ProjectHentai/alist
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: sso compatibility mode (#5260)

Browse Source
This commit is contained in:
itsHenry 2023-09-22 16:45:51 +08:00 committed by GitHub
parent 106cf720c1
commit 30977cdc6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 104 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
internal/bootstrap/data/setting.go
View File

@ -165,6 +165,7 @@ func InitialSettings() []model.SettingItem {
{Key: conf.SSOAutoRegister, Value: "false", Type: conf.TypeBool, Group: model.SSO, Flag: model.PRIVATE}, {Key: conf.SSOAutoRegister, Value: "false", Type: conf.TypeBool, Group: model.SSO, Flag: model.PRIVATE},
{Key: conf.SSODefaultDir, Value: "/", Type: conf.TypeString, Group: model.SSO, Flag: model.PRIVATE}, {Key: conf.SSODefaultDir, Value: "/", Type: conf.TypeString, Group: model.SSO, Flag: model.PRIVATE},
{Key: conf.SSODefaultPermission, Value: "0", Type: conf.TypeNumber, Group: model.SSO, Flag: model.PRIVATE}, {Key: conf.SSODefaultPermission, Value: "0", Type: conf.TypeNumber, Group: model.SSO, Flag: model.PRIVATE},
{Key: conf.SSOCompatibilityMode, Value: "false", Type: conf.TypeBool, Group: model.SSO, Flag: model.PUBLIC},
// qbittorrent settings // qbittorrent settings
{Key: conf.QbittorrentUrl, Value: "http://admin:adminadmin@localhost:8080/", Type: conf.TypeString, Group: model.SINGLE, Flag: model.PRIVATE}, {Key: conf.QbittorrentUrl, Value: "http://admin:adminadmin@localhost:8080/", Type: conf.TypeString, Group: model.SINGLE, Flag: model.PRIVATE},

1
internal/conf/const.go
View File

@ -69,6 +69,7 @@ const (
SSOAutoRegister = "sso_auto_register" SSOAutoRegister = "sso_auto_register"
SSODefaultDir = "sso_default_dir" SSODefaultDir = "sso_default_dir"
SSODefaultPermission = "sso_default_permission" SSODefaultPermission = "sso_default_permission"
SSOCompatibilityMode = "sso_compatibility_mode"
// qbittorrent // qbittorrent
QbittorrentUrl = "qbittorrent_url" QbittorrentUrl = "qbittorrent_url"

153
server/handles/ssologin.go
View File

@ -6,6 +6,7 @@ import (
"fmt" "fmt"
"net/http" "net/http"
"net/url" "net/url"
"path"
"strings" "strings"
"time" "time"
@ -36,71 +37,85 @@ var opts = totp.ValidateOpts{
func SSOLoginRedirect(c *gin.Context) { func SSOLoginRedirect(c *gin.Context) {
method := c.Query("method") method := c.Query("method")
usecompatibility := setting.GetBool(conf.SSOCompatibilityMode)
enabled := setting.GetBool(conf.SSOLoginEnabled) enabled := setting.GetBool(conf.SSOLoginEnabled)
clientId := setting.GetStr(conf.SSOClientId) clientId := setting.GetStr(conf.SSOClientId)
platform := setting.GetStr(conf.SSOLoginPlatform) platform := setting.GetStr(conf.SSOLoginPlatform)
var r_url string var r_url string
var redirect_uri string var redirect_uri string
if enabled { if !enabled {
urlValues := url.Values{}
if method == "" {
common.ErrorStrResp(c, "no method provided", 400)
return
}
redirect_uri = common.GetApiUrl(c.Request) + "/api/auth/sso_callback" + "?method=" + method
urlValues.Add("response_type", "code")
urlValues.Add("redirect_uri", redirect_uri)
urlValues.Add("client_id", clientId)
switch platform {
case "Github":
r_url = "https://github.com/login/oauth/authorize?"
urlValues.Add("scope", "read:user")
case "Microsoft":
r_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
urlValues.Add("scope", "user.read")
urlValues.Add("response_mode", "query")
case "Google":
r_url = "https://accounts.google.com/o/oauth2/v2/auth?"
urlValues.Add("scope", "https://www.googleapis.com/auth/userinfo.profile")
case "Dingtalk":
r_url = "https://login.dingtalk.com/oauth2/auth?"
urlValues.Add("scope", "openid")
urlValues.Add("prompt", "consent")
urlValues.Add("response_type", "code")
case "Casdoor":
endpoint := strings.TrimSuffix(setting.GetStr(conf.SSOEndpointName), "/")
r_url = endpoint + "/login/oauth/authorize?"
urlValues.Add("scope", "profile")
urlValues.Add("state", endpoint)
case "OIDC":
oauth2Config, err := GetOIDCClient(c)
if err != nil {
common.ErrorStrResp(c, err.Error(), 400)
return
}
// generate state parameter
state, err := totp.GenerateCodeCustom(base32.StdEncoding.EncodeToString([]byte(oauth2Config.ClientSecret)), time.Now(), opts)
if err != nil {
common.ErrorStrResp(c, err.Error(), 400)
return
}
c.Redirect(http.StatusFound, oauth2Config.AuthCodeURL(state))
return
default:
common.ErrorStrResp(c, "invalid platform", 400)
return
}
c.Redirect(302, r_url+urlValues.Encode())
} else {
common.ErrorStrResp(c, "Single sign-on is not enabled", 403) common.ErrorStrResp(c, "Single sign-on is not enabled", 403)
return
} }
urlValues := url.Values{}
if method == "" {
common.ErrorStrResp(c, "no method provided", 400)
return
}
if usecompatibility {
redirect_uri = common.GetApiUrl(c.Request) + "/api/auth/" + method
} else {
redirect_uri = common.GetApiUrl(c.Request) + "/api/auth/sso_callback" + "?method=" + method
}
urlValues.Add("response_type", "code")
urlValues.Add("redirect_uri", redirect_uri)
urlValues.Add("client_id", clientId)
switch platform {
case "Github":
r_url = "https://github.com/login/oauth/authorize?"
urlValues.Add("scope", "read:user")
case "Microsoft":
r_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
urlValues.Add("scope", "user.read")
urlValues.Add("response_mode", "query")
case "Google":
r_url = "https://accounts.google.com/o/oauth2/v2/auth?"
urlValues.Add("scope", "https://www.googleapis.com/auth/userinfo.profile")
case "Dingtalk":
r_url = "https://login.dingtalk.com/oauth2/auth?"
urlValues.Add("scope", "openid")
urlValues.Add("prompt", "consent")
urlValues.Add("response_type", "code")
case "Casdoor":
endpoint := strings.TrimSuffix(setting.GetStr(conf.SSOEndpointName), "/")
r_url = endpoint + "/login/oauth/authorize?"
urlValues.Add("scope", "profile")
urlValues.Add("state", endpoint)
case "OIDC":
oauth2Config, err := GetOIDCClient(c)
if err != nil {
common.ErrorStrResp(c, err.Error(), 400)
return
}
// generate state parameter
state, err := totp.GenerateCodeCustom(base32.StdEncoding.EncodeToString([]byte(oauth2Config.ClientSecret)), time.Now(), opts)
if err != nil {
common.ErrorStrResp(c, err.Error(), 400)
return
}
c.Redirect(http.StatusFound, oauth2Config.AuthCodeURL(state))
return
default:
common.ErrorStrResp(c, "invalid platform", 400)
return
}
c.Redirect(302, r_url+urlValues.Encode())
} }
var ssoClient = resty.New().SetRetryCount(3) var ssoClient = resty.New().SetRetryCount(3)
func GetOIDCClient(c *gin.Context) (*oauth2.Config, error) { func GetOIDCClient(c *gin.Context) (*oauth2.Config, error) {
var redirect_uri string
usecompatibility := setting.GetBool(conf.SSOCompatibilityMode)
argument := c.Query("method") argument := c.Query("method")
redirect_uri := common.GetApiUrl(c.Request) + "/api/auth/sso_callback" + "?method=" + argument if usecompatibility {
argument = path.Base(c.Request.URL.Path)
}
if usecompatibility {
redirect_uri = common.GetApiUrl(c.Request) + "/api/auth/" + argument
} else {
redirect_uri = common.GetApiUrl(c.Request) + "/api/auth/sso_callback" + "?method=" + argument
}
endpoint := setting.GetStr(conf.SSOEndpointName) endpoint := setting.GetStr(conf.SSOEndpointName)
provider, err := oidc.NewProvider(c, endpoint) provider, err := oidc.NewProvider(c, endpoint)
if err != nil { if err != nil {
@ -152,7 +167,11 @@ func autoRegister(username, userID string, err error) (*model.User, error) {
} }
func OIDCLoginCallback(c *gin.Context) { func OIDCLoginCallback(c *gin.Context) {
usecompatibility := setting.GetBool(conf.SSOCompatibilityMode)
argument := c.Query("method") argument := c.Query("method")
if usecompatibility {
argument = path.Base(c.Request.URL.Path)
}
clientId := setting.GetStr(conf.SSOClientId) clientId := setting.GetStr(conf.SSOClientId)
endpoint := setting.GetStr(conf.SSOEndpointName) endpoint := setting.GetStr(conf.SSOEndpointName)
provider, err := oidc.NewProvider(c, endpoint) provider, err := oidc.NewProvider(c, endpoint)
@ -204,6 +223,10 @@ func OIDCLoginCallback(c *gin.Context) {
} }
UserID := claims.Name UserID := claims.Name
if argument == "get_sso_id" { if argument == "get_sso_id" {
if usecompatibility {
c.Redirect(302, common.GetApiUrl(c.Request)+"/@manage?sso_id="+UserID)
return
}
html := fmt.Sprintf(`<!DOCTYPE html> html := fmt.Sprintf(`<!DOCTYPE html>
<head></head> <head></head>
<body> <body>
@ -227,6 +250,10 @@ func OIDCLoginCallback(c *gin.Context) {
if err != nil { if err != nil {
common.ErrorResp(c, err, 400) common.ErrorResp(c, err, 400)
} }
if usecompatibility {
c.Redirect(302, common.GetApiUrl(c.Request)+"/@login?token="+token)
return
}
html := fmt.Sprintf(`<!DOCTYPE html> html := fmt.Sprintf(`<!DOCTYPE html>
<head></head> <head></head>
<body> <body>
@ -242,12 +269,18 @@ func OIDCLoginCallback(c *gin.Context) {
func SSOLoginCallback(c *gin.Context) { func SSOLoginCallback(c *gin.Context) {
enabled := setting.GetBool(conf.SSOLoginEnabled) enabled := setting.GetBool(conf.SSOLoginEnabled)
usecompatibility := setting.GetBool(conf.SSOCompatibilityMode)
if !enabled { if !enabled {
common.ErrorResp(c, errors.New("sso login is disabled"), 500) common.ErrorResp(c, errors.New("sso login is disabled"), 500)
return
} }
argument := c.Query("method") argument := c.Query("method")
if usecompatibility {
argument = path.Base(c.Request.URL.Path)
}
if !utils.SliceContains([]string{"get_sso_id", "sso_get_token"}, argument) { if !utils.SliceContains([]string{"get_sso_id", "sso_get_token"}, argument) {
common.ErrorResp(c, errors.New("invalid request"), 500) common.ErrorResp(c, errors.New("invalid request"), 500)
return
} }
clientId := setting.GetStr(conf.SSOClientId) clientId := setting.GetStr(conf.SSOClientId)
platform := setting.GetStr(conf.SSOLoginPlatform) platform := setting.GetStr(conf.SSOLoginPlatform)
@ -317,12 +350,18 @@ func SSOLoginCallback(c *gin.Context) {
}). }).
Post(tokenUrl) Post(tokenUrl)
} else { } else {
var redirect_uri string
if usecompatibility {
redirect_uri = common.GetApiUrl(c.Request) + "/api/auth/" + argument
} else {
redirect_uri = common.GetApiUrl(c.Request) + "/api/auth/sso_callback" + "?method=" + argument
}
resp, err = ssoClient.R().SetHeader("Accept", "application/json"). resp, err = ssoClient.R().SetHeader("Accept", "application/json").
SetFormData(map[string]string{ SetFormData(map[string]string{
"client_id": clientId, "client_id": clientId,
"client_secret": clientSecret, "client_secret": clientSecret,
"code": callbackCode, "code": callbackCode,
"redirect_uri": common.GetApiUrl(c.Request) + "/api/auth/sso_callback?method=" + argument, "redirect_uri": redirect_uri,
"scope": scope, "scope": scope,
}).SetFormData(additionalForm).Post(tokenUrl) }).SetFormData(additionalForm).Post(tokenUrl)
} }
@ -349,6 +388,10 @@ func SSOLoginCallback(c *gin.Context) {
return return
} }
if argument == "get_sso_id" { if argument == "get_sso_id" {
if usecompatibility {
c.Redirect(302, common.GetApiUrl(c.Request)+"/@manage?sso_id="+userID)
return
}
html := fmt.Sprintf(`<!DOCTYPE html> html := fmt.Sprintf(`<!DOCTYPE html>
<head></head> <head></head>
<body> <body>
@ -373,6 +416,10 @@ func SSOLoginCallback(c *gin.Context) {
if err != nil { if err != nil {
common.ErrorResp(c, err, 400) common.ErrorResp(c, err, 400)
} }
if usecompatibility {
c.Redirect(302, common.GetApiUrl(c.Request)+"/@login?token="+token)
return
}
html := fmt.Sprintf(`<!DOCTYPE html> html := fmt.Sprintf(`<!DOCTYPE html>
<head></head> <head></head>
<body> <body>

2
server/router.go
View File

@ -56,6 +56,8 @@ func Init(e *gin.Engine) {
// auth // auth
api.GET("/auth/sso", handles.SSOLoginRedirect) api.GET("/auth/sso", handles.SSOLoginRedirect)
api.GET("/auth/sso_callback", handles.SSOLoginCallback) api.GET("/auth/sso_callback", handles.SSOLoginCallback)
api.GET("/auth/get_sso_id", handles.SSOLoginCallback)
api.GET("/auth/sso_get_token", handles.SSOLoginCallback)
//webauthn //webauthn
webauthn.GET("/webauthn_begin_registration", handles.BeginAuthnRegistration) webauthn.GET("/webauthn_begin_registration", handles.BeginAuthnRegistration)