Account autocreation from LDAP after reverse proxy authentication #12960
Conversation
Gitea allows autocreation of account from external source after successful basic auth but not after successful reverse proxy auth. This mod adds such feature. Unfortunaltely gitea does not sync all user attributes from LDAP for existing users on login like cron.sync_external_users does so changes of first name, surname, e-mail are not updated from LDAP on login for exiting users - only after first login and after sync_external_users task. Related: gogs/gogs#2498 Author-Change-Id: IB#1104925
|
BTW: please consider refactoring gitea code to separate authentication logic from authorization logic and from user data synchronization logic and moving all auth/authz/sync configuration from SQL to app.ini; mixing these things makes changes harder and error prone; configuration in SQL is a pain when using automated provisioning; also external passwords like LDAP are problably less secure when stored in SQL (and every SQL backup...). BTW2: please consider synchronization of user avatar from jpegPhoto LDAP attribute (if exists). BTW3: please consider disallowing local (in gitea) user attributes modifications for attributes imported from LDAP (i.e. first name, surname, e-mail, is active, is admin, etc.); LDAP synchronization often (always?) means that admin wants to manage this data in LDAP not in app. |
GiteaBot
added
the
lgtm/need 2
Codecov Report
@@ Coverage Diff @@
## master #12960 +/- ##
==========================================
- Coverage 42.84% 42.63% -0.21%
==========================================
Files 662 669 +7
Lines 73002 73506 +504
==========================================
+ Hits 31279 31341 +62
- Misses 36652 37077 +425
- Partials 5071 5088 +17
Continue to review full report at Codecov.
|
I don't agree as that loses ability to configure from UI and secrets in DB is maybe even more secure than in config file.
There is already issue for this. Avatar should probably be synchronized only on login not to have too much load on sync process.
Please submit separate issue for this. |
Current design does not allow application admin to be denied access for messing low level configuration like LDAP backends (this should be server admin not application admin business).
Please take a look at #13068 |
Gitea does not update user language on first login when in reverse proxy mode; this causes errors when user tries to update their settings without setting language. This mod sets language in reverse mode also like for regular logins in routers/user/auth.go > handleSignInFull(). Fixes: bd8361d Author-Change-Id: IB#1104925
Gitea does not initialize user session after login using reverse proxy header. This fixes it. Fixes: 3df7fb6 Author-Change-Id: IB#1104925
Gitea does not initialize user session after login using reverse proxy header. This fixes it. Fixes: 45ea55d Author-Change-Id: IB#1104925
Gitea does not initialize user session after login using reverse proxy header. This fixes it. Fixes: 41ddcd0 Author-Change-Id: IB#1104925
Gitea does not initialize user session after login using reverse proxy header. This fixes it. Fixes: 53a9b26 Author-Change-Id: IB#1104925
Gitea does not initialize user session after login using reverse proxy header. This fixes it. Fixes: 22441d9 Author-Change-Id: IB#1104925
Gitea does not initialize user session after login using reverse proxy header. This fixes it. Fixes: 46304f2 Author-Change-Id: IB#1104925
Gitea does not initialize user session after login using reverse proxy header. This fixes it. Fixes: cb48990 Author-Change-Id: IB#1104925
|
Just fixed another problem with reverse proxy login - user lang was ignored and csrf error was fired on first user settings saving. Login with header use now session to avoid setting cookies with every request; session is skipped for API calls like in sspi_windows.go. |
GiteaBot
added
lgtm/need 1
|
agh wrong button! |
| if len(passwd) == 0 && !alreadyAuthenticated { | ||
| log.Debug("Auth. failed for %s, password cannot be empty", name) | ||
| return nil | ||
| } | ||
| if directBind && alreadyAuthenticated { | ||
| log.Debug("Cannot bind using user %s credentials - user already authenticated. BindDN must be used.", name) | ||
| return nil | ||
| } | ||
|
|
||
| if !ls.AttributesInBind && alreadyAuthenticated { | ||
| log.Debug("Cannot get attributes using user %s credentials - user already authenticated; --attributes-in-bind must be used.", name) | ||
| return nil | ||
| } | ||
|
|
There was a problem hiding this comment.
| if len(passwd) == 0 && !alreadyAuthenticated { | |
| log.Debug("Auth. failed for %s, password cannot be empty", name) | |
| return nil | |
| } | |
| if directBind && alreadyAuthenticated { | |
| log.Debug("Cannot bind using user %s credentials - user already authenticated. BindDN must be used.", name) | |
| return nil | |
| } | |
| if !ls.AttributesInBind && alreadyAuthenticated { | |
| log.Debug("Cannot get attributes using user %s credentials - user already authenticated; --attributes-in-bind must be used.", name) | |
| return nil | |
| } | |
| if alreadyAuthenticated { | |
| if directBind { | |
| log.Debug("Cannot bind pre-authenticated user %s. BindDN must be used.", name) | |
| return nil | |
| } | |
| if !ls.AttributesInBind { | |
| log.Debug("Cannot get attributes for pre-authenticated user %s without --attributes-in-bind.", name) | |
| return nil | |
| } | |
| } else if len(passwd) == 0 { | |
| log.Debug("Auth. failed for %s, password cannot be empty", name) | |
| return nil | |
| } |
| // UserSignIn validates user name and password. | ||
| func UserSignIn(username, password string) (*User, error) { | ||
| // UserSignIn validates user name and password. Password verification in LDAP skipped if already authenticated. | ||
| func UserSignIn(username, password string, alreadyAuthenticated bool) (*User, error) { |
There was a problem hiding this comment.
I guess one thing I don't really like about this is that the user has already signed in - we're just abusing this function to lookup the user in the external source - and only in one place (at least so far). Maybe we should be doing a ExternalUserLookup or something like that.
There was a problem hiding this comment.
Further if the user is in the db then this alreadyAuthenticated path fails.
There was a problem hiding this comment.
Further if the user is in the db then this alreadyAuthenticated path fails.
This mod works ok for us in scenario with LDAP user backend + reverse proxy auth using HTTP header. No problems with initial account creation nor logging in/updating existing accounts from LDAP. If you see any bug please describe how to reproduce.
Maybe we should be doing a ExternalUserLookup or something like that.
This mod was created for our needs with minimal changes in upstream code. Feel free to enhance it.
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions. |
|
@pboguslawski what is the current status if this? |
|
This mod was created for our needs with minimal changes in upstream code (which should be refactored as above IHMO) and works ok for us. Feel free to enhance it or close this PR if you don't like it. |
|
I guess this is going to miss 1.15 - My suspicion is that we need to think about authentication, authorization and user registration slightly differently. Currently registration is very tightly bound to the authentication source that it is associated with. I'm gonna move this to 1.16 but reference #16199 to remind myself. |
|
Replaced with #18452 |
Gitea allows autocreation of account from external source after successful
basic auth but not after successful reverse proxy auth. This mod adds such
feature.
Related: gogs/gogs#2498
Author-Change-Id: IB#1104925