Map OIDC groups to Orgs/Teams (#21441)

Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-08 07:44:42 +01:00 · 2023-02-08 07:44:42 +01:00 · e8186f1c0f
commit e8186f1c0f
parent 2c6cc0b8c9
34 changed files with 504 additions and 427 deletions
--- a/services/auth/middleware.go
+++ b/services/auth/middleware.go
@ -0,0 +1,60 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package auth
+
+import (
+	"net/http"
+
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/web/middleware"
+)
+
+// Auth is a middleware to authenticate a web user
+func Auth(authMethod Method) func(*context.Context) {
+	return func(ctx *context.Context) {
+		if err := authShared(ctx, authMethod); err != nil {
+			log.Error("Failed to verify user: %v", err)
+			ctx.Error(http.StatusUnauthorized, "Verify")
+			return
+		}
+		if ctx.Doer == nil {
+			// ensure the session uid is deleted
+			_ = ctx.Session.Delete("uid")
+		}
+	}
+}
+
+// APIAuth is a middleware to authenticate an api user
+func APIAuth(authMethod Method) func(*context.APIContext) {
+	return func(ctx *context.APIContext) {
+		if err := authShared(ctx.Context, authMethod); err != nil {
+			ctx.Error(http.StatusUnauthorized, "APIAuth", err)
+		}
+	}
+}
+
+func authShared(ctx *context.Context, authMethod Method) error {
+	var err error
+	ctx.Doer, err = authMethod.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+	if err != nil {
+		return err
+	}
+	if ctx.Doer != nil {
+		if ctx.Locale.Language() != ctx.Doer.Language {
+			ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
+		}
+		ctx.IsBasicAuth = ctx.Data["AuthedMethod"].(string) == BasicMethodName
+		ctx.IsSigned = true
+		ctx.Data["IsSigned"] = ctx.IsSigned
+		ctx.Data["SignedUser"] = ctx.Doer
+		ctx.Data["SignedUserID"] = ctx.Doer.ID
+		ctx.Data["SignedUserName"] = ctx.Doer.Name
+		ctx.Data["IsAdmin"] = ctx.Doer.IsAdmin
+	} else {
+		ctx.Data["SignedUserID"] = int64(0)
+		ctx.Data["SignedUserName"] = ""
+	}
+	return nil
+}