1ee59f0fa3
We have some instances that only allow using an external authentication source for authentication. In this case, users changing their email, password, or linked OpenID connections will not have any effect, and we'd like to prevent showing that to them to prevent confusion. Included in this are several changes to support this: * A new setting to disable user managed authentication credentials (email, password & OpenID connections) * A new setting to disable user managed MFA (2FA codes & WebAuthn) * Fix an issue where some templates had separate logic for determining if a feature was disabled since it didn't check the globally disabled features * Hide more user setting pages in the navbar when their settings aren't enabled --------- Co-authored-by: Kyle D <kdumontnu@gmail.com>
139 lines
4.0 KiB
Go
139 lines
4.0 KiB
Go
// Copyright 2018 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package security
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
"strconv"
|
|
"time"
|
|
|
|
"code.gitea.io/gitea/models/auth"
|
|
user_model "code.gitea.io/gitea/models/user"
|
|
wa "code.gitea.io/gitea/modules/auth/webauthn"
|
|
"code.gitea.io/gitea/modules/log"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/modules/web"
|
|
"code.gitea.io/gitea/services/context"
|
|
"code.gitea.io/gitea/services/forms"
|
|
|
|
"github.com/go-webauthn/webauthn/protocol"
|
|
"github.com/go-webauthn/webauthn/webauthn"
|
|
)
|
|
|
|
// WebAuthnRegister initializes the webauthn registration procedure
|
|
func WebAuthnRegister(ctx *context.Context) {
|
|
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {
|
|
ctx.Error(http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
form := web.GetForm(ctx).(*forms.WebauthnRegistrationForm)
|
|
if form.Name == "" {
|
|
// Set name to the hexadecimal of the current time
|
|
form.Name = strconv.FormatInt(time.Now().UnixNano(), 16)
|
|
}
|
|
|
|
cred, err := auth.GetWebAuthnCredentialByName(ctx, ctx.Doer.ID, form.Name)
|
|
if err != nil && !auth.IsErrWebAuthnCredentialNotExist(err) {
|
|
ctx.ServerError("GetWebAuthnCredentialsByUID", err)
|
|
return
|
|
}
|
|
if cred != nil {
|
|
ctx.Error(http.StatusConflict, "Name already taken")
|
|
return
|
|
}
|
|
|
|
_ = ctx.Session.Delete("webauthnRegistration")
|
|
if err := ctx.Session.Set("webauthnName", form.Name); err != nil {
|
|
ctx.ServerError("Unable to set session key for webauthnName", err)
|
|
return
|
|
}
|
|
|
|
credentialOptions, sessionData, err := wa.WebAuthn.BeginRegistration((*wa.User)(ctx.Doer), webauthn.WithAuthenticatorSelection(protocol.AuthenticatorSelection{
|
|
ResidentKey: protocol.ResidentKeyRequirementRequired,
|
|
}))
|
|
if err != nil {
|
|
ctx.ServerError("Unable to BeginRegistration", err)
|
|
return
|
|
}
|
|
|
|
// Save the session data as marshaled JSON
|
|
if err = ctx.Session.Set("webauthnRegistration", sessionData); err != nil {
|
|
ctx.ServerError("Unable to set session", err)
|
|
return
|
|
}
|
|
|
|
ctx.JSON(http.StatusOK, credentialOptions)
|
|
}
|
|
|
|
// WebauthnRegisterPost receives the response of the security key
|
|
func WebauthnRegisterPost(ctx *context.Context) {
|
|
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {
|
|
ctx.Error(http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
name, ok := ctx.Session.Get("webauthnName").(string)
|
|
if !ok || name == "" {
|
|
ctx.ServerError("Get webauthnName", errors.New("no webauthnName"))
|
|
return
|
|
}
|
|
|
|
// Load the session data
|
|
sessionData, ok := ctx.Session.Get("webauthnRegistration").(*webauthn.SessionData)
|
|
if !ok || sessionData == nil {
|
|
ctx.ServerError("Get registration", errors.New("no registration"))
|
|
return
|
|
}
|
|
defer func() {
|
|
_ = ctx.Session.Delete("webauthnRegistration")
|
|
}()
|
|
|
|
// Verify that the challenge succeeded
|
|
cred, err := wa.WebAuthn.FinishRegistration((*wa.User)(ctx.Doer), *sessionData, ctx.Req)
|
|
if err != nil {
|
|
if pErr, ok := err.(*protocol.Error); ok {
|
|
log.Error("Unable to finish registration due to error: %v\nDevInfo: %s", pErr, pErr.DevInfo)
|
|
}
|
|
ctx.ServerError("CreateCredential", err)
|
|
return
|
|
}
|
|
|
|
dbCred, err := auth.GetWebAuthnCredentialByName(ctx, ctx.Doer.ID, name)
|
|
if err != nil && !auth.IsErrWebAuthnCredentialNotExist(err) {
|
|
ctx.ServerError("GetWebAuthnCredentialsByUID", err)
|
|
return
|
|
}
|
|
if dbCred != nil {
|
|
ctx.Error(http.StatusConflict, "Name already taken")
|
|
return
|
|
}
|
|
|
|
// Create the credential
|
|
_, err = auth.CreateCredential(ctx, ctx.Doer.ID, name, cred)
|
|
if err != nil {
|
|
ctx.ServerError("CreateCredential", err)
|
|
return
|
|
}
|
|
_ = ctx.Session.Delete("webauthnName")
|
|
|
|
ctx.JSON(http.StatusCreated, cred)
|
|
}
|
|
|
|
// WebauthnDelete deletes an security key by id
|
|
func WebauthnDelete(ctx *context.Context) {
|
|
if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {
|
|
ctx.Error(http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
form := web.GetForm(ctx).(*forms.WebauthnDeleteForm)
|
|
if _, err := auth.DeleteCredential(ctx, form.ID, ctx.Doer.ID); err != nil {
|
|
ctx.ServerError("GetWebAuthnCredentialByID", err)
|
|
return
|
|
}
|
|
ctx.JSONRedirect(setting.AppSubURL + "/user/settings/security")
|
|
}
|