| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | // Copyright 2021 The Gitea Authors. All rights reserved. | 
					
						
							| 
									
										
										
										
											2022-11-27 13:20:29 -05:00
										 |  |  | // SPDX-License-Identifier: MIT | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | package pam | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							| 
									
										
										
										
											2023-09-14 19:09:32 +02:00
										 |  |  | 	"context" | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	"fmt" | 
					
						
							|  |  |  | 	"strings" | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2025-03-27 20:13:05 +00:00
										 |  |  | 	"forgejo.org/models/auth" | 
					
						
							|  |  |  | 	user_model "forgejo.org/models/user" | 
					
						
							|  |  |  | 	"forgejo.org/modules/auth/pam" | 
					
						
							|  |  |  | 	"forgejo.org/modules/optional" | 
					
						
							|  |  |  | 	"forgejo.org/modules/setting" | 
					
						
							|  |  |  | 	"forgejo.org/modules/validation" | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	"github.com/google/uuid" | 
					
						
							|  |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // Authenticate queries if login/password is valid against the PAM, | 
					
						
							|  |  |  | // and create a local user if success when enabled. | 
					
						
							| 
									
										
										
										
											2023-09-14 19:09:32 +02:00
										 |  |  | func (source *Source) Authenticate(ctx context.Context, user *user_model.User, userName, password string) (*user_model.User, error) { | 
					
						
							| 
									
										
										
										
											2021-09-24 19:32:56 +08:00
										 |  |  | 	pamLogin, err := pam.Auth(source.ServiceName, userName, password) | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		if strings.Contains(err.Error(), "Authentication failure") { | 
					
						
							| 
									
										
										
										
											2021-11-24 17:49:20 +08:00
										 |  |  | 			return nil, user_model.ErrUserNotExist{Name: userName} | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		} | 
					
						
							|  |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if user != nil { | 
					
						
							|  |  |  | 		return user, nil | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	// Allow PAM sources with `@` in their name, like from Active Directory | 
					
						
							|  |  |  | 	username := pamLogin | 
					
						
							|  |  |  | 	email := pamLogin | 
					
						
							|  |  |  | 	idx := strings.Index(pamLogin, "@") | 
					
						
							|  |  |  | 	if idx > -1 { | 
					
						
							|  |  |  | 		username = pamLogin[:idx] | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2024-08-28 16:56:35 -06:00
										 |  |  | 	if validation.ValidateEmail(email) != nil { | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		if source.EmailDomain != "" { | 
					
						
							|  |  |  | 			email = fmt.Sprintf("%s@%s", username, source.EmailDomain) | 
					
						
							|  |  |  | 		} else { | 
					
						
							|  |  |  | 			email = fmt.Sprintf("%s@%s", username, setting.Service.NoReplyAddress) | 
					
						
							|  |  |  | 		} | 
					
						
							| 
									
										
										
										
											2024-08-28 16:56:35 -06:00
										 |  |  | 		if validation.ValidateEmail(email) != nil { | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 			email = uuid.New().String() + "@localhost" | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-24 17:49:20 +08:00
										 |  |  | 	user = &user_model.User{ | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 		LowerName:   strings.ToLower(username), | 
					
						
							|  |  |  | 		Name:        username, | 
					
						
							|  |  |  | 		Email:       email, | 
					
						
							|  |  |  | 		Passwd:      password, | 
					
						
							| 
									
										
										
										
											2022-01-02 21:12:35 +08:00
										 |  |  | 		LoginType:   auth.PAM, | 
					
						
							|  |  |  | 		LoginSource: source.authSource.ID, | 
					
						
							| 
									
										
										
										
											2021-09-24 19:32:56 +08:00
										 |  |  | 		LoginName:   userName, // This is what the user typed in | 
					
						
							| 
									
										
										
										
											2022-04-29 21:38:11 +02:00
										 |  |  | 	} | 
					
						
							|  |  |  | 	overwriteDefault := &user_model.CreateUserOverwriteOptions{ | 
					
						
							| 
									
										
										
										
											2024-02-23 03:18:33 +01:00
										 |  |  | 		IsActive: optional.Some(true), | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | 	} | 
					
						
							| 
									
										
										
										
											2021-08-12 08:26:33 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-09-14 19:09:32 +02:00
										 |  |  | 	if err := user_model.CreateUser(ctx, user, overwriteDefault); err != nil { | 
					
						
							| 
									
										
										
										
											2021-08-12 08:26:33 +01:00
										 |  |  | 		return user, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return user, nil | 
					
						
							| 
									
										
										
										
											2021-07-24 11:16:34 +01:00
										 |  |  | } | 
					
						
							| 
									
										
										
										
											2021-09-27 02:02:01 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | // IsSkipLocalTwoFA returns if this source should skip local 2fa for password authentication | 
					
						
							|  |  |  | func (source *Source) IsSkipLocalTwoFA() bool { | 
					
						
							|  |  |  | 	return source.SkipLocalTwoFA | 
					
						
							|  |  |  | } |