fix env formatting

techknowlogick · Nov 8, 2023 · 4c76ec1 · 4c76ec1
1 parent 4d403df
commit 4c76ec1
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 14 deletions.
diff --git a/.github/workflows/pull-db-tests.yml b/.github/workflows/pull-db-tests.yml
@@ -42,9 +42,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -76,9 +76,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -185,9 +185,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
@@ -226,9 +226,9 @@ jobs:
         ports:
           - "8080:8080"
         env:
-          - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
-          - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
-          - SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:3000/user/saml/test-sp/metadata
+          SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:3000/user/saml/test-sp/acs
+          SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:3000/user/saml/test-sp/acs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -1528,6 +1528,19 @@ LEVEL = Info
 ;; auto = link directly with the account
 ;ACCOUNT_LINKING = login
 
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;[saml_service_provider]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; Automatically create user accounts for new saml users
+;ENABLE_AUTO_REGISTRATION = false
+;;
+;; Whether a new auto registered saml user needs to confirm their email.
+;; Do not include to use the REGISTER_EMAIL_CONFIRM setting from the `[service]` section.
+;REGISTER_EMAIL_CONFIRM =
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[webhook]

diff --git a/modules/setting/saml.go b/modules/setting/saml.go
@@ -0,0 +1,16 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+// SAMLServiceProvider settings
+var SAMLServiceProvider struct {
+	RegisterEmailConfirm   bool
+	EnableAutoRegistration bool
+}
+
+func loadSAMLServiceProviderFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("saml_service_provider")
+	SAMLServiceProvider.RegisterEmailConfirm = sec.Key("REGISTER_EMAIL_CONFIRM").MustBool(Service.RegisterEmailConfirm)
+	SAMLServiceProvider.EnableAutoRegistration = sec.Key("ENABLE_AUTO_REGISTRATION").MustBool()
+}
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
@@ -205,6 +205,7 @@ func LoadSettings() {
 	loadDBSetting(CfgProvider)
 	loadServiceFrom(CfgProvider)
 	loadOAuth2ClientFrom(CfgProvider)
+	loadSAMLServiceProviderFrom(CfgProvider)
 	loadCacheFrom(CfgProvider)
 	loadSessionFrom(CfgProvider)
 	loadCorsFrom(CfgProvider)

diff --git a/routers/web/auth/saml.go b/routers/web/auth/saml.go
@@ -11,6 +11,7 @@ import (
 
 	"code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -73,8 +74,41 @@ func SignInSAMLCallback(ctx *context.Context) {
 
 			ctx.Redirect(setting.AppSubURL + "/user/settings/security")
 			return
-		} else if !setting.Service.AllowOnlyInternalRegistration && false {
-			// TODO: allow auto registration from saml users (OAuth2 uses the following setting.OAuth2Client.EnableAutoRegistration)
+		} else if !setting.Service.AllowOnlyInternalRegistration && setting.SAMLServiceProvider.EnableAutoRegistration {
+			var missingFields []string
+			if gothUser.UserID == "" {
+				missingFields = append(missingFields, "nameID")
+			}
+			if gothUser.Email == "" {
+				missingFields = append(missingFields, "email")
+			}
+			if gothUser.NickName == "" {
+				missingFields = append(missingFields, "nickname")
+			}
+			if len(missingFields) > 0 {
+				log.Error("SAML Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields)
+				ctx.ServerError("CreateUser", fmt.Errorf("SAML Provider %s returned empty or missing fields: %s", loginSource.Name, missingFields))
+				return
+			}
+			u = &user_model.User{
+				Name:        getUserName(&gothUser),
+				FullName:    gothUser.Name,
+				Email:       gothUser.Email,
+				LoginType:   auth.OAuth2,
+				LoginSource: loginSource.ID,
+				LoginName:   gothUser.UserID,
+			}
+
+			overwriteDefault := &user_model.CreateUserOverwriteOptions{
+				IsActive: util.OptionalBoolOf(!setting.SAMLServiceProvider.RegisterEmailConfirm && !setting.Service.RegisterManualConfirm),
+			}
+
+			// TODO add account linking setting to match oauth?
+			if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, true, auth.OAuth2) {
+				// error already handled
+				return
+			}
+			// TODO group mapping
 		} else {
 			// no existing user is found, request attach or new account
 			showLinkingLogin(ctx, gothUser, auth.SAML)