Cleanup SyncOnLogin Handling

Jan Eitzinger 2023-08-17 14:02:04 +02:00
parent 15231bc683
commit 29552fadc3
5 changed files with 34 additions and 22 deletions


@ -22,7 +22,7 @@ import (
type Authenticator interface {
Init(config interface{}) error
CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) bool
CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) (*schema.User, bool)
Login(user *schema.User, rw http.ResponseWriter, r *http.Request) (*schema.User, error)
}
@ -148,7 +148,7 @@ func (auth *Authentication) Login(
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
err := errors.New("no authenticator applied")
username := r.FormValue("username")
dbUser := (*schema.User)(nil)
var dbUser *schema.User
if username != "" {
dbUser, err = repository.GetUserRepository().GetUser(username)
@ -158,11 +158,13 @@ func (auth *Authentication) Login(
}
for _, authenticator := range auth.authenticators {
if !authenticator.CanLogin(dbUser, username, rw, r) {
var ok bool
var user *schema.User
if user, ok = authenticator.CanLogin(dbUser, username, rw, r); !ok {
continue
}
user, err := authenticator.Login(dbUser, rw, r)
user, err = authenticator.Login(user, rw, r)
if err != nil {
log.Warnf("user login failed: %s", err.Error())
onfailure(rw, r, err)
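Review bot: The loop body at `var ok bool` / `var user *schema.User` / `if user, ok = authenticator.CanLogin(dbUser, username, rw, r); !ok {` declares two variables only to assign them in the if initializer; the idiomatic form is `user, ok := authenticator.CanLogin(dbUser, username, rw, r)` followed by `if !ok { continue }`, which keeps `user` in loop scope for the later `user, err = authenticator.Login(user, rw, r)`. The interface change in the first hunk also leaves the new `*schema.User` result undocumented, and the implementations in this commit disagree on what it holds when the bool is false (nil in the cookie authenticator, the input user in the JWT session and local ones, both in the LDAP one); a doc comment on `CanLogin` stating that the returned user is the one handed to `Login` and is only meaningful when the bool is true would pin that contract. The Login handler continues outside the hunk.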


@ -11,6 +11,7 @@ import (
"net/http"
"os"
"github.com/ClusterCockpit/cc-backend/internal/repository"
"github.com/ClusterCockpit/cc-backend/pkg/log"
"github.com/ClusterCockpit/cc-backend/pkg/schema"
"github.com/golang-jwt/jwt/v4"
@ -88,7 +89,7 @@ func (ja *JWTCookieSessionAuthenticator) CanLogin(
user *schema.User,
username string,
rw http.ResponseWriter,
r *http.Request) bool {
r *http.Request) (*schema.User, bool) {
cookieName := ""
if ja.config != nil && ja.config.CookieName != "" {
@ -100,11 +101,11 @@ func (ja *JWTCookieSessionAuthenticator) CanLogin(
jwtCookie, err := r.Cookie(cookieName)
if err == nil && jwtCookie.Value != "" {
return true
return user, true
}
}
return false
return nil, false
}
func (ja *JWTCookieSessionAuthenticator) Login(
@ -194,6 +195,12 @@ func (ja *JWTCookieSessionAuthenticator) Login(
AuthType: schema.AuthSession,
AuthSource: schema.AuthViaToken,
}
if ja.config.SyncUserOnLogin {
if err := repository.GetUserRepository().AddUser(user); err != nil {
log.Errorf("Error while adding user '%s' to DB", user.Username)
}
}
}
return user, nil
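Review bot: `if ja.config.SyncUserOnLogin {` reads `ja.config` without a nil check, while `CanLogin` in the same file guards the same pointer with `ja.config != nil` before reading `CookieName`, so a nil config that CanLogin tolerates would panic here in Login. The same unguarded read is added to `JWTSessionAuthenticator.Login` in the next file. Use `if ja.config != nil && ja.config.SyncUserOnLogin {` in both places. The `AddUser` failure is logged without the error value and the login still succeeds via `return user, nil`; if proceeding without a persisted user is intended, a comment saying so would help, and the message could carry the cause: `log.Errorf("Error while adding user '%s' to DB: %s", user.Username, err.Error())`. The enclosing Login body starts outside the hunk.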


@ -44,9 +44,9 @@ func (ja *JWTSessionAuthenticator) CanLogin(
user *schema.User,
username string,
rw http.ResponseWriter,
r *http.Request) bool {
r *http.Request) (*schema.User, bool) {
return r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
return user, r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
}
func (ja *JWTSessionAuthenticator) Login(
@ -130,10 +130,12 @@ func (ja *JWTSessionAuthenticator) Login(
AuthSource: schema.AuthViaToken,
}
if ja.config.SyncUserOnLogin {
if err := repository.GetUserRepository().AddUser(user); err != nil {
log.Errorf("Error while adding user '%s' to DB", user.Username)
}
}
}
return user, nil
}
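Review bot: `return user, r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""` hands back the caller's user even when the bool is false, whereas `JWTCookieSessionAuthenticator.CanLogin` returns `nil, false` on its failure path; `LocalAuthenticator.CanLogin` in the last file has the same shape as this one. Splitting it as `ok := r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""` / `if !ok { return nil, false }` / `return user, true` makes the failure result uniform across authenticators and keeps any caller that ignores the bool from picking up a user that this authenticator never checked. CanLogin's signature starts before the hunk, and the Login hunk below begins inside a function whose start is outside the hunk.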


@ -67,33 +67,34 @@ func (la *LdapAuthenticator) CanLogin(
user *schema.User,
username string,
rw http.ResponseWriter,
r *http.Request) bool {
r *http.Request) (*schema.User, bool) {
if user != nil && user.AuthSource == schema.AuthViaLDAP {
return true
return user, true
} else {
if la.config != nil && la.config.SyncUserOnLogin {
l, err := la.getLdapConnection(true)
if err != nil {
log.Error("LDAP connection error")
}
defer l.Close()
// Search for the given username
searchRequest := ldap.NewSearchRequest(
la.config.UserBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(%s(uid=%s))", la.config.UserFilter, username),
fmt.Sprintf("(&%s(uid=%s))", la.config.UserFilter, username),
[]string{"dn", "uid", "gecos"}, nil)
sr, err := l.Search(searchRequest)
if err != nil {
log.Warn(err)
return false
return user, false
}
if len(sr.Entries) != 1 {
log.Warn("User does not exist or too many entries returned")
return false
return user, false
}
entry := sr.Entries[0]
@ -113,7 +114,7 @@ func (la *LdapAuthenticator) CanLogin(
if err := repository.GetUserRepository().AddUser(user); err != nil {
log.Errorf("User '%s' LDAP: Insert into DB failed", username)
return false
return nil, false
}
// if _, err := la.auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
@ -122,11 +123,11 @@ func (la *LdapAuthenticator) CanLogin(
// return false
// }
return true
return user, true
}
}
return false
return nil, false
}
func (la *LdapAuthenticator) Login(
@ -176,7 +177,7 @@ func (la *LdapAuthenticator) Sync() error {
ldapResults, err := l.Search(ldap.NewSearchRequest(
la.config.UserBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(%s(uid=%s))", la.config.UserFilter, "*"),
la.config.UserFilter,
[]string{"dn", "uid", "gecos"}, nil))
if err != nil {
log.Warn("LDAP search error")
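Review bot: `fmt.Sprintf("(&%s(uid=%s))", la.config.UserFilter, username)` in CanLogin interpolates the username taken from the login form straight into the LDAP filter; go-ldap provides `ldap.EscapeFilter`, so `fmt.Sprintf("(&%s(uid=%s))", la.config.UserFilter, ldap.EscapeFilter(username))` keeps filter metacharacters in a submitted username from altering the query the sync path runs. A few lines above it, a failing `la.getLdapConnection(true)` only logs `"LDAP connection error"` and falls through to `defer l.Close()` and `l.Search(searchRequest)`, which appear to dereference a connection that may be nil on that path; a `return nil, false` after the log line is needed. The Sync hunk's switch to `la.config.UserFilter` as the whole filter matches the `(&%s(uid=%s))` form used in CanLogin, but it now appears to assume UserFilter is itself a complete parenthesised filter, which is worth stating where that config field is documented. Both CanLogin and Sync start outside their hunks.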


@ -29,9 +29,9 @@ func (la *LocalAuthenticator) CanLogin(
user *schema.User,
username string,
rw http.ResponseWriter,
r *http.Request) bool {
r *http.Request) (*schema.User, bool) {
return user != nil && user.AuthSource == schema.AuthViaLocalPassword
return user, user != nil && user.AuthSource == schema.AuthViaLocalPassword
}
func (la *LocalAuthenticator) Login(