forgejo/services/auth/group.go

// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package auth

import (
	"net/http"
	"strings"

	user_model "code.gitea.io/gitea/models/user"
)

// Ensure the struct implements the interface.
var (
	_ Method = &Group{}
)

// Group implements the Auth interface with serval Auth.
type Group struct {
	methods []Method
}

// NewGroup creates a new auth group
func NewGroup(methods ...Method) *Group {
	return &Group{
		methods: methods,
	}
}

// Add adds a new method to group
func (b *Group) Add(method Method) {
	b.methods = append(b.methods, method)
}

// Name returns group's methods name
func (b *Group) Name() string {
	names := make([]string, 0, len(b.methods))
	for _, m := range b.methods {
		names = append(names, m.Name())
	}
	return strings.Join(names, ",")
}

func (b *Group) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
	// Try to sign in with each of the enabled plugins
	var retErr error
	for _, m := range b.methods {
		user, err := m.Verify(req, w, store, sess)
		if err != nil {
			if retErr == nil {
				retErr = err
			}
			// Try other methods if this one failed.
			// Some methods may share the same protocol to detect if they are matched.
			// For example, OAuth2 and conan.Auth both read token from "Authorization: Bearer <token>" header,
			// If OAuth2 returns error, we should give conan.Auth a chance to try.
			continue
		}

		// If any method returns a user, we can stop trying.
		// Return the user and ignore any error returned by previous methods.
		if user != nil {
			if store.GetData()["AuthedMethod"] == nil {
				store.GetData()["AuthedMethod"] = m.Name()
			}
			return user, nil
		}
	}

	// If no method returns a user, return the error returned by the first method.
	return nil, retErr
}
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`// Copyright 2021 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 18:20:29 +00:00			`// SPDX-License-Identifier: MIT`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00
			`package auth`

			`import (`
			`"net/http"`
Let web and API routes have different auth methods group (#19168) * remove the global methods but create dynamiclly * Fix lint * Fix windows lint * Fix windows lint * some improvements Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> 2022-03-28 04:46:28 +00:00			`"strings"`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00
Move user related model into models/user (#17781) * Move user related model into models/user * Fix lint for windows * Fix windows lint * Fix windows lint * Move some tests in models * Merge 2021-11-24 09:49:20 +00:00			`user_model "code.gitea.io/gitea/models/user"`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`)`

			`// Ensure the struct implements the interface.`
			`var (`
Refactor web package and context package (#25298) 1. The "web" package shouldn't depends on "modules/context" package, instead, let each "web context" register themselves to the "web" package. 2. The old Init/Free doesn't make sense, so simplify it * The ctx in "Init(ctx)" is never used, and shouldn't be used that way * The "Free" is never called and shouldn't be called because the SSPI instance is shared --------- Co-authored-by: Giteabot <teabot@gitea.io> 2023-06-18 07:59:09 +00:00			`_ Method = &Group{}`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`)`

			`// Group implements the Auth interface with serval Auth.`
			`type Group struct {`
Refactor: Move login out of models (#16199) `models` does far too much. In particular it handles all `UserSignin`. It shouldn't be responsible for calling LDAP, SMTP or PAM for signing in. Therefore we should move this code out of `models`. This code has to depend on `models` - therefore it belongs in `services`. There is a package in `services` called `auth` and clearly this functionality belongs in there. Plan: - [x] Change `auth.Auth` to `auth.Method` - as they represent methods of authentication. - [x] Move `models.UserSignIn` into `auth` - [x] Move `models.ExternalUserLogin` - [x] Move most of the `LoginVia` methods to `auth` or subpackages - [x] Move Resynchronize functionality to `auth` - Involved some restructuring of `models/ssh_key.go` to reduce the size of this massive file and simplify its files. - [x] Move the rest of the LDAP functionality in to the ldap subpackage - [x] Re-factor the login sources to express an interfaces `auth.Source`? - I've done this through some smaller interfaces Authenticator and Synchronizable - which would allow us to extend things in future - [x] Now LDAP is out of models - need to think about modules/auth/ldap and I think all of that functionality might just be moveable - [x] Similarly a lot Oauth2 functionality need not be in models too and should be moved to services/auth/source/oauth2 - [x] modules/auth/oauth2/oauth2.go uses xorm... This is naughty - probably need to move this into models. - [x] models/oauth2.go - mostly should be in modules/auth/oauth2 or services/auth/source/oauth2 - [x] More simplifications of login_source.go may need to be done - Allow wiring in of notify registration - this can now easily be done - but I think we should do it in another PR* - see #16178 - More refactors...? - OpenID should probably become an auth Method but I think that can be left for another PR - Methods should also probably be cleaned up - again another PR I think. - SSPI still needs more refactors.* Rename auth.Auth auth.Method * Restructure ssh_key.go - move functions from models/user.go that relate to ssh_key to ssh_key - split ssh_key.go to try create clearer function domains for allow for future refactors here. Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-07-24 10:16:34 +00:00			`methods []Method`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`}`

			`// NewGroup creates a new auth group`
Refactor: Move login out of models (#16199) `models` does far too much. In particular it handles all `UserSignin`. It shouldn't be responsible for calling LDAP, SMTP or PAM for signing in. Therefore we should move this code out of `models`. This code has to depend on `models` - therefore it belongs in `services`. There is a package in `services` called `auth` and clearly this functionality belongs in there. Plan: - [x] Change `auth.Auth` to `auth.Method` - as they represent methods of authentication. - [x] Move `models.UserSignIn` into `auth` - [x] Move `models.ExternalUserLogin` - [x] Move most of the `LoginVia` methods to `auth` or subpackages - [x] Move Resynchronize functionality to `auth` - Involved some restructuring of `models/ssh_key.go` to reduce the size of this massive file and simplify its files. - [x] Move the rest of the LDAP functionality in to the ldap subpackage - [x] Re-factor the login sources to express an interfaces `auth.Source`? - I've done this through some smaller interfaces Authenticator and Synchronizable - which would allow us to extend things in future - [x] Now LDAP is out of models - need to think about modules/auth/ldap and I think all of that functionality might just be moveable - [x] Similarly a lot Oauth2 functionality need not be in models too and should be moved to services/auth/source/oauth2 - [x] modules/auth/oauth2/oauth2.go uses xorm... This is naughty - probably need to move this into models. - [x] models/oauth2.go - mostly should be in modules/auth/oauth2 or services/auth/source/oauth2 - [x] More simplifications of login_source.go may need to be done - Allow wiring in of notify registration - this can now easily be done - but I think we should do it in another PR* - see #16178 - More refactors...? - OpenID should probably become an auth Method but I think that can be left for another PR - Methods should also probably be cleaned up - again another PR I think. - SSPI still needs more refactors.* Rename auth.Auth auth.Method * Restructure ssh_key.go - move functions from models/user.go that relate to ssh_key to ssh_key - split ssh_key.go to try create clearer function domains for allow for future refactors here. Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-07-24 10:16:34 +00:00			`func NewGroup(methods ...Method) *Group {`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`return &Group{`
			`methods: methods,`
			`}`
			`}`

Let web and API routes have different auth methods group (#19168) * remove the global methods but create dynamiclly * Fix lint * Fix windows lint * Fix windows lint * some improvements Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> 2022-03-28 04:46:28 +00:00			`// Add adds a new method to group`
			`func (b *Group) Add(method Method) {`
			`b.methods = append(b.methods, method)`
			`}`

			`// Name returns group's methods name`
			`func (b *Group) Name() string {`
			`names := make([]string, 0, len(b.methods))`
			`for _, m := range b.methods {`
Remove `Named` interface (#26913) `Named` is implemented by every `Method` and future implementations should implement the method too. 2023-09-05 15:58:30 +00:00			`names = append(names, m.Name())`
Let web and API routes have different auth methods group (#19168) * remove the global methods but create dynamiclly * Fix lint * Fix windows lint * Fix windows lint * some improvements Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> 2022-03-28 04:46:28 +00:00			`}`
			`return strings.Join(names, ",")`
			`}`

refactor auth interface to return error when verify failure (#22119) This PR changed the Auth interface signature from `Verify(http http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) user_model.User` to `Verify(http http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (user_model.User, error)`. There is a new return argument `error` which means the verification condition matched but verify process failed, we should stop the auth process. Before this PR, when return a `nil` user, we don't know the reason why it returned `nil`. If the match condition is not satisfied or it verified failure? For these two different results, we should have different handler. If the match condition is not satisfied, we should try next auth method and if there is no more auth method, it's an anonymous user. If the condition matched but verify failed, the auth process should be stop and return immediately. This will fix #20563 Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Jason Song <i@wolfogre.com> 2022-12-28 05:53:28 +00:00			`func (b Group) Verify(req http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`// Try to sign in with each of the enabled plugins`
Fix the error message when the token is incorrect (#25701) we refactored `userIDFromToken` for the token parsing part into a new function `parseToken`. `parseToken` returns the string `token` from request, and a boolean `ok` representing whether the token exists or not. So we can distinguish between token non-existence and token inconsistency in the `verfity` function, thus solving the problem of no proper error message when the token is inconsistent. close #24439 related #22119 --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Giteabot <teabot@gitea.io> 2023-07-11 02:04:28 +00:00			`var retErr error`
Remove `Named` interface (#26913) `Named` is implemented by every `Method` and future implementations should implement the method too. 2023-09-05 15:58:30 +00:00			`for _, m := range b.methods {`
			`user, err := m.Verify(req, w, store, sess)`
refactor auth interface to return error when verify failure (#22119) This PR changed the Auth interface signature from `Verify(http http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) user_model.User` to `Verify(http http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (user_model.User, error)`. There is a new return argument `error` which means the verification condition matched but verify process failed, we should stop the auth process. Before this PR, when return a `nil` user, we don't know the reason why it returned `nil`. If the match condition is not satisfied or it verified failure? For these two different results, we should have different handler. If the match condition is not satisfied, we should try next auth method and if there is no more auth method, it's an anonymous user. If the condition matched but verify failed, the auth process should be stop and return immediately. This will fix #20563 Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Jason Song <i@wolfogre.com> 2022-12-28 05:53:28 +00:00			`if err != nil {`
Fix the error message when the token is incorrect (#25701) we refactored `userIDFromToken` for the token parsing part into a new function `parseToken`. `parseToken` returns the string `token` from request, and a boolean `ok` representing whether the token exists or not. So we can distinguish between token non-existence and token inconsistency in the `verfity` function, thus solving the problem of no proper error message when the token is inconsistent. close #24439 related #22119 --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Giteabot <teabot@gitea.io> 2023-07-11 02:04:28 +00:00			`if retErr == nil {`
			`retErr = err`
			`}`
			`// Try other methods if this one failed.`
			`// Some methods may share the same protocol to detect if they are matched.`
			`// For example, OAuth2 and conan.Auth both read token from "Authorization: Bearer <token>" header,`
			`// If OAuth2 returns error, we should give conan.Auth a chance to try.`
			`continue`
refactor auth interface to return error when verify failure (#22119) This PR changed the Auth interface signature from `Verify(http http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) user_model.User` to `Verify(http http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (user_model.User, error)`. There is a new return argument `error` which means the verification condition matched but verify process failed, we should stop the auth process. Before this PR, when return a `nil` user, we don't know the reason why it returned `nil`. If the match condition is not satisfied or it verified failure? For these two different results, we should have different handler. If the match condition is not satisfied, we should try next auth method and if there is no more auth method, it's an anonymous user. If the condition matched but verify failed, the auth process should be stop and return immediately. This will fix #20563 Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Jason Song <i@wolfogre.com> 2022-12-28 05:53:28 +00:00			`}`

Fix the error message when the token is incorrect (#25701) we refactored `userIDFromToken` for the token parsing part into a new function `parseToken`. `parseToken` returns the string `token` from request, and a boolean `ok` representing whether the token exists or not. So we can distinguish between token non-existence and token inconsistency in the `verfity` function, thus solving the problem of no proper error message when the token is inconsistent. close #24439 related #22119 --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Giteabot <teabot@gitea.io> 2023-07-11 02:04:28 +00:00			`// If any method returns a user, we can stop trying.`
			`// Return the user and ignore any error returned by previous methods.`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`if user != nil {`
			`if store.GetData()["AuthedMethod"] == nil {`
Remove `Named` interface (#26913) `Named` is implemented by every `Method` and future implementations should implement the method too. 2023-09-05 15:58:30 +00:00			`store.GetData()["AuthedMethod"] = m.Name()`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`}`
refactor auth interface to return error when verify failure (#22119) This PR changed the Auth interface signature from `Verify(http http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) user_model.User` to `Verify(http http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (user_model.User, error)`. There is a new return argument `error` which means the verification condition matched but verify process failed, we should stop the auth process. Before this PR, when return a `nil` user, we don't know the reason why it returned `nil`. If the match condition is not satisfied or it verified failure? For these two different results, we should have different handler. If the match condition is not satisfied, we should try next auth method and if there is no more auth method, it's an anonymous user. If the condition matched but verify failed, the auth process should be stop and return immediately. This will fix #20563 Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Jason Song <i@wolfogre.com> 2022-12-28 05:53:28 +00:00			`return user, nil`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`}`
			`}`

Fix the error message when the token is incorrect (#25701) we refactored `userIDFromToken` for the token parsing part into a new function `parseToken`. `parseToken` returns the string `token` from request, and a boolean `ok` representing whether the token exists or not. So we can distinguish between token non-existence and token inconsistency in the `verfity` function, thus solving the problem of no proper error message when the token is inconsistent. close #24439 related #22119 --------- Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: Giteabot <teabot@gitea.io> 2023-07-11 02:04:28 +00:00			`// If no method returns a user, return the error returned by the first method.`
			`return nil, retErr`
Add sso.Group, context.Auth, context.APIAuth to allow auth special routes (#16086) * Add sso.Group, context.Auth, context.APIAuth to allow auth special routes * Remove unnecessary check * Rename sso -> auth * remove unused method of Auth interface 2021-06-09 17:53:16 +00:00			`}`