mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-06-07 23:27:41 +00:00
55d8910255
Some checks failed
/ release (push) Waiting to run
testing / backend-checks (push) Waiting to run
testing / frontend-checks (push) Waiting to run
testing / test-unit (push) Blocked by required conditions
testing / test-e2e (push) Blocked by required conditions
testing / test-remote-cacher (redis) (push) Blocked by required conditions
testing / test-remote-cacher (valkey) (push) Blocked by required conditions
testing / test-remote-cacher (garnet) (push) Blocked by required conditions
testing / test-remote-cacher (redict) (push) Blocked by required conditions
testing / test-mysql (push) Blocked by required conditions
testing / test-pgsql (push) Blocked by required conditions
testing / test-sqlite (push) Blocked by required conditions
testing / security-check (push) Blocked by required conditions
Integration tests for the release process / release-simulation (push) Has been cancelled
urfave/cli v2 will eventually become unmaintained, switch over to v3 which is the latest supported version. Note: the `docs` command would be a lot of work to restore with v3 ([the package is still in alpha](https://github.com/urfave/cli-docs)) An alternative to avoid a breaking change would be to not upgrade from v2 to v3 for that reason alone. Note: these commits were cherry-picked from https://code.forgejo.org/forgefriends/forgefriends Note: it is best reviewed side by side with no display of whitespace changes (there are a lot of those when converting vars to func). - a few functional changes were necessary and are noted in context in the file changes tab - https://cli.urfave.org/migrate-v2-to-v3/ upgrade instructions were followed in the most minimal way possible - upgrade gof3 to v3.10.8 which includes and upgrade from urfave/cli v2 to urfave/cli v3 - upgrade gitlab.com/gitlab-org/api/client-go v0.129.0 because it is an indirect dependency of gof3 and requires a change because of a deprecated field that otherwise triggers a lint error but nothing else otherwise - verified that the [script](https://codeberg.org/forgejo/docs/src/branch/next/scripts/cli-docs.sh) that generates the [CLI documentation](https://codeberg.org/forgejo/docs/src/branch/next/scripts/cli-docs.sh) still works. There are cosmetic differences and the **help** subcommand is no longer advertised (although it is still supported) but the `--help` option is advertised as expected so it is fine. - end-to-end tests [passed](https://code.forgejo.org/forgejo/end-to-end/pulls/667) (they use the Forgejo CLI to some extent) ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [x] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Breaking features - [PR](https://codeberg.org/forgejo/forgejo/pulls/8035): <!--number 8035 --><!--line 0 --><!--description VGhlIGBmb3JnZWpvIGRvY3NgIGNvbW1hbmQgaXMgZGVwcmVjYXRlZCBhbmQgQ0xJIGVycm9ycyBhcmUgbm93IGRpc3BsYXllZCBvbiBzdGRlcnIgaW5zdGVhZCBvZiBzdGRvdXQuIFRoZXNlIGJyZWFraW5nIGNoYW5nZXMgaGFwcGVuZWQgYmVjYXVzZSB0aGUgcGFja2FnZSB1c2VkIHRvIHBhcnNlIHRoZSBjb21tYW5kIGxpbmUgYXJndW1lbnRzIHdhcyBbdXBncmFkZWQgZnJvbSB2MiB0byB2M10oaHR0cHM6Ly9jbGkudXJmYXZlLm9yZy9taWdyYXRlLXYyLXRvLXYzLykuIEEgW3NlcGFyYXRlIHByb2plY3Qgd2FzIGluaXRpYXRlZF0oaHR0cHM6Ly9naXRodWIuY29tL3VyZmF2ZS9jbGktZG9jcykgdG8gcmUtaW1wbGVtZW50IHRoZSBgZG9jc2AgY29tbWFuZCwgYnV0IGl0IGlzIG5vdCB5ZXQgcHJvZHVjdGlvbiByZWFkeS4=-->The `forgejo docs` command is deprecated and CLI errors are now displayed on stderr instead of stdout. These breaking changes happened because the package used to parse the command line arguments was [upgraded from v2 to v3](https://cli.urfave.org/migrate-v2-to-v3/). A [separate project was initiated](https://github.com/urfave/cli-docs) to re-implement the `docs` command, but it is not yet production ready.<!--description--> <!--end release-notes-assistant--> Co-authored-by: limiting-factor <limiting-factor@posteo.com> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8035 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
304 lines
8.2 KiB
Go
304 lines
8.2 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net/url"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
"forgejo.org/services/auth/source/oauth2"
|
|
|
|
"github.com/urfave/cli/v3"
|
|
)
|
|
|
|
func oauthCLIFlags() []cli.Flag {
|
|
return []cli.Flag{
|
|
&cli.StringFlag{
|
|
Name: "name",
|
|
Value: "",
|
|
Usage: "Application Name",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "provider",
|
|
Value: "",
|
|
Usage: "OAuth2 Provider",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "key",
|
|
Value: "",
|
|
Usage: "Client ID (Key)",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "secret",
|
|
Value: "",
|
|
Usage: "Client Secret",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "auto-discover-url",
|
|
Value: "",
|
|
Usage: "OpenID Connect Auto Discovery URL (only required when using OpenID Connect as provider)",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "use-custom-urls",
|
|
Value: "false",
|
|
Usage: "Use custom URLs for GitLab/GitHub OAuth endpoints",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "custom-tenant-id",
|
|
Value: "",
|
|
Usage: "Use custom Tenant ID for OAuth endpoints",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "custom-auth-url",
|
|
Value: "",
|
|
Usage: "Use a custom Authorization URL (option for GitLab/GitHub)",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "custom-token-url",
|
|
Value: "",
|
|
Usage: "Use a custom Token URL (option for GitLab/GitHub)",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "custom-profile-url",
|
|
Value: "",
|
|
Usage: "Use a custom Profile URL (option for GitLab/GitHub)",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "custom-email-url",
|
|
Value: "",
|
|
Usage: "Use a custom Email URL (option for GitHub)",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "icon-url",
|
|
Value: "",
|
|
Usage: "Custom icon URL for OAuth2 login source",
|
|
},
|
|
&cli.BoolFlag{
|
|
Name: "skip-local-2fa",
|
|
Usage: "Set to true to skip local 2fa for users authenticated by this source",
|
|
},
|
|
&cli.StringSliceFlag{
|
|
Name: "scopes",
|
|
Value: nil,
|
|
Usage: "Scopes to request when to authenticate against this OAuth2 source",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "required-claim-name",
|
|
Value: "",
|
|
Usage: "Claim name that has to be set to allow users to login with this source",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "required-claim-value",
|
|
Value: "",
|
|
Usage: "Claim value that has to be set to allow users to login with this source",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "group-claim-name",
|
|
Value: "",
|
|
Usage: "Claim name providing group names for this source",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "admin-group",
|
|
Value: "",
|
|
Usage: "Group Claim value for administrator users",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "restricted-group",
|
|
Value: "",
|
|
Usage: "Group Claim value for restricted users",
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "group-team-map",
|
|
Value: "",
|
|
Usage: "JSON mapping between groups and org teams",
|
|
},
|
|
&cli.BoolFlag{
|
|
Name: "group-team-map-removal",
|
|
Usage: "Activate automatic team membership removal depending on groups",
|
|
},
|
|
}
|
|
}
|
|
|
|
func microcmdAuthAddOauth() *cli.Command {
|
|
return &cli.Command{
|
|
Name: "add-oauth",
|
|
Usage: "Add new Oauth authentication source",
|
|
Action: runAddOauth,
|
|
Flags: oauthCLIFlags(),
|
|
}
|
|
}
|
|
|
|
func microcmdAuthUpdateOauth() *cli.Command {
|
|
return &cli.Command{
|
|
Name: "update-oauth",
|
|
Usage: "Update existing Oauth authentication source",
|
|
Action: runUpdateOauth,
|
|
Flags: append(oauthCLIFlags()[:1], append([]cli.Flag{idFlag()}, oauthCLIFlags()[1:]...)...),
|
|
}
|
|
}
|
|
|
|
func parseOAuth2Config(_ context.Context, c *cli.Command) *oauth2.Source {
|
|
var customURLMapping *oauth2.CustomURLMapping
|
|
if c.IsSet("use-custom-urls") {
|
|
customURLMapping = &oauth2.CustomURLMapping{
|
|
TokenURL: c.String("custom-token-url"),
|
|
AuthURL: c.String("custom-auth-url"),
|
|
ProfileURL: c.String("custom-profile-url"),
|
|
EmailURL: c.String("custom-email-url"),
|
|
Tenant: c.String("custom-tenant-id"),
|
|
}
|
|
} else {
|
|
customURLMapping = nil
|
|
}
|
|
return &oauth2.Source{
|
|
Provider: c.String("provider"),
|
|
ClientID: c.String("key"),
|
|
ClientSecret: c.String("secret"),
|
|
OpenIDConnectAutoDiscoveryURL: c.String("auto-discover-url"),
|
|
CustomURLMapping: customURLMapping,
|
|
IconURL: c.String("icon-url"),
|
|
SkipLocalTwoFA: c.Bool("skip-local-2fa"),
|
|
Scopes: c.StringSlice("scopes"),
|
|
RequiredClaimName: c.String("required-claim-name"),
|
|
RequiredClaimValue: c.String("required-claim-value"),
|
|
GroupClaimName: c.String("group-claim-name"),
|
|
AdminGroup: c.String("admin-group"),
|
|
RestrictedGroup: c.String("restricted-group"),
|
|
GroupTeamMap: c.String("group-team-map"),
|
|
GroupTeamMapRemoval: c.Bool("group-team-map-removal"),
|
|
}
|
|
}
|
|
|
|
func runAddOauth(ctx context.Context, c *cli.Command) error {
|
|
ctx, cancel := installSignals(ctx)
|
|
defer cancel()
|
|
|
|
if err := initDB(ctx); err != nil {
|
|
return err
|
|
}
|
|
|
|
config := parseOAuth2Config(ctx, c)
|
|
if config.Provider == "openidConnect" {
|
|
discoveryURL, err := url.Parse(config.OpenIDConnectAutoDiscoveryURL)
|
|
if err != nil || (discoveryURL.Scheme != "http" && discoveryURL.Scheme != "https") {
|
|
return fmt.Errorf("invalid Auto Discovery URL: %s (this must be a valid URL starting with http:// or https://)", config.OpenIDConnectAutoDiscoveryURL)
|
|
}
|
|
}
|
|
|
|
return auth_model.CreateSource(ctx, &auth_model.Source{
|
|
Type: auth_model.OAuth2,
|
|
Name: c.String("name"),
|
|
IsActive: true,
|
|
Cfg: config,
|
|
})
|
|
}
|
|
|
|
func runUpdateOauth(ctx context.Context, c *cli.Command) error {
|
|
if !c.IsSet("id") {
|
|
return errors.New("--id flag is missing")
|
|
}
|
|
|
|
ctx, cancel := installSignals(ctx)
|
|
defer cancel()
|
|
|
|
if err := initDB(ctx); err != nil {
|
|
return err
|
|
}
|
|
|
|
source, err := auth_model.GetSourceByID(ctx, c.Int64("id"))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
oAuth2Config := source.Cfg.(*oauth2.Source)
|
|
|
|
if c.IsSet("name") {
|
|
source.Name = c.String("name")
|
|
}
|
|
|
|
if c.IsSet("provider") {
|
|
oAuth2Config.Provider = c.String("provider")
|
|
}
|
|
|
|
if c.IsSet("key") {
|
|
oAuth2Config.ClientID = c.String("key")
|
|
}
|
|
|
|
if c.IsSet("secret") {
|
|
oAuth2Config.ClientSecret = c.String("secret")
|
|
}
|
|
|
|
if c.IsSet("auto-discover-url") {
|
|
oAuth2Config.OpenIDConnectAutoDiscoveryURL = c.String("auto-discover-url")
|
|
}
|
|
|
|
if c.IsSet("icon-url") {
|
|
oAuth2Config.IconURL = c.String("icon-url")
|
|
}
|
|
|
|
if c.IsSet("scopes") {
|
|
oAuth2Config.Scopes = c.StringSlice("scopes")
|
|
}
|
|
|
|
if c.IsSet("required-claim-name") {
|
|
oAuth2Config.RequiredClaimName = c.String("required-claim-name")
|
|
}
|
|
if c.IsSet("required-claim-value") {
|
|
oAuth2Config.RequiredClaimValue = c.String("required-claim-value")
|
|
}
|
|
|
|
if c.IsSet("group-claim-name") {
|
|
oAuth2Config.GroupClaimName = c.String("group-claim-name")
|
|
}
|
|
if c.IsSet("admin-group") {
|
|
oAuth2Config.AdminGroup = c.String("admin-group")
|
|
}
|
|
if c.IsSet("restricted-group") {
|
|
oAuth2Config.RestrictedGroup = c.String("restricted-group")
|
|
}
|
|
if c.IsSet("group-team-map") {
|
|
oAuth2Config.GroupTeamMap = c.String("group-team-map")
|
|
}
|
|
if c.IsSet("group-team-map-removal") {
|
|
oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
|
|
}
|
|
|
|
// update custom URL mapping
|
|
customURLMapping := &oauth2.CustomURLMapping{}
|
|
|
|
if oAuth2Config.CustomURLMapping != nil {
|
|
customURLMapping.TokenURL = oAuth2Config.CustomURLMapping.TokenURL
|
|
customURLMapping.AuthURL = oAuth2Config.CustomURLMapping.AuthURL
|
|
customURLMapping.ProfileURL = oAuth2Config.CustomURLMapping.ProfileURL
|
|
customURLMapping.EmailURL = oAuth2Config.CustomURLMapping.EmailURL
|
|
customURLMapping.Tenant = oAuth2Config.CustomURLMapping.Tenant
|
|
}
|
|
if c.IsSet("use-custom-urls") && c.IsSet("custom-token-url") {
|
|
customURLMapping.TokenURL = c.String("custom-token-url")
|
|
}
|
|
|
|
if c.IsSet("use-custom-urls") && c.IsSet("custom-auth-url") {
|
|
customURLMapping.AuthURL = c.String("custom-auth-url")
|
|
}
|
|
|
|
if c.IsSet("use-custom-urls") && c.IsSet("custom-profile-url") {
|
|
customURLMapping.ProfileURL = c.String("custom-profile-url")
|
|
}
|
|
|
|
if c.IsSet("use-custom-urls") && c.IsSet("custom-email-url") {
|
|
customURLMapping.EmailURL = c.String("custom-email-url")
|
|
}
|
|
|
|
if c.IsSet("use-custom-urls") && c.IsSet("custom-tenant-id") {
|
|
customURLMapping.Tenant = c.String("custom-tenant-id")
|
|
}
|
|
|
|
oAuth2Config.CustomURLMapping = customURLMapping
|
|
source.Cfg = oAuth2Config
|
|
|
|
return auth_model.UpdateSource(ctx, source)
|
|
}
|