Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page

quasoft · quasoft · commit be85ea74fd84 · 2019-11-22T10:00:21.000+02:00
diff --git a/modules/auth/sso/sso.go b/modules/auth/sso/sso.go
@@ -37,8 +37,6 @@ var ssoMethods []SingleSignOn = []SingleSignOn{
 // The purpose of the following three function variables is to let the linter know that
 // those functions are not dead code and are actually being used
 var (
-	_ = isPublicResource
-	_ = isPublicPage
 	_ = handleSignIn
 )
 
@@ -107,44 +105,6 @@ func isAttachmentDownload(ctx *macaron.Context) bool {
 	return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
 }
 
-// isPublicResource checks if the url is of a public resource file that should be served
-// without authentication (eg. the Web App Manifest, the Service Worker script or the favicon)
-func isPublicResource(ctx *macaron.Context) bool {
-	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
-	return path == "/robots.txt" ||
-		path == "/favicon.ico" ||
-		path == "/favicon.png" ||
-		path == "/manifest.json" ||
-		path == "/serviceworker.js"
-}
-
-// isPublicPage checks if the url is of a public page that should not require authentication
-func isPublicPage(ctx *macaron.Context) bool {
-	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
-	homePage := strings.TrimSuffix(setting.AppSubURL, "/")
-	currentURL := homePage + path
-	return currentURL == homePage ||
-		path == "/user/login" ||
-		path == "/user/login/openid" ||
-		path == "/user/sign_up" ||
-		path == "/user/forgot_password" ||
-		path == "/user/openid/connect" ||
-		path == "/user/openid/register" ||
-		strings.HasPrefix(path, "/user/oauth2") ||
-		path == "/user/link_account" ||
-		path == "/user/link_account_signin" ||
-		path == "/user/link_account_signup" ||
-		path == "/user/two_factor" ||
-		path == "/user/two_factor/scratch" ||
-		path == "/user/u2f" ||
-		path == "/user/u2f/challenge" ||
-		path == "/user/u2f/sign" ||
-		(!setting.Service.RequireSignInView && (path == "/explore/repos" ||
-			path == "/explore/users" ||
-			path == "/explore/organizations" ||
-			path == "/explore/code"))
-}
-
 // handleSignIn clears existing session variables and stores new ones for the specified user object
 func handleSignIn(ctx *macaron.Context, sess session.Store, user *models.User) {
 	_ = sess.Delete("openid_verified_uri")
diff --git a/modules/auth/sso/sspi_windows.go b/modules/auth/sso/sspi_windows.go
@@ -139,14 +139,19 @@ func (s *SSPI) getConfig() (*models.SSPIConfig, error) {
 	return sources[0].SSPI(), nil
 }
 
-func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) bool {
+func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) (shouldAuth bool) {
+	shouldAuth = false
 	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
-	if path == "/user/login" && ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" {
-		return false
-	} else if ctx.Req.FormValue("auth_with_sspi") == "1" {
-		return true
+	if path == "/user/login" {
+		if ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" {
+			shouldAuth = false
+		} else if ctx.Req.FormValue("auth_with_sspi") == "1" {
+			shouldAuth = true
+		}
+	} else if isAPIPath(ctx) || isAttachmentDownload(ctx) {
+		shouldAuth = true
 	}
-	return !isPublicPage(ctx) && !isPublicResource(ctx)
+	return
 }
 
 // newUser creates a new user object for the purpose of automatic registration
