nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity

improve ldap login
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Nathan Coad
2024-01-05 10:33:09 +11:00
parent 63cfe1fd8d
commit 7f40884115
3 changed files with 43 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
controllers/auth.go
View File

@@ -79,6 +79,16 @@ func RegisterUser(c *gin.Context) {
return
}
if len(input.UserName) == 0 {
c.JSON(http.StatusBadRequest, gin.H{"error": "no username specified"})
return
}
if len(input.Password) == 0 {
c.JSON(http.StatusBadRequest, gin.H{"error": "no password specified"})
return
}
u := models.User{}
//u.RoleId = 1
u.UserName = input.UserName
@@ -86,7 +96,7 @@ func RegisterUser(c *gin.Context) {
// Default to regular user role if not specified
if input.RoleId == 0 {
log.Printf("Register no role specified, defaulting to RoleId of 2.\n")
log.Printf("Register no role specified, defaulting to builtin role UserRole with id 2.\n")
u.RoleId = 2
} else {
u.RoleId = input.RoleId

53
models/ldap.go
View File

@@ -233,7 +233,7 @@ func GetLdapGroupMembership(username string, password string) ([]string, error)
defer ldaps.Close()
// try an authenticated bind to AD to verify credentials
log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
log.Printf("GetLdapGroupMembership Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
err = ldaps.Bind(username, password)
if err != nil {
if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
@@ -241,17 +241,17 @@ func GetLdapGroupMembership(username string, password string) ([]string, error)
log.Print(errString)
return nil, errors.New(errString)
} else {
errString := fmt.Sprintf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
errString := fmt.Sprintf("GetLdapGroupMembership error binding to LDAP with supplied credentials : '%s'\n", err)
log.Print(errString)
return nil, errors.New(errString)
}
} else {
log.Printf("VerifyLdapCreds successfully bound to LDAP\n")
log.Printf("GetLdapGroupMembership successfully bound to LDAP\n")
}
groups, err := GetGroupsOfUser(username, LdapBaseDn, ldaps)
if err != nil {
errString := fmt.Sprintf("VerifyLdapCreds group search error : '%s'\n", err)
errString := fmt.Sprintf("GetLdapGroupMembership group search error : '%s'\n", err)
log.Print(errString)
return nil, errors.New(errString)
}
@@ -259,8 +259,8 @@ func GetLdapGroupMembership(username string, password string) ([]string, error)
return groups, nil
}
// Deprecated
func VerifyLdapCreds(username string, password string) bool {
// No need to check group memberships, just validate that we can bind successfully
func VerifyLdapCreds(username string, password string) error {
var err error
username = CheckUsername(username)
@@ -271,46 +271,19 @@ func VerifyLdapCreds(username string, password string) bool {
err = ldaps.Bind(username, password)
if err != nil {
if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
log.Printf("VerifyLdapCreds user credentials are incorrect : '%s'\n", err)
return false
errString := "invalid user credentials"
log.Print(errString)
return errors.New(errString)
} else {
log.Printf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
return false
errString := fmt.Sprintf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
log.Print(errString)
return errors.New(errString)
}
} else {
log.Printf("VerifyLdapCreds successfully bound to LDAP\n")
}
/*
log.Printf("Attempting LDAP search request from base DN '%s'\n", LdapBaseDn)
searchReq := ldap.NewSearchRequest(
LdapBaseDn,
ldap.ScopeWholeSubtree, // you can also use ldap.ScopeWholeSubtree
ldap.NeverDerefAliases,
0,
0,
false,
"(objectClass=*)",
[]string{},
nil,
)
result, err := ldaps.Search(searchReq)
if err != nil {
log.Printf("VerifyLdapCreds search error : '%s'\n", err)
return false
}
log.Printf("result: %v\n", result)
*/
groups, err := GetGroupsOfUser(username, LdapBaseDn, ldaps)
if err != nil {
log.Printf("VerifyLdapCreds group search error : '%s'\n", err)
return false
}
log.Printf("groups: %v\n", groups)
return true
return nil
}
// GetGroupsOfUser returns the group for a user.

22
models/user.go
View File

@@ -79,6 +79,15 @@ func (u *User) DeleteUser() error {
}
func VerifyPassword(password, hashedPassword string) error {
if len(password) == 0 {
return errors.New("unable to verify empty password")
}
if len(hashedPassword) == 0 {
return errors.New("unable to compare password with empty hash")
}
log.Printf("VerifyPassword comparing input against hashed value '%s'\n", hashedPassword)
return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password))
}
@@ -120,7 +129,7 @@ func LoginCheck(username string, password string) (string, error) {
log.Printf("LoginCheck retrieved user '%v' from database\n", u)
}
log.Printf("u: %v\n", u)
//log.Printf("u: %v\n", u)
if !u.LdapUser {
err = VerifyPassword(password, u.Password)
@@ -132,9 +141,15 @@ func LoginCheck(username string, password string) (string, error) {
log.Printf("LoginCheck verified password against stored hash.\n")
}
} else {
log.Printf("LoginCheck no need to verify password in database for LDAP user\n")
err := VerifyLdapCreds(username, password)
// TODO - verify LDAP credentials if this LDAP user was previously stored in the database
if err != nil {
errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
log.Print(errString)
return "", errors.New(errString)
} else {
log.Printf("LoginCheck successfully verified LDAP user\n")
}
}
token, err := token.GenerateToken(uint(u.UserId))
@@ -184,6 +199,7 @@ func LdapLoginCheck(username string, password string) (User, error) {
if matchFound {
// If we found a match, then store user with appropriate role ID
u.LdapUser = true
u.SaveUser()
}