improve ldap login

controllers/auth.go

@@ -79,6 +79,16 @@ func RegisterUser(c *gin.Context) {
 		return
 	}
 
+	if len(input.UserName) == 0 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "no username specified"})
+		return
+	}
+
+	if len(input.Password) == 0 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "no password specified"})
+		return
+	}
+
 	u := models.User{}
 	//u.RoleId = 1
 	u.UserName = input.UserName
@@ -86,7 +96,7 @@ func RegisterUser(c *gin.Context) {
 
 	// Default to regular user role if not specified
 	if input.RoleId == 0 {
-		log.Printf("Register no role specified, defaulting to RoleId of 2.\n")
+		log.Printf("Register no role specified, defaulting to builtin role UserRole with id 2.\n")
 		u.RoleId = 2
 	} else {
 		u.RoleId = input.RoleId

models/ldap.go

@@ -233,7 +233,7 @@ func GetLdapGroupMembership(username string, password string) ([]string, error)
 	defer ldaps.Close()
 
 	// try an authenticated bind to AD to verify credentials
-	log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
+	log.Printf("GetLdapGroupMembership Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
 	err = ldaps.Bind(username, password)
 	if err != nil {
 		if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
@@ -241,17 +241,17 @@ func GetLdapGroupMembership(username string, password string) ([]string, error)
 			log.Print(errString)
 			return nil, errors.New(errString)
 		} else {
-			errString := fmt.Sprintf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
+			errString := fmt.Sprintf("GetLdapGroupMembership error binding to LDAP with supplied credentials : '%s'\n", err)
 			log.Print(errString)
 			return nil, errors.New(errString)
 		}
 	} else {
-		log.Printf("VerifyLdapCreds successfully bound to LDAP\n")
+		log.Printf("GetLdapGroupMembership successfully bound to LDAP\n")
 	}
 
 	groups, err := GetGroupsOfUser(username, LdapBaseDn, ldaps)
 	if err != nil {
-		errString := fmt.Sprintf("VerifyLdapCreds group search error : '%s'\n", err)
+		errString := fmt.Sprintf("GetLdapGroupMembership group search error : '%s'\n", err)
 		log.Print(errString)
 		return nil, errors.New(errString)
 	}
@@ -259,8 +259,8 @@ func GetLdapGroupMembership(username string, password string) ([]string, error)
 	return groups, nil
 }
 
-// Deprecated
+// No need to check group memberships, just validate that we can bind successfully
-func VerifyLdapCreds(username string, password string) bool {
+func VerifyLdapCreds(username string, password string) error {
 	var err error
 	username = CheckUsername(username)
 
@@ -271,46 +271,19 @@ func VerifyLdapCreds(username string, password string) bool {
 	err = ldaps.Bind(username, password)
 	if err != nil {
 		if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
-			log.Printf("VerifyLdapCreds user credentials are incorrect : '%s'\n", err)
+			errString := "invalid user credentials"
-			return false
+			log.Print(errString)
+			return errors.New(errString)
 		} else {
-			log.Printf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
+			errString := fmt.Sprintf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
-			return false
+			log.Print(errString)
+			return errors.New(errString)
 		}
 	} else {
 		log.Printf("VerifyLdapCreds successfully bound to LDAP\n")
 	}
 
-	/*
+	return nil
-		log.Printf("Attempting LDAP search request from base DN '%s'\n", LdapBaseDn)
-		searchReq := ldap.NewSearchRequest(
-			LdapBaseDn,
-			ldap.ScopeWholeSubtree, // you can also use ldap.ScopeWholeSubtree
-			ldap.NeverDerefAliases,
-			0,
-			0,
-			false,
-			"(objectClass=*)",
-			[]string{},
-			nil,
-		)
-		result, err := ldaps.Search(searchReq)
-		if err != nil {
-			log.Printf("VerifyLdapCreds search error : '%s'\n", err)
-			return false
-		}
-
-		log.Printf("result: %v\n", result)
-	*/
-
-	groups, err := GetGroupsOfUser(username, LdapBaseDn, ldaps)
-	if err != nil {
-		log.Printf("VerifyLdapCreds group search error : '%s'\n", err)
-		return false
-	}
-	log.Printf("groups: %v\n", groups)
-
-	return true
 }
 
 // GetGroupsOfUser returns the group for a user.

models/user.go

@@ -79,6 +79,15 @@ func (u *User) DeleteUser() error {
 }
 
 func VerifyPassword(password, hashedPassword string) error {
+
+	if len(password) == 0 {
+		return errors.New("unable to verify empty password")
+	}
+
+	if len(hashedPassword) == 0 {
+		return errors.New("unable to compare password with empty hash")
+	}
+
 	log.Printf("VerifyPassword comparing input against hashed value '%s'\n", hashedPassword)
 	return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password))
 }
@@ -120,7 +129,7 @@ func LoginCheck(username string, password string) (string, error) {
 		log.Printf("LoginCheck retrieved user '%v' from database\n", u)
 	}
 
-	log.Printf("u: %v\n", u)
+	//log.Printf("u: %v\n", u)
 
 	if !u.LdapUser {
 		err = VerifyPassword(password, u.Password)
@@ -132,9 +141,15 @@ func LoginCheck(username string, password string) (string, error) {
 			log.Printf("LoginCheck verified password against stored hash.\n")
 		}
 	} else {
-		log.Printf("LoginCheck no need to verify password in database for LDAP user\n")
+		err := VerifyLdapCreds(username, password)
 
-		// TODO - verify LDAP credentials if this LDAP user was previously stored in the database
+		if err != nil {
+			errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
+			log.Print(errString)
+			return "", errors.New(errString)
+		} else {
+			log.Printf("LoginCheck successfully verified LDAP user\n")
+		}
 	}
 
 	token, err := token.GenerateToken(uint(u.UserId))
@@ -184,6 +199,7 @@ func LdapLoginCheck(username string, password string) (User, error) {
 
 	if matchFound {
 		// If we found a match, then store user with appropriate role ID
+		u.LdapUser = true
 		u.SaveUser()
 	}