Docker/documize
Docker/documize
1
0
Fork 0
mirror of https://github.com/documize/community.git synced 2025-08-02 20:15:26 +02:00
Code Releases Activity

PRovide LDAP sync and authentication

Browse source
This commit is contained in:
sauls8t 2018-09-04 17:19:26 +01:00
parent 63b17f9b88
commit 074eea3aeb
38 changed files with 567 additions and 499 deletions
Download patch file Download diff file Expand all files Collapse all files

90
domain/auth/add.go Normal file
View file

@ -0,0 +1,90 @@
// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
//
// This software (Documize Community Edition) is licensed under
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
//
// You can operate outside the AGPL restrictions by purchasing
// Documize Enterprise Edition and obtaining a commercial license
// by contacting <sales@documize.com>.
//
// https://documize.com
package auth
import (
"database/sql"
"github.com/documize/community/core/env"
"github.com/documize/community/core/uniqueid"
"github.com/documize/community/domain"
usr "github.com/documize/community/domain/user"
"github.com/documize/community/model/account"
"github.com/documize/community/model/user"
)
// AddExternalUser method to setup user account in Documize using Keycloak/LDAP provided user data.
func AddExternalUser(ctx domain.RequestContext, rt *env.Runtime, store *domain.Store, u user.User, addSpace bool) (nu user.User, err error) {
// only create account if not dupe
addUser := true
addAccount := true
var userID string
userDupe, err := store.User.GetByEmail(ctx, u.Email)
if err != nil && err != sql.ErrNoRows {
return
}
if u.Email == userDupe.Email {
addUser = false
userID = userDupe.RefID
}
ctx.Transaction, err = rt.Db.Beginx()
if err != nil {
return
}
if addUser {
userID = uniqueid.Generate()
u.RefID = userID
err = store.User.Add(ctx, u)
if err != nil {
ctx.Transaction.Rollback()
return
}
} else {
usr.AttachUserAccounts(ctx, *store, ctx.OrgID, &userDupe)
for _, a := range userDupe.Accounts {
if a.OrgID == ctx.OrgID {
addAccount = false
break
}
}
}
// set up user account for the org
if addAccount {
var a account.Account
a.UserID = userID
a.OrgID = ctx.OrgID
a.Editor = addSpace
a.Admin = false
accountID := uniqueid.Generate()
a.RefID = accountID
a.Active = true
err = store.Account.Add(ctx, a)
if err != nil {
ctx.Transaction.Rollback()
return
}
}
ctx.Transaction.Commit()
nu, err = store.User.Get(ctx, userID)
return
}

4
domain/auth/keycloak/endpoint.go
View file

@ -130,7 +130,7 @@ func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
if len(u.Email) == 0 {
missing++
} else {
err = addUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace)
_, err = auth.AddExternalUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace)
}
}
@ -240,7 +240,7 @@ func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
u.Salt = secrets.GenerateSalt()
u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
u, err = auth.AddExternalUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
if err != nil {
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)

73
domain/auth/keycloak/keycloak.go
View file

@ -13,7 +13,6 @@ package keycloak
import (
"bytes"
"database/sql"
"encoding/json"
"fmt"
"io/ioutil"
@ -22,12 +21,7 @@ import (
"strconv"
"strings"
"github.com/documize/community/core/env"
"github.com/documize/community/core/stringutil"
"github.com/documize/community/core/uniqueid"
"github.com/documize/community/domain"
usr "github.com/documize/community/domain/user"
"github.com/documize/community/model/account"
"github.com/documize/community/model/auth"
"github.com/documize/community/model/user"
"github.com/pkg/errors"
@ -136,70 +130,3 @@ func Fetch(c auth.KeycloakConfig) (users []user.User, err error) {
return users, nil
}
// Helper method to setup user account in Documize using Keycloak provided user data.
func addUser(ctx domain.RequestContext, rt *env.Runtime, store *domain.Store, u user.User, addSpace bool) (err error) {
// only create account if not dupe
addUser := true
addAccount := true
var userID string
userDupe, err := store.User.GetByEmail(ctx, u.Email)
if err != nil && err != sql.ErrNoRows {
return err
}
if u.Email == userDupe.Email {
addUser = false
userID = userDupe.RefID
}
ctx.Transaction, err = rt.Db.Beginx()
if err != nil {
return err
}
if addUser {
userID = uniqueid.Generate()
u.RefID = userID
err = store.User.Add(ctx, u)
if err != nil {
ctx.Transaction.Rollback()
return err
}
} else {
usr.AttachUserAccounts(ctx, *store, ctx.OrgID, &userDupe)
for _, a := range userDupe.Accounts {
if a.OrgID == ctx.OrgID {
addAccount = false
break
}
}
}
// set up user account for the org
if addAccount {
var a account.Account
a.UserID = userID
a.OrgID = ctx.OrgID
a.Editor = addSpace
a.Admin = false
accountID := uniqueid.Generate()
a.RefID = accountID
a.Active = true
err = store.Account.Add(ctx, a)
if err != nil {
ctx.Transaction.Rollback()
return err
}
}
ctx.Transaction.Commit()
u, err = store.User.Get(ctx, userID)
return err
}

8
domain/auth/ldap/ad_test.go
View file

@ -88,16 +88,17 @@ func TestAuthenticate_PublicAD(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigPublicAD, "bob.johnson", "Pass@word1!")
user, ok, err := authenticate(l, testConfigPublicAD, "bob.johnson", "Pass@word1!")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if !ok {
t.Error("failed LDAP authentication")
return
}
t.Log("Authenticated")
t.Log("Authenticated", user.Email)
}
func TestNotAuthenticate_PublicAD(t *testing.T) {
@ -108,13 +109,14 @@ func TestNotAuthenticate_PublicAD(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigPublicAD, "junk", "junk")
_, ok, err := authenticate(l, testConfigPublicAD, "junk", "junk")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if ok {
t.Error("incorrect LDAP authentication")
return
}
t.Log("Not authenticated")

507
domain/auth/ldap/endpoint.go
View file

@ -12,27 +12,24 @@
package ldap
import (
"crypto/tls"
// "database/sql"
"database/sql"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
// "sort"
// "strings"
"sort"
"strings"
"github.com/documize/community/core/env"
"github.com/documize/community/core/response"
// "github.com/documize/community/core/secrets"
"github.com/documize/community/core/secrets"
"github.com/documize/community/core/streamutil"
// "github.com/documize/community/core/stringutil"
"github.com/documize/community/domain"
// "github.com/documize/community/domain/auth"
// usr "github.com/documize/community/domain/user"
"github.com/documize/community/domain/auth"
usr "github.com/documize/community/domain/user"
ath "github.com/documize/community/model/auth"
lm "github.com/documize/community/model/auth"
"github.com/documize/community/model/user"
ld "gopkg.in/ldap.v2"
)
// Handler contains the runtime information such as logging and database.
@ -41,9 +38,7 @@ type Handler struct {
Store *domain.Store
}
// Preview connects to LDAP using paylaod and returns
// first 100 users for.
// and marks Keycloak disabled users as inactive.
// Preview connects to LDAP using paylaod and returns first 50 users.
func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
h.Runtime.Log.Info("Sync'ing with LDAP")
@ -57,6 +52,7 @@ func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
Message string `json:"message"`
IsError bool `json:"isError"`
Users []user.User `json:"users"`
Count int `json:"count"`
}
result.Users = []user.User{}
@ -95,10 +91,12 @@ func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
result.IsError = false
result.Message = fmt.Sprintf("Sync'ed with LDAP, found %d users", len(users))
if len(users) > 100 {
result.Users = users[:100]
} else {
result.Users = users
result.Count = len(users)
result.Users = users
// Preview does not require more than 50 users.
if len(users) > 50 {
result.Users = users[:50]
}
h.Runtime.Log.Info(result.Message)
@ -133,310 +131,219 @@ func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
// Exit if not using LDAP
if org.AuthProvider != ath.AuthProviderLDAP {
// result.Message = "Error: skipping user sync with LDAP as it is not the configured option"
// result.IsError = true
// response.WriteJSON(w, result)
// h.Runtime.Log.Info(result.Message)
// return
result.Message = "Error: skipping user sync with LDAP as it is not the configured option"
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Info(result.Message)
return
}
// Make Keycloak auth provider config
// Get auth provider config
c := lm.LDAPConfig{}
// err = json.Unmarshal([]byte(org.AuthConfig), &c)
// if err != nil {
// result.Message = "Error: unable read LDAP configuration data"
// result.IsError = true
// response.WriteJSON(w, result)
// h.Runtime.Log.Error(result.Message, err)
// return
// }
c.ServerHost = "ldap.forumsys.com"
c.ServerPort = 389
c.EncryptionType = "none"
c.BaseDN = "dc=example,dc=com"
c.BindDN = "cn=read-only-admin,dc=example,dc=com"
c.BindPassword = "password"
c.UserFilter = ""
c.GroupFilter = ""
c.DisableLogout = false
c.DefaultPermissionAddSpace = false
address := fmt.Sprintf("%s:%d", c.ServerHost, c.ServerPort)
h.Runtime.Log.Info("Connecting to LDAP server")
l, err := ld.Dial("tcp", address)
err = json.Unmarshal([]byte(org.AuthConfig), &c)
if err != nil {
result.Message = "Error: unable to dial LDAP server: " + err.Error()
result.Message = "Error: unable read LDAP configuration data"
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
// Get user list from LDAP.
ldapUsers, err := fetchUsers(c)
if err != nil {
result.Message = "Error: unable to fetch LDAP users: " + err.Error()
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
// Get user list from Documize
dmzUsers, err := h.Store.User.GetUsersForOrganization(ctx, "", 99999)
if err != nil {
result.Message = "Error: unable to fetch Documize users"
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
sort.Slice(ldapUsers, func(i, j int) bool { return ldapUsers[i].Email < ldapUsers[j].Email })
sort.Slice(dmzUsers, func(i, j int) bool { return dmzUsers[i].Email < dmzUsers[j].Email })
insert := []user.User{}
for _, k := range ldapUsers {
exists := false
for _, d := range dmzUsers {
if k.Email == d.Email {
exists = true
}
}
if !exists {
insert = append(insert, k)
}
}
// Track the number of LDAP users with missing data.
missing := 0
// Insert new users into Documize
for _, u := range insert {
if len(u.Email) == 0 {
missing++
} else {
_, err = auth.AddExternalUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace)
}
}
result.IsError = false
result.Message = "Sync complete with LDAP server"
result.Message = fmt.Sprintf(
"LDAP sync found %d users, %d new users added, %d users with missing data ignored",
len(ldapUsers), len(insert), missing)
h.Runtime.Log.Info(result.Message)
response.WriteJSON(w, result)
}
// Authenticate checks LDAP authentication credentials.
func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
method := "ldap.authenticate"
ctx := domain.GetRequestContext(r)
// check for http header
authHeader := r.Header.Get("Authorization")
if len(authHeader) == 0 {
response.WriteBadRequestError(w, method, "Missing Authorization header")
return
}
// decode what we received
data := strings.Replace(authHeader, "Basic ", "", 1)
decodedBytes, err := secrets.DecodeBase64([]byte(data))
if err != nil {
response.WriteBadRequestError(w, method, "Unable to decode authentication token")
h.Runtime.Log.Error("decode auth header", err)
return
}
decoded := string(decodedBytes)
// check that we have domain:username:password (but allow for : in password field!)
credentials := strings.SplitN(decoded, ":", 3)
if len(credentials) != 3 {
response.WriteBadRequestError(w, method, "Bad authentication token, expecting domain:username:password")
h.Runtime.Log.Error("bad auth token", err)
return
}
dom := strings.TrimSpace(strings.ToLower(credentials[0]))
username := strings.TrimSpace(strings.ToLower(credentials[1]))
password := credentials[2]
// Check for required fields.
if len(username) == 0 || len(password) == 0 {
response.WriteUnauthorizedError(w)
return
}
dom = h.Store.Organization.CheckDomain(ctx, dom) // TODO optimize by removing this once js allows empty domains
h.Runtime.Log.Info("LDAP login request " + username + " @ " + dom)
// Get the org and it's associated LDAP config.
org, err := h.Store.Organization.GetOrganizationByDomain(dom)
if err != nil {
response.WriteUnauthorizedError(w)
h.Runtime.Log.Error("bad auth organization", err)
return
}
lc := lm.LDAPConfig{}
err = json.Unmarshal([]byte(org.AuthConfig), &lc)
if err != nil {
response.WriteBadRequestError(w, method, "unable to read LDAP config during authorization")
h.Runtime.Log.Error(method, err)
return
}
ctx.OrgID = org.RefID
l, err := connect(lc)
if err != nil {
response.WriteBadRequestError(w, method, "unable to dial LDAP server")
h.Runtime.Log.Error(method, err)
return
}
defer l.Close()
if c.EncryptionType == "starttls" {
h.Runtime.Log.Info("Using StartTLS with LDAP server")
err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
lu, ok, err := authenticate(l, lc, username, password)
if err != nil {
response.WriteBadRequestError(w, method, "error during LDAP authentication")
h.Runtime.Log.Error(method, err)
return
}
if !ok {
response.WriteUnauthorizedError(w)
return
}
h.Runtime.Log.Info("LDAP logon completed " + lu.Email)
u, err := h.Store.User.GetByDomain(ctx, dom, lu.Email)
if err != nil && err != sql.ErrNoRows {
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)
return
}
// Create user account if not found
if err == sql.ErrNoRows {
h.Runtime.Log.Info("Adding new LDAP user " + lu.Email + " @ " + dom)
u = convertUser(lc, lu)
u.Salt = secrets.GenerateSalt()
u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
u, err = auth.AddExternalUser(ctx, h.Runtime, h.Store, u, lc.DefaultPermissionAddSpace)
if err != nil {
result.Message = "Error: unable to startTLS with LDAP server: " + err.Error()
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)
return
}
}
// Authenticate with LDAP server using admin credentials.
h.Runtime.Log.Info("Binding LDAP admin user")
err = l.Bind(c.BindDN, c.BindPassword)
if err != nil {
result.Message = "Error: unable to bind specified admin user to LDAP: " + err.Error()
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
// Attach user accounts and work out permissions.
usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
// No accounts signals data integrity problem
// so we reject login request.
if len(u.Accounts) == 0 {
response.WriteUnauthorizedError(w)
h.Runtime.Log.Error(method, err)
return
}
// Get users from LDAP server by using filter
filter := ""
attrs := []string{}
if len(c.GroupFilter) > 0 {
filter = fmt.Sprintf("(&(objectClass=group)(cn=%s))", c.GroupFilter)
attrs = []string{"cn"}
} else {
filter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
attrs = []string{"dn", "cn", "givenName", "sn", "mail", "uid"}
// Abort login request if account is disabled.
for _, ac := range u.Accounts {
if ac.OrgID == org.RefID {
if ac.Active == false {
response.WriteUnauthorizedError(w)
h.Runtime.Log.Error(method, err)
return
}
break
}
}
searchRequest := ld.NewSearchRequest(
c.BaseDN,
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
filter,
attrs,
nil,
)
// Generate JWT token
authModel := ath.AuthenticationModel{}
authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, dom)
authModel.User = u
sr, err := l.Search(searchRequest)
if err != nil {
result.Message = "Error: unable to bind specified admin user to LDAP: " + err.Error()
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
fmt.Printf("entries found: %d", len(sr.Entries))
for _, entry := range sr.Entries {
fmt.Printf("[%s] %s (%s %s) @ %s\n",
entry.GetAttributeValue("uid"),
entry.GetAttributeValue("cn"),
entry.GetAttributeValue("givenName"),
entry.GetAttributeValue("sn"),
entry.GetAttributeValue("mail"))
}
// // User list from LDAP
// kcUsers, err := Fetch(c)
// if err != nil {
// result.Message = "Error: unable to fetch Keycloak users: " + err.Error()
// result.IsError = true
// response.WriteJSON(w, result)
// h.Runtime.Log.Error(result.Message, err)
// return
// }
// // User list from Documize
// dmzUsers, err := h.Store.User.GetUsersForOrganization(ctx, "", 99999)
// if err != nil {
// result.Message = "Error: unable to fetch Documize users"
// result.IsError = true
// response.WriteJSON(w, result)
// h.Runtime.Log.Error(result.Message, err)
// return
// }
// sort.Slice(kcUsers, func(i, j int) bool { return kcUsers[i].Email < kcUsers[j].Email })
// sort.Slice(dmzUsers, func(i, j int) bool { return dmzUsers[i].Email < dmzUsers[j].Email })
// insert := []user.User{}
// for _, k := range kcUsers {
// exists := false
// for _, d := range dmzUsers {
// if k.Email == d.Email {
// exists = true
// }
// }
// if !exists {
// insert = append(insert, k)
// }
// }
// // Track the number of Keycloak users with missing data.
// missing := 0
// // Insert new users into Documize
// for _, u := range insert {
// if len(u.Email) == 0 {
// missing++
// } else {
// err = addUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace)
// }
// }
// result.Message = fmt.Sprintf("LDAP sync found %d users, %d new users added, %d users with missing data ignored",
// len(kcUsers), len(insert), missing)
result.IsError = false
result.Message = "Sync complete with LDAP server"
response.WriteJSON(w, result)
h.Runtime.Log.Info(result.Message)
}
// Authenticate checks Keycloak authentication credentials.
func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
// method := "authenticate"
// ctx := domain.GetRequestContext(r)
// defer streamutil.Close(r.Body)
// body, err := ioutil.ReadAll(r.Body)
// if err != nil {
// response.WriteBadRequestError(w, method, "Bad payload")
// h.Runtime.Log.Error(method, err)
// return
// }
// a := ath.KeycloakAuthRequest{}
// err = json.Unmarshal(body, &a)
// if err != nil {
// response.WriteBadRequestError(w, method, err.Error())
// h.Runtime.Log.Error(method, err)
// return
// }
// a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
// a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
// a.Email = strings.TrimSpace(strings.ToLower(a.Email))
// // Check for required fields.
// if len(a.Email) == 0 {
// response.WriteUnauthorizedError(w)
// return
// }
// org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
// if err != nil {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// ctx.OrgID = org.RefID
// // Fetch Keycloak auth provider config
// ac := ath.KeycloakConfig{}
// err = json.Unmarshal([]byte(org.AuthConfig), &ac)
// if err != nil {
// response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
// h.Runtime.Log.Error(method, err)
// return
// }
// // Decode and prepare RSA Public Key used by keycloak to sign JWT.
// pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
// if err != nil {
// response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
// h.Runtime.Log.Error(method, err)
// return
// }
// pk := string(pkb)
// pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
// // Decode and verify Keycloak JWT
// claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
// if err != nil {
// response.WriteBadRequestError(w, method, err.Error())
// h.Runtime.Log.Info("decodeKeycloakJWT failed")
// return
// }
// // Compare the contents from JWT with what we have.
// // Guards against MITM token tampering.
// if a.Email != claims["email"].(string) {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Info(">> Start Keycloak debug")
// h.Runtime.Log.Info(a.Email)
// h.Runtime.Log.Info(claims["email"].(string))
// h.Runtime.Log.Info(">> End Keycloak debug")
// return
// }
// h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
// u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
// if err != nil && err != sql.ErrNoRows {
// response.WriteServerError(w, method, err)
// h.Runtime.Log.Error(method, err)
// return
// }
// // Create user account if not found
// if err == sql.ErrNoRows {
// h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
// u = user.User{}
// u.Firstname = a.Firstname
// u.Lastname = a.Lastname
// u.Email = a.Email
// u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
// u.Salt = secrets.GenerateSalt()
// u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
// err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
// if err != nil {
// response.WriteServerError(w, method, err)
// h.Runtime.Log.Error(method, err)
// return
// }
// }
// // Password correct and active user
// if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
// response.WriteUnauthorizedError(w)
// return
// }
// // Attach user accounts and work out permissions.
// usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
// // No accounts signals data integrity problem
// // so we reject login request.
// if len(u.Accounts) == 0 {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// // Abort login request if account is disabled.
// for _, ac := range u.Accounts {
// if ac.OrgID == org.RefID {
// if ac.Active == false {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// break
// }
// }
// // Generate JWT token
// authModel := ath.AuthenticationModel{}
// authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
// authModel.User = u
// response.WriteJSON(w, authModel)
response.WriteJSON(w, authModel)
}

46
domain/auth/ldap/ldap.go
View file

@ -48,8 +48,10 @@ func connect(c lm.LDAPConfig) (l *ld.Conn, err error) {
}
// Authenticate user against LDAP provider.
func authenticate(l *ld.Conn, c lm.LDAPConfig, username, pwd string) (success bool, err error) {
func authenticate(l *ld.Conn, c lm.LDAPConfig, username, pwd string) (lu lm.LDAPUser, success bool, err error) {
success = false
err = nil
userAttrs := c.GetUserFilterAttributes()
filter := fmt.Sprintf("(%s=%s)", c.AttributeUserRDN, username)
@ -87,10 +89,13 @@ func authenticate(l *ld.Conn, c lm.LDAPConfig, username, pwd string) (success bo
// Bind as the user to verify their password
err = l.Bind(userdn, pwd)
if err != nil {
return false, nil
return
}
return true, nil
lu = extractUser(c, sr.Entries[0])
success = true
return
}
// ExecuteUserFilter returns all matching LDAP users.
@ -212,10 +217,10 @@ func extractUser(c lm.LDAPConfig, e *ld.Entry) (u lm.LDAPUser) {
}
if len(u.Firstname) == 0 {
u.Firstname = "Empty"
u.Firstname = "LDAP"
}
if len(u.Lastname) == 0 {
u.Lastname = "Empty"
u.Lastname = "User"
}
return
@ -235,25 +240,30 @@ func convertUsers(c lm.LDAPConfig, lu []lm.LDAPUser) (du []user.User) {
// skip if empty email address
add = len(i.Email) > 0
if add {
nu := user.User{}
nu.Editor = c.DefaultPermissionAddSpace
nu.Active = true
nu.Email = i.Email
nu.ViewUsers = false
nu.Analytics = false
nu.Admin = false
nu.Global = false
nu.Firstname = i.Firstname
nu.Lastname = i.Lastname
nu.Initials = stringutil.MakeInitials(i.Firstname, i.Lastname)
du = append(du, nu)
du = append(du, convertUser(c, i))
}
}
return
}
// ConvertUser turns LDAP user into Documize user.
func convertUser(c lm.LDAPConfig, lu lm.LDAPUser) (du user.User) {
du = user.User{}
du.Editor = c.DefaultPermissionAddSpace
du.Active = true
du.Email = lu.Email
du.ViewUsers = false
du.Analytics = false
du.Admin = false
du.Global = false
du.Firstname = lu.Firstname
du.Lastname = lu.Lastname
du.Initials = stringutil.MakeInitials(lu.Firstname, lu.Lastname)
return
}
// FetchUsers from LDAP server using both User and Group filters.
func fetchUsers(c lm.LDAPConfig) (du []user.User, err error) {
du = []user.User{}

8
domain/auth/ldap/local_test.go
View file

@ -104,16 +104,17 @@ func TestAuthenticate_LocalLDAP(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigLocalLDAP, "professor", "professor")
user, ok, err := authenticate(l, testConfigLocalLDAP, "professor", "professor")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if !ok {
t.Error("failed LDAP authentication")
return
}
t.Log("Authenticated")
t.Log("Authenticated", user.Email)
}
func TestNotAuthenticate_LocalLDAP(t *testing.T) {
@ -124,13 +125,14 @@ func TestNotAuthenticate_LocalLDAP(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigLocalLDAP, "junk", "junk")
_, ok, err := authenticate(l, testConfigLocalLDAP, "junk", "junk")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if ok {
t.Error("incorrect LDAP authentication")
return
}
t.Log("Not authenticated")

8
domain/auth/ldap/public_test.go
View file

@ -88,14 +88,17 @@ func TestAuthenticate_PublicLDAP(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigPublicLDAP, "newton", "password")
user, ok, err := authenticate(l, testConfigPublicLDAP, "newton", "password")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if !ok {
t.Error("failed LDAP authentication")
return
}
t.Log("Authenticated", user.Email)
}
func TestNotAuthenticate_PublicLDAP(t *testing.T) {
@ -106,13 +109,14 @@ func TestNotAuthenticate_PublicLDAP(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigPublicLDAP, "junk", "junk")
_, ok, err := authenticate(l, testConfigPublicLDAP, "junk", "junk")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if ok {
t.Error("incorrect LDAP authentication")
return
}
t.Log("Not authenticated")