WIP: new user management and authentication system, use go 1.16 embed

internal/server/ldapsync.go

@@ -4,31 +4,147 @@ import (
 	"time"
 
 	"github.com/h44z/wg-portal/internal/ldap"
+	"github.com/h44z/wg-portal/internal/users"
 	"github.com/sirupsen/logrus"
+	"gorm.io/gorm"
 )
 
-// SyncLdapAttributesWithWireGuard starts to synchronize the "disabled" attribute from ldap.
-// Users will be automatically disabled once they are disabled in ldap.
-// This method is blocking.
-func (s *Server) SyncLdapAttributesWithWireGuard() error {
-	allUsers := s.users.GetAllUsers()
-	for i := range allUsers {
-		user := allUsers[i]
-		if user.LdapUser == nil {
-			continue // skip non ldap users
+func (s *Server) SyncLdapWithUserDatabase() {
+	logrus.Info("starting ldap user synchronization...")
+	running := true
+	for running {
+		// Select blocks until one of the cases happens
+		select {
+		case <-time.After(1 * time.Minute):
+			// Sleep for 1 minute
+		case <-s.ctx.Done():
+			logrus.Trace("ldap-sync shutting down (context ended)...")
+			running = false
+			continue
 		}
 
-		if user.DeactivatedAt != nil {
-			continue // skip already disabled interfaces
+		// Main work here
+		logrus.Trace("syncing ldap users to database...")
+		ldapUsers, err := ldap.FindAllUsers(&s.config.LDAP)
+		if err != nil {
+			logrus.Errorf("failed to fetch users from ldap: %v", err)
+			continue
 		}
 
-		if ldap.IsLdapUserDisabled(allUsers[i].LdapUser.Attributes["userAccountControl"]) {
-			now := time.Now()
-			user.DeactivatedAt = &now
-			if err := s.UpdateUser(user, now); err != nil {
-				logrus.Errorf("Failed to disable user %s: %v", user.Email, err)
+		for i := range ldapUsers {
+			// prefilter
+			if ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute] == "" ||
+				ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute] == "" ||
+				ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute] == "" {
+				continue
+			}
+
+			user, err := s.users.GetOrCreateUserUnscoped(ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute])
+			if err != nil {
+				logrus.Errorf("failed to get/create user %s in database: %v", ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute], err)
+			}
+
+			// check if user should be deactivated
+			ldapDeactivated := false
+			switch s.config.LDAP.Type {
+			case ldap.TypeActiveDirectory:
+				ldapDeactivated = ldap.IsActiveDirectoryUserDisabled(ldapUsers[i].Attributes[s.config.LDAP.DisabledAttribute])
+			case ldap.TypeOpenLDAP:
+				ldapDeactivated = ldap.IsOpenLdapUserDisabled(ldapUsers[i].Attributes[s.config.LDAP.DisabledAttribute])
+			}
+
+			// check if user has been disabled in ldap, update peers accordingly
+			if ldapDeactivated != user.DeletedAt.Valid {
+				if ldapDeactivated {
+					// disable all peers for the given user
+					for _, peer := range s.peers.GetPeersByMail(user.Email) {
+						now := time.Now()
+						peer.DeactivatedAt = &now
+						if err = s.UpdatePeer(peer, now); err != nil {
+							logrus.Errorf("failed to update deactivated peer %s: %v", peer.PublicKey, err)
+						}
+					}
+				} else {
+					// enable all peers for the given user
+					for _, peer := range s.peers.GetPeersByMail(user.Email) {
+						now := time.Now()
+						peer.DeactivatedAt = nil
+						if err = s.UpdatePeer(peer, now); err != nil {
+							logrus.Errorf("failed to update activated peer %s: %v", peer.PublicKey, err)
+						}
+					}
+				}
+			}
+
+			// Sync attributes from ldap
+			if s.UserChangedInLdap(user, &ldapUsers[i]) {
+				user.Firstname = ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute]
+				user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
+				user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
+				user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute]
+				user.IsAdmin = false
+				user.Source = users.UserSourceLdap
+				user.DeletedAt = gorm.DeletedAt{} // Not deleted
+
+				for _, group := range ldapUsers[i].RawAttributes[s.config.LDAP.GroupMemberAttribute] {
+					if string(group) == s.config.LDAP.AdminLdapGroup {
+						user.IsAdmin = true
+						break
+					}
+				}
+
+				if ldapDeactivated {
+					if err = s.users.DeleteUser(user); err != nil {
+						logrus.Errorf("failed to delete deactivated user %s in database: %v", user.Email, err)
+						continue
+					}
+				} else {
+					if err = s.users.UpdateUser(user); err != nil {
+						logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
+						continue
+					}
+				}
 			}
 		}
 	}
-	return nil
+	logrus.Info("ldap user synchronization stopped")
+}
+
+func (s Server) UserChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool {
+	if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] {
+		return true
+	}
+	if user.Lastname != ldapData.Attributes[s.config.LDAP.LastNameAttribute] {
+		return true
+	}
+	if user.Email != ldapData.Attributes[s.config.LDAP.EmailAttribute] {
+		return true
+	}
+	if user.Phone != ldapData.Attributes[s.config.LDAP.PhoneAttribute] {
+		return true
+	}
+
+	ldapDeactivated := false
+	switch s.config.LDAP.Type {
+	case ldap.TypeActiveDirectory:
+		ldapDeactivated = ldap.IsActiveDirectoryUserDisabled(ldapData.Attributes[s.config.LDAP.DisabledAttribute])
+	case ldap.TypeOpenLDAP:
+		ldapDeactivated = ldap.IsOpenLdapUserDisabled(ldapData.Attributes[s.config.LDAP.DisabledAttribute])
+	}
+	if ldapDeactivated != user.DeletedAt.Valid {
+		return true
+	}
+
+	ldapAdmin := false
+	for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
+		if string(group) == s.config.LDAP.AdminLdapGroup {
+			ldapAdmin = true
+			break
+		}
+	}
+	if user.IsAdmin != ldapAdmin {
+		return true
+	}
+
+	return false
 }