web/forgejo
10
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions4
forgejo/services/auth/source/ldap/source_authenticate.go
zeripath 27b351aba5
Make LDAP be able to skip local 2FA () 
This PR extends  to allow LDAP to be able to be set to skip local 2FA too. The technique used here would be extensible to PAM and SMTP sources.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-17 12:43:47 +01:00

104 lines
2.8 KiB
Go
Raw Blame History

// Copyright 2021 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package ldap
import (
"fmt"
"strings"
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/services/mailer"
)
// Authenticate queries if login/password is valid against the LDAP directory pool,
// and create a local user if success when enabled.
func (source *Source) Authenticate(user *models.User, login, password string) (*models.User, error) {
sr := source.SearchEntry(login, password, source.loginSource.Type == models.LoginDLDAP)
if sr == nil {
// User not in LDAP, do nothing
return nil, models.ErrUserNotExist{Name: login}
}
isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0
// Update User admin flag if exist
if isExist, err := models.IsUserExist(0, sr.Username); err != nil {
return nil, err
} else if isExist {
if user == nil {
user, err = models.GetUserByName(sr.Username)
if err != nil {
return nil, err
}
}
if user != nil && !user.ProhibitLogin {
cols := make([]string, 0)
if len(source.AdminFilter) > 0 && user.IsAdmin != sr.IsAdmin {
// Change existing admin flag only if AdminFilter option is set
user.IsAdmin = sr.IsAdmin
cols = append(cols, "is_admin")
}
if !user.IsAdmin && len(source.RestrictedFilter) > 0 && user.IsRestricted != sr.IsRestricted {
// Change existing restricted flag only if RestrictedFilter option is set
user.IsRestricted = sr.IsRestricted
cols = append(cols, "is_restricted")
}
if len(cols) > 0 {
err = models.UpdateUserCols(user, cols...)
if err != nil {
return nil, err
}
}
}
}
if user != nil {
if isAttributeSSHPublicKeySet && models.SynchronizePublicKeys(user, source.loginSource, sr.SSHPublicKey) {
return user, models.RewriteAllPublicKeys()
}
return user, nil
}
// Fallback.
if len(sr.Username) == 0 {
sr.Username = login
}
if len(sr.Mail) == 0 {
sr.Mail = fmt.Sprintf("%s@localhost", sr.Username)
}
user = &models.User{
LowerName: strings.ToLower(sr.Username),
Name: sr.Username,
FullName: composeFullName(sr.Name, sr.Surname, sr.Username),
Email: sr.Mail,
LoginType: source.loginSource.Type,
LoginSource: source.loginSource.ID,
LoginName: login,
IsActive: true,
IsAdmin: sr.IsAdmin,
IsRestricted: sr.IsRestricted,
}
err := models.CreateUser(user)
if err != nil {
return user, err
}
mailer.SendRegisterNotifyMail(user)
if isAttributeSSHPublicKeySet && models.AddPublicKeysBySource(user, source.loginSource, sr.SSHPublicKey) {
err = models.RewriteAllPublicKeys()
}
return user, err
}
// IsSkipLocalTwoFA returns if this source should skip local 2fa for password authentication
func (source *Source) IsSkipLocalTwoFA() bool {
return source.SkipLocalTwoFA
}
Reference in a new issue View git blame Copy permalink