nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity
Files
fe502e150f10c859a0031ba287df7277883240d4
smt/models/user.go
Nathan Coad fe502e150f
All checks were successful
continuous-integration/drone/push Build is passing
Details
more debugging
2024-01-08 15:02:24 +11:00

424 lines
12 KiB
Go
Raw Blame History

package models
import (
"database/sql"
"errors"
"fmt"
"log"
"smt/utils/token"
"golang.org/x/crypto/bcrypt"
)
type User struct {
UserId int `db:"UserId" json:"userId"`
GroupId int `db:"GroupId" json:"groupId"`
UserName string `db:"UserName" json:"userName"`
Password string `db:"Password" json:"-"`
LdapUser bool `db:"LdapUser" json:"ldapUser"`
Admin bool `db:"Admin"`
//LdapDn string `db:"LdapDN" json:"ldapDn"`
}
type UserRole struct {
User
RoleName string `db:"RoleName"`
ReadOnly bool `db:"ReadOnly"`
Admin bool `db:"Admin"`
}
type UserGroup struct {
User
GroupName string `db:"GroupName"`
LdapGroup bool `db:"LdapGroup"`
LdapDn string `db:"LdapDN"`
Admin bool `db:"Admin"`
}
type UserSafe struct {
User
AdminUser bool `db:"AdminUser"`
AdminGroup bool `db:"AdminGroup"`
SafeId int `db:"SafeId"`
SafeName string `db:"SafeName"`
GroupId int `db:"GroupId"`
}
func (u *User) SaveUser() (*User, error) {
var err error
// Validate username not already in use
_, err = UserGetByName(u.UserName)
if err != nil && err.Error() == "user not found" {
log.Printf("SaveUser confirmed no existing user, continuing with creation of user '%s'\n", u.UserName)
result, err := db.NamedExec((`INSERT INTO users (GroupId, UserName, Password, LdapUser) VALUES (:GroupId, :UserName, :Password, :LdapUser`), u)
if err != nil {
log.Printf("SaveUser error executing sql record : '%s'\n", err)
return &User{}, err
} else {
affected, _ := result.RowsAffected()
id, _ := result.LastInsertId()
log.Printf("SaveUser insert returned result id '%d' affecting %d row(s).\n", id, affected)
}
} else {
log.Printf("SaveUser Username already exists : '%v'\n", err)
}
return u, nil
}
func (u *User) DeleteUser() error {
// Validate username exists
_, err := UserGetByName(u.UserName)
if err != nil {
log.Printf("DeleteUser error finding user account to remove : '%s'\n", err)
return err
} else {
log.Printf("DeleteUser confirmed user exists, continuing with deletion of user '%s'\n", u.UserName)
result, err := db.NamedExec((`DELETE FROM users WHERE UserName = :UserName`), u)
if err != nil {
log.Printf("DeleteUser error executing sql delete : '%s'\n", err)
return err
} else {
affected, _ := result.RowsAffected()
id, _ := result.LastInsertId()
log.Printf("DeleteUser returned result id '%d' affecting %d row(s).\n", id, affected)
}
}
return nil
}
func VerifyPassword(password, hashedPassword string) error {
if len(password) == 0 {
return errors.New("unable to verify empty password")
}
if len(hashedPassword) == 0 {
return errors.New("unable to compare password with empty hash")
}
log.Printf("VerifyPassword comparing input against hashed value '%s'\n", hashedPassword)
return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password))
}
func LoginCheck(username string, password string) (string, error) {
var err error
newLdapUser := false
u := User{}
// Query database for matching user object
err = db.QueryRowx("SELECT * FROM Users WHERE Username=?", username).StructScan(&u)
if err != nil {
if err == sql.ErrNoRows {
// check LDAP if enabled
if LdapEnabled {
ldapUser, err := LdapLoginCheck(username, password)
if err != nil {
errString := fmt.Sprintf("LoginCheck error checking LDAP for user : '%s'\n", err)
log.Print(errString)
return "", errors.New(errString)
}
if ldapUser == (User{}) {
errString := fmt.Sprintf("LoginCheck user not found in LDAP : '%s'\n", err)
log.Print(errString)
return "", errors.New(errString)
} else {
log.Printf("LoginCheck verified LDAP user successfully\n")
u = ldapUser
// Since this user wasn't in the database, they must have been logging in for the first time
// So we don't need to repeat the ldap bind and verification
newLdapUser = true
}
} else {
// LDAP is not enabled, if user is not in the database then they can't login
return "", errors.New("specified user not found in database")
}
}
} else {
log.Printf("LoginCheck retrieved user '%v' from database\n", u)
}
log.Printf("u: %v\n", u)
if !u.LdapUser {
// Locally defined user, perform password verification
err = VerifyPassword(password, u.Password)
if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
log.Printf("LoginCheck says password doesn't match stored hash.\n")
return "", err
} else {
log.Printf("LoginCheck verified password against stored hash.\n")
}
} else {
// LDAP user, verify credential if user wasn't logging in for the first time
if !newLdapUser {
err := VerifyLdapCreds(username, password)
if err != nil {
errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
log.Print(errString)
return "", errors.New(errString)
} else {
log.Printf("LoginCheck successfully verified LDAP user\n")
}
} else {
log.Printf("LoginCheck no need to repeat LDAP bind for new user login\n")
}
}
// If we reached this point then the login was successful
// Generate a new token and return it to the user
log.Printf("LoginCheck generating token for user id '%d'\n", uint(u.UserId))
token, err := token.GenerateToken(uint(u.UserId))
if err != nil {
log.Printf("LoginCheck error generating token : '%s'\n", err)
return "", err
}
return token, nil
}
func LdapLoginCheck(username string, password string) (User, error) {
var u User
u.UserName = username
// try to get LDAP group membership
ldapGroups, err := LdapGetGroupMembership(username, password)
if err != nil {
if err.Error() == "invalid user credentials" {
return u, nil
} else {
return u, err
}
}
// Compare all roles against the list of user's group membership
//roleList, err := QueryRoles()
groupList, err := GroupList()
if err != nil {
return u, err
}
matchFound := false
/*
for _, role := range roleList {
for _, group := range groups {
if role.LdapGroup == group {
log.Printf("Found match with role '%s' and LDAP group '%s', user is allowed role ID '%d'\n", role.RoleName, role.LdapGroup, role.RoleId)
u.RoleId = role.RoleId
matchFound = true
break
} //else {
//log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
//}
}
}
*/
for _, group := range groupList {
for _, lg := range ldapGroups {
if group.LdapDn == lg {
log.Printf("Found match with groupname '%s' and LDAP group DN '%s', user is a member of group ID '%d'\n", group.GroupName, group.LdapDn, group.GroupId)
u.GroupId = group.GroupId
matchFound = true
break
} else {
log.Printf("Groupname '%s' with LDAP group '%s' not match user group '%s'\n", group.GroupName, group.LdapDn, lg)
}
}
}
if matchFound {
// If we found a match, then store user with appropriate role ID
u.LdapUser = true
u.SaveUser()
}
return u, nil
}
// StoreLdapUser creates a user record in the database and returns the corresponding userId
func StoreLdapUser(u *User) error {
// TODO
return nil
}
func UserGetByID(uid uint) (User, error) {
var u User
// Query database for matching user object
err := db.QueryRowx("SELECT * FROM users WHERE UserId=?", uid).StructScan(&u)
if err != nil {
return u, errors.New("user not found")
}
/*
if err := DB.First(&u, uid).Error; err != nil {
return u, errors.New("User not found!")
}
*/
//u.PrepareGive()
return u, nil
}
func UserGetByName(username string) (User, error) {
var u User
// Query database for matching user object
err := db.QueryRowx("SELECT * FROM users WHERE UserName=?", username).StructScan(&u)
if err != nil {
return u, errors.New("user not found")
}
return u, nil
}
/*
func GetUserRoleByID(uid uint) (UserRole, error) {
var ur UserRole
// Query database for matching user object
log.Printf("GetUserRoleByID querying for userid '%d'\n", uid)
err := db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, users.LdapUser, users.LdapDN, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", uid).StructScan(&ur)
if err != nil {
log.Printf("GetUserRoleByID received error when querying database : '%s'\n", err)
return ur, errors.New("GetUserRoleByID user not found")
}
return ur, nil
}
*/
func UserGetGroupByID(uid uint) (UserGroup, error) {
var ug UserGroup
// Query database for matching user object
log.Printf("UserGetGroupByID querying for userid '%d'\n", uid)
err := db.QueryRowx("SELECT users.UserId, users.GroupId, users.UserName, users.Password, users.LdapUser, groups.GroupName, groups.LdapGroup, groups.LdapDN, groups.Admin FROM users INNER JOIN groups ON users.GroupId = groups.GroupId WHERE users.UserId=?", uid).StructScan(&ug)
if err != nil {
log.Printf("UserGetGroupByID received error when querying database : '%s'\n", err)
return ug, errors.New("UserGetGroupByID user id not found")
}
return ug, nil
}
/*
func UserGetRoleFromToken(c *gin.Context) (UserRole, error) {
var ur UserRole
user_id, err := token.ExtractTokenID(c)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return ur, err
}
// Query database for matching user object
log.Printf("UserGetRoleFromToken querying for userid '%d'\n", user_id)
err = db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, users.LdapUser, users.LdapDN, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", user_id).StructScan(&ur)
if err != nil {
log.Printf("UserGetRoleFromToken received error when querying database : '%s'\n", err)
return ur, errors.New("UserGetRoleFromToken user not found")
}
return ur, nil
}
*/
func UserGetSafesAllowed(userId int) ([]UserSafe, error) {
var results []UserSafe
// join users, groups and permissions
rows, err := db.Queryx("SELECT users.UserId, users.GroupId, users.Admin as AdminUser, groups.Admin as AdminGroup, permissions.SafeId, safe.SafeName FROM users INNER JOIN groups ON users.GroupId = groups.GroupId INNER JOIN permissions ON groups.GroupId = permissions.GroupId INNER JOIN safes on permissions.SafeId = safes.SafeId WHERE users.UserId=?", userId)
if err != nil {
log.Printf("UserGetSafesAllowed error executing sql record : '%s'\n", err)
return results, err
} else {
// parse all the results into a slice
for rows.Next() {
var us UserSafe
err = rows.StructScan(&us)
if err != nil {
log.Printf("UserGetSafesAllowed error parsing sql record : '%s'\n", err)
return results, err
}
results = append(results, us)
}
log.Printf("UserGetSafesAllowed retrieved '%d' results\n", len(results))
}
return results, nil
}
func UserList() ([]User, error) {
var results []User
// Query database for role definitions
rows, err := db.Queryx("SELECT * FROM users")
if err != nil {
log.Printf("QueryUsers error executing sql record : '%s'\n", err)
return results, err
} else {
// parse all the results into a slice
for rows.Next() {
var u User
err = rows.StructScan(&u)
if err != nil {
log.Printf("QueryUsers error parsing sql record : '%s'\n", err)
return results, err
}
results = append(results, u)
}
log.Printf("QueryUsers retrieved '%d' results\n", len(results))
}
return results, nil
}
func UserCheckIfAdmin(userId int) bool {
// TODO
u, err := UserGetByID(uint(userId))
if err != nil {
log.Printf("UserCheckIfAdmin received error : '%s'\n", err)
return false
}
return u.Admin
}
func UserGetSafe() {
}
// need a way of checking what safe a user has access to
// if they only have access to one then that is easy
// if they are an admin then they have access to everything
Reference in New Issue View Git Blame Copy Permalink