fix: Fix buggy logic and simplify code if ValidateUser enabled
This commit is contained in:
parent
7a5ccff6da
commit
4b06fa788d
@ -6,6 +6,7 @@ package auth
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/ed25519"
|
"crypto/ed25519"
|
||||||
|
"database/sql"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
@ -166,16 +167,20 @@ func (ja *JWTCookieSessionAuthenticator) Login(
|
|||||||
}
|
}
|
||||||
|
|
||||||
var roles []string
|
var roles []string
|
||||||
|
projects := make([]string, 0)
|
||||||
|
|
||||||
if jc.ValidateUser {
|
if jc.ValidateUser {
|
||||||
|
var err error
|
||||||
|
user, err = repository.GetUserRepository().GetUser(sub)
|
||||||
|
if err != nil && err != sql.ErrNoRows {
|
||||||
|
log.Errorf("Error while loading user '%v'", sub)
|
||||||
|
}
|
||||||
|
|
||||||
// Deny any logins for unknown usernames
|
// Deny any logins for unknown usernames
|
||||||
if user == nil {
|
if user == nil {
|
||||||
log.Warn("Could not find user from JWT in internal database.")
|
log.Warn("Could not find user from JWT in internal database.")
|
||||||
return nil, errors.New("unknown user")
|
return nil, errors.New("unknown user")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Take user roles from database instead of trusting the JWT
|
|
||||||
roles = user.Roles
|
|
||||||
} else {
|
} else {
|
||||||
// Extract roles from JWT (if present)
|
// Extract roles from JWT (if present)
|
||||||
if rawroles, ok := claims["roles"].([]interface{}); ok {
|
if rawroles, ok := claims["roles"].([]interface{}); ok {
|
||||||
@ -185,20 +190,6 @@ func (ja *JWTCookieSessionAuthenticator) Login(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// (Ask browser to) Delete JWT cookie
|
|
||||||
deletedCookie := &http.Cookie{
|
|
||||||
Name: jc.CookieName,
|
|
||||||
Value: "",
|
|
||||||
Path: "/",
|
|
||||||
MaxAge: -1,
|
|
||||||
HttpOnly: true,
|
|
||||||
}
|
|
||||||
http.SetCookie(rw, deletedCookie)
|
|
||||||
|
|
||||||
if user == nil {
|
|
||||||
projects := make([]string, 0)
|
|
||||||
user = &schema.User{
|
user = &schema.User{
|
||||||
Username: sub,
|
Username: sub,
|
||||||
Name: name,
|
Name: name,
|
||||||
@ -215,5 +206,15 @@ func (ja *JWTCookieSessionAuthenticator) Login(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// (Ask browser to) Delete JWT cookie
|
||||||
|
deletedCookie := &http.Cookie{
|
||||||
|
Name: jc.CookieName,
|
||||||
|
Value: "",
|
||||||
|
Path: "/",
|
||||||
|
MaxAge: -1,
|
||||||
|
HttpOnly: true,
|
||||||
|
}
|
||||||
|
http.SetCookie(rw, deletedCookie)
|
||||||
|
|
||||||
return user, nil
|
return user, nil
|
||||||
}
|
}
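Review bot: In the new ValidateUser branch a database failure other than sql.ErrNoRows is only logged and then falls through to the `if user == nil` check, so a backend outage is reported to the client as "unknown user" and logged as "Could not find user", and the `log.Errorf` call never includes the error value itself. Rejecting the login this way also relies on GetUser returning a nil user together with its error, which the hunk does not show. I would fail explicitly inside that block: `log.Errorf("Error while loading user '%v': %v", sub, err)` followed by `return nil, fmt.Errorf("loading user %q: %w", sub, err)`, and compare with `errors.Is(err, sql.ErrNoRows)` in case the repository wraps the sentinel. Login's body starts before the first hunk of this file.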
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
package auth
|
package auth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"database/sql"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
@ -92,16 +93,20 @@ func (ja *JWTSessionAuthenticator) Login(
|
|||||||
}
|
}
|
||||||
|
|
||||||
var roles []string
|
var roles []string
|
||||||
|
projects := make([]string, 0)
|
||||||
|
|
||||||
if config.Keys.JwtConfig.ValidateUser {
|
if config.Keys.JwtConfig.ValidateUser {
|
||||||
|
var err error
|
||||||
|
user, err = repository.GetUserRepository().GetUser(sub)
|
||||||
|
if err != nil && err != sql.ErrNoRows {
|
||||||
|
log.Errorf("Error while loading user '%v'", sub)
|
||||||
|
}
|
||||||
|
|
||||||
// Deny any logins for unknown usernames
|
// Deny any logins for unknown usernames
|
||||||
if user == nil {
|
if user == nil {
|
||||||
log.Warn("Could not find user from JWT in internal database.")
|
log.Warn("Could not find user from JWT in internal database.")
|
||||||
return nil, errors.New("unknown user")
|
return nil, errors.New("unknown user")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Take user roles from database instead of trusting the JWT
|
|
||||||
roles = user.Roles
|
|
||||||
} else {
|
} else {
|
||||||
// Extract roles from JWT (if present)
|
// Extract roles from JWT (if present)
|
||||||
if rawroles, ok := claims["roles"].([]interface{}); ok {
|
if rawroles, ok := claims["roles"].([]interface{}); ok {
|
||||||
@ -113,23 +118,17 @@ func (ja *JWTSessionAuthenticator) Login(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
projects := make([]string, 0)
|
if rawprojs, ok := claims["projects"].([]interface{}); ok {
|
||||||
// Java/Grails Issued Token
|
for _, pp := range rawprojs {
|
||||||
// if rawprojs, ok := claims["projects"].([]interface{}); ok {
|
if p, ok := pp.(string); ok {
|
||||||
// for _, pp := range rawprojs {
|
projects = append(projects, p)
|
||||||
// if p, ok := pp.(string); ok {
|
}
|
||||||
// projects = append(projects, p)
|
}
|
||||||
// }
|
} else if rawprojs, ok := claims["projects"]; ok {
|
||||||
// }
|
projects = append(projects, rawprojs.([]string)...)
|
||||||
// } else if rawprojs, ok := claims["projects"]; ok {
|
}
|
||||||
// for _, p := range rawprojs.([]string) {
|
|
||||||
// projects = append(projects, p)
|
|
||||||
// }
|
|
||||||
// }
|
|
||||||
|
|
||||||
if user == nil {
|
|
||||||
user = &schema.User{
|
user = &schema.User{
|
||||||
Username: sub,
|
Username: sub,
|
||||||
Name: name,
|
Name: name,
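Review bot: The re-enabled projects parsing ends in an unchecked type assertion, `projects = append(projects, rawprojs.([]string)...)`, which panics whenever the `projects` claim is present but is neither `[]interface{}` nor `[]string`, for example a string or an object. Assuming claims is a MapClaims filled by JSON-decoding the token, a JSON array already takes the first branch, so this else-if only ever sees non-array values and would panic the handler goroutine on any token carrying a malformed claim. Use the two-value form so a bad claim is skipped instead of crashing: `} else if ps, ok := claims["projects"].([]string); ok {` with `projects = append(projects, ps...)`. The impact is presumably bounded to tokens that already passed signature verification, but that is not visible here; Login's body continues past the end of this hunk.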
|
||||||
|