Add single sign-on support via SSPI on Windows

models/login_source.go

@@ -334,6 +334,15 @@ func LoginSources() ([]*LoginSource, error) {
 	return auths, x.Find(&auths)
 }
 
+// LoginSourcesByType returns all sources of the specified type
+func LoginSourcesByType(loginType LoginType) ([]*LoginSource, error) {
+	sources := make([]*LoginSource, 0, 1)
+	if err := x.Where("type = ?", loginType).Find(&sources); err != nil {
+		return nil, err
+	}
+	return sources, nil
+}
+
 // ActiveLoginSources returns all active sources of the specified type
 func ActiveLoginSources(loginType LoginType) ([]*LoginSource, error) {
 	sources := make([]*LoginSource, 0, 1)

modules/auth/sso/sso.go

@@ -37,8 +37,6 @@ var ssoMethods []SingleSignOn = []SingleSignOn{
 // The purpose of the following three function variables is to let the linter know that
 // those functions are not dead code and are actually being used
 var (
-	_ = isPublicResource
-	_ = isPublicPage
 	_ = handleSignIn
 )
 
@@ -107,44 +105,6 @@ func isAttachmentDownload(ctx *macaron.Context) bool {
 	return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
 }
 
-// isPublicResource checks if the url is of a public resource file that should be served
-// without authentication (eg. the Web App Manifest, the Service Worker script or the favicon)
-func isPublicResource(ctx *macaron.Context) bool {
-	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
-	return path == "/robots.txt" ||
-		path == "/favicon.ico" ||
-		path == "/favicon.png" ||
-		path == "/manifest.json" ||
-		path == "/serviceworker.js"
-}
-
-// isPublicPage checks if the url is of a public page that should not require authentication
-func isPublicPage(ctx *macaron.Context) bool {
-	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
-	homePage := strings.TrimSuffix(setting.AppSubURL, "/")
-	currentURL := homePage + path
-	return currentURL == homePage ||
-		path == "/user/login" ||
-		path == "/user/login/openid" ||
-		path == "/user/sign_up" ||
-		path == "/user/forgot_password" ||
-		path == "/user/openid/connect" ||
-		path == "/user/openid/register" ||
-		strings.HasPrefix(path, "/user/oauth2") ||
-		path == "/user/link_account" ||
-		path == "/user/link_account_signin" ||
-		path == "/user/link_account_signup" ||
-		path == "/user/two_factor" ||
-		path == "/user/two_factor/scratch" ||
-		path == "/user/u2f" ||
-		path == "/user/u2f/challenge" ||
-		path == "/user/u2f/sign" ||
-		(!setting.Service.RequireSignInView && (path == "/explore/repos" ||
-			path == "/explore/users" ||
-			path == "/explore/organizations" ||
-			path == "/explore/code"))
-}
-
 // handleSignIn clears existing session variables and stores new ones for the specified user object
 func handleSignIn(ctx *macaron.Context, sess session.Store, user *models.User) {
 	_ = sess.Delete("openid_verified_uri")

modules/auth/sso/sspi_windows.go

@@ -139,14 +139,19 @@ func (s *SSPI) getConfig() (*models.SSPIConfig, error) {
 	return sources[0].SSPI(), nil
 }
 
-func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) bool {
+func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) (shouldAuth bool) {
+	shouldAuth = false
 	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
-	if path == "/user/login" && ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" {
-		return false
-	} else if ctx.Req.FormValue("auth_with_sspi") == "1" {
-		return true
+	if path == "/user/login" {
+		if ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" {
+			shouldAuth = false
+		} else if ctx.Req.FormValue("auth_with_sspi") == "1" {
+			shouldAuth = true
+		}
+	} else if isAPIPath(ctx) || isAttachmentDownload(ctx) {
+		shouldAuth = true
 	}
-	return !isPublicPage(ctx) && !isPublicResource(ctx)
+	return
 }
 
 // newUser creates a new user object for the purpose of automatic registration

options/locale/locale_en-US.ini

@@ -1823,7 +1823,7 @@ auths.sspi_strip_domain_names_helper = If checked, domain names will be removed
 auths.sspi_separator_replacement = Separator to use instead of \, / and @
 auths.sspi_separator_replacement_helper = The character to use to replace the separators of down-level logon names (eg. the \ in "DOMAIN\user") and user principal names (eg. the @ in "user@example.org").
 auths.sspi_default_language = Default user language
-auths.sspi_default_language_helper = Default language for users automatically created by SSPI auth method
+auths.sspi_default_language_helper = Default language for users automatically created by SSPI auth method. Leave empty if you prefer language to be automatically detected.
 auths.tips = Tips
 auths.tips.oauth2.general = OAuth2 Authentication
 auths.tips.oauth2.general.tip = When registering a new OAuth2 authentication, the callback/redirect URL should be: <host>/user/oauth2/<Authentication Name>/callback
@@ -1849,6 +1849,7 @@ auths.delete_auth_desc = Deleting an authentication source prevents users from u
 auths.still_in_used = The authentication source is still in use. Convert or delete any users using this authentication source first.
 auths.deletion_success = The authentication source has been deleted.
 auths.login_source_exist = The authentication source '%s' already exists.
+auths.login_source_of_type_exist = An authentication source of this type already exists.
 
 config.server_config = Server Configuration
 config.app_name = Site Title

routers/admin/auths.go

@@ -94,7 +94,7 @@ func NewAuthSource(ctx *context.Context) {
 	ctx.Data["SSPIAutoActivateUsers"] = true
 	ctx.Data["SSPIStripDomainNames"] = true
 	ctx.Data["SSPISeparatorReplacement"] = "_"
-	ctx.Data["SSPIDefaultLanguage"] = "en-US"
+	ctx.Data["SSPIDefaultLanguage"] = ""
 
 	// only the first as default
 	for key := range models.OAuth2Providers {
@@ -177,7 +177,7 @@ func parseSSPIConfig(ctx *context.Context, form auth.AuthenticationForm) (*model
 		return nil, errors.New(ctx.Tr("form.SSPISeparatorReplacement") + ctx.Tr("form.alpha_dash_dot_error"))
 	}
 
-	if !langCodePattern.MatchString(form.SSPIDefaultLanguage) {
+	if !util.IsEmptyString(form.SSPIDefaultLanguage) && !langCodePattern.MatchString(form.SSPIDefaultLanguage) {
 		ctx.Data["Err_SSPIDefaultLanguage"] = true
 		return nil, errors.New(ctx.Tr("form.lang_select_error"))
 	}
@@ -209,7 +209,7 @@ func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 	ctx.Data["SSPIAutoActivateUsers"] = true
 	ctx.Data["SSPIStripDomainNames"] = true
 	ctx.Data["SSPISeparatorReplacement"] = "_"
-	ctx.Data["SSPIDefaultLanguage"] = "en-US"
+	ctx.Data["SSPIDefaultLanguage"] = ""
 
 	hasTLS := false
 	var config core.Conversion
@@ -233,6 +233,12 @@ func NewAuthSourcePost(ctx *context.Context, form auth.AuthenticationForm) {
 			ctx.RenderWithErr(err.Error(), tplAuthNew, form)
 			return
 		}
+		existing, err := models.LoginSourcesByType(models.LoginSSPI)
+		if err != nil || len(existing) > 0 {
+			ctx.Data["Err_Type"] = true
+			ctx.RenderWithErr(ctx.Tr("admin.auths.login_source_of_type_exist"), tplAuthNew, form)
+			return
+		}
 	default:
 		ctx.Error(400)
 		return

templates/admin/auth/edit.tmpl

@@ -249,6 +249,7 @@
 							<i class="dropdown icon"></i>
 							<div class="text">{{range .AllLangs}}{{if eq $cfg.DefaultLanguage .Lang}}{{.Name}}{{end}}{{end}}</div>
 							<div class="menu">
+								<div class="item{{if not $.SSPIDefaultLanguage}} active selected{{end}}" data-value="">-</div>
 							{{range .AllLangs}}
 								<div class="item{{if eq $cfg.DefaultLanguage .Lang}} active selected{{end}}" data-value="{{.Lang}}">{{.Name}}</div>
 							{{end}}

templates/admin/auth/source/sspi.tmpl

@@ -32,6 +32,7 @@
 			<i class="dropdown icon"></i>
 			<div class="text">{{range .AllLangs}}{{if eq $.SSPIDefaultLanguage .Lang}}{{.Name}}{{end}}{{end}}</div>
 			<div class="menu">
+				<div class="item{{if not $.SSPIDefaultLanguage}} active selected{{end}}" data-value="">-</div>
 			{{range .AllLangs}}
 				<div class="item{{if eq $.SSPIDefaultLanguage .Lang}} active selected{{end}}" data-value="{{.Lang}}">{{.Name}}</div>
 			{{end}}