diff --git a/controllers/auth.go b/controllers/auth.go
index 275d85e..5469420 100644
--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -79,6 +79,16 @@ func RegisterUser(c *gin.Context) {
 		return
 	}
 
+	if len(input.UserName) == 0 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "no username specified"})
+		return
+	}
+
+	if len(input.Password) == 0 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "no password specified"})
+		return
+	}
+
 	u := models.User{}
 	//u.RoleId = 1
 	u.UserName = input.UserName
@@ -86,7 +96,7 @@ func RegisterUser(c *gin.Context) {
 
 	// Default to regular user role if not specified
 	if input.RoleId == 0 {
-		log.Printf("Register no role specified, defaulting to RoleId of 2.\n")
+		log.Printf("Register no role specified, defaulting to builtin role UserRole with id 2.\n")
 		u.RoleId = 2
 	} else {
 		u.RoleId = input.RoleId
diff --git a/models/ldap.go b/models/ldap.go
index 53dff91..b9940ce 100644
--- a/models/ldap.go
+++ b/models/ldap.go
@@ -233,7 +233,7 @@ func GetLdapGroupMembership(username string, password string) ([]string, error)
 	defer ldaps.Close()
 
 	// try an authenticated bind to AD to verify credentials
-	log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
+	log.Printf("GetLdapGroupMembership Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
 	err = ldaps.Bind(username, password)
 	if err != nil {
 		if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
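Review bot: The two new guards reject only a zero-length value, so a username consisting of spaces passes `len(input.UserName) == 0` and is stored as given; `if strings.TrimSpace(input.UserName) == "" {` would catch that as well (the file's import block is outside this hunk and may need `strings`). The password guard is adequate as an emptiness check; any length or complexity policy the service wants would belong at the same spot. RegisterUser's opening lines, including the JSON binding these checks follow, are outside the hunk.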
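Review bot: `u.RoleId = input.RoleId` in the `else` branch below the changed log line stores whatever role id the registering client puts in the request body, so unless RegisterUser is reachable only by an already-authorised administrator (not visible here), a self-registration can choose its own role. The safer shape is to always assign the default role here and let role changes happen only through a path that checks the caller's authority, or at least to reject any `RoleId` the caller is not allowed to grant. The literal `2` that the new message describes as the builtin UserRole also deserves a named constant, e.g. `const DefaultUserRoleId = 2`, so the log text and the assignment cannot drift apart. RegisterUser's body starts before and continues after this hunk.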
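Review bot: The renamed log line still interpolates the caller-supplied username with `'%s'` and records the password length; unless CheckUsername (applied in VerifyLdapCreds, not visibly here) strips control characters, a username containing a newline can forge additional log lines, and the length of a secret is detail a log does not need. Prefer `%q` and drop the length: `log.Printf("GetLdapGroupMembership attempting LDAP bind as %q\n", username)`. GetLdapGroupMembership's body starts before and continues after this hunk.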
@@ -241,17 +241,17 @@ func GetLdapGroupMembership(username string, password string) ([]string, error)
 			log.Print(errString)
 			return nil, errors.New(errString)
 		} else {
-			errString := fmt.Sprintf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
+			errString := fmt.Sprintf("GetLdapGroupMembership error binding to LDAP with supplied credentials : '%s'\n", err)
 			log.Print(errString)
 			return nil, errors.New(errString)
 		}
 	} else {
-		log.Printf("VerifyLdapCreds successfully bound to LDAP\n")
+		log.Printf("GetLdapGroupMembership successfully bound to LDAP\n")
 	}
 
 	groups, err := GetGroupsOfUser(username, LdapBaseDn, ldaps)
 	if err != nil {
-		errString := fmt.Sprintf("VerifyLdapCreds group search error : '%s'\n", err)
+		errString := fmt.Sprintf("GetLdapGroupMembership group search error : '%s'\n", err)
 		log.Print(errString)
 		return nil, errors.New(errString)
 	}
@@ -259,8 +259,8 @@ func GetLdapGroupMembership(username string, password string) ([]string, error)
 	return groups, nil
 }
 
-// Deprecated
-func VerifyLdapCreds(username string, password string) bool {
+// No need to check group memberships, just validate that we can bind successfully
+func VerifyLdapCreds(username string, password string) error {
 	var err error
 
 	username = CheckUsername(username)
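Review bot: Each renamed `errString` is built with `fmt.Sprintf("... '%s'\n", err)` and then returned through `errors.New(errString)`, which flattens the underlying `*ldap.Error` (callers can no longer use `errors.As` or `errors.Is` on it) and leaves a trailing newline inside the error value. `return nil, fmt.Errorf("GetLdapGroupMembership error binding to LDAP with supplied credentials: %w", err)` keeps the chain, and the log call can print the same value. The same pattern appears in the VerifyLdapCreds hunk at -271 of this file and the LoginCheck hunk at -132 of models/user.go. GetLdapGroupMembership's body starts before this hunk.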
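Review bot: The replacement comment on the exported VerifyLdapCreds is not in Go doc-comment form and does not state the contract of the new `error` result. Suggest `// VerifyLdapCreds performs a simple bind as username with password and returns nil on success; it does not query group membership (see GetLdapGroupMembership).` Any other caller written against the old `bool` result will stop compiling; only LoginCheck is updated in this diff. VerifyLdapCreds's body continues past this hunk.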
@@ -271,46 +271,19 @@ func VerifyLdapCreds(username string, password string) bool {
 	err = ldaps.Bind(username, password)
 	if err != nil {
 		if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
-			log.Printf("VerifyLdapCreds user credentials are incorrect : '%s'\n", err)
-			return false
+			errString := "invalid user credentials"
+			log.Print(errString)
+			return errors.New(errString)
 		} else {
-			log.Printf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
-			return false
+			errString := fmt.Sprintf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
+			log.Print(errString)
+			return errors.New(errString)
 		}
 	} else {
 		log.Printf("VerifyLdapCreds successfully bound to LDAP\n")
 	}
 
-	/*
-		log.Printf("Attempting LDAP search request from base DN '%s'\n", LdapBaseDn)
-		searchReq := ldap.NewSearchRequest(
-			LdapBaseDn,
-			ldap.ScopeWholeSubtree, // you can also use ldap.ScopeWholeSubtree
-			ldap.NeverDerefAliases,
-			0,
-			0,
-			false,
-			"(objectClass=*)",
-			[]string{},
-			nil,
-		)
-		result, err := ldaps.Search(searchReq)
-		if err != nil {
-			log.Printf("VerifyLdapCreds search error : '%s'\n", err)
-			return false
-		}
-
-		log.Printf("result: %v\n", result)
-	*/
-
-	groups, err := GetGroupsOfUser(username, LdapBaseDn, ldaps)
-	if err != nil {
-		log.Printf("VerifyLdapCreds group search error : '%s'\n", err)
-		return false
-	}
-	log.Printf("groups: %v\n", groups)
-
-	return true
+	return nil
 }
 
 // GetGroupsOfUser returns the group for a user.
diff --git a/models/user.go b/models/user.go
index e89e7ae..6413215 100644
--- a/models/user.go
+++ b/models/user.go
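Review bot: Nothing in VerifyLdapCreds rejects an empty password before `ldaps.Bind(username, password)`; a simple bind with a name and an empty password is an unauthenticated bind that many directories accept, and this commit now routes logins of stored LDAP users through this function. Some go-ldap versions refuse an empty password on the client side, but the guard belongs here regardless, mirroring the one this commit adds to VerifyPassword: `if len(password) == 0 { return errors.New("VerifyLdapCreds empty password not allowed") }` placed before the bind (the function's opening lines, after `username = CheckUsername(username)`, are outside this hunk). The `else` after `return errors.New(errString)` can also go, letting the success log follow the `if` at the top level.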
@@ -79,6 +79,15 @@ func (u *User) DeleteUser() error {
 }
 
 func VerifyPassword(password, hashedPassword string) error {
+
+	if len(password) == 0 {
+		return errors.New("unable to verify empty password")
+	}
+
+	if len(hashedPassword) == 0 {
+		return errors.New("unable to compare password with empty hash")
+	}
+
 	log.Printf("VerifyPassword comparing input against hashed value '%s'\n", hashedPassword)
 	return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password))
 }
@@ -120,7 +129,7 @@ func LoginCheck(username string, password string) (string, error) {
 		log.Printf("LoginCheck retrieved user '%v' from database\n", u)
 	}
 
-	log.Printf("u: %v\n", u)
+	//log.Printf("u: %v\n", u)
 
 	if !u.LdapUser {
 		err = VerifyPassword(password, u.Password)
@@ -132,9 +141,15 @@ func LoginCheck(username string, password string) (string, error) {
 			log.Printf("LoginCheck verified password against stored hash.\n")
 		}
 	} else {
-		log.Printf("LoginCheck no need to verify password in database for LDAP user\n")
+		err := VerifyLdapCreds(username, password)
 
-		// TODO - verify LDAP credentials if this LDAP user was previously stored in the database
+		if err != nil {
+			errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
+			log.Print(errString)
+			return "", errors.New(errString)
+		} else {
+			log.Printf("LoginCheck successfully verified LDAP user\n")
+		}
 	}
 
 	token, err := token.GenerateToken(uint(u.UserId))
@@ -184,6 +199,7 @@ func LdapLoginCheck(username string, password string) (User, error) {
 
 	if matchFound {
 		// If we found a match, then store user with appropriate role ID
+		u.LdapUser = true
 		u.SaveUser()
 	}
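Review bot: The line right after the new guards, `log.Printf("VerifyPassword comparing input against hashed value '%s'\n", hashedPassword)`, writes the stored bcrypt hash to the log on every login attempt, handing anyone with log access material for offline guessing; `log.Printf("VerifyPassword comparing input against stored hash\n")` carries the same signal without the secret. `log.Printf("LoginCheck retrieved user '%v' from database\n", u)` in the next hunk prints the whole User value and, if Password is the hash field, leaks it the same way, so commenting out `u: %v` there removes only one of the two copies. The two guards themselves are sound; the blank line directly after the signature is the only stylistic nit.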
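Review bot: In the LoginCheck hunk at -132, `err := VerifyLdapCreds(username, password)` declares a new `err` that shadows the function-level one the `VerifyPassword` branch assigns to; since that variable already exists, `err = VerifyLdapCreds(username, password)` keeps one variable and satisfies the shadow check in `go vet`/staticcheck. The `else` after `return "", errors.New(errString)` is redundant, so the success log can follow the `if` directly. LoginCheck's body starts before and continues after this hunk.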
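Review bot: In the LdapLoginCheck hunk at -184, `u.SaveUser()` right after the new `u.LdapUser = true` discards its result, so if the save fails the LdapUser flag (and the rest of the record) is not persisted and nothing tells the caller; LoginCheck's branch on `u.LdapUser` in the earlier hunk then decides the verification path from stale data. If SaveUser returns an error as DeleteUser does (its signature is outside this diff), use `if err := u.SaveUser(); err != nil { return User{}, fmt.Errorf("LdapLoginCheck saving user: %w", err) }`. LdapLoginCheck's body starts before this hunk.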