From f582ec4e5367f77d6b3085540a56fed818d6c638 Mon Sep 17 00:00:00 2001 From: zeripath Date: Sat, 15 May 2021 19:33:13 +0100 Subject: [PATCH] Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username (#15304) * Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username ReverseProxy users should generate a session on reverse proxy username change. Also prevent ReverseProxy users from changing their username. Fix #2407 * add testcase Signed-off-by: Andrew Thornton --- modules/auth/sso/reverseproxy.go | 19 ++++++++++++++----- templates/user/settings/profile.tmpl | 4 ++-- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/modules/auth/sso/reverseproxy.go b/modules/auth/sso/reverseproxy.go index 62598a15cd..d4fae9d5f4 100644 --- a/modules/auth/sso/reverseproxy.go +++ b/modules/auth/sso/reverseproxy.go @@ -12,6 +12,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/web/middleware" gouuid "github.com/google/uuid" ) @@ -69,13 +70,21 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter, user, err := models.GetUserByName(username) if err != nil { - if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() { - return r.newUser(req) + if !models.IsErrUserNotExist(err) || !r.isAutoRegisterAllowed() { + log.Error("GetUserByName: %v", err) + return nil } - log.Error("GetUserByName: %v", err) - return nil + user = r.newUser(req) } + // Make sure requests to API paths, attachment downloads, git and LFS do not create a new session + if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) { + if sess.Get("uid").(int64) != user.ID { + handleSignIn(w, req, sess, user) + } + } + store.GetData()["IsReverseProxy"] = true + log.Trace("ReverseProxy Authorization: Logged in user %-v", user) return user } @@ -104,7 +113,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User { user := &models.User{ Name: username, Email: email, - Passwd: username, IsActive: true, } if err := models.CreateUser(user); err != nil { @@ -112,5 +120,6 @@ func (r *ReverseProxy) newUser(req *http.Request) *models.User { log.Error("CreateUser: %v", err) return nil } + return user } diff --git a/templates/user/settings/profile.tmpl b/templates/user/settings/profile.tmpl index ee3cc58904..9f07226632 100644 --- a/templates/user/settings/profile.tmpl +++ b/templates/user/settings/profile.tmpl @@ -15,8 +15,8 @@ {{.i18n.Tr "settings.change_username_prompt"}} {{.i18n.Tr "settings.change_username_redirect_prompt"}} - - {{if not .SignedUser.IsLocal}} + + {{if or (not .SignedUser.IsLocal) .IsReverseProxy}}

{{$.i18n.Tr "settings.password_username_disabled"}}

{{end}}