Merge remote-tracking branch 'origin/main' into oidc-claims

go-gitea · lunny · Dec 14, 2021 · Aug 21, 2021 · Aug 20, 2021 · Aug 20, 2021
commit a730e6b103fbc028c1420d4870bb911215ff212a
diff --git a/cmd/admin.go b/cmd/admin.go
@@ -292,8 +292,8 @@ var (
 			Usage: "Custom icon URL for OAuth2 login source",
 		},
 		cli.BoolFlag{
-			Name:  "override-local-2fa",
-			Usage: "Set to true to override local 2fa settings",
+			Name:  "skip-local-2fa",
+			Usage: "Set to true to skip local 2fa for users authenticated by this source",
 		},
 		cli.StringSliceFlag{
 			Name:  "scopes",
@@ -653,7 +653,7 @@ func parseOAuth2Config(c *cli.Context) *oauth2.Source {
 		OpenIDConnectAutoDiscoveryURL: c.String("auto-discover-url"),
 		CustomURLMapping:              customURLMapping,
 		IconURL:                       c.String("icon-url"),
-		OverrideLocalTwoFA:            c.Bool("override-local-2fa"),
+		SkipLocalTwoFA:                c.Bool("skip-local-2fa"),
 		Scopes:                        c.StringSlice("scopes"),
 		RequiredClaimName:             c.String("required-claim-name"),
 		RequiredClaimValue:            c.String("required-claim-value"),

diff --git a/models/external_login_user.go b/models/external_login_user.go
@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/login"
 	"code.gitea.io/gitea/modules/structs"
 
 	"xorm.io/builder"
@@ -106,7 +105,7 @@ func GetUserIDByExternalUserID(provider, userID string) (int64, error) {
 
 // UpdateExternalUserByExternalID updates an external user's information
 func UpdateExternalUserByExternalID(external *ExternalLoginUser) error {
-	has, err := x.Where("external_id=? AND login_source_id=?", external.ExternalID, external.LoginSourceID).
+	has, err := db.GetEngine(db.DefaultContext).Where("external_id=? AND login_source_id=?", external.ExternalID, external.LoginSourceID).
 		NoAutoCondition().
 		Exist(external)
 	if err != nil {
@@ -115,7 +114,7 @@ func UpdateExternalUserByExternalID(external *ExternalLoginUser) error {
 		return ErrExternalLoginUserNotExist{external.UserID, external.LoginSourceID}
 	}
 
-	_, err = x.Where("external_id=? AND login_source_id=?", external.ExternalID, external.LoginSourceID).AllCols().Update(external)
+	_, err = db.GetEngine(db.DefaultContext).Where("external_id=? AND login_source_id=?", external.ExternalID, external.LoginSourceID).AllCols().Update(external)
 	return err
 }
 

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -2458,8 +2458,8 @@ auths.oauth2_tokenURL = Token URL
 auths.oauth2_authURL = Authorize URL
 auths.oauth2_profileURL = Profile URL
 auths.oauth2_emailURL = Email URL
-auths.override_local_two_fa = Override local 2FA
-auths.override_local_two_fa_helper = Leaving unset means local users with 2FA set will still have to pass 2FA to log on
+auths.skip_local_two_fa = Skip local 2FA
+auths.skip_local_two_fa_helper = Leaving unset means local users with 2FA set will still have to pass 2FA to log on
 auths.oauth2_tenant = Tenant
 auths.oauth2_scopes = Additional Scopes
 auths.oauth2_required_claim_name = Required Claim Name

diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
@@ -185,10 +185,10 @@ func parseOAuth2Config(form forms.AuthenticationForm) *oauth2.Source {
 		OpenIDConnectAutoDiscoveryURL: form.OpenIDConnectAutoDiscoveryURL,
 		CustomURLMapping:              customURLMapping,
 		IconURL:                       form.Oauth2IconURL,
-		OverrideLocalTwoFA:            form.OverrideLocalTwoFA,
 		Scopes:                        strings.Split(form.Oauth2Scopes, ","),
 		RequiredClaimName:             form.Oauth2RequiredClaimName,
 		RequiredClaimValue:            form.Oauth2RequiredClaimValue,
+		SkipLocalTwoFA:                form.SkipLocalTwoFA,
 	}
 }
 

diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go
@@ -683,7 +683,7 @@ func claimValueToStringSlice(claimValue interface{}) []string {
 	return groups
 }
 
-func setUserGroupClaims(loginSource *models.LoginSource, u *models.User, gothUser *goth.User) bool {
+func setUserGroupClaims(loginSource *login.Source, u *models.User, gothUser *goth.User) bool {
 
 	source := loginSource.Cfg.(*oauth2.Source)
 	if source.GroupClaimName == "" || (source.AdminGroup == "" && source.RestrictedGroup == "") {
@@ -756,11 +756,11 @@ func updateAvatarIfNeed(url string, u *models.User) {
 	}
 }
 
-func handleOAuth2SignIn(ctx *context.Context, source *models.LoginSource, u *models.User, gothUser goth.User) {
+func handleOAuth2SignIn(ctx *context.Context, source *login.Source, u *models.User, gothUser goth.User) {
 	updateAvatarIfNeed(gothUser.AvatarURL, u)
 
 	needs2FA := false
-	if !source.Cfg.(*oauth2.Source).OverrideLocalTwoFA {
+	if !source.Cfg.(*oauth2.Source).SkipLocalTwoFA {
 		_, err := models.GetTwoFactorByUID(u.ID)
 		if err != nil && !models.IsErrTwoFactorNotEnrolled(err) {
 			ctx.ServerError("UserSignIn", err)
@@ -846,7 +846,7 @@ func handleOAuth2SignIn(ctx *context.Context, source *models.LoginSource, u *mod
 
 // OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
 // login the user
-func oAuth2UserLoginCallback(loginSource *models.LoginSource, request *http.Request, response http.ResponseWriter) (*models.User, goth.User, error) {
+func oAuth2UserLoginCallback(loginSource *login.Source, request *http.Request, response http.ResponseWriter) (*models.User, goth.User, error) {
 	oauth2Source := loginSource.Cfg.(*oauth2.Source)
 
 	gothUser, err := oauth2Source.Callback(request, response)

diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go
@@ -25,14 +25,14 @@ type Source struct {
 	OpenIDConnectAutoDiscoveryURL string
 	CustomURLMapping              *CustomURLMapping
 	IconURL                       string
-	OverrideLocalTwoFA            bool
 
 	Scopes             []string
 	RequiredClaimName  string
 	RequiredClaimValue string
 	GroupClaimName     string
 	AdminGroup         string
 	RestrictedGroup    string
+	SkipLocalTwoFA     bool
 
 	// reference to the loginSource
 	loginSource *login.Source

diff --git a/services/externalaccount/user.go b/services/externalaccount/user.go
@@ -15,7 +15,7 @@ import (
 )
 
 func toExternalLoginUser(user *models.User, gothUser goth.User) (*models.ExternalLoginUser, error) {
-	loginSource, err := models.GetActiveOAuth2LoginSourceByName(gothUser.Provider)
+	loginSource, err := login.GetActiveOAuth2LoginSourceByName(gothUser.Provider)
 	if err != nil {
 		return nil, err
 	}

diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
@@ -66,13 +66,13 @@ type AuthenticationForm struct {
 	Oauth2EmailURL                string
 	Oauth2IconURL                 string
 	Oauth2Tenant                  string
-	OverrideLocalTwoFA            bool
 	Oauth2Scopes                  string
 	Oauth2RequiredClaimName       string
 	Oauth2RequiredClaimValue      string
 	Oauth2GroupClaimName          string
 	Oauth2AdminGroup              string
 	Oauth2RestrictedGroup         string
+	SkipLocalTwoFA                bool
 	SSPIAutoCreateUsers           bool
 	SSPIAutoActivateUsers         bool
 	SSPIStripDomainNames          bool

diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
@@ -264,15 +264,9 @@
 					</div>
 					<div class="optional field">
 						<div class="ui checkbox">
-							<label for="override_local_two_fa"><strong>{{.i18n.Tr "admin.auths.override_local_two_fa"}}</strong></label>
-							<input id="override_local_two_fa" name="override_local_two_fa" type="checkbox" {{if $cfg.OverrideLocalTwoFA}}checked{{end}}>
-							<p class="help">{{.i18n.Tr "admin.auths.override_local_two_fa_helper"}}</p>
+							<input id="skip_local_two_fa" name="skip_local_two_fa" type="checkbox" {{if $cfg.SkipLocalTwoFA}}checked{{end}}>
+							<p class="help">{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
 						</div>
-					</div>
-
-					<div class="oauth2_use_custom_url inline field">
-						<div class="ui checkbox">
-							<label><strong>{{.i18n.Tr "admin.auths.oauth2_use_custom_url"}}</strong></label>
 							<input id="oauth2_use_custom_url" name="oauth2_use_custom_url" type="checkbox" {{if $cfg.CustomURLMapping}}checked{{end}}>
 						</div>
 					</div>

diff --git a/templates/admin/auth/source/oauth.tmpl b/templates/admin/auth/source/oauth.tmpl
@@ -30,9 +30,9 @@
 	</div>
 	<div class="optional field">
 		<div class="ui checkbox">
-			<label for="override_local_two_fa"><strong>{{.i18n.Tr "admin.auths.override_local_two_fa"}}</strong></label>
-			<input id="override_local_two_fa" name="override_local_two_fa" type="checkbox" {{if .override_local_two_fa}}checked{{end}}>
-			<p class="help">{{.i18n.Tr "admin.auths.override_local_two_fa_helper"}}</p>
+			<label for="skip_local_two_fa"><strong>{{.i18n.Tr "admin.auths.skip_local_two_fa"}}</strong></label>
+			<input id="skip_local_two_fa" name="skip_local_two_fa" type="checkbox" {{if .skip_local_two_fa}}checked{{end}}>
+			<p class="help">{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
 		</div>
 	</div>