gitea-fork-majority-judgment/modules/auth/sso/sspi_windows.go

// Copyright 2019 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package sso

import (
	"errors"
	"reflect"
	"strings"

	"code.gitea.io/gitea/models"
	"code.gitea.io/gitea/modules/base"
	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/setting"

	"gitea.com/macaron/macaron"
	"gitea.com/macaron/session"

	"github.com/quasoft/websspi"
	gouuid "github.com/satori/go.uuid"
)

const (
	tplSignIn base.TplName = "user/auth/signin"
)

var (
	// sspiAuth is a global instance of the websspi authentication package,
	// which is used to avoid acquiring the server credential handle on
	// every request
	sspiAuth *websspi.Authenticator

	// Ensure the struct implements the interface.
	_ SingleSignOn = &SSPI{}
)

// SSPI implements the SingleSignOn interface and authenticates requests
// via the built-in SSPI module in Windows for SPNEGO authentication.
// On successful authentication returns a valid user object.
// Returns nil if authentication fails.
type SSPI struct {
}

// Init creates a new global websspi.Authenticator object
func (s *SSPI) Init() error {
	config := websspi.NewConfig()
	var err error
	sspiAuth, err = websspi.New(config)
	return err
}

// Free releases resources used by the global websspi.Authenticator object
func (s *SSPI) Free() error {
	return sspiAuth.Free()
}

// IsEnabled checks if there is an active SSPI authentication source
func (s *SSPI) IsEnabled() bool {
	return models.IsSSPIEnabled()
}

// VerifyAuthData uses SSPI (Windows implementation of SPNEGO) to authenticate the request.
// If authentication is successful, returs the corresponding user object.
// If negotiation should continue or authentication fails, immediately returns a 401 HTTP
// response code, as required by the SPNEGO protocol.
func (s *SSPI) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
	if !s.shouldAuthenticate(ctx) {
		return nil
	}

	cfg, err := s.getConfig()
	if err != nil {
		log.Error("could not get SSPI config: %v", err)
		return nil
	}

	userInfo, outToken, err := sspiAuth.Authenticate(ctx.Req.Request, ctx.Resp)
	if err != nil {
		log.Warn("Authentication failed with error: %v\n", err)
		sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)

		// Include the user login page in the 401 response to allow the user
		// to login with another authentication method if SSPI authentication
		// fails
		addFlashErr(ctx, ctx.Tr("auth.sspi_auth_failed"))
		ctx.Data["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn
		ctx.Data["EnableSSPI"] = true
		ctx.HTML(401, string(tplSignIn))
		return nil
	}
	if outToken != "" {
		sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)
	}

	username := sanitizeUsername(userInfo.Username, cfg)
	if len(username) == 0 {
		return nil
	}
	log.Info("Authenticated as %s\n", username)

	user, err := models.GetUserByName(username)
	if err != nil {
		if !models.IsErrUserNotExist(err) {
			log.Error("GetUserByName: %v", err)
			return nil
		}
		if !cfg.AutoCreateUsers {
			log.Error("User '%s' not found", username)
			return nil
		}
		user, err = s.newUser(ctx, username, cfg)
		if err != nil {
			log.Error("CreateUser: %v", err)
			return nil
		}
	}

	// Make sure requests to API paths and PWA resources do not create a new session
	if !isAPIPath(ctx) && !isAttachmentDownload(ctx) {
		handleSignIn(ctx, sess, user)
	}

	return user
}

// getConfig retrieves the SSPI configuration from login sources
func (s *SSPI) getConfig() (*models.SSPIConfig, error) {
	sources, err := models.ActiveLoginSources(models.LoginSSPI)
	if err != nil {
		return nil, err
	}
	if len(sources) == 0 {
		return nil, errors.New("no active login sources of type SSPI found")
	}
	if len(sources) > 1 {
		return nil, errors.New("more than one active login source of type SSPI found")
	}
	return sources[0].SSPI(), nil
}

func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) (shouldAuth bool) {
	shouldAuth = false
	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
	if path == "/user/login" {
		if ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" {
			shouldAuth = false
		} else if ctx.Req.FormValue("auth_with_sspi") == "1" {
			shouldAuth = true
		}
	} else if isAPIPath(ctx) || isAttachmentDownload(ctx) {
		shouldAuth = true
	}
	return
}

// newUser creates a new user object for the purpose of automatic registration
// and populates its name and email with the information present in request headers.
func (s *SSPI) newUser(ctx *macaron.Context, username string, cfg *models.SSPIConfig) (*models.User, error) {
	email := gouuid.NewV4().String() + "@localhost.localdomain"
	user := &models.User{
		Name:                         username,
		Email:                        email,
		KeepEmailPrivate:             true,
		Passwd:                       gouuid.NewV4().String(),
		IsActive:                     cfg.AutoActivateUsers,
		Language:                     cfg.DefaultLanguage,
		UseCustomAvatar:              true,
		Avatar:                       base.DefaultAvatarLink(),
		EmailNotificationsPreference: models.EmailNotificationsDisabled,
	}
	if err := models.CreateUser(user); err != nil {
		return nil, err
	}
	return user, nil
}

// stripDomainNames removes NETBIOS domain name and separator from down-level logon names
// (eg. "DOMAIN\user" becomes "user"), and removes the UPN suffix (domain name) and separator
// from UPNs (eg. "user@domain.local" becomes "user")
func stripDomainNames(username string) string {
	if strings.Contains(username, "\\") {
		parts := strings.SplitN(username, "\\", 2)
		if len(parts) > 1 {
			username = parts[1]
		}
	} else if strings.Contains(username, "@") {
		parts := strings.Split(username, "@")
		if len(parts) > 1 {
			username = parts[0]
		}
	}
	return username
}

func replaceSeparators(username string, cfg *models.SSPIConfig) string {
	newSep := cfg.SeparatorReplacement
	username = strings.ReplaceAll(username, "\\", newSep)
	username = strings.ReplaceAll(username, "/", newSep)
	username = strings.ReplaceAll(username, "@", newSep)
	return username
}

func sanitizeUsername(username string, cfg *models.SSPIConfig) string {
	if len(username) == 0 {
		return ""
	}
	if cfg.StripDomainNames {
		username = stripDomainNames(username)
	}
	// Replace separators even if we have already stripped the domain name part,
	// as the username can contain several separators: eg. "MICROSOFT\useremail@live.com"
	username = replaceSeparators(username, cfg)
	return username
}

// addFlashErr adds an error message to the Flash object mapped to a macaron.Context
func addFlashErr(ctx *macaron.Context, err string) {
	fv := ctx.GetVal(reflect.TypeOf(&session.Flash{}))
	if !fv.IsValid() {
		return
	}
	flash, ok := fv.Interface().(*session.Flash)
	if !ok {
		return
	}
	flash.Error(err)
	ctx.Data["Flash"] = flash
}

// init registers the SSPI auth method as the last method in the list.
// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation
// fails (or if negotiation should continue), which would prevent other authentication methods
// to execute at all.
func init() {
	Register(&SSPI{})
}
Add single sign-on support via SSPI on Windows (#8463) * Add single sign-on support via SSPI on Windows * Ensure plugins implement interface * Ensure plugins implement interface * Move functions used only by the SSPI auth method to sspi_windows.go * Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected * Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links. * Update documentation for the new 'SPNEGO with SSPI' login source * Mention in documentation that ROOT_URL should contain the FQDN of the server * Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing) * Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources) * Add option in SSPIConfig for removing of domains from logon names * Update helper text for StripDomainNames option * Make sure handleSignIn() is called after a new user object is created by SSPI auth method * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates * Remove code duplication * Log errors in ActiveLoginSources Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert suffix of randomly generated E-mails for Reverse proxy authentication Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert unneeded white-space change in template Co-Authored-By: Lauris BH <lauris@nix.lv> * Add copyright comments at the top of new files * Use loopback name for randomly generated emails * Add locale tag for the SSPISeparatorReplacement field with proper casing * Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields * Update docs/content/doc/features/authentication.en-us.md Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> * Remove Priority() method and define the order in which SSO auth methods should be executed in one place * Log authenticated username only if it's not empty * Rephrase helper text for automatic creation of users * Return error if more than one active SSPI auth source is found * Change newUser() function to return error, letting caller log/handle the error * Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed * Refactor initialization of the list containing SSO auth methods * Validate SSPI settings on POST * Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page * Make 'Default language' in SSPI config empty, unless changed by admin * Show error if admin tries to add a second authentication source of type SSPI * Simplify declaration of global variable * Rebuild gitgraph.js on Linux * Make sure config values containing only whitespace are not accepted 4 years ago			`// Copyright 2019 The Gitea Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`package sso`

			`import (`
			`"errors"`
			`"reflect"`
			`"strings"`

			`"code.gitea.io/gitea/models"`
			`"code.gitea.io/gitea/modules/base"`
			`"code.gitea.io/gitea/modules/log"`
			`"code.gitea.io/gitea/modules/setting"`

			`"gitea.com/macaron/macaron"`
			`"gitea.com/macaron/session"`

			`"github.com/quasoft/websspi"`
			`gouuid "github.com/satori/go.uuid"`
			`)`

			`const (`
			`tplSignIn base.TplName = "user/auth/signin"`
			`)`

			`var (`
			`// sspiAuth is a global instance of the websspi authentication package,`
			`// which is used to avoid acquiring the server credential handle on`
			`// every request`
			`sspiAuth *websspi.Authenticator`

			`// Ensure the struct implements the interface.`
			`_ SingleSignOn = &SSPI{}`
			`)`

			`// SSPI implements the SingleSignOn interface and authenticates requests`
			`// via the built-in SSPI module in Windows for SPNEGO authentication.`
			`// On successful authentication returns a valid user object.`
			`// Returns nil if authentication fails.`
			`type SSPI struct {`
			`}`

			`// Init creates a new global websspi.Authenticator object`
			`func (s *SSPI) Init() error {`
			`config := websspi.NewConfig()`
			`var err error`
			`sspiAuth, err = websspi.New(config)`
			`return err`
			`}`

			`// Free releases resources used by the global websspi.Authenticator object`
			`func (s *SSPI) Free() error {`
			`return sspiAuth.Free()`
			`}`

			`// IsEnabled checks if there is an active SSPI authentication source`
			`func (s *SSPI) IsEnabled() bool {`
			`return models.IsSSPIEnabled()`
			`}`

			`// VerifyAuthData uses SSPI (Windows implementation of SPNEGO) to authenticate the request.`
			`// If authentication is successful, returs the corresponding user object.`
			`// If negotiation should continue or authentication fails, immediately returns a 401 HTTP`
			`// response code, as required by the SPNEGO protocol.`
			`func (s SSPI) VerifyAuthData(ctx macaron.Context, sess session.Store) *models.User {`
			`if !s.shouldAuthenticate(ctx) {`
			`return nil`
			`}`

			`cfg, err := s.getConfig()`
			`if err != nil {`
			`log.Error("could not get SSPI config: %v", err)`
			`return nil`
			`}`

			`userInfo, outToken, err := sspiAuth.Authenticate(ctx.Req.Request, ctx.Resp)`
			`if err != nil {`
			`log.Warn("Authentication failed with error: %v\n", err)`
			`sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)`

			`// Include the user login page in the 401 response to allow the user`
			`// to login with another authentication method if SSPI authentication`
			`// fails`
			`addFlashErr(ctx, ctx.Tr("auth.sspi_auth_failed"))`
			`ctx.Data["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn`
			`ctx.Data["EnableSSPI"] = true`
			`ctx.HTML(401, string(tplSignIn))`
			`return nil`
			`}`
			`if outToken != "" {`
			`sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)`
			`}`

			`username := sanitizeUsername(userInfo.Username, cfg)`
			`if len(username) == 0 {`
			`return nil`
			`}`
			`log.Info("Authenticated as %s\n", username)`

			`user, err := models.GetUserByName(username)`
			`if err != nil {`
			`if !models.IsErrUserNotExist(err) {`
			`log.Error("GetUserByName: %v", err)`
			`return nil`
			`}`
			`if !cfg.AutoCreateUsers {`
			`log.Error("User '%s' not found", username)`
			`return nil`
			`}`
			`user, err = s.newUser(ctx, username, cfg)`
			`if err != nil {`
			`log.Error("CreateUser: %v", err)`
			`return nil`
			`}`
			`}`

			`// Make sure requests to API paths and PWA resources do not create a new session`
			`if !isAPIPath(ctx) && !isAttachmentDownload(ctx) {`
			`handleSignIn(ctx, sess, user)`
			`}`

			`return user`
			`}`

			`// getConfig retrieves the SSPI configuration from login sources`
			`func (s SSPI) getConfig() (models.SSPIConfig, error) {`
			`sources, err := models.ActiveLoginSources(models.LoginSSPI)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if len(sources) == 0 {`
			`return nil, errors.New("no active login sources of type SSPI found")`
			`}`
			`if len(sources) > 1 {`
			`return nil, errors.New("more than one active login source of type SSPI found")`
			`}`
			`return sources[0].SSPI(), nil`
			`}`

			`func (s SSPI) shouldAuthenticate(ctx macaron.Context) (shouldAuth bool) {`
			`shouldAuth = false`
			`path := strings.TrimSuffix(ctx.Req.URL.Path, "/")`
			`if path == "/user/login" {`
			`if ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" {`
			`shouldAuth = false`
			`} else if ctx.Req.FormValue("auth_with_sspi") == "1" {`
			`shouldAuth = true`
			`}`
			`} else if isAPIPath(ctx) \|\| isAttachmentDownload(ctx) {`
			`shouldAuth = true`
			`}`
			`return`
			`}`

			`// newUser creates a new user object for the purpose of automatic registration`
			`// and populates its name and email with the information present in request headers.`
			`func (s SSPI) newUser(ctx macaron.Context, username string, cfg models.SSPIConfig) (models.User, error) {`
			`email := gouuid.NewV4().String() + "@localhost.localdomain"`
			`user := &models.User{`
			`Name: username,`
			`Email: email,`
			`KeepEmailPrivate: true,`
			`Passwd: gouuid.NewV4().String(),`
			`IsActive: cfg.AutoActivateUsers,`
			`Language: cfg.DefaultLanguage,`
			`UseCustomAvatar: true,`
			`Avatar: base.DefaultAvatarLink(),`
			`EmailNotificationsPreference: models.EmailNotificationsDisabled,`
			`}`
			`if err := models.CreateUser(user); err != nil {`
			`return nil, err`
			`}`
			`return user, nil`
			`}`

			`// stripDomainNames removes NETBIOS domain name and separator from down-level logon names`
			`// (eg. "DOMAIN\user" becomes "user"), and removes the UPN suffix (domain name) and separator`
			`// from UPNs (eg. "user@domain.local" becomes "user")`
			`func stripDomainNames(username string) string {`
			`if strings.Contains(username, "\\") {`
			`parts := strings.SplitN(username, "\\", 2)`
			`if len(parts) > 1 {`
			`username = parts[1]`
			`}`
			`} else if strings.Contains(username, "@") {`
			`parts := strings.Split(username, "@")`
			`if len(parts) > 1 {`
			`username = parts[0]`
			`}`
			`}`
			`return username`
			`}`

			`func replaceSeparators(username string, cfg *models.SSPIConfig) string {`
			`newSep := cfg.SeparatorReplacement`
			`username = strings.ReplaceAll(username, "\\", newSep)`
			`username = strings.ReplaceAll(username, "/", newSep)`
			`username = strings.ReplaceAll(username, "@", newSep)`
			`return username`
			`}`

			`func sanitizeUsername(username string, cfg *models.SSPIConfig) string {`
			`if len(username) == 0 {`
			`return ""`
			`}`
			`if cfg.StripDomainNames {`
			`username = stripDomainNames(username)`
			`}`
			`// Replace separators even if we have already stripped the domain name part,`
			`// as the username can contain several separators: eg. "MICROSOFT\useremail@live.com"`
			`username = replaceSeparators(username, cfg)`
			`return username`
			`}`

			`// addFlashErr adds an error message to the Flash object mapped to a macaron.Context`
			`func addFlashErr(ctx *macaron.Context, err string) {`
			`fv := ctx.GetVal(reflect.TypeOf(&session.Flash{}))`
			`if !fv.IsValid() {`
			`return`
			`}`
			`flash, ok := fv.Interface().(*session.Flash)`
			`if !ok {`
			`return`
			`}`
			`flash.Error(err)`
			`ctx.Data["Flash"] = flash`
			`}`

			`// init registers the SSPI auth method as the last method in the list.`
			`// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation`
			`// fails (or if negotiation should continue), which would prevent other authentication methods`
			`// to execute at all.`
			`func init() {`
			`Register(&SSPI{})`
			`}`