch LoginType(Cell2Int64(val)) {
  117. case LOGIN_LDAP, LOGIN_DLDAP:
  118. source.Cfg = new(LDAPConfig)
  119. case LOGIN_SMTP:
  120. source.Cfg = new(SMTPConfig)
  121. case LOGIN_PAM:
  122. source.Cfg = new(PAMConfig)
  123. default:
  124. panic("unrecognized login source type: " + com.ToStr(*val))
  125. }
  126. }
  127. }
  128. func (s *LoginSource) AfterSet(colName string, _ xorm.Cell) {
  129. switch colName {
  130. case "created_unix":
  131. s.Created = time.Unix(s.CreatedUnix, 0).Local()
  132. case "updated_unix":
  133. s.Updated = time.Unix(s.UpdatedUnix, 0).Local()
  134. }
  135. }
  136. func (source *LoginSource) TypeName() string {
  137. return LoginNames[source.Type]
  138. }
  139. func (source *LoginSource) IsLDAP() bool {
  140. return source.Type == LOGIN_LDAP
  141. }
  142. func (source *LoginSource) IsDLDAP() bool {
  143. return source.Type == LOGIN_DLDAP
  144. }
  145. func (source *LoginSource) IsSMTP() bool {
  146. return source.Type == LOGIN_SMTP
  147. }
  148. func (source *LoginSource) IsPAM() bool {
  149. return source.Type == LOGIN_PAM
  150. }
  151. func (source *LoginSource) HasTLS() bool {
  152. return ((source.IsLDAP() || source.IsDLDAP()) &&
  153. source.LDAP().SecurityProtocol > ldap.SECURITY_PROTOCOL_UNENCRYPTED) ||
  154. source.IsSMTP()
  155. }
  156. func (source *LoginSource) UseTLS() bool {
  157. switch source.Type {
  158. case LOGIN_LDAP, LOGIN_DLDAP:
  159. return source.LDAP().SecurityProtocol != ldap.SECURITY_PROTOCOL_UNENCRYPTED
  160. case LOGIN_SMTP:
  161. return source.SMTP().TLS
  162. }
  163. return false
  164. }
  165. func (source *LoginSource) SkipVerify() bool {
  166. switch source.Type {
  167. case LOGIN_LDAP, LOGIN_DLDAP:
  168. return source.LDAP().SkipVerify
  169. case LOGIN_SMTP:
  170. return source.SMTP().SkipVerify
  171. }
  172. return false
  173. }
  174. func (source *LoginSource) LDAP() *LDAPConfig {
  175. return source.Cfg.(*LDAPConfig)
  176. }
  177. func (source *LoginSource) SMTP() *SMTPConfig {
  178. return source.Cfg.(*SMTPConfig)
  179. }
  180. func (source *LoginSource) PAM() *PAMConfig {
  181. return source.Cfg.(*PAMConfig)
  182. }
  183. func CreateLoginSource(source *LoginSource) error {
  184. has, err := x.Get(&LoginSource{Name: source.Name})
  185. if err != nil {
  186. return err
  187. } else if has {
  188. return ErrLoginSourceAlreadyExist{source.Name}
  189. }
  190. _, err = x.Insert(source)
  191. return err
  192. }
  193. func LoginSources() ([]*LoginSource, error) {
  194. auths := make([]*LoginSource, 0, 5)
  195. return auths, x.Find(&auths)
  196. }
  197. // GetLoginSourceByID returns login source by given ID.
  198. func GetLoginSourceByID(id int64) (*LoginSource, error) {
  199. source := new(LoginSource)
  200. has, err := x.Id(id).Get(source)
  201. if err != nil {
  202. return nil, err
  203. } else if !has {
  204. return nil, ErrLoginSourceNotExist{id}
  205. }
  206. return source, nil
  207. }
  208. func UpdateSource(source *LoginSource) error {
  209. _, err := x.Id(source.ID).AllCols().Update(source)
  210. return err
  211. }
  212. func DeleteSource(source *LoginSource) error {
  213. count, err := x.Count(&User{LoginSource: source.ID})
  214. if err != nil {
  215. return err
  216. } else if count > 0 {
  217. return ErrLoginSourceInUse{source.ID}
  218. }
  219. _, err = x.Id(source.ID).Delete(new(LoginSource))
  220. return err
  221. }
  222. // CountLoginSources returns number of login sources.
  223. func CountLoginSources() int64 {
  224. count, _ := x.Count(new(LoginSource))
  225. return count
  226. }
  227. // .____ ________ _____ __________
  228. // | | \______ \ / _ \\______ \
  229. // | | | | \ / /_\ \| ___/
  230. // | |___ | ` \/ | \ |
  231. // |_______ \/_______ /\____|__ /____|
  232. // \/ \/ \/
  233. func composeFullName(firstname, surname, username string) string {
  234. switch {
  235. case len(firstname) == 0 && len(surname) == 0:
  236. return username
  237. case len(firstname) == 0:
  238. return surname
  239. case len(surname) == 0:
  240. return firstname
  241. default:
  242. return firstname + " " + surname
  243. }
  244. }
  245. // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,
  246. // and create a local user if success when enabled.
  247. func LoginViaLDAP(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {
  248. username, fn, sn, mail, isAdmin, succeed := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LOGIN_DLDAP)
  249. if !succeed {
  250. // User not in LDAP, do nothing
  251. return nil, ErrUserNotExist{0, login}
  252. }
  253. if !autoRegister {
  254. return user, nil
  255. }
  256. // Fallback.
  257. if len(username) == 0 {
  258. username = login
  259. }
  260. // Validate username make sure it satisfies requirement.
  261. if binding.AlphaDashDotPattern.MatchString(username) {
  262. return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", username)
  263. }
  264. if len(mail) == 0 {
  265. mail = fmt.Sprintf("%s@localhost", username)
  266. }
  267. user = &User{
  268. LowerName: strings.ToLower(username),
  269. Name: username,
  270. FullName: composeFullName(fn, sn, username),
  271. Email: mail,
  272. LoginType: source.Type,
  273. LoginSource: source.ID,
  274. LoginName: login,
  275. IsActive: true,
  276. IsAdmin: isAdmin,
  277. }
  278. return user, CreateUser(user)
  279. }
  280. // _________ __________________________
  281. // / _____/ / \__ ___/\______ \
  282. // \_____ \ / \ / \| | | ___/
  283. // / \/ Y \ | | |
  284. // /_______ /\____|__ /____| |____|
  285. // \/ \/
  286. type smtpLoginAuth struct {
  287. username, password string
  288. }
  289. func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
  290. return "LOGIN", []byte(auth.username), nil
  291. }
  292. func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
  293. if more {
  294. switch string(fromServer) {
  295. case "Username:":
  296. return []byte(auth.username), nil
  297. case "Password:":
  298. return []byte(auth.password), nil
  299. }
  300. }
  301. return nil, nil
  302. }
  303. const (
  304. SMTP_PLAIN = "PLAIN"
  305. SMTP_LOGIN = "LOGIN"
  306. )
  307. var SMTPAuths = []string{SMTP_PLAIN, SMTP_LOGIN}
  308. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {
  309. c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))
  310. if err != nil {
  311. return err
  312. }
  313. defer c.Close()
  314. if err = c.Hello("gogs"); err != nil {
  315. return err
  316. }
  317. if cfg.TLS {
  318. if ok, _ := c.Extension("STARTTLS"); ok {
  319. if err = c.StartTLS(&tls.Config{
  320. InsecureSkipVerify: cfg.SkipVerify,
  321. ServerName: cfg.Host,
  322. }); err != nil {
  323. return err
  324. }
  325. } else {
  326. return errors.New("SMTP server unsupports TLS")
  327. }
  328. }
  329. if ok, _ := c.Extension("AUTH"); ok {
  330. if err = c.Auth(a); err != nil {
  331. return err
  332. }
  333. return nil
  334. }
  335. return ErrUnsupportedLoginType
  336. }
  337. // LoginViaSMTP queries if login/password is valid against the SMTP,
  338. // and create a local user if success when enabled.
  339. func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig, autoRegister bool) (*User, error) {
  340. // Verify allowed domains.
  341. if len(cfg.AllowedDomains) > 0 {
  342. idx := strings.Index(login, "@")
  343. if idx == -1 {
  344. return nil, ErrUserNotExist{0, login}
  345. } else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {
  346. return nil, ErrUserNotExist{0, login}
  347. }
  348. }
  349. var auth smtp.Auth
  350. if cfg.Auth == SMTP_PLAIN {
  351. auth = smtp.PlainAuth("", login, password, cfg.Host)
  352. } else if cfg.Auth == SMTP_LOGIN {
  353. auth = &smtpLoginAuth{login, password}
  354. } else {
  355. return nil, errors.New("Unsupported SMTP auth type")
  356. }
  357. if err := SMTPAuth(auth, cfg); err != nil {
  358. // Check standard error format first,
  359. // then fallback to worse case.
  360. tperr, ok := err.(*textproto.Error)
  361. if (ok && tperr.Code == 535) ||
  362. strings.Contains(err.Error(), "Username and Password not accepted") {
  363. return nil, ErrUserNotExist{0, login}
  364. }
  365. return nil, err
  366. }
  367. if !autoRegister {
  368. return user, nil
  369. }
  370. username := login
  371. idx := strings.Index(login, "@")
  372. if idx > -1 {
  373. username = login[:idx]
  374. }
  375. user = &User{
  376. LowerName: strings.ToLower(username),
  377. Name: strings.ToLower(username),
  378. Email: login,
  379. Passwd: password,
  380. LoginType: LOGIN_SMTP,
  381. LoginSource: sourceID,
  382. LoginName: login,
  383. IsActive: true,
  384. }
  385. return user, CreateUser(user)
  386. }
  387. // __________ _____ _____
  388. // \______ \/ _ \ / \
  389. // | ___/ /_\ \ / \ / \
  390. // | | / | \/ Y \
  391. // |____| \____|__ /\____|__ /
  392. // \/ \/
  393. // LoginViaPAM queries if login/password is valid against the PAM,
  394. // and create a local user if success when enabled.
  395. func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig, autoRegister bool) (*User, error) {
  396. if err := pam.PAMAuth(cfg.ServiceName, login, password); err != nil {
  397. if strings.Contains(err.Error(), "Authentication failure") {
  398. return nil, ErrUserNotExist{0, login}
  399. }
  400. return nil, err
  401. }
  402. if !autoRegister {
  403. return user, nil
  404. }
  405. user = &User{
  406. LowerName: strings.ToLower(login),
  407. Name: login,
  408. Email: login,
  409. Passwd: password,
  410. LoginType: LOGIN_PAM,
  411. LoginSource: sourceID,
  412. LoginName: login,
  413. IsActive: true,
  414. }
  415. return user, CreateUser(user)
  416. }
  417. func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {
  418. if !source.IsActived {
  419. return nil, ErrLoginSourceNotActived
  420. }
  421. switch source.Type {
  422. case LOGIN_LDAP, LOGIN_DLDAP:
  423. return LoginViaLDAP(user, login, password, source, autoRegister)
  424. case LOGIN_SMTP:
  425. return LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)
  426. case LOGIN_PAM:
  427. return LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)
  428. }
  429. return nil, ErrUnsupportedLoginType
  430. }
  431. // UserSignIn validates user name and password.
  432. func UserSignIn(username, password string) (*User, error) {
  433. var user *User
  434. if strings.Contains(username, "@") {
  435. user = &User{Email: strings.ToLower(username)}
  436. } else {
  437. user = &User{LowerName: strings.ToLower(username)}
  438. }
  439. hasUser, err := x.Get(user)
  440. if err != nil {
  441. return nil, err
  442. }
  443. if hasUser {
  444. switch user.LoginType {
  445. case LOGIN_NOTYPE, LOGIN_PLAIN:
  446. if user.ValidatePassword(password) {
  447. return user, nil
  448. }
  449. return nil, ErrUserNotExist{user.ID, user.Name}
  450. default:
  451. var source LoginSource
  452. hasSource, err := x.Id(user.LoginSource).Get(&source)
  453. if err != nil {
  454. return nil, err
  455. } else if !hasSource {
  456. return nil, ErrLoginSourceNotExist{user.LoginSource}
  457. }
  458. return ExternalUserLogin(user, user.LoginName, password, &source, false)
  459. }
  460. }
  461. sources := make([]*LoginSource, 0, 3)
  462. if err = x.UseBool().Find(&sources, &LoginSource{IsActived: true}); err != nil {
  463. return nil, err
  464. }
  465. for _, source := range sources {
  466. authUser, err := ExternalUserLogin(nil, username, password, source, true)
  467. if err == nil {
  468. return authUser, nil
  469. }
  470. log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)
  471. }
  472. return nil, ErrUserNotExist{user.ID, user.Name}
  473. }