mirror of
https://github.com/ClusterCockpit/cc-backend
synced 2024-12-24 12:29:05 +01:00
Cleanup SyncOnLogin Handling
This commit is contained in:
parent
15231bc683
commit
29552fadc3
@ -22,7 +22,7 @@ import (
|
|||||||
|
|
||||||
type Authenticator interface {
|
type Authenticator interface {
|
||||||
Init(config interface{}) error
|
Init(config interface{}) error
|
||||||
CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) bool
|
CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) (*schema.User, bool)
|
||||||
Login(user *schema.User, rw http.ResponseWriter, r *http.Request) (*schema.User, error)
|
Login(user *schema.User, rw http.ResponseWriter, r *http.Request) (*schema.User, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -148,7 +148,7 @@ func (auth *Authentication) Login(
|
|||||||
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||||
err := errors.New("no authenticator applied")
|
err := errors.New("no authenticator applied")
|
||||||
username := r.FormValue("username")
|
username := r.FormValue("username")
|
||||||
dbUser := (*schema.User)(nil)
|
var dbUser *schema.User
|
||||||
|
|
||||||
if username != "" {
|
if username != "" {
|
||||||
dbUser, err = repository.GetUserRepository().GetUser(username)
|
dbUser, err = repository.GetUserRepository().GetUser(username)
|
||||||
@ -158,11 +158,13 @@ func (auth *Authentication) Login(
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, authenticator := range auth.authenticators {
|
for _, authenticator := range auth.authenticators {
|
||||||
if !authenticator.CanLogin(dbUser, username, rw, r) {
|
var ok bool
|
||||||
|
var user *schema.User
|
||||||
|
if user, ok = authenticator.CanLogin(dbUser, username, rw, r); !ok {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
user, err := authenticator.Login(dbUser, rw, r)
|
user, err = authenticator.Login(user, rw, r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Warnf("user login failed: %s", err.Error())
|
log.Warnf("user login failed: %s", err.Error())
|
||||||
onfailure(rw, r, err)
|
onfailure(rw, r, err)
|
||||||
|
@ -11,6 +11,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
|
|
||||||
|
"github.com/ClusterCockpit/cc-backend/internal/repository"
|
||||||
"github.com/ClusterCockpit/cc-backend/pkg/log"
|
"github.com/ClusterCockpit/cc-backend/pkg/log"
|
||||||
"github.com/ClusterCockpit/cc-backend/pkg/schema"
|
"github.com/ClusterCockpit/cc-backend/pkg/schema"
|
||||||
"github.com/golang-jwt/jwt/v4"
|
"github.com/golang-jwt/jwt/v4"
|
||||||
@ -88,7 +89,7 @@ func (ja *JWTCookieSessionAuthenticator) CanLogin(
|
|||||||
user *schema.User,
|
user *schema.User,
|
||||||
username string,
|
username string,
|
||||||
rw http.ResponseWriter,
|
rw http.ResponseWriter,
|
||||||
r *http.Request) bool {
|
r *http.Request) (*schema.User, bool) {
|
||||||
|
|
||||||
cookieName := ""
|
cookieName := ""
|
||||||
if ja.config != nil && ja.config.CookieName != "" {
|
if ja.config != nil && ja.config.CookieName != "" {
|
||||||
@ -100,11 +101,11 @@ func (ja *JWTCookieSessionAuthenticator) CanLogin(
|
|||||||
jwtCookie, err := r.Cookie(cookieName)
|
jwtCookie, err := r.Cookie(cookieName)
|
||||||
|
|
||||||
if err == nil && jwtCookie.Value != "" {
|
if err == nil && jwtCookie.Value != "" {
|
||||||
return true
|
return user, true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return false
|
return nil, false
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ja *JWTCookieSessionAuthenticator) Login(
|
func (ja *JWTCookieSessionAuthenticator) Login(
|
||||||
@ -194,6 +195,12 @@ func (ja *JWTCookieSessionAuthenticator) Login(
|
|||||||
AuthType: schema.AuthSession,
|
AuthType: schema.AuthSession,
|
||||||
AuthSource: schema.AuthViaToken,
|
AuthSource: schema.AuthViaToken,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ja.config.SyncUserOnLogin {
|
||||||
|
if err := repository.GetUserRepository().AddUser(user); err != nil {
|
||||||
|
log.Errorf("Error while adding user '%s' to DB", user.Username)
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return user, nil
|
return user, nil
|
||||||
|
@ -44,9 +44,9 @@ func (ja *JWTSessionAuthenticator) CanLogin(
|
|||||||
user *schema.User,
|
user *schema.User,
|
||||||
username string,
|
username string,
|
||||||
rw http.ResponseWriter,
|
rw http.ResponseWriter,
|
||||||
r *http.Request) bool {
|
r *http.Request) (*schema.User, bool) {
|
||||||
|
|
||||||
return r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
|
return user, r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ja *JWTSessionAuthenticator) Login(
|
func (ja *JWTSessionAuthenticator) Login(
|
||||||
@ -130,8 +130,10 @@ func (ja *JWTSessionAuthenticator) Login(
|
|||||||
AuthSource: schema.AuthViaToken,
|
AuthSource: schema.AuthViaToken,
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := repository.GetUserRepository().AddUser(user); err != nil {
|
if ja.config.SyncUserOnLogin {
|
||||||
log.Errorf("Error while adding user '%s' to DB", user.Username)
|
if err := repository.GetUserRepository().AddUser(user); err != nil {
|
||||||
|
log.Errorf("Error while adding user '%s' to DB", user.Username)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -67,33 +67,34 @@ func (la *LdapAuthenticator) CanLogin(
|
|||||||
user *schema.User,
|
user *schema.User,
|
||||||
username string,
|
username string,
|
||||||
rw http.ResponseWriter,
|
rw http.ResponseWriter,
|
||||||
r *http.Request) bool {
|
r *http.Request) (*schema.User, bool) {
|
||||||
|
|
||||||
if user != nil && user.AuthSource == schema.AuthViaLDAP {
|
if user != nil && user.AuthSource == schema.AuthViaLDAP {
|
||||||
return true
|
return user, true
|
||||||
} else {
|
} else {
|
||||||
if la.config != nil && la.config.SyncUserOnLogin {
|
if la.config != nil && la.config.SyncUserOnLogin {
|
||||||
l, err := la.getLdapConnection(true)
|
l, err := la.getLdapConnection(true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("LDAP connection error")
|
log.Error("LDAP connection error")
|
||||||
}
|
}
|
||||||
|
defer l.Close()
|
||||||
|
|
||||||
// Search for the given username
|
// Search for the given username
|
||||||
searchRequest := ldap.NewSearchRequest(
|
searchRequest := ldap.NewSearchRequest(
|
||||||
la.config.UserBase,
|
la.config.UserBase,
|
||||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||||
fmt.Sprintf("(%s(uid=%s))", la.config.UserFilter, username),
|
fmt.Sprintf("(&%s(uid=%s))", la.config.UserFilter, username),
|
||||||
[]string{"dn", "uid", "gecos"}, nil)
|
[]string{"dn", "uid", "gecos"}, nil)
|
||||||
|
|
||||||
sr, err := l.Search(searchRequest)
|
sr, err := l.Search(searchRequest)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Warn(err)
|
log.Warn(err)
|
||||||
return false
|
return user, false
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(sr.Entries) != 1 {
|
if len(sr.Entries) != 1 {
|
||||||
log.Warn("User does not exist or too many entries returned")
|
log.Warn("User does not exist or too many entries returned")
|
||||||
return false
|
return user, false
|
||||||
}
|
}
|
||||||
|
|
||||||
entry := sr.Entries[0]
|
entry := sr.Entries[0]
|
||||||
@ -113,7 +114,7 @@ func (la *LdapAuthenticator) CanLogin(
|
|||||||
|
|
||||||
if err := repository.GetUserRepository().AddUser(user); err != nil {
|
if err := repository.GetUserRepository().AddUser(user); err != nil {
|
||||||
log.Errorf("User '%s' LDAP: Insert into DB failed", username)
|
log.Errorf("User '%s' LDAP: Insert into DB failed", username)
|
||||||
return false
|
return nil, false
|
||||||
}
|
}
|
||||||
|
|
||||||
// if _, err := la.auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
|
// if _, err := la.auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
|
||||||
@ -122,11 +123,11 @@ func (la *LdapAuthenticator) CanLogin(
|
|||||||
// return false
|
// return false
|
||||||
// }
|
// }
|
||||||
|
|
||||||
return true
|
return user, true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return false
|
return nil, false
|
||||||
}
|
}
|
||||||
|
|
||||||
func (la *LdapAuthenticator) Login(
|
func (la *LdapAuthenticator) Login(
|
||||||
@ -176,7 +177,7 @@ func (la *LdapAuthenticator) Sync() error {
|
|||||||
ldapResults, err := l.Search(ldap.NewSearchRequest(
|
ldapResults, err := l.Search(ldap.NewSearchRequest(
|
||||||
la.config.UserBase,
|
la.config.UserBase,
|
||||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||||
fmt.Sprintf("(%s(uid=%s))", la.config.UserFilter, "*"),
|
la.config.UserFilter,
|
||||||
[]string{"dn", "uid", "gecos"}, nil))
|
[]string{"dn", "uid", "gecos"}, nil))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Warn("LDAP search error")
|
log.Warn("LDAP search error")
|
||||||
|
@ -29,9 +29,9 @@ func (la *LocalAuthenticator) CanLogin(
|
|||||||
user *schema.User,
|
user *schema.User,
|
||||||
username string,
|
username string,
|
||||||
rw http.ResponseWriter,
|
rw http.ResponseWriter,
|
||||||
r *http.Request) bool {
|
r *http.Request) (*schema.User, bool) {
|
||||||
|
|
||||||
return user != nil && user.AuthSource == schema.AuthViaLocalPassword
|
return user, user != nil && user.AuthSource == schema.AuthViaLocalPassword
|
||||||
}
|
}
|
||||||
|
|
||||||
func (la *LocalAuthenticator) Login(
|
func (la *LocalAuthenticator) Login(
|
||||||
|
Loading…
Reference in New Issue
Block a user