afan
/
gitea
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
gitea源码
3 коммитов
2 веток
ветка: master
веток Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'master'
${ noResults }
gitea/services/auth/reverseproxy.go

reverseproxy.go 5.9KB
Постоянная ссылка История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2019 The Gitea Authors. All rights reserved.

  3. // SPDX-License-Identifier: MIT

  4. 

  5. package auth

  6. 

  7. import (

  8. 	"net/http"

  9. 	"strings"

  10. 

  11. 	user_model "code.gitea.io/gitea/models/user"

  12. 	"code.gitea.io/gitea/modules/log"

  13. 	"code.gitea.io/gitea/modules/optional"

  14. 	"code.gitea.io/gitea/modules/setting"

  15. 

  16. 	gouuid "github.com/google/uuid"

  17. )

  18. 

  19. // Ensure the struct implements the interface.

  20. var (

  21. 	_ Method = &ReverseProxy{}

  22. )

  23. 

  24. // ReverseProxyMethodName is the constant name of the ReverseProxy authentication method

  25. const ReverseProxyMethodName = "reverse_proxy"

  26. 

  27. // ReverseProxy implements the Auth interface, but actually relies on

  28. // a reverse proxy for authentication of users.

  29. // On successful authentication the proxy is expected to populate the username in the

  30. // "setting.ReverseProxyAuthUser" header. Optionally it can also populate the email of the

  31. // user in the "setting.ReverseProxyAuthEmail" header.

  32. type ReverseProxy struct{}

  33. 

  34. // getUserName extracts the username from the "setting.ReverseProxyAuthUser" header

  35. func (r *ReverseProxy) getUserName(req *http.Request) string {

  36. 	return strings.TrimSpace(req.Header.Get(setting.ReverseProxyAuthUser))

  37. }

  38. 

  39. // Name represents the name of auth method

  40. func (r *ReverseProxy) Name() string {

  41. 	return ReverseProxyMethodName

  42. }

  43. 

  44. // getUserFromAuthUser extracts the username from the "setting.ReverseProxyAuthUser" header

  45. // of the request and returns the corresponding user object for that name.

  46. // Verification of header data is not performed as it should have already been done by

  47. // the reverse proxy.

  48. // If a username is available in the "setting.ReverseProxyAuthUser" header an existing

  49. // user object is returned (populated with username or email found in header).

  50. // Returns nil if header is empty.

  51. func (r *ReverseProxy) getUserFromAuthUser(req *http.Request) (*user_model.User, error) {

  52. 	username := r.getUserName(req)

  53. 	if len(username) == 0 {

  54. 		return nil, nil

  55. 	}

  56. 	log.Trace("ReverseProxy Authorization: Found username: %s", username)

  57. 

  58. 	user, err := user_model.GetUserByName(req.Context(), username)

  59. 	if err != nil {

  60. 		if !user_model.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {

  61. 			log.Error("GetUserByName: %v", err)

  62. 			return nil, err

  63. 		}

  64. 		user = r.newUser(req)

  65. 	}

  66. 	return user, nil

  67. }

  68. 

  69. // getEmail extracts the email from the "setting.ReverseProxyAuthEmail" header

  70. func (r *ReverseProxy) getEmail(req *http.Request) string {

  71. 	return strings.TrimSpace(req.Header.Get(setting.ReverseProxyAuthEmail))

  72. }

  73. 

  74. // getUserFromAuthEmail extracts the username from the "setting.ReverseProxyAuthEmail" header

  75. // of the request and returns the corresponding user object for that email.

  76. // Verification of header data is not performed as it should have already been done by

  77. // the reverse proxy.

  78. // If an email is available in the "setting.ReverseProxyAuthEmail" header an existing

  79. // user object is returned (populated with the email found in header).

  80. // Returns nil if header is empty or if "setting.EnableReverseProxyEmail" is disabled.

  81. func (r *ReverseProxy) getUserFromAuthEmail(req *http.Request) *user_model.User {

  82. 	if !setting.Service.EnableReverseProxyEmail {

  83. 		return nil

  84. 	}

  85. 	email := r.getEmail(req)

  86. 	if len(email) == 0 {

  87. 		return nil

  88. 	}

  89. 	log.Trace("ReverseProxy Authorization: Found email: %s", email)

  90. 

  91. 	user, err := user_model.GetUserByEmail(req.Context(), email)

  92. 	if err != nil {

  93. 		// Do not allow auto-registration, we don't have a username here

  94. 		if !user_model.IsErrUserNotExist(err) {

  95. 			log.Error("GetUserByEmail: %v", err)

  96. 		}

  97. 		return nil

  98. 	}

  99. 	return user

  100. }

  101. 

  102. // Verify attempts to load a user object based on headers sent by the reverse proxy.

  103. // First it will attempt to load it based on the username (see docs for getUserFromAuthUser),

  104. // and failing that it will attempt to load it based on the email (see docs for getUserFromAuthEmail).

  105. // Returns nil if the headers are empty or the user is not found.

  106. func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {

  107. 	user, err := r.getUserFromAuthUser(req)

  108. 	if err != nil {

  109. 		return nil, err

  110. 	}

  111. 	if user == nil {

  112. 		user = r.getUserFromAuthEmail(req)

  113. 		if user == nil {

  114. 			return nil, nil

  115. 		}

  116. 	}

  117. 

  118. 	// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session

  119. 	detector := newAuthPathDetector(req)

  120. 	if !detector.isAPIPath() && !detector.isAttachmentDownload() && !detector.isGitRawOrAttachOrLFSPath() {

  121. 		if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) {

  122. 			handleSignIn(w, req, sess, user)

  123. 		}

  124. 	}

  125. 	store.GetData()["IsReverseProxy"] = true

  126. 

  127. 	log.Trace("ReverseProxy Authorization: Logged in user %-v", user)

  128. 	return user, nil

  129. }

  130. 

  131. // isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true

  132. func (r *ReverseProxy) isAutoRegisterAllowed() bool {

  133. 	return setting.Service.EnableReverseProxyAutoRegister

  134. }

  135. 

  136. // newUser creates a new user object for the purpose of automatic registration

  137. // and populates its name and email with the information present in request headers.

  138. func (r *ReverseProxy) newUser(req *http.Request) *user_model.User {

  139. 	username := r.getUserName(req)

  140. 	if len(username) == 0 {

  141. 		return nil

  142. 	}

  143. 

  144. 	email := gouuid.New().String() + "@localhost"

  145. 	if setting.Service.EnableReverseProxyEmail {

  146. 		webAuthEmail := req.Header.Get(setting.ReverseProxyAuthEmail)

  147. 		if len(webAuthEmail) > 0 {

  148. 			email = webAuthEmail

  149. 		}

  150. 	}

  151. 

  152. 	var fullname string

  153. 	if setting.Service.EnableReverseProxyFullName {

  154. 		fullname = req.Header.Get(setting.ReverseProxyAuthFullName)

  155. 	}

  156. 

  157. 	user := &user_model.User{

  158. 		Name:     username,

  159. 		Email:    email,

  160. 		FullName: fullname,

  161. 	}

  162. 

  163. 	overwriteDefault := user_model.CreateUserOverwriteOptions{

  164. 		IsActive: optional.Some(true),

  165. 	}

  166. 

  167. 	if err := user_model.CreateUser(req.Context(), user, &user_model.Meta{}, &overwriteDefault); err != nil {

  168. 		// FIXME: should I create a system notice?

  169. 		log.Error("CreateUser: %v", err)

  170. 		return nil

  171. 	}

  172. 

  173. 	return user

  174. }