diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-10-11 10:27:00 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-10-11 10:27:00 +0000 |
commit | 65aa53fc52ff15efe54df4147564828d535837f8 (patch) | |
tree | 31c51dad04fdcca80e6d3043c8bd49d2f1a51f83 /modules/setting/oauth2.go | |
parent | Initial commit. (diff) | |
download | forgejo-65aa53fc52ff15efe54df4147564828d535837f8.tar.xz forgejo-65aa53fc52ff15efe54df4147564828d535837f8.zip |
Adding upstream version 8.0.3.HEADupstream/8.0.3upstreamdebian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/setting/oauth2.go')
-rw-r--r-- | modules/setting/oauth2.go | 172 |
1 files changed, 172 insertions, 0 deletions
diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go new file mode 100644 index 00000000..76820adf --- /dev/null +++ b/modules/setting/oauth2.go @@ -0,0 +1,172 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package setting + +import ( + "math" + "path/filepath" + "sync/atomic" + + "code.gitea.io/gitea/modules/generate" + "code.gitea.io/gitea/modules/log" +) + +// OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data +type OAuth2UsernameType string + +const ( + // OAuth2UsernameUserid oauth2 userid field will be used as gitea name + OAuth2UsernameUserid OAuth2UsernameType = "userid" + // OAuth2UsernameNickname oauth2 nickname field will be used as gitea name + OAuth2UsernameNickname OAuth2UsernameType = "nickname" + // OAuth2UsernameEmail username of oauth2 email field will be used as gitea name + OAuth2UsernameEmail OAuth2UsernameType = "email" +) + +func (username OAuth2UsernameType) isValid() bool { + switch username { + case OAuth2UsernameUserid, OAuth2UsernameNickname, OAuth2UsernameEmail: + return true + } + return false +} + +// OAuth2AccountLinkingType is enum describing behaviour of linking with existing account +type OAuth2AccountLinkingType string + +const ( + // OAuth2AccountLinkingDisabled error will be displayed if account exist + OAuth2AccountLinkingDisabled OAuth2AccountLinkingType = "disabled" + // OAuth2AccountLinkingLogin account linking login will be displayed if account exist + OAuth2AccountLinkingLogin OAuth2AccountLinkingType = "login" + // OAuth2AccountLinkingAuto account will be automatically linked if account exist + OAuth2AccountLinkingAuto OAuth2AccountLinkingType = "auto" +) + +func (accountLinking OAuth2AccountLinkingType) isValid() bool { + switch accountLinking { + case OAuth2AccountLinkingDisabled, OAuth2AccountLinkingLogin, OAuth2AccountLinkingAuto: + return true + } + return false +} + +// OAuth2Client settings +var OAuth2Client struct { + RegisterEmailConfirm bool + OpenIDConnectScopes []string + EnableAutoRegistration bool + Username OAuth2UsernameType + UpdateAvatar bool + AccountLinking OAuth2AccountLinkingType +} + +func loadOAuth2ClientFrom(rootCfg ConfigProvider) { + sec := rootCfg.Section("oauth2_client") + OAuth2Client.RegisterEmailConfirm = sec.Key("REGISTER_EMAIL_CONFIRM").MustBool(Service.RegisterEmailConfirm) + OAuth2Client.OpenIDConnectScopes = parseScopes(sec, "OPENID_CONNECT_SCOPES") + OAuth2Client.EnableAutoRegistration = sec.Key("ENABLE_AUTO_REGISTRATION").MustBool() + OAuth2Client.Username = OAuth2UsernameType(sec.Key("USERNAME").MustString(string(OAuth2UsernameNickname))) + if !OAuth2Client.Username.isValid() { + log.Warn("Username setting is not valid: '%s', will fallback to '%s'", OAuth2Client.Username, OAuth2UsernameNickname) + OAuth2Client.Username = OAuth2UsernameNickname + } + OAuth2Client.UpdateAvatar = sec.Key("UPDATE_AVATAR").MustBool() + OAuth2Client.AccountLinking = OAuth2AccountLinkingType(sec.Key("ACCOUNT_LINKING").MustString(string(OAuth2AccountLinkingLogin))) + if !OAuth2Client.AccountLinking.isValid() { + log.Warn("Account linking setting is not valid: '%s', will fallback to '%s'", OAuth2Client.AccountLinking, OAuth2AccountLinkingLogin) + OAuth2Client.AccountLinking = OAuth2AccountLinkingLogin + } +} + +func parseScopes(sec ConfigSection, name string) []string { + parts := sec.Key(name).Strings(" ") + scopes := make([]string, 0, len(parts)) + for _, scope := range parts { + if scope != "" { + scopes = append(scopes, scope) + } + } + return scopes +} + +var OAuth2 = struct { + Enabled bool + AccessTokenExpirationTime int64 + RefreshTokenExpirationTime int64 + InvalidateRefreshTokens bool + JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"` + JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"` + MaxTokenLength int + DefaultApplications []string +}{ + Enabled: true, + AccessTokenExpirationTime: 3600, + RefreshTokenExpirationTime: 730, + InvalidateRefreshTokens: false, + JWTSigningAlgorithm: "RS256", + JWTSigningPrivateKeyFile: "jwt/private.pem", + MaxTokenLength: math.MaxInt16, + DefaultApplications: []string{"git-credential-oauth", "git-credential-manager", "tea"}, +} + +func loadOAuth2From(rootCfg ConfigProvider) { + sec := rootCfg.Section("oauth2") + if err := sec.MapTo(&OAuth2); err != nil { + log.Fatal("Failed to map OAuth2 settings: %v", err) + return + } + + // Handle the rename of ENABLE to ENABLED + deprecatedSetting(rootCfg, "oauth2", "ENABLE", "oauth2", "ENABLED", "v1.23.0") + if sec.HasKey("ENABLE") && !sec.HasKey("ENABLED") { + OAuth2.Enabled = sec.Key("ENABLE").MustBool(OAuth2.Enabled) + } + + if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) { + OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile) + } + + // FIXME: at the moment, no matter oauth2 is enabled or not, it must generate a "oauth2 JWT_SECRET" + // Because this secret is also used as GeneralTokenSigningSecret (as a quick not-that-breaking fix for some legacy problems). + // Including: CSRF token, account validation token, etc ... + // In main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...) + jwtSecretBase64 := loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET") + if InstallLock { + jwtSecretBytes, err := generate.DecodeJwtSecret(jwtSecretBase64) + if err != nil { + jwtSecretBytes, jwtSecretBase64, err = generate.NewJwtSecret() + if err != nil { + log.Fatal("error generating JWT secret: %v", err) + } + saveCfg, err := rootCfg.PrepareSaving() + if err != nil { + log.Fatal("save oauth2.JWT_SECRET failed: %v", err) + } + rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64) + saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64) + if err := saveCfg.Save(); err != nil { + log.Fatal("save oauth2.JWT_SECRET failed: %v", err) + } + } + generalSigningSecret.Store(&jwtSecretBytes) + } +} + +var generalSigningSecret atomic.Pointer[[]byte] + +func GetGeneralTokenSigningSecret() []byte { + old := generalSigningSecret.Load() + if old == nil || len(*old) == 0 { + jwtSecret, _, err := generate.NewJwtSecret() + if err != nil { + log.Fatal("Unable to generate general JWT secret: %v", err) + } + if generalSigningSecret.CompareAndSwap(old, &jwtSecret) { + return jwtSecret + } + return *generalSigningSecret.Load() + } + return *old +} |