mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-29 15:13:53 +03:00
e8186f1c0f
Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
209 lines
5.1 KiB
Go
209 lines
5.1 KiB
Go
// Copyright 2017 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package validation
|
|
|
|
import (
|
|
"fmt"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"code.gitea.io/gitea/modules/auth"
|
|
"code.gitea.io/gitea/modules/git"
|
|
|
|
"gitea.com/go-chi/binding"
|
|
"github.com/gobwas/glob"
|
|
)
|
|
|
|
const (
|
|
// ErrGitRefName is git reference name error
|
|
ErrGitRefName = "GitRefNameError"
|
|
// ErrGlobPattern is returned when glob pattern is invalid
|
|
ErrGlobPattern = "GlobPattern"
|
|
// ErrRegexPattern is returned when a regex pattern is invalid
|
|
ErrRegexPattern = "RegexPattern"
|
|
// ErrUsername is username error
|
|
ErrUsername = "UsernameError"
|
|
// ErrInvalidGroupTeamMap is returned when a group team mapping is invalid
|
|
ErrInvalidGroupTeamMap = "InvalidGroupTeamMap"
|
|
)
|
|
|
|
// AddBindingRules adds additional binding rules
|
|
func AddBindingRules() {
|
|
addGitRefNameBindingRule()
|
|
addValidURLBindingRule()
|
|
addValidSiteURLBindingRule()
|
|
addGlobPatternRule()
|
|
addRegexPatternRule()
|
|
addGlobOrRegexPatternRule()
|
|
addUsernamePatternRule()
|
|
addValidGroupTeamMapRule()
|
|
}
|
|
|
|
func addGitRefNameBindingRule() {
|
|
// Git refname validation rule
|
|
binding.AddRule(&binding.Rule{
|
|
IsMatch: func(rule string) bool {
|
|
return strings.HasPrefix(rule, "GitRefName")
|
|
},
|
|
IsValid: func(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
|
|
str := fmt.Sprintf("%v", val)
|
|
|
|
if !git.IsValidRefPattern(str) {
|
|
errs.Add([]string{name}, ErrGitRefName, "GitRefName")
|
|
return false, errs
|
|
}
|
|
return true, errs
|
|
},
|
|
})
|
|
}
|
|
|
|
func addValidURLBindingRule() {
|
|
// URL validation rule
|
|
binding.AddRule(&binding.Rule{
|
|
IsMatch: func(rule string) bool {
|
|
return strings.HasPrefix(rule, "ValidUrl")
|
|
},
|
|
IsValid: func(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
|
|
str := fmt.Sprintf("%v", val)
|
|
if len(str) != 0 && !IsValidURL(str) {
|
|
errs.Add([]string{name}, binding.ERR_URL, "Url")
|
|
return false, errs
|
|
}
|
|
|
|
return true, errs
|
|
},
|
|
})
|
|
}
|
|
|
|
func addValidSiteURLBindingRule() {
|
|
// URL validation rule
|
|
binding.AddRule(&binding.Rule{
|
|
IsMatch: func(rule string) bool {
|
|
return strings.HasPrefix(rule, "ValidSiteUrl")
|
|
},
|
|
IsValid: func(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
|
|
str := fmt.Sprintf("%v", val)
|
|
if len(str) != 0 && !IsValidSiteURL(str) {
|
|
errs.Add([]string{name}, binding.ERR_URL, "Url")
|
|
return false, errs
|
|
}
|
|
|
|
return true, errs
|
|
},
|
|
})
|
|
}
|
|
|
|
func addGlobPatternRule() {
|
|
binding.AddRule(&binding.Rule{
|
|
IsMatch: func(rule string) bool {
|
|
return rule == "GlobPattern"
|
|
},
|
|
IsValid: globPatternValidator,
|
|
})
|
|
}
|
|
|
|
func globPatternValidator(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
|
|
str := fmt.Sprintf("%v", val)
|
|
|
|
if len(str) != 0 {
|
|
if _, err := glob.Compile(str); err != nil {
|
|
errs.Add([]string{name}, ErrGlobPattern, err.Error())
|
|
return false, errs
|
|
}
|
|
}
|
|
|
|
return true, errs
|
|
}
|
|
|
|
func addRegexPatternRule() {
|
|
binding.AddRule(&binding.Rule{
|
|
IsMatch: func(rule string) bool {
|
|
return rule == "RegexPattern"
|
|
},
|
|
IsValid: regexPatternValidator,
|
|
})
|
|
}
|
|
|
|
func regexPatternValidator(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
|
|
str := fmt.Sprintf("%v", val)
|
|
|
|
if _, err := regexp.Compile(str); err != nil {
|
|
errs.Add([]string{name}, ErrRegexPattern, err.Error())
|
|
return false, errs
|
|
}
|
|
|
|
return true, errs
|
|
}
|
|
|
|
func addGlobOrRegexPatternRule() {
|
|
binding.AddRule(&binding.Rule{
|
|
IsMatch: func(rule string) bool {
|
|
return rule == "GlobOrRegexPattern"
|
|
},
|
|
IsValid: func(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
|
|
str := strings.TrimSpace(fmt.Sprintf("%v", val))
|
|
|
|
if len(str) >= 2 && strings.HasPrefix(str, "/") && strings.HasSuffix(str, "/") {
|
|
return regexPatternValidator(errs, name, str[1:len(str)-1])
|
|
}
|
|
return globPatternValidator(errs, name, val)
|
|
},
|
|
})
|
|
}
|
|
|
|
func addUsernamePatternRule() {
|
|
binding.AddRule(&binding.Rule{
|
|
IsMatch: func(rule string) bool {
|
|
return rule == "Username"
|
|
},
|
|
IsValid: func(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
|
|
str := fmt.Sprintf("%v", val)
|
|
if !IsValidUsername(str) {
|
|
errs.Add([]string{name}, ErrUsername, "invalid username")
|
|
return false, errs
|
|
}
|
|
return true, errs
|
|
},
|
|
})
|
|
}
|
|
|
|
func addValidGroupTeamMapRule() {
|
|
binding.AddRule(&binding.Rule{
|
|
IsMatch: func(rule string) bool {
|
|
return strings.HasPrefix(rule, "ValidGroupTeamMap")
|
|
},
|
|
IsValid: func(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
|
|
_, err := auth.UnmarshalGroupTeamMapping(fmt.Sprintf("%v", val))
|
|
if err != nil {
|
|
errs.Add([]string{name}, ErrInvalidGroupTeamMap, err.Error())
|
|
return false, errs
|
|
}
|
|
|
|
return true, errs
|
|
},
|
|
})
|
|
}
|
|
|
|
func portOnly(hostport string) string {
|
|
colon := strings.IndexByte(hostport, ':')
|
|
if colon == -1 {
|
|
return ""
|
|
}
|
|
if i := strings.Index(hostport, "]:"); i != -1 {
|
|
return hostport[i+len("]:"):]
|
|
}
|
|
if strings.Contains(hostport, "]") {
|
|
return ""
|
|
}
|
|
return hostport[colon+len(":"):]
|
|
}
|
|
|
|
func validPort(p string) bool {
|
|
for _, r := range []byte(p) {
|
|
if r < '0' || r > '9' {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|