Support instance-wide OAuth2 applications (#21335)
Support OAuth2 applications created by admins on the admin panel, they aren't owned by anybody. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lauris BH <lauris@nix.lv>
This commit is contained in:
parent
c41b30760b
commit
a902af75f4
|
@ -0,0 +1,93 @@
|
||||||
|
// Copyright 2022 The Gitea Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a MIT-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package admin
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
|
||||||
|
"code.gitea.io/gitea/models/auth"
|
||||||
|
"code.gitea.io/gitea/modules/base"
|
||||||
|
"code.gitea.io/gitea/modules/context"
|
||||||
|
"code.gitea.io/gitea/modules/setting"
|
||||||
|
user_setting "code.gitea.io/gitea/routers/web/user/setting"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
tplSettingsApplications base.TplName = "admin/applications/list"
|
||||||
|
tplSettingsOauth2ApplicationEdit base.TplName = "admin/applications/oauth2_edit"
|
||||||
|
)
|
||||||
|
|
||||||
|
func newOAuth2CommonHandlers() *user_setting.OAuth2CommonHandlers {
|
||||||
|
return &user_setting.OAuth2CommonHandlers{
|
||||||
|
OwnerID: 0,
|
||||||
|
BasePathList: fmt.Sprintf("%s/admin/applications", setting.AppSubURL),
|
||||||
|
BasePathEditPrefix: fmt.Sprintf("%s/admin/applications/oauth2", setting.AppSubURL),
|
||||||
|
TplAppEdit: tplSettingsOauth2ApplicationEdit,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Applications render org applications page (for org, at the moment, there are only OAuth2 applications)
|
||||||
|
func Applications(ctx *context.Context) {
|
||||||
|
ctx.Data["Title"] = ctx.Tr("settings.applications")
|
||||||
|
ctx.Data["PageIsAdmin"] = true
|
||||||
|
ctx.Data["PageIsAdminApplications"] = true
|
||||||
|
|
||||||
|
apps, err := auth.GetOAuth2ApplicationsByUserID(ctx, 0)
|
||||||
|
if err != nil {
|
||||||
|
ctx.ServerError("GetOAuth2ApplicationsByUserID", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ctx.Data["Applications"] = apps
|
||||||
|
|
||||||
|
ctx.HTML(http.StatusOK, tplSettingsApplications)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ApplicationsPost response for adding an oauth2 application
|
||||||
|
func ApplicationsPost(ctx *context.Context) {
|
||||||
|
ctx.Data["Title"] = ctx.Tr("settings.applications")
|
||||||
|
ctx.Data["PageIsAdmin"] = true
|
||||||
|
ctx.Data["PageIsAdminApplications"] = true
|
||||||
|
|
||||||
|
oa := newOAuth2CommonHandlers()
|
||||||
|
oa.AddApp(ctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EditApplication displays the given application
|
||||||
|
func EditApplication(ctx *context.Context) {
|
||||||
|
ctx.Data["PageIsAdmin"] = true
|
||||||
|
ctx.Data["PageIsAdminApplications"] = true
|
||||||
|
|
||||||
|
oa := newOAuth2CommonHandlers()
|
||||||
|
oa.EditShow(ctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
// EditApplicationPost response for editing oauth2 application
|
||||||
|
func EditApplicationPost(ctx *context.Context) {
|
||||||
|
ctx.Data["Title"] = ctx.Tr("settings.applications")
|
||||||
|
ctx.Data["PageIsAdmin"] = true
|
||||||
|
ctx.Data["PageIsAdminApplications"] = true
|
||||||
|
|
||||||
|
oa := newOAuth2CommonHandlers()
|
||||||
|
oa.EditSave(ctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
// ApplicationsRegenerateSecret handles the post request for regenerating the secret
|
||||||
|
func ApplicationsRegenerateSecret(ctx *context.Context) {
|
||||||
|
ctx.Data["Title"] = ctx.Tr("settings")
|
||||||
|
ctx.Data["PageIsAdmin"] = true
|
||||||
|
ctx.Data["PageIsAdminApplications"] = true
|
||||||
|
|
||||||
|
oa := newOAuth2CommonHandlers()
|
||||||
|
oa.RegenerateSecret(ctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteApplication deletes the given oauth2 application
|
||||||
|
func DeleteApplication(ctx *context.Context) {
|
||||||
|
oa := newOAuth2CommonHandlers()
|
||||||
|
oa.DeleteApp(ctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: revokes the grant with the given id
|
|
@ -380,11 +380,14 @@ func AuthorizeOAuth(ctx *context.Context) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := user_model.GetUserByID(app.UID)
|
var user *user_model.User
|
||||||
|
if app.UID != 0 {
|
||||||
|
user, err = user_model.GetUserByID(app.UID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ctx.ServerError("GetUserByID", err)
|
ctx.ServerError("GetUserByID", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if !app.ContainsRedirectURI(form.RedirectURI) {
|
if !app.ContainsRedirectURI(form.RedirectURI) {
|
||||||
handleAuthorizeError(ctx, AuthorizeError{
|
handleAuthorizeError(ctx, AuthorizeError{
|
||||||
|
@ -475,7 +478,11 @@ func AuthorizeOAuth(ctx *context.Context) {
|
||||||
ctx.Data["State"] = form.State
|
ctx.Data["State"] = form.State
|
||||||
ctx.Data["Scope"] = form.Scope
|
ctx.Data["Scope"] = form.Scope
|
||||||
ctx.Data["Nonce"] = form.Nonce
|
ctx.Data["Nonce"] = form.Nonce
|
||||||
ctx.Data["ApplicationUserLinkHTML"] = "<a href=\"" + html.EscapeString(user.HTMLURL()) + "\">@" + html.EscapeString(user.Name) + "</a>"
|
if user != nil {
|
||||||
|
ctx.Data["ApplicationCreatorLinkHTML"] = fmt.Sprintf(`<a href="%s">@%s</a>`, html.EscapeString(user.HomeLink()), html.EscapeString(user.Name))
|
||||||
|
} else {
|
||||||
|
ctx.Data["ApplicationCreatorLinkHTML"] = fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(setting.AppSubURL+"/"), html.EscapeString(setting.AppName))
|
||||||
|
}
|
||||||
ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>"
|
ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>"
|
||||||
// TODO document SESSION <=> FORM
|
// TODO document SESSION <=> FORM
|
||||||
err = ctx.Session.Set("client_id", app.ClientID)
|
err = ctx.Session.Set("client_id", app.ClientID)
|
||||||
|
|
|
@ -569,6 +569,23 @@ func RegisterRoutes(m *web.Route) {
|
||||||
m.Post("/delete", admin.DeleteNotices)
|
m.Post("/delete", admin.DeleteNotices)
|
||||||
m.Post("/empty", admin.EmptyNotices)
|
m.Post("/empty", admin.EmptyNotices)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
m.Group("/applications", func() {
|
||||||
|
m.Get("", admin.Applications)
|
||||||
|
m.Post("/oauth2", bindIgnErr(forms.EditOAuth2ApplicationForm{}), admin.ApplicationsPost)
|
||||||
|
m.Group("/oauth2/{id}", func() {
|
||||||
|
m.Combo("").Get(admin.EditApplication).Post(bindIgnErr(forms.EditOAuth2ApplicationForm{}), admin.EditApplicationPost)
|
||||||
|
m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret)
|
||||||
|
m.Post("/delete", admin.DeleteApplication)
|
||||||
|
})
|
||||||
|
}, func(ctx *context.Context) {
|
||||||
|
if !setting.OAuth2.Enable {
|
||||||
|
ctx.Error(http.StatusForbidden)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}, func(ctx *context.Context) {
|
||||||
|
ctx.Data["EnableOAuth2"] = setting.OAuth2.Enable
|
||||||
}, adminReq)
|
}, adminReq)
|
||||||
// ***** END: Admin *****
|
// ***** END: Admin *****
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
{{template "base/head" .}}
|
||||||
|
<div class="page-content admin config">
|
||||||
|
{{template "admin/navbar" .}}
|
||||||
|
<div class="ui container">
|
||||||
|
<div class="twelve wide column content">
|
||||||
|
{{template "base/alert" .}}
|
||||||
|
<h4 class="ui top attached header">
|
||||||
|
{{.locale.Tr "settings.applications"}}
|
||||||
|
</h4>
|
||||||
|
{{template "user/settings/applications_oauth2_list" .}}
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
{{template "base/footer" .}}
|
|
@ -0,0 +1,7 @@
|
||||||
|
{{template "base/head" .}}
|
||||||
|
<div class="page-content admin config">
|
||||||
|
{{template "admin/navbar" .}}
|
||||||
|
|
||||||
|
{{template "user/settings/applications_oauth2_edit_form" .}}
|
||||||
|
</div>
|
||||||
|
{{template "base/footer" .}}
|
|
@ -26,6 +26,11 @@
|
||||||
<a class="{{if .PageIsAdminEmails}}active{{end}} item" href="{{AppSubUrl}}/admin/emails">
|
<a class="{{if .PageIsAdminEmails}}active{{end}} item" href="{{AppSubUrl}}/admin/emails">
|
||||||
{{.locale.Tr "admin.emails"}}
|
{{.locale.Tr "admin.emails"}}
|
||||||
</a>
|
</a>
|
||||||
|
{{if .EnableOAuth2}}
|
||||||
|
<a class="{{if .PageIsAdminApplications}}active{{end}} item" href="{{AppSubUrl}}/admin/applications">
|
||||||
|
{{.locale.Tr "settings.applications"}}
|
||||||
|
</a>
|
||||||
|
{{end}}
|
||||||
<a class="{{if .PageIsAdminConfig}}active{{end}} item" href="{{AppSubUrl}}/admin/config">
|
<a class="{{if .PageIsAdminConfig}}active{{end}} item" href="{{AppSubUrl}}/admin/config">
|
||||||
{{.locale.Tr "admin.config"}}
|
{{.locale.Tr "admin.config"}}
|
||||||
</a>
|
</a>
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
{{template "base/alert" .}}
|
{{template "base/alert" .}}
|
||||||
<p>
|
<p>
|
||||||
<b>{{.locale.Tr "auth.authorize_application_description"}}</b><br/>
|
<b>{{.locale.Tr "auth.authorize_application_description"}}</b><br/>
|
||||||
{{.locale.Tr "auth.authorize_application_created_by" .ApplicationUserLinkHTML | Str2html}}
|
{{.locale.Tr "auth.authorize_application_created_by" .ApplicationCreatorLinkHTML | Str2html}}
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="ui attached segment">
|
<div class="ui attached segment">
|
||||||
|
|
Loading…
Reference in New Issue