Map OIDC groups to Orgs/Teams (#21441)

Fixes #19555 Test-Instructions: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 This PR implements the mapping of user groups provided by OIDC providers to orgs teams in Gitea. The main part is a refactoring of the existing LDAP code to make it usable from different providers. Refactorings: - Moved the router auth code from module to service because of import cycles - Changed some model methods to take a `Context` parameter - Moved the mapping code from LDAP to a common location I've tested it with Keycloak but other providers should work too. The JSON mapping format is the same as for LDAP. ![grafik](https://user-images.githubusercontent.com/1666336/195634392-3fc540fc-b229-4649-99ac-91ae8e19df2d.png) --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2025-11-04 16:40:24 +08:00 · 2023-02-08 07:44:42 +01:00
parent 2c6cc0b8c9
commit e8186f1c0f
34 changed files with 504 additions and 427 deletions
--- a/modules/validation/binding.go
+++ b/modules/validation/binding.go
@@ -8,6 +8,7 @@ import (
 	"regexp"
 	"strings"

+	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/git"

 	"gitea.com/go-chi/binding"
@@ -17,15 +18,14 @@ import (
 const (
 	// ErrGitRefName is git reference name error
 	ErrGitRefName = "GitRefNameError"
-
 	// ErrGlobPattern is returned when glob pattern is invalid
 	ErrGlobPattern = "GlobPattern"
-
 	// ErrRegexPattern is returned when a regex pattern is invalid
 	ErrRegexPattern = "RegexPattern"
-
 	// ErrUsername is username error
 	ErrUsername = "UsernameError"
+	// ErrInvalidGroupTeamMap is returned when a group team mapping is invalid
+	ErrInvalidGroupTeamMap = "InvalidGroupTeamMap"
 )

 // AddBindingRules adds additional binding rules
@@ -37,6 +37,7 @@ func AddBindingRules() {
 	addRegexPatternRule()
 	addGlobOrRegexPatternRule()
 	addUsernamePatternRule()
+	addValidGroupTeamMapRule()
 }

 func addGitRefNameBindingRule() {
@@ -167,6 +168,23 @@ func addUsernamePatternRule() {
 	})
 }

+func addValidGroupTeamMapRule() {
+	binding.AddRule(&binding.Rule{
+		IsMatch: func(rule string) bool {
+			return strings.HasPrefix(rule, "ValidGroupTeamMap")
+		},
+		IsValid: func(errs binding.Errors, name string, val interface{}) (bool, binding.Errors) {
+			_, err := auth.UnmarshalGroupTeamMapping(fmt.Sprintf("%v", val))
+			if err != nil {
+				errs.Add([]string{name}, ErrInvalidGroupTeamMap, err.Error())
+				return false, errs
+			}
+
+			return true, errs
+		},
+	})
+}
+
 func portOnly(hostport string) string {
 	colon := strings.IndexByte(hostport, ':')
 	if colon == -1 {