forked from Shiloh/githaven
e8186f1c0f
Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
61 lines
1.6 KiB
Go
61 lines
1.6 KiB
Go
// Copyright 2022 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package auth
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"code.gitea.io/gitea/modules/context"
|
|
"code.gitea.io/gitea/modules/log"
|
|
"code.gitea.io/gitea/modules/web/middleware"
|
|
)
|
|
|
|
// Auth is a middleware to authenticate a web user
|
|
func Auth(authMethod Method) func(*context.Context) {
|
|
return func(ctx *context.Context) {
|
|
if err := authShared(ctx, authMethod); err != nil {
|
|
log.Error("Failed to verify user: %v", err)
|
|
ctx.Error(http.StatusUnauthorized, "Verify")
|
|
return
|
|
}
|
|
if ctx.Doer == nil {
|
|
// ensure the session uid is deleted
|
|
_ = ctx.Session.Delete("uid")
|
|
}
|
|
}
|
|
}
|
|
|
|
// APIAuth is a middleware to authenticate an api user
|
|
func APIAuth(authMethod Method) func(*context.APIContext) {
|
|
return func(ctx *context.APIContext) {
|
|
if err := authShared(ctx.Context, authMethod); err != nil {
|
|
ctx.Error(http.StatusUnauthorized, "APIAuth", err)
|
|
}
|
|
}
|
|
}
|
|
|
|
func authShared(ctx *context.Context, authMethod Method) error {
|
|
var err error
|
|
ctx.Doer, err = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if ctx.Doer != nil {
|
|
if ctx.Locale.Language() != ctx.Doer.Language {
|
|
ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
|
|
}
|
|
ctx.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == BasicMethodName
|
|
ctx.IsSigned = true
|
|
ctx.Data["IsSigned"] = ctx.IsSigned
|
|
ctx.Data["SignedUser"] = ctx.Doer
|
|
ctx.Data["SignedUserID"] = ctx.Doer.ID
|
|
ctx.Data["SignedUserName"] = ctx.Doer.Name
|
|
ctx.Data["IsAdmin"] = ctx.Doer.IsAdmin
|
|
} else {
|
|
ctx.Data["SignedUserID"] = int64(0)
|
|
ctx.Data["SignedUserName"] = ""
|
|
}
|
|
return nil
|
|
}
|