mirror of
https://github.com/go-gitea/gitea
synced 2025-07-05 18:17:19 +00:00
Add single sign-on support via SSPI on Windows (#8463)
* Add single sign-on support via SSPI on Windows * Ensure plugins implement interface * Ensure plugins implement interface * Move functions used only by the SSPI auth method to sspi_windows.go * Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected * Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links. * Update documentation for the new 'SPNEGO with SSPI' login source * Mention in documentation that ROOT_URL should contain the FQDN of the server * Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing) * Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources) * Add option in SSPIConfig for removing of domains from logon names * Update helper text for StripDomainNames option * Make sure handleSignIn() is called after a new user object is created by SSPI auth method * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates * Remove code duplication * Log errors in ActiveLoginSources Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert suffix of randomly generated E-mails for Reverse proxy authentication Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert unneeded white-space change in template Co-Authored-By: Lauris BH <lauris@nix.lv> * Add copyright comments at the top of new files * Use loopback name for randomly generated emails * Add locale tag for the SSPISeparatorReplacement field with proper casing * Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields * Update docs/content/doc/features/authentication.en-us.md Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> * Remove Priority() method and define the order in which SSO auth methods should be executed in one place * Log authenticated username only if it's not empty * Rephrase helper text for automatic creation of users * Return error if more than one active SSPI auth source is found * Change newUser() function to return error, letting caller log/handle the error * Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed * Refactor initialization of the list containing SSO auth methods * Validate SSPI settings on POST * Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page * Make 'Default language' in SSPI config empty, unless changed by admin * Show error if admin tries to add a second authentication source of type SSPI * Simplify declaration of global variable * Rebuild gitgraph.js on Linux * Make sure config values containing only whitespace are not accepted
This commit is contained in:
QuaSoft
Lauris BH
43
vendor/golang.org/x/sys/unix/syscall_linux.go
generated
vendored
43
vendor/golang.org/x/sys/unix/syscall_linux.go
generated
vendored
@ -1222,6 +1222,34 @@ func KeyctlDHCompute(params *KeyctlDHParams, buffer []byte) (size int, err error
|
||||
return keyctlDH(KEYCTL_DH_COMPUTE, params, buffer)
|
||||
}
|
||||
|
||||
// KeyctlRestrictKeyring implements the KEYCTL_RESTRICT_KEYRING command. This
|
||||
// command limits the set of keys that can be linked to the keyring, regardless
|
||||
// of keyring permissions. The command requires the "setattr" permission.
|
||||
//
|
||||
// When called with an empty keyType the command locks the keyring, preventing
|
||||
// any further keys from being linked to the keyring.
|
||||
//
|
||||
// The "asymmetric" keyType defines restrictions requiring key payloads to be
|
||||
// DER encoded X.509 certificates signed by keys in another keyring. Restrictions
|
||||
// for "asymmetric" include "builtin_trusted", "builtin_and_secondary_trusted",
|
||||
// "key_or_keyring:<key>", and "key_or_keyring:<key>:chain".
|
||||
//
|
||||
// As of Linux 4.12, only the "asymmetric" keyType defines type-specific
|
||||
// restrictions.
|
||||
//
|
||||
// See the full documentation at:
|
||||
// http://man7.org/linux/man-pages/man3/keyctl_restrict_keyring.3.html
|
||||
// http://man7.org/linux/man-pages/man2/keyctl.2.html
|
||||
func KeyctlRestrictKeyring(ringid int, keyType string, restriction string) error {
|
||||
if keyType == "" {
|
||||
return keyctlRestrictKeyring(KEYCTL_RESTRICT_KEYRING, ringid)
|
||||
}
|
||||
return keyctlRestrictKeyringByType(KEYCTL_RESTRICT_KEYRING, ringid, keyType, restriction)
|
||||
}
|
||||
|
||||
//sys keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) = SYS_KEYCTL
|
||||
//sys keyctlRestrictKeyring(cmd int, arg2 int) (err error) = SYS_KEYCTL
|
||||
|
||||
func Recvmsg(fd int, p, oob []byte, flags int) (n, oobn int, recvflags int, from Sockaddr, err error) {
|
||||
var msg Msghdr
|
||||
var rsa RawSockaddrAny
|
||||
@ -1465,8 +1493,12 @@ func PtraceSyscall(pid int, signal int) (err error) {
|
||||
|
||||
func PtraceSingleStep(pid int) (err error) { return ptrace(PTRACE_SINGLESTEP, pid, 0, 0) }
|
||||
|
||||
func PtraceInterrupt(pid int) (err error) { return ptrace(PTRACE_INTERRUPT, pid, 0, 0) }
|
||||
|
||||
func PtraceAttach(pid int) (err error) { return ptrace(PTRACE_ATTACH, pid, 0, 0) }
|
||||
|
||||
func PtraceSeize(pid int) (err error) { return ptrace(PTRACE_SEIZE, pid, 0, 0) }
|
||||
|
||||
func PtraceDetach(pid int) (err error) { return ptrace(PTRACE_DETACH, pid, 0, 0) }
|
||||
|
||||
//sys reboot(magic1 uint, magic2 uint, cmd int, arg string) (err error)
|
||||
@ -1823,6 +1855,17 @@ func OpenByHandleAt(mountFD int, handle FileHandle, flags int) (fd int, err erro
|
||||
return openByHandleAt(mountFD, handle.fileHandle, flags)
|
||||
}
|
||||
|
||||
// Klogset wraps the sys_syslog system call; it sets console_loglevel to
|
||||
// the value specified by arg and passes a dummy pointer to bufp.
|
||||
func Klogset(typ int, arg int) (err error) {
|
||||
var p unsafe.Pointer
|
||||
_, _, errno := Syscall(SYS_SYSLOG, uintptr(typ), uintptr(p), uintptr(arg))
|
||||
if errno != 0 {
|
||||
return errnoErr(errno)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
/*
|
||||
* Unimplemented
|
||||
*/
|
||||
|
||||
Reference in New Issue
Block a user