Nathan Coad
ee822b5c9d
All checks were successful
continuous-integration/drone/push Build is passing
542 lines
16 KiB
Go
542 lines
16 KiB
Go
package models
|
|
|
|
import (
|
|
"database/sql"
|
|
"errors"
|
|
"fmt"
|
|
"log"
|
|
"smt/utils/token"
|
|
"strings"
|
|
"time"
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
type User struct {
|
|
UserId int `db:"UserId" json:"userId"`
|
|
GroupId int `db:"GroupId" json:"groupId"`
|
|
UserName string `db:"UserName" json:"userName"`
|
|
Password string `db:"Password" json:"-"`
|
|
LdapUser bool `db:"LdapUser" json:"ldapUser"`
|
|
Admin bool `db:"Admin"`
|
|
LastLogin time.Time `db:"LastLogin" json:"lastLogin"`
|
|
LdapGroup bool `db:"LdapGroup"`
|
|
}
|
|
|
|
type UserRole struct {
|
|
User
|
|
RoleName string `db:"RoleName"`
|
|
ReadOnly bool `db:"ReadOnly"`
|
|
Admin bool `db:"Admin"`
|
|
}
|
|
|
|
type UserGroup struct {
|
|
User
|
|
GroupName string `db:"GroupName"`
|
|
LdapGroup bool `db:"LdapGroup"`
|
|
LdapDn string `db:"LdapDn"`
|
|
Admin bool `db:"Admin"`
|
|
}
|
|
|
|
// Combine Users and Safes to determine which safes a user has access to
|
|
type UserSafe struct {
|
|
User
|
|
SafeId int `db:"SafeId"`
|
|
SafeName string `db:"SafeName"`
|
|
ReadOnly bool `db:"ReadOnly" json:"readOnly"`
|
|
//GroupId int `db:"GroupId"`
|
|
}
|
|
|
|
func (u *User) SaveUser() (*User, error) {
|
|
|
|
var err error
|
|
|
|
if u.LastLogin.IsZero() {
|
|
u.LastLogin = time.Time{}
|
|
}
|
|
|
|
// Validate username not already in use
|
|
_, err = UserGetByName(u.UserName)
|
|
if err != nil && err.Error() == "user not found" {
|
|
log.Printf("SaveUser confirmed no existing user, continuing with creation of user '%s'\n", u.UserName)
|
|
//log.Printf("u: %v\n", u)
|
|
result, err := db.NamedExec((`INSERT INTO users (GroupId, UserName, Password, LdapUser, Admin, LastLogin) VALUES (:GroupId, :UserName, :Password, :LdapUser, :Admin, :LastLogin)`), u)
|
|
|
|
if err != nil {
|
|
log.Printf("SaveUser error executing sql record : '%s'\n", err)
|
|
return &User{}, err
|
|
} else {
|
|
affected, _ := result.RowsAffected()
|
|
id, _ := result.LastInsertId()
|
|
u.UserId = int(id)
|
|
log.Printf("SaveUser insert returned result id '%d' affecting %d row(s).\n", id, affected)
|
|
}
|
|
} else {
|
|
log.Printf("SaveUser Username already exists : '%v'\n", err)
|
|
}
|
|
|
|
return u, nil
|
|
}
|
|
|
|
func (u *User) DeleteUser() error {
|
|
|
|
// Validate username exists
|
|
_, err := UserGetByName(u.UserName)
|
|
if err != nil {
|
|
log.Printf("DeleteUser error finding user account to remove : '%s'\n", err)
|
|
return err
|
|
} else {
|
|
log.Printf("DeleteUser confirmed user exists, continuing with deletion of user '%s'\n", u.UserName)
|
|
result, err := db.NamedExec((`DELETE FROM users WHERE UserName = :UserName`), u)
|
|
|
|
if err != nil {
|
|
log.Printf("DeleteUser error executing sql delete : '%s'\n", err)
|
|
return err
|
|
} else {
|
|
affected, _ := result.RowsAffected()
|
|
id, _ := result.LastInsertId()
|
|
log.Printf("DeleteUser returned result id '%d' affecting %d row(s).\n", id, affected)
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func VerifyPassword(password, hashedPassword string) error {
|
|
|
|
if len(password) == 0 {
|
|
return errors.New("unable to verify empty password")
|
|
}
|
|
|
|
if len(hashedPassword) == 0 {
|
|
return errors.New("unable to compare password with empty hash")
|
|
}
|
|
|
|
//log.Printf("VerifyPassword comparing input against hashed value '%s'\n", hashedPassword)
|
|
return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password))
|
|
}
|
|
|
|
func LoginCheck(username string, password string) (string, error) {
|
|
var err error
|
|
newLdapUser := false
|
|
u := User{}
|
|
|
|
// Query database for matching user object
|
|
// Use IFNULL to handle situation where a user might not be a member of a group
|
|
// Join on groups table so we can get the value in LdapGroup column
|
|
|
|
// if username is UPN format then get just the user portion
|
|
if strings.Contains(username, "@") {
|
|
plainUser := GetUserFromUPN(username)
|
|
// check for original username or plainUser
|
|
err = db.QueryRowx(`
|
|
SELECT users.UserId, IFNULL(users.GroupId, 0) GroupId, UserName, Password, LdapUser, users.Admin, groups.LdapGroup FROM Users
|
|
INNER JOIN groups ON users.GroupId = groups.GroupId
|
|
WHERE Username=? OR Username=?`, username, plainUser).StructScan(&u)
|
|
} else {
|
|
err = db.QueryRowx(`
|
|
SELECT users.UserId, IFNULL(users.GroupId, 0) GroupId, UserName, Password, LdapUser, users.Admin, groups.LdapGroup FROM Users
|
|
INNER JOIN groups ON users.GroupId = groups.GroupId
|
|
WHERE Username=?`, username).StructScan(&u)
|
|
}
|
|
|
|
if err != nil {
|
|
if err == sql.ErrNoRows {
|
|
log.Printf("LoginCheck found no users matching username '%s'\n", username)
|
|
|
|
// TODO - if username contains UPN style login then try extracting just the username and doing a query on that
|
|
|
|
// check LDAP if enabled
|
|
if LdapEnabled {
|
|
log.Printf("LoginCheck initiating ldap lookup for username '%s'\n", username)
|
|
ldapUser, err := UserLdapNewLoginCheck(username, password)
|
|
if err != nil {
|
|
errString := fmt.Sprintf("LoginCheck error checking LDAP for user : '%s'\n", err)
|
|
log.Print(errString)
|
|
return "", errors.New(errString)
|
|
}
|
|
|
|
if ldapUser == (User{}) {
|
|
errString := fmt.Sprintf("LoginCheck user not found in LDAP : '%s'\n", err)
|
|
log.Print(errString)
|
|
return "", errors.New(errString)
|
|
} else {
|
|
log.Printf("LoginCheck verified LDAP user successfully\n")
|
|
u = ldapUser
|
|
|
|
// Since this user wasn't in the database, they must have been logging in for the first time
|
|
// So we don't need to repeat the ldap bind and verification
|
|
newLdapUser = true
|
|
|
|
}
|
|
} else {
|
|
// LDAP is not enabled, if user is not in the database then they can't login
|
|
return "", errors.New("specified user not found in database")
|
|
}
|
|
} else {
|
|
errString := fmt.Sprintf("LoginCheck error querying database : '%s'\n", err)
|
|
log.Print(errString)
|
|
return "", errors.New(errString)
|
|
}
|
|
} else {
|
|
//log.Printf("LoginCheck retrieved user '%v' from database\n", u)
|
|
log.Printf("LoginCheck retrieved user id '%d' from database\n", u.UserId)
|
|
}
|
|
|
|
//log.Printf("u: %v\n", u)
|
|
|
|
if !u.LdapUser {
|
|
// Locally defined user, perform password verification
|
|
err = VerifyPassword(password, u.Password)
|
|
|
|
if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
|
|
log.Printf("LoginCheck says password doesn't match stored hash.\n")
|
|
return "", err
|
|
} else {
|
|
log.Printf("LoginCheck verified password against stored hash.\n")
|
|
}
|
|
} else {
|
|
// LDAP user, verify credential if user wasn't logging in for the first time
|
|
if !newLdapUser {
|
|
err := VerifyLdapCreds(username, password)
|
|
|
|
if err != nil {
|
|
errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
|
|
log.Print(errString)
|
|
return "", errors.New(errString)
|
|
} else {
|
|
log.Printf("LoginCheck successfully verified LDAP user\n")
|
|
|
|
// check if user's group membership is an ldap group or not
|
|
log.Printf("User id '%d' is a member of group '%d' which has ldapGroup status '%v'\n", u.UserId, u.GroupId, u.LdapGroup)
|
|
|
|
// If user's group membership is an ldap group, then run UserLdapGroupVerify as we were doing before
|
|
if u.LdapGroup {
|
|
// confirm that current LDAP group membership matches a group
|
|
err := UserLdapGroupVerify(username, password)
|
|
|
|
if err != nil {
|
|
// No valid group membership
|
|
errString := fmt.Sprintf("ldap group membership check unsuccessful : '%s'\n", err)
|
|
log.Printf("LoginCheck %s\n", errString)
|
|
return "", errors.New(errString)
|
|
}
|
|
} else { // If user's group membership is not an ldap group, then we are fine and the login attempt was successful
|
|
log.Printf("No need to check ldap group membership since user is not a member of an ldap group\n")
|
|
}
|
|
}
|
|
} else {
|
|
log.Printf("LoginCheck no need to repeat LDAP bind for new user login\n")
|
|
}
|
|
}
|
|
|
|
// If we reached this point then the login was successful
|
|
// Generate a new token and return it to the user
|
|
log.Printf("LoginCheck generating token for user id '%d'\n", uint(u.UserId))
|
|
token, err := token.GenerateToken(uint(u.UserId))
|
|
|
|
if err != nil {
|
|
log.Printf("LoginCheck error generating token : '%s'\n", err)
|
|
return "", err
|
|
}
|
|
|
|
u.UserSetLastLogin()
|
|
|
|
return token, nil
|
|
|
|
}
|
|
|
|
// UserLdapGroupVerify will check current group membership and generate an error if match is not found in database
|
|
func UserLdapGroupVerify(username string, password string) error {
|
|
// try to get LDAP group membership
|
|
ldapGroups, err := LdapGetGroupMembership(username, password)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Compare all roles against the list of user's group membership
|
|
groupList, err := GroupList()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
for _, group := range groupList {
|
|
for _, lg := range ldapGroups {
|
|
if group.LdapDn == lg {
|
|
log.Printf("Found match with groupname '%s' and LDAP group DN '%s', user is a member of group ID '%d'\n", group.GroupName, group.LdapDn, group.GroupId)
|
|
return nil
|
|
}
|
|
}
|
|
}
|
|
|
|
return errors.New("no match between database and ldap group membership")
|
|
}
|
|
|
|
// UserLdapNewLoginCheck will verify group membership and save User into database
|
|
func UserLdapNewLoginCheck(username string, password string) (User, error) {
|
|
var u User
|
|
u.UserName = username
|
|
|
|
// try to get LDAP group membership
|
|
ldapGroups, err := LdapGetGroupMembership(username, password)
|
|
if err != nil {
|
|
if err.Error() == "invalid user credentials" {
|
|
return u, nil
|
|
} else {
|
|
return u, err
|
|
}
|
|
}
|
|
|
|
// Compare all roles against the list of user's group membership
|
|
groupList, err := GroupList()
|
|
if err != nil {
|
|
return u, err
|
|
}
|
|
|
|
matchFound := false
|
|
|
|
for _, group := range groupList {
|
|
// Skip any groups that aren't LDAP groups
|
|
if len(group.LdapDn) == 0 {
|
|
continue
|
|
}
|
|
for _, lg := range ldapGroups {
|
|
if group.LdapDn == lg {
|
|
log.Printf("Found match with groupname '%s' and LDAP group DN '%s', user is a member of group ID '%d'\n", group.GroupName, group.LdapDn, group.GroupId)
|
|
u.GroupId = group.GroupId
|
|
matchFound = true
|
|
break
|
|
} else {
|
|
log.Printf("Groupname '%s' with LDAP group '%s' not match user group '%s'\n", group.GroupName, group.LdapDn, lg)
|
|
}
|
|
}
|
|
}
|
|
|
|
if matchFound {
|
|
// If we found a match, then store user with appropriate role ID
|
|
u.LdapUser = true
|
|
u.SaveUser()
|
|
}
|
|
|
|
return u, nil
|
|
}
|
|
|
|
func (u *User) UserSetLastLogin() error {
|
|
|
|
u.LastLogin = time.Now().UTC()
|
|
|
|
result, err := db.NamedExec((`UPDATE users SET LastLogin = :LastLogin WHERE UserId = :UserId`), u)
|
|
|
|
if err != nil {
|
|
log.Printf("UserSetLastLogin error executing sql update : '%s'\n", err)
|
|
return err
|
|
} else {
|
|
affected, _ := result.RowsAffected()
|
|
id, _ := result.LastInsertId()
|
|
log.Printf("UserSetLastLogin returned result id '%d' affecting %d row(s).\n", id, affected)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func UserGetByID(uid uint) (User, error) {
|
|
|
|
var u User
|
|
|
|
// Query database for matching user object
|
|
err := db.QueryRowx("SELECT * FROM users WHERE UserId=?", uid).StructScan(&u)
|
|
if err != nil {
|
|
return u, errors.New("user not found")
|
|
}
|
|
/*
|
|
if err := DB.First(&u, uid).Error; err != nil {
|
|
return u, errors.New("User not found!")
|
|
}
|
|
*/
|
|
//u.PrepareGive()
|
|
|
|
return u, nil
|
|
|
|
}
|
|
|
|
func UserGetByName(username string) (User, error) {
|
|
|
|
var u User
|
|
|
|
// Query database for matching user object
|
|
err := db.QueryRowx("SELECT * FROM users WHERE UserName=?", username).StructScan(&u)
|
|
if err != nil {
|
|
return u, errors.New("user not found")
|
|
}
|
|
|
|
return u, nil
|
|
}
|
|
|
|
/*
|
|
func GetUserRoleByID(uid uint) (UserRole, error) {
|
|
|
|
var ur UserRole
|
|
|
|
// Query database for matching user object
|
|
log.Printf("GetUserRoleByID querying for userid '%d'\n", uid)
|
|
err := db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, users.LdapUser, users.LdapDn, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", uid).StructScan(&ur)
|
|
if err != nil {
|
|
log.Printf("GetUserRoleByID received error when querying database : '%s'\n", err)
|
|
return ur, errors.New("GetUserRoleByID user not found")
|
|
}
|
|
|
|
return ur, nil
|
|
}
|
|
*/
|
|
|
|
func UserGetGroupByID(uid uint) (UserGroup, error) {
|
|
|
|
var ug UserGroup
|
|
|
|
// Query database for matching user object
|
|
log.Printf("UserGetGroupByID querying for userid '%d'\n", uid)
|
|
|
|
err := db.QueryRowx("SELECT users.UserId, users.GroupId, users.UserName, users.Password, users.LdapUser, groups.GroupName, groups.LdapGroup, groups.LdapDn, groups.Admin FROM users INNER JOIN groups ON users.GroupId = groups.GroupId WHERE users.UserId=?", uid).StructScan(&ug)
|
|
if err != nil {
|
|
log.Printf("UserGetGroupByID received error when querying database : '%s'\n", err)
|
|
return ug, errors.New("UserGetGroupByID user id not found")
|
|
}
|
|
|
|
return ug, nil
|
|
}
|
|
|
|
/*
|
|
func UserGetRoleFromToken(c *gin.Context) (UserRole, error) {
|
|
|
|
var ur UserRole
|
|
|
|
user_id, err := token.ExtractTokenID(c)
|
|
|
|
if err != nil {
|
|
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
|
return ur, err
|
|
}
|
|
|
|
// Query database for matching user object
|
|
log.Printf("UserGetRoleFromToken querying for userid '%d'\n", user_id)
|
|
err = db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, users.LdapUser, users.LdapDn, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", user_id).StructScan(&ur)
|
|
if err != nil {
|
|
log.Printf("UserGetRoleFromToken received error when querying database : '%s'\n", err)
|
|
return ur, errors.New("UserGetRoleFromToken user not found")
|
|
}
|
|
|
|
return ur, nil
|
|
}
|
|
*/
|
|
|
|
func UserGetSafesAllowed(userId int) ([]UserSafe, error) {
|
|
|
|
var results []UserSafe
|
|
|
|
// TODO add union for permissions directly assigned to safe via UserId instead of GroupId
|
|
|
|
// join users, groups and permissions
|
|
rows, err := db.Queryx(`
|
|
SELECT users.UserId, users.GroupId, users.UserName,
|
|
permissions.SafeId, permissions.ReadOnly, safes.SafeName FROM users
|
|
INNER JOIN groups ON users.GroupId = groups.GroupId
|
|
INNER JOIN permissions ON groups.GroupId = permissions.GroupId
|
|
INNER JOIN safes on permissions.SafeId = safes.SafeId
|
|
WHERE users.UserId=?`, userId)
|
|
|
|
if err != nil {
|
|
log.Printf("UserGetSafesAllowed error executing sql record : '%s'\n", err)
|
|
return results, err
|
|
} else {
|
|
defer rows.Close()
|
|
|
|
// Get columns from rows for debugging
|
|
/*
|
|
columns, err := rows.Columns()
|
|
if err != nil {
|
|
log.Printf("UserGetSafesAllowed error getting column listing : '%s'\n", err)
|
|
return results, err
|
|
}
|
|
log.Printf("columns: %v\n", columns)
|
|
*/
|
|
|
|
// parse all the results into a slice
|
|
for rows.Next() {
|
|
var us UserSafe
|
|
err = rows.StructScan(&us)
|
|
if err != nil {
|
|
log.Printf("UserGetSafesAllowed error parsing sql record : '%s'\n", err)
|
|
return results, err
|
|
}
|
|
//log.Printf("UserGetSafesAllowed adding record : '%+v'\n", us)
|
|
//debugPrint := utils.PrintStructContents(&us, 0)
|
|
//log.Printf("UserGetSafesAllowed adding record :\n%s\n", debugPrint)
|
|
|
|
results = append(results, us)
|
|
|
|
/*
|
|
// For intense debugging
|
|
// Create a map to store column names and values
|
|
rowValues := make(map[string]interface{})
|
|
|
|
// Scan each row into the map
|
|
err := rows.MapScan(rowValues)
|
|
if err != nil {
|
|
log.Println(err)
|
|
continue
|
|
}
|
|
|
|
// Print the raw row record
|
|
log.Println("-----------")
|
|
for _, column := range columns {
|
|
log.Printf("%s: %v\n", column, rowValues[column])
|
|
}
|
|
log.Println("-----------")
|
|
*/
|
|
}
|
|
log.Printf("UserGetSafesAllowed retrieved '%d' results\n", len(results))
|
|
}
|
|
|
|
return results, nil
|
|
}
|
|
|
|
func UserList() ([]User, error) {
|
|
var results []User
|
|
|
|
// Query database for role definitions
|
|
rows, err := db.Queryx("SELECT * FROM users")
|
|
|
|
if err != nil {
|
|
log.Printf("UserList error executing sql record : '%s'\n", err)
|
|
return results, err
|
|
} else {
|
|
// parse all the results into a slice
|
|
for rows.Next() {
|
|
var u User
|
|
err = rows.StructScan(&u)
|
|
if err != nil {
|
|
log.Printf("UserList error parsing sql record : '%s'\n", err)
|
|
return results, err
|
|
}
|
|
results = append(results, u)
|
|
|
|
}
|
|
log.Printf("UserList retrieved '%d' results\n", len(results))
|
|
}
|
|
|
|
return results, nil
|
|
}
|
|
|
|
func UserCheckIfAdmin(userId int) bool {
|
|
// TODO
|
|
|
|
u, err := UserGetByID(uint(userId))
|
|
if err != nil {
|
|
log.Printf("UserCheckIfAdmin received error : '%s'\n", err)
|
|
return false
|
|
}
|
|
|
|
return u.Admin
|
|
}
|