Stop doing multiple authentication checks in git and lfs, and ensure that reverseproxy creates a session

Signed-off-by: Andrew Thornton <[email protected]>

Author: zeripath

modules/context/context.go

@@ -640,6 +640,9 @@ func Contexter() func(next http.Handler) http.Handler {
 			} else {
 				ctx.Data["SignedUserID"] = int64(0)
 				ctx.Data["SignedUserName"] = ""
+
+				// delete the session uid
+				_ = ctx.Session.Delete("uid")
 			}
 
 			ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)

modules/lfs/server.go

@@ -16,7 +16,6 @@ import (
 	"time"
 
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -723,66 +722,7 @@ func parseToken(authorization string, target *models.Repository, mode models.Acc
 	case "bearer":
 		fallthrough
 	case "token":
-		u, err := handleLFSToken(tokenSHA, target, mode)
-		if err != nil || u != nil {
-			return u, err
-		}
-		u, err = handleOAuth2Token(tokenSHA)
-		if u == nil && err == nil {
-			u, err = handleStandardToken(tokenSHA)
-		}
-		if err != nil {
-			return nil, err
-		}
-		if u != nil {
-			perm, err := models.GetUserRepoPermission(target, u)
-			if err != nil {
-				log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", u, target)
-				return nil, err
-			}
-			if perm.CanAccess(mode, models.UnitTypeCode) {
-				return u, nil
-			}
-		}
-	case "basic":
-		uname, passwd, _ := base.BasicAuthDecode(tokenSHA)
-		if len(uname) == 0 && len(passwd) == 0 {
-			return nil, fmt.Errorf("token not found")
-		}
-		// Check if username or password is a token
-		isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
-		// Assume username is token
-		tokenSHA = uname
-		if !isUsernameToken {
-			// Assume password is token
-			tokenSHA = passwd
-		}
-		u, err := handleOAuth2Token(tokenSHA)
-		if u == nil && err == nil {
-			u, err = handleStandardToken(tokenSHA)
-		}
-		if u == nil && err == nil {
-			if !setting.Service.EnableBasicAuth {
-				return nil, fmt.Errorf("token not found")
-			}
-			u, err = models.UserSignIn(uname, passwd)
-		}
-		if err != nil {
-			if !models.IsErrUserNotExist(err) {
-				log.Error("UserSignIn: %v", err)
-			}
-			return nil, fmt.Errorf("basic auth failed")
-		}
-		if u != nil {
-			perm, err := models.GetUserRepoPermission(target, u)
-			if err != nil {
-				log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", u, target)
-				return nil, err
-			}
-			if perm.CanAccess(mode, models.UnitTypeCode) {
-				return u, nil
-			}
-		}
+		return handleLFSToken(tokenSHA, target, mode)
 	}
 	return nil, fmt.Errorf("token not found")
 }

routers/repo/http.go

@@ -22,16 +22,13 @@ import (
 	"time"
 
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/process"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
-	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
-	"code.gitea.io/gitea/services/auth"
 	repo_service "code.gitea.io/gitea/services/repository"
 )
 
@@ -168,111 +165,25 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 
 	// check access
 	if askAuth {
-		// FIXME: middlewares/context.go did basic auth check already,
-		// maybe could use that one.
-		if setting.Service.EnableReverseProxyAuth {
-			authUsername := ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
-			if len(authUsername) > 0 {
-				authUser, err = models.GetUserByName(authUsername)
-				if err != nil {
-					ctx.HandleText(401, "reverse proxy login error, got error while running GetUserByName")
-					return
-				}
-			}
+		// rely on the results of Contexter
+		if !ctx.IsSigned {
+			// TODO: support digit auth - which would be Authorization header with digit
+			ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"")
+			ctx.Error(http.StatusUnauthorized)
+			return
 		}
-		if authUser == nil {
-			authHead := ctx.Req.Header.Get("Authorization")
-			if len(authHead) == 0 {
-				ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"")
-				ctx.Error(http.StatusUnauthorized)
-				return
-			}
-
-			auths := strings.SplitN(authHead, " ", 2)
-			// currently check basic auth
-			// TODO: support digit auth
-			if len(auths) != 2 || strings.ToLower(auths[0]) != "basic" {
-				ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")
-				return
-			}
-			authUsername, authPasswd, err := base.BasicAuthDecode(auths[1])
-			if err != nil || (len(authUsername) == 0 && len(authPasswd) == 0) {
-				ctx.HandleText(http.StatusUnauthorized, "no basic auth and digit auth")
-				return
-			}
-
-			// Check if username or password is a token
-			isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic"
-			// Assume username is token
-			authToken := authUsername
-			if !isUsernameToken {
-				// Assume password is token
-				authToken = authPasswd
-			}
-			uid := auth.CheckOAuthAccessToken(authToken)
-			if uid != 0 {
-				ctx.Data["IsApiToken"] = true
-
-				authUser, err = models.GetUserByID(uid)
-				if err != nil {
-					ctx.ServerError("GetUserByID", err)
-					return
-				}
-			}
 
-			if authUser == nil {
-				// Assume password is a token.
-				token, err := models.GetAccessTokenBySHA(authToken)
-				if err == nil {
-					authUser, err = models.GetUserByID(token.UID)
-					if err != nil {
-						ctx.ServerError("GetUserByID", err)
-						return
-					}
-
-					ctx.Data["IsApiToken"] = true
-
-					token.UpdatedUnix = timeutil.TimeStampNow()
-					if err = models.UpdateAccessToken(token); err != nil {
-						ctx.ServerError("UpdateAccessToken", err)
-					}
-				} else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
-					log.Error("GetAccessTokenBySha: %v", err)
-				}
-			}
+		authUser = ctx.User
 
-			if authUser == nil && !setting.Service.EnableBasicAuth {
-				ctx.HandleText(http.StatusUnauthorized, fmt.Sprintf("invalid credentials from %s", ctx.RemoteAddr()))
+		if ctx.IsBasicAuth {
+			_, err = models.GetTwoFactorByUID(authUser.ID)
+			if err == nil {
+				// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
+				ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")
+				return
+			} else if !models.IsErrTwoFactorNotEnrolled(err) {
+				ctx.ServerError("IsErrTwoFactorNotEnrolled", err)
 				return
-			}
-
-			if authUser == nil {
-				// Check username and password
-				authUser, err = models.UserSignIn(authUsername, authPasswd)
-				if err != nil {
-					if models.IsErrUserProhibitLogin(err) {
-						ctx.HandleText(http.StatusForbidden, "User is not permitted to login")
-						return
-					} else if !models.IsErrUserNotExist(err) {
-						ctx.ServerError("UserSignIn error: %v", err)
-						return
-					}
-				}
-
-				if authUser == nil {
-					ctx.HandleText(http.StatusUnauthorized, fmt.Sprintf("invalid credentials from %s", ctx.RemoteAddr()))
-					return
-				}
-
-				_, err = models.GetTwoFactorByUID(authUser.ID)
-				if err == nil {
-					// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
-					ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")
-					return
-				} else if !models.IsErrTwoFactorNotEnrolled(err) {
-					ctx.ServerError("IsErrTwoFactorNotEnrolled", err)
-					return
-				}
 			}
 		}
 

services/auth/authenticators.go

@@ -9,10 +9,12 @@ import (
 	"fmt"
 	"net/http"
 	"reflect"
+	"regexp"
 	"strings"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
 )
 
@@ -27,9 +29,9 @@ import (
 // for users that have already signed in.
 var authMethods = []Authenticator{
 	&OAuth2{},
-	&Session{},
 	&ReverseProxy{},
 	&Basic{},
+	&Session{},
 }
 
 // AuthenticationMechanism represents possible authentication mechanisms
@@ -101,6 +103,20 @@ func isAttachmentDownload(req *http.Request) bool {
 	return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
 }
 
+var gitPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)`)
+var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
+
+func isGitOrLFSPath(req *http.Request) bool {
+	log.Info("Checking: %q", req.URL.Path)
+	if gitPathRe.MatchString(req.URL.Path) {
+		return true
+	}
+	if setting.LFS.StartServer {
+		return lfsPathRe.MatchString(req.URL.Path)
+	}
+	return false
+}
+
 // handleSignIn clears existing session variables and stores new ones for the specified user object
 func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore, user *models.User) {
 	_ = sess.Delete("openid_verified_uri")

services/auth/basic.go

@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web/middleware"
 )
 
 // BasicAuthenticationMechanism represents authentication using Basic authentication
@@ -51,6 +52,13 @@ func (b *Basic) IsEnabled() bool {
 // name/token on successful validation.
 // Returns nil if header is empty or validation fails.
 func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
+	// Basic authentication should only fire on API, Download or on Git or LFSPaths
+	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+		log.Info("Skipping BASIC authentication")
+		return nil
+	}
+	log.Info("Doing BASIC authentication")
+
 	baHead := req.Header.Get("Authorization")
 	if len(baHead) == 0 {
 		return nil

services/auth/oauth2.go

@@ -130,7 +130,7 @@ func (o *OAuth2) VerifyAuthData(req *http.Request, w http.ResponseWriter, store
 		return nil
 	}
 
-	if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) {
+	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) {
 		return nil
 	}
 

services/auth/reverseproxy.go

@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web/middleware"
 
 	gouuid "github.com/google/uuid"
 )
@@ -71,12 +72,16 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
 
 	user, err := models.GetUserByName(username)
 	if err != nil {
-		if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() {
-			store.GetData()["AuthenticationMechanism"] = ReverseProxyMechanism
-			return r.newUser(req)
+		if !models.IsErrUserNotExist(err) || r.isAutoRegisterAllowed() {
+			log.Error("GetUserByName: %v", err)
+			return nil
 		}
-		log.Error("GetUserByName: %v", err)
-		return nil
+		user = r.newUser(req)
+	}
+
+	// Make sure requests to API paths and PWA resources do not create a new session
+	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+		handleSignIn(w, req, sess, user)
 	}
 
 	store.GetData()["AuthenticationMechanism"] = ReverseProxyMechanism