Fork to maintain patches against the official gitea for https://code.ceondo.com https://github.com/go-gitea/gitea

login_source.go 18KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681
  1. // Copyright 2014 The Gogs Authors. All rights reserved.
  2. // Use of this source code is governed by a MIT-style
  3. // license that can be found in the LICENSE file.
  4. package models
  5. import (
  6. "crypto/tls"
  7. "encoding/json"
  8. "errors"
  9. "fmt"
  10. "net/smtp"
  11. "net/textproto"
  12. "strings"
  13. "time"
  14. "github.com/Unknwon/com"
  15. "github.com/go-macaron/binding"
  16. "github.com/go-xorm/core"
  17. "github.com/go-xorm/xorm"
  18. "code.gitea.io/gitea/modules/auth/ldap"
  19. "code.gitea.io/gitea/modules/auth/oauth2"
  20. "code.gitea.io/gitea/modules/auth/pam"
  21. "code.gitea.io/gitea/modules/log"
  22. )
  23. // LoginType represents an login type.
  24. type LoginType int
  25. // Note: new type must append to the end of list to maintain compatibility.
  26. const (
  27. LoginNoType LoginType = iota
  28. LoginPlain // 1
  29. LoginLDAP // 2
  30. LoginSMTP // 3
  31. LoginPAM // 4
  32. LoginDLDAP // 5
  33. LoginOAuth2 // 6
  34. )
  35. // LoginNames contains the name of LoginType values.
  36. var LoginNames = map[LoginType]string{
  37. LoginLDAP: "LDAP (via BindDN)",
  38. LoginDLDAP: "LDAP (simple auth)", // Via direct bind
  39. LoginSMTP: "SMTP",
  40. LoginPAM: "PAM",
  41. LoginOAuth2: "OAuth2",
  42. }
  43. // SecurityProtocolNames contains the name of SecurityProtocol values.
  44. var SecurityProtocolNames = map[ldap.SecurityProtocol]string{
  45. ldap.SecurityProtocolUnencrypted: "Unencrypted",
  46. ldap.SecurityProtocolLDAPS: "LDAPS",
  47. ldap.SecurityProtocolStartTLS: "StartTLS",
  48. }
  49. // Ensure structs implemented interface.
  50. var (
  51. _ core.Conversion = &LDAPConfig{}
  52. _ core.Conversion = &SMTPConfig{}
  53. _ core.Conversion = &PAMConfig{}
  54. _ core.Conversion = &OAuth2Config{}
  55. )
  56. // LDAPConfig holds configuration for LDAP login source.
  57. type LDAPConfig struct {
  58. *ldap.Source
  59. }
  60. // FromDB fills up a LDAPConfig from serialized format.
  61. func (cfg *LDAPConfig) FromDB(bs []byte) error {
  62. return json.Unmarshal(bs, &cfg)
  63. }
  64. // ToDB exports a LDAPConfig to a serialized format.
  65. func (cfg *LDAPConfig) ToDB() ([]byte, error) {
  66. return json.Marshal(cfg)
  67. }
  68. // SecurityProtocolName returns the name of configured security
  69. // protocol.
  70. func (cfg *LDAPConfig) SecurityProtocolName() string {
  71. return SecurityProtocolNames[cfg.SecurityProtocol]
  72. }
  73. // SMTPConfig holds configuration for the SMTP login source.
  74. type SMTPConfig struct {
  75. Auth string
  76. Host string
  77. Port int
  78. AllowedDomains string `xorm:"TEXT"`
  79. TLS bool
  80. SkipVerify bool
  81. }
  82. // FromDB fills up an SMTPConfig from serialized format.
  83. func (cfg *SMTPConfig) FromDB(bs []byte) error {
  84. return json.Unmarshal(bs, cfg)
  85. }
  86. // ToDB exports an SMTPConfig to a serialized format.
  87. func (cfg *SMTPConfig) ToDB() ([]byte, error) {
  88. return json.Marshal(cfg)
  89. }
  90. // PAMConfig holds configuration for the PAM login source.
  91. type PAMConfig struct {
  92. ServiceName string // pam service (e.g. system-auth)
  93. }
  94. // FromDB fills up a PAMConfig from serialized format.
  95. func (cfg *PAMConfig) FromDB(bs []byte) error {
  96. return json.Unmarshal(bs, &cfg)
  97. }
  98. // ToDB exports a PAMConfig to a serialized format.
  99. func (cfg *PAMConfig) ToDB() ([]byte, error) {
  100. return json.Marshal(cfg)
  101. }
  102. // OAuth2Config holds configuration for the OAuth2 login source.
  103. type OAuth2Config struct {
  104. Provider string
  105. ClientID string
  106. ClientSecret string
  107. OpenIDConnectAutoDiscoveryURL string
  108. CustomURLMapping *oauth2.CustomURLMapping
  109. }
  110. // FromDB fills up an OAuth2Config from serialized format.
  111. func (cfg *OAuth2Config) FromDB(bs []byte) error {
  112. return json.Unmarshal(bs, cfg)
  113. }
  114. // ToDB exports an SMTPConfig to a serialized format.
  115. func (cfg *OAuth2Config) ToDB() ([]byte, error) {
  116. return json.Marshal(cfg)
  117. }
  118. // LoginSource represents an external way for authorizing users.
  119. type LoginSource struct {
  120. ID int64 `xorm:"pk autoincr"`
  121. Type LoginType
  122. Name string `xorm:"UNIQUE"`
  123. IsActived bool `xorm:"INDEX NOT NULL DEFAULT false"`
  124. IsSyncEnabled bool `xorm:"INDEX NOT NULL DEFAULT false"`
  125. Cfg core.Conversion `xorm:"TEXT"`
  126. Created time.Time `xorm:"-"`
  127. CreatedUnix int64 `xorm:"INDEX created"`
  128. Updated time.Time `xorm:"-"`
  129. UpdatedUnix int64 `xorm:"INDEX updated"`
  130. }
  131. // Cell2Int64 converts a xorm.Cell type to int64,
  132. // and handles possible irregular cases.
  133. func Cell2Int64(val xorm.Cell) int64 {
  134. switch (*val).(type) {
  135. case []uint8:
  136. log.Trace("Cell2Int64 ([]uint8): %v", *val)
  137. return com.StrTo(string((*val).([]uint8))).MustInt64()
  138. }
  139. return (*val).(int64)
  140. }
  141. // BeforeSet is invoked from XORM before setting the value of a field of this object.
  142. func (source *LoginSource) BeforeSet(colName string, val xorm.Cell) {
  143. switch colName {
  144. case "type":
  145. switch LoginType(Cell2Int64(val)) {
  146. case LoginLDAP, LoginDLDAP:
  147. source.Cfg = new(LDAPConfig)
  148. case LoginSMTP:
  149. source.Cfg = new(SMTPConfig)
  150. case LoginPAM:
  151. source.Cfg = new(PAMConfig)
  152. case LoginOAuth2:
  153. source.Cfg = new(OAuth2Config)
  154. default:
  155. panic("unrecognized login source type: " + com.ToStr(*val))
  156. }
  157. }
  158. }
  159. // AfterLoad is invoked from XORM after setting the values of all fields of this object.
  160. func (source *LoginSource) AfterLoad() {
  161. source.Created = time.Unix(source.CreatedUnix, 0).Local()
  162. source.Updated = time.Unix(source.UpdatedUnix, 0).Local()
  163. }
  164. // TypeName return name of this login source type.
  165. func (source *LoginSource) TypeName() string {
  166. return LoginNames[source.Type]
  167. }
  168. // IsLDAP returns true of this source is of the LDAP type.
  169. func (source *LoginSource) IsLDAP() bool {
  170. return source.Type == LoginLDAP
  171. }
  172. // IsDLDAP returns true of this source is of the DLDAP type.
  173. func (source *LoginSource) IsDLDAP() bool {
  174. return source.Type == LoginDLDAP
  175. }
  176. // IsSMTP returns true of this source is of the SMTP type.
  177. func (source *LoginSource) IsSMTP() bool {
  178. return source.Type == LoginSMTP
  179. }
  180. // IsPAM returns true of this source is of the PAM type.
  181. func (source *LoginSource) IsPAM() bool {
  182. return source.Type == LoginPAM
  183. }
  184. // IsOAuth2 returns true of this source is of the OAuth2 type.
  185. func (source *LoginSource) IsOAuth2() bool {
  186. return source.Type == LoginOAuth2
  187. }
  188. // HasTLS returns true of this source supports TLS.
  189. func (source *LoginSource) HasTLS() bool {
  190. return ((source.IsLDAP() || source.IsDLDAP()) &&
  191. source.LDAP().SecurityProtocol > ldap.SecurityProtocolUnencrypted) ||
  192. source.IsSMTP()
  193. }
  194. // UseTLS returns true of this source is configured to use TLS.
  195. func (source *LoginSource) UseTLS() bool {
  196. switch source.Type {
  197. case LoginLDAP, LoginDLDAP:
  198. return source.LDAP().SecurityProtocol != ldap.SecurityProtocolUnencrypted
  199. case LoginSMTP:
  200. return source.SMTP().TLS
  201. }
  202. return false
  203. }
  204. // SkipVerify returns true if this source is configured to skip SSL
  205. // verification.
  206. func (source *LoginSource) SkipVerify() bool {
  207. switch source.Type {
  208. case LoginLDAP, LoginDLDAP:
  209. return source.LDAP().SkipVerify
  210. case LoginSMTP:
  211. return source.SMTP().SkipVerify
  212. }
  213. return false
  214. }
  215. // LDAP returns LDAPConfig for this source, if of LDAP type.
  216. func (source *LoginSource) LDAP() *LDAPConfig {
  217. return source.Cfg.(*LDAPConfig)
  218. }
  219. // SMTP returns SMTPConfig for this source, if of SMTP type.
  220. func (source *LoginSource) SMTP() *SMTPConfig {
  221. return source.Cfg.(*SMTPConfig)
  222. }
  223. // PAM returns PAMConfig for this source, if of PAM type.
  224. func (source *LoginSource) PAM() *PAMConfig {
  225. return source.Cfg.(*PAMConfig)
  226. }
  227. // OAuth2 returns OAuth2Config for this source, if of OAuth2 type.
  228. func (source *LoginSource) OAuth2() *OAuth2Config {
  229. return source.Cfg.(*OAuth2Config)
  230. }
  231. // CreateLoginSource inserts a LoginSource in the DB if not already
  232. // existing with the given name.
  233. func CreateLoginSource(source *LoginSource) error {
  234. has, err := x.Get(&LoginSource{Name: source.Name})
  235. if err != nil {
  236. return err
  237. } else if has {
  238. return ErrLoginSourceAlreadyExist{source.Name}
  239. }
  240. // Synchronization is only aviable with LDAP for now
  241. if !source.IsLDAP() {
  242. source.IsSyncEnabled = false
  243. }
  244. _, err = x.Insert(source)
  245. if err == nil && source.IsOAuth2() && source.IsActived {
  246. oAuth2Config := source.OAuth2()
  247. err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)
  248. err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)
  249. if err != nil {
  250. // remove the LoginSource in case of errors while registering OAuth2 providers
  251. x.Delete(source)
  252. }
  253. }
  254. return err
  255. }
  256. // LoginSources returns a slice of all login sources found in DB.
  257. func LoginSources() ([]*LoginSource, error) {
  258. auths := make([]*LoginSource, 0, 6)
  259. return auths, x.Find(&auths)
  260. }
  261. // GetLoginSourceByID returns login source by given ID.
  262. func GetLoginSourceByID(id int64) (*LoginSource, error) {
  263. source := new(LoginSource)
  264. has, err := x.ID(id).Get(source)
  265. if err != nil {
  266. return nil, err
  267. } else if !has {
  268. return nil, ErrLoginSourceNotExist{id}
  269. }
  270. return source, nil
  271. }
  272. // UpdateSource updates a LoginSource record in DB.
  273. func UpdateSource(source *LoginSource) error {
  274. var originalLoginSource *LoginSource
  275. if source.IsOAuth2() {
  276. // keep track of the original values so we can restore in case of errors while registering OAuth2 providers
  277. var err error
  278. if originalLoginSource, err = GetLoginSourceByID(source.ID); err != nil {
  279. return err
  280. }
  281. }
  282. _, err := x.ID(source.ID).AllCols().Update(source)
  283. if err == nil && source.IsOAuth2() && source.IsActived {
  284. oAuth2Config := source.OAuth2()
  285. err = oauth2.RegisterProvider(source.Name, oAuth2Config.Provider, oAuth2Config.ClientID, oAuth2Config.ClientSecret, oAuth2Config.OpenIDConnectAutoDiscoveryURL, oAuth2Config.CustomURLMapping)
  286. err = wrapOpenIDConnectInitializeError(err, source.Name, oAuth2Config)
  287. if err != nil {
  288. // restore original values since we cannot update the provider it self
  289. x.ID(source.ID).AllCols().Update(originalLoginSource)
  290. }
  291. }
  292. return err
  293. }
  294. // DeleteSource deletes a LoginSource record in DB.
  295. func DeleteSource(source *LoginSource) error {
  296. count, err := x.Count(&User{LoginSource: source.ID})
  297. if err != nil {
  298. return err
  299. } else if count > 0 {
  300. return ErrLoginSourceInUse{source.ID}
  301. }
  302. count, err = x.Count(&ExternalLoginUser{LoginSourceID: source.ID})
  303. if err != nil {
  304. return err
  305. } else if count > 0 {
  306. return ErrLoginSourceInUse{source.ID}
  307. }
  308. if source.IsOAuth2() {
  309. oauth2.RemoveProvider(source.Name)
  310. }
  311. _, err = x.ID(source.ID).Delete(new(LoginSource))
  312. return err
  313. }
  314. // CountLoginSources returns number of login sources.
  315. func CountLoginSources() int64 {
  316. count, _ := x.Count(new(LoginSource))
  317. return count
  318. }
  319. // .____ ________ _____ __________
  320. // | | \______ \ / _ \\______ \
  321. // | | | | \ / /_\ \| ___/
  322. // | |___ | ` \/ | \ |
  323. // |_______ \/_______ /\____|__ /____|
  324. // \/ \/ \/
  325. func composeFullName(firstname, surname, username string) string {
  326. switch {
  327. case len(firstname) == 0 && len(surname) == 0:
  328. return username
  329. case len(firstname) == 0:
  330. return surname
  331. case len(surname) == 0:
  332. return firstname
  333. default:
  334. return firstname + " " + surname
  335. }
  336. }
  337. // LoginViaLDAP queries if login/password is valid against the LDAP directory pool,
  338. // and create a local user if success when enabled.
  339. func LoginViaLDAP(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {
  340. sr := source.Cfg.(*LDAPConfig).SearchEntry(login, password, source.Type == LoginDLDAP)
  341. if sr == nil {
  342. // User not in LDAP, do nothing
  343. return nil, ErrUserNotExist{0, login, 0}
  344. }
  345. if !autoRegister {
  346. return user, nil
  347. }
  348. // Fallback.
  349. if len(sr.Username) == 0 {
  350. sr.Username = login
  351. }
  352. // Validate username make sure it satisfies requirement.
  353. if binding.AlphaDashDotPattern.MatchString(sr.Username) {
  354. return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", sr.Username)
  355. }
  356. if len(sr.Mail) == 0 {
  357. sr.Mail = fmt.Sprintf("%s@localhost", sr.Username)
  358. }
  359. user = &User{
  360. LowerName: strings.ToLower(sr.Username),
  361. Name: sr.Username,
  362. FullName: composeFullName(sr.Name, sr.Surname, sr.Username),
  363. Email: sr.Mail,
  364. LoginType: source.Type,
  365. LoginSource: source.ID,
  366. LoginName: login,
  367. IsActive: true,
  368. IsAdmin: sr.IsAdmin,
  369. }
  370. return user, CreateUser(user)
  371. }
  372. // _________ __________________________
  373. // / _____/ / \__ ___/\______ \
  374. // \_____ \ / \ / \| | | ___/
  375. // / \/ Y \ | | |
  376. // /_______ /\____|__ /____| |____|
  377. // \/ \/
  378. type smtpLoginAuth struct {
  379. username, password string
  380. }
  381. func (auth *smtpLoginAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
  382. return "LOGIN", []byte(auth.username), nil
  383. }
  384. func (auth *smtpLoginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
  385. if more {
  386. switch string(fromServer) {
  387. case "Username:":
  388. return []byte(auth.username), nil
  389. case "Password:":
  390. return []byte(auth.password), nil
  391. }
  392. }
  393. return nil, nil
  394. }
  395. // SMTP authentication type names.
  396. const (
  397. SMTPPlain = "PLAIN"
  398. SMTPLogin = "LOGIN"
  399. )
  400. // SMTPAuths contains available SMTP authentication type names.
  401. var SMTPAuths = []string{SMTPPlain, SMTPLogin}
  402. // SMTPAuth performs an SMTP authentication.
  403. func SMTPAuth(a smtp.Auth, cfg *SMTPConfig) error {
  404. c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.Host, cfg.Port))
  405. if err != nil {
  406. return err
  407. }
  408. defer c.Close()
  409. if err = c.Hello("gogs"); err != nil {
  410. return err
  411. }
  412. if cfg.TLS {
  413. if ok, _ := c.Extension("STARTTLS"); ok {
  414. if err = c.StartTLS(&tls.Config{
  415. InsecureSkipVerify: cfg.SkipVerify,
  416. ServerName: cfg.Host,
  417. }); err != nil {
  418. return err
  419. }
  420. } else {
  421. return errors.New("SMTP server unsupports TLS")
  422. }
  423. }
  424. if ok, _ := c.Extension("AUTH"); ok {
  425. return c.Auth(a)
  426. }
  427. return ErrUnsupportedLoginType
  428. }
  429. // LoginViaSMTP queries if login/password is valid against the SMTP,
  430. // and create a local user if success when enabled.
  431. func LoginViaSMTP(user *User, login, password string, sourceID int64, cfg *SMTPConfig, autoRegister bool) (*User, error) {
  432. // Verify allowed domains.
  433. if len(cfg.AllowedDomains) > 0 {
  434. idx := strings.Index(login, "@")
  435. if idx == -1 {
  436. return nil, ErrUserNotExist{0, login, 0}
  437. } else if !com.IsSliceContainsStr(strings.Split(cfg.AllowedDomains, ","), login[idx+1:]) {
  438. return nil, ErrUserNotExist{0, login, 0}
  439. }
  440. }
  441. var auth smtp.Auth
  442. if cfg.Auth == SMTPPlain {
  443. auth = smtp.PlainAuth("", login, password, cfg.Host)
  444. } else if cfg.Auth == SMTPLogin {
  445. auth = &smtpLoginAuth{login, password}
  446. } else {
  447. return nil, errors.New("Unsupported SMTP auth type")
  448. }
  449. if err := SMTPAuth(auth, cfg); err != nil {
  450. // Check standard error format first,
  451. // then fallback to worse case.
  452. tperr, ok := err.(*textproto.Error)
  453. if (ok && tperr.Code == 535) ||
  454. strings.Contains(err.Error(), "Username and Password not accepted") {
  455. return nil, ErrUserNotExist{0, login, 0}
  456. }
  457. return nil, err
  458. }
  459. if !autoRegister {
  460. return user, nil
  461. }
  462. username := login
  463. idx := strings.Index(login, "@")
  464. if idx > -1 {
  465. username = login[:idx]
  466. }
  467. user = &User{
  468. LowerName: strings.ToLower(username),
  469. Name: strings.ToLower(username),
  470. Email: login,
  471. Passwd: password,
  472. LoginType: LoginSMTP,
  473. LoginSource: sourceID,
  474. LoginName: login,
  475. IsActive: true,
  476. }
  477. return user, CreateUser(user)
  478. }
  479. // __________ _____ _____
  480. // \______ \/ _ \ / \
  481. // | ___/ /_\ \ / \ / \
  482. // | | / | \/ Y \
  483. // |____| \____|__ /\____|__ /
  484. // \/ \/
  485. // LoginViaPAM queries if login/password is valid against the PAM,
  486. // and create a local user if success when enabled.
  487. func LoginViaPAM(user *User, login, password string, sourceID int64, cfg *PAMConfig, autoRegister bool) (*User, error) {
  488. if err := pam.Auth(cfg.ServiceName, login, password); err != nil {
  489. if strings.Contains(err.Error(), "Authentication failure") {
  490. return nil, ErrUserNotExist{0, login, 0}
  491. }
  492. return nil, err
  493. }
  494. if !autoRegister {
  495. return user, nil
  496. }
  497. user = &User{
  498. LowerName: strings.ToLower(login),
  499. Name: login,
  500. Email: login,
  501. Passwd: password,
  502. LoginType: LoginPAM,
  503. LoginSource: sourceID,
  504. LoginName: login,
  505. IsActive: true,
  506. }
  507. return user, CreateUser(user)
  508. }
  509. // ExternalUserLogin attempts a login using external source types.
  510. func ExternalUserLogin(user *User, login, password string, source *LoginSource, autoRegister bool) (*User, error) {
  511. if !source.IsActived {
  512. return nil, ErrLoginSourceNotActived
  513. }
  514. switch source.Type {
  515. case LoginLDAP, LoginDLDAP:
  516. return LoginViaLDAP(user, login, password, source, autoRegister)
  517. case LoginSMTP:
  518. return LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)
  519. case LoginPAM:
  520. return LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)
  521. }
  522. return nil, ErrUnsupportedLoginType
  523. }
  524. // UserSignIn validates user name and password.
  525. func UserSignIn(username, password string) (*User, error) {
  526. var user *User
  527. if strings.Contains(username, "@") {
  528. user = &User{Email: strings.ToLower(strings.TrimSpace(username))}
  529. // check same email
  530. cnt, err := x.Count(user)
  531. if err != nil {
  532. return nil, err
  533. }
  534. if cnt > 1 {
  535. return nil, ErrEmailAlreadyUsed{
  536. Email: user.Email,
  537. }
  538. }
  539. } else {
  540. trimmedUsername := strings.TrimSpace(username)
  541. if len(trimmedUsername) == 0 {
  542. return nil, ErrUserNotExist{0, username, 0}
  543. }
  544. user = &User{LowerName: strings.ToLower(trimmedUsername)}
  545. }
  546. hasUser, err := x.Get(user)
  547. if err != nil {
  548. return nil, err
  549. }
  550. if hasUser {
  551. switch user.LoginType {
  552. case LoginNoType, LoginPlain, LoginOAuth2:
  553. if user.ValidatePassword(password) {
  554. return user, nil
  555. }
  556. return nil, ErrUserNotExist{user.ID, user.Name, 0}
  557. default:
  558. var source LoginSource
  559. hasSource, err := x.ID(user.LoginSource).Get(&source)
  560. if err != nil {
  561. return nil, err
  562. } else if !hasSource {
  563. return nil, ErrLoginSourceNotExist{user.LoginSource}
  564. }
  565. return ExternalUserLogin(user, user.LoginName, password, &source, false)
  566. }
  567. }
  568. sources := make([]*LoginSource, 0, 5)
  569. if err = x.Where("is_actived = ?", true).Find(&sources); err != nil {
  570. return nil, err
  571. }
  572. for _, source := range sources {
  573. if source.IsOAuth2() {
  574. // don't try to authenticate against OAuth2 sources
  575. continue
  576. }
  577. authUser, err := ExternalUserLogin(nil, username, password, source, true)
  578. if err == nil {
  579. return authUser, nil
  580. }
  581. log.Warn("Failed to login '%s' via '%s': %v", username, source.Name, err)
  582. }
  583. return nil, ErrUserNotExist{user.ID, user.Name, 0}
  584. }