Restore PAM user autocreation functionality (#15825)

* Restore PAM user autocreation functionality

PAM autoregistration of users currently fails due to email invalidity.
This PR adds a new setting to PAM to allow an email domain to be set
or just sets the email to the noreply address and if that fails falls
back to uuid@localhost

Fix #15702

Signed-off-by: Andrew Thornton <art27@cantab.net>

* As per KN4CKER

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2021-05-13 23:11:47 +01:00 committed by GitHub
parent 9545c345a8
commit d234d37aa8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 24 additions and 1 deletions

View file

@ -21,6 +21,7 @@ import (
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
gouuid "github.com/google/uuid"
jsoniter "github.com/json-iterator/go" jsoniter "github.com/json-iterator/go"
"xorm.io/xorm" "xorm.io/xorm"
@ -116,6 +117,7 @@ func (cfg *SMTPConfig) ToDB() ([]byte, error) {
// PAMConfig holds configuration for the PAM login source. // PAMConfig holds configuration for the PAM login source.
type PAMConfig struct { type PAMConfig struct {
ServiceName string // pam service (e.g. system-auth) ServiceName string // pam service (e.g. system-auth)
EmailDomain string
} }
// FromDB fills up a PAMConfig from serialized format. // FromDB fills up a PAMConfig from serialized format.
@ -696,15 +698,26 @@ func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMCon
// Allow PAM sources with `@` in their name, like from Active Directory // Allow PAM sources with `@` in their name, like from Active Directory
username := pamLogin username := pamLogin
email := pamLogin
idx := strings.Index(pamLogin, "@") idx := strings.Index(pamLogin, "@")
if idx > -1 { if idx > -1 {
username = pamLogin[:idx] username = pamLogin[:idx]
} }
if ValidateEmail(email) != nil {
if cfg.EmailDomain != "" {
email = fmt.Sprintf("%s@%s", username, cfg.EmailDomain)
} else {
email = fmt.Sprintf("%s@%s", username, setting.Service.NoReplyAddress)
}
if ValidateEmail(email) != nil {
email = gouuid.New().String() + "@localhost"
}
}
user = &User{ user = &User{
LowerName: strings.ToLower(username), LowerName: strings.ToLower(username),
Name: username, Name: username,
Email: pamLogin, Email: email,
Passwd: password, Passwd: password,
LoginType: LoginPAM, LoginType: LoginPAM,
LoginSource: sourceID, LoginSource: sourceID,

View file

@ -2313,6 +2313,7 @@ auths.allowed_domains_helper = Leave empty to allow all domains. Separate multip
auths.enable_tls = Enable TLS Encryption auths.enable_tls = Enable TLS Encryption
auths.skip_tls_verify = Skip TLS Verify auths.skip_tls_verify = Skip TLS Verify
auths.pam_service_name = PAM Service Name auths.pam_service_name = PAM Service Name
auths.pam_email_domain = PAM Email Domain (optional)
auths.oauth2_provider = OAuth2 Provider auths.oauth2_provider = OAuth2 Provider
auths.oauth2_icon_url = Icon URL auths.oauth2_icon_url = Icon URL
auths.oauth2_clientID = Client ID (Key) auths.oauth2_clientID = Client ID (Key)

View file

@ -240,6 +240,7 @@ func NewAuthSourcePost(ctx *context.Context) {
case models.LoginPAM: case models.LoginPAM:
config = &models.PAMConfig{ config = &models.PAMConfig{
ServiceName: form.PAMServiceName, ServiceName: form.PAMServiceName,
EmailDomain: form.PAMEmailDomain,
} }
case models.LoginOAuth2: case models.LoginOAuth2:
config = parseOAuth2Config(form) config = parseOAuth2Config(form)
@ -347,6 +348,7 @@ func EditAuthSourcePost(ctx *context.Context) {
case models.LoginPAM: case models.LoginPAM:
config = &models.PAMConfig{ config = &models.PAMConfig{
ServiceName: form.PAMServiceName, ServiceName: form.PAMServiceName,
EmailDomain: form.PAMEmailDomain,
} }
case models.LoginOAuth2: case models.LoginOAuth2:
config = parseOAuth2Config(form) config = parseOAuth2Config(form)

View file

@ -51,6 +51,7 @@ type AuthenticationForm struct {
TLS bool TLS bool
SkipVerify bool SkipVerify bool
PAMServiceName string PAMServiceName string
PAMEmailDomain string
Oauth2Provider string Oauth2Provider string
Oauth2Key string Oauth2Key string
Oauth2Secret string Oauth2Secret string

View file

@ -188,6 +188,10 @@
<label for="pam_service_name">{{.i18n.Tr "admin.auths.pam_service_name"}}</label> <label for="pam_service_name">{{.i18n.Tr "admin.auths.pam_service_name"}}</label>
<input id="pam_service_name" name="pam_service_name" value="{{$cfg.ServiceName}}" required> <input id="pam_service_name" name="pam_service_name" value="{{$cfg.ServiceName}}" required>
</div> </div>
<div class="field">
<label for="pam_email_domain">{{.i18n.Tr "admin.auths.pam_email_domain"}}</label>
<input id="pam_email_domain" name="pam_email_domain" value="{{$cfg.EmailDomain}}">
</div>
{{end}} {{end}}
<!-- OAuth2 --> <!-- OAuth2 -->

View file

@ -38,6 +38,8 @@
<div class="pam required field {{if not (eq .type 4)}}hide{{end}}"> <div class="pam required field {{if not (eq .type 4)}}hide{{end}}">
<label for="pam_service_name">{{.i18n.Tr "admin.auths.pam_service_name"}}</label> <label for="pam_service_name">{{.i18n.Tr "admin.auths.pam_service_name"}}</label>
<input id="pam_service_name" name="pam_service_name" value="{{.pam_service_name}}" /> <input id="pam_service_name" name="pam_service_name" value="{{.pam_service_name}}" />
<label for="pam_email_domain">{{.i18n.Tr "admin.auths.pam_email_domain"}}</label>
<input id="pam_email_domain" name="pam_email_domain" value="{{.pam_email_domain}}">
</div> </div>
<!-- OAuth2 --> <!-- OAuth2 -->