mirror of
https://github.com/h44z/wg-portal.git
synced 2026-01-29 06:36:24 +00:00
feat: allow multiple auth sources per user (#500,#477) (#612)
* feat: allow multiple auth sources per user (#500,#477) * only override isAdmin flag if it is provided by the authentication source
This commit is contained in:
h44z
GitHub
@@ -23,9 +23,6 @@ import (
|
||||
"github.com/h44z/wg-portal/internal/domain"
|
||||
)
|
||||
|
||||
// SchemaVersion describes the current database schema version. It must be incremented if a manual migration is needed.
|
||||
var SchemaVersion uint64 = 2
|
||||
|
||||
// SysStat stores the current database schema version and the timestamp when it was applied.
|
||||
type SysStat struct {
|
||||
MigratedAt time.Time `gorm:"column:migrated_at"`
|
||||
@@ -225,6 +222,8 @@ func (r *SqlRepo) preCheck() error {
|
||||
func (r *SqlRepo) migrate() error {
|
||||
slog.Debug("running migration: sys-stat", "result", r.db.AutoMigrate(&SysStat{}))
|
||||
slog.Debug("running migration: user", "result", r.db.AutoMigrate(&domain.User{}))
|
||||
slog.Debug("running migration: user authentications", "result",
|
||||
r.db.AutoMigrate(&domain.UserAuthentication{}))
|
||||
slog.Debug("running migration: user webauthn credentials", "result",
|
||||
r.db.AutoMigrate(&domain.UserWebauthnCredential{}))
|
||||
slog.Debug("running migration: interface", "result", r.db.AutoMigrate(&domain.Interface{}))
|
||||
@@ -238,35 +237,84 @@ func (r *SqlRepo) migrate() error {
|
||||
|
||||
// Migration: 0 --> 1
|
||||
if existingSysStat.SchemaVersion == 0 {
|
||||
const schemaVersion = 1
|
||||
sysStat := SysStat{
|
||||
MigratedAt: time.Now(),
|
||||
SchemaVersion: SchemaVersion,
|
||||
SchemaVersion: schemaVersion,
|
||||
}
|
||||
if err := r.db.Create(&sysStat).Error; err != nil {
|
||||
return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", SchemaVersion, err)
|
||||
return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
|
||||
}
|
||||
slog.Debug("sys-stat entry written", "schema_version", SchemaVersion)
|
||||
slog.Debug("sys-stat entry written", "schema_version", schemaVersion)
|
||||
existingSysStat = sysStat // ensure that follow-up checks test against the latest version
|
||||
}
|
||||
|
||||
// Migration: 1 --> 2
|
||||
if existingSysStat.SchemaVersion == 1 {
|
||||
const schemaVersion = 2
|
||||
// Preserve existing behavior for installations that had default-peer-creation enabled.
|
||||
if r.cfg.Core.CreateDefaultPeer {
|
||||
err := r.db.Model(&domain.Interface{}).
|
||||
Where("type = ?", domain.InterfaceTypeServer).
|
||||
Update("create_default_peer", true).Error
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to migrate interface flags for schema version %d: %w", SchemaVersion, err)
|
||||
return fmt.Errorf("failed to migrate interface flags for schema version %d: %w", schemaVersion, err)
|
||||
}
|
||||
slog.Debug("migrated interface create_default_peer flags", "schema_version", SchemaVersion)
|
||||
slog.Debug("migrated interface create_default_peer flags", "schema_version", schemaVersion)
|
||||
}
|
||||
sysStat := SysStat{
|
||||
MigratedAt: time.Now(),
|
||||
SchemaVersion: SchemaVersion,
|
||||
SchemaVersion: schemaVersion,
|
||||
}
|
||||
if err := r.db.Create(&sysStat).Error; err != nil {
|
||||
return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", SchemaVersion, err)
|
||||
return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
|
||||
}
|
||||
existingSysStat = sysStat // ensure that follow-up checks test against the latest version
|
||||
}
|
||||
|
||||
// Migration: 2 --> 3
|
||||
if existingSysStat.SchemaVersion == 2 {
|
||||
const schemaVersion = 3
|
||||
// Migration to multi-auth
|
||||
err := r.db.Transaction(func(tx *gorm.DB) error {
|
||||
var users []domain.User
|
||||
if err := tx.Find(&users).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
now := time.Now()
|
||||
for _, user := range users {
|
||||
auth := domain.UserAuthentication{
|
||||
BaseModel: domain.BaseModel{
|
||||
CreatedBy: domain.CtxSystemDBMigrator,
|
||||
UpdatedBy: domain.CtxSystemDBMigrator,
|
||||
CreatedAt: now,
|
||||
UpdatedAt: now,
|
||||
},
|
||||
UserIdentifier: user.Identifier,
|
||||
Source: user.Source,
|
||||
ProviderName: user.ProviderName,
|
||||
}
|
||||
if err := tx.Create(&auth).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
slog.Debug("migrated users to multi-auth model", "schema_version", schemaVersion)
|
||||
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to migrate to multi-auth: %w", err)
|
||||
}
|
||||
sysStat := SysStat{
|
||||
MigratedAt: time.Now(),
|
||||
SchemaVersion: schemaVersion,
|
||||
}
|
||||
if err := r.db.Create(&sysStat).Error; err != nil {
|
||||
return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
|
||||
}
|
||||
existingSysStat = sysStat // ensure that follow-up checks test against the latest version
|
||||
}
|
||||
|
||||
return nil
|
||||
@@ -776,7 +824,7 @@ func (r *SqlRepo) GetUsedIpsPerSubnet(ctx context.Context, subnets []domain.Cidr
|
||||
func (r *SqlRepo) GetUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error) {
|
||||
var user domain.User
|
||||
|
||||
err := r.db.WithContext(ctx).Preload("WebAuthnCredentialList").First(&user, id).Error
|
||||
err := r.db.WithContext(ctx).Preload("WebAuthnCredentialList").Preload("Authentications").First(&user, id).Error
|
||||
|
||||
if err != nil && errors.Is(err, gorm.ErrRecordNotFound) {
|
||||
return nil, domain.ErrNotFound
|
||||
@@ -794,7 +842,8 @@ func (r *SqlRepo) GetUser(ctx context.Context, id domain.UserIdentifier) (*domai
|
||||
func (r *SqlRepo) GetUserByEmail(ctx context.Context, email string) (*domain.User, error) {
|
||||
var users []domain.User
|
||||
|
||||
err := r.db.WithContext(ctx).Where("email = ?", email).Preload("WebAuthnCredentialList").Find(&users).Error
|
||||
err := r.db.WithContext(ctx).Where("email = ?",
|
||||
email).Preload("WebAuthnCredentialList").Preload("Authentications").Find(&users).Error
|
||||
if err != nil && errors.Is(err, gorm.ErrRecordNotFound) {
|
||||
return nil, domain.ErrNotFound
|
||||
}
|
||||
@@ -834,7 +883,7 @@ func (r *SqlRepo) GetUserByWebAuthnCredential(ctx context.Context, credentialIdB
|
||||
func (r *SqlRepo) GetAllUsers(ctx context.Context) ([]domain.User, error) {
|
||||
var users []domain.User
|
||||
|
||||
err := r.db.WithContext(ctx).Preload("WebAuthnCredentialList").Find(&users).Error
|
||||
err := r.db.WithContext(ctx).Preload("WebAuthnCredentialList").Preload("Authentications").Find(&users).Error
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -854,6 +903,7 @@ func (r *SqlRepo) FindUsers(ctx context.Context, search string) ([]domain.User,
|
||||
Or("lastname LIKE ?", searchValue).
|
||||
Or("email LIKE ?", searchValue).
|
||||
Preload("WebAuthnCredentialList").
|
||||
Preload("Authentications").
|
||||
Find(&users).Error
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -913,7 +963,17 @@ func (r *SqlRepo) getOrCreateUser(ui *domain.ContextUserInfo, tx *gorm.DB, id do
|
||||
) {
|
||||
var user domain.User
|
||||
|
||||
// userDefaults will be applied to newly created user records
|
||||
result := tx.Model(&user).Preload("WebAuthnCredentialList").Preload("Authentications").Find(&user, id)
|
||||
if result.Error != nil {
|
||||
if !errors.Is(result.Error, gorm.ErrRecordNotFound) {
|
||||
return nil, result.Error
|
||||
}
|
||||
}
|
||||
if result.Error == nil && result.RowsAffected > 0 {
|
||||
return &user, nil
|
||||
}
|
||||
|
||||
// create a new user record if no user record exists yet
|
||||
userDefaults := domain.User{
|
||||
BaseModel: domain.BaseModel{
|
||||
CreatedBy: ui.UserId(),
|
||||
@@ -922,16 +982,15 @@ func (r *SqlRepo) getOrCreateUser(ui *domain.ContextUserInfo, tx *gorm.DB, id do
|
||||
UpdatedAt: time.Now(),
|
||||
},
|
||||
Identifier: id,
|
||||
Source: domain.UserSourceDatabase,
|
||||
IsAdmin: false,
|
||||
}
|
||||
|
||||
err := tx.Attrs(userDefaults).FirstOrCreate(&user, id).Error
|
||||
err := tx.Create(&userDefaults).Error
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &user, nil
|
||||
return &userDefaults, nil
|
||||
}
|
||||
|
||||
func (r *SqlRepo) upsertUser(ui *domain.ContextUserInfo, tx *gorm.DB, user *domain.User) error {
|
||||
@@ -948,6 +1007,11 @@ func (r *SqlRepo) upsertUser(ui *domain.ContextUserInfo, tx *gorm.DB, user *doma
|
||||
return fmt.Errorf("failed to update users webauthn credentials: %w", err)
|
||||
}
|
||||
|
||||
err = tx.Session(&gorm.Session{FullSaveAssociations: true}).Unscoped().Model(user).Association("Authentications").Unscoped().Replace(user.Authentications)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to update users authentications: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@@ -2676,6 +2676,12 @@
|
||||
"ApiTokenCreated": {
|
||||
"type": "string"
|
||||
},
|
||||
"AuthSources": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"Department": {
|
||||
"type": "string"
|
||||
},
|
||||
@@ -2719,14 +2725,11 @@
|
||||
"PeerCount": {
|
||||
"type": "integer"
|
||||
},
|
||||
"PersistLocalChanges": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"Phone": {
|
||||
"type": "string"
|
||||
},
|
||||
"ProviderName": {
|
||||
"type": "string"
|
||||
},
|
||||
"Source": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@@ -431,6 +431,10 @@ definitions:
|
||||
type: string
|
||||
ApiTokenCreated:
|
||||
type: string
|
||||
AuthSources:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
Department:
|
||||
type: string
|
||||
Disabled:
|
||||
@@ -461,12 +465,10 @@ definitions:
|
||||
type: string
|
||||
PeerCount:
|
||||
type: integer
|
||||
PersistLocalChanges:
|
||||
type: boolean
|
||||
Phone:
|
||||
type: string
|
||||
ProviderName:
|
||||
type: string
|
||||
Source:
|
||||
type: string
|
||||
type: object
|
||||
model.WebAuthnCredentialRequest:
|
||||
properties:
|
||||
|
||||
@@ -2132,6 +2132,22 @@
|
||||
"minLength": 32,
|
||||
"example": ""
|
||||
},
|
||||
"AuthSources": {
|
||||
"description": "The source of the user. This field is optional.",
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"db",
|
||||
"ldap",
|
||||
"oauth"
|
||||
]
|
||||
},
|
||||
"readOnly": true,
|
||||
"example": [
|
||||
"db"
|
||||
]
|
||||
},
|
||||
"Department": {
|
||||
"description": "The department of the user. This field is optional.",
|
||||
"type": "string",
|
||||
@@ -2205,22 +2221,6 @@
|
||||
"description": "The phone number of the user. This field is optional.",
|
||||
"type": "string",
|
||||
"example": "+1234546789"
|
||||
},
|
||||
"ProviderName": {
|
||||
"description": "The name of the authentication provider. This field is read-only.",
|
||||
"type": "string",
|
||||
"readOnly": true,
|
||||
"example": ""
|
||||
},
|
||||
"Source": {
|
||||
"description": "The source of the user. This field is optional.",
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"db",
|
||||
"ldap",
|
||||
"oauth"
|
||||
],
|
||||
"example": "db"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@@ -490,6 +490,18 @@ definitions:
|
||||
maxLength: 64
|
||||
minLength: 32
|
||||
type: string
|
||||
AuthSources:
|
||||
description: The source of the user. This field is optional.
|
||||
example:
|
||||
- db
|
||||
items:
|
||||
enum:
|
||||
- db
|
||||
- ldap
|
||||
- oauth
|
||||
type: string
|
||||
readOnly: true
|
||||
type: array
|
||||
Department:
|
||||
description: The department of the user. This field is optional.
|
||||
example: Software Development
|
||||
@@ -552,19 +564,6 @@ definitions:
|
||||
description: The phone number of the user. This field is optional.
|
||||
example: "+1234546789"
|
||||
type: string
|
||||
ProviderName:
|
||||
description: The name of the authentication provider. This field is read-only.
|
||||
example: ""
|
||||
readOnly: true
|
||||
type: string
|
||||
Source:
|
||||
description: The source of the user. This field is optional.
|
||||
enum:
|
||||
- db
|
||||
- ldap
|
||||
- oauth
|
||||
example: db
|
||||
type: string
|
||||
required:
|
||||
- Identifier
|
||||
type: object
|
||||
|
||||
@@ -3,6 +3,7 @@ package backend
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"slices"
|
||||
"strings"
|
||||
|
||||
"github.com/h44z/wg-portal/internal/config"
|
||||
@@ -95,8 +96,10 @@ func (u UserService) ChangePassword(
|
||||
}
|
||||
|
||||
// ensure that the user uses the database backend; otherwise we can't change the password
|
||||
if user.Source != domain.UserSourceDatabase {
|
||||
return nil, fmt.Errorf("user source %s does not support password changes", user.Source)
|
||||
if !slices.ContainsFunc(user.Authentications, func(authentication domain.UserAuthentication) bool {
|
||||
return authentication.Source == domain.UserSourceDatabase
|
||||
}) {
|
||||
return nil, fmt.Errorf("user has no linked authentication source that does support password changes")
|
||||
}
|
||||
|
||||
// validate old password
|
||||
|
||||
@@ -3,15 +3,15 @@ package model
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/h44z/wg-portal/internal"
|
||||
"github.com/h44z/wg-portal/internal/domain"
|
||||
)
|
||||
|
||||
type User struct {
|
||||
Identifier string `json:"Identifier"`
|
||||
Email string `json:"Email"`
|
||||
Source string `json:"Source"`
|
||||
ProviderName string `json:"ProviderName"`
|
||||
IsAdmin bool `json:"IsAdmin"`
|
||||
Identifier string `json:"Identifier"`
|
||||
Email string `json:"Email"`
|
||||
AuthSources []string `json:"AuthSources"`
|
||||
IsAdmin bool `json:"IsAdmin"`
|
||||
|
||||
Firstname string `json:"Firstname"`
|
||||
Lastname string `json:"Lastname"`
|
||||
@@ -29,6 +29,8 @@ type User struct {
|
||||
ApiTokenCreated *time.Time `json:"ApiTokenCreated,omitempty"`
|
||||
ApiEnabled bool `json:"ApiEnabled"`
|
||||
|
||||
PersistLocalChanges bool `json:"PersistLocalChanges"`
|
||||
|
||||
// Calculated
|
||||
|
||||
PeerCount int `json:"PeerCount"`
|
||||
@@ -36,24 +38,26 @@ type User struct {
|
||||
|
||||
func NewUser(src *domain.User, exposeCreds bool) *User {
|
||||
u := &User{
|
||||
Identifier: string(src.Identifier),
|
||||
Email: src.Email,
|
||||
Source: string(src.Source),
|
||||
ProviderName: src.ProviderName,
|
||||
IsAdmin: src.IsAdmin,
|
||||
Firstname: src.Firstname,
|
||||
Lastname: src.Lastname,
|
||||
Phone: src.Phone,
|
||||
Department: src.Department,
|
||||
Notes: src.Notes,
|
||||
Password: "", // never fill password
|
||||
Disabled: src.IsDisabled(),
|
||||
DisabledReason: src.DisabledReason,
|
||||
Locked: src.IsLocked(),
|
||||
LockedReason: src.LockedReason,
|
||||
ApiToken: "", // by default, do not expose API token
|
||||
ApiTokenCreated: src.ApiTokenCreated,
|
||||
ApiEnabled: src.IsApiEnabled(),
|
||||
Identifier: string(src.Identifier),
|
||||
Email: src.Email,
|
||||
AuthSources: internal.Map(src.Authentications, func(authentication domain.UserAuthentication) string {
|
||||
return string(authentication.Source)
|
||||
}),
|
||||
IsAdmin: src.IsAdmin,
|
||||
Firstname: src.Firstname,
|
||||
Lastname: src.Lastname,
|
||||
Phone: src.Phone,
|
||||
Department: src.Department,
|
||||
Notes: src.Notes,
|
||||
Password: "", // never fill password
|
||||
Disabled: src.IsDisabled(),
|
||||
DisabledReason: src.DisabledReason,
|
||||
Locked: src.IsLocked(),
|
||||
LockedReason: src.LockedReason,
|
||||
ApiToken: "", // by default, do not expose API token
|
||||
ApiTokenCreated: src.ApiTokenCreated,
|
||||
ApiEnabled: src.IsApiEnabled(),
|
||||
PersistLocalChanges: src.PersistLocalChanges,
|
||||
|
||||
PeerCount: src.LinkedPeerCount,
|
||||
}
|
||||
@@ -77,22 +81,21 @@ func NewUsers(src []domain.User) []User {
|
||||
func NewDomainUser(src *User) *domain.User {
|
||||
now := time.Now()
|
||||
res := &domain.User{
|
||||
Identifier: domain.UserIdentifier(src.Identifier),
|
||||
Email: src.Email,
|
||||
Source: domain.UserSource(src.Source),
|
||||
ProviderName: src.ProviderName,
|
||||
IsAdmin: src.IsAdmin,
|
||||
Firstname: src.Firstname,
|
||||
Lastname: src.Lastname,
|
||||
Phone: src.Phone,
|
||||
Department: src.Department,
|
||||
Notes: src.Notes,
|
||||
Password: domain.PrivateString(src.Password),
|
||||
Disabled: nil, // set below
|
||||
DisabledReason: src.DisabledReason,
|
||||
Locked: nil, // set below
|
||||
LockedReason: src.LockedReason,
|
||||
LinkedPeerCount: src.PeerCount,
|
||||
Identifier: domain.UserIdentifier(src.Identifier),
|
||||
Email: src.Email,
|
||||
IsAdmin: src.IsAdmin,
|
||||
Firstname: src.Firstname,
|
||||
Lastname: src.Lastname,
|
||||
Phone: src.Phone,
|
||||
Department: src.Department,
|
||||
Notes: src.Notes,
|
||||
Password: domain.PrivateString(src.Password),
|
||||
Disabled: nil, // set below
|
||||
DisabledReason: src.DisabledReason,
|
||||
Locked: nil, // set below
|
||||
LockedReason: src.LockedReason,
|
||||
LinkedPeerCount: src.PeerCount,
|
||||
PersistLocalChanges: src.PersistLocalChanges,
|
||||
}
|
||||
|
||||
if src.Disabled {
|
||||
|
||||
@@ -3,6 +3,7 @@ package models
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/h44z/wg-portal/internal"
|
||||
"github.com/h44z/wg-portal/internal/domain"
|
||||
)
|
||||
|
||||
@@ -13,9 +14,7 @@ type User struct {
|
||||
// The email address of the user. This field is optional.
|
||||
Email string `json:"Email" binding:"omitempty,email" example:"test@test.com"`
|
||||
// The source of the user. This field is optional.
|
||||
Source string `json:"Source" binding:"oneof=db ldap oauth" example:"db"`
|
||||
// The name of the authentication provider. This field is read-only.
|
||||
ProviderName string `json:"ProviderName,omitempty" readonly:"true" example:""`
|
||||
AuthSources []string `json:"AuthSources" readonly:"true" binding:"oneof=db ldap oauth" example:"db"`
|
||||
// If this field is set, the user is an admin.
|
||||
IsAdmin bool `json:"IsAdmin" example:"false"`
|
||||
|
||||
@@ -52,10 +51,11 @@ type User struct {
|
||||
|
||||
func NewUser(src *domain.User, exposeCredentials bool) *User {
|
||||
u := &User{
|
||||
Identifier: string(src.Identifier),
|
||||
Email: src.Email,
|
||||
Source: string(src.Source),
|
||||
ProviderName: src.ProviderName,
|
||||
Identifier: string(src.Identifier),
|
||||
Email: src.Email,
|
||||
AuthSources: internal.Map(src.Authentications, func(authentication domain.UserAuthentication) string {
|
||||
return string(authentication.Source)
|
||||
}),
|
||||
IsAdmin: src.IsAdmin,
|
||||
Firstname: src.Firstname,
|
||||
Lastname: src.Lastname,
|
||||
@@ -93,8 +93,6 @@ func NewDomainUser(src *User) *domain.User {
|
||||
res := &domain.User{
|
||||
Identifier: domain.UserIdentifier(src.Identifier),
|
||||
Email: src.Email,
|
||||
Source: domain.UserSource(src.Source),
|
||||
ProviderName: src.ProviderName,
|
||||
IsAdmin: src.IsAdmin,
|
||||
Firstname: src.Firstname,
|
||||
Lastname: src.Lastname,
|
||||
|
||||
@@ -129,8 +129,6 @@ func (a *App) createDefaultUser(ctx context.Context) error {
|
||||
},
|
||||
Identifier: adminUserId,
|
||||
Email: "admin@wgportal.local",
|
||||
Source: domain.UserSourceDatabase,
|
||||
ProviderName: "",
|
||||
IsAdmin: true,
|
||||
Firstname: "WireGuard Portal",
|
||||
Lastname: "Admin",
|
||||
|
||||
@@ -29,8 +29,8 @@ type UserManager interface {
|
||||
GetUser(context.Context, domain.UserIdentifier) (*domain.User, error)
|
||||
// RegisterUser creates a new user in the database.
|
||||
RegisterUser(ctx context.Context, user *domain.User) error
|
||||
// UpdateUser updates an existing user in the database.
|
||||
UpdateUser(ctx context.Context, user *domain.User) (*domain.User, error)
|
||||
// UpdateUserInternal updates an existing user in the database.
|
||||
UpdateUserInternal(ctx context.Context, user *domain.User) (*domain.User, error)
|
||||
}
|
||||
|
||||
type EventBus interface {
|
||||
@@ -232,7 +232,7 @@ func (a *Authenticator) setupExternalAuthProviders(
|
||||
}
|
||||
for i := range ldap { // LDAP
|
||||
providerCfg := &ldap[i]
|
||||
providerId := strings.ToLower(providerCfg.URL)
|
||||
providerId := strings.ToLower(providerCfg.ProviderName)
|
||||
|
||||
if _, exists := a.ldapAuthenticators[providerId]; exists {
|
||||
// this is an unrecoverable error, we cannot register the same provider twice
|
||||
@@ -354,21 +354,45 @@ func (a *Authenticator) passwordAuthentication(
|
||||
var ldapProvider AuthenticatorLdap
|
||||
|
||||
var userInDatabase = false
|
||||
var userSource domain.UserSource
|
||||
existingUser, err := a.users.GetUser(ctx, identifier)
|
||||
if err == nil {
|
||||
userInDatabase = true
|
||||
userSource = existingUser.Source
|
||||
}
|
||||
if userInDatabase && (existingUser.IsLocked() || existingUser.IsDisabled()) {
|
||||
return nil, errors.New("user is locked")
|
||||
}
|
||||
|
||||
if !userInDatabase || userSource == domain.UserSourceLdap {
|
||||
// search user in ldap if registration is enabled
|
||||
authOK := false
|
||||
if userInDatabase {
|
||||
// User is already in db, search for authentication sources which support password authentication and
|
||||
// validate the password.
|
||||
for _, authentication := range existingUser.Authentications {
|
||||
if authentication.Source == domain.UserSourceDatabase {
|
||||
err := existingUser.CheckPassword(password)
|
||||
if err == nil {
|
||||
authOK = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if authentication.Source == domain.UserSourceLdap {
|
||||
ldapProvider, ok := a.ldapAuthenticators[strings.ToLower(authentication.ProviderName)]
|
||||
if !ok {
|
||||
continue // ldap provider not found, skip further checks
|
||||
}
|
||||
err := ldapProvider.PlaintextAuthentication(identifier, password)
|
||||
if err == nil {
|
||||
authOK = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// User is not yet in the db, check ldap providers which have registration enabled.
|
||||
// If the user is found, check the password - on success, sync it to the db.
|
||||
for _, ldapAuth := range a.ldapAuthenticators {
|
||||
if !userInDatabase && !ldapAuth.RegistrationEnabled() {
|
||||
continue
|
||||
if !ldapAuth.RegistrationEnabled() {
|
||||
continue // ldap provider does not support registration, skip further checks
|
||||
}
|
||||
|
||||
rawUserInfo, err := ldapAuth.GetUserInfo(context.Background(), identifier)
|
||||
@@ -379,55 +403,39 @@ func (a *Authenticator) passwordAuthentication(
|
||||
}
|
||||
continue // user not found / other ldap error
|
||||
}
|
||||
|
||||
// user found, check if the password is correct
|
||||
err = ldapAuth.PlaintextAuthentication(identifier, password)
|
||||
if err != nil {
|
||||
continue // password is incorrect, skip further checks
|
||||
}
|
||||
|
||||
// create a new user in the db
|
||||
ldapUserInfo, err = ldapAuth.ParseUserInfo(rawUserInfo)
|
||||
if err != nil {
|
||||
slog.Error("failed to parse ldap user info",
|
||||
"source", ldapAuth.GetName(), "identifier", identifier, "error", err)
|
||||
continue
|
||||
}
|
||||
user, err := a.processUserInfo(ctx, ldapUserInfo, domain.UserSourceLdap, ldapProvider.GetName(), true)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to process user information: %w", err)
|
||||
}
|
||||
|
||||
// ldap user found
|
||||
userSource = domain.UserSourceLdap
|
||||
ldapProvider = ldapAuth
|
||||
existingUser = user
|
||||
slog.Debug("created new LDAP user in db",
|
||||
"identifier", user.Identifier, "provider", ldapProvider.GetName())
|
||||
|
||||
authOK = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if userSource == "" {
|
||||
slog.Warn("no user source found for user",
|
||||
"identifier", identifier, "ldapProviderCount", len(a.ldapAuthenticators), "inDb", userInDatabase)
|
||||
return nil, errors.New("user not found")
|
||||
if !authOK {
|
||||
return nil, errors.New("failed to authenticate user")
|
||||
}
|
||||
|
||||
if userSource == domain.UserSourceLdap && ldapProvider == nil {
|
||||
slog.Warn("no ldap provider found for user",
|
||||
"identifier", identifier, "ldapProviderCount", len(a.ldapAuthenticators), "inDb", userInDatabase)
|
||||
return nil, errors.New("ldap provider not found")
|
||||
}
|
||||
|
||||
switch userSource {
|
||||
case domain.UserSourceDatabase:
|
||||
err = existingUser.CheckPassword(password)
|
||||
case domain.UserSourceLdap:
|
||||
err = ldapProvider.PlaintextAuthentication(identifier, password)
|
||||
default:
|
||||
err = errors.New("no authentication backend available")
|
||||
}
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to authenticate: %w", err)
|
||||
}
|
||||
|
||||
if !userInDatabase {
|
||||
user, err := a.processUserInfo(ctx, ldapUserInfo, domain.UserSourceLdap, ldapProvider.GetName(),
|
||||
ldapProvider.RegistrationEnabled())
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to process user information: %w", err)
|
||||
}
|
||||
return user, nil
|
||||
} else {
|
||||
return existingUser, nil
|
||||
}
|
||||
return existingUser, nil
|
||||
}
|
||||
|
||||
// endregion password authentication
|
||||
@@ -590,17 +598,34 @@ func (a *Authenticator) registerNewUser(
|
||||
source domain.UserSource,
|
||||
provider string,
|
||||
) (*domain.User, error) {
|
||||
ctxUserInfo := domain.GetUserInfo(ctx)
|
||||
now := time.Now()
|
||||
|
||||
// convert user info to domain.User
|
||||
user := &domain.User{
|
||||
Identifier: userInfo.Identifier,
|
||||
Email: userInfo.Email,
|
||||
Source: source,
|
||||
ProviderName: provider,
|
||||
IsAdmin: userInfo.IsAdmin,
|
||||
Firstname: userInfo.Firstname,
|
||||
Lastname: userInfo.Lastname,
|
||||
Phone: userInfo.Phone,
|
||||
Department: userInfo.Department,
|
||||
Identifier: userInfo.Identifier,
|
||||
Email: userInfo.Email,
|
||||
IsAdmin: false,
|
||||
Firstname: userInfo.Firstname,
|
||||
Lastname: userInfo.Lastname,
|
||||
Phone: userInfo.Phone,
|
||||
Department: userInfo.Department,
|
||||
Authentications: []domain.UserAuthentication{
|
||||
{
|
||||
BaseModel: domain.BaseModel{
|
||||
CreatedBy: ctxUserInfo.UserId(),
|
||||
UpdatedBy: ctxUserInfo.UserId(),
|
||||
CreatedAt: now,
|
||||
UpdatedAt: now,
|
||||
},
|
||||
UserIdentifier: userInfo.Identifier,
|
||||
Source: source,
|
||||
ProviderName: provider,
|
||||
},
|
||||
},
|
||||
}
|
||||
if userInfo.AdminInfoAvailable && userInfo.IsAdmin {
|
||||
user.IsAdmin = true
|
||||
}
|
||||
|
||||
err := a.users.RegisterUser(ctx, user)
|
||||
@@ -610,6 +635,7 @@ func (a *Authenticator) registerNewUser(
|
||||
|
||||
slog.Debug("registered user from external authentication provider",
|
||||
"user", user.Identifier,
|
||||
"adminInfoAvailable", userInfo.AdminInfoAvailable,
|
||||
"isAdmin", user.IsAdmin,
|
||||
"provider", source)
|
||||
|
||||
@@ -643,6 +669,39 @@ func (a *Authenticator) updateExternalUser(
|
||||
return nil // user is locked or disabled, do not update
|
||||
}
|
||||
|
||||
// Update authentication sources
|
||||
foundAuthSource := false
|
||||
for _, auth := range existingUser.Authentications {
|
||||
if auth.Source == source && auth.ProviderName == provider {
|
||||
foundAuthSource = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !foundAuthSource {
|
||||
ctxUserInfo := domain.GetUserInfo(ctx)
|
||||
now := time.Now()
|
||||
existingUser.Authentications = append(existingUser.Authentications, domain.UserAuthentication{
|
||||
BaseModel: domain.BaseModel{
|
||||
CreatedBy: ctxUserInfo.UserId(),
|
||||
UpdatedBy: ctxUserInfo.UserId(),
|
||||
CreatedAt: now,
|
||||
UpdatedAt: now,
|
||||
},
|
||||
UserIdentifier: existingUser.Identifier,
|
||||
Source: source,
|
||||
ProviderName: provider,
|
||||
})
|
||||
}
|
||||
|
||||
if existingUser.PersistLocalChanges {
|
||||
if !foundAuthSource {
|
||||
// Even if local changes are persisted, we need to save the new authentication source
|
||||
_, err := a.users.UpdateUserInternal(ctx, existingUser)
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
isChanged := false
|
||||
if existingUser.Email != userInfo.Email {
|
||||
existingUser.Email = userInfo.Email
|
||||
@@ -664,33 +723,24 @@ func (a *Authenticator) updateExternalUser(
|
||||
existingUser.Department = userInfo.Department
|
||||
isChanged = true
|
||||
}
|
||||
if existingUser.IsAdmin != userInfo.IsAdmin {
|
||||
if userInfo.AdminInfoAvailable && existingUser.IsAdmin != userInfo.IsAdmin {
|
||||
existingUser.IsAdmin = userInfo.IsAdmin
|
||||
isChanged = true
|
||||
}
|
||||
if existingUser.Source != source {
|
||||
existingUser.Source = source
|
||||
isChanged = true
|
||||
}
|
||||
if existingUser.ProviderName != provider {
|
||||
existingUser.ProviderName = provider
|
||||
isChanged = true
|
||||
}
|
||||
|
||||
if !isChanged {
|
||||
return nil // nothing to update
|
||||
}
|
||||
if isChanged || !foundAuthSource {
|
||||
_, err := a.users.UpdateUserInternal(ctx, existingUser)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to update user: %w", err)
|
||||
}
|
||||
|
||||
_, err := a.users.UpdateUser(ctx, existingUser)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to update user: %w", err)
|
||||
slog.Debug("updated user with data from external authentication provider",
|
||||
"user", existingUser.Identifier,
|
||||
"adminInfoAvailable", userInfo.AdminInfoAvailable,
|
||||
"isAdmin", existingUser.IsAdmin,
|
||||
"provider", source)
|
||||
}
|
||||
|
||||
slog.Debug("updated user with data from external authentication provider",
|
||||
"user", existingUser.Identifier,
|
||||
"isAdmin", existingUser.IsAdmin,
|
||||
"provider", source)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@@ -127,18 +127,26 @@ func (l LdapAuthenticator) GetUserInfo(_ context.Context, userId domain.UserIden
|
||||
|
||||
// ParseUserInfo parses the user information from the LDAP server into a domain.AuthenticatorUserInfo struct.
|
||||
func (l LdapAuthenticator) ParseUserInfo(raw map[string]any) (*domain.AuthenticatorUserInfo, error) {
|
||||
isAdmin, err := internal.LdapIsMemberOf(raw[l.cfg.FieldMap.GroupMembership].([][]byte), l.cfg.ParsedAdminGroupDN)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to check admin group: %w", err)
|
||||
isAdmin := false
|
||||
adminInfoAvailable := false
|
||||
if l.cfg.FieldMap.GroupMembership != "" {
|
||||
adminInfoAvailable = true
|
||||
var err error
|
||||
isAdmin, err = internal.LdapIsMemberOf(raw[l.cfg.FieldMap.GroupMembership].([][]byte), l.cfg.ParsedAdminGroupDN)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to check admin group: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
userInfo := &domain.AuthenticatorUserInfo{
|
||||
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, l.cfg.FieldMap.UserIdentifier, "")),
|
||||
Email: internal.MapDefaultString(raw, l.cfg.FieldMap.Email, ""),
|
||||
Firstname: internal.MapDefaultString(raw, l.cfg.FieldMap.Firstname, ""),
|
||||
Lastname: internal.MapDefaultString(raw, l.cfg.FieldMap.Lastname, ""),
|
||||
Phone: internal.MapDefaultString(raw, l.cfg.FieldMap.Phone, ""),
|
||||
Department: internal.MapDefaultString(raw, l.cfg.FieldMap.Department, ""),
|
||||
IsAdmin: isAdmin,
|
||||
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, l.cfg.FieldMap.UserIdentifier, "")),
|
||||
Email: internal.MapDefaultString(raw, l.cfg.FieldMap.Email, ""),
|
||||
Firstname: internal.MapDefaultString(raw, l.cfg.FieldMap.Firstname, ""),
|
||||
Lastname: internal.MapDefaultString(raw, l.cfg.FieldMap.Lastname, ""),
|
||||
Phone: internal.MapDefaultString(raw, l.cfg.FieldMap.Phone, ""),
|
||||
Department: internal.MapDefaultString(raw, l.cfg.FieldMap.Department, ""),
|
||||
IsAdmin: isAdmin,
|
||||
AdminInfoAvailable: adminInfoAvailable,
|
||||
}
|
||||
|
||||
return userInfo, nil
|
||||
|
||||
@@ -15,9 +15,11 @@ func parseOauthUserInfo(
|
||||
raw map[string]any,
|
||||
) (*domain.AuthenticatorUserInfo, error) {
|
||||
var isAdmin bool
|
||||
var adminInfoAvailable bool
|
||||
|
||||
// first try to match the is_admin field against the given regex
|
||||
if mapping.IsAdmin != "" {
|
||||
adminInfoAvailable = true
|
||||
re := adminMapping.GetAdminValueRegex()
|
||||
if re.MatchString(strings.TrimSpace(internal.MapDefaultString(raw, mapping.IsAdmin, ""))) {
|
||||
isAdmin = true
|
||||
@@ -26,6 +28,7 @@ func parseOauthUserInfo(
|
||||
|
||||
// next try to parse the user's groups
|
||||
if !isAdmin && mapping.UserGroups != "" && adminMapping.AdminGroupRegex != "" {
|
||||
adminInfoAvailable = true
|
||||
userGroups := internal.MapDefaultStringSlice(raw, mapping.UserGroups, nil)
|
||||
re := adminMapping.GetAdminGroupRegex()
|
||||
for _, group := range userGroups {
|
||||
@@ -37,13 +40,14 @@ func parseOauthUserInfo(
|
||||
}
|
||||
|
||||
userInfo := &domain.AuthenticatorUserInfo{
|
||||
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
|
||||
Email: internal.MapDefaultString(raw, mapping.Email, ""),
|
||||
Firstname: internal.MapDefaultString(raw, mapping.Firstname, ""),
|
||||
Lastname: internal.MapDefaultString(raw, mapping.Lastname, ""),
|
||||
Phone: internal.MapDefaultString(raw, mapping.Phone, ""),
|
||||
Department: internal.MapDefaultString(raw, mapping.Department, ""),
|
||||
IsAdmin: isAdmin,
|
||||
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
|
||||
Email: internal.MapDefaultString(raw, mapping.Email, ""),
|
||||
Firstname: internal.MapDefaultString(raw, mapping.Firstname, ""),
|
||||
Lastname: internal.MapDefaultString(raw, mapping.Lastname, ""),
|
||||
Phone: internal.MapDefaultString(raw, mapping.Phone, ""),
|
||||
Department: internal.MapDefaultString(raw, mapping.Department, ""),
|
||||
IsAdmin: isAdmin,
|
||||
AdminInfoAvailable: adminInfoAvailable,
|
||||
}
|
||||
|
||||
return userInfo, nil
|
||||
|
||||
@@ -23,8 +23,8 @@ type WebAuthnUserManager interface {
|
||||
GetUser(context.Context, domain.UserIdentifier) (*domain.User, error)
|
||||
// GetUserByWebAuthnCredential returns a user by its WebAuthn ID.
|
||||
GetUserByWebAuthnCredential(ctx context.Context, credentialIdBase64 string) (*domain.User, error)
|
||||
// UpdateUser updates an existing user in the database.
|
||||
UpdateUser(ctx context.Context, user *domain.User) (*domain.User, error)
|
||||
// UpdateUserInternal updates an existing user in the database.
|
||||
UpdateUserInternal(ctx context.Context, user *domain.User) (*domain.User, error)
|
||||
}
|
||||
|
||||
type WebAuthnAuthenticator struct {
|
||||
@@ -89,7 +89,7 @@ func (a *WebAuthnAuthenticator) StartWebAuthnRegistration(ctx context.Context, u
|
||||
|
||||
if user.WebAuthnId == "" {
|
||||
user.GenerateWebAuthnId()
|
||||
user, err = a.users.UpdateUser(ctx, user)
|
||||
user, err = a.users.UpdateUserInternal(ctx, user)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("failed to store webauthn id to user: %w", err)
|
||||
}
|
||||
@@ -150,7 +150,7 @@ func (a *WebAuthnAuthenticator) FinishWebAuthnRegistration(
|
||||
return nil, err
|
||||
}
|
||||
|
||||
user, err = a.users.UpdateUser(ctx, user)
|
||||
user, err = a.users.UpdateUserInternal(ctx, user)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -181,7 +181,7 @@ func (a *WebAuthnAuthenticator) RemoveCredential(
|
||||
}
|
||||
|
||||
user.RemoveCredential(credentialIdBase64)
|
||||
user, err = a.users.UpdateUser(ctx, user)
|
||||
user, err = a.users.UpdateUserInternal(ctx, user)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -205,7 +205,7 @@ func (a *WebAuthnAuthenticator) UpdateCredential(
|
||||
return nil, err
|
||||
}
|
||||
|
||||
user, err = a.users.UpdateUser(ctx, user)
|
||||
user, err = a.users.UpdateUserInternal(ctx, user)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -144,8 +144,6 @@ func migrateV1Users(oldDb, newDb *gorm.DB) error {
|
||||
},
|
||||
Identifier: domain.UserIdentifier(oldUser.Email),
|
||||
Email: oldUser.Email,
|
||||
Source: domain.UserSource(oldUser.Source),
|
||||
ProviderName: "",
|
||||
IsAdmin: oldUser.IsAdmin,
|
||||
Firstname: oldUser.Firstname,
|
||||
Lastname: oldUser.Lastname,
|
||||
@@ -159,11 +157,25 @@ func migrateV1Users(oldDb, newDb *gorm.DB) error {
|
||||
LockedReason: "",
|
||||
LinkedPeerCount: 0,
|
||||
}
|
||||
|
||||
if err := newDb.Create(&newUser).Error; err != nil {
|
||||
return fmt.Errorf("failed to migrate user %s: %w", oldUser.Email, err)
|
||||
}
|
||||
|
||||
authentication := domain.UserAuthentication{
|
||||
BaseModel: domain.BaseModel{
|
||||
CreatedBy: domain.CtxSystemV1Migrator,
|
||||
UpdatedBy: domain.CtxSystemV1Migrator,
|
||||
CreatedAt: oldUser.CreatedAt,
|
||||
UpdatedAt: oldUser.UpdatedAt,
|
||||
},
|
||||
UserIdentifier: domain.UserIdentifier(oldUser.Email),
|
||||
Source: domain.UserSource(oldUser.Source),
|
||||
ProviderName: "", // unknown
|
||||
}
|
||||
if err := newDb.Create(&authentication).Error; err != nil {
|
||||
return fmt.Errorf("failed to migrate user-authentication %s: %w", oldUser.Email, err)
|
||||
}
|
||||
|
||||
slog.Debug("user migrated successfully", "identifier", newUser.Identifier)
|
||||
}
|
||||
|
||||
@@ -346,8 +358,6 @@ func migrateV1Peers(oldDb, newDb *gorm.DB) error {
|
||||
},
|
||||
Identifier: domain.UserIdentifier(oldPeer.Email),
|
||||
Email: oldPeer.Email,
|
||||
Source: domain.UserSourceDatabase,
|
||||
ProviderName: "",
|
||||
IsAdmin: false,
|
||||
Locked: &now,
|
||||
LockedReason: domain.DisabledReasonMigrationDummy,
|
||||
@@ -358,6 +368,21 @@ func migrateV1Peers(oldDb, newDb *gorm.DB) error {
|
||||
return fmt.Errorf("failed to migrate dummy user %s: %w", oldPeer.Email, err)
|
||||
}
|
||||
|
||||
authentication := domain.UserAuthentication{
|
||||
BaseModel: domain.BaseModel{
|
||||
CreatedBy: domain.CtxSystemV1Migrator,
|
||||
UpdatedBy: domain.CtxSystemV1Migrator,
|
||||
CreatedAt: now,
|
||||
UpdatedAt: now,
|
||||
},
|
||||
UserIdentifier: domain.UserIdentifier(oldPeer.Email),
|
||||
Source: domain.UserSourceDatabase,
|
||||
ProviderName: "", // unknown
|
||||
}
|
||||
if err := newDb.Create(&authentication).Error; err != nil {
|
||||
return fmt.Errorf("failed to migrate dummy user-authentication %s: %w", oldPeer.Email, err)
|
||||
}
|
||||
|
||||
slog.Debug("dummy user migrated successfully", "identifier", user.Identifier)
|
||||
}
|
||||
newPeer := domain.Peer{
|
||||
|
||||
@@ -2,6 +2,7 @@ package users
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"slices"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@@ -25,6 +26,8 @@ func convertRawLdapUser(
|
||||
return nil, fmt.Errorf("failed to check admin group: %w", err)
|
||||
}
|
||||
|
||||
uid := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
|
||||
|
||||
return &domain.User{
|
||||
BaseModel: domain.BaseModel{
|
||||
CreatedBy: domain.CtxSystemLdapSyncer,
|
||||
@@ -32,18 +35,23 @@ func convertRawLdapUser(
|
||||
CreatedAt: now,
|
||||
UpdatedAt: now,
|
||||
},
|
||||
Identifier: domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, "")),
|
||||
Email: strings.ToLower(internal.MapDefaultString(rawUser, fields.Email, "")),
|
||||
Source: domain.UserSourceLdap,
|
||||
ProviderName: providerName,
|
||||
IsAdmin: isAdmin,
|
||||
Firstname: internal.MapDefaultString(rawUser, fields.Firstname, ""),
|
||||
Lastname: internal.MapDefaultString(rawUser, fields.Lastname, ""),
|
||||
Phone: internal.MapDefaultString(rawUser, fields.Phone, ""),
|
||||
Department: internal.MapDefaultString(rawUser, fields.Department, ""),
|
||||
Notes: "",
|
||||
Password: "",
|
||||
Disabled: nil,
|
||||
Identifier: uid,
|
||||
Email: strings.ToLower(internal.MapDefaultString(rawUser, fields.Email, "")),
|
||||
IsAdmin: isAdmin,
|
||||
Authentications: []domain.UserAuthentication{
|
||||
{
|
||||
UserIdentifier: uid,
|
||||
Source: domain.UserSourceLdap,
|
||||
ProviderName: providerName,
|
||||
},
|
||||
},
|
||||
Firstname: internal.MapDefaultString(rawUser, fields.Firstname, ""),
|
||||
Lastname: internal.MapDefaultString(rawUser, fields.Lastname, ""),
|
||||
Phone: internal.MapDefaultString(rawUser, fields.Phone, ""),
|
||||
Department: internal.MapDefaultString(rawUser, fields.Department, ""),
|
||||
Notes: "",
|
||||
Password: "",
|
||||
Disabled: nil,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -72,7 +80,9 @@ func userChangedInLdap(dbUser, ldapUser *domain.User) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
if dbUser.ProviderName != ldapUser.ProviderName {
|
||||
if !slices.ContainsFunc(dbUser.Authentications, func(authentication domain.UserAuthentication) bool {
|
||||
return authentication.Source == ldapUser.Authentications[0].Source
|
||||
}) {
|
||||
return true
|
||||
}
|
||||
|
||||
|
||||
239
internal/app/users/ldap_sync.go
Normal file
239
internal/app/users/ldap_sync.go
Normal file
@@ -0,0 +1,239 @@
|
||||
package users
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"time"
|
||||
|
||||
"github.com/go-ldap/ldap/v3"
|
||||
|
||||
"github.com/h44z/wg-portal/internal"
|
||||
"github.com/h44z/wg-portal/internal/app"
|
||||
"github.com/h44z/wg-portal/internal/config"
|
||||
"github.com/h44z/wg-portal/internal/domain"
|
||||
)
|
||||
|
||||
func (m Manager) runLdapSynchronizationService(ctx context.Context) {
|
||||
ctx = domain.SetUserInfo(ctx, domain.LdapSyncContextUserInfo()) // switch to service context for LDAP sync
|
||||
|
||||
for _, ldapCfg := range m.cfg.Auth.Ldap { // LDAP Auth providers
|
||||
go func(cfg config.LdapProvider) {
|
||||
syncInterval := cfg.SyncInterval
|
||||
if syncInterval == 0 {
|
||||
slog.Debug("sync disabled for LDAP server", "provider", cfg.ProviderName)
|
||||
return
|
||||
}
|
||||
|
||||
// perform initial sync
|
||||
err := m.synchronizeLdapUsers(ctx, &cfg)
|
||||
if err != nil {
|
||||
slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
|
||||
} else {
|
||||
slog.Debug("initial LDAP user sync completed", "provider", cfg.ProviderName)
|
||||
}
|
||||
|
||||
// start periodic sync
|
||||
running := true
|
||||
for running {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
running = false
|
||||
continue
|
||||
case <-time.After(syncInterval):
|
||||
// select blocks until one of the cases evaluate to true
|
||||
}
|
||||
|
||||
err := m.synchronizeLdapUsers(ctx, &cfg)
|
||||
if err != nil {
|
||||
slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
|
||||
}
|
||||
}
|
||||
}(ldapCfg)
|
||||
}
|
||||
}
|
||||
|
||||
func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.LdapProvider) error {
|
||||
slog.Debug("starting to synchronize users", "provider", provider.ProviderName)
|
||||
|
||||
dn, err := ldap.ParseDN(provider.AdminGroupDN)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to parse admin group DN: %w", err)
|
||||
}
|
||||
provider.ParsedAdminGroupDN = dn
|
||||
|
||||
conn, err := internal.LdapConnect(provider)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to setup LDAP connection: %w", err)
|
||||
}
|
||||
defer internal.LdapDisconnect(conn)
|
||||
|
||||
rawUsers, err := internal.LdapFindAllUsers(conn, provider.BaseDN, provider.SyncFilter, &provider.FieldMap)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Debug("fetched raw ldap users", "count", len(rawUsers), "provider", provider.ProviderName)
|
||||
|
||||
// Update existing LDAP users
|
||||
err = m.updateLdapUsers(ctx, provider, rawUsers, &provider.FieldMap, provider.ParsedAdminGroupDN)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Disable missing LDAP users
|
||||
if provider.DisableMissing {
|
||||
err = m.disableMissingLdapUsers(ctx, provider.ProviderName, rawUsers, &provider.FieldMap)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m Manager) updateLdapUsers(
|
||||
ctx context.Context,
|
||||
provider *config.LdapProvider,
|
||||
rawUsers []internal.RawLdapUser,
|
||||
fields *config.LdapFields,
|
||||
adminGroupDN *ldap.DN,
|
||||
) error {
|
||||
for _, rawUser := range rawUsers {
|
||||
user, err := convertRawLdapUser(provider.ProviderName, rawUser, fields, adminGroupDN)
|
||||
if err != nil && !errors.Is(err, domain.ErrNotFound) {
|
||||
return fmt.Errorf("failed to convert LDAP data for %v: %w", rawUser["dn"], err)
|
||||
}
|
||||
|
||||
if provider.SyncLogUserInfo {
|
||||
slog.Debug("ldap user data",
|
||||
"raw-user", rawUser, "user", user.Identifier,
|
||||
"is-admin", user.IsAdmin, "provider", provider.ProviderName)
|
||||
}
|
||||
|
||||
existingUser, err := m.users.GetUser(ctx, user.Identifier)
|
||||
if err != nil && !errors.Is(err, domain.ErrNotFound) {
|
||||
return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
|
||||
}
|
||||
|
||||
tctx, cancel := context.WithTimeout(ctx, 30*time.Second)
|
||||
tctx = domain.SetUserInfo(tctx, domain.SystemAdminContextUserInfo())
|
||||
|
||||
if existingUser == nil {
|
||||
// create new user
|
||||
slog.Debug("creating new user from provider", "user", user.Identifier, "provider", provider.ProviderName)
|
||||
|
||||
_, err := m.create(tctx, user)
|
||||
if err != nil {
|
||||
cancel()
|
||||
return fmt.Errorf("create error for user id %s: %w", user.Identifier, err)
|
||||
}
|
||||
} else {
|
||||
// update existing user
|
||||
if provider.AutoReEnable && existingUser.DisabledReason == domain.DisabledReasonLdapMissing {
|
||||
user.Disabled = nil
|
||||
user.DisabledReason = ""
|
||||
} else {
|
||||
user.Disabled = existingUser.Disabled
|
||||
user.DisabledReason = existingUser.DisabledReason
|
||||
}
|
||||
|
||||
if existingUser.PersistLocalChanges {
|
||||
cancel()
|
||||
continue // skip synchronization for this user
|
||||
}
|
||||
|
||||
if userChangedInLdap(existingUser, user) {
|
||||
syncedUser, err := m.users.GetUser(ctx, user.Identifier)
|
||||
if err != nil && !errors.Is(err, domain.ErrNotFound) {
|
||||
cancel()
|
||||
return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
|
||||
}
|
||||
syncedUser.UpdatedAt = time.Now()
|
||||
syncedUser.UpdatedBy = domain.CtxSystemLdapSyncer
|
||||
syncedUser.MergeAuthSources(user.Authentications...)
|
||||
syncedUser.Email = user.Email
|
||||
syncedUser.Firstname = user.Firstname
|
||||
syncedUser.Lastname = user.Lastname
|
||||
syncedUser.Phone = user.Phone
|
||||
syncedUser.Department = user.Department
|
||||
syncedUser.IsAdmin = user.IsAdmin
|
||||
syncedUser.Disabled = user.Disabled
|
||||
syncedUser.DisabledReason = user.DisabledReason
|
||||
|
||||
_, err = m.update(tctx, existingUser, syncedUser, false)
|
||||
if err != nil {
|
||||
cancel()
|
||||
return fmt.Errorf("update error for user id %s: %w", user.Identifier, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
cancel()
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m Manager) disableMissingLdapUsers(
|
||||
ctx context.Context,
|
||||
providerName string,
|
||||
rawUsers []internal.RawLdapUser,
|
||||
fields *config.LdapFields,
|
||||
) error {
|
||||
allUsers, err := m.users.GetAllUsers(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
for _, user := range allUsers {
|
||||
userHasAuthSource := false
|
||||
for _, auth := range user.Authentications {
|
||||
if auth.Source == domain.UserSourceLdap && auth.ProviderName == providerName {
|
||||
userHasAuthSource = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !userHasAuthSource {
|
||||
continue // ignore non ldap users
|
||||
}
|
||||
if user.IsDisabled() {
|
||||
continue // ignore deactivated
|
||||
}
|
||||
if user.PersistLocalChanges {
|
||||
continue // skip sync for this user
|
||||
}
|
||||
|
||||
existsInLDAP := false
|
||||
for _, rawUser := range rawUsers {
|
||||
userId := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
|
||||
if user.Identifier == userId {
|
||||
existsInLDAP = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if existsInLDAP {
|
||||
continue
|
||||
}
|
||||
|
||||
slog.Debug("user is missing in ldap provider, disabling", "user", user.Identifier, "provider", providerName)
|
||||
|
||||
now := time.Now()
|
||||
user.Disabled = &now
|
||||
user.DisabledReason = domain.DisabledReasonLdapMissing
|
||||
|
||||
err := m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
|
||||
u.Disabled = user.Disabled
|
||||
u.DisabledReason = user.DisabledReason
|
||||
return u, nil
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("disable error for user id %s: %w", user.Identifier, err)
|
||||
}
|
||||
|
||||
m.bus.Publish(app.TopicUserDisabled, user)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -4,15 +4,12 @@ import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"math"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/go-ldap/ldap/v3"
|
||||
"github.com/google/uuid"
|
||||
|
||||
"github.com/h44z/wg-portal/internal"
|
||||
"github.com/h44z/wg-portal/internal/app"
|
||||
"github.com/h44z/wg-portal/internal/config"
|
||||
"github.com/h44z/wg-portal/internal/domain"
|
||||
@@ -79,7 +76,7 @@ func (m Manager) RegisterUser(ctx context.Context, user *domain.User) error {
|
||||
return err
|
||||
}
|
||||
|
||||
createdUser, err := m.CreateUser(ctx, user)
|
||||
createdUser, err := m.create(ctx, user)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -101,20 +98,11 @@ func (m Manager) GetUser(ctx context.Context, id domain.UserIdentifier) (*domain
|
||||
return nil, err
|
||||
}
|
||||
|
||||
user, err := m.users.GetUser(ctx, id)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load user %s: %w", id, err)
|
||||
}
|
||||
peers, _ := m.peers.GetUserPeers(ctx, id) // ignore error, list will be empty in error case
|
||||
|
||||
user.LinkedPeerCount = len(peers)
|
||||
|
||||
return user, nil
|
||||
return m.getUser(ctx, id)
|
||||
}
|
||||
|
||||
// GetUserByEmail returns the user with the given email address.
|
||||
func (m Manager) GetUserByEmail(ctx context.Context, email string) (*domain.User, error) {
|
||||
|
||||
user, err := m.users.GetUserByEmail(ctx, email)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load user for email %s: %w", email, err)
|
||||
@@ -124,16 +112,11 @@ func (m Manager) GetUserByEmail(ctx context.Context, email string) (*domain.User
|
||||
return nil, err
|
||||
}
|
||||
|
||||
peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
|
||||
|
||||
user.LinkedPeerCount = len(peers)
|
||||
|
||||
return user, nil
|
||||
return m.enrichUser(ctx, user), nil
|
||||
}
|
||||
|
||||
// GetUserByWebAuthnCredential returns the user for the given WebAuthn credential.
|
||||
func (m Manager) GetUserByWebAuthnCredential(ctx context.Context, credentialIdBase64 string) (*domain.User, error) {
|
||||
|
||||
user, err := m.users.GetUserByWebAuthnCredential(ctx, credentialIdBase64)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to load user for webauthn credential %s: %w", credentialIdBase64, err)
|
||||
@@ -143,11 +126,7 @@ func (m Manager) GetUserByWebAuthnCredential(ctx context.Context, credentialIdBa
|
||||
return nil, err
|
||||
}
|
||||
|
||||
peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
|
||||
|
||||
user.LinkedPeerCount = len(peers)
|
||||
|
||||
return user, nil
|
||||
return m.enrichUser(ctx, user), nil
|
||||
}
|
||||
|
||||
// GetAllUsers returns all users.
|
||||
@@ -169,8 +148,7 @@ func (m Manager) GetAllUsers(ctx context.Context) ([]domain.User, error) {
|
||||
go func() {
|
||||
defer wg.Done()
|
||||
for user := range ch {
|
||||
peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
|
||||
user.LinkedPeerCount = len(peers)
|
||||
m.enrichUser(ctx, user)
|
||||
}
|
||||
}()
|
||||
}
|
||||
@@ -194,77 +172,29 @@ func (m Manager) UpdateUser(ctx context.Context, user *domain.User) (*domain.Use
|
||||
return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
|
||||
}
|
||||
|
||||
if err := m.validateModifications(ctx, existingUser, user); err != nil {
|
||||
return nil, fmt.Errorf("update not allowed: %w", err)
|
||||
}
|
||||
user.CopyCalculatedAttributes(existingUser, true) // ensure that crucial attributes stay the same
|
||||
|
||||
user.CopyCalculatedAttributes(existingUser)
|
||||
err = user.HashPassword()
|
||||
return m.update(ctx, existingUser, user, true)
|
||||
}
|
||||
|
||||
// UpdateUserInternal updates the user with the given identifier. This function must never be called from external.
|
||||
// This function allows to override authentications and webauthn credentials.
|
||||
func (m Manager) UpdateUserInternal(ctx context.Context, user *domain.User) (*domain.User, error) {
|
||||
existingUser, err := m.users.GetUser(ctx, user.Identifier)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if user.Password == "" { // keep old password
|
||||
user.Password = existingUser.Password
|
||||
return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
|
||||
}
|
||||
|
||||
err = m.users.SaveUser(ctx, existingUser.Identifier, func(u *domain.User) (*domain.User, error) {
|
||||
user.CopyCalculatedAttributes(u)
|
||||
return user, nil
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("update failure: %w", err)
|
||||
}
|
||||
|
||||
m.bus.Publish(app.TopicUserUpdated, *user)
|
||||
|
||||
switch {
|
||||
case !existingUser.IsDisabled() && user.IsDisabled():
|
||||
m.bus.Publish(app.TopicUserDisabled, *user)
|
||||
case existingUser.IsDisabled() && !user.IsDisabled():
|
||||
m.bus.Publish(app.TopicUserEnabled, *user)
|
||||
}
|
||||
|
||||
return user, nil
|
||||
return m.update(ctx, existingUser, user, false)
|
||||
}
|
||||
|
||||
// CreateUser creates a new user.
|
||||
func (m Manager) CreateUser(ctx context.Context, user *domain.User) (*domain.User, error) {
|
||||
if user.Identifier == "" {
|
||||
return nil, errors.New("missing user identifier")
|
||||
}
|
||||
|
||||
if err := domain.ValidateAdminAccessRights(ctx); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
existingUser, err := m.users.GetUser(ctx, user.Identifier)
|
||||
if err != nil && !errors.Is(err, domain.ErrNotFound) {
|
||||
return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
|
||||
}
|
||||
if existingUser != nil {
|
||||
return nil, errors.Join(fmt.Errorf("user %s already exists", user.Identifier), domain.ErrDuplicateEntry)
|
||||
}
|
||||
|
||||
if err := m.validateCreation(ctx, user); err != nil {
|
||||
return nil, fmt.Errorf("creation not allowed: %w", err)
|
||||
}
|
||||
|
||||
err = user.HashPassword()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
|
||||
user.CopyCalculatedAttributes(u)
|
||||
return user, nil
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("creation failure: %w", err)
|
||||
}
|
||||
|
||||
m.bus.Publish(app.TopicUserCreated, *user)
|
||||
|
||||
return user, nil
|
||||
return m.create(ctx, user)
|
||||
}
|
||||
|
||||
// DeleteUser deletes the user with the given identifier.
|
||||
@@ -307,15 +237,10 @@ func (m Manager) ActivateApi(ctx context.Context, id domain.UserIdentifier) (*do
|
||||
user.ApiToken = uuid.New().String()
|
||||
user.ApiTokenCreated = &now
|
||||
|
||||
err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
|
||||
user.CopyCalculatedAttributes(u)
|
||||
return user, nil
|
||||
})
|
||||
user, err = m.update(ctx, user, user, true) // self-update
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("update failure: %w", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
m.bus.Publish(app.TopicUserUpdated, *user)
|
||||
m.bus.Publish(app.TopicUserApiEnabled, *user)
|
||||
|
||||
return user, nil
|
||||
@@ -335,15 +260,10 @@ func (m Manager) DeactivateApi(ctx context.Context, id domain.UserIdentifier) (*
|
||||
user.ApiToken = ""
|
||||
user.ApiTokenCreated = nil
|
||||
|
||||
err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
|
||||
user.CopyCalculatedAttributes(u)
|
||||
return user, nil
|
||||
})
|
||||
user, err = m.update(ctx, user, user, true) // self-update
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("update failure: %w", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
m.bus.Publish(app.TopicUserUpdated, *user)
|
||||
m.bus.Publish(app.TopicUserApiDisabled, *user)
|
||||
|
||||
return user, nil
|
||||
@@ -380,10 +300,6 @@ func (m Manager) validateModifications(ctx context.Context, old, new *domain.Use
|
||||
return fmt.Errorf("cannot lock own user: %w", domain.ErrInvalidData)
|
||||
}
|
||||
|
||||
if old.Source != new.Source {
|
||||
return fmt.Errorf("cannot change user source: %w", domain.ErrInvalidData)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -414,14 +330,19 @@ func (m Manager) validateCreation(ctx context.Context, new *domain.User) error {
|
||||
return fmt.Errorf("reserved user identifier: %w", domain.ErrInvalidData)
|
||||
}
|
||||
|
||||
if len(new.Authentications) != 1 {
|
||||
return fmt.Errorf("invalid number of authentications: %d, expected 1: %w",
|
||||
len(new.Authentications), domain.ErrInvalidData)
|
||||
}
|
||||
|
||||
// Admins are allowed to create users for arbitrary sources.
|
||||
if new.Source != domain.UserSourceDatabase && !currentUser.IsAdmin {
|
||||
if new.Authentications[0].Source != domain.UserSourceDatabase && !currentUser.IsAdmin {
|
||||
return fmt.Errorf("invalid user source: %s, only %s is allowed: %w",
|
||||
new.Source, domain.UserSourceDatabase, domain.ErrInvalidData)
|
||||
new.Authentications[0].Source, domain.UserSourceDatabase, domain.ErrInvalidData)
|
||||
}
|
||||
|
||||
// database users must have a password
|
||||
if new.Source == domain.UserSourceDatabase && string(new.Password) == "" {
|
||||
if new.Authentications[0].Source == domain.UserSourceDatabase && string(new.Password) == "" {
|
||||
return fmt.Errorf("missing password: %w", domain.ErrInvalidData)
|
||||
}
|
||||
|
||||
@@ -460,214 +381,112 @@ func (m Manager) validateApiChange(ctx context.Context, user *domain.User) error
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m Manager) runLdapSynchronizationService(ctx context.Context) {
|
||||
ctx = domain.SetUserInfo(ctx, domain.LdapSyncContextUserInfo()) // switch to service context for LDAP sync
|
||||
// region internal-modifiers
|
||||
|
||||
for _, ldapCfg := range m.cfg.Auth.Ldap { // LDAP Auth providers
|
||||
go func(cfg config.LdapProvider) {
|
||||
syncInterval := cfg.SyncInterval
|
||||
if syncInterval == 0 {
|
||||
slog.Debug("sync disabled for LDAP server", "provider", cfg.ProviderName)
|
||||
return
|
||||
}
|
||||
|
||||
// perform initial sync
|
||||
err := m.synchronizeLdapUsers(ctx, &cfg)
|
||||
if err != nil {
|
||||
slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
|
||||
} else {
|
||||
slog.Debug("initial LDAP user sync completed", "provider", cfg.ProviderName)
|
||||
}
|
||||
|
||||
// start periodic sync
|
||||
running := true
|
||||
for running {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
running = false
|
||||
continue
|
||||
case <-time.After(syncInterval):
|
||||
// select blocks until one of the cases evaluate to true
|
||||
}
|
||||
|
||||
err := m.synchronizeLdapUsers(ctx, &cfg)
|
||||
if err != nil {
|
||||
slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
|
||||
}
|
||||
}
|
||||
}(ldapCfg)
|
||||
func (m Manager) enrichUser(ctx context.Context, user *domain.User) *domain.User {
|
||||
if user == nil {
|
||||
return nil
|
||||
}
|
||||
peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
|
||||
user.LinkedPeerCount = len(peers)
|
||||
return user
|
||||
}
|
||||
|
||||
func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.LdapProvider) error {
|
||||
slog.Debug("starting to synchronize users", "provider", provider.ProviderName)
|
||||
|
||||
dn, err := ldap.ParseDN(provider.AdminGroupDN)
|
||||
func (m Manager) getUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error) {
|
||||
user, err := m.users.GetUser(ctx, id)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to parse admin group DN: %w", err)
|
||||
return nil, fmt.Errorf("unable to load user %s: %w", id, err)
|
||||
}
|
||||
provider.ParsedAdminGroupDN = dn
|
||||
|
||||
conn, err := internal.LdapConnect(provider)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to setup LDAP connection: %w", err)
|
||||
}
|
||||
defer internal.LdapDisconnect(conn)
|
||||
|
||||
rawUsers, err := internal.LdapFindAllUsers(conn, provider.BaseDN, provider.SyncFilter, &provider.FieldMap)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Debug("fetched raw ldap users", "count", len(rawUsers), "provider", provider.ProviderName)
|
||||
|
||||
// Update existing LDAP users
|
||||
err = m.updateLdapUsers(ctx, provider, rawUsers, &provider.FieldMap, provider.ParsedAdminGroupDN)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Disable missing LDAP users
|
||||
if provider.DisableMissing {
|
||||
err = m.disableMissingLdapUsers(ctx, provider.ProviderName, rawUsers, &provider.FieldMap)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
return m.enrichUser(ctx, user), nil
|
||||
}
|
||||
|
||||
func (m Manager) updateLdapUsers(
|
||||
ctx context.Context,
|
||||
provider *config.LdapProvider,
|
||||
rawUsers []internal.RawLdapUser,
|
||||
fields *config.LdapFields,
|
||||
adminGroupDN *ldap.DN,
|
||||
) error {
|
||||
for _, rawUser := range rawUsers {
|
||||
user, err := convertRawLdapUser(provider.ProviderName, rawUser, fields, adminGroupDN)
|
||||
if err != nil && !errors.Is(err, domain.ErrNotFound) {
|
||||
return fmt.Errorf("failed to convert LDAP data for %v: %w", rawUser["dn"], err)
|
||||
}
|
||||
|
||||
if provider.SyncLogUserInfo {
|
||||
slog.Debug("ldap user data",
|
||||
"raw-user", rawUser, "user", user.Identifier,
|
||||
"is-admin", user.IsAdmin, "provider", provider.ProviderName)
|
||||
}
|
||||
|
||||
existingUser, err := m.users.GetUser(ctx, user.Identifier)
|
||||
if err != nil && !errors.Is(err, domain.ErrNotFound) {
|
||||
return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
|
||||
}
|
||||
|
||||
tctx, cancel := context.WithTimeout(ctx, 30*time.Second)
|
||||
tctx = domain.SetUserInfo(tctx, domain.SystemAdminContextUserInfo())
|
||||
|
||||
if existingUser == nil {
|
||||
// create new user
|
||||
slog.Debug("creating new user from provider", "user", user.Identifier, "provider", provider.ProviderName)
|
||||
|
||||
_, err := m.CreateUser(tctx, user)
|
||||
if err != nil {
|
||||
cancel()
|
||||
return fmt.Errorf("create error for user id %s: %w", user.Identifier, err)
|
||||
}
|
||||
} else {
|
||||
// update existing user
|
||||
if provider.AutoReEnable && existingUser.DisabledReason == domain.DisabledReasonLdapMissing {
|
||||
user.Disabled = nil
|
||||
user.DisabledReason = ""
|
||||
} else {
|
||||
user.Disabled = existingUser.Disabled
|
||||
user.DisabledReason = existingUser.DisabledReason
|
||||
}
|
||||
if existingUser.Source == domain.UserSourceLdap && userChangedInLdap(existingUser, user) {
|
||||
err := m.users.SaveUser(tctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
|
||||
u.UpdatedAt = time.Now()
|
||||
u.UpdatedBy = domain.CtxSystemLdapSyncer
|
||||
u.Source = user.Source
|
||||
u.ProviderName = user.ProviderName
|
||||
u.Email = user.Email
|
||||
u.Firstname = user.Firstname
|
||||
u.Lastname = user.Lastname
|
||||
u.Phone = user.Phone
|
||||
u.Department = user.Department
|
||||
u.IsAdmin = user.IsAdmin
|
||||
u.Disabled = nil
|
||||
u.DisabledReason = ""
|
||||
|
||||
return u, nil
|
||||
})
|
||||
if err != nil {
|
||||
cancel()
|
||||
return fmt.Errorf("update error for user id %s: %w", user.Identifier, err)
|
||||
}
|
||||
|
||||
if existingUser.IsDisabled() && !user.IsDisabled() {
|
||||
m.bus.Publish(app.TopicUserEnabled, *user)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
cancel()
|
||||
func (m Manager) update(ctx context.Context, existingUser, user *domain.User, keepAuthentications bool) (
|
||||
*domain.User,
|
||||
error,
|
||||
) {
|
||||
if err := m.validateModifications(ctx, existingUser, user); err != nil {
|
||||
return nil, fmt.Errorf("update not allowed: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
err := user.HashPassword()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if user.Password == "" { // keep old password
|
||||
user.Password = existingUser.Password
|
||||
}
|
||||
|
||||
err = m.users.SaveUser(ctx, existingUser.Identifier, func(u *domain.User) (*domain.User, error) {
|
||||
user.CopyCalculatedAttributes(u, keepAuthentications)
|
||||
return user, nil
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("update failure: %w", err)
|
||||
}
|
||||
|
||||
m.bus.Publish(app.TopicUserUpdated, *user)
|
||||
|
||||
switch {
|
||||
case !existingUser.IsDisabled() && user.IsDisabled():
|
||||
m.bus.Publish(app.TopicUserDisabled, *user)
|
||||
case existingUser.IsDisabled() && !user.IsDisabled():
|
||||
m.bus.Publish(app.TopicUserEnabled, *user)
|
||||
}
|
||||
|
||||
return user, nil
|
||||
}
|
||||
|
||||
func (m Manager) disableMissingLdapUsers(
|
||||
ctx context.Context,
|
||||
providerName string,
|
||||
rawUsers []internal.RawLdapUser,
|
||||
fields *config.LdapFields,
|
||||
) error {
|
||||
allUsers, err := m.users.GetAllUsers(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
func (m Manager) create(ctx context.Context, user *domain.User) (*domain.User, error) {
|
||||
if user.Identifier == "" {
|
||||
return nil, errors.New("missing user identifier")
|
||||
}
|
||||
for _, user := range allUsers {
|
||||
if user.Source != domain.UserSourceLdap {
|
||||
continue // ignore non ldap users
|
||||
}
|
||||
if user.ProviderName != providerName {
|
||||
continue // user was synchronized through different provider
|
||||
}
|
||||
if user.IsDisabled() {
|
||||
continue // ignore deactivated
|
||||
}
|
||||
|
||||
existsInLDAP := false
|
||||
for _, rawUser := range rawUsers {
|
||||
userId := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
|
||||
if user.Identifier == userId {
|
||||
existsInLDAP = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if existsInLDAP {
|
||||
continue
|
||||
}
|
||||
|
||||
slog.Debug("user is missing in ldap provider, disabling", "user", user.Identifier, "provider", providerName)
|
||||
existingUser, err := m.users.GetUser(ctx, user.Identifier)
|
||||
if err != nil && !errors.Is(err, domain.ErrNotFound) {
|
||||
return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
|
||||
}
|
||||
if existingUser != nil {
|
||||
return nil, errors.Join(fmt.Errorf("user %s already exists", user.Identifier), domain.ErrDuplicateEntry)
|
||||
}
|
||||
|
||||
// Add default authentication if missing
|
||||
if len(user.Authentications) == 0 {
|
||||
ctxUserInfo := domain.GetUserInfo(ctx)
|
||||
now := time.Now()
|
||||
user.Disabled = &now
|
||||
user.DisabledReason = domain.DisabledReasonLdapMissing
|
||||
|
||||
err := m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
|
||||
u.Disabled = user.Disabled
|
||||
u.DisabledReason = user.DisabledReason
|
||||
return u, nil
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("disable error for user id %s: %w", user.Identifier, err)
|
||||
user.Authentications = []domain.UserAuthentication{
|
||||
{
|
||||
BaseModel: domain.BaseModel{
|
||||
CreatedBy: ctxUserInfo.UserId(),
|
||||
UpdatedBy: ctxUserInfo.UserId(),
|
||||
CreatedAt: now,
|
||||
UpdatedAt: now,
|
||||
},
|
||||
UserIdentifier: user.Identifier,
|
||||
Source: domain.UserSourceDatabase,
|
||||
ProviderName: "",
|
||||
},
|
||||
}
|
||||
|
||||
m.bus.Publish(app.TopicUserDisabled, user)
|
||||
}
|
||||
|
||||
return nil
|
||||
if err := m.validateCreation(ctx, user); err != nil {
|
||||
return nil, fmt.Errorf("creation not allowed: %w", err)
|
||||
}
|
||||
|
||||
err = user.HashPassword()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
|
||||
return user, nil
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("creation failure: %w", err)
|
||||
}
|
||||
|
||||
m.bus.Publish(app.TopicUserCreated, *user)
|
||||
|
||||
return user, nil
|
||||
}
|
||||
|
||||
// endregion internal-modifiers
|
||||
|
||||
@@ -3,6 +3,7 @@ package models
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/h44z/wg-portal/internal"
|
||||
"github.com/h44z/wg-portal/internal/domain"
|
||||
)
|
||||
|
||||
@@ -13,11 +14,10 @@ type User struct {
|
||||
CreatedAt time.Time `json:"CreatedAt"`
|
||||
UpdatedAt time.Time `json:"UpdatedAt"`
|
||||
|
||||
Identifier string `json:"Identifier"`
|
||||
Email string `json:"Email"`
|
||||
Source string `json:"Source"`
|
||||
ProviderName string `json:"ProviderName"`
|
||||
IsAdmin bool `json:"IsAdmin"`
|
||||
Identifier string `json:"Identifier"`
|
||||
Email string `json:"Email"`
|
||||
AuthSources []UserAuthSource `json:"AuthSources"`
|
||||
IsAdmin bool `json:"IsAdmin"`
|
||||
|
||||
Firstname string `json:"Firstname,omitempty"`
|
||||
Lastname string `json:"Lastname,omitempty"`
|
||||
@@ -31,8 +31,22 @@ type User struct {
|
||||
LockedReason string `json:"LockedReason,omitempty"`
|
||||
}
|
||||
|
||||
// UserAuthSource represents a single authentication source for a user.
|
||||
// For details about the fields, see the domain.UserAuthentication struct.
|
||||
type UserAuthSource struct {
|
||||
Source string `json:"Source"`
|
||||
ProviderName string `json:"ProviderName"`
|
||||
}
|
||||
|
||||
// NewUser creates a new User model from a domain.User
|
||||
func NewUser(src domain.User) User {
|
||||
authSources := internal.Map(src.Authentications, func(authentication domain.UserAuthentication) UserAuthSource {
|
||||
return UserAuthSource{
|
||||
Source: string(authentication.Source),
|
||||
ProviderName: authentication.ProviderName,
|
||||
}
|
||||
})
|
||||
|
||||
return User{
|
||||
CreatedBy: src.CreatedBy,
|
||||
UpdatedBy: src.UpdatedBy,
|
||||
@@ -40,8 +54,7 @@ func NewUser(src domain.User) User {
|
||||
UpdatedAt: src.UpdatedAt,
|
||||
Identifier: string(src.Identifier),
|
||||
Email: src.Email,
|
||||
Source: string(src.Source),
|
||||
ProviderName: src.ProviderName,
|
||||
AuthSources: authSources,
|
||||
IsAdmin: src.IsAdmin,
|
||||
Firstname: src.Firstname,
|
||||
Lastname: src.Lastname,
|
||||
|
||||
@@ -10,11 +10,12 @@ type LoginProviderInfo struct {
|
||||
}
|
||||
|
||||
type AuthenticatorUserInfo struct {
|
||||
Identifier UserIdentifier
|
||||
Email string
|
||||
Firstname string
|
||||
Lastname string
|
||||
Phone string
|
||||
Department string
|
||||
IsAdmin bool
|
||||
Identifier UserIdentifier
|
||||
Email string
|
||||
Firstname string
|
||||
Lastname string
|
||||
Phone string
|
||||
Department string
|
||||
IsAdmin bool
|
||||
AdminInfoAvailable bool // true if the IsAdmin flag is valid
|
||||
}
|
||||
|
||||
@@ -14,6 +14,7 @@ const (
|
||||
CtxSystemLdapSyncer = "_WG_SYS_LDAP_SYNCER_"
|
||||
CtxSystemWgImporter = "_WG_SYS_WG_IMPORTER_"
|
||||
CtxSystemV1Migrator = "_WG_SYS_V1_MIGRATOR_"
|
||||
CtxSystemDBMigrator = "_WG_SYS_DB_MIGRATOR_"
|
||||
)
|
||||
|
||||
type ContextUserInfo struct {
|
||||
|
||||
@@ -25,6 +25,14 @@ type UserIdentifier string
|
||||
|
||||
type UserSource string
|
||||
|
||||
type UserAuthentication struct {
|
||||
BaseModel
|
||||
|
||||
UserIdentifier UserIdentifier `gorm:"primaryKey;column:user_identifier"` // sAMAccountName, sub, etc.
|
||||
Source UserSource `gorm:"primaryKey;column:source"`
|
||||
ProviderName string `gorm:"primaryKey;column:provider_name"`
|
||||
}
|
||||
|
||||
// User is the user model that gets linked to peer entries, by default an empty user model with only the email address is created
|
||||
type User struct {
|
||||
BaseModel
|
||||
@@ -32,10 +40,15 @@ type User struct {
|
||||
// required fields
|
||||
Identifier UserIdentifier `gorm:"primaryKey;column:identifier"`
|
||||
Email string `form:"email" binding:"required,email"`
|
||||
Source UserSource
|
||||
ProviderName string
|
||||
Source UserSource // deprecated: moved to Authentications.Source
|
||||
ProviderName string // deprecated: moved to Authentications.ProviderName
|
||||
IsAdmin bool
|
||||
|
||||
// authentication sources
|
||||
Authentications []UserAuthentication `gorm:"foreignKey:user_identifier"`
|
||||
// synchronization behavior
|
||||
PersistLocalChanges bool `gorm:"column:persist_local_changes"`
|
||||
|
||||
// optional fields
|
||||
Firstname string `form:"firstname" binding:"omitempty"`
|
||||
Lastname string `form:"lastname" binding:"omitempty"`
|
||||
@@ -81,15 +94,19 @@ func (u *User) IsApiEnabled() bool {
|
||||
}
|
||||
|
||||
func (u *User) CanChangePassword() error {
|
||||
if u.Source == UserSourceDatabase {
|
||||
return nil
|
||||
if slices.ContainsFunc(u.Authentications, func(e UserAuthentication) bool {
|
||||
return e.Source == UserSourceDatabase
|
||||
}) {
|
||||
return nil // password can be changed for database users
|
||||
}
|
||||
|
||||
return errors.New("password change only allowed for database source")
|
||||
}
|
||||
|
||||
func (u *User) HasWeakPassword(minLength int) error {
|
||||
if u.Source != UserSourceDatabase {
|
||||
if !slices.ContainsFunc(u.Authentications, func(e UserAuthentication) bool {
|
||||
return e.Source == UserSourceDatabase
|
||||
}) {
|
||||
return nil // password is not required for non-database users, so no check needed
|
||||
}
|
||||
|
||||
@@ -105,13 +122,16 @@ func (u *User) HasWeakPassword(minLength int) error {
|
||||
}
|
||||
|
||||
func (u *User) EditAllowed(new *User) error {
|
||||
if u.Source == UserSourceDatabase {
|
||||
return nil
|
||||
if len(u.Authentications) == 1 && u.Authentications[0].Source == UserSourceDatabase {
|
||||
return nil // database-only users can be edited always
|
||||
}
|
||||
|
||||
if new.PersistLocalChanges {
|
||||
return nil // if changes will be persisted locally, they can be edited always
|
||||
}
|
||||
|
||||
// for users which are not database users, only the notes field and the disabled flag can be updated
|
||||
updateOk := u.Identifier == new.Identifier
|
||||
updateOk = updateOk && u.Source == new.Source
|
||||
updateOk = updateOk && u.IsAdmin == new.IsAdmin
|
||||
updateOk = updateOk && u.Email == new.Email
|
||||
updateOk = updateOk && u.Firstname == new.Firstname
|
||||
@@ -120,7 +140,7 @@ func (u *User) EditAllowed(new *User) error {
|
||||
updateOk = updateOk && u.Department == new.Department
|
||||
|
||||
if !updateOk {
|
||||
return errors.New("edit only allowed for database source")
|
||||
return errors.New("edit only allowed for reserved fields")
|
||||
}
|
||||
|
||||
return nil
|
||||
@@ -131,8 +151,10 @@ func (u *User) DeleteAllowed() error {
|
||||
}
|
||||
|
||||
func (u *User) CheckPassword(password string) error {
|
||||
if u.Source != UserSourceDatabase {
|
||||
return errors.New("invalid user source")
|
||||
if !slices.ContainsFunc(u.Authentications, func(e UserAuthentication) bool {
|
||||
return e.Source == UserSourceDatabase
|
||||
}) {
|
||||
return errors.New("invalid user source") // password can only be checked for database users
|
||||
}
|
||||
|
||||
if u.IsDisabled() {
|
||||
@@ -180,9 +202,24 @@ func (u *User) HashPassword() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (u *User) CopyCalculatedAttributes(src *User) {
|
||||
func (u *User) CopyCalculatedAttributes(src *User, withAuthentications bool) {
|
||||
u.BaseModel = src.BaseModel
|
||||
u.LinkedPeerCount = src.LinkedPeerCount
|
||||
if withAuthentications {
|
||||
u.Authentications = src.Authentications
|
||||
u.WebAuthnId = src.WebAuthnId
|
||||
u.WebAuthnCredentialList = src.WebAuthnCredentialList
|
||||
}
|
||||
}
|
||||
|
||||
// MergeAuthSources merges the given authentication sources with the existing ones.
|
||||
// Already existing sources are not overwritten, nor will be added any duplicates.
|
||||
func (u *User) MergeAuthSources(extSources ...UserAuthentication) {
|
||||
for _, src := range extSources {
|
||||
if !slices.Contains(u.Authentications, src) {
|
||||
u.Authentications = append(u.Authentications, src)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// DisplayName returns the display name of the user.
|
||||
|
||||
@@ -35,19 +35,25 @@ func TestUser_IsApiEnabled(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestUser_CanChangePassword(t *testing.T) {
|
||||
user := &User{Source: UserSourceDatabase}
|
||||
user := &User{Authentications: []UserAuthentication{{Source: UserSourceDatabase}}}
|
||||
assert.NoError(t, user.CanChangePassword())
|
||||
|
||||
user.Source = UserSourceLdap
|
||||
user.Authentications = []UserAuthentication{{Source: UserSourceLdap}}
|
||||
assert.Error(t, user.CanChangePassword())
|
||||
|
||||
user.Source = UserSourceOauth
|
||||
user.Authentications = []UserAuthentication{{Source: UserSourceOauth}}
|
||||
assert.Error(t, user.CanChangePassword())
|
||||
|
||||
user.Authentications = []UserAuthentication{{Source: UserSourceLdap}, {Source: UserSourceDatabase}}
|
||||
assert.NoError(t, user.CanChangePassword())
|
||||
|
||||
user.Authentications = []UserAuthentication{{Source: UserSourceOauth}, {Source: UserSourceDatabase}}
|
||||
assert.NoError(t, user.CanChangePassword())
|
||||
}
|
||||
|
||||
func TestUser_EditAllowed(t *testing.T) {
|
||||
user := &User{Source: UserSourceDatabase}
|
||||
newUser := &User{Source: UserSourceDatabase}
|
||||
user := &User{Authentications: []UserAuthentication{{Source: UserSourceDatabase}}}
|
||||
newUser := &User{Authentications: []UserAuthentication{{Source: UserSourceDatabase}}}
|
||||
assert.NoError(t, user.EditAllowed(newUser))
|
||||
|
||||
newUser.Notes = "notes can be changed"
|
||||
@@ -59,8 +65,8 @@ func TestUser_EditAllowed(t *testing.T) {
|
||||
newUser.Lastname = "lastname or other fields can be changed"
|
||||
assert.NoError(t, user.EditAllowed(newUser))
|
||||
|
||||
user.Source = UserSourceLdap
|
||||
newUser.Source = UserSourceLdap
|
||||
user.Authentications = []UserAuthentication{{Source: UserSourceLdap}}
|
||||
newUser.Authentications = []UserAuthentication{{Source: UserSourceLdap}}
|
||||
newUser.Disabled = nil
|
||||
newUser.Lastname = ""
|
||||
newUser.Notes = "notes can be changed"
|
||||
@@ -72,8 +78,8 @@ func TestUser_EditAllowed(t *testing.T) {
|
||||
newUser.Lastname = "lastname or other fields can not be changed"
|
||||
assert.Error(t, user.EditAllowed(newUser))
|
||||
|
||||
user.Source = UserSourceOauth
|
||||
newUser.Source = UserSourceOauth
|
||||
user.Authentications = []UserAuthentication{{Source: UserSourceOauth}}
|
||||
newUser.Authentications = []UserAuthentication{{Source: UserSourceOauth}}
|
||||
newUser.Disabled = nil
|
||||
newUser.Lastname = ""
|
||||
newUser.Notes = "notes can be changed"
|
||||
@@ -84,6 +90,20 @@ func TestUser_EditAllowed(t *testing.T) {
|
||||
|
||||
newUser.Lastname = "lastname or other fields can not be changed"
|
||||
assert.Error(t, user.EditAllowed(newUser))
|
||||
|
||||
user.Authentications = []UserAuthentication{{Source: UserSourceOauth}, {Source: UserSourceDatabase}}
|
||||
newUser.Authentications = []UserAuthentication{{Source: UserSourceOauth}, {Source: UserSourceDatabase}}
|
||||
newUser.PersistLocalChanges = true
|
||||
newUser.Disabled = nil
|
||||
newUser.Lastname = ""
|
||||
newUser.Notes = "notes can be changed"
|
||||
assert.NoError(t, user.EditAllowed(newUser))
|
||||
|
||||
newUser.Disabled = &time.Time{}
|
||||
assert.NoError(t, user.EditAllowed(newUser))
|
||||
|
||||
newUser.Lastname = "lastname or other fields can be changed"
|
||||
assert.NoError(t, user.EditAllowed(newUser))
|
||||
}
|
||||
|
||||
func TestUser_DeleteAllowed(t *testing.T) {
|
||||
@@ -95,13 +115,15 @@ func TestUser_CheckPassword(t *testing.T) {
|
||||
password := "password"
|
||||
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
||||
|
||||
user := &User{Source: UserSourceDatabase, Password: PrivateString(hashedPassword)}
|
||||
user := &User{
|
||||
Authentications: []UserAuthentication{{Source: UserSourceDatabase}}, Password: PrivateString(hashedPassword),
|
||||
}
|
||||
assert.NoError(t, user.CheckPassword(password))
|
||||
|
||||
user.Password = ""
|
||||
assert.Error(t, user.CheckPassword(password))
|
||||
|
||||
user.Source = UserSourceLdap
|
||||
user.Authentications = []UserAuthentication{{Source: UserSourceLdap}}
|
||||
assert.Error(t, user.CheckPassword(password))
|
||||
}
|
||||
|
||||
|
||||
@@ -168,3 +168,12 @@ func BoolToFloat64(b bool) float64 {
|
||||
}
|
||||
return 0.0
|
||||
}
|
||||
|
||||
// Map applies the given function to each element of the given slice and returns the resulting slice
|
||||
func Map[T, V any](ts []T, fn func(T) V) []V {
|
||||
result := make([]V, len(ts))
|
||||
for i, t := range ts {
|
||||
result[i] = fn(t)
|
||||
}
|
||||
return result
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user