Adding LDAPS with newuser permissions OK

This commit is contained in:
Chris Mann 2023-07-23 08:22:09 +02:00
parent 00e2a57c29
commit 14a446df71
8 changed files with 149 additions and 16 deletions

4
go.mod
View file

@ -4,8 +4,8 @@ go 1.18
require (
git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang v0.0.0-20230131081355-c965fe7f7dc9
github.com/emersion/go-sasl v0.0.0-20191210011802-430746ea8b9b
github.com/emersion/go-smtp v0.12.1
github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
github.com/emersion/go-smtp v0.17.0
github.com/go-ldap/ldap/v3 v3.1.6
github.com/google/uuid v1.1.1
github.com/gorilla/mux v1.7.3

4
go.sum
View file

@ -48,8 +48,12 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn
github.com/emersion/go-sasl v0.0.0-20190817083125-240c8404624e/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k=
github.com/emersion/go-sasl v0.0.0-20191210011802-430746ea8b9b h1:uhWtEWBHgop1rqEk2klKaxPAkVDCXexai6hSuRQ7Nvs=
github.com/emersion/go-sasl v0.0.0-20191210011802-430746ea8b9b/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k=
github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 h1:OJyUGMJTzHTd1XQp98QTaHernxMYzRaOasRir9hUlFQ=
github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
github.com/emersion/go-smtp v0.12.1 h1:1R8BDqrR2HhlGwgFYcOi+BVTvK1bMjAB65QcVpJ5sNA=
github.com/emersion/go-smtp v0.12.1/go.mod h1:SD9V/xa4ndMw77lR3Mf7htkp8RBNYuPh9UeuBs9tpUQ=
github.com/emersion/go-smtp v0.17.0 h1:tq90evlrcyqRfE6DSXaWVH54oX6OuZOQECEmhWBMEtI=
github.com/emersion/go-smtp v0.17.0/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=

67
gpas.go Normal file
View file

@ -0,0 +1,67 @@
/*
gpas is GVoisin password reset
*/
package main
import (
"bytes"
"errors"
"fmt"
"html/template"
"log"
"github.com/emersion/go-sasl"
"github.com/emersion/go-smtp"
"github.com/go-ldap/ldap/v3"
// "strings"
)
// var EMAIL_REGEXP := regexp.MustCompile("^[a-zA-Z0-9.!#$%&'*+\\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$")
func passwordLost(user User, config *ConfigFile, ldapConn *ldap.Conn) error {
if user.CN == "" && user.Mail == "" && user.OtherMailbox == "" {
return errors.New("Il n'y a pas de quoi identifier l'utilisateur")
}
searchFilter := "(|"
if user.CN == "" {
searchFilter += "(cn=" + user.CN + ")"
}
if user.Mail == "" {
searchFilter += "(mail=" + user.Mail + ")"
}
if user.OtherMailbox == "" {
searchFilter += "(carLicense=" + user.OtherMailbox + ")"
}
searchReq := ldap.NewSearchRequest(config.UserBaseDN, ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false, "(|()()())", []string{"cn", "uid", "mail", "carLicense"}, nil)
searchRes, err := ldapConn.Search(searchReq)
err = l.Bind(config.NewUserDN, config.NewUserPassword)
if err != nil {
log.Printf(fmt.Sprintf("passwordLost : %v %v", err, l))
}
if len(searchRes.Entries) == 0 {
return errors.New("Il n'y a pas d'utilisateur qui correspond")
}
// Préparation du courriel à envoyer
code := "GPas"
templateMail := template.Must(template.ParseFiles(templatePath + "/invite_mail.txt"))
buf := bytes.NewBuffer([]byte{})
templateMail.Execute(buf, &CodeMailFields{
To: user.OtherMailbox,
From: config.MailFrom,
InviteFrom: "GPas",
Code: code,
WebBaseAddress: config.WebAddress,
})
log.Printf("Sending mail to: %s", user.OtherMailbox)
var auth sasl.Client = nil
if config.SMTPUsername != "" {
auth = sasl.NewPlainClient("", config.SMTPUsername, config.SMTPPassword)
}
err = smtp.SendMail(config.SMTPServer, auth, config.MailFrom, []string{user.OtherMailbox}, buf)
if err != nil {
return err
}
log.Printf("Mail sent.")
return nil
}

View file

@ -38,6 +38,42 @@ func checkInviterLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
// New account creation directly from interface
type LostPasswordData struct {
Username string
Mail string
OtherMailbox string
}
func handleLostPassword(w http.ResponseWriter, r *http.Request) {
templateLostPasswordPage := getTemplate("lost_password.html")
l, err := ldapOpen(w)
if err != nil {
log.Printf(fmt.Sprintf("handleLostPassword : %v %v", err, l))
}
err = l.Bind(config.NewUserDN, config.NewUserPassword)
if err != nil {
log.Printf(fmt.Sprintf("handleLostPassword : %v %v", err, l))
}
data := LostPasswordData{}
if r.Method == "POST" {
r.ParseForm()
data.Username = strings.TrimSpace(strings.Join(r.Form["username"], ""))
data.Mail = strings.TrimSpace(strings.Join(r.Form["mail"], ""))
data.OtherMailbox = strings.TrimSpace(strings.Join(r.Form["otherMailbox"], ""))
user := User{
CN: data.Username,
Mail: data.Mail,
OtherMailbox: data.OtherMailbox,
}
err = passwordLost(user, config, l)
err = l.Bind(config.NewUserDN, config.NewUserPassword)
if err != nil {
log.Printf(fmt.Sprintf("handleLostPassword : %v %v", err, l))
}
}
templateLostPasswordPage.Execute(w, data)
}
func handleInviteNewAccount(w http.ResponseWriter, r *http.Request) {
l, err := ldapOpen(w)
if err != nil {
@ -54,9 +90,9 @@ func handleInviteNewAccount(w http.ResponseWriter, r *http.Request) {
// loginInfo, err := doLogin(w, r, "testuser", config.NewUserDN, config.NewUserPassword)
if err != nil {
log.Printf(fmt.Sprintf("58: %v %v", err, l))
}
// if err != nil {
// log.Printf(fmt.Sprintf("58: %v %v", err, l))
// }
// l := ldapOpen(w)
if l == nil {
@ -129,7 +165,7 @@ type NewAccountData struct {
Surname string
Mail string
SuggestPW string
CN string
OtherEmail string
ErrorUsernameTaken bool
ErrorInvalidUsername bool
@ -156,9 +192,9 @@ func handleNewAccount(w http.ResponseWriter, r *http.Request, l *ldap.Conn, invi
newUser.GivenName = strings.TrimSpace(strings.Join(r.Form["givenname"], ""))
newUser.SN = strings.TrimSpace(strings.Join(r.Form["surname"], ""))
newUser.Mail = strings.TrimSpace(strings.Join(r.Form["mail"], ""))
newUser.UID = strings.TrimSpace(strings.Join(r.Form["username"], ""))
newUser.CN = strings.TrimSpace(strings.Join(r.Form["cn"], ""))
newUser.DN = "cn=" + strings.TrimSpace(strings.Join(r.Form["cn"], "")) + "," + config.InvitationBaseDN
newUser.UID = strings.TrimSpace(strings.Join(r.Form["otheremail"], ""))
newUser.CN = strings.TrimSpace(strings.Join(r.Form["username"], ""))
newUser.DN = "cn=" + strings.TrimSpace(strings.Join(r.Form["username"], "")) + "," + config.InvitationBaseDN
password1 := strings.Join(r.Form["password"], "")
password2 := strings.Join(r.Form["password2"], "")

View file

@ -73,8 +73,6 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
Password: login_info.Password,
}, config, l)
// err = l.Bind(login_info.DN, login_info.Password)
if err != nil {
delete(session.Values, "login_username")
delete(session.Values, "login_password")
@ -108,8 +106,6 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
CanInvite: ldapUser.CanInvite,
}
return loginStatus
/*
requestKind := "(objectClass=organizationalPerson)"
@ -196,6 +192,8 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
return loginStatus
*/
return loginStatus
}
func handleLogout(w http.ResponseWriter, r *http.Request) {
@ -304,5 +302,4 @@ func doLogin(w http.ResponseWriter, r *http.Request, username string, user_dn st
}
return &LoginInfo, nil
}

View file

@ -75,6 +75,7 @@ func main() {
r.HandleFunc("/invite/new_account", handleInviteNewAccount)
r.HandleFunc("/invite/send_code", handleInviteSendCode)
r.HandleFunc("/gpas", handleLostPassword)
r.HandleFunc("/invitation/{code}", handleInvitationCode)
r.HandleFunc("/admin/users", handleAdminUsers)

View file

@ -31,8 +31,8 @@
<input type="text" id="surname" name="surname" class="form-control" value="{{ .Surname }}" />
</div>
<div class="form-group">
<label for="cn">Email de secours:</label>
<input type="text" id="cn" name="cn" class="form-control" value="{{ .CN }}" />
<label for="otheremail">Email de secours:</label>
<input type="text" id="otheremail" name="otheremail" class="form-control" value="{{ .OtherEmail }}" />
<small class="form-text text-muted">
Le courriel de l'utilisateur.
</small>

View file

@ -0,0 +1,28 @@
<h2>G Pas</h2>
<p>Refaire son mot de passe</p>
{{if .ErrorMessage}}
<div class="alert alert-danger">Impossible
<div style="font-size: 0.8em">{{ .ErrorMessage }}</div>
</div>
{{end}}
{{if .Success}}
<div class="alert alert-success mt-4">
Email envoyé au courriel de secours.
</div>
{{end}}
<form method="POST">
<div class="form-group">
<label for="username">Identifiant :</label>
<input type="text" name="username" id="username" class="form-control" value="{{ .Username }}" />
</div>
<div class="form-group">
<label for="username">Mail (@resdigita.com) :</label>
<input type="text" name="mail" id="mail" class="form-control" value="{{ .Mail }}" />
</div>
<div class="form-group">
<label for="username">Mail de secours :</label>
<input type="text" name="othermailbox" id="othermailbox" class="form-control" value="{{ .OtherMailbox }}" />
</div>