✨ 支持cloudflare access OIDC认证 (#354)

2025-01-22 12:48:14 -05:00 · 2024-05-03 08:47:53 +08:00 · 2024-05-03 08:47:53 +08:00 · 25e7f8a912
commit 25e7f8a912
parent 5c7652f047
4 changed files with 55 additions and 5 deletions
--- a/cmd/dashboard/controller/guest_page.go
+++ b/cmd/dashboard/controller/guest_page.go
@ -49,6 +49,9 @@ func (gp *guestPage) login(c *gin.Context) {
 	} else if singleton.Conf.Oauth2.Type == model.ConfigTypeGitea {
 		LoginType = "Gitea"
 		RegistrationLink = fmt.Sprintf("%s/user/sign_up", singleton.Conf.Oauth2.Endpoint)
+	} else if singleton.Conf.Oauth2.Type == model.ConfigTypeCloudflare {
+		LoginType = "Cloudflare"
+		RegistrationLink = "https://dash.cloudflare.com/sign-up/teams"
 	}
 	c.HTML(http.StatusOK, "dashboard-"+singleton.Conf.Site.DashboardTheme+"/login", mygin.CommonEnvironment(c, gin.H{
 		"Title":            singleton.Localizer.MustLocalize(&i18n.LocalizeConfig{MessageID: "Login"}),
--- a/cmd/dashboard/controller/oauth2.go
+++ b/cmd/dashboard/controller/oauth2.go
@ -2,8 +2,10 @@ package controller

 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/naiba/nezha/pkg/oidc/cloudflare"
 	"net/http"
 	"net/url"
 	"strings"
@ -74,6 +76,17 @@ func (oa *oauth2controller) getCommonOauth2Config(c *gin.Context) *oauth2.Config
 			},
 			RedirectURL: oa.getRedirectURL(c),
 		}
+	} else if singleton.Conf.Oauth2.Type == model.ConfigTypeCloudflare {
+		return &oauth2.Config{
+			ClientID:     singleton.Conf.Oauth2.ClientID,
+			ClientSecret: singleton.Conf.Oauth2.ClientSecret,
+			Scopes:       []string{"openid", "email", "profile", "groups"},
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  fmt.Sprintf("%s/cdn-cgi/access/sso/oidc/%s/authorization", singleton.Conf.Oauth2.Endpoint, singleton.Conf.Oauth2.ClientID),
+				TokenURL: fmt.Sprintf("%s/cdn-cgi/access/sso/oidc/%s/token", singleton.Conf.Oauth2.Endpoint, singleton.Conf.Oauth2.ClientID),
+			},
+			RedirectURL: oa.getRedirectURL(c),
+		}
 	} else {
 		return &oauth2.Config{
 			ClientID:     singleton.Conf.Oauth2.ClientID,
@ -155,6 +168,17 @@ func (oa *oauth2controller) callback(c *gin.Context) {
 			if err == nil {
 				user = model.NewUserFromGitea(u)
 			}
+		} else if singleton.Conf.Oauth2.Type == model.ConfigTypeCloudflare {
+			client := oauth2Config.Client(context.Background(), otk)
+			resp, err := client.Get(fmt.Sprintf("%s/cdn-cgi/access/sso/oidc/%s/userinfo", singleton.Conf.Oauth2.Endpoint, singleton.Conf.Oauth2.ClientID))
+			if err == nil {
+				defer resp.Body.Close()
+				var cloudflareUserInfo *cloudflare.UserInfo
+				if err := json.NewDecoder(resp.Body).Decode(&cloudflareUserInfo); err == nil {
+					user = cloudflareUserInfo.MapToNezhaUser()
+				}
+			}
+
 		} else {
 			var client *GitHubAPI.Client
 			oc := oauth2Config.Client(ctx, otk)
--- a/model/config.go
+++ b/model/config.go
@ -37,6 +37,7 @@ const (
 	ConfigTypeGitlab     = "gitlab"
 	ConfigTypeJihulab    = "jihulab"
 	ConfigTypeGitea      = "gitea"
+	ConfigTypeCloudflare = "cloudflare"
 )

 const (
--- a/pkg/oidc/cloudflare/cloudflare.go
+++ b/pkg/oidc/cloudflare/cloudflare.go
@ -0,0 +1,22 @@
+package cloudflare
+
+import (
+	"github.com/naiba/nezha/model"
+	"github.com/naiba/nezha/service/singleton"
+)
+
+type UserInfo struct {
+	Sub    string   `json:"sub"`
+	Email  string   `json:"email"`
+	Name   string   `json:"name"`
+	Groups []string `json:"groups"`
+}
+
+func (u UserInfo) MapToNezhaUser() model.User {
+	var user model.User
+	singleton.DB.Where("login = ?", u.Sub).First(&user)
+	user.Login = u.Sub
+	user.Email = u.Email
+	user.Name = u.Name
+	return user
+}