Merge remote-tracking branch 'origin/main' into oidc-claims

Author: zeripath

cmd/admin_auth_ldap.go

@@ -93,6 +93,10 @@ var (
 			Name:  "skip-local-2fa",
 			Usage: "Set to true to skip local 2fa for users authenticated by this source",
 		},
+		cli.StringFlag{
+			Name:  "avatar-attribute",
+			Usage: "The attribute of the user’s LDAP record containing the user’s avatar.",
+		},
 	}
 
 	ldapBindDnCLIFlags = append(commonLdapCLIFlags,
@@ -234,6 +238,9 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("public-ssh-key-attribute") {
 		config.AttributeSSHPublicKey = c.String("public-ssh-key-attribute")
 	}
+	if c.IsSet("avatar-attribute") {
+		config.AttributeAvatar = c.String("avatar-attribute")
+	}
 	if c.IsSet("page-size") {
 		config.SearchPageSize = uint32(c.Uint("page-size"))
 	}

cmd/admin_auth_ldap_test.go

@@ -45,6 +45,7 @@ func TestAddLdapBindDn(t *testing.T) {
 				"--surname-attribute", "sn-bind full",
 				"--email-attribute", "mail-bind full",
 				"--public-ssh-key-attribute", "publickey-bind full",
+				"--avatar-attribute", "avatar-bind full",
 				"--bind-dn", "cn=readonly,dc=full-domain-bind,dc=org",
 				"--bind-password", "secret-bind-full",
 				"--attributes-in-bind",
@@ -71,6 +72,7 @@ func TestAddLdapBindDn(t *testing.T) {
 					AttributeMail:         "mail-bind full",
 					AttributesInBind:      true,
 					AttributeSSHPublicKey: "publickey-bind full",
+					AttributeAvatar:       "avatar-bind full",
 					SearchPageSize:        99,
 					Filter:                "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
@@ -269,6 +271,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 				"--surname-attribute", "sn-simple full",
 				"--email-attribute", "mail-simple full",
 				"--public-ssh-key-attribute", "publickey-simple full",
+				"--avatar-attribute", "avatar-simple full",
 				"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org",
 			},
 			loginSource: &login.Source{
@@ -288,6 +291,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 					AttributeSurname:      "sn-simple full",
 					AttributeMail:         "mail-simple full",
 					AttributeSSHPublicKey: "publickey-simple full",
+					AttributeAvatar:       "avatar-simple full",
 					Filter:                "(&(objectClass=posixAccount)(full-simple-cn=%s))",
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",
 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",
@@ -501,6 +505,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 				"--surname-attribute", "sn-bind full",
 				"--email-attribute", "mail-bind full",
 				"--public-ssh-key-attribute", "publickey-bind full",
+				"--avatar-attribute", "avatar-bind full",
 				"--bind-dn", "cn=readonly,dc=full-domain-bind,dc=org",
 				"--bind-password", "secret-bind-full",
 				"--synchronize-users",
@@ -534,6 +539,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 					AttributeMail:         "mail-bind full",
 					AttributesInBind:      false,
 					AttributeSSHPublicKey: "publickey-bind full",
+					AttributeAvatar:       "avatar-bind full",
 					SearchPageSize:        99,
 					Filter:                "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
@@ -932,6 +938,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 				"--surname-attribute", "sn-simple full",
 				"--email-attribute", "mail-simple full",
 				"--public-ssh-key-attribute", "publickey-simple full",
+				"--avatar-attribute", "avatar-simple full",
 				"--user-dn", "cn=%s,ou=Users,dc=full-domain-simple,dc=org",
 			},
 			id: 7,
@@ -952,6 +959,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 					AttributeSurname:      "sn-simple full",
 					AttributeMail:         "mail-simple full",
 					AttributeSSHPublicKey: "publickey-simple full",
+					AttributeAvatar:       "avatar-simple full",
 					Filter:                "(&(objectClass=posixAccount)(full-simple-cn=%s))",
 					AdminFilter:           "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",
 					RestrictedFilter:      "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",

docs/content/doc/usage/command-line.en-us.md

@@ -166,6 +166,7 @@ Admin operations:
         - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
         - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required.
         - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
         - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user.
         - `--bind-password value`: The password for the Bind DN, if any.
         - `--attributes-in-bind`: Fetch attributes in bind DN context.
@@ -191,6 +192,7 @@ Admin operations:
         - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
         - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address.
         - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
         - `--bind-dn value`: The DN to bind to the LDAP server with when searching for the user.
         - `--bind-password value`: The password for the Bind DN, if any.
         - `--attributes-in-bind`: Fetch attributes in bind DN context.
@@ -216,6 +218,7 @@ Admin operations:
         - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
         - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address. Required.
         - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
         - `--user-dn value`: The user’s DN. Required.
       - Examples:
         - `gitea admin auth add-ldap-simple --name ldap --security-protocol unencrypted --host mydomain.org --port 389 --user-dn "cn=%s,ou=Users,dc=mydomain,dc=org" --user-filter "(&(objectClass=posixAccount)(cn=%s))" --email-attribute mail`
@@ -237,6 +240,7 @@ Admin operations:
         - `--surname-attribute value`: The attribute of the user’s LDAP record containing the user’s surname.
         - `--email-attribute value`: The attribute of the user’s LDAP record containing the user’s email address.
         - `--public-ssh-key-attribute value`: The attribute of the user’s LDAP record containing the user’s public ssh key.
+        - `--avatar-attribute value`: The attribute of the user’s LDAP record containing the user’s avatar.
         - `--user-dn value`: The user’s DN.
       - Examples:
         - `gitea admin auth update-ldap-simple --id 1 --name "my ldap auth source"`

models/error.go

@@ -1876,25 +1876,6 @@ func (err ErrTeamNotExist) Error() string {
 	return fmt.Sprintf("team does not exist [org_id %d, team_id %d, name: %s]", err.OrgID, err.TeamID, err.Name)
 }
 
-//
-// Two-factor authentication
-//
-
-// ErrTwoFactorNotEnrolled indicates that a user is not enrolled in two-factor authentication.
-type ErrTwoFactorNotEnrolled struct {
-	UID int64
-}
-
-// IsErrTwoFactorNotEnrolled checks if an error is a ErrTwoFactorNotEnrolled.
-func IsErrTwoFactorNotEnrolled(err error) bool {
-	_, ok := err.(ErrTwoFactorNotEnrolled)
-	return ok
-}
-
-func (err ErrTwoFactorNotEnrolled) Error() string {
-	return fmt.Sprintf("user not enrolled in 2FA [uid: %d]", err.UID)
-}
-
 //  ____ ___        .__                    .___
 // |    |   \______ |  |   _________     __| _/
 // |    |   /\____ \|  |  /  _ \__  \   / __ |
@@ -1959,28 +1940,6 @@ func (err ErrExternalLoginUserNotExist) Error() string {
 	return fmt.Sprintf("external login user link does not exists [userID: %d, loginSourceID: %d]", err.UserID, err.LoginSourceID)
 }
 
-// ____ ________________________________              .__          __                 __  .__
-// |    |   \_____  \_   _____/\______   \ ____   ____ |__| _______/  |_____________ _/  |_|__| ____   ____
-// |    |   //  ____/|    __)   |       _// __ \ / ___\|  |/  ___/\   __\_  __ \__  \\   __\  |/  _ \ /    \
-// |    |  //       \|     \    |    |   \  ___// /_/  >  |\___ \  |  |  |  | \// __ \|  | |  (  <_> )   |  \
-// |______/ \_______ \___  /    |____|_  /\___  >___  /|__/____  > |__|  |__|  (____  /__| |__|\____/|___|  /
-// \/   \/            \/     \/_____/         \/                   \/                    \/
-
-// ErrU2FRegistrationNotExist represents a "ErrU2FRegistrationNotExist" kind of error.
-type ErrU2FRegistrationNotExist struct {
-	ID int64
-}
-
-func (err ErrU2FRegistrationNotExist) Error() string {
-	return fmt.Sprintf("U2F registration does not exist [id: %d]", err.ID)
-}
-
-// IsErrU2FRegistrationNotExist checks if an error is a ErrU2FRegistrationNotExist.
-func IsErrU2FRegistrationNotExist(err error) bool {
-	_, ok := err.(ErrU2FRegistrationNotExist)
-	return ok
-}
-
 // .___                            ________                                   .___                   .__
 // |   | ______ ________ __   ____ \______ \   ____ ______   ____   ____    __| _/____   ____   ____ |__| ____   ______
 // |   |/  ___//  ___/  |  \_/ __ \ |    |  \_/ __ \\____ \_/ __ \ /    \  / __ |/ __ \ /    \_/ ___\|  |/ __ \ /  ___/

models/login/main_test.go

@@ -17,5 +17,6 @@ func TestMain(m *testing.M) {
 		"oauth2_application.yml",
 		"oauth2_authorization_code.yml",
 		"oauth2_grant.yml",
+		"u2f_registration.yml",
 	)
 }

models/twofactor.go renamed to models/login/twofactor.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 
-package models
+package login
 
 import (
 	"crypto/md5"
@@ -21,6 +21,25 @@ import (
 	"golang.org/x/crypto/pbkdf2"
 )
 
+//
+// Two-factor authentication
+//
+
+// ErrTwoFactorNotEnrolled indicates that a user is not enrolled in two-factor authentication.
+type ErrTwoFactorNotEnrolled struct {
+	UID int64
+}
+
+// IsErrTwoFactorNotEnrolled checks if an error is a ErrTwoFactorNotEnrolled.
+func IsErrTwoFactorNotEnrolled(err error) bool {
+	_, ok := err.(ErrTwoFactorNotEnrolled)
+	return ok
+}
+
+func (err ErrTwoFactorNotEnrolled) Error() string {
+	return fmt.Sprintf("user not enrolled in 2FA [uid: %d]", err.UID)
+}
+
 // TwoFactor represents a two-factor authentication token.
 type TwoFactor struct {
 	ID               int64 `xorm:"pk autoincr"`
@@ -44,11 +63,12 @@ func (t *TwoFactor) GenerateScratchToken() (string, error) {
 		return "", err
 	}
 	t.ScratchSalt, _ = util.RandomString(10)
-	t.ScratchHash = hashToken(token, t.ScratchSalt)
+	t.ScratchHash = HashToken(token, t.ScratchSalt)
 	return token, nil
 }
 
-func hashToken(token, salt string) string {
+// HashToken return the hashable salt
+func HashToken(token, salt string) string {
 	tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New)
 	return fmt.Sprintf("%x", tempHash)
 }
@@ -58,7 +78,7 @@ func (t *TwoFactor) VerifyScratchToken(token string) bool {
 	if len(token) == 0 {
 		return false
 	}
-	tempHash := hashToken(token, t.ScratchSalt)
+	tempHash := HashToken(token, t.ScratchSalt)
 	return subtle.ConstantTimeCompare([]byte(t.ScratchHash), []byte(tempHash)) == 1
 }
 

models/u2f.go renamed to models/login/u2f.go

@@ -2,16 +2,40 @@
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 
-package models
+package login
 
 import (
+	"fmt"
+
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/timeutil"
 
 	"github.com/tstranex/u2f"
 )
 
+// ____ ________________________________              .__          __                 __  .__
+// |    |   \_____  \_   _____/\______   \ ____   ____ |__| _______/  |_____________ _/  |_|__| ____   ____
+// |    |   //  ____/|    __)   |       _// __ \ / ___\|  |/  ___/\   __\_  __ \__  \\   __\  |/  _ \ /    \
+// |    |  //       \|     \    |    |   \  ___// /_/  >  |\___ \  |  |  |  | \// __ \|  | |  (  <_> )   |  \
+// |______/ \_______ \___  /    |____|_  /\___  >___  /|__/____  > |__|  |__|  (____  /__| |__|\____/|___|  /
+// \/   \/            \/     \/_____/         \/                   \/                    \/
+
+// ErrU2FRegistrationNotExist represents a "ErrU2FRegistrationNotExist" kind of error.
+type ErrU2FRegistrationNotExist struct {
+	ID int64
+}
+
+func (err ErrU2FRegistrationNotExist) Error() string {
+	return fmt.Sprintf("U2F registration does not exist [id: %d]", err.ID)
+}
+
+// IsErrU2FRegistrationNotExist checks if an error is a ErrU2FRegistrationNotExist.
+func IsErrU2FRegistrationNotExist(err error) bool {
+	_, ok := err.(ErrU2FRegistrationNotExist)
+	return ok
+}
+
 // U2FRegistration represents the registration data and counter of a security key
 type U2FRegistration struct {
 	ID          int64 `xorm:"pk autoincr"`
@@ -91,13 +115,13 @@ func GetU2FRegistrationsByUID(uid int64) (U2FRegistrationList, error) {
 	return getU2FRegistrationsByUID(db.GetEngine(db.DefaultContext), uid)
 }
 
-func createRegistration(e db.Engine, user *User, name string, reg *u2f.Registration) (*U2FRegistration, error) {
+func createRegistration(e db.Engine, userID int64, name string, reg *u2f.Registration) (*U2FRegistration, error) {
 	raw, err := reg.MarshalBinary()
 	if err != nil {
 		return nil, err
 	}
 	r := &U2FRegistration{
-		UserID:  user.ID,
+		UserID:  userID,
 		Name:    name,
 		Counter: 0,
 		Raw:     raw,
@@ -110,8 +134,8 @@ func createRegistration(e db.Engine, user *User, name string, reg *u2f.Registrat
 }
 
 // CreateRegistration will create a new U2FRegistration from the given Registration
-func CreateRegistration(user *User, name string, reg *u2f.Registration) (*U2FRegistration, error) {
-	return createRegistration(db.GetEngine(db.DefaultContext), user, name, reg)
+func CreateRegistration(userID int64, name string, reg *u2f.Registration) (*U2FRegistration, error) {
+	return createRegistration(db.GetEngine(db.DefaultContext), userID, name, reg)
 }
 
 // DeleteRegistration will delete U2FRegistration

models/u2f_test.go renamed to models/login/u2f_test.go

@@ -2,12 +2,13 @@
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 
-package models
+package login
 
 import (
 	"testing"
 
 	"code.gitea.io/gitea/models/db"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/tstranex/u2f"
 )
@@ -55,14 +56,13 @@ func TestU2FRegistration_UpdateLargeCounter(t *testing.T) {
 
 func TestCreateRegistration(t *testing.T) {
 	assert.NoError(t, db.PrepareTestDatabase())
-	user := db.AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)
 
-	res, err := CreateRegistration(user, "U2F Created Key", &u2f.Registration{Raw: []byte("Test")})
+	res, err := CreateRegistration(1, "U2F Created Key", &u2f.Registration{Raw: []byte("Test")})
 	assert.NoError(t, err)
 	assert.Equal(t, "U2F Created Key", res.Name)
 	assert.Equal(t, []byte("Test"), res.Raw)
 
-	db.AssertExistsIf(t, true, &U2FRegistration{Name: "U2F Created Key", UserID: user.ID})
+	db.AssertExistsIf(t, true, &U2FRegistration{Name: "U2F Created Key", UserID: 1})
 }
 
 func TestDeleteRegistration(t *testing.T) {

models/pull_sign.go

@@ -6,6 +6,7 @@ package models
 
 import (
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/login"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -44,8 +45,8 @@ Loop:
 				return false, "", nil, &ErrWontSign{pubkey}
 			}
 		case twofa:
-			twofaModel, err := GetTwoFactorByUID(u.ID)
-			if err != nil && !IsErrTwoFactorNotEnrolled(err) {
+			twofaModel, err := login.GetTwoFactorByUID(u.ID)
+			if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
 				return false, "", nil, err
 			}
 			if twofaModel == nil {

models/repo_sign.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/login"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/process"
@@ -129,8 +130,8 @@ Loop:
 				return false, "", nil, &ErrWontSign{pubkey}
 			}
 		case twofa:
-			twofaModel, err := GetTwoFactorByUID(u.ID)
-			if err != nil && !IsErrTwoFactorNotEnrolled(err) {
+			twofaModel, err := login.GetTwoFactorByUID(u.ID)
+			if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
 				return false, "", nil, err
 			}
 			if twofaModel == nil {
@@ -165,8 +166,8 @@ Loop:
 				return false, "", nil, &ErrWontSign{pubkey}
 			}
 		case twofa:
-			twofaModel, err := GetTwoFactorByUID(u.ID)
-			if err != nil && !IsErrTwoFactorNotEnrolled(err) {
+			twofaModel, err := login.GetTwoFactorByUID(u.ID)
+			if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
 				return false, "", nil, err
 			}
 			if twofaModel == nil {
@@ -218,8 +219,8 @@ Loop:
 				return false, "", nil, &ErrWontSign{pubkey}
 			}
 		case twofa:
-			twofaModel, err := GetTwoFactorByUID(u.ID)
-			if err != nil && !IsErrTwoFactorNotEnrolled(err) {
+			twofaModel, err := login.GetTwoFactorByUID(u.ID)
+			if err != nil && !login.IsErrTwoFactorNotEnrolled(err) {
 				return false, "", nil, err
 			}
 			if twofaModel == nil {