mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-03-29 13:43:09 -04:00
c84cbd56a1
Add support for OIDC workload identity federation.
Add ID_TOKEN_SIGNING_ALGORITHM, ID_TOKEN_SIGNING_PRIVATE_KEY_FILE, and
ID_TOKEN_EXPIRATION_TIME settings to settings.actions to allow for admin
configuration of this functionality.
Add OIDC endpoints (/.well-known/openid-configuration and /.well-known/keys)
underneath the "/api/actions" route.
Add a token generation endpoint (/_apis/pipelines/workflows/{run_id}/idtoken)
underneath the "/api/actions" route.
Depends on: https://code.forgejo.org/forgejo/runner/pulls/1232
Docs PR: https://codeberg.org/forgejo/docs/pulls/1667
Signed-off-by: Mario Minardi <mminardi@shaw.ca>
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10481
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Mario Minardi <mminardi@shaw.ca>
Co-committed-by: Mario Minardi <mminardi@shaw.ca>
92 lines
2.2 KiB
Go
92 lines
2.2 KiB
Go
// Copyright 2021 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package oauth2
|
|
|
|
import (
|
|
"context"
|
|
"encoding/gob"
|
|
"net/http"
|
|
"sync"
|
|
|
|
"forgejo.org/models/auth"
|
|
"forgejo.org/models/db"
|
|
"forgejo.org/modules/jwtx"
|
|
"forgejo.org/modules/log"
|
|
"forgejo.org/modules/optional"
|
|
"forgejo.org/modules/setting"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/gorilla/sessions"
|
|
"github.com/markbates/goth/gothic"
|
|
)
|
|
|
|
var gothRWMutex = sync.RWMutex{}
|
|
|
|
// UsersStoreKey is the key for the store
|
|
const UsersStoreKey = "gitea-oauth2-sessions"
|
|
|
|
// ProviderHeaderKey is the HTTP header key
|
|
const ProviderHeaderKey = "gitea-oauth2-provider"
|
|
|
|
// DefaultSigningKey is the default signing key for JWTs.
|
|
var DefaultSigningKey jwtx.SigningKey
|
|
|
|
// Init initializes the oauth source
|
|
func Init(ctx context.Context) error {
|
|
var err error
|
|
DefaultSigningKey, err = jwtx.InitSigningKey(setting.GetGeneralTokenSigningSecret, setting.OAuth2.JWTSigningPrivateKeyFile, setting.OAuth2.JWTSigningAlgorithm)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Lock our mutex
|
|
gothRWMutex.Lock()
|
|
|
|
gob.Register(&sessions.Session{})
|
|
|
|
gothic.Store = &SessionsStore{
|
|
maxLength: int64(setting.OAuth2.MaxTokenLength),
|
|
}
|
|
|
|
gothic.SetState = func(req *http.Request) string {
|
|
return uuid.New().String()
|
|
}
|
|
|
|
gothic.GetProviderName = func(req *http.Request) (string, error) {
|
|
return req.Header.Get(ProviderHeaderKey), nil
|
|
}
|
|
|
|
// Unlock our mutex
|
|
gothRWMutex.Unlock()
|
|
|
|
return initOAuth2Sources(ctx)
|
|
}
|
|
|
|
// ResetOAuth2 clears existing OAuth2 providers and loads them from DB
|
|
func ResetOAuth2(ctx context.Context) error {
|
|
ClearProviders()
|
|
return initOAuth2Sources(ctx)
|
|
}
|
|
|
|
// initOAuth2Sources is used to load and register all active OAuth2 providers
|
|
func initOAuth2Sources(ctx context.Context) error {
|
|
authSources, err := db.Find[auth.Source](ctx, auth.FindSourcesOptions{
|
|
IsActive: optional.Some(true),
|
|
LoginType: auth.OAuth2,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, source := range authSources {
|
|
oauth2Source, ok := source.Cfg.(*Source)
|
|
if !ok {
|
|
continue
|
|
}
|
|
err := oauth2Source.RegisterSource()
|
|
if err != nil {
|
|
log.Critical("Unable to register source: %s due to Error: %v.", source.Name, err)
|
|
}
|
|
}
|
|
return nil
|
|
}
|