mirror of
https://github.com/documize/community.git
synced 2025-07-28 01:29:43 +02:00
Capture LDAP configuration
This commit is contained in:
sauls8t
parent
fd167234ae
commit
1ce7e53398
15 changed files with 647 additions and 714 deletions
|
|
@ -14,9 +14,9 @@ package ldap
|
|||
import (
|
||||
"crypto/tls"
|
||||
// "database/sql"
|
||||
// "encoding/json"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
// "io/ioutil"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
// "sort"
|
||||
// "strings"
|
||||
|
|
@ -24,15 +24,15 @@ import (
|
|||
"github.com/documize/community/core/env"
|
||||
"github.com/documize/community/core/response"
|
||||
// "github.com/documize/community/core/secrets"
|
||||
// "github.com/documize/community/core/streamutil"
|
||||
"github.com/documize/community/core/streamutil"
|
||||
// "github.com/documize/community/core/stringutil"
|
||||
"github.com/documize/community/domain"
|
||||
// "github.com/documize/community/domain/auth"
|
||||
// usr "github.com/documize/community/domain/user"
|
||||
ath "github.com/documize/community/model/auth"
|
||||
lm "github.com/documize/community/model/auth"
|
||||
"github.com/documize/community/model/user"
|
||||
ld "gopkg.in/ldap.v2"
|
||||
// "github.com/documize/community/model/user"
|
||||
)
|
||||
|
||||
// Handler contains the runtime information such as logging and database.
|
||||
|
|
@ -41,6 +41,70 @@ type Handler struct {
|
|||
Store *domain.Store
|
||||
}
|
||||
|
||||
// Preview connects to LDAP using paylaod and returns
|
||||
// first 100 users for.
|
||||
// and marks Keycloak disabled users as inactive.
|
||||
func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
|
||||
h.Runtime.Log.Info("Sync'ing with LDAP")
|
||||
|
||||
ctx := domain.GetRequestContext(r)
|
||||
if !ctx.Administrator {
|
||||
response.WriteForbiddenError(w)
|
||||
return
|
||||
}
|
||||
|
||||
var result struct {
|
||||
Message string `json:"message"`
|
||||
IsError bool `json:"isError"`
|
||||
Users []user.User `json:"users"`
|
||||
}
|
||||
|
||||
// Read the request.
|
||||
defer streamutil.Close(r.Body)
|
||||
body, err := ioutil.ReadAll(r.Body)
|
||||
if err != nil {
|
||||
result.Message = "Error: unable read request body"
|
||||
result.IsError = true
|
||||
response.WriteJSON(w, result)
|
||||
h.Runtime.Log.Error(result.Message, err)
|
||||
return
|
||||
}
|
||||
|
||||
// Decode LDAP config.
|
||||
c := lm.LDAPConfig{}
|
||||
err = json.Unmarshal(body, &c)
|
||||
if err != nil {
|
||||
result.Message = "Error: unable read LDAP configuration payload"
|
||||
result.IsError = true
|
||||
response.WriteJSON(w, result)
|
||||
h.Runtime.Log.Error(result.Message, err)
|
||||
return
|
||||
}
|
||||
|
||||
h.Runtime.Log.Info("Fetching LDAP users")
|
||||
|
||||
users, err := fetchUsers(c)
|
||||
if err != nil {
|
||||
result.Message = "Error: unable fetch users from LDAP"
|
||||
result.IsError = true
|
||||
response.WriteJSON(w, result)
|
||||
h.Runtime.Log.Error(result.Message, err)
|
||||
return
|
||||
}
|
||||
|
||||
result.IsError = false
|
||||
result.Message = fmt.Sprintf("Sync'ed with LDAP, found %d users", len(users))
|
||||
if len(users) > 100 {
|
||||
result.Users = users[:100]
|
||||
} else {
|
||||
result.Users = users
|
||||
}
|
||||
|
||||
h.Runtime.Log.Info(result.Message)
|
||||
|
||||
response.WriteJSON(w, result)
|
||||
}
|
||||
|
||||
// Sync gets list of Keycloak users and inserts new users into Documize
|
||||
// and marks Keycloak disabled users as inactive.
|
||||
func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
|
||||
|
|
@ -233,145 +297,145 @@ func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
// Authenticate checks Keycloak authentication credentials.
|
||||
// func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
|
||||
// method := "authenticate"
|
||||
// ctx := domain.GetRequestContext(r)
|
||||
func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
|
||||
// method := "authenticate"
|
||||
// ctx := domain.GetRequestContext(r)
|
||||
|
||||
// defer streamutil.Close(r.Body)
|
||||
// body, err := ioutil.ReadAll(r.Body)
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, "Bad payload")
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// defer streamutil.Close(r.Body)
|
||||
// body, err := ioutil.ReadAll(r.Body)
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, "Bad payload")
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
|
||||
// a := ath.KeycloakAuthRequest{}
|
||||
// err = json.Unmarshal(body, &a)
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, err.Error())
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// a := ath.KeycloakAuthRequest{}
|
||||
// err = json.Unmarshal(body, &a)
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, err.Error())
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
|
||||
// a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
|
||||
// a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
|
||||
// a.Email = strings.TrimSpace(strings.ToLower(a.Email))
|
||||
// a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
|
||||
// a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
|
||||
// a.Email = strings.TrimSpace(strings.ToLower(a.Email))
|
||||
|
||||
// // Check for required fields.
|
||||
// if len(a.Email) == 0 {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// return
|
||||
// }
|
||||
// // Check for required fields.
|
||||
// if len(a.Email) == 0 {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// return
|
||||
// }
|
||||
|
||||
// org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
|
||||
// if err != nil {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
|
||||
// if err != nil {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
|
||||
// ctx.OrgID = org.RefID
|
||||
// ctx.OrgID = org.RefID
|
||||
|
||||
// // Fetch Keycloak auth provider config
|
||||
// ac := ath.KeycloakConfig{}
|
||||
// err = json.Unmarshal([]byte(org.AuthConfig), &ac)
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// // Fetch Keycloak auth provider config
|
||||
// ac := ath.KeycloakConfig{}
|
||||
// err = json.Unmarshal([]byte(org.AuthConfig), &ac)
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
|
||||
// // Decode and prepare RSA Public Key used by keycloak to sign JWT.
|
||||
// pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// pk := string(pkb)
|
||||
// pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
|
||||
// // Decode and prepare RSA Public Key used by keycloak to sign JWT.
|
||||
// pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// pk := string(pkb)
|
||||
// pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
|
||||
|
||||
// // Decode and verify Keycloak JWT
|
||||
// claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, err.Error())
|
||||
// h.Runtime.Log.Info("decodeKeycloakJWT failed")
|
||||
// return
|
||||
// }
|
||||
// // Decode and verify Keycloak JWT
|
||||
// claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
|
||||
// if err != nil {
|
||||
// response.WriteBadRequestError(w, method, err.Error())
|
||||
// h.Runtime.Log.Info("decodeKeycloakJWT failed")
|
||||
// return
|
||||
// }
|
||||
|
||||
// // Compare the contents from JWT with what we have.
|
||||
// // Guards against MITM token tampering.
|
||||
// if a.Email != claims["email"].(string) {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// h.Runtime.Log.Info(">> Start Keycloak debug")
|
||||
// h.Runtime.Log.Info(a.Email)
|
||||
// h.Runtime.Log.Info(claims["email"].(string))
|
||||
// h.Runtime.Log.Info(">> End Keycloak debug")
|
||||
// return
|
||||
// }
|
||||
// // Compare the contents from JWT with what we have.
|
||||
// // Guards against MITM token tampering.
|
||||
// if a.Email != claims["email"].(string) {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// h.Runtime.Log.Info(">> Start Keycloak debug")
|
||||
// h.Runtime.Log.Info(a.Email)
|
||||
// h.Runtime.Log.Info(claims["email"].(string))
|
||||
// h.Runtime.Log.Info(">> End Keycloak debug")
|
||||
// return
|
||||
// }
|
||||
|
||||
// h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
|
||||
// h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
|
||||
|
||||
// u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
|
||||
// if err != nil && err != sql.ErrNoRows {
|
||||
// response.WriteServerError(w, method, err)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
|
||||
// if err != nil && err != sql.ErrNoRows {
|
||||
// response.WriteServerError(w, method, err)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
|
||||
// // Create user account if not found
|
||||
// if err == sql.ErrNoRows {
|
||||
// h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
|
||||
// // Create user account if not found
|
||||
// if err == sql.ErrNoRows {
|
||||
// h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
|
||||
|
||||
// u = user.User{}
|
||||
// u.Firstname = a.Firstname
|
||||
// u.Lastname = a.Lastname
|
||||
// u.Email = a.Email
|
||||
// u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
|
||||
// u.Salt = secrets.GenerateSalt()
|
||||
// u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
|
||||
// u = user.User{}
|
||||
// u.Firstname = a.Firstname
|
||||
// u.Lastname = a.Lastname
|
||||
// u.Email = a.Email
|
||||
// u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
|
||||
// u.Salt = secrets.GenerateSalt()
|
||||
// u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
|
||||
|
||||
// err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
|
||||
// if err != nil {
|
||||
// response.WriteServerError(w, method, err)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// }
|
||||
// err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
|
||||
// if err != nil {
|
||||
// response.WriteServerError(w, method, err)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// }
|
||||
|
||||
// // Password correct and active user
|
||||
// if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// return
|
||||
// }
|
||||
// // Password correct and active user
|
||||
// if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// return
|
||||
// }
|
||||
|
||||
// // Attach user accounts and work out permissions.
|
||||
// usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
|
||||
// // Attach user accounts and work out permissions.
|
||||
// usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
|
||||
|
||||
// // No accounts signals data integrity problem
|
||||
// // so we reject login request.
|
||||
// if len(u.Accounts) == 0 {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// // No accounts signals data integrity problem
|
||||
// // so we reject login request.
|
||||
// if len(u.Accounts) == 0 {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
|
||||
// // Abort login request if account is disabled.
|
||||
// for _, ac := range u.Accounts {
|
||||
// if ac.OrgID == org.RefID {
|
||||
// if ac.Active == false {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// break
|
||||
// }
|
||||
// }
|
||||
// // Abort login request if account is disabled.
|
||||
// for _, ac := range u.Accounts {
|
||||
// if ac.OrgID == org.RefID {
|
||||
// if ac.Active == false {
|
||||
// response.WriteUnauthorizedError(w)
|
||||
// h.Runtime.Log.Error(method, err)
|
||||
// return
|
||||
// }
|
||||
// break
|
||||
// }
|
||||
// }
|
||||
|
||||
// // Generate JWT token
|
||||
// authModel := ath.AuthenticationModel{}
|
||||
// authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
|
||||
// authModel.User = u
|
||||
// // Generate JWT token
|
||||
// authModel := ath.AuthenticationModel{}
|
||||
// authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
|
||||
// authModel.User = u
|
||||
|
||||
// response.WriteJSON(w, authModel)
|
||||
// }
|
||||
// response.WriteJSON(w, authModel)
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue