2022-07-29 06:29:21 +02:00
|
|
|
// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
|
|
|
|
|
// All rights reserved.
|
|
|
|
|
// Use of this source code is governed by a MIT-style
|
|
|
|
|
// license that can be found in the LICENSE file.
|
2022-07-07 14:08:37 +02:00
|
|
|
package auth
|
2022-07-07 13:40:38 +02:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"database/sql"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
|
|
"github.com/ClusterCockpit/cc-backend/internal/graph/model"
|
|
|
|
|
"github.com/ClusterCockpit/cc-backend/pkg/log"
|
|
|
|
|
sq "github.com/Masterminds/squirrel"
|
|
|
|
|
"github.com/jmoiron/sqlx"
|
2022-07-26 11:00:41 +02:00
|
|
|
"golang.org/x/crypto/bcrypt"
|
2022-07-07 13:40:38 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func (auth *Authentication) GetUser(username string) (*User, error) {
|
2022-09-07 12:24:45 +02:00
|
|
|
|
2022-07-07 13:40:38 +02:00
|
|
|
user := &User{Username: username}
|
2023-02-17 15:45:31 +01:00
|
|
|
var hashedPassword, name, rawRoles, email, rawProjects sql.NullString
|
|
|
|
|
if err := sq.Select("password", "ldap", "name", "roles", "email", "projects").From("user").
|
2022-07-07 13:40:38 +02:00
|
|
|
Where("user.username = ?", username).RunWith(auth.db).
|
2023-02-17 15:45:31 +01:00
|
|
|
QueryRow().Scan(&hashedPassword, &user.AuthSource, &name, &rawRoles, &email, &rawProjects); err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warnf("Error while querying user '%v' from database", username)
|
2022-07-07 13:40:38 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user.Password = hashedPassword.String
|
|
|
|
|
user.Name = name.String
|
|
|
|
|
user.Email = email.String
|
|
|
|
|
if rawRoles.Valid {
|
|
|
|
|
if err := json.Unmarshal([]byte(rawRoles.String), &user.Roles); err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warn("Error while unmarshaling raw roles from DB")
|
2022-07-07 13:40:38 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-02-17 15:45:31 +01:00
|
|
|
if rawProjects.Valid {
|
|
|
|
|
if err := json.Unmarshal([]byte(rawProjects.String), &user.Projects); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-07-07 13:40:38 +02:00
|
|
|
|
|
|
|
|
return user, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (auth *Authentication) AddUser(user *User) error {
|
2022-09-07 12:24:45 +02:00
|
|
|
|
2022-07-07 13:40:38 +02:00
|
|
|
rolesJson, _ := json.Marshal(user.Roles)
|
2023-02-17 15:45:31 +01:00
|
|
|
projectsJson, _ := json.Marshal(user.Projects)
|
|
|
|
|
|
|
|
|
|
cols := []string{"username", "roles", "projects"}
|
|
|
|
|
vals := []interface{}{user.Username, string(rolesJson), string(projectsJson)}
|
2022-07-26 11:00:41 +02:00
|
|
|
|
2022-07-07 13:40:38 +02:00
|
|
|
if user.Name != "" {
|
|
|
|
|
cols = append(cols, "name")
|
|
|
|
|
vals = append(vals, user.Name)
|
|
|
|
|
}
|
|
|
|
|
if user.Email != "" {
|
|
|
|
|
cols = append(cols, "email")
|
|
|
|
|
vals = append(vals, user.Email)
|
|
|
|
|
}
|
2022-07-26 13:50:54 +02:00
|
|
|
if user.Password != "" {
|
|
|
|
|
password, err := bcrypt.GenerateFromPassword([]byte(user.Password), bcrypt.DefaultCost)
|
|
|
|
|
if err != nil {
|
2023-01-31 18:28:44 +01:00
|
|
|
log.Error("Error while encrypting new user password")
|
2022-07-26 13:50:54 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
cols = append(cols, "password")
|
|
|
|
|
vals = append(vals, string(password))
|
|
|
|
|
}
|
2022-07-07 13:40:38 +02:00
|
|
|
|
|
|
|
|
if _, err := sq.Insert("user").Columns(cols...).Values(vals...).RunWith(auth.db).Exec(); err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Errorf("Error while inserting new user '%v' into DB", user.Username)
|
2022-07-07 13:40:38 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-17 15:45:31 +01:00
|
|
|
log.Infof("new user %#v created (roles: %s, auth-source: %d, projects: %s)", user.Username, rolesJson, user.AuthSource, projectsJson)
|
2022-07-07 13:40:38 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (auth *Authentication) DelUser(username string) error {
|
2022-09-07 12:24:45 +02:00
|
|
|
|
2022-07-07 13:40:38 +02:00
|
|
|
_, err := auth.db.Exec(`DELETE FROM user WHERE user.username = ?`, username)
|
2023-01-31 18:28:44 +01:00
|
|
|
log.Errorf("Error while deleting user '%s' from DB", username)
|
2022-07-07 13:40:38 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (auth *Authentication) ListUsers(specialsOnly bool) ([]*User, error) {
|
2022-09-07 12:24:45 +02:00
|
|
|
|
2023-02-17 15:45:31 +01:00
|
|
|
q := sq.Select("username", "name", "email", "roles", "projects").From("user")
|
2022-07-07 13:40:38 +02:00
|
|
|
if specialsOnly {
|
|
|
|
|
q = q.Where("(roles != '[\"user\"]' AND roles != '[]')")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rows, err := q.RunWith(auth.db).Query()
|
|
|
|
|
if err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warn("Error while querying user list")
|
2022-07-07 13:40:38 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
users := make([]*User, 0)
|
|
|
|
|
defer rows.Close()
|
|
|
|
|
for rows.Next() {
|
|
|
|
|
rawroles := ""
|
2023-02-17 15:45:31 +01:00
|
|
|
rawprojects := ""
|
2022-07-07 13:40:38 +02:00
|
|
|
user := &User{}
|
2023-02-17 15:45:31 +01:00
|
|
|
var name, email sql.NullString
|
|
|
|
|
if err := rows.Scan(&user.Username, &name, &email, &rawroles, &rawprojects); err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warn("Error while scanning user list")
|
2022-07-07 13:40:38 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := json.Unmarshal([]byte(rawroles), &user.Roles); err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warn("Error while unmarshaling raw role list")
|
2022-07-07 13:40:38 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-17 15:45:31 +01:00
|
|
|
if err := json.Unmarshal([]byte(rawprojects), &user.Projects); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-07 13:40:38 +02:00
|
|
|
user.Name = name.String
|
|
|
|
|
user.Email = email.String
|
|
|
|
|
users = append(users, user)
|
|
|
|
|
}
|
|
|
|
|
return users, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-07 12:24:45 +02:00
|
|
|
func (auth *Authentication) AddRole(
|
|
|
|
|
ctx context.Context,
|
|
|
|
|
username string,
|
|
|
|
|
role string) error {
|
|
|
|
|
|
2022-07-07 13:40:38 +02:00
|
|
|
user, err := auth.GetUser(username)
|
|
|
|
|
if err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warnf("Could not load user '%s'", username)
|
2022-07-07 13:40:38 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-25 16:59:16 +01:00
|
|
|
if !IsValidRole(role) {
|
2023-02-01 11:58:27 +01:00
|
|
|
return fmt.Errorf("Invalid user role: %v", role)
|
2022-07-07 13:40:38 +02:00
|
|
|
}
|
|
|
|
|
|
2023-01-25 16:59:16 +01:00
|
|
|
if user.HasRole(role) {
|
|
|
|
|
return fmt.Errorf("user %#v already has role %#v", username, role)
|
2022-07-07 13:40:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
roles, _ := json.Marshal(append(user.Roles, role))
|
|
|
|
|
if _, err := sq.Update("user").Set("roles", roles).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
|
2023-01-31 18:28:44 +01:00
|
|
|
log.Errorf("Error while adding new role for user '%s'", user.Username)
|
2022-07-07 13:40:38 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-26 15:15:36 +02:00
|
|
|
func (auth *Authentication) RemoveRole(ctx context.Context, username string, role string) error {
|
|
|
|
|
user, err := auth.GetUser(username)
|
|
|
|
|
if err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warnf("Could not load user '%s'", username)
|
2022-08-26 15:15:36 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-25 16:59:16 +01:00
|
|
|
if !IsValidRole(role) {
|
2023-02-21 17:17:41 +01:00
|
|
|
return fmt.Errorf("Invalid user role: %#v", role)
|
2022-08-26 15:15:36 +02:00
|
|
|
}
|
|
|
|
|
|
2023-02-17 15:45:31 +01:00
|
|
|
if role == RoleManager && len(user.Projects) != 0 {
|
|
|
|
|
return fmt.Errorf("Cannot remove role 'manager' while user %s still has an assigned project(s) : %v", username, user.Projects)
|
2023-01-27 18:36:58 +01:00
|
|
|
}
|
|
|
|
|
|
2022-08-26 15:15:36 +02:00
|
|
|
var exists bool
|
|
|
|
|
var newroles []string
|
|
|
|
|
for _, r := range user.Roles {
|
|
|
|
|
if r != role {
|
2023-02-17 15:45:31 +01:00
|
|
|
newroles = append(newroles, r) // Append all roles not matching requested to be deleted role
|
2022-08-26 15:15:36 +02:00
|
|
|
} else {
|
|
|
|
|
exists = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-17 15:45:31 +01:00
|
|
|
if exists == true {
|
2022-08-26 15:15:36 +02:00
|
|
|
var mroles, _ = json.Marshal(newroles)
|
|
|
|
|
if _, err := sq.Update("user").Set("roles", mroles).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
|
2023-01-31 18:28:44 +01:00
|
|
|
log.Errorf("Error while removing role for user '%s'", user.Username)
|
2022-08-26 15:15:36 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
} else {
|
2023-02-01 11:58:27 +01:00
|
|
|
return fmt.Errorf("User '%v' already does not have role: %v", username, role)
|
2022-08-26 15:15:36 +02:00
|
|
|
}
|
|
|
|
|
}
|
2022-09-07 12:24:45 +02:00
|
|
|
|
2023-01-27 18:36:58 +01:00
|
|
|
func (auth *Authentication) AddProject(
|
|
|
|
|
ctx context.Context,
|
|
|
|
|
username string,
|
|
|
|
|
project string) error {
|
|
|
|
|
|
|
|
|
|
user, err := auth.GetUser(username)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !user.HasRole(RoleManager) {
|
2023-02-17 15:45:31 +01:00
|
|
|
return fmt.Errorf("user '%s' is not a manager!", username)
|
2023-01-27 18:36:58 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if user.HasProject(project) {
|
2023-02-17 15:45:31 +01:00
|
|
|
return fmt.Errorf("user '%s' already manages project '%s'", username, project)
|
2023-01-27 18:36:58 +01:00
|
|
|
}
|
|
|
|
|
|
2023-02-17 15:45:31 +01:00
|
|
|
projects, _ := json.Marshal(append(user.Projects, project))
|
|
|
|
|
if _, err := sq.Update("user").Set("projects", projects).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
|
2023-01-27 18:36:58 +01:00
|
|
|
return err
|
|
|
|
|
}
|
2023-02-17 15:45:31 +01:00
|
|
|
|
2023-01-27 18:36:58 +01:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (auth *Authentication) RemoveProject(ctx context.Context, username string, project string) error {
|
|
|
|
|
user, err := auth.GetUser(username)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !user.HasRole(RoleManager) {
|
|
|
|
|
return fmt.Errorf("user '%#v' is not a manager!", username)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !user.HasProject(project) {
|
|
|
|
|
return fmt.Errorf("user '%#v': Cannot remove project '%#v' - Does not match!", username, project)
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-17 15:45:31 +01:00
|
|
|
var exists bool
|
|
|
|
|
var newprojects []string
|
|
|
|
|
for _, p := range user.Projects {
|
|
|
|
|
if p != project {
|
|
|
|
|
newprojects = append(newprojects, p) // Append all projects not matching requested to be deleted project
|
|
|
|
|
} else {
|
|
|
|
|
exists = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if exists == true {
|
|
|
|
|
var result interface{}
|
|
|
|
|
if len(newprojects) == 0 {
|
|
|
|
|
result = "[]"
|
|
|
|
|
} else {
|
|
|
|
|
result, _ = json.Marshal(newprojects)
|
|
|
|
|
}
|
|
|
|
|
if _, err := sq.Update("user").Set("projects", result).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
} else {
|
|
|
|
|
return fmt.Errorf("user %s already does not manage project %s", username, project)
|
2023-01-27 18:36:58 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-07 13:40:38 +02:00
|
|
|
func FetchUser(ctx context.Context, db *sqlx.DB, username string) (*model.User, error) {
|
|
|
|
|
me := GetUser(ctx)
|
2023-01-27 18:36:58 +01:00
|
|
|
if me != nil && me.Username != username && me.HasNotRoles([]string{RoleAdmin, RoleSupport, RoleManager}) {
|
2022-07-07 13:40:38 +02:00
|
|
|
return nil, errors.New("forbidden")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user := &model.User{Username: username}
|
|
|
|
|
var name, email sql.NullString
|
|
|
|
|
if err := sq.Select("name", "email").From("user").Where("user.username = ?", username).
|
|
|
|
|
RunWith(db).QueryRow().Scan(&name, &email); err != nil {
|
|
|
|
|
if err == sql.ErrNoRows {
|
2023-02-01 11:58:27 +01:00
|
|
|
/* This warning will be logged *often* for non-local users, i.e. users mentioned only in job-table or archive, */
|
|
|
|
|
/* since FetchUser will be called to retrieve full name and mail for every job in query/list */
|
|
|
|
|
// log.Warnf("User '%s' Not found in DB", username)
|
2022-07-07 13:40:38 +02:00
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warnf("Error while fetching user '%s'", username)
|
2022-07-07 13:40:38 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user.Name = name.String
|
|
|
|
|
user.Email = email.String
|
|
|
|
|
return user, nil
|
|
|
|
|
}
|
