Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support SAML authentication #25165

Merged
merged 113 commits into from
Feb 23, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
113 commits
Select commit Hold shift + click to select a range
58f0598
feat(auth): add SAML
techknowlogick Jun 9, 2023
83975b0
make vendor & make fmt
techknowlogick Jun 9, 2023
a96ead2
add copy headers
techknowlogick Jun 9, 2023
961c714
add translations
techknowlogick Jun 9, 2023
36ca421
make tidy
techknowlogick Jun 9, 2023
fa79ccf
patch missed the missing imports
techknowlogick Jun 9, 2023
afa118a
Merge branch 'main' into saml
techknowlogick Jun 9, 2023
c89ce7f
Merge branch 'main' into saml
techknowlogick Aug 21, 2023
8b24ebd
make vendor tidy
techknowlogick Aug 21, 2023
2798cc1
fix settings templates
techknowlogick Aug 30, 2023
4400f9b
Merge branch 'main' into saml
techknowlogick Aug 31, 2023
c11d8e3
make fmt tidy
techknowlogick Aug 31, 2023
eb0e267
add button to login page
techknowlogick Aug 31, 2023
7ccc232
cleanup template
techknowlogick Aug 31, 2023
b46e5de
update comment
techknowlogick Aug 31, 2023
7ad1370
loading spinner (not a fan of the code duplication in this commit)
techknowlogick Aug 31, 2023
cfbd719
handle callback
techknowlogick Aug 31, 2023
d1af443
fix new saml provider form, add fields for specifying assertion keys
jackHay22 Sep 14, 2023
36219f8
fix whitespace change
jackHay22 Sep 14, 2023
5c7d549
revert comment change
jackHay22 Sep 14, 2023
f5466c9
remove extra character
jackHay22 Sep 14, 2023
68340b4
Merge pull request #1962 from jackHay22/jh/saml
techknowlogick Sep 26, 2023
d699b84
Merge remote-tracking branch 'upstream/main' into saml
techknowlogick Sep 26, 2023
7a92296
make tidy
techknowlogick Sep 26, 2023
6a6dc12
WIP: add auth type to external account linking
jackHay22 Sep 27, 2023
3042a08
fixes for account link
jackHay22 Sep 29, 2023
1dae9fd
rebase cleanup
jackHay22 Oct 2, 2023
d555cf9
whitespace fix
jackHay22 Oct 2, 2023
f8b3a2a
Merge pull request #1963 from jackHay22/jh/saml
techknowlogick Oct 8, 2023
85ba490
Merge remote-tracking branch 'upstream/main' into saml
techknowlogick Oct 15, 2023
10c6ca9
fix merge
techknowlogick Oct 15, 2023
9b90e35
fix merge
techknowlogick Oct 15, 2023
17f0fe5
return error for malformed xml to avoid panic, fix external link bug
jackHay22 Oct 30, 2023
503f652
Merge remote-tracking branch 'upstream/main' into saml
techknowlogick Oct 31, 2023
ece1d3c
pass ctx
techknowlogick Oct 31, 2023
e844904
fix func call
techknowlogick Oct 31, 2023
94aac36
pass ctx
techknowlogick Oct 31, 2023
f7d2246
ctx
techknowlogick Oct 31, 2023
47eaae4
ctx
techknowlogick Oct 31, 2023
0c92ddf
ctx
techknowlogick Oct 31, 2023
c4f7865
Merge pull request #1964 from jackHay22/jh/saml
techknowlogick Oct 31, 2023
99785b5
make tidy
techknowlogick Oct 31, 2023
1af96f1
Merge branch 'saml' of github.com:techknowlogick/gitea into techknowl…
lunny Nov 3, 2023
c07ad6c
Merge branch 'main' into saml
techknowlogick Nov 4, 2023
1f50dbb
Update auths.go
techknowlogick Nov 4, 2023
8b63e79
Merge branch 'main' into saml
techknowlogick Nov 8, 2023
0b90260
Merge branch 'main' into saml
techknowlogick Nov 13, 2023
80c9af9
ui fixes, docs
jackHay22 Dec 1, 2023
e9c1b0b
add saml integration test
jackHay22 Nov 8, 2023
449f5ff
add saml container to db test action
jackHay22 Nov 8, 2023
6f94f26
cleanup
jackHay22 Nov 8, 2023
721d453
fix env formatting
jackHay22 Nov 8, 2023
54c66b3
fix env vars
jackHay22 Nov 8, 2023
b1eaf6e
fix yaml lint
jackHay22 Nov 8, 2023
048de02
cleanup
jackHay22 Nov 8, 2023
0d84083
update port
jackHay22 Nov 9, 2023
9d064de
disable saml test when not in ci
jackHay22 Nov 9, 2023
44bdd31
add host mapping
jackHay22 Nov 9, 2023
2a93fcb
update urls
jackHay22 Nov 9, 2023
13f240d
use localhost
jackHay22 Nov 9, 2023
48cb4fa
update ports
jackHay22 Nov 9, 2023
567ea6c
cleanup
jackHay22 Nov 9, 2023
e26ba32
update docs
jackHay22 Nov 9, 2023
0636425
update test to work with simplesamlphp 2.1.0
jackHay22 Nov 15, 2023
eb6a58b
switch to use updated image
jackHay22 Nov 15, 2023
06c7818
disable saml tests for other db types
jackHay22 Nov 27, 2023
04d5b13
whitespace fix
jackHay22 Dec 1, 2023
2ff56a8
fix md formatting
jackHay22 Dec 1, 2023
3a25eb3
Merge pull request #1965 from jackHay22/jh/saml
techknowlogick Dec 1, 2023
156bc28
reorganize docs
jackHay22 Dec 6, 2023
37322f9
fix templates for edit page
jackHay22 Dec 7, 2023
acd00f8
documentation, improvements, clean up form and validation
jackHay22 Dec 7, 2023
c89b217
fix formatting
jackHay22 Dec 7, 2023
271e042
markdown linting fix
jackHay22 Dec 7, 2023
4d464a7
Merge pull request #1966 from jackHay22/jh/saml
techknowlogick Dec 7, 2023
9909373
omit cert, private key in test
jackHay22 Dec 8, 2023
f374036
Merge pull request #1967 from jackHay22/jh/saml
techknowlogick Dec 10, 2023
5b2acda
add optional saml icon
jackHay22 Dec 12, 2023
e355550
formatting fix
jackHay22 Dec 12, 2023
326b20c
Merge pull request #1968 from jackHay22/jh/saml
techknowlogick Dec 12, 2023
a39fd9f
Merge branch 'main' into saml
techknowlogick Dec 21, 2023
f18b8d4
update FindSources to generic db.Find
jackHay22 Dec 22, 2023
8b0cb4a
Use information from previous blame parts (#28572)
KN4CK3R Dec 21, 2023
041436d
improve possible performance bottleneck (#28547)
lunny Dec 21, 2023
b488887
Fix 500 error of searching commits (#28576)
wxiaoguang Dec 21, 2023
de0585a
Convert to url auth to header auth in tests (#28484)
KN4CK3R Dec 21, 2023
1b26247
Add more ways to try (#28581)
wolfogre Dec 22, 2023
896456a
Fix 405 method not allowed CORS / OIDC (#28583)
morphelinho Dec 22, 2023
e1502fb
Fix `status_check_contexts` matching bug (#28582)
Zettat123 Dec 22, 2023
9cee7e4
Fix wrong due date rendering in issue list page (#28588)
yardenshoham Dec 22, 2023
db26967
fix integration test
jackHay22 Dec 22, 2023
2d890d2
add header
jackHay22 Dec 22, 2023
88816c9
Merge branch 'main' into saml
6543 Dec 23, 2023
5a88198
Merge branch 'main' into saml
6543 Jan 20, 2024
231070d
Merge branch 'main' into saml
6543 Jan 22, 2024
1e6fde2
Apply suggestions from code review
techknowlogick Jan 22, 2024
7ff1ca7
clean up TODOs, update docs with missing features
jackHay22 Jan 23, 2024
0d72f35
cleanup
jackHay22 Jan 23, 2024
e95e5ca
apply review feedback
jackHay22 Jan 23, 2024
ee03122
whitespace fix
jackHay22 Jan 23, 2024
7053bdd
fix comment
jackHay22 Jan 23, 2024
a4044d5
Merge branch 'main' into saml
techknowlogick Jan 24, 2024
35248c8
make fmt
techknowlogick Jan 25, 2024
96b17bb
rm "this is a comment" ...
6543 Jan 25, 2024
808189d
Merge branch 'main' into saml
6543 Jan 25, 2024
3f9d230
Merge branch 'main' into saml
6543 Jan 26, 2024
33687ff
Merge branch 'main' into saml
6543 Jan 31, 2024
2fd7141
Merge branch 'main' into saml
6543 Feb 16, 2024
9cd1877
Merge branch 'main' into saml
silverwind Feb 16, 2024
d6ad033
document
6543 Feb 22, 2024
a813112
Merge branch 'main' into saml
6543 Feb 22, 2024
e36a88e
adjust to current codebase
6543 Feb 22, 2024
a4352ba
Merge branch 'main' into saml
GiteaBot Feb 22, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .github/workflows/pull-db-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,14 @@ jobs:
MINIO_ROOT_PASSWORD: 12345678
ports:
- "9000:9000"
simplesaml:
image: allspice/simple-saml
ports:
- "8080:8080"
env:
SIMPLESAMLPHP_SP_ENTITY_ID: http://localhost:3002/user/saml/test-sp/metadata
SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: http://localhost:3002/user/saml/test-sp/acs
SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE: http://localhost:3002/user/saml/test-sp/acs
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
Expand Down
25 changes: 25 additions & 0 deletions assets/go-licenses.json

Large diffs are not rendered by default.

69 changes: 69 additions & 0 deletions docs/content/usage/authentication.en-us.md
Original file line number Diff line number Diff line change
Expand Up @@ -349,3 +349,72 @@ If set `ENABLE_REVERSE_PROXY_FULL_NAME=true`, a user full name expected in `X-WE
You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUSTED_PROXIES` which default value is `127.0.0.0/8,::1/128`. By `REVERSE_PROXY_LIMIT`, you can limit trusted proxies level.

Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests.

## SAML

### Configuring Gitea as a SAML 2.0 Service Provider

- Navigate to `Site Administration > Identity & Access > Authentication Sources`.
- Click the `Add Authentication Source` button.
- Select `SAML` as the authentication type.

#### Features Not Yet Supported

Currently, auto-registration is not supported for SAML. During the external account linking process the user will be prompted to set a username and email address or link to an existing account.

SAML group mapping is not supported.

#### Settings

- `Authentication Name` **(required)**

- The name of this authentication source (appears in the Gitea ACS and metadata URLs)

- `SAML NameID Format` **(required)**

- This specifies how Identity Provider (IdP) users are mapped to Gitea users. This option will be provider specific.

- `Icon URL` (optional)

- URL of an icon to display on the Sign-In page for this authentication source.

- `[Insecure] Skip Assertion Signature Validation` (optional)

- This option is not recommended and disables integrity verification of IdP SAML assertions.

- `Identity Provider Metadata URL` (optional if XML set)

- The URL of the IdP metadata endpoint.
- This field must be set if `Identity Provider Metadata XML` is left blank.

- `Identity Provider Metadata XML` (optional if URL set)

- The XML returned by the IdP metadata endpoint.
- This field must be set if `Identity Provider Metadata URL` is left blank.

- `Service Provider Certificate` (optional)

- X.509-formatted certificate (with `Service Provider Private Key`) used for signing SAML requests.
- A certificate will be generated if this field is left blank.

- `Service Provider Private Key` (optional)

- DSA/RSA private key (with `Service Provider Certificate`) used for signing SAML requests.
- A private key will be generated if this field is left blank.

- `Email Assertion Key` (optional)

- The SAML assertion key used for the IdP user's email (depends on provider configuration).

- `Name Assertion Key` (optional)

- The SAML assertion key used for the IdP user's nickname (depends on provider configuration).

- `Username Assertion Key` (optional)

- The SAML assertion key used for the IdP user's username (depends on provider configuration).

### Configuring a SAML 2.0 Identity Provider to use Gitea

- The service provider assertion consumer service url will look like: `http(s)://[mydomain]/user/saml/[Authentication Name]/acs`.
- The service provider metadata url will look like: `http(s)://[mydomain]/user/saml/[Authentication Name]/metadata`.
5 changes: 5 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,8 @@ require (
github.com/quasoft/websspi v1.1.2
github.com/redis/go-redis/v9 v9.4.0
github.com/robfig/cron/v3 v3.0.1
github.com/russellhaering/gosaml2 v0.9.1
github.com/russellhaering/goxmldsig v1.3.0
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
github.com/sassoftware/go-rpmutils v0.2.1-0.20240124161140-277b154961dd
github.com/sergi/go-diff v1.3.1
Expand Down Expand Up @@ -143,6 +145,7 @@ require (
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aymerick/douceur v0.2.0 // indirect
github.com/beevik/etree v1.1.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bits-and-blooms/bitset v1.13.0 // indirect
github.com/blevesearch/bleve_index_api v1.1.5 // indirect
Expand Down Expand Up @@ -216,6 +219,7 @@ require (
github.com/imdario/mergo v0.3.16 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jessevdk/go-flags v1.5.0 // indirect
github.com/jonboulle/clockwork v0.3.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/pgzip v1.2.6 // indirect
Expand All @@ -225,6 +229,7 @@ require (
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/markbates/going v1.0.3 // indirect
github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-runewidth v0.0.15 // indirect
github.com/mholt/acmez v1.2.0 // indirect
Expand Down
12 changes: 12 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,8 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/bits-and-blooms/bitset v1.1.10/go.mod h1:w0XsmFg8qg6cmpTtJ0z3pKgjTDBMMnI/+I2syrE6XBE=
Expand Down Expand Up @@ -566,6 +568,9 @@ github.com/jhillyerd/enmime v1.1.0 h1:ubaIzg68VY7CMCe2YbHe6nkRvU9vujixTkNz3EBvZO
github.com/jhillyerd/enmime v1.1.0/go.mod h1:FRFuUPCLh8PByQv+8xRcLO9QHqaqTqreYhopv5eyk4I=
github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg=
github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
Expand Down Expand Up @@ -634,6 +639,8 @@ github.com/markbates/going v1.0.3 h1:mY45T5TvW+Xz5A6jY7lf4+NLg9D8+iuStIHyR7M8qsE
github.com/markbates/going v1.0.3/go.mod h1:fQiT6v6yQar9UD6bd/D4Z5Afbk9J6BBVBtLiyY4gp2o=
github.com/markbates/goth v1.78.0 h1:7VEIFDycJp9deyVv3YraGBPdD0ZYQW93Y3Aw1eVP3BY=
github.com/markbates/goth v1.78.0/go.mod h1:X6xdNgpapSENS0O35iTBBcMHoJDQDfI9bJl+APCkYMc=
github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
Expand Down Expand Up @@ -766,12 +773,17 @@ github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
github.com/russellhaering/gosaml2 v0.9.1 h1:H/whrl8NuSoxyW46Ww5lKPskm+5K+qYLw9afqJ/Zef0=
github.com/russellhaering/gosaml2 v0.9.1/go.mod h1:ja+qgbayxm+0mxBRLMSUuX3COqy+sb0RRhIGun/W2kc=
github.com/russellhaering/goxmldsig v1.3.0 h1:DllIWUgMy0cRUMfGiASiYEa35nsieyD3cigIwLonTPM=
github.com/russellhaering/goxmldsig v1.3.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
Expand Down
20 changes: 5 additions & 15 deletions models/auth/oauth2.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"crypto/sha256"
"encoding/base32"
"encoding/base64"
"encoding/gob"
"fmt"
"net"
"net/url"
Expand Down Expand Up @@ -81,6 +82,10 @@ func Init(ctx context.Context) error {
builtinAllClientIDs = append(builtinAllClientIDs, clientID)
}

// This is needed in order to encode and store the struct in the goth/gothic session
// during the process of linking the external user.
gob.Register(LinkAccountUser{})
6543 marked this conversation as resolved.
Show resolved Hide resolved

var registeredApps []*OAuth2Application
if err := db.GetEngine(ctx).In("client_id", builtinAllClientIDs).Find(&registeredApps); err != nil {
return err
Expand Down Expand Up @@ -605,21 +610,6 @@ func (err ErrOAuthApplicationNotFound) Unwrap() error {
return util.ErrNotExist
}

// GetActiveOAuth2SourceByName returns a OAuth2 AuthSource based on the given name
func GetActiveOAuth2SourceByName(ctx context.Context, name string) (*Source, error) {
authSource := new(Source)
has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(authSource)
if err != nil {
return nil, err
}

if !has {
return nil, fmt.Errorf("oauth2 source not found, name: %q", name)
}

return authSource, nil
}

func DeleteOAuth2RelictsByUserID(ctx context.Context, userID int64) error {
deleteCond := builder.Select("id").From("oauth2_grant").Where(builder.Eq{"oauth2_grant.user_id": userID})

Expand Down
38 changes: 38 additions & 0 deletions models/auth/source.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import (
"code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/util"

"github.com/markbates/goth"
"xorm.io/builder"
"xorm.io/xorm"
"xorm.io/xorm/convert"
Expand All @@ -32,6 +33,7 @@ const (
DLDAP // 5
OAuth2 // 6
SSPI // 7
SAML // 8
)

// String returns the string name of the LoginType
Expand All @@ -52,6 +54,7 @@ var Names = map[Type]string{
PAM: "PAM",
OAuth2: "OAuth2",
SSPI: "SPNEGO with SSPI",
SAML: "SAML",
}

// Config represents login config as far as the db is concerned
Expand Down Expand Up @@ -121,6 +124,12 @@ type Source struct {
UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"`
}

// LinkAccountUser is used to link an external user with a local user
type LinkAccountUser struct {
Type Type
GothUser goth.User
}

// TableName xorm will read the table name from this method
func (Source) TableName() string {
return "login_source"
Expand Down Expand Up @@ -180,6 +189,11 @@ func (source *Source) IsSSPI() bool {
return source.Type == SSPI
}

// IsSAML returns true of this source is of the SAML type.
func (source *Source) IsSAML() bool {
return source.Type == SAML
}

// HasTLS returns true of this source supports TLS.
func (source *Source) HasTLS() bool {
hasTLSer, ok := source.Cfg.(HasTLSer)
Expand Down Expand Up @@ -392,3 +406,27 @@ func IsErrSourceInUse(err error) bool {
func (err ErrSourceInUse) Error() string {
return fmt.Sprintf("login source is still used by some users [id: %d]", err.ID)
}

// GetActiveAuthProviderSources returns all activated sources
func GetActiveAuthProviderSources(ctx context.Context, authType Type) ([]*Source, error) {
sources := make([]*Source, 0, 1)
if err := db.GetEngine(ctx).Where("is_active = ? and type = ?", true, authType).Find(&sources); err != nil {
return nil, err
}
return sources, nil
}

// GetActiveAuthSourceByName returns an AuthSource based on the given name and type
func GetActiveAuthSourceByName(ctx context.Context, name string, authType Type) (*Source, error) {
authSource := new(Source)
has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, authType, true).Get(authSource)
if err != nil {
return nil, err
}

if !has {
return nil, fmt.Errorf("auth source not found, name: %q", name)
}

return authSource, nil
}
14 changes: 14 additions & 0 deletions options/locale/locale_en-US.ini
Original file line number Diff line number Diff line change
Expand Up @@ -522,6 +522,9 @@ Content = Content
SSPISeparatorReplacement = Separator
SSPIDefaultLanguage = Default Language

SAMLMetadata = Either SAML Identity Provider metadata URL or XML
SAMLMetadataURL = SAML Identity Provider metadata URL is invalid

require_error = ` cannot be empty.`
alpha_dash_error = ` should contain only alphanumeric, dash ('-') and underscore ('_') characters.`
alpha_dash_dot_error = ` should contain only alphanumeric, dash ('-'), underscore ('_') and dot ('.') characters.`
Expand Down Expand Up @@ -3026,7 +3029,18 @@ auths.sspi_separator_replacement = Separator to use instead of \, / and @
auths.sspi_separator_replacement_helper = The character to use to replace the separators of down-level logon names (eg. the \ in "DOMAIN\user") and user principal names (eg. the @ in "user@example.org").
auths.sspi_default_language = Default user language
auths.sspi_default_language_helper = Default language for users automatically created by SSPI auth method. Leave empty if you prefer language to be automatically detected.
auths.saml_nameidformat = SAML NameID Format
auths.saml_identity_provider_metadata_url = Identity Provider Metadata URL
auths.saml_identity_provider_metadata = Identity Provider Metadata XML
auths.saml_insecure_skip_assertion_signature_validation = [Insecure] Skip Assertion Signature Validation
auths.saml_service_provider_certificate = Service Provider Certificate
auths.saml_service_provider_private_key = Service Provider Private Key
auths.saml_identity_provider_email_assertion_key = Email Assertion Key
auths.saml_identity_provider_name_assertion_key = Name Assertion Key
auths.saml_identity_provider_username_assertion_key = Username Assertion Key
auths.saml_icon_url = Icon URL
auths.tips = Tips
auths.tips.saml = Documentation can be found at https://docs.gitea.com/usage/authentication#saml
auths.tips.oauth2.general = OAuth2 Authentication
auths.tips.oauth2.general.tip = When registering a new OAuth2 authentication, the callback/redirect URL should be:
auths.tip.oauth2_provider = OAuth2 Provider
Expand Down
2 changes: 2 additions & 0 deletions routers/init.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ import (
actions_service "code.gitea.io/gitea/services/actions"
"code.gitea.io/gitea/services/auth"
"code.gitea.io/gitea/services/auth/source/oauth2"
"code.gitea.io/gitea/services/auth/source/saml"
"code.gitea.io/gitea/services/automerge"
"code.gitea.io/gitea/services/cron"
feed_service "code.gitea.io/gitea/services/feed"
Expand Down Expand Up @@ -138,6 +139,7 @@ func InitWebInstalled(ctx context.Context) {
log.Info("ORM engine initialization successful!")
mustInit(system.Init)
mustInitCtx(ctx, oauth2.Init)
mustInitCtx(ctx, saml.Init)

mustInit(release_service.Init)

Expand Down
Loading
Loading