auto create account, sync ldap disabled flag

2025-08-25 14:31:14 +00:00 · 2020-11-16 22:39:41 +01:00
parent 1dee239f4f
commit 7b651da1d7
8 changed files with 106 additions and 20 deletions
--- a/internal/server/core.go
+++ b/internal/server/core.go
@@ -157,7 +157,7 @@ func (s *Server) Run() {
 		go func(s *Server) {
 			for {
 				time.Sleep(CacheRefreshDuration)
-				if err := s.ldapCacheUpdater.Update(true); err != nil {
+				if err := s.ldapCacheUpdater.Update(true, true); err != nil {
 					log.Warnf("Failed to update ldap group cache: %v", err)
 				}
 				log.Debugf("Refreshed LDAP permissions!")
@@ -165,6 +165,18 @@ func (s *Server) Run() {
 		}(s)
 	}

+	if !s.ldapDisabled && s.config.Core.SyncLdapStatus {
+		go func(s *Server) {
+			for {
+				time.Sleep(CacheRefreshDuration)
+				if err := s.SyncLdapAttributesWithWireGuard(); err != nil {
+					log.Warnf("Failed to synchronize ldap attributes: %v", err)
+				}
+				log.Debugf("Synced LDAP attributes!")
+			}
+		}(s)
+	}
+
 	// Run web service
 	err := s.server.Run(s.config.Core.ListeningAddress)
 	if err != nil {
--- a/internal/server/handlers_auth.go
+++ b/internal/server/handlers_auth.go
@@ -4,6 +4,8 @@ import (
 	"net/http"
 	"strings"

+	log "github.com/sirupsen/logrus"
+
 	"github.com/gin-gonic/gin"
 )

@@ -95,6 +97,21 @@ func (s *Server) PostLogin(c *gin.Context) {
 		}
 	}

+	// Check if user already has a peer setup, if not create one
+	if s.config.Core.CreateInterfaceOnLogin && !adminAuthenticated {
+		users := s.users.GetUsersByMail(sessionData.Email)
+
+		if len(users) == 0 { // Create vpn peer
+			err := s.CreateUser(User{
+				Identifier: sessionData.Firstname + " " + sessionData.Lastname + " (Default)",
+				Email:      sessionData.Email,
+				CreatedBy:  sessionData.Email,
+				UpdatedBy:  sessionData.Email,
+			})
+			log.Errorf("Failed to automatically create vpn peer for %s: %v", sessionData.Email, err)
+		}
+	}
+
 	if err := s.updateSessionData(c, sessionData); err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to save session")
 		return
--- a/internal/server/ldapsync.go
+++ b/internal/server/ldapsync.go
@@ -0,0 +1,34 @@
+package server
+
+import (
+	"time"
+
+	"github.com/h44z/wg-portal/internal/ldap"
+	log "github.com/sirupsen/logrus"
+)
+
+// SyncLdapAttributesWithWireGuard starts to synchronize the "disabled" attribute from ldap.
+// Users will be automatically disabled once they are disabled in ldap.
+// This method is blocking.
+func (s *Server) SyncLdapAttributesWithWireGuard() error {
+	allUsers := s.users.GetAllUsers()
+	for i := range allUsers {
+		user := allUsers[i]
+		if user.LdapUser == nil {
+			continue // skip non ldap users
+		}
+
+		if user.DeactivatedAt != nil {
+			continue // skip already disabled interfaces
+		}
+
+		if ldap.IsLdapUserDisabled(allUsers[i].LdapUser.Attributes["userAccountControl"]) {
+			now := time.Now()
+			user.DeactivatedAt = &now
+			if err := s.UpdateUser(user, now); err != nil {
+				log.Errorf("Failed to disable user %s: %v", user.Email, err)
+			}
+		}
+	}
+	return nil
+}