fix: Revert "allow synchronizing user status from OAuth2 login providers (#31572)"

This commit has a fundamental flaw, in order to syncronize if external users are still active the commit checks if the refresh token is accepted by the OAuth provider, if that is not the case it sees that as the user is disabled and sets the is active field to `false` to signal that. Because it might be possible (this commit makes this a highly likelyhood) that the OAuth provider still recognizes this user the commit introduces code to allow users to re-active themselves via the oauth flow if they were disabled because of this. However this code makes no distinction in why the user was disabled and always re-actives the user. Thus the reactivation via the OAuth flow allows users to bypass the manually activation setting (`[service].REGISTER_MANUAL_CONFIRM`) or if the admin for other reasons disabled the user. This reverts commit 21fdd28f08.
2024-12-09 06:58:58 +01:00 · 2024-12-09 06:58:58 +01:00 · 7f8f9b878f
commit 7f8f9b878f
parent 80179a373d
13 changed files with 48 additions and 371 deletions
--- a/services/auth/source/oauth2/main_test.go
+++ b/services/auth/source/oauth2/main_test.go
@ -1,14 +0,0 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package oauth2
-
-import (
-	"testing"
-
-	"code.gitea.io/gitea/models/unittest"
-)
-
-func TestMain(m *testing.M) {
-	unittest.MainTest(m, &unittest.TestOptions{})
-}
--- a/services/auth/source/oauth2/providers_test.go
+++ b/services/auth/source/oauth2/providers_test.go
@ -1,62 +0,0 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package oauth2
-
-import (
-	"time"
-
-	"github.com/markbates/goth"
-	"golang.org/x/oauth2"
-)
-
-type fakeProvider struct{}
-
-func (p *fakeProvider) Name() string {
-	return "fake"
-}
-
-func (p *fakeProvider) SetName(name string) {}
-
-func (p *fakeProvider) BeginAuth(state string) (goth.Session, error) {
-	return nil, nil
-}
-
-func (p *fakeProvider) UnmarshalSession(string) (goth.Session, error) {
-	return nil, nil
-}
-
-func (p *fakeProvider) FetchUser(goth.Session) (goth.User, error) {
-	return goth.User{}, nil
-}
-
-func (p *fakeProvider) Debug(bool) {
-}
-
-func (p *fakeProvider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
-	switch refreshToken {
-	case "expired":
-		return nil, &oauth2.RetrieveError{
-			ErrorCode: "invalid_grant",
-		}
-	default:
-		return &oauth2.Token{
-			AccessToken:  "token",
-			TokenType:    "Bearer",
-			RefreshToken: "refresh",
-			Expiry:       time.Now().Add(time.Hour),
-		}, nil
-	}
-}
-
-func (p *fakeProvider) RefreshTokenAvailable() bool {
-	return true
-}
-
-func init() {
-	RegisterGothProvider(
-		NewSimpleProvider("fake", "Fake", []string{"account"},
-			func(clientKey, secret, callbackURL string, scopes ...string) goth.Provider {
-				return &fakeProvider{}
-			}))
-}
--- a/services/auth/source/oauth2/source.go
+++ b/services/auth/source/oauth2/source.go
@ -36,7 +36,7 @@ func (source *Source) FromDB(bs []byte) error {
 	return json.UnmarshalHandleDoubleEncode(bs, &source)
 }

-// ToDB exports an OAuth2Config to a serialized format.
+// ToDB exports an SMTPConfig to a serialized format.
 func (source *Source) ToDB() ([]byte, error) {
 	return json.Marshal(source)
 }
--- a/services/auth/source/oauth2/source_sync.go
+++ b/services/auth/source/oauth2/source_sync.go
@ -1,114 +0,0 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package oauth2
-
-import (
-	"context"
-	"time"
-
-	"code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/models/db"
-	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/log"
-
-	"github.com/markbates/goth"
-	"golang.org/x/oauth2"
-)
-
-// Sync causes this OAuth2 source to synchronize its users with the db.
-func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
-	log.Trace("Doing: SyncExternalUsers[%s] %d", source.authSource.Name, source.authSource.ID)
-
-	if !updateExisting {
-		log.Info("SyncExternalUsers[%s] not running since updateExisting is false", source.authSource.Name)
-		return nil
-	}
-
-	provider, err := createProvider(source.authSource.Name, source)
-	if err != nil {
-		return err
-	}
-
-	if !provider.RefreshTokenAvailable() {
-		log.Trace("SyncExternalUsers[%s] provider doesn't support refresh tokens, can't synchronize", source.authSource.Name)
-		return nil
-	}
-
-	opts := user_model.FindExternalUserOptions{
-		HasRefreshToken: true,
-		Expired:         true,
-		LoginSourceID:   source.authSource.ID,
-	}
-
-	return user_model.IterateExternalLogin(ctx, opts, func(ctx context.Context, u *user_model.ExternalLoginUser) error {
-		return source.refresh(ctx, provider, u)
-	})
-}
-
-func (source *Source) refresh(ctx context.Context, provider goth.Provider, u *user_model.ExternalLoginUser) error {
-	log.Trace("Syncing login_source_id=%d external_id=%s expiration=%s", u.LoginSourceID, u.ExternalID, u.ExpiresAt)
-
-	shouldDisable := false
-
-	token, err := provider.RefreshToken(u.RefreshToken)
-	if err != nil {
-		if err, ok := err.(*oauth2.RetrieveError); ok && err.ErrorCode == "invalid_grant" {
-			// this signals that the token is not valid and the user should be disabled
-			shouldDisable = true
-		} else {
-			return err
-		}
-	}
-
-	user := &user_model.User{
-		LoginName:   u.ExternalID,
-		LoginType:   auth.OAuth2,
-		LoginSource: u.LoginSourceID,
-	}
-
-	hasUser, err := user_model.GetUser(ctx, user)
-	if err != nil {
-		return err
-	}
-
-	// If the grant is no longer valid, disable the user and
-	// delete local tokens. If the OAuth2 provider still
-	// recognizes them as a valid user, they will be able to login
-	// via their provider and reactivate their account.
-	if shouldDisable {
-		log.Info("SyncExternalUsers[%s] disabling user %d", source.authSource.Name, user.ID)
-
-		return db.WithTx(ctx, func(ctx context.Context) error {
-			if hasUser {
-				user.IsActive = false
-				err := user_model.UpdateUserCols(ctx, user, "is_active")
-				if err != nil {
-					return err
-				}
-			}
-
-			// Delete stored tokens, since they are invalid. This
-			// also provents us from checking this in subsequent runs.
-			u.AccessToken = ""
-			u.RefreshToken = ""
-			u.ExpiresAt = time.Time{}
-
-			return user_model.UpdateExternalUserByExternalID(ctx, u)
-		})
-	}
-
-	// Otherwise, update the tokens
-	u.AccessToken = token.AccessToken
-	u.ExpiresAt = token.Expiry
-
-	// Some providers only update access tokens provide a new
-	// refresh token, so avoid updating it if it's empty
-	if token.RefreshToken != "" {
-		u.RefreshToken = token.RefreshToken
-	}
-
-	err = user_model.UpdateExternalUserByExternalID(ctx, u)
-
-	return err
-}
--- a/services/auth/source/oauth2/source_sync_test.go
+++ b/services/auth/source/oauth2/source_sync_test.go
@ -1,101 +0,0 @@
-// Copyright 2024 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package oauth2
-
-import (
-	"context"
-	"testing"
-
-	"code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/models/unittest"
-	user_model "code.gitea.io/gitea/models/user"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestSource(t *testing.T) {
-	require.NoError(t, unittest.PrepareTestDatabase())
-
-	source := &Source{
-		Provider: "fake",
-		authSource: &auth.Source{
-			ID:            12,
-			Type:          auth.OAuth2,
-			Name:          "fake",
-			IsActive:      true,
-			IsSyncEnabled: true,
-		},
-	}
-
-	user := &user_model.User{
-		LoginName:   "external",
-		LoginType:   auth.OAuth2,
-		LoginSource: source.authSource.ID,
-		Name:        "test",
-		Email:       "external@example.com",
-	}
-
-	err := user_model.CreateUser(context.Background(), user, &user_model.CreateUserOverwriteOptions{})
-	require.NoError(t, err)
-
-	e := &user_model.ExternalLoginUser{
-		ExternalID:    "external",
-		UserID:        user.ID,
-		LoginSourceID: user.LoginSource,
-		RefreshToken:  "valid",
-	}
-	err = user_model.LinkExternalToUser(context.Background(), user, e)
-	require.NoError(t, err)
-
-	provider, err := createProvider(source.authSource.Name, source)
-	require.NoError(t, err)
-
-	t.Run("refresh", func(t *testing.T) {
-		t.Run("valid", func(t *testing.T) {
-			err := source.refresh(context.Background(), provider, e)
-			require.NoError(t, err)
-
-			e := &user_model.ExternalLoginUser{
-				ExternalID:    e.ExternalID,
-				LoginSourceID: e.LoginSourceID,
-			}
-
-			ok, err := user_model.GetExternalLogin(context.Background(), e)
-			require.NoError(t, err)
-			assert.True(t, ok)
-			assert.Equal(t, "refresh", e.RefreshToken)
-			assert.Equal(t, "token", e.AccessToken)
-
-			u, err := user_model.GetUserByID(context.Background(), user.ID)
-			require.NoError(t, err)
-			assert.True(t, u.IsActive)
-		})
-
-		t.Run("expired", func(t *testing.T) {
-			err := source.refresh(context.Background(), provider, &user_model.ExternalLoginUser{
-				ExternalID:    "external",
-				UserID:        user.ID,
-				LoginSourceID: user.LoginSource,
-				RefreshToken:  "expired",
-			})
-			require.NoError(t, err)
-
-			e := &user_model.ExternalLoginUser{
-				ExternalID:    e.ExternalID,
-				LoginSourceID: e.LoginSourceID,
-			}
-
-			ok, err := user_model.GetExternalLogin(context.Background(), e)
-			require.NoError(t, err)
-			assert.True(t, ok)
-			assert.Equal(t, "", e.RefreshToken)
-			assert.Equal(t, "", e.AccessToken)
-
-			u, err := user_model.GetUserByID(context.Background(), user.ID)
-			require.NoError(t, err)
-			assert.False(t, u.IsActive)
-		})
-	})
-}