mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-07-16 06:28:50 +00:00
This is a continuation of #3346 based on the advise of https://codeberg.org/forgejo/forgejo/issues/1452#issuecomment-14591307. fixes: #1452 docs: https://codeberg.org/forgejo/docs/pulls/1938 Extends the `oauth2_client` `USERNAME` setting to be able to use the `preferred_username` claim. Co-authored-by: thepaperpilot <thepaperpilot@gmail.com> Co-authored-by: Anthony Lawn <thepaperpilot@gmail.com> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12504 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
163 lines
5.6 KiB
Go
163 lines
5.6 KiB
Go
// Copyright 2021 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package setting
|
|
|
|
import (
|
|
"math"
|
|
"sync/atomic"
|
|
|
|
"forgejo.org/modules/generate"
|
|
"forgejo.org/modules/jwtx"
|
|
"forgejo.org/modules/log"
|
|
)
|
|
|
|
// OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data
|
|
type OAuth2UsernameType string
|
|
|
|
const (
|
|
// OAuth2UsernameUserid oauth2 userid field will be used as gitea name
|
|
OAuth2UsernameUserid OAuth2UsernameType = "userid"
|
|
// OAuth2UsernameNickname oauth2 nickname field will be used as gitea name
|
|
OAuth2UsernameNickname OAuth2UsernameType = "nickname"
|
|
// OAuth2UsernameEmail username of oauth2 email field will be used as gitea name
|
|
OAuth2UsernameEmail OAuth2UsernameType = "email"
|
|
// @OAuth2UsernamePreferredUsername oauth2 preferred_username field will be used as gitea name
|
|
OAuth2UsernamePreferredUsername OAuth2UsernameType = "preferred_username"
|
|
)
|
|
|
|
func (username OAuth2UsernameType) isValid() bool {
|
|
switch username {
|
|
case OAuth2UsernameUserid, OAuth2UsernameNickname, OAuth2UsernameEmail, OAuth2UsernamePreferredUsername:
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// OAuth2AccountLinkingType is enum describing behaviour of linking with existing account
|
|
type OAuth2AccountLinkingType string
|
|
|
|
const (
|
|
// OAuth2AccountLinkingDisabled error will be displayed if account exist
|
|
OAuth2AccountLinkingDisabled OAuth2AccountLinkingType = "disabled"
|
|
// OAuth2AccountLinkingLogin account linking login will be displayed if account exist
|
|
OAuth2AccountLinkingLogin OAuth2AccountLinkingType = "login"
|
|
// OAuth2AccountLinkingAuto account will be automatically linked if account exist
|
|
OAuth2AccountLinkingAuto OAuth2AccountLinkingType = "auto"
|
|
)
|
|
|
|
func (accountLinking OAuth2AccountLinkingType) isValid() bool {
|
|
switch accountLinking {
|
|
case OAuth2AccountLinkingDisabled, OAuth2AccountLinkingLogin, OAuth2AccountLinkingAuto:
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// OAuth2Client settings
|
|
var OAuth2Client struct {
|
|
RegisterEmailConfirm bool
|
|
OpenIDConnectScopes []string
|
|
EnableAutoRegistration bool
|
|
Username OAuth2UsernameType
|
|
UpdateAvatar bool
|
|
AccountLinking OAuth2AccountLinkingType
|
|
}
|
|
|
|
func loadOAuth2ClientFrom(rootCfg ConfigProvider) {
|
|
sec := rootCfg.Section("oauth2_client")
|
|
OAuth2Client.RegisterEmailConfirm = sec.Key("REGISTER_EMAIL_CONFIRM").MustBool(Service.RegisterEmailConfirm)
|
|
OAuth2Client.OpenIDConnectScopes = parseScopes(sec, "OPENID_CONNECT_SCOPES")
|
|
OAuth2Client.EnableAutoRegistration = sec.Key("ENABLE_AUTO_REGISTRATION").MustBool()
|
|
OAuth2Client.Username = OAuth2UsernameType(sec.Key("USERNAME").MustString(string(OAuth2UsernameNickname)))
|
|
if !OAuth2Client.Username.isValid() {
|
|
log.Warn("Username setting is not valid: '%s', will fallback to '%s'", OAuth2Client.Username, OAuth2UsernameNickname)
|
|
OAuth2Client.Username = OAuth2UsernameNickname
|
|
}
|
|
OAuth2Client.UpdateAvatar = sec.Key("UPDATE_AVATAR").MustBool()
|
|
OAuth2Client.AccountLinking = OAuth2AccountLinkingType(sec.Key("ACCOUNT_LINKING").MustString(string(OAuth2AccountLinkingLogin)))
|
|
if !OAuth2Client.AccountLinking.isValid() {
|
|
log.Warn("Account linking setting is not valid: '%s', will fallback to '%s'", OAuth2Client.AccountLinking, OAuth2AccountLinkingLogin)
|
|
OAuth2Client.AccountLinking = OAuth2AccountLinkingLogin
|
|
}
|
|
}
|
|
|
|
func parseScopes(sec ConfigSection, name string) []string {
|
|
parts := sec.Key(name).Strings(" ")
|
|
scopes := make([]string, 0, len(parts))
|
|
for _, scope := range parts {
|
|
if scope != "" {
|
|
scopes = append(scopes, scope)
|
|
}
|
|
}
|
|
return scopes
|
|
}
|
|
|
|
var OAuth2 = struct {
|
|
Enabled bool
|
|
AccessTokenExpirationTime int64
|
|
RefreshTokenExpirationTime int64
|
|
InvalidateRefreshTokens bool
|
|
MaxTokenLength int
|
|
DefaultApplications []string
|
|
EnableAdditionalGrantScopes bool
|
|
KeyCfg *jwtx.KeyCfg
|
|
}{
|
|
Enabled: true,
|
|
AccessTokenExpirationTime: 3600,
|
|
RefreshTokenExpirationTime: 730,
|
|
InvalidateRefreshTokens: true,
|
|
MaxTokenLength: math.MaxInt16,
|
|
DefaultApplications: []string{"git-credential-oauth", "git-credential-manager", "tea"},
|
|
EnableAdditionalGrantScopes: false,
|
|
}
|
|
|
|
func loadOAuth2From(rootCfg ConfigProvider) {
|
|
sec := rootCfg.Section("oauth2")
|
|
if err := sec.MapTo(&OAuth2); err != nil {
|
|
log.Fatal("Failed to map OAuth2 settings: %v", err)
|
|
return
|
|
}
|
|
|
|
// Handle the rename of ENABLE to ENABLED
|
|
deprecatedSetting(rootCfg, "oauth2", "ENABLE", "oauth2", "ENABLED", "v1.23.0")
|
|
if sec.HasKey("ENABLE") && !sec.HasKey("ENABLED") {
|
|
OAuth2.Enabled = sec.Key("ENABLE").MustBool(OAuth2.Enabled)
|
|
}
|
|
|
|
// FIXME: at the moment, no matter oauth2 is enabled or not, it must generate a "oauth2 JWT_SECRET"
|
|
// Because this secret is also used as GeneralTokenSigningSecret (as a quick not-that-breaking fix for some legacy problems).
|
|
// Including: CSRF token, account validation token, etc ...
|
|
// In main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...)
|
|
if InstallLock {
|
|
signingKey, err := loadSymmeticSigningKeyCfg(rootCfg, sec, "JWT_")
|
|
if err != nil {
|
|
log.Fatal("%v", err)
|
|
}
|
|
generalSigningSecret.Store(signingKey)
|
|
}
|
|
|
|
if !OAuth2.Enabled {
|
|
return
|
|
}
|
|
|
|
var err error
|
|
OAuth2.KeyCfg, err = loadKeyCfg(rootCfg, "oauth2", "JWT_", "RS256", "jwt/private.pem")
|
|
if err != nil {
|
|
log.Fatal("oauth2 key initialization failed: %v", err)
|
|
}
|
|
}
|
|
|
|
var generalSigningSecret atomic.Pointer[[]byte]
|
|
|
|
func GetGeneralTokenSigningSecret() []byte {
|
|
old := generalSigningSecret.Load()
|
|
if old == nil || len(*old) == 0 {
|
|
jwtSecret, _ := generate.NewJwtSecret()
|
|
if generalSigningSecret.CompareAndSwap(old, &jwtSecret) {
|
|
return jwtSecret
|
|
}
|
|
return *generalSigningSecret.Load()
|
|
}
|
|
return *old
|
|
}
|