osbzr
/
com
项目红包剩余9514,下一贡献奖励5%,即 476个红包
Beobachten 15
Favorisieren 7
Wiki 捐赠
本站源代码
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
Struktur: 4f0cac5ea6
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „4f0cac5ea6“
${ noResults }
com/routers/user/auth_openid.go

465 Zeilen
13KB
Originalformat Blame Verlauf 

  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user

  6. 

  7. import (

  8. 	"fmt"

  9. 	"net/url"

  10. 

  11. 	"code.gitea.io/gitea/models"

  12. 	"code.gitea.io/gitea/modules/auth"

  13. 	"code.gitea.io/gitea/modules/auth/openid"

  14. 	"code.gitea.io/gitea/modules/base"

  15. 	"code.gitea.io/gitea/modules/context"

  16. 	"code.gitea.io/gitea/modules/generate"

  17. 	"code.gitea.io/gitea/modules/log"

  18. 	"code.gitea.io/gitea/modules/recaptcha"

  19. 	"code.gitea.io/gitea/modules/setting"

  20. 	"code.gitea.io/gitea/modules/timeutil"

  21. 	"code.gitea.io/gitea/services/mailer"

  22. 

  23. 	"gitea.com/macaron/captcha"

  24. )

  25. 

  26. const (

  27. 	tplSignInOpenID base.TplName = "user/auth/signin_openid"

  28. 	tplConnectOID   base.TplName = "user/auth/signup_openid_connect"

  29. 	tplSignUpOID    base.TplName = "user/auth/signup_openid_register"

  30. )

  31. 

  32. // SignInOpenID render sign in page

  33. func SignInOpenID(ctx *context.Context) {

  34. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  35. 

  36. 	if ctx.Query("openid.return_to") != "" {

  37. 		signInOpenIDVerify(ctx)

  38. 		return

  39. 	}

  40. 

  41. 	// Check auto-login.

  42. 	isSucceed, err := AutoSignIn(ctx)

  43. 	if err != nil {

  44. 		ctx.ServerError("AutoSignIn", err)

  45. 		return

  46. 	}

  47. 

  48. 	redirectTo := ctx.Query("redirect_to")

  49. 	if len(redirectTo) > 0 {

  50. 		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)

  51. 	} else {

  52. 		redirectTo = ctx.GetCookie("redirect_to")

  53. 	}

  54. 

  55. 	if isSucceed {

  56. 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)

  57. 		ctx.RedirectToFirst(redirectTo)

  58. 		return

  59. 	}

  60. 

  61. 	ctx.Data["PageIsSignIn"] = true

  62. 	ctx.Data["PageIsLoginOpenID"] = true

  63. 	ctx.HTML(200, tplSignInOpenID)

  64. }

  65. 

  66. // Check if the given OpenID URI is allowed by blacklist/whitelist

  67. func allowedOpenIDURI(uri string) (err error) {

  68. 

  69. 	// In case a Whitelist is present, URI must be in it

  70. 	// in order to be accepted

  71. 	if len(setting.Service.OpenIDWhitelist) != 0 {

  72. 		for _, pat := range setting.Service.OpenIDWhitelist {

  73. 			if pat.MatchString(uri) {

  74. 				return nil // pass

  75. 			}

  76. 		}

  77. 		// must match one of this or be refused

  78. 		return fmt.Errorf("URI not allowed by whitelist")

  79. 	}

  80. 

  81. 	// A blacklist match expliclty forbids

  82. 	for _, pat := range setting.Service.OpenIDBlacklist {

  83. 		if pat.MatchString(uri) {

  84. 			return fmt.Errorf("URI forbidden by blacklist")

  85. 		}

  86. 	}

  87. 

  88. 	return nil

  89. }

  90. 

  91. // SignInOpenIDPost response for openid sign in request

  92. func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {

  93. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  94. 	ctx.Data["PageIsSignIn"] = true

  95. 	ctx.Data["PageIsLoginOpenID"] = true

  96. 

  97. 	if ctx.HasError() {

  98. 		ctx.HTML(200, tplSignInOpenID)

  99. 		return

  100. 	}

  101. 

  102. 	id, err := openid.Normalize(form.Openid)

  103. 	if err != nil {

  104. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)

  105. 		return

  106. 	}

  107. 	form.Openid = id

  108. 

  109. 	log.Trace("OpenID uri: " + id)

  110. 

  111. 	err = allowedOpenIDURI(id)

  112. 	if err != nil {

  113. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)

  114. 		return

  115. 	}

  116. 

  117. 	redirectTo := setting.AppURL + "user/login/openid"

  118. 	url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)

  119. 	if err != nil {

  120. 		log.Error("Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())

  121. 		ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)

  122. 		return

  123. 	}

  124. 

  125. 	// Request optional nickname and email info

  126. 	// NOTE: change to `openid.sreg.required` to require it

  127. 	url += "&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1"

  128. 	url += "&openid.sreg.optional=nickname%2Cemail"

  129. 

  130. 	log.Trace("Form-passed openid-remember: %t", form.Remember)

  131. 	err = ctx.Session.Set("openid_signin_remember", form.Remember)

  132. 	if err != nil {

  133. 		log.Error("SignInOpenIDPost: Could not set session: %v", err.Error())

  134. 	}

  135. 

  136. 	ctx.Redirect(url)

  137. }

  138. 

  139. // signInOpenIDVerify handles response from OpenID provider

  140. func signInOpenIDVerify(ctx *context.Context) {

  141. 

  142. 	log.Trace("Incoming call to: " + ctx.Req.Request.URL.String())

  143. 

  144. 	fullURL := setting.AppURL + ctx.Req.Request.URL.String()[1:]

  145. 	log.Trace("Full URL: " + fullURL)

  146. 

  147. 	var id, err = openid.Verify(fullURL)

  148. 	if err != nil {

  149. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  150. 			Openid: id,

  151. 		})

  152. 		return

  153. 	}

  154. 

  155. 	log.Trace("Verified ID: " + id)

  156. 

  157. 	/* Now we should seek for the user and log him in, or prompt

  158. 	 * to register if not found */

  159. 

  160. 	u, err := models.GetUserByOpenID(id)

  161. 	if err != nil {

  162. 		if !models.IsErrUserNotExist(err) {

  163. 			ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  164. 				Openid: id,

  165. 			})

  166. 			return

  167. 		}

  168. 		log.Error("signInOpenIDVerify: %v", err)

  169. 	}

  170. 	if u != nil {

  171. 		log.Trace("User exists, logging in")

  172. 		remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  173. 		log.Trace("Session stored openid-remember: %t", remember)

  174. 		handleSignIn(ctx, u, remember)

  175. 		return

  176. 	}

  177. 

  178. 	log.Trace("User with openid " + id + " does not exist, should connect or register")

  179. 

  180. 	parsedURL, err := url.Parse(fullURL)

  181. 	if err != nil {

  182. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  183. 			Openid: id,

  184. 		})

  185. 		return

  186. 	}

  187. 	values, err := url.ParseQuery(parsedURL.RawQuery)

  188. 	if err != nil {

  189. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  190. 			Openid: id,

  191. 		})

  192. 		return

  193. 	}

  194. 	email := values.Get("openid.sreg.email")

  195. 	nickname := values.Get("openid.sreg.nickname")

  196. 

  197. 	log.Trace("User has email=" + email + " and nickname=" + nickname)

  198. 

  199. 	if email != "" {

  200. 		u, err = models.GetUserByEmail(email)

  201. 		if err != nil {

  202. 			if !models.IsErrUserNotExist(err) {

  203. 				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  204. 					Openid: id,

  205. 				})

  206. 				return

  207. 			}

  208. 			log.Error("signInOpenIDVerify: %v", err)

  209. 		}

  210. 		if u != nil {

  211. 			log.Trace("Local user " + u.LowerName + " has OpenID provided email " + email)

  212. 		}

  213. 	}

  214. 

  215. 	if u == nil && nickname != "" {

  216. 		u, _ = models.GetUserByName(nickname)

  217. 		if err != nil {

  218. 			if !models.IsErrUserNotExist(err) {

  219. 				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  220. 					Openid: id,

  221. 				})

  222. 				return

  223. 			}

  224. 		}

  225. 		if u != nil {

  226. 			log.Trace("Local user " + u.LowerName + " has OpenID provided nickname " + nickname)

  227. 		}

  228. 	}

  229. 

  230. 	err = ctx.Session.Set("openid_verified_uri", id)

  231. 	if err != nil {

  232. 		log.Error("signInOpenIDVerify: Could not set session: %v", err.Error())

  233. 	}

  234. 

  235. 	err = ctx.Session.Set("openid_determined_email", email)

  236. 	if err != nil {

  237. 		log.Error("signInOpenIDVerify: Could not set session: %v", err.Error())

  238. 	}

  239. 

  240. 	if u != nil {

  241. 		nickname = u.LowerName

  242. 	}

  243. 

  244. 	err = ctx.Session.Set("openid_determined_username", nickname)

  245. 	if err != nil {

  246. 		log.Error("signInOpenIDVerify: Could not set session: %v", err.Error())

  247. 	}

  248. 

  249. 	if u != nil || !setting.Service.EnableOpenIDSignUp {

  250. 		ctx.Redirect(setting.AppSubURL + "/user/openid/connect")

  251. 	} else {

  252. 		ctx.Redirect(setting.AppSubURL + "/user/openid/register")

  253. 	}

  254. }

  255. 

  256. // ConnectOpenID shows a form to connect an OpenID URI to an existing account

  257. func ConnectOpenID(ctx *context.Context) {

  258. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  259. 	if oid == "" {

  260. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  261. 		return

  262. 	}

  263. 	ctx.Data["Title"] = "OpenID connect"

  264. 	ctx.Data["PageIsSignIn"] = true

  265. 	ctx.Data["PageIsOpenIDConnect"] = true

  266. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  267. 	ctx.Data["OpenID"] = oid

  268. 	userName, _ := ctx.Session.Get("openid_determined_username").(string)

  269. 	if userName != "" {

  270. 		ctx.Data["user_name"] = userName

  271. 	}

  272. 	ctx.HTML(200, tplConnectOID)

  273. }

  274. 

  275. // ConnectOpenIDPost handles submission of a form to connect an OpenID URI to an existing account

  276. func ConnectOpenIDPost(ctx *context.Context, form auth.ConnectOpenIDForm) {

  277. 

  278. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  279. 	if oid == "" {

  280. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  281. 		return

  282. 	}

  283. 	ctx.Data["Title"] = "OpenID connect"

  284. 	ctx.Data["PageIsSignIn"] = true

  285. 	ctx.Data["PageIsOpenIDConnect"] = true

  286. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  287. 	ctx.Data["OpenID"] = oid

  288. 

  289. 	u, err := models.UserSignIn(form.UserName, form.Password)

  290. 	if err != nil {

  291. 		if models.IsErrUserNotExist(err) {

  292. 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)

  293. 		} else {

  294. 			ctx.ServerError("ConnectOpenIDPost", err)

  295. 		}

  296. 		return

  297. 	}

  298. 

  299. 	// add OpenID for the user

  300. 	userOID := &models.UserOpenID{UID: u.ID, URI: oid}

  301. 	if err = models.AddUserOpenID(userOID); err != nil {

  302. 		if models.IsErrOpenIDAlreadyUsed(err) {

  303. 			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplConnectOID, &form)

  304. 			return

  305. 		}

  306. 		ctx.ServerError("AddUserOpenID", err)

  307. 		return

  308. 	}

  309. 

  310. 	ctx.Flash.Success(ctx.Tr("settings.add_openid_success"))

  311. 

  312. 	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  313. 	log.Trace("Session stored openid-remember: %t", remember)

  314. 	handleSignIn(ctx, u, remember)

  315. }

  316. 

  317. // RegisterOpenID shows a form to create a new user authenticated via an OpenID URI

  318. func RegisterOpenID(ctx *context.Context) {

  319. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  320. 	if oid == "" {

  321. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  322. 		return

  323. 	}

  324. 	ctx.Data["Title"] = "OpenID signup"

  325. 	ctx.Data["PageIsSignIn"] = true

  326. 	ctx.Data["PageIsOpenIDRegister"] = true

  327. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  328. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  329. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  330. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  331. 	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL

  332. 	ctx.Data["OpenID"] = oid

  333. 	userName, _ := ctx.Session.Get("openid_determined_username").(string)

  334. 	if userName != "" {

  335. 		ctx.Data["user_name"] = userName

  336. 	}

  337. 	email, _ := ctx.Session.Get("openid_determined_email").(string)

  338. 	if email != "" {

  339. 		ctx.Data["email"] = email

  340. 	}

  341. 	ctx.HTML(200, tplSignUpOID)

  342. }

  343. 

  344. // RegisterOpenIDPost handles submission of a form to create a new user authenticated via an OpenID URI

  345. func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.SignUpOpenIDForm) {

  346. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  347. 	if oid == "" {

  348. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  349. 		return

  350. 	}

  351. 

  352. 	ctx.Data["Title"] = "OpenID signup"

  353. 	ctx.Data["PageIsSignIn"] = true

  354. 	ctx.Data["PageIsOpenIDRegister"] = true

  355. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  356. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  357. 	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL

  358. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  359. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  360. 	ctx.Data["OpenID"] = oid

  361. 

  362. 	if setting.Service.EnableCaptcha {

  363. 		var valid bool

  364. 		switch setting.Service.CaptchaType {

  365. 		case setting.ImageCaptcha:

  366. 			valid = cpt.VerifyReq(ctx.Req)

  367. 		case setting.ReCaptcha:

  368. 			err := ctx.Req.ParseForm()

  369. 			if err != nil {

  370. 				ctx.ServerError("", err)

  371. 				return

  372. 			}

  373. 			valid, _ = recaptcha.Verify(form.GRecaptchaResponse)

  374. 		default:

  375. 			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))

  376. 			return

  377. 		}

  378. 

  379. 		if !valid {

  380. 			ctx.Data["Err_Captcha"] = true

  381. 			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUpOID, &form)

  382. 			return

  383. 		}

  384. 	}

  385. 

  386. 	length := setting.MinPasswordLength

  387. 	if length < 256 {

  388. 		length = 256

  389. 	}

  390. 	password, err := generate.GetRandomString(length)

  391. 	if err != nil {

  392. 		ctx.RenderWithErr(err.Error(), tplSignUpOID, form)

  393. 		return

  394. 	}

  395. 

  396. 	// TODO: abstract a finalizeSignUp function ?

  397. 	u := &models.User{

  398. 		Name:     form.UserName,

  399. 		Email:    form.Email,

  400. 		Passwd:   password,

  401. 		IsActive: !setting.Service.RegisterEmailConfirm,

  402. 	}

  403. 	if err := models.CreateUser(u); err != nil {

  404. 		switch {

  405. 		case models.IsErrUserAlreadyExist(err):

  406. 			ctx.Data["Err_UserName"] = true

  407. 			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplSignUpOID, &form)

  408. 		case models.IsErrEmailAlreadyUsed(err):

  409. 			ctx.Data["Err_Email"] = true

  410. 			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignUpOID, &form)

  411. 		case models.IsErrNameReserved(err):

  412. 			ctx.Data["Err_UserName"] = true

  413. 			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplSignUpOID, &form)

  414. 		case models.IsErrNamePatternNotAllowed(err):

  415. 			ctx.Data["Err_UserName"] = true

  416. 			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplSignUpOID, &form)

  417. 		default:

  418. 			ctx.ServerError("CreateUser", err)

  419. 		}

  420. 		return

  421. 	}

  422. 	log.Trace("Account created: %s", u.Name)

  423. 

  424. 	// add OpenID for the user

  425. 	userOID := &models.UserOpenID{UID: u.ID, URI: oid}

  426. 	if err = models.AddUserOpenID(userOID); err != nil {

  427. 		if models.IsErrOpenIDAlreadyUsed(err) {

  428. 			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplSignUpOID, &form)

  429. 			return

  430. 		}

  431. 		ctx.ServerError("AddUserOpenID", err)

  432. 		return

  433. 	}

  434. 

  435. 	// Auto-set admin for the only user.

  436. 	if models.CountUsers() == 1 {

  437. 		u.IsAdmin = true

  438. 		u.IsActive = true

  439. 		u.SetLastLogin()

  440. 		if err := models.UpdateUserCols(u, "is_admin", "is_active", "last_login_unix"); err != nil {

  441. 			ctx.ServerError("UpdateUser", err)

  442. 			return

  443. 		}

  444. 	}

  445. 

  446. 	// Send confirmation email, no need for social account.

  447. 	if setting.Service.RegisterEmailConfirm && u.ID > 1 {

  448. 		mailer.SendActivateAccountMail(ctx.Locale, u)

  449. 

  450. 		ctx.Data["IsSendRegisterMail"] = true

  451. 		ctx.Data["Email"] = u.Email

  452. 		ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())

  453. 		ctx.HTML(200, TplActivate)

  454. 

  455. 		if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {

  456. 			log.Error("Set cache(MailResendLimit) fail: %v", err)

  457. 		}

  458. 		return

  459. 	}

  460. 

  461. 	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  462. 	log.Trace("Session stored openid-remember: %t", remember)

  463. 	handleSignIn(ctx, u, remember)

  464. }
上海开阖软件有限公司 沪ICP备12045867号-1