From 29552fadc3d15ec3136e207315b8a6d3cb65899d Mon Sep 17 00:00:00 2001
From: Jan Eitzinger
Date: Thu, 17 Aug 2023 14:02:04 +0200
Subject: [PATCH] Cleanup SyncOnLogin Handling
---
 internal/auth/auth.go | 10 ++++++----
 internal/auth/jwtCookieSession.go | 13 ++++++++++---
 internal/auth/jwtSession.go | 10 ++++++----
 internal/auth/ldap.go | 19 ++++++++++---------
 internal/auth/local.go | 4 ++--
 5 files changed, 34 insertions(+), 22 deletions(-)
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index cc2bcb4..8da45da 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -22,7 +22,7 @@ import (
 type Authenticator interface {
 Init(config interface{}) error
- CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) bool
+ CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) (*schema.User, bool)
 Login(user *schema.User, rw http.ResponseWriter, r *http.Request) (*schema.User, error)
 }
@@ -148,7 +148,7 @@ func (auth *Authentication) Login(
 return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 err := errors.New("no authenticator applied")
 username := r.FormValue("username")
- dbUser := (*schema.User)(nil)
+ var dbUser *schema.User
 if username != "" {
 dbUser, err = repository.GetUserRepository().GetUser(username)
@@ -158,11 +158,13 @@ func (auth *Authentication) Login(
 }
 for _, authenticator := range auth.authenticators {
- if !authenticator.CanLogin(dbUser, username, rw, r) {
+ var ok bool
+ var user *schema.User
+ if user, ok = authenticator.CanLogin(dbUser, username, rw, r); !ok {
 continue
 }
- user, err := authenticator.Login(dbUser, rw, r)
+ user, err = authenticator.Login(user, rw, r)
 if err != nil {
 log.Warnf("user login failed: %s", err.Error())
 onfailure(rw, r, err)
diff --git a/internal/auth/jwtCookieSession.go b/internal/auth/jwtCookieSession.go
index ad0b033..42ebcd2 100644
--- a/internal/auth/jwtCookieSession.go
+++ b/internal/auth/jwtCookieSession.go
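Review bot: The new return contract of `CanLogin` on the exported `Authenticator` interface is undocumented, and the signature alone does not convey that the returned `*schema.User` replaces the `user` argument as the value handed to `Login` (see the loop in the `@@ -158` hunk), that it may be a freshly synced record (ldap.go), or that it may be nil while the bool is true (the JWT authenticators return the passed-in `user` unchanged, and that is nil when no username was supplied). A doc comment on the method would pin this down, e.g. `// CanLogin reports whether this authenticator handles the request. The returned user (possibly newly synced, possibly nil) is what Login receives.`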
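Review bot: The two `var` declarations followed by an assignment inside the `if` initializer in the `@@ -158` hunk read awkwardly; `user, ok := authenticator.CanLogin(dbUser, username, rw, r)` followed by `if !ok { continue }` declares both in one step and keeps `user` in scope for the `Login` call below. Note also that `user, err = authenticator.Login(user, rw, r)` now writes the handler's outer `err` (the old `:=` shadowed it), so any code after the loop — outside this hunk — observes the last login error rather than the initial "no authenticator applied" value; that looks harmless if every branch returns after `onfailure`, but it is worth confirming. The enclosing handler starts before and ends after the hunk.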
@@ -11,6 +11,7 @@ import (
 "net/http"
 "os"
+ "github.com/ClusterCockpit/cc-backend/internal/repository"
 "github.com/ClusterCockpit/cc-backend/pkg/log"
 "github.com/ClusterCockpit/cc-backend/pkg/schema"
 "github.com/golang-jwt/jwt/v4"
@@ -88,7 +89,7 @@ func (ja *JWTCookieSessionAuthenticator) CanLogin(
 user *schema.User,
 username string,
 rw http.ResponseWriter,
- r *http.Request) bool {
+ r *http.Request) (*schema.User, bool) {
 cookieName := ""
 if ja.config != nil && ja.config.CookieName != "" {
@@ -100,11 +101,11 @@ func (ja *JWTCookieSessionAuthenticator) CanLogin(
 jwtCookie, err := r.Cookie(cookieName)
 if err == nil && jwtCookie.Value != "" {
- return true
+ return user, true
 }
 }
- return false
+ return nil, false
 }
 func (ja *JWTCookieSessionAuthenticator) Login(
@@ -194,6 +195,12 @@ func (ja *JWTCookieSessionAuthenticator) Login(
 AuthType: schema.AuthSession,
 AuthSource: schema.AuthViaToken,
 }
+
+ if ja.config.SyncUserOnLogin {
+ if err := repository.GetUserRepository().AddUser(user); err != nil {
+ log.Errorf("Error while adding user '%s' to DB", user.Username)
+ }
+ }
 }
 return user, nil
diff --git a/internal/auth/jwtSession.go b/internal/auth/jwtSession.go
index 5a29360..d9dce85 100644
--- a/internal/auth/jwtSession.go
+++ b/internal/auth/jwtSession.go
@@ -44,9 +44,9 @@ func (ja *JWTSessionAuthenticator) CanLogin(
 user *schema.User,
 username string,
 rw http.ResponseWriter,
- r *http.Request) bool {
+ r *http.Request) (*schema.User, bool) {
- return r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
+ return user, r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
 }
 func (ja *JWTSessionAuthenticator) Login(
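Review bot: `ja.config.SyncUserOnLogin` in the `@@ -194` hunk dereferences `ja.config` without the nil guard that `CanLogin` in the `@@ -88` hunk applies to the same field (`if ja.config != nil && ja.config.CookieName != ""`), so a nil config would panic here rather than simply skipping the sync; `if ja.config != nil && ja.config.SyncUserOnLogin {` keeps the two paths consistent. The added log line also drops the error it is reporting, and since `Login` goes on to `return user, nil` regardless, that log entry is the only trace that the user record was not persisted; `log.Errorf("Error while adding user '%s' to DB: %s", user.Username, err.Error())` keeps the cause. The same applies to the identical line in jwtSession.go's `@@ -130` hunk and to the `Insert into DB failed` message in ldap.go's `@@ -113` hunk. The enclosing `Login` starts before the hunk.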
@@ -130,8 +130,10 @@ func (ja *JWTSessionAuthenticator) Login(
 AuthSource: schema.AuthViaToken,
 }
- if err := repository.GetUserRepository().AddUser(user); err != nil {
- log.Errorf("Error while adding user '%s' to DB", user.Username)
+ if ja.config.SyncUserOnLogin {
+ if err := repository.GetUserRepository().AddUser(user); err != nil {
+ log.Errorf("Error while adding user '%s' to DB", user.Username)
+ }
 }
 }
diff --git a/internal/auth/ldap.go b/internal/auth/ldap.go
index c3bde4a..a20e415 100644
--- a/internal/auth/ldap.go
+++ b/internal/auth/ldap.go
@@ -67,33 +67,34 @@ func (la *LdapAuthenticator) CanLogin(
 user *schema.User,
 username string,
 rw http.ResponseWriter,
- r *http.Request) bool {
+ r *http.Request) (*schema.User, bool) {
 if user != nil && user.AuthSource == schema.AuthViaLDAP {
- return true
+ return user, true
 } else {
 if la.config != nil && la.config.SyncUserOnLogin {
 l, err := la.getLdapConnection(true)
 if err != nil {
 log.Error("LDAP connection error")
 }
+ defer l.Close()
 // Search for the given username
 searchRequest := ldap.NewSearchRequest(
 la.config.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
- fmt.Sprintf("(%s(uid=%s))", la.config.UserFilter, username),
+ fmt.Sprintf("(&%s(uid=%s))", la.config.UserFilter, username),
 []string{"dn", "uid", "gecos"}, nil)
 sr, err := l.Search(searchRequest)
 if err != nil {
 log.Warn(err)
- return false
+ return user, false
 }
 if len(sr.Entries) != 1 {
 log.Warn("User does not exist or too many entries returned")
- return false
+ return user, false
 }
 entry := sr.Entries[0]
@@ -113,7 +114,7 @@ func (la *LdapAuthenticator) CanLogin(
 if err := repository.GetUserRepository().AddUser(user); err != nil {
 log.Errorf("User '%s' LDAP: Insert into DB failed", username)
- return false
+ return nil, false
 }
 // if _, err := la.auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
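Review bot: The new `defer l.Close()` in the `@@ -67` hunk is reached even when `la.getLdapConnection(true)` returned an error, and execution then continues into `l.Search(searchRequest)`; the error branch only logs, so on a connection failure `l` is presumably nil and both calls would panic instead of the login being refused — the branch should end with `return nil, false` before the defer. On the same hunk, `username` comes straight from the login form and is interpolated unescaped into the search filter `fmt.Sprintf("(&%s(uid=%s))", la.config.UserFilter, username)`, so a value containing filter metacharacters can alter what the query matches; passing `ldap.EscapeFilter(username)` instead keeps the input literal. The two `return user, false` lines on search failure are also inconsistent with the `return nil, false` used on the other refusal paths; returning nil on every refusal is the clearer contract. `CanLogin` continues past the end of this hunk.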
@@ -122,11 +123,11 @@ func (la *LdapAuthenticator) CanLogin(
 // return false
 // }
- return true
+ return user, true
 }
 }
- return false
+ return nil, false
 }
 func (la *LdapAuthenticator) Login(
@@ -176,7 +177,7 @@ func (la *LdapAuthenticator) Sync() error {
 ldapResults, err := l.Search(ldap.NewSearchRequest(
 la.config.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
- fmt.Sprintf("(%s(uid=%s))", la.config.UserFilter, "*"),
+ la.config.UserFilter,
 []string{"dn", "uid", "gecos"}, nil))
 if err != nil {
 log.Warn("LDAP search error")
diff --git a/internal/auth/local.go b/internal/auth/local.go
index 0c6303a..dd6ec2c 100644
--- a/internal/auth/local.go
+++ b/internal/auth/local.go
@@ -29,9 +29,9 @@ func (la *LocalAuthenticator) CanLogin(
 user *schema.User,
 username string,
 rw http.ResponseWriter,
- r *http.Request) bool {
+ r *http.Request) (*schema.User, bool) {
- return user != nil && user.AuthSource == schema.AuthViaLocalPassword
+ return user, user != nil && user.AuthSource == schema.AuthViaLocalPassword
 }
 func (la *LocalAuthenticator) Login(
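Review bot: The `@@ -176` hunk makes `Sync` pass `la.config.UserFilter` as the complete search filter, while `CanLogin` in the same file still composes `(&%s(uid=%s))` around it, so the config value now has to be a self-contained, parenthesised filter to work in both places; a fragment that happened to work inside the old `(%s(uid=*))` wrapper would make this request invalid. That contract is not written down anywhere in the diff; a comment where `UserFilter` is declared (outside this diff), along the lines of `// UserFilter is a complete LDAP filter expression (constructed example: (objectClass=posixAccount)); CanLogin ANDs it with the uid match.`, would prevent a surprising config break. The `Sync` method starts before and ends after the hunk.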