login-validator: refactor auth methods
This commit is contained in:
parent
1d2199aaef
commit
8d4ab002d8
5 changed files with 126 additions and 91 deletions
|
|
@ -4,7 +4,6 @@ import (
|
|||
"bytes"
|
||||
"crypto/hmac"
|
||||
"crypto/sha512"
|
||||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
|
|
@ -14,21 +13,13 @@ import (
|
|||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"gopkg.in/ldap.v2"
|
||||
)
|
||||
|
||||
var loginSalt string
|
||||
|
||||
type loginChecker struct {
|
||||
students []Student
|
||||
noAuth bool
|
||||
ldapAddr string
|
||||
ldapPort int
|
||||
ldapIsTLS bool
|
||||
ldapBase string
|
||||
ldapBindUsername string
|
||||
ldapBindPassword string
|
||||
students []Student
|
||||
authMethod AuthMethod
|
||||
}
|
||||
|
||||
type loginUpload struct {
|
||||
|
|
@ -36,64 +27,6 @@ type loginUpload struct {
|
|||
Password string
|
||||
}
|
||||
|
||||
func (l loginChecker) ldapAuth(username, password string) (res bool, err error) {
|
||||
tlsCnf := tls.Config{InsecureSkipVerify: true}
|
||||
|
||||
var c *ldap.Conn
|
||||
|
||||
if l.ldapIsTLS {
|
||||
c, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort), &tlsCnf)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
} else {
|
||||
c, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort))
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
// Reconnect with TLS
|
||||
err = c.StartTLS(&tlsCnf)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
}
|
||||
defer c.Close()
|
||||
|
||||
if l.ldapBindUsername != "" {
|
||||
err = c.Bind(l.ldapBindUsername, l.ldapBindPassword)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
}
|
||||
|
||||
// Search for the given username
|
||||
searchRequest := ldap.NewSearchRequest(
|
||||
l.ldapBase,
|
||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||
fmt.Sprintf("(&(objectClass=person)(uid=%s))", username),
|
||||
[]string{"dn"},
|
||||
nil,
|
||||
)
|
||||
|
||||
sr, err := c.Search(searchRequest)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
if len(sr.Entries) != 1 {
|
||||
return false, errors.New("User does not exist or too many entries returned")
|
||||
}
|
||||
|
||||
userdn := sr.Entries[0].DN
|
||||
|
||||
err = c.Bind(userdn, password)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
||||
|
||||
func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
if addr := r.Header.Get("X-Forwarded-For"); addr != "" {
|
||||
|
|
@ -139,16 +72,14 @@ func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
if ! l.noAuth {
|
||||
if ok, err := l.ldapAuth(lu.Username, lu.Password); err != nil {
|
||||
log.Println("Unable to perform authentication for", lu.Username, ":", err, "at", r.RemoteAddr)
|
||||
http.Error(w, err.Error(), http.StatusUnauthorized)
|
||||
return
|
||||
} else if !ok {
|
||||
log.Println("Login failed:", lu.Username, "at", r.RemoteAddr)
|
||||
http.Error(w, "Invalid password", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
if ok, err := l.authMethod.checkAuth(lu.Username, lu.Password); err != nil {
|
||||
log.Println("Unable to perform authentication for", lu.Username, ":", err, "at", r.RemoteAddr)
|
||||
http.Error(w, err.Error(), http.StatusUnauthorized)
|
||||
return
|
||||
} else if !ok {
|
||||
log.Println("Login failed:", lu.Username, "at", r.RemoteAddr)
|
||||
http.Error(w, "Invalid password", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
// Find corresponding MAC
|
||||
|
|
|
|||
Reference in a new issue