Mirrors/wg-portal
1
0
Fork 0
mirror of https://github.com/h44z/wg-portal.git synced 2026-01-29 06:36:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: allow multiple auth sources per user (#500,#477) (#612)

Browse Source 
* feat: allow multiple auth sources per user (#500,#477)

* only override isAdmin flag if it is provided by the authentication source
This commit is contained in:
h44z
2026-01-21 22:22:22 +01:00
committed by GitHub
parent d2fe267be7
commit e0f6c1d04b
44 changed files with 1158 additions and 798 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
internal/app/api/core/assets/doc/v0_swagger.json
View File

@@ -2676,6 +2676,12 @@
"ApiTokenCreated": {
"type": "string"
},
"AuthSources": {
"type": "array",
"items": {
"type": "string"
}
},
"Department": {
"type": "string"
},
@@ -2719,14 +2725,11 @@
"PeerCount": {
"type": "integer"
},
"PersistLocalChanges": {
"type": "boolean"
},
"Phone": {
"type": "string"
},
"ProviderName": {
"type": "string"
},
"Source": {
"type": "string"
}
}
},

10
internal/app/api/core/assets/doc/v0_swagger.yaml
View File

@@ -431,6 +431,10 @@ definitions:
type: string
ApiTokenCreated:
type: string
AuthSources:
items:
type: string
type: array
Department:
type: string
Disabled:
@@ -461,12 +465,10 @@ definitions:
type: string
PeerCount:
type: integer
PersistLocalChanges:
type: boolean
Phone:
type: string
ProviderName:
type: string
Source:
type: string
type: object
model.WebAuthnCredentialRequest:
properties:

32
internal/app/api/core/assets/doc/v1_swagger.json
View File

@@ -2132,6 +2132,22 @@
"minLength": 32,
"example": ""
},
"AuthSources": {
"description": "The source of the user. This field is optional.",
"type": "array",
"items": {
"type": "string",
"enum": [
"db",
"ldap",
"oauth"
]
},
"readOnly": true,
"example": [
"db"
]
},
"Department": {
"description": "The department of the user. This field is optional.",
"type": "string",
@@ -2205,22 +2221,6 @@
"description": "The phone number of the user. This field is optional.",
"type": "string",
"example": "+1234546789"
},
"ProviderName": {
"description": "The name of the authentication provider. This field is read-only.",
"type": "string",
"readOnly": true,
"example": ""
},
"Source": {
"description": "The source of the user. This field is optional.",
"type": "string",
"enum": [
"db",
"ldap",
"oauth"
],
"example": "db"
}
}
},

25
internal/app/api/core/assets/doc/v1_swagger.yaml
View File

@@ -490,6 +490,18 @@ definitions:
maxLength: 64
minLength: 32
type: string
AuthSources:
description: The source of the user. This field is optional.
example:
- db
items:
enum:
- db
- ldap
- oauth
type: string
readOnly: true
type: array
Department:
description: The department of the user. This field is optional.
example: Software Development
@@ -552,19 +564,6 @@ definitions:
description: The phone number of the user. This field is optional.
example: "+1234546789"
type: string
ProviderName:
description: The name of the authentication provider. This field is read-only.
example: ""
readOnly: true
type: string
Source:
description: The source of the user. This field is optional.
enum:
- db
- ldap
- oauth
example: db
type: string
required:
- Identifier
type: object

7
internal/app/api/v0/backend/user_service.go
View File

@@ -3,6 +3,7 @@ package backend
import (
"context"
"fmt"
"slices"
"strings"
"github.com/h44z/wg-portal/internal/config"
@@ -95,8 +96,10 @@ func (u UserService) ChangePassword(
}
// ensure that the user uses the database backend; otherwise we can't change the password
if user.Source != domain.UserSourceDatabase {
return nil, fmt.Errorf("user source %s does not support password changes", user.Source)
if !slices.ContainsFunc(user.Authentications, func(authentication domain.UserAuthentication) bool {
return authentication.Source == domain.UserSourceDatabase
}) {
return nil, fmt.Errorf("user has no linked authentication source that does support password changes")
}
// validate old password

81
internal/app/api/v0/model/models_user.go
View File

@@ -3,15 +3,15 @@ package model
import (
"time"
"github.com/h44z/wg-portal/internal"
"github.com/h44z/wg-portal/internal/domain"
)
type User struct {
Identifier string `json:"Identifier"`
Email string `json:"Email"`
Source string `json:"Source"`
ProviderName string `json:"ProviderName"`
IsAdmin bool `json:"IsAdmin"`
Identifier string `json:"Identifier"`
Email string `json:"Email"`
AuthSources []string `json:"AuthSources"`
IsAdmin bool `json:"IsAdmin"`
Firstname string `json:"Firstname"`
Lastname string `json:"Lastname"`
@@ -29,6 +29,8 @@ type User struct {
ApiTokenCreated *time.Time `json:"ApiTokenCreated,omitempty"`
ApiEnabled bool `json:"ApiEnabled"`
PersistLocalChanges bool `json:"PersistLocalChanges"`
// Calculated
PeerCount int `json:"PeerCount"`
@@ -36,24 +38,26 @@ type User struct {
func NewUser(src *domain.User, exposeCreds bool) *User {
u := &User{
Identifier: string(src.Identifier),
Email: src.Email,
Source: string(src.Source),
ProviderName: src.ProviderName,
IsAdmin: src.IsAdmin,
Firstname: src.Firstname,
Lastname: src.Lastname,
Phone: src.Phone,
Department: src.Department,
Notes: src.Notes,
Password: "", // never fill password
Disabled: src.IsDisabled(),
DisabledReason: src.DisabledReason,
Locked: src.IsLocked(),
LockedReason: src.LockedReason,
ApiToken: "", // by default, do not expose API token
ApiTokenCreated: src.ApiTokenCreated,
ApiEnabled: src.IsApiEnabled(),
Identifier: string(src.Identifier),
Email: src.Email,
AuthSources: internal.Map(src.Authentications, func(authentication domain.UserAuthentication) string {
return string(authentication.Source)
}),
IsAdmin: src.IsAdmin,
Firstname: src.Firstname,
Lastname: src.Lastname,
Phone: src.Phone,
Department: src.Department,
Notes: src.Notes,
Password: "", // never fill password
Disabled: src.IsDisabled(),
DisabledReason: src.DisabledReason,
Locked: src.IsLocked(),
LockedReason: src.LockedReason,
ApiToken: "", // by default, do not expose API token
ApiTokenCreated: src.ApiTokenCreated,
ApiEnabled: src.IsApiEnabled(),
PersistLocalChanges: src.PersistLocalChanges,
PeerCount: src.LinkedPeerCount,
}
@@ -77,22 +81,21 @@ func NewUsers(src []domain.User) []User {
func NewDomainUser(src *User) *domain.User {
now := time.Now()
res := &domain.User{
Identifier: domain.UserIdentifier(src.Identifier),
Email: src.Email,
Source: domain.UserSource(src.Source),
ProviderName: src.ProviderName,
IsAdmin: src.IsAdmin,
Firstname: src.Firstname,
Lastname: src.Lastname,
Phone: src.Phone,
Department: src.Department,
Notes: src.Notes,
Password: domain.PrivateString(src.Password),
Disabled: nil, // set below
DisabledReason: src.DisabledReason,
Locked: nil, // set below
LockedReason: src.LockedReason,
LinkedPeerCount: src.PeerCount,
Identifier: domain.UserIdentifier(src.Identifier),
Email: src.Email,
IsAdmin: src.IsAdmin,
Firstname: src.Firstname,
Lastname: src.Lastname,
Phone: src.Phone,
Department: src.Department,
Notes: src.Notes,
Password: domain.PrivateString(src.Password),
Disabled: nil, // set below
DisabledReason: src.DisabledReason,
Locked: nil, // set below
LockedReason: src.LockedReason,
LinkedPeerCount: src.PeerCount,
PersistLocalChanges: src.PersistLocalChanges,
}
if src.Disabled {

16
internal/app/api/v1/models/models_user.go
View File

@@ -3,6 +3,7 @@ package models
import (
"time"
"github.com/h44z/wg-portal/internal"
"github.com/h44z/wg-portal/internal/domain"
)
@@ -13,9 +14,7 @@ type User struct {
// The email address of the user. This field is optional.
Email string `json:"Email" binding:"omitempty,email" example:"test@test.com"`
// The source of the user. This field is optional.
Source string `json:"Source" binding:"oneof=db ldap oauth" example:"db"`
// The name of the authentication provider. This field is read-only.
ProviderName string `json:"ProviderName,omitempty" readonly:"true" example:""`
AuthSources []string `json:"AuthSources" readonly:"true" binding:"oneof=db ldap oauth" example:"db"`
// If this field is set, the user is an admin.
IsAdmin bool `json:"IsAdmin" example:"false"`
@@ -52,10 +51,11 @@ type User struct {
func NewUser(src *domain.User, exposeCredentials bool) *User {
u := &User{
Identifier: string(src.Identifier),
Email: src.Email,
Source: string(src.Source),
ProviderName: src.ProviderName,
Identifier: string(src.Identifier),
Email: src.Email,
AuthSources: internal.Map(src.Authentications, func(authentication domain.UserAuthentication) string {
return string(authentication.Source)
}),
IsAdmin: src.IsAdmin,
Firstname: src.Firstname,
Lastname: src.Lastname,
@@ -93,8 +93,6 @@ func NewDomainUser(src *User) *domain.User {
res := &domain.User{
Identifier: domain.UserIdentifier(src.Identifier),
Email: src.Email,
Source: domain.UserSource(src.Source),
ProviderName: src.ProviderName,
IsAdmin: src.IsAdmin,
Firstname: src.Firstname,
Lastname: src.Lastname,

2
internal/app/app.go
View File

@@ -129,8 +129,6 @@ func (a *App) createDefaultUser(ctx context.Context) error {
},
Identifier: adminUserId,
Email: "admin@wgportal.local",
Source: domain.UserSourceDatabase,
ProviderName: "",
IsAdmin: true,
Firstname: "WireGuard Portal",
Lastname: "Admin",

196
internal/app/auth/auth.go
View File

@@ -29,8 +29,8 @@ type UserManager interface {
GetUser(context.Context, domain.UserIdentifier) (*domain.User, error)
// RegisterUser creates a new user in the database.
RegisterUser(ctx context.Context, user *domain.User) error
// UpdateUser updates an existing user in the database.
UpdateUser(ctx context.Context, user *domain.User) (*domain.User, error)
// UpdateUserInternal updates an existing user in the database.
UpdateUserInternal(ctx context.Context, user *domain.User) (*domain.User, error)
}
type EventBus interface {
@@ -232,7 +232,7 @@ func (a *Authenticator) setupExternalAuthProviders(
}
for i := range ldap { // LDAP
providerCfg := &ldap[i]
providerId := strings.ToLower(providerCfg.URL)
providerId := strings.ToLower(providerCfg.ProviderName)
if _, exists := a.ldapAuthenticators[providerId]; exists {
// this is an unrecoverable error, we cannot register the same provider twice
@@ -354,21 +354,45 @@ func (a *Authenticator) passwordAuthentication(
var ldapProvider AuthenticatorLdap
var userInDatabase = false
var userSource domain.UserSource
existingUser, err := a.users.GetUser(ctx, identifier)
if err == nil {
userInDatabase = true
userSource = existingUser.Source
}
if userInDatabase && (existingUser.IsLocked() || existingUser.IsDisabled()) {
return nil, errors.New("user is locked")
}
if !userInDatabase || userSource == domain.UserSourceLdap {
// search user in ldap if registration is enabled
authOK := false
if userInDatabase {
// User is already in db, search for authentication sources which support password authentication and
// validate the password.
for _, authentication := range existingUser.Authentications {
if authentication.Source == domain.UserSourceDatabase {
err := existingUser.CheckPassword(password)
if err == nil {
authOK = true
break
}
}
if authentication.Source == domain.UserSourceLdap {
ldapProvider, ok := a.ldapAuthenticators[strings.ToLower(authentication.ProviderName)]
if !ok {
continue // ldap provider not found, skip further checks
}
err := ldapProvider.PlaintextAuthentication(identifier, password)
if err == nil {
authOK = true
break
}
}
}
} else {
// User is not yet in the db, check ldap providers which have registration enabled.
// If the user is found, check the password - on success, sync it to the db.
for _, ldapAuth := range a.ldapAuthenticators {
if !userInDatabase && !ldapAuth.RegistrationEnabled() {
continue
if !ldapAuth.RegistrationEnabled() {
continue // ldap provider does not support registration, skip further checks
}
rawUserInfo, err := ldapAuth.GetUserInfo(context.Background(), identifier)
@@ -379,55 +403,39 @@ func (a *Authenticator) passwordAuthentication(
}
continue // user not found / other ldap error
}
// user found, check if the password is correct
err = ldapAuth.PlaintextAuthentication(identifier, password)
if err != nil {
continue // password is incorrect, skip further checks
}
// create a new user in the db
ldapUserInfo, err = ldapAuth.ParseUserInfo(rawUserInfo)
if err != nil {
slog.Error("failed to parse ldap user info",
"source", ldapAuth.GetName(), "identifier", identifier, "error", err)
continue
}
user, err := a.processUserInfo(ctx, ldapUserInfo, domain.UserSourceLdap, ldapProvider.GetName(), true)
if err != nil {
return nil, fmt.Errorf("unable to process user information: %w", err)
}
// ldap user found
userSource = domain.UserSourceLdap
ldapProvider = ldapAuth
existingUser = user
slog.Debug("created new LDAP user in db",
"identifier", user.Identifier, "provider", ldapProvider.GetName())
authOK = true
break
}
}
if userSource == "" {
slog.Warn("no user source found for user",
"identifier", identifier, "ldapProviderCount", len(a.ldapAuthenticators), "inDb", userInDatabase)
return nil, errors.New("user not found")
if !authOK {
return nil, errors.New("failed to authenticate user")
}
if userSource == domain.UserSourceLdap && ldapProvider == nil {
slog.Warn("no ldap provider found for user",
"identifier", identifier, "ldapProviderCount", len(a.ldapAuthenticators), "inDb", userInDatabase)
return nil, errors.New("ldap provider not found")
}
switch userSource {
case domain.UserSourceDatabase:
err = existingUser.CheckPassword(password)
case domain.UserSourceLdap:
err = ldapProvider.PlaintextAuthentication(identifier, password)
default:
err = errors.New("no authentication backend available")
}
if err != nil {
return nil, fmt.Errorf("failed to authenticate: %w", err)
}
if !userInDatabase {
user, err := a.processUserInfo(ctx, ldapUserInfo, domain.UserSourceLdap, ldapProvider.GetName(),
ldapProvider.RegistrationEnabled())
if err != nil {
return nil, fmt.Errorf("unable to process user information: %w", err)
}
return user, nil
} else {
return existingUser, nil
}
return existingUser, nil
}
// endregion password authentication
@@ -590,17 +598,34 @@ func (a *Authenticator) registerNewUser(
source domain.UserSource,
provider string,
) (*domain.User, error) {
ctxUserInfo := domain.GetUserInfo(ctx)
now := time.Now()
// convert user info to domain.User
user := &domain.User{
Identifier: userInfo.Identifier,
Email: userInfo.Email,
Source: source,
ProviderName: provider,
IsAdmin: userInfo.IsAdmin,
Firstname: userInfo.Firstname,
Lastname: userInfo.Lastname,
Phone: userInfo.Phone,
Department: userInfo.Department,
Identifier: userInfo.Identifier,
Email: userInfo.Email,
IsAdmin: false,
Firstname: userInfo.Firstname,
Lastname: userInfo.Lastname,
Phone: userInfo.Phone,
Department: userInfo.Department,
Authentications: []domain.UserAuthentication{
{
BaseModel: domain.BaseModel{
CreatedBy: ctxUserInfo.UserId(),
UpdatedBy: ctxUserInfo.UserId(),
CreatedAt: now,
UpdatedAt: now,
},
UserIdentifier: userInfo.Identifier,
Source: source,
ProviderName: provider,
},
},
}
if userInfo.AdminInfoAvailable && userInfo.IsAdmin {
user.IsAdmin = true
}
err := a.users.RegisterUser(ctx, user)
@@ -610,6 +635,7 @@ func (a *Authenticator) registerNewUser(
slog.Debug("registered user from external authentication provider",
"user", user.Identifier,
"adminInfoAvailable", userInfo.AdminInfoAvailable,
"isAdmin", user.IsAdmin,
"provider", source)
@@ -643,6 +669,39 @@ func (a *Authenticator) updateExternalUser(
return nil // user is locked or disabled, do not update
}
// Update authentication sources
foundAuthSource := false
for _, auth := range existingUser.Authentications {
if auth.Source == source && auth.ProviderName == provider {
foundAuthSource = true
break
}
}
if !foundAuthSource {
ctxUserInfo := domain.GetUserInfo(ctx)
now := time.Now()
existingUser.Authentications = append(existingUser.Authentications, domain.UserAuthentication{
BaseModel: domain.BaseModel{
CreatedBy: ctxUserInfo.UserId(),
UpdatedBy: ctxUserInfo.UserId(),
CreatedAt: now,
UpdatedAt: now,
},
UserIdentifier: existingUser.Identifier,
Source: source,
ProviderName: provider,
})
}
if existingUser.PersistLocalChanges {
if !foundAuthSource {
// Even if local changes are persisted, we need to save the new authentication source
_, err := a.users.UpdateUserInternal(ctx, existingUser)
return err
}
return nil
}
isChanged := false
if existingUser.Email != userInfo.Email {
existingUser.Email = userInfo.Email
@@ -664,33 +723,24 @@ func (a *Authenticator) updateExternalUser(
existingUser.Department = userInfo.Department
isChanged = true
}
if existingUser.IsAdmin != userInfo.IsAdmin {
if userInfo.AdminInfoAvailable && existingUser.IsAdmin != userInfo.IsAdmin {
existingUser.IsAdmin = userInfo.IsAdmin
isChanged = true
}
if existingUser.Source != source {
existingUser.Source = source
isChanged = true
}
if existingUser.ProviderName != provider {
existingUser.ProviderName = provider
isChanged = true
}
if !isChanged {
return nil // nothing to update
}
if isChanged || !foundAuthSource {
_, err := a.users.UpdateUserInternal(ctx, existingUser)
if err != nil {
return fmt.Errorf("failed to update user: %w", err)
}
_, err := a.users.UpdateUser(ctx, existingUser)
if err != nil {
return fmt.Errorf("failed to update user: %w", err)
slog.Debug("updated user with data from external authentication provider",
"user", existingUser.Identifier,
"adminInfoAvailable", userInfo.AdminInfoAvailable,
"isAdmin", existingUser.IsAdmin,
"provider", source)
}
slog.Debug("updated user with data from external authentication provider",
"user", existingUser.Identifier,
"isAdmin", existingUser.IsAdmin,
"provider", source)
return nil
}

28
internal/app/auth/auth_ldap.go
View File

@@ -127,18 +127,26 @@ func (l LdapAuthenticator) GetUserInfo(_ context.Context, userId domain.UserIden
// ParseUserInfo parses the user information from the LDAP server into a domain.AuthenticatorUserInfo struct.
func (l LdapAuthenticator) ParseUserInfo(raw map[string]any) (*domain.AuthenticatorUserInfo, error) {
isAdmin, err := internal.LdapIsMemberOf(raw[l.cfg.FieldMap.GroupMembership].([][]byte), l.cfg.ParsedAdminGroupDN)
if err != nil {
return nil, fmt.Errorf("failed to check admin group: %w", err)
isAdmin := false
adminInfoAvailable := false
if l.cfg.FieldMap.GroupMembership != "" {
adminInfoAvailable = true
var err error
isAdmin, err = internal.LdapIsMemberOf(raw[l.cfg.FieldMap.GroupMembership].([][]byte), l.cfg.ParsedAdminGroupDN)
if err != nil {
return nil, fmt.Errorf("failed to check admin group: %w", err)
}
}
userInfo := &domain.AuthenticatorUserInfo{
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, l.cfg.FieldMap.UserIdentifier, "")),
Email: internal.MapDefaultString(raw, l.cfg.FieldMap.Email, ""),
Firstname: internal.MapDefaultString(raw, l.cfg.FieldMap.Firstname, ""),
Lastname: internal.MapDefaultString(raw, l.cfg.FieldMap.Lastname, ""),
Phone: internal.MapDefaultString(raw, l.cfg.FieldMap.Phone, ""),
Department: internal.MapDefaultString(raw, l.cfg.FieldMap.Department, ""),
IsAdmin: isAdmin,
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, l.cfg.FieldMap.UserIdentifier, "")),
Email: internal.MapDefaultString(raw, l.cfg.FieldMap.Email, ""),
Firstname: internal.MapDefaultString(raw, l.cfg.FieldMap.Firstname, ""),
Lastname: internal.MapDefaultString(raw, l.cfg.FieldMap.Lastname, ""),
Phone: internal.MapDefaultString(raw, l.cfg.FieldMap.Phone, ""),
Department: internal.MapDefaultString(raw, l.cfg.FieldMap.Department, ""),
IsAdmin: isAdmin,
AdminInfoAvailable: adminInfoAvailable,
}
return userInfo, nil

18
internal/app/auth/oauth_common.go
View File

@@ -15,9 +15,11 @@ func parseOauthUserInfo(
raw map[string]any,
) (*domain.AuthenticatorUserInfo, error) {
var isAdmin bool
var adminInfoAvailable bool
// first try to match the is_admin field against the given regex
if mapping.IsAdmin != "" {
adminInfoAvailable = true
re := adminMapping.GetAdminValueRegex()
if re.MatchString(strings.TrimSpace(internal.MapDefaultString(raw, mapping.IsAdmin, ""))) {
isAdmin = true
@@ -26,6 +28,7 @@ func parseOauthUserInfo(
// next try to parse the user's groups
if !isAdmin && mapping.UserGroups != "" && adminMapping.AdminGroupRegex != "" {
adminInfoAvailable = true
userGroups := internal.MapDefaultStringSlice(raw, mapping.UserGroups, nil)
re := adminMapping.GetAdminGroupRegex()
for _, group := range userGroups {
@@ -37,13 +40,14 @@ func parseOauthUserInfo(
}
userInfo := &domain.AuthenticatorUserInfo{
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
Email: internal.MapDefaultString(raw, mapping.Email, ""),
Firstname: internal.MapDefaultString(raw, mapping.Firstname, ""),
Lastname: internal.MapDefaultString(raw, mapping.Lastname, ""),
Phone: internal.MapDefaultString(raw, mapping.Phone, ""),
Department: internal.MapDefaultString(raw, mapping.Department, ""),
IsAdmin: isAdmin,
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
Email: internal.MapDefaultString(raw, mapping.Email, ""),
Firstname: internal.MapDefaultString(raw, mapping.Firstname, ""),
Lastname: internal.MapDefaultString(raw, mapping.Lastname, ""),
Phone: internal.MapDefaultString(raw, mapping.Phone, ""),
Department: internal.MapDefaultString(raw, mapping.Department, ""),
IsAdmin: isAdmin,
AdminInfoAvailable: adminInfoAvailable,
}
return userInfo, nil

12
internal/app/auth/webauthn.go
View File

@@ -23,8 +23,8 @@ type WebAuthnUserManager interface {
GetUser(context.Context, domain.UserIdentifier) (*domain.User, error)
// GetUserByWebAuthnCredential returns a user by its WebAuthn ID.
GetUserByWebAuthnCredential(ctx context.Context, credentialIdBase64 string) (*domain.User, error)
// UpdateUser updates an existing user in the database.
UpdateUser(ctx context.Context, user *domain.User) (*domain.User, error)
// UpdateUserInternal updates an existing user in the database.
UpdateUserInternal(ctx context.Context, user *domain.User) (*domain.User, error)
}
type WebAuthnAuthenticator struct {
@@ -89,7 +89,7 @@ func (a *WebAuthnAuthenticator) StartWebAuthnRegistration(ctx context.Context, u
if user.WebAuthnId == "" {
user.GenerateWebAuthnId()
user, err = a.users.UpdateUser(ctx, user)
user, err = a.users.UpdateUserInternal(ctx, user)
if err != nil {
return nil, nil, fmt.Errorf("failed to store webauthn id to user: %w", err)
}
@@ -150,7 +150,7 @@ func (a *WebAuthnAuthenticator) FinishWebAuthnRegistration(
return nil, err
}
user, err = a.users.UpdateUser(ctx, user)
user, err = a.users.UpdateUserInternal(ctx, user)
if err != nil {
return nil, err
}
@@ -181,7 +181,7 @@ func (a *WebAuthnAuthenticator) RemoveCredential(
}
user.RemoveCredential(credentialIdBase64)
user, err = a.users.UpdateUser(ctx, user)
user, err = a.users.UpdateUserInternal(ctx, user)
if err != nil {
return nil, err
}
@@ -205,7 +205,7 @@ func (a *WebAuthnAuthenticator) UpdateCredential(
return nil, err
}
user, err = a.users.UpdateUser(ctx, user)
user, err = a.users.UpdateUserInternal(ctx, user)
if err != nil {
return nil, err
}

35
internal/app/migrate_v1.go
View File

@@ -144,8 +144,6 @@ func migrateV1Users(oldDb, newDb *gorm.DB) error {
},
Identifier: domain.UserIdentifier(oldUser.Email),
Email: oldUser.Email,
Source: domain.UserSource(oldUser.Source),
ProviderName: "",
IsAdmin: oldUser.IsAdmin,
Firstname: oldUser.Firstname,
Lastname: oldUser.Lastname,
@@ -159,11 +157,25 @@ func migrateV1Users(oldDb, newDb *gorm.DB) error {
LockedReason: "",
LinkedPeerCount: 0,
}
if err := newDb.Create(&newUser).Error; err != nil {
return fmt.Errorf("failed to migrate user %s: %w", oldUser.Email, err)
}
authentication := domain.UserAuthentication{
BaseModel: domain.BaseModel{
CreatedBy: domain.CtxSystemV1Migrator,
UpdatedBy: domain.CtxSystemV1Migrator,
CreatedAt: oldUser.CreatedAt,
UpdatedAt: oldUser.UpdatedAt,
},
UserIdentifier: domain.UserIdentifier(oldUser.Email),
Source: domain.UserSource(oldUser.Source),
ProviderName: "", // unknown
}
if err := newDb.Create(&authentication).Error; err != nil {
return fmt.Errorf("failed to migrate user-authentication %s: %w", oldUser.Email, err)
}
slog.Debug("user migrated successfully", "identifier", newUser.Identifier)
}
@@ -346,8 +358,6 @@ func migrateV1Peers(oldDb, newDb *gorm.DB) error {
},
Identifier: domain.UserIdentifier(oldPeer.Email),
Email: oldPeer.Email,
Source: domain.UserSourceDatabase,
ProviderName: "",
IsAdmin: false,
Locked: &now,
LockedReason: domain.DisabledReasonMigrationDummy,
@@ -358,6 +368,21 @@ func migrateV1Peers(oldDb, newDb *gorm.DB) error {
return fmt.Errorf("failed to migrate dummy user %s: %w", oldPeer.Email, err)
}
authentication := domain.UserAuthentication{
BaseModel: domain.BaseModel{
CreatedBy: domain.CtxSystemV1Migrator,
UpdatedBy: domain.CtxSystemV1Migrator,
CreatedAt: now,
UpdatedAt: now,
},
UserIdentifier: domain.UserIdentifier(oldPeer.Email),
Source: domain.UserSourceDatabase,
ProviderName: "", // unknown
}
if err := newDb.Create(&authentication).Error; err != nil {
return fmt.Errorf("failed to migrate dummy user-authentication %s: %w", oldPeer.Email, err)
}
slog.Debug("dummy user migrated successfully", "identifier", user.Identifier)
}
newPeer := domain.Peer{

36
internal/app/users/ldap_helper.go
View File

@@ -2,6 +2,7 @@ package users
import (
"fmt"
"slices"
"strings"
"time"
@@ -25,6 +26,8 @@ func convertRawLdapUser(
return nil, fmt.Errorf("failed to check admin group: %w", err)
}
uid := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
return &domain.User{
BaseModel: domain.BaseModel{
CreatedBy: domain.CtxSystemLdapSyncer,
@@ -32,18 +35,23 @@ func convertRawLdapUser(
CreatedAt: now,
UpdatedAt: now,
},
Identifier: domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, "")),
Email: strings.ToLower(internal.MapDefaultString(rawUser, fields.Email, "")),
Source: domain.UserSourceLdap,
ProviderName: providerName,
IsAdmin: isAdmin,
Firstname: internal.MapDefaultString(rawUser, fields.Firstname, ""),
Lastname: internal.MapDefaultString(rawUser, fields.Lastname, ""),
Phone: internal.MapDefaultString(rawUser, fields.Phone, ""),
Department: internal.MapDefaultString(rawUser, fields.Department, ""),
Notes: "",
Password: "",
Disabled: nil,
Identifier: uid,
Email: strings.ToLower(internal.MapDefaultString(rawUser, fields.Email, "")),
IsAdmin: isAdmin,
Authentications: []domain.UserAuthentication{
{
UserIdentifier: uid,
Source: domain.UserSourceLdap,
ProviderName: providerName,
},
},
Firstname: internal.MapDefaultString(rawUser, fields.Firstname, ""),
Lastname: internal.MapDefaultString(rawUser, fields.Lastname, ""),
Phone: internal.MapDefaultString(rawUser, fields.Phone, ""),
Department: internal.MapDefaultString(rawUser, fields.Department, ""),
Notes: "",
Password: "",
Disabled: nil,
}, nil
}
@@ -72,7 +80,9 @@ func userChangedInLdap(dbUser, ldapUser *domain.User) bool {
return true
}
if dbUser.ProviderName != ldapUser.ProviderName {
if !slices.ContainsFunc(dbUser.Authentications, func(authentication domain.UserAuthentication) bool {
return authentication.Source == ldapUser.Authentications[0].Source
}) {
return true
}

239
internal/app/users/ldap_sync.go Normal file
View File

@@ -0,0 +1,239 @@
package users
import (
"context"
"errors"
"fmt"
"log/slog"
"time"
"github.com/go-ldap/ldap/v3"
"github.com/h44z/wg-portal/internal"
"github.com/h44z/wg-portal/internal/app"
"github.com/h44z/wg-portal/internal/config"
"github.com/h44z/wg-portal/internal/domain"
)
func (m Manager) runLdapSynchronizationService(ctx context.Context) {
ctx = domain.SetUserInfo(ctx, domain.LdapSyncContextUserInfo()) // switch to service context for LDAP sync
for _, ldapCfg := range m.cfg.Auth.Ldap { // LDAP Auth providers
go func(cfg config.LdapProvider) {
syncInterval := cfg.SyncInterval
if syncInterval == 0 {
slog.Debug("sync disabled for LDAP server", "provider", cfg.ProviderName)
return
}
// perform initial sync
err := m.synchronizeLdapUsers(ctx, &cfg)
if err != nil {
slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
} else {
slog.Debug("initial LDAP user sync completed", "provider", cfg.ProviderName)
}
// start periodic sync
running := true
for running {
select {
case <-ctx.Done():
running = false
continue
case <-time.After(syncInterval):
// select blocks until one of the cases evaluate to true
}
err := m.synchronizeLdapUsers(ctx, &cfg)
if err != nil {
slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
}
}
}(ldapCfg)
}
}
func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.LdapProvider) error {
slog.Debug("starting to synchronize users", "provider", provider.ProviderName)
dn, err := ldap.ParseDN(provider.AdminGroupDN)
if err != nil {
return fmt.Errorf("failed to parse admin group DN: %w", err)
}
provider.ParsedAdminGroupDN = dn
conn, err := internal.LdapConnect(provider)
if err != nil {
return fmt.Errorf("failed to setup LDAP connection: %w", err)
}
defer internal.LdapDisconnect(conn)
rawUsers, err := internal.LdapFindAllUsers(conn, provider.BaseDN, provider.SyncFilter, &provider.FieldMap)
if err != nil {
return err
}
slog.Debug("fetched raw ldap users", "count", len(rawUsers), "provider", provider.ProviderName)
// Update existing LDAP users
err = m.updateLdapUsers(ctx, provider, rawUsers, &provider.FieldMap, provider.ParsedAdminGroupDN)
if err != nil {
return err
}
// Disable missing LDAP users
if provider.DisableMissing {
err = m.disableMissingLdapUsers(ctx, provider.ProviderName, rawUsers, &provider.FieldMap)
if err != nil {
return err
}
}
return nil
}
func (m Manager) updateLdapUsers(
ctx context.Context,
provider *config.LdapProvider,
rawUsers []internal.RawLdapUser,
fields *config.LdapFields,
adminGroupDN *ldap.DN,
) error {
for _, rawUser := range rawUsers {
user, err := convertRawLdapUser(provider.ProviderName, rawUser, fields, adminGroupDN)
if err != nil && !errors.Is(err, domain.ErrNotFound) {
return fmt.Errorf("failed to convert LDAP data for %v: %w", rawUser["dn"], err)
}
if provider.SyncLogUserInfo {
slog.Debug("ldap user data",
"raw-user", rawUser, "user", user.Identifier,
"is-admin", user.IsAdmin, "provider", provider.ProviderName)
}
existingUser, err := m.users.GetUser(ctx, user.Identifier)
if err != nil && !errors.Is(err, domain.ErrNotFound) {
return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
}
tctx, cancel := context.WithTimeout(ctx, 30*time.Second)
tctx = domain.SetUserInfo(tctx, domain.SystemAdminContextUserInfo())
if existingUser == nil {
// create new user
slog.Debug("creating new user from provider", "user", user.Identifier, "provider", provider.ProviderName)
_, err := m.create(tctx, user)
if err != nil {
cancel()
return fmt.Errorf("create error for user id %s: %w", user.Identifier, err)
}
} else {
// update existing user
if provider.AutoReEnable && existingUser.DisabledReason == domain.DisabledReasonLdapMissing {
user.Disabled = nil
user.DisabledReason = ""
} else {
user.Disabled = existingUser.Disabled
user.DisabledReason = existingUser.DisabledReason
}
if existingUser.PersistLocalChanges {
cancel()
continue // skip synchronization for this user
}
if userChangedInLdap(existingUser, user) {
syncedUser, err := m.users.GetUser(ctx, user.Identifier)
if err != nil && !errors.Is(err, domain.ErrNotFound) {
cancel()
return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
}
syncedUser.UpdatedAt = time.Now()
syncedUser.UpdatedBy = domain.CtxSystemLdapSyncer
syncedUser.MergeAuthSources(user.Authentications...)
syncedUser.Email = user.Email
syncedUser.Firstname = user.Firstname
syncedUser.Lastname = user.Lastname
syncedUser.Phone = user.Phone
syncedUser.Department = user.Department
syncedUser.IsAdmin = user.IsAdmin
syncedUser.Disabled = user.Disabled
syncedUser.DisabledReason = user.DisabledReason
_, err = m.update(tctx, existingUser, syncedUser, false)
if err != nil {
cancel()
return fmt.Errorf("update error for user id %s: %w", user.Identifier, err)
}
}
}
cancel()
}
return nil
}
func (m Manager) disableMissingLdapUsers(
ctx context.Context,
providerName string,
rawUsers []internal.RawLdapUser,
fields *config.LdapFields,
) error {
allUsers, err := m.users.GetAllUsers(ctx)
if err != nil {
return err
}
for _, user := range allUsers {
userHasAuthSource := false
for _, auth := range user.Authentications {
if auth.Source == domain.UserSourceLdap && auth.ProviderName == providerName {
userHasAuthSource = true
break
}
}
if !userHasAuthSource {
continue // ignore non ldap users
}
if user.IsDisabled() {
continue // ignore deactivated
}
if user.PersistLocalChanges {
continue // skip sync for this user
}
existsInLDAP := false
for _, rawUser := range rawUsers {
userId := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
if user.Identifier == userId {
existsInLDAP = true
break
}
}
if existsInLDAP {
continue
}
slog.Debug("user is missing in ldap provider, disabling", "user", user.Identifier, "provider", providerName)
now := time.Now()
user.Disabled = &now
user.DisabledReason = domain.DisabledReasonLdapMissing
err := m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
u.Disabled = user.Disabled
u.DisabledReason = user.DisabledReason
return u, nil
})
if err != nil {
return fmt.Errorf("disable error for user id %s: %w", user.Identifier, err)
}
m.bus.Publish(app.TopicUserDisabled, user)
}
return nil
}

415
internal/app/users/user_manager.go
View File

@@ -4,15 +4,12 @@ import (
"context"
"errors"
"fmt"
"log/slog"
"math"
"sync"
"time"
"github.com/go-ldap/ldap/v3"
"github.com/google/uuid"
"github.com/h44z/wg-portal/internal"
"github.com/h44z/wg-portal/internal/app"
"github.com/h44z/wg-portal/internal/config"
"github.com/h44z/wg-portal/internal/domain"
@@ -79,7 +76,7 @@ func (m Manager) RegisterUser(ctx context.Context, user *domain.User) error {
return err
}
createdUser, err := m.CreateUser(ctx, user)
createdUser, err := m.create(ctx, user)
if err != nil {
return err
}
@@ -101,20 +98,11 @@ func (m Manager) GetUser(ctx context.Context, id domain.UserIdentifier) (*domain
return nil, err
}
user, err := m.users.GetUser(ctx, id)
if err != nil {
return nil, fmt.Errorf("unable to load user %s: %w", id, err)
}
peers, _ := m.peers.GetUserPeers(ctx, id) // ignore error, list will be empty in error case
user.LinkedPeerCount = len(peers)
return user, nil
return m.getUser(ctx, id)
}
// GetUserByEmail returns the user with the given email address.
func (m Manager) GetUserByEmail(ctx context.Context, email string) (*domain.User, error) {
user, err := m.users.GetUserByEmail(ctx, email)
if err != nil {
return nil, fmt.Errorf("unable to load user for email %s: %w", email, err)
@@ -124,16 +112,11 @@ func (m Manager) GetUserByEmail(ctx context.Context, email string) (*domain.User
return nil, err
}
peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
user.LinkedPeerCount = len(peers)
return user, nil
return m.enrichUser(ctx, user), nil
}
// GetUserByWebAuthnCredential returns the user for the given WebAuthn credential.
func (m Manager) GetUserByWebAuthnCredential(ctx context.Context, credentialIdBase64 string) (*domain.User, error) {
user, err := m.users.GetUserByWebAuthnCredential(ctx, credentialIdBase64)
if err != nil {
return nil, fmt.Errorf("unable to load user for webauthn credential %s: %w", credentialIdBase64, err)
@@ -143,11 +126,7 @@ func (m Manager) GetUserByWebAuthnCredential(ctx context.Context, credentialIdBa
return nil, err
}
peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
user.LinkedPeerCount = len(peers)
return user, nil
return m.enrichUser(ctx, user), nil
}
// GetAllUsers returns all users.
@@ -169,8 +148,7 @@ func (m Manager) GetAllUsers(ctx context.Context) ([]domain.User, error) {
go func() {
defer wg.Done()
for user := range ch {
peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
user.LinkedPeerCount = len(peers)
m.enrichUser(ctx, user)
}
}()
}
@@ -194,77 +172,29 @@ func (m Manager) UpdateUser(ctx context.Context, user *domain.User) (*domain.Use
return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
}
if err := m.validateModifications(ctx, existingUser, user); err != nil {
return nil, fmt.Errorf("update not allowed: %w", err)
}
user.CopyCalculatedAttributes(existingUser, true) // ensure that crucial attributes stay the same
user.CopyCalculatedAttributes(existingUser)
err = user.HashPassword()
return m.update(ctx, existingUser, user, true)
}
// UpdateUserInternal updates the user with the given identifier. This function must never be called from external.
// This function allows to override authentications and webauthn credentials.
func (m Manager) UpdateUserInternal(ctx context.Context, user *domain.User) (*domain.User, error) {
existingUser, err := m.users.GetUser(ctx, user.Identifier)
if err != nil {
return nil, err
}
if user.Password == "" { // keep old password
user.Password = existingUser.Password
return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
}
err = m.users.SaveUser(ctx, existingUser.Identifier, func(u *domain.User) (*domain.User, error) {
user.CopyCalculatedAttributes(u)
return user, nil
})
if err != nil {
return nil, fmt.Errorf("update failure: %w", err)
}
m.bus.Publish(app.TopicUserUpdated, *user)
switch {
case !existingUser.IsDisabled() && user.IsDisabled():
m.bus.Publish(app.TopicUserDisabled, *user)
case existingUser.IsDisabled() && !user.IsDisabled():
m.bus.Publish(app.TopicUserEnabled, *user)
}
return user, nil
return m.update(ctx, existingUser, user, false)
}
// CreateUser creates a new user.
func (m Manager) CreateUser(ctx context.Context, user *domain.User) (*domain.User, error) {
if user.Identifier == "" {
return nil, errors.New("missing user identifier")
}
if err := domain.ValidateAdminAccessRights(ctx); err != nil {
return nil, err
}
existingUser, err := m.users.GetUser(ctx, user.Identifier)
if err != nil && !errors.Is(err, domain.ErrNotFound) {
return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
}
if existingUser != nil {
return nil, errors.Join(fmt.Errorf("user %s already exists", user.Identifier), domain.ErrDuplicateEntry)
}
if err := m.validateCreation(ctx, user); err != nil {
return nil, fmt.Errorf("creation not allowed: %w", err)
}
err = user.HashPassword()
if err != nil {
return nil, err
}
err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
user.CopyCalculatedAttributes(u)
return user, nil
})
if err != nil {
return nil, fmt.Errorf("creation failure: %w", err)
}
m.bus.Publish(app.TopicUserCreated, *user)
return user, nil
return m.create(ctx, user)
}
// DeleteUser deletes the user with the given identifier.
@@ -307,15 +237,10 @@ func (m Manager) ActivateApi(ctx context.Context, id domain.UserIdentifier) (*do
user.ApiToken = uuid.New().String()
user.ApiTokenCreated = &now
err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
user.CopyCalculatedAttributes(u)
return user, nil
})
user, err = m.update(ctx, user, user, true) // self-update
if err != nil {
return nil, fmt.Errorf("update failure: %w", err)
return nil, err
}
m.bus.Publish(app.TopicUserUpdated, *user)
m.bus.Publish(app.TopicUserApiEnabled, *user)
return user, nil
@@ -335,15 +260,10 @@ func (m Manager) DeactivateApi(ctx context.Context, id domain.UserIdentifier) (*
user.ApiToken = ""
user.ApiTokenCreated = nil
err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
user.CopyCalculatedAttributes(u)
return user, nil
})
user, err = m.update(ctx, user, user, true) // self-update
if err != nil {
return nil, fmt.Errorf("update failure: %w", err)
return nil, err
}
m.bus.Publish(app.TopicUserUpdated, *user)
m.bus.Publish(app.TopicUserApiDisabled, *user)
return user, nil
@@ -380,10 +300,6 @@ func (m Manager) validateModifications(ctx context.Context, old, new *domain.Use
return fmt.Errorf("cannot lock own user: %w", domain.ErrInvalidData)
}
if old.Source != new.Source {
return fmt.Errorf("cannot change user source: %w", domain.ErrInvalidData)
}
return nil
}
@@ -414,14 +330,19 @@ func (m Manager) validateCreation(ctx context.Context, new *domain.User) error {
return fmt.Errorf("reserved user identifier: %w", domain.ErrInvalidData)
}
if len(new.Authentications) != 1 {
return fmt.Errorf("invalid number of authentications: %d, expected 1: %w",
len(new.Authentications), domain.ErrInvalidData)
}
// Admins are allowed to create users for arbitrary sources.
if new.Source != domain.UserSourceDatabase && !currentUser.IsAdmin {
if new.Authentications[0].Source != domain.UserSourceDatabase && !currentUser.IsAdmin {
return fmt.Errorf("invalid user source: %s, only %s is allowed: %w",
new.Source, domain.UserSourceDatabase, domain.ErrInvalidData)
new.Authentications[0].Source, domain.UserSourceDatabase, domain.ErrInvalidData)
}
// database users must have a password
if new.Source == domain.UserSourceDatabase && string(new.Password) == "" {
if new.Authentications[0].Source == domain.UserSourceDatabase && string(new.Password) == "" {
return fmt.Errorf("missing password: %w", domain.ErrInvalidData)
}
@@ -460,214 +381,112 @@ func (m Manager) validateApiChange(ctx context.Context, user *domain.User) error
return nil
}
func (m Manager) runLdapSynchronizationService(ctx context.Context) {
ctx = domain.SetUserInfo(ctx, domain.LdapSyncContextUserInfo()) // switch to service context for LDAP sync
// region internal-modifiers
for _, ldapCfg := range m.cfg.Auth.Ldap { // LDAP Auth providers
go func(cfg config.LdapProvider) {
syncInterval := cfg.SyncInterval
if syncInterval == 0 {
slog.Debug("sync disabled for LDAP server", "provider", cfg.ProviderName)
return
}
// perform initial sync
err := m.synchronizeLdapUsers(ctx, &cfg)
if err != nil {
slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
} else {
slog.Debug("initial LDAP user sync completed", "provider", cfg.ProviderName)
}
// start periodic sync
running := true
for running {
select {
case <-ctx.Done():
running = false
continue
case <-time.After(syncInterval):
// select blocks until one of the cases evaluate to true
}
err := m.synchronizeLdapUsers(ctx, &cfg)
if err != nil {
slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
}
}
}(ldapCfg)
func (m Manager) enrichUser(ctx context.Context, user *domain.User) *domain.User {
if user == nil {
return nil
}
peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
user.LinkedPeerCount = len(peers)
return user
}
func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.LdapProvider) error {
slog.Debug("starting to synchronize users", "provider", provider.ProviderName)
dn, err := ldap.ParseDN(provider.AdminGroupDN)
func (m Manager) getUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error) {
user, err := m.users.GetUser(ctx, id)
if err != nil {
return fmt.Errorf("failed to parse admin group DN: %w", err)
return nil, fmt.Errorf("unable to load user %s: %w", id, err)
}
provider.ParsedAdminGroupDN = dn
conn, err := internal.LdapConnect(provider)
if err != nil {
return fmt.Errorf("failed to setup LDAP connection: %w", err)
}
defer internal.LdapDisconnect(conn)
rawUsers, err := internal.LdapFindAllUsers(conn, provider.BaseDN, provider.SyncFilter, &provider.FieldMap)
if err != nil {
return err
}
slog.Debug("fetched raw ldap users", "count", len(rawUsers), "provider", provider.ProviderName)
// Update existing LDAP users
err = m.updateLdapUsers(ctx, provider, rawUsers, &provider.FieldMap, provider.ParsedAdminGroupDN)
if err != nil {
return err
}
// Disable missing LDAP users
if provider.DisableMissing {
err = m.disableMissingLdapUsers(ctx, provider.ProviderName, rawUsers, &provider.FieldMap)
if err != nil {
return err
}
}
return nil
return m.enrichUser(ctx, user), nil
}
func (m Manager) updateLdapUsers(
ctx context.Context,
provider *config.LdapProvider,
rawUsers []internal.RawLdapUser,
fields *config.LdapFields,
adminGroupDN *ldap.DN,
) error {
for _, rawUser := range rawUsers {
user, err := convertRawLdapUser(provider.ProviderName, rawUser, fields, adminGroupDN)
if err != nil && !errors.Is(err, domain.ErrNotFound) {
return fmt.Errorf("failed to convert LDAP data for %v: %w", rawUser["dn"], err)
}
if provider.SyncLogUserInfo {
slog.Debug("ldap user data",
"raw-user", rawUser, "user", user.Identifier,
"is-admin", user.IsAdmin, "provider", provider.ProviderName)
}
existingUser, err := m.users.GetUser(ctx, user.Identifier)
if err != nil && !errors.Is(err, domain.ErrNotFound) {
return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
}
tctx, cancel := context.WithTimeout(ctx, 30*time.Second)
tctx = domain.SetUserInfo(tctx, domain.SystemAdminContextUserInfo())
if existingUser == nil {
// create new user
slog.Debug("creating new user from provider", "user", user.Identifier, "provider", provider.ProviderName)
_, err := m.CreateUser(tctx, user)
if err != nil {
cancel()
return fmt.Errorf("create error for user id %s: %w", user.Identifier, err)
}
} else {
// update existing user
if provider.AutoReEnable && existingUser.DisabledReason == domain.DisabledReasonLdapMissing {
user.Disabled = nil
user.DisabledReason = ""
} else {
user.Disabled = existingUser.Disabled
user.DisabledReason = existingUser.DisabledReason
}
if existingUser.Source == domain.UserSourceLdap && userChangedInLdap(existingUser, user) {
err := m.users.SaveUser(tctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
u.UpdatedAt = time.Now()
u.UpdatedBy = domain.CtxSystemLdapSyncer
u.Source = user.Source
u.ProviderName = user.ProviderName
u.Email = user.Email
u.Firstname = user.Firstname
u.Lastname = user.Lastname
u.Phone = user.Phone
u.Department = user.Department
u.IsAdmin = user.IsAdmin
u.Disabled = nil
u.DisabledReason = ""
return u, nil
})
if err != nil {
cancel()
return fmt.Errorf("update error for user id %s: %w", user.Identifier, err)
}
if existingUser.IsDisabled() && !user.IsDisabled() {
m.bus.Publish(app.TopicUserEnabled, *user)
}
}
}
cancel()
func (m Manager) update(ctx context.Context, existingUser, user *domain.User, keepAuthentications bool) (
*domain.User,
error,
) {
if err := m.validateModifications(ctx, existingUser, user); err != nil {
return nil, fmt.Errorf("update not allowed: %w", err)
}
return nil
err := user.HashPassword()
if err != nil {
return nil, err
}
if user.Password == "" { // keep old password
user.Password = existingUser.Password
}
err = m.users.SaveUser(ctx, existingUser.Identifier, func(u *domain.User) (*domain.User, error) {
user.CopyCalculatedAttributes(u, keepAuthentications)
return user, nil
})
if err != nil {
return nil, fmt.Errorf("update failure: %w", err)
}
m.bus.Publish(app.TopicUserUpdated, *user)
switch {
case !existingUser.IsDisabled() && user.IsDisabled():
m.bus.Publish(app.TopicUserDisabled, *user)
case existingUser.IsDisabled() && !user.IsDisabled():
m.bus.Publish(app.TopicUserEnabled, *user)
}
return user, nil
}
func (m Manager) disableMissingLdapUsers(
ctx context.Context,
providerName string,
rawUsers []internal.RawLdapUser,
fields *config.LdapFields,
) error {
allUsers, err := m.users.GetAllUsers(ctx)
if err != nil {
return err
func (m Manager) create(ctx context.Context, user *domain.User) (*domain.User, error) {
if user.Identifier == "" {
return nil, errors.New("missing user identifier")
}
for _, user := range allUsers {
if user.Source != domain.UserSourceLdap {
continue // ignore non ldap users
}
if user.ProviderName != providerName {
continue // user was synchronized through different provider
}
if user.IsDisabled() {
continue // ignore deactivated
}
existsInLDAP := false
for _, rawUser := range rawUsers {
userId := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
if user.Identifier == userId {
existsInLDAP = true
break
}
}
if existsInLDAP {
continue
}
slog.Debug("user is missing in ldap provider, disabling", "user", user.Identifier, "provider", providerName)
existingUser, err := m.users.GetUser(ctx, user.Identifier)
if err != nil && !errors.Is(err, domain.ErrNotFound) {
return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
}
if existingUser != nil {
return nil, errors.Join(fmt.Errorf("user %s already exists", user.Identifier), domain.ErrDuplicateEntry)
}
// Add default authentication if missing
if len(user.Authentications) == 0 {
ctxUserInfo := domain.GetUserInfo(ctx)
now := time.Now()
user.Disabled = &now
user.DisabledReason = domain.DisabledReasonLdapMissing
err := m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
u.Disabled = user.Disabled
u.DisabledReason = user.DisabledReason
return u, nil
})
if err != nil {
return fmt.Errorf("disable error for user id %s: %w", user.Identifier, err)
user.Authentications = []domain.UserAuthentication{
{
BaseModel: domain.BaseModel{
CreatedBy: ctxUserInfo.UserId(),
UpdatedBy: ctxUserInfo.UserId(),
CreatedAt: now,
UpdatedAt: now,
},
UserIdentifier: user.Identifier,
Source: domain.UserSourceDatabase,
ProviderName: "",
},
}
m.bus.Publish(app.TopicUserDisabled, user)
}
return nil
if err := m.validateCreation(ctx, user); err != nil {
return nil, fmt.Errorf("creation not allowed: %w", err)
}
err = user.HashPassword()
if err != nil {
return nil, err
}
err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
return user, nil
})
if err != nil {
return nil, fmt.Errorf("creation failure: %w", err)
}
m.bus.Publish(app.TopicUserCreated, *user)
return user, nil
}
// endregion internal-modifiers

27
internal/app/webhooks/models/user.go
View File

@@ -3,6 +3,7 @@ package models
import (
"time"
"github.com/h44z/wg-portal/internal"
"github.com/h44z/wg-portal/internal/domain"
)
@@ -13,11 +14,10 @@ type User struct {
CreatedAt time.Time `json:"CreatedAt"`
UpdatedAt time.Time `json:"UpdatedAt"`
Identifier string `json:"Identifier"`
Email string `json:"Email"`
Source string `json:"Source"`
ProviderName string `json:"ProviderName"`
IsAdmin bool `json:"IsAdmin"`
Identifier string `json:"Identifier"`
Email string `json:"Email"`
AuthSources []UserAuthSource `json:"AuthSources"`
IsAdmin bool `json:"IsAdmin"`
Firstname string `json:"Firstname,omitempty"`
Lastname string `json:"Lastname,omitempty"`
@@ -31,8 +31,22 @@ type User struct {
LockedReason string `json:"LockedReason,omitempty"`
}
// UserAuthSource represents a single authentication source for a user.
// For details about the fields, see the domain.UserAuthentication struct.
type UserAuthSource struct {
Source string `json:"Source"`
ProviderName string `json:"ProviderName"`
}
// NewUser creates a new User model from a domain.User
func NewUser(src domain.User) User {
authSources := internal.Map(src.Authentications, func(authentication domain.UserAuthentication) UserAuthSource {
return UserAuthSource{
Source: string(authentication.Source),
ProviderName: authentication.ProviderName,
}
})
return User{
CreatedBy: src.CreatedBy,
UpdatedBy: src.UpdatedBy,
@@ -40,8 +54,7 @@ func NewUser(src domain.User) User {
UpdatedAt: src.UpdatedAt,
Identifier: string(src.Identifier),
Email: src.Email,
Source: string(src.Source),
ProviderName: src.ProviderName,
AuthSources: authSources,
IsAdmin: src.IsAdmin,
Firstname: src.Firstname,
Lastname: src.Lastname,