This commit is contained in:
@@ -4,10 +4,12 @@ import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/go-ldap/ldap"
|
||||
@@ -22,9 +24,12 @@ type LdapConfig struct {
|
||||
}
|
||||
|
||||
var systemCA *x509.CertPool
|
||||
var ldaps *ldap.Conn
|
||||
|
||||
// var ldaps *ldap.Conn
|
||||
var LdapServer string
|
||||
var CertLoaded bool
|
||||
var LdapEnabled bool
|
||||
var LdapInsecure bool = false
|
||||
var LdapBaseDn string
|
||||
var DefaultDomainSuffix string
|
||||
|
||||
@@ -118,8 +123,8 @@ func LdapSetup() bool {
|
||||
// Load LDAP certificate if necessary
|
||||
loadLdapCert()
|
||||
|
||||
ldapServer := os.Getenv("LDAP_BIND_ADDRESS")
|
||||
if ldapServer == "" {
|
||||
LdapServer = os.Getenv("LDAP_BIND_ADDRESS")
|
||||
if LdapServer == "" {
|
||||
log.Printf("VerifyLdapCreds no LDAP bind address supplied\n")
|
||||
return false
|
||||
} else {
|
||||
@@ -132,6 +137,14 @@ func LdapSetup() bool {
|
||||
return false
|
||||
}
|
||||
|
||||
insecure := os.Getenv("LDAP_INSECURE_VALIDATION")
|
||||
if insecure != "" {
|
||||
LdapInsecure, err = strconv.ParseBool(insecure)
|
||||
if err != nil {
|
||||
log.Printf("LdapSetup could not convert environment variable LDAP_INSECURE_VALIDATION with value of '%s'\n", insecure)
|
||||
}
|
||||
}
|
||||
|
||||
// Set up TLS to use our custom certificate authority passed in cli argument
|
||||
tlsConfig := &tls.Config{
|
||||
RootCAs: systemCA,
|
||||
@@ -139,31 +152,49 @@ func LdapSetup() bool {
|
||||
}
|
||||
|
||||
// Add port if not specified in .env file
|
||||
if !(strings.HasSuffix(ldapServer, ":636")) {
|
||||
ldapServer = fmt.Sprintf("%s:636", ldapServer)
|
||||
log.Printf("VerifyLdapCreds updated ldapServer string '%s'\n", ldapServer)
|
||||
if !(strings.HasSuffix(LdapServer, ":636")) {
|
||||
LdapServer = fmt.Sprintf("%s:636", LdapServer)
|
||||
log.Printf("VerifyLdapCreds updated ldapServer string '%s'\n", LdapServer)
|
||||
}
|
||||
|
||||
// try connecting to AD via TLS and our custom certificate authority
|
||||
ldaps, err = ldap.DialTLS("tcp", ldapServer, tlsConfig)
|
||||
ldaps, err := ldap.DialTLS("tcp", LdapServer, tlsConfig)
|
||||
if err != nil {
|
||||
log.Printf("VerifyLdapCreds error connecting to LDAP bind address '%s' : '%s'\n", ldapServer, err)
|
||||
log.Printf("VerifyLdapCreds error connecting to LDAP bind address '%s' : '%s'\n", LdapServer, err)
|
||||
return false
|
||||
}
|
||||
|
||||
//defer ldaps.Close()
|
||||
|
||||
LdapEnabled = true
|
||||
|
||||
namingContext := LookupNamingContext()
|
||||
namingContext := LookupNamingContext(ldaps)
|
||||
if namingContext != "" {
|
||||
DefaultDomainSuffix = DomainSuffixFromNamingContext(namingContext)
|
||||
}
|
||||
|
||||
ldaps.Close()
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func LookupNamingContext() string {
|
||||
// LdapConnect sets up the connection to LDAP to be used by other functions
|
||||
func ldapConnect() *ldap.Conn {
|
||||
|
||||
// Set up TLS to use our custom certificate authority passed in cli argument
|
||||
tlsConfig := &tls.Config{
|
||||
RootCAs: systemCA,
|
||||
InsecureSkipVerify: LdapInsecure,
|
||||
}
|
||||
|
||||
ldaps, err := ldap.DialTLS("tcp", LdapServer, tlsConfig)
|
||||
if err != nil {
|
||||
log.Printf("VerifyLdapCreds error connecting to LDAP bind address '%s' : '%s'\n", LdapServer, err)
|
||||
return nil
|
||||
}
|
||||
|
||||
return ldaps
|
||||
}
|
||||
|
||||
func LookupNamingContext(ldaps *ldap.Conn) string {
|
||||
// Retrieve the defaultNamingContext
|
||||
searchRequest := ldap.NewSearchRequest(
|
||||
"",
|
||||
@@ -194,10 +225,47 @@ func LookupNamingContext() string {
|
||||
return defaultNamingContext
|
||||
}
|
||||
|
||||
func GetLdapGroupMembership(username string, password string) ([]string, error) {
|
||||
var err error
|
||||
username = CheckUsername(username)
|
||||
|
||||
ldaps := ldapConnect()
|
||||
defer ldaps.Close()
|
||||
|
||||
// try an authenticated bind to AD to verify credentials
|
||||
log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
|
||||
err = ldaps.Bind(username, password)
|
||||
if err != nil {
|
||||
if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
|
||||
errString := "invalid user credentials"
|
||||
log.Print(errString)
|
||||
return nil, errors.New(errString)
|
||||
} else {
|
||||
errString := fmt.Sprintf("VerifyLdapCreds error binding to LDAP with supplied credentials : '%s'\n", err)
|
||||
log.Print(errString)
|
||||
return nil, errors.New(errString)
|
||||
}
|
||||
} else {
|
||||
log.Printf("VerifyLdapCreds successfully bound to LDAP\n")
|
||||
}
|
||||
|
||||
groups, err := GetGroupsOfUser(username, LdapBaseDn, ldaps)
|
||||
if err != nil {
|
||||
errString := fmt.Sprintf("VerifyLdapCreds group search error : '%s'\n", err)
|
||||
log.Print(errString)
|
||||
return nil, errors.New(errString)
|
||||
}
|
||||
|
||||
return groups, nil
|
||||
}
|
||||
|
||||
// Deprecated
|
||||
func VerifyLdapCreds(username string, password string) bool {
|
||||
var err error
|
||||
username = CheckUsername(username)
|
||||
|
||||
ldaps := ldapConnect()
|
||||
|
||||
// try an authenticated bind to AD to verify credentials
|
||||
log.Printf("Attempting LDAP bind with user '%s' and password length '%d'\n", username, len(password))
|
||||
err = ldaps.Bind(username, password)
|
||||
|
||||
@@ -36,8 +36,8 @@ const createUsers string = `
|
||||
RoleId INTEGER,
|
||||
UserName VARCHAR,
|
||||
Password VARCHAR,
|
||||
LdapUser BOOLEAN,
|
||||
LdapDN VARCHAR,
|
||||
LdapUser BOOLEAN DEFAULT 0,
|
||||
LdapDN VARCHAR DEFAULT '',
|
||||
FOREIGN KEY (RoleId) REFERENCES roles(RoleId)
|
||||
);
|
||||
`
|
||||
@@ -138,7 +138,7 @@ func CreateTables() {
|
||||
cryptText, _ := bcrypt.GenerateFromPassword([]byte(initialPassword), bcrypt.DefaultCost)
|
||||
initialPassword = string(cryptText)
|
||||
}
|
||||
if _, err = db.Exec("INSERT INTO users VALUES(1, 1, 'Administrator', ?);", initialPassword); err != nil {
|
||||
if _, err = db.Exec("INSERT INTO users (RoleId, UserName, Password, LdapUser) VALUES(1, 1, 'Administrator', ?, 0);", initialPassword); err != nil {
|
||||
log.Printf("Error adding initial admin role : '%s'", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
@@ -183,13 +183,13 @@ func CreateTables() {
|
||||
ldapUserCheck, _ := CheckColumnExists("users", "LdapUser")
|
||||
if !ldapUserCheck {
|
||||
log.Printf("CreateTables creating ldap columns in user table")
|
||||
_, err := db.Exec("ALTER TABLE users ADD COLUMN LdapUser BOOLEAN;")
|
||||
_, err := db.Exec("ALTER TABLE users ADD COLUMN LdapUser BOOLEAN DEFAULT 0;")
|
||||
if err != nil {
|
||||
log.Printf("Error altering users table to add LdapUser column : '%s'\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
_, err = db.Exec("ALTER TABLE users ADD COLUMN LdapDN VARCHAR;")
|
||||
_, err = db.Exec("ALTER TABLE users ADD COLUMN LdapDN VARCHAR DEFAULT '';")
|
||||
if err != nil {
|
||||
log.Printf("Error altering users table to add LdapDN column : '%s'\n", err)
|
||||
os.Exit(1)
|
||||
|
||||
@@ -3,6 +3,7 @@ package models
|
||||
import (
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"net/http"
|
||||
"smt/utils/token"
|
||||
@@ -35,7 +36,7 @@ func (u *User) SaveUser() (*User, error) {
|
||||
_, err = GetUserByName(u.UserName)
|
||||
if err != nil && err.Error() == "user not found" {
|
||||
log.Printf("SaveUser confirmed no existing user, continuing with creation of user '%s'\n", u.UserName)
|
||||
result, err := db.NamedExec((`INSERT INTO users (RoleId, UserName, Password) VALUES (:RoleId, :UserName, :Password)`), u)
|
||||
result, err := db.NamedExec((`INSERT INTO users (RoleId, UserName, Password, LdapUser, LdapDn) VALUES (:RoleId, :UserName, :Password, :LdapUser, :LdapDN)`), u)
|
||||
|
||||
if err != nil {
|
||||
log.Printf("SaveUser error executing sql record : '%s'\n", err)
|
||||
@@ -95,11 +96,20 @@ func LoginCheck(username string, password string) (string, error) {
|
||||
if err == sql.ErrNoRows {
|
||||
// check LDAP if enabled
|
||||
if LdapEnabled {
|
||||
//check, err := LdapLoginCheck(username, password)
|
||||
check := VerifyLdapCreds(username, password)
|
||||
if check {
|
||||
u.UserId = StoreLdapUser(username)
|
||||
ldapUser, err := LdapLoginCheck(username, password)
|
||||
if err != nil {
|
||||
errString := fmt.Sprintf("LoginCheck erro checking LDAP for user : '%s'\n", err)
|
||||
log.Print(errString)
|
||||
return "", errors.New(errString)
|
||||
|
||||
}
|
||||
|
||||
if ldapUser == (User{}) {
|
||||
errString := fmt.Sprintf("LoginCheck user not found in LDAP : '%s'\n", err)
|
||||
log.Print(errString)
|
||||
return "", errors.New(errString)
|
||||
}
|
||||
|
||||
} else {
|
||||
return "", errors.New("specified user not found in database")
|
||||
}
|
||||
@@ -110,9 +120,6 @@ func LoginCheck(username string, password string) (string, error) {
|
||||
log.Printf("LoginCheck retrieved user '%v' from database\n", u)
|
||||
}
|
||||
|
||||
// TODO : attempt ldap bind
|
||||
//VerifyLdapCreds(username, password)
|
||||
|
||||
err = VerifyPassword(password, u.Password)
|
||||
|
||||
if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
|
||||
@@ -133,6 +140,46 @@ func LoginCheck(username string, password string) (string, error) {
|
||||
|
||||
}
|
||||
|
||||
func LdapLoginCheck(username string, password string) (User, error) {
|
||||
var u User
|
||||
|
||||
// try to get LDAP group membership
|
||||
groups, err := GetLdapGroupMembership(username, password)
|
||||
if err != nil {
|
||||
if err.Error() == "invalid user credentials" {
|
||||
return u, nil
|
||||
} else {
|
||||
return u, err
|
||||
}
|
||||
}
|
||||
|
||||
// Compare all roles against the list of user's group membership
|
||||
roleList, err := QueryRoles()
|
||||
if err != nil {
|
||||
return u, err
|
||||
}
|
||||
|
||||
matchFound := false
|
||||
for _, role := range roleList {
|
||||
for _, group := range groups {
|
||||
if role.LdapGroup == group {
|
||||
log.Printf("Found match, user is allowed role ID '%d'\n", role.RoleId)
|
||||
matchFound = true
|
||||
break
|
||||
} else {
|
||||
log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if matchFound {
|
||||
// If we found a match, then store user with appropriate role ID
|
||||
u.UserId = StoreLdapUser(username)
|
||||
}
|
||||
|
||||
return u, nil
|
||||
}
|
||||
|
||||
// StoreLdapUser creates a user record in the database and returns the corresponding userId
|
||||
func StoreLdapUser(username string) int {
|
||||
|
||||
@@ -180,7 +227,7 @@ func GetUserRoleByID(uid uint) (UserRole, error) {
|
||||
|
||||
// Query database for matching user object
|
||||
log.Printf("GetUserRoleByID querying for userid '%d'\n", uid)
|
||||
err := db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", uid).StructScan(&ur)
|
||||
err := db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, users.LdapUser, users.LdapDN, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", uid).StructScan(&ur)
|
||||
if err != nil {
|
||||
log.Printf("GetUserRoleByID received error when querying database : '%s'\n", err)
|
||||
return ur, errors.New("GetUserRoleByID user not found")
|
||||
@@ -202,7 +249,7 @@ func GetUserRoleFromToken(c *gin.Context) (UserRole, error) {
|
||||
|
||||
// Query database for matching user object
|
||||
log.Printf("GetUserRoleFromToken querying for userid '%d'\n", user_id)
|
||||
err = db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", user_id).StructScan(&ur)
|
||||
err = db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, users.LdapUser, users.LdapDN, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", user_id).StructScan(&ur)
|
||||
if err != nil {
|
||||
log.Printf("GetUserRoleFromToken received error when querying database : '%s'\n", err)
|
||||
return ur, errors.New("GetUserRoleFromToken user not found")
|
||||
|
||||
Reference in New Issue
Block a user