Support instance-wide OAuth2 applications (#21335)

Support OAuth2 applications created by admins on the admin panel, they
aren't owned by anybody.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lauris BH <lauris@nix.lv>
This commit is contained in:
qwerty287 2022-10-12 16:08:29 +02:00 committed by GitHub
parent c41b30760b
commit a902af75f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 149 additions and 6 deletions

View file

@ -0,0 +1,93 @@
// Copyright 2022 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package admin
import (
"fmt"
"net/http"
"code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/setting"
user_setting "code.gitea.io/gitea/routers/web/user/setting"
)
var (
tplSettingsApplications base.TplName = "admin/applications/list"
tplSettingsOauth2ApplicationEdit base.TplName = "admin/applications/oauth2_edit"
)
func newOAuth2CommonHandlers() *user_setting.OAuth2CommonHandlers {
return &user_setting.OAuth2CommonHandlers{
OwnerID: 0,
BasePathList: fmt.Sprintf("%s/admin/applications", setting.AppSubURL),
BasePathEditPrefix: fmt.Sprintf("%s/admin/applications/oauth2", setting.AppSubURL),
TplAppEdit: tplSettingsOauth2ApplicationEdit,
}
}
// Applications render org applications page (for org, at the moment, there are only OAuth2 applications)
func Applications(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings.applications")
ctx.Data["PageIsAdmin"] = true
ctx.Data["PageIsAdminApplications"] = true
apps, err := auth.GetOAuth2ApplicationsByUserID(ctx, 0)
if err != nil {
ctx.ServerError("GetOAuth2ApplicationsByUserID", err)
return
}
ctx.Data["Applications"] = apps
ctx.HTML(http.StatusOK, tplSettingsApplications)
}
// ApplicationsPost response for adding an oauth2 application
func ApplicationsPost(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings.applications")
ctx.Data["PageIsAdmin"] = true
ctx.Data["PageIsAdminApplications"] = true
oa := newOAuth2CommonHandlers()
oa.AddApp(ctx)
}
// EditApplication displays the given application
func EditApplication(ctx *context.Context) {
ctx.Data["PageIsAdmin"] = true
ctx.Data["PageIsAdminApplications"] = true
oa := newOAuth2CommonHandlers()
oa.EditShow(ctx)
}
// EditApplicationPost response for editing oauth2 application
func EditApplicationPost(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings.applications")
ctx.Data["PageIsAdmin"] = true
ctx.Data["PageIsAdminApplications"] = true
oa := newOAuth2CommonHandlers()
oa.EditSave(ctx)
}
// ApplicationsRegenerateSecret handles the post request for regenerating the secret
func ApplicationsRegenerateSecret(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsAdmin"] = true
ctx.Data["PageIsAdminApplications"] = true
oa := newOAuth2CommonHandlers()
oa.RegenerateSecret(ctx)
}
// DeleteApplication deletes the given oauth2 application
func DeleteApplication(ctx *context.Context) {
oa := newOAuth2CommonHandlers()
oa.DeleteApp(ctx)
}
// TODO: revokes the grant with the given id

View file

@ -380,10 +380,13 @@ func AuthorizeOAuth(ctx *context.Context) {
return return
} }
user, err := user_model.GetUserByID(app.UID) var user *user_model.User
if err != nil { if app.UID != 0 {
ctx.ServerError("GetUserByID", err) user, err = user_model.GetUserByID(app.UID)
return if err != nil {
ctx.ServerError("GetUserByID", err)
return
}
} }
if !app.ContainsRedirectURI(form.RedirectURI) { if !app.ContainsRedirectURI(form.RedirectURI) {
@ -475,7 +478,11 @@ func AuthorizeOAuth(ctx *context.Context) {
ctx.Data["State"] = form.State ctx.Data["State"] = form.State
ctx.Data["Scope"] = form.Scope ctx.Data["Scope"] = form.Scope
ctx.Data["Nonce"] = form.Nonce ctx.Data["Nonce"] = form.Nonce
ctx.Data["ApplicationUserLinkHTML"] = "<a href=\"" + html.EscapeString(user.HTMLURL()) + "\">@" + html.EscapeString(user.Name) + "</a>" if user != nil {
ctx.Data["ApplicationCreatorLinkHTML"] = fmt.Sprintf(`<a href="%s">@%s</a>`, html.EscapeString(user.HomeLink()), html.EscapeString(user.Name))
} else {
ctx.Data["ApplicationCreatorLinkHTML"] = fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(setting.AppSubURL+"/"), html.EscapeString(setting.AppName))
}
ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>" ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>"
// TODO document SESSION <=> FORM // TODO document SESSION <=> FORM
err = ctx.Session.Set("client_id", app.ClientID) err = ctx.Session.Set("client_id", app.ClientID)

View file

@ -569,6 +569,23 @@ func RegisterRoutes(m *web.Route) {
m.Post("/delete", admin.DeleteNotices) m.Post("/delete", admin.DeleteNotices)
m.Post("/empty", admin.EmptyNotices) m.Post("/empty", admin.EmptyNotices)
}) })
m.Group("/applications", func() {
m.Get("", admin.Applications)
m.Post("/oauth2", bindIgnErr(forms.EditOAuth2ApplicationForm{}), admin.ApplicationsPost)
m.Group("/oauth2/{id}", func() {
m.Combo("").Get(admin.EditApplication).Post(bindIgnErr(forms.EditOAuth2ApplicationForm{}), admin.EditApplicationPost)
m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret)
m.Post("/delete", admin.DeleteApplication)
})
}, func(ctx *context.Context) {
if !setting.OAuth2.Enable {
ctx.Error(http.StatusForbidden)
return
}
})
}, func(ctx *context.Context) {
ctx.Data["EnableOAuth2"] = setting.OAuth2.Enable
}, adminReq) }, adminReq)
// ***** END: Admin ***** // ***** END: Admin *****

View file

@ -0,0 +1,14 @@
{{template "base/head" .}}
<div class="page-content admin config">
{{template "admin/navbar" .}}
<div class="ui container">
<div class="twelve wide column content">
{{template "base/alert" .}}
<h4 class="ui top attached header">
{{.locale.Tr "settings.applications"}}
</h4>
{{template "user/settings/applications_oauth2_list" .}}
</div>
</div>
</div>
{{template "base/footer" .}}

View file

@ -0,0 +1,7 @@
{{template "base/head" .}}
<div class="page-content admin config">
{{template "admin/navbar" .}}
{{template "user/settings/applications_oauth2_edit_form" .}}
</div>
{{template "base/footer" .}}

View file

@ -26,6 +26,11 @@
<a class="{{if .PageIsAdminEmails}}active{{end}} item" href="{{AppSubUrl}}/admin/emails"> <a class="{{if .PageIsAdminEmails}}active{{end}} item" href="{{AppSubUrl}}/admin/emails">
{{.locale.Tr "admin.emails"}} {{.locale.Tr "admin.emails"}}
</a> </a>
{{if .EnableOAuth2}}
<a class="{{if .PageIsAdminApplications}}active{{end}} item" href="{{AppSubUrl}}/admin/applications">
{{.locale.Tr "settings.applications"}}
</a>
{{end}}
<a class="{{if .PageIsAdminConfig}}active{{end}} item" href="{{AppSubUrl}}/admin/config"> <a class="{{if .PageIsAdminConfig}}active{{end}} item" href="{{AppSubUrl}}/admin/config">
{{.locale.Tr "admin.config"}} {{.locale.Tr "admin.config"}}
</a> </a>

View file

@ -9,7 +9,7 @@
{{template "base/alert" .}} {{template "base/alert" .}}
<p> <p>
<b>{{.locale.Tr "auth.authorize_application_description"}}</b><br/> <b>{{.locale.Tr "auth.authorize_application_description"}}</b><br/>
{{.locale.Tr "auth.authorize_application_created_by" .ApplicationUserLinkHTML | Str2html}} {{.locale.Tr "auth.authorize_application_created_by" .ApplicationCreatorLinkHTML | Str2html}}
</p> </p>
</div> </div>
<div class="ui attached segment"> <div class="ui attached segment">