2018-02-24 04:26:38 +00:00
|
|
|
package security
|
|
|
|
|
|
|
|
import (
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/cuigh/auxo/cache"
|
|
|
|
"github.com/cuigh/auxo/log"
|
|
|
|
"github.com/cuigh/auxo/net/web"
|
|
|
|
"github.com/cuigh/auxo/security"
|
|
|
|
"github.com/cuigh/auxo/security/certify"
|
|
|
|
"github.com/cuigh/auxo/security/certify/ldap"
|
|
|
|
"github.com/cuigh/auxo/security/passwd"
|
|
|
|
"github.com/cuigh/swirl/biz"
|
|
|
|
"github.com/cuigh/swirl/model"
|
|
|
|
)
|
|
|
|
|
|
|
|
const pkgName = "swirl.security"
|
|
|
|
|
|
|
|
// Validator is the authenticator function of swirl.
|
|
|
|
func Validator(setting *model.Setting) func(name, pwd string) (ticket string, err error) {
|
|
|
|
ldapRealm := createLDAPRealm(setting)
|
|
|
|
return func(name, pwd string) (ticket string, err error) {
|
|
|
|
var (
|
|
|
|
su security.User
|
|
|
|
mu *model.User
|
|
|
|
)
|
|
|
|
|
|
|
|
// try find user first
|
|
|
|
mu, err = biz.User.GetByName(name)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2018-12-04 06:12:56 +00:00
|
|
|
if mu != nil && mu.Status == model.UserStatusBlocked {
|
|
|
|
return "", certify.ErrAccountDisabled
|
|
|
|
}
|
|
|
|
|
2018-02-24 04:26:38 +00:00
|
|
|
if mu != nil && mu.Type == model.UserTypeInternal { // internal user
|
|
|
|
if !passwd.Validate(pwd, mu.Password, mu.Salt) {
|
|
|
|
err = certify.ErrInvalidToken
|
|
|
|
}
|
|
|
|
} else if ldapRealm != nil { // user not exist or ldap user
|
|
|
|
su, err = ldapRealm.Login(certify.NewSimpleToken(name, pwd))
|
|
|
|
if err == nil && mu == nil { // create user if not exists
|
|
|
|
lu := su.(*ldap.User)
|
|
|
|
mu = &model.User{
|
|
|
|
Type: model.UserTypeLDAP,
|
|
|
|
LoginName: lu.LoginName(),
|
|
|
|
Name: lu.Name(),
|
|
|
|
Email: lu.Email(),
|
|
|
|
}
|
|
|
|
err = biz.User.Create(mu, nil)
|
|
|
|
}
|
2018-05-04 06:15:28 +00:00
|
|
|
} else {
|
|
|
|
err = certify.ErrInvalidToken
|
2018-02-24 04:26:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// replace user session, one session is allowed per user.
|
|
|
|
if err == nil {
|
|
|
|
ticket, err = biz.User.UpdateSession(mu.ID)
|
|
|
|
}
|
|
|
|
|
|
|
|
// create event
|
|
|
|
if err == nil {
|
|
|
|
biz.Event.CreateAuthentication(model.EventActionLogin, mu.ID, mu.LoginName, mu.Name)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func createLDAPRealm(setting *model.Setting) certify.Realm {
|
|
|
|
if setting.LDAP.Enabled {
|
|
|
|
opts := []ldap.Option{
|
|
|
|
ldap.NameAttr(setting.LDAP.NameAttr),
|
|
|
|
ldap.EmailAttr(setting.LDAP.EmailAttr),
|
|
|
|
ldap.UserFilter(setting.LDAP.UserFilter),
|
|
|
|
ldap.Security(ldap.SecurityPolicy(setting.LDAP.Security)),
|
|
|
|
}
|
|
|
|
if setting.LDAP.Authentication == 1 {
|
|
|
|
opts = append(opts, ldap.Binding(setting.LDAP.BindDN, setting.LDAP.BindPassword))
|
|
|
|
}
|
|
|
|
return ldap.New(setting.LDAP.Address, setting.LDAP.BaseDN, setting.LDAP.UserDN, opts...)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Identifier is used to identity user.
|
|
|
|
func Identifier(token string) (user web.User) {
|
|
|
|
const cacheKey = "auth_user"
|
|
|
|
|
|
|
|
session, err := biz.User.GetSession(token)
|
|
|
|
if err != nil {
|
|
|
|
log.Get(pkgName).Errorf("Load session failed: %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if session == nil || session.Expires.Before(time.Now()) {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// try find from cache first
|
|
|
|
value := cache.Get(cacheKey, session.UserID)
|
|
|
|
if !value.IsNil() {
|
|
|
|
user = &model.AuthUser{}
|
|
|
|
if err = value.Scan(user); err == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
log.Get(pkgName).Warnf("Load auth user from cache failed: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
u, err := biz.User.GetByID(session.UserID)
|
|
|
|
if err != nil {
|
|
|
|
log.Get(pkgName).Errorf("Load user failed: %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if u == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var roles []*model.Role
|
|
|
|
if roles, err = getRoles(u); err == nil {
|
|
|
|
user = model.NewAuthUser(u, roles)
|
|
|
|
cache.Set(user, cacheKey, session.UserID)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
func getRoles(u *model.User) (roles []*model.Role, err error) {
|
|
|
|
if len(u.Roles) > 0 {
|
|
|
|
roles = make([]*model.Role, len(u.Roles))
|
|
|
|
for i, id := range u.Roles {
|
|
|
|
roles[i], err = biz.Role.Get(id)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|