forgejo/services/auth/method/reverseproxy.go

// Copyright 2014 The Gogs Authors. All rights reserved.
// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package method

import (
	"errors"
	"fmt"
	"net/http"
	"strings"

	user_model "forgejo.org/models/user"
	"forgejo.org/modules/log"
	"forgejo.org/modules/optional"
	"forgejo.org/modules/setting"
	"forgejo.org/modules/util"
	"forgejo.org/services/auth"

	gouuid "github.com/google/uuid"
)

// Ensure the struct implements the interface.
var (
	_ auth.Method = &ReverseProxy{}
)

// ReverseProxyMethodName is the constant name of the ReverseProxy authentication method
const ReverseProxyMethodName = "reverse_proxy"

// ReverseProxy implements the Auth interface, but actually relies on
// a reverse proxy for authentication of users.
// On successful authentication the proxy is expected to populate the username in the
// "setting.ReverseProxyAuthUser" header. Optionally it can also populate the email of the
// user in the "setting.ReverseProxyAuthEmail" header.
type ReverseProxy struct {
	// If true, create a session once a user authenticates.
	CreateSession bool
}

// getUserName extracts the username from the "setting.ReverseProxyAuthUser" header
func (r *ReverseProxy) getUserName(req *http.Request) string {
	return strings.TrimSpace(req.Header.Get(setting.ReverseProxyAuthUser))
}

// getUserFromAuthUser extracts the username from the "setting.ReverseProxyAuthUser" header
// of the request and returns the corresponding user object for that name.
// Verification of header data is not performed as it should have already been done by
// the reverse proxy.
// If a username is available in the "setting.ReverseProxyAuthUser" header an existing
// user object is returned (populated with username or email found in header).
// Returns nil if header is empty.
func (r *ReverseProxy) getUserFromAuthUser(req *http.Request) (*user_model.User, error) {
	username := r.getUserName(req)
	if len(username) == 0 {
		return nil, util.ErrNotExist
	}
	log.Trace("ReverseProxy Authorization: Found username: %s", username)

	user, err := user_model.GetUserByName(req.Context(), username)
	if err != nil {
		if !user_model.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() {
			log.Error("GetUserByName: %v", err)
			return nil, err
		}
		user = r.newUser(req)
	}
	return user, nil
}

// getEmail extracts the email from the "setting.ReverseProxyAuthEmail" header
func (r *ReverseProxy) getEmail(req *http.Request) string {
	return strings.TrimSpace(req.Header.Get(setting.ReverseProxyAuthEmail))
}

// getUserFromAuthEmail extracts the username from the "setting.ReverseProxyAuthEmail" header
// of the request and returns the corresponding user object for that email.
// Verification of header data is not performed as it should have already been done by
// the reverse proxy.
// If an email is available in the "setting.ReverseProxyAuthEmail" header an existing
// user object is returned (populated with the email found in header).
// Returns nil if header is empty or if "setting.EnableReverseProxyEmail" is disabled.
func (r *ReverseProxy) getUserFromAuthEmail(req *http.Request) (*user_model.User, error) {
	if !setting.Service.EnableReverseProxyEmail {
		return nil, util.ErrNotExist
	}
	email := r.getEmail(req)
	if len(email) == 0 {
		return nil, util.ErrNotExist
	}
	log.Trace("ReverseProxy Authorization: Found email: %s", email)

	user, err := user_model.GetUserByEmail(req.Context(), email)
	if err != nil {
		// Do not allow auto-registration, we don't have a username here
		if !user_model.IsErrUserNotExist(err) {
			log.Error("GetUserByEmail: %v", err)
		}
		return nil, err
	}
	return user, nil
}

// Verify attempts to load a user object based on headers sent by the reverse proxy.
// First it will attempt to load it based on the username (see docs for getUserFromAuthUser),
// and failing that it will attempt to load it based on the email (see docs for getUserFromAuthEmail).
// Returns nil if the headers are empty or the user is not found.
func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, sess auth.SessionStore) auth.MethodOutput {
	user, err := r.getUserFromAuthUser(req)
	if err != nil && !errors.Is(err, util.ErrNotExist) {
		return &auth.AuthenticationError{Error: fmt.Errorf("reverse proxy getUserFromAuthUser: %w", err)}
	}
	if user == nil {
		user, err = r.getUserFromAuthEmail(req)
		if user == nil {
			if errors.Is(err, util.ErrNotExist) {
				// Not attempted is returned when no HTTP headers were provided, which is the cases that ErrNotExist
				// represents:
				return &auth.AuthenticationNotAttempted{}
			}
			return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("user not found")}
		}
	}

	if r.CreateSession {
		if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) {
			handleSignIn(w, req, sess, user)
		}
	}

	log.Trace("ReverseProxy Authorization: Logged in user %-v", user)
	return &auth.AuthenticationSuccess{Result: &reverseProxyAuthenticationResult{user: user}}
}

// isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
func (r *ReverseProxy) isAutoRegisterAllowed() bool {
	return setting.Service.EnableReverseProxyAutoRegister
}

// newUser creates a new user object for the purpose of automatic registration
// and populates its name and email with the information present in request headers.
func (r *ReverseProxy) newUser(req *http.Request) *user_model.User {
	username := r.getUserName(req)
	if len(username) == 0 {
		return nil
	}

	email := gouuid.New().String() + "@localhost"
	if setting.Service.EnableReverseProxyEmail {
		webAuthEmail := req.Header.Get(setting.ReverseProxyAuthEmail)
		if len(webAuthEmail) > 0 {
			email = webAuthEmail
		}
	}

	var fullname string
	if setting.Service.EnableReverseProxyFullName {
		fullname = req.Header.Get(setting.ReverseProxyAuthFullName)
	}

	user := &user_model.User{
		Name:     username,
		Email:    email,
		FullName: fullname,
	}

	overwriteDefault := user_model.CreateUserOverwriteOptions{
		IsActive: optional.Some(true),
	}

	// The first user created should be an admin.
	if user_model.CountUsers(req.Context(), nil) == 0 {
		user.IsAdmin = true
	}

	if err := user_model.CreateUser(req.Context(), user, &overwriteDefault); err != nil {
		// FIXME: should I create a system notice?
		log.Error("CreateUser: %v", err)
		return nil
	}

	return user
}