fix OAuth2 user privileges
janusec2 committed Jul 9, 2023
1 parent 0d772f1 commit a1f3703
Showing 9 changed files with 102 additions and 63 deletions.
2 changes: 1 addition & 1 deletion backend/application.go
Expand Up @@ -220,7 +220,7 @@ func LoadAppDomainNames() {

// GetApplications ...
func GetApplications(authUser *models.AuthUser) ([]*models.Application, error) {
if authUser.IsAppAdmin {
if authUser.IsAppAdmin || authUser.IsSuperAdmin {
return Apps, nil
}
myApps := []*models.Application{}
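Review bot: The doc comment on GetApplications is still the placeholder `// GetApplications ...`, so the authorization rule that the changed `if` line now encodes is not stated anywhere a reader would look. A comment such as `// GetApplications returns every application when authUser is an app admin or a super admin; for other users it falls through to the per-user list started in myApps.` would document it, with the per-user part hedged because the body continues past the hunk. Nothing in the visible lines guards against a nil authUser; if any caller can pass one, the first `if` dereferences it, so either the contract should say authUser must be non-nil or a guard belongs at the top.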
1 change: 1 addition & 0 deletions data/backend_appuser.go
Expand Up @@ -86,6 +86,7 @@ func (dal *MyDAL) SelectAppUserByName(username string) *models.AppUser {
&appUser.NeedModifyPWD)
if err != nil {
utils.DebugPrintln("SelectAppUserByName", err)
return nil
}
return appUser
}
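Review bot: The added `return nil` makes a failed lookup indistinguishable from "no user with this name", and the SSO callbacks in this same commit treat nil as "not found" and go on to insert a new row, so a transient database error during the lookup now turns into an insert attempt instead of a failed login. If `err` here comes from a row scan (the function start is outside the hunk, so this is inferred), only the no-rows case should map to nil, e.g. `if !errors.Is(err, sql.ErrNoRows) { utils.DebugPrintln("SelectAppUserByName", err) }` followed by `return nil`, provided the package already imports database/sql and errors; otherwise the function's doc comment should at least state the contract: `// SelectAppUserByName returns nil both when no user has that name and when the lookup itself fails; callers must not treat nil as proof of absence.`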
26 changes: 16 additions & 10 deletions usermgmt/ldap.go
Expand Up @@ -139,21 +139,27 @@ func LDAPAuthFunc(w http.ResponseWriter, r *http.Request) {
}
// Janusec admin user
if state == "admin" {
// Insert into db if not existed
id, err := data.DAL.InsertIfNotExistsAppUser(username, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
appUser := data.DAL.SelectAppUserByName(username)
var userID int64
if appUser == nil {
// Insert into db if not existed
userID, err = data.DAL.InsertIfNotExistsAppUser(username, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
}
} else {
userID = appUser.ID
}
// create session
authUser := &models.AuthUser{
UserID: id,
UserID: userID,
Username: username,
Logged: true,
IsSuperAdmin: false,
IsCertAdmin: false,
IsAppAdmin: false,
IsSuperAdmin: appUser.IsSuperAdmin,
IsCertAdmin: appUser.IsCertAdmin,
IsAppAdmin: appUser.IsAppAdmin,
NeedModifyPWD: false}
session, _ := store.Get(r, "sessionid")
session.Values["authuser"] = authUser
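Review bot: In the `appUser == nil` branch appUser is never assigned after the insert, yet the session literal reads `appUser.IsSuperAdmin`, `appUser.IsCertAdmin` and `appUser.IsAppAdmin`, so the first SSO login of an admin who has no row yet dereferences a nil pointer and the handler panics (net/http recovers it, but the login never completes). After the insert's error check, assign the freshly created record, e.g. `appUser = &models.AppUser{ID: userID}`, so the privilege fields read as false for a new user; `userID` can then be dropped in favour of `appUser.ID`. The same branch structure is repeated in oauth_cas2.go, oauth_dingtalk.go, oauth_feishu.go, oauth_lark.go and oauth_wxwork.go and needs the same one-line fix in each. LDAPAuthFunc starts before the hunk and continues after it.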
27 changes: 16 additions & 11 deletions usermgmt/oauth_cas2.go
Expand Up @@ -68,22 +68,27 @@ func CAS2CallbackWithCode(w http.ResponseWriter, r *http.Request) {
casUser := casServiceResponse.AuthenticationSuccess.CASUser

if state == "admin" {
// To do: for janusec-admin
// Insert into db if not existed
id, err := data.DAL.InsertIfNotExistsAppUser(casUser, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
appUser := data.DAL.SelectAppUserByName(casUser)
var userID int64
if appUser == nil {
// Insert into db if not existed
userID, err = data.DAL.InsertIfNotExistsAppUser(casUser, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
}
} else {
userID = appUser.ID
}
// create session
authUser := &models.AuthUser{
UserID: id,
UserID: userID,
Username: casUser,
Logged: true,
IsSuperAdmin: false,
IsCertAdmin: false,
IsAppAdmin: false,
IsSuperAdmin: appUser.IsSuperAdmin,
IsCertAdmin: appUser.IsCertAdmin,
IsAppAdmin: appUser.IsAppAdmin,
NeedModifyPWD: false}
session, _ := store.Get(r, "sessionid")
session.Values["authuser"] = authUser
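Review bot: When the insert fails, `w.Write([]byte("Error: " + err.Error()))` sends the raw storage error text to the browser under a 403; a database failure is not a permission problem, and a driver message can expose table or column names to an unauthenticated caller. Log the error server-side (other files in this commit use utils.DebugPrintln for that, if it is available here) and reply with a fixed body and the right status: `w.WriteHeader(http.StatusInternalServerError)` and `w.Write([]byte("Error: internal error"))`. The identical pattern is in ldap.go, oauth_dingtalk.go, oauth_feishu.go, oauth_lark.go and oauth_wxwork.go. CAS2CallbackWithCode starts before the hunk and continues after it.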
26 changes: 16 additions & 10 deletions usermgmt/oauth_dingtalk.go
Expand Up @@ -82,21 +82,27 @@ func DingtalkCallbackWithCode(w http.ResponseWriter, r *http.Request) {
}
dingtalkUser := dingtalkResponse.UserInfo
if state == "admin" {
// Insert into db if not existed
id, err := data.DAL.InsertIfNotExistsAppUser(dingtalkUser.Nick, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
appUser := data.DAL.SelectAppUserByName(dingtalkUser.Nick)
var userID int64
if appUser == nil {
// Insert into db if not existed
userID, err = data.DAL.InsertIfNotExistsAppUser(dingtalkUser.Nick, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
}
} else {
userID = appUser.ID
}
// create session
authUser := &models.AuthUser{
UserID: id,
UserID: userID,
Username: dingtalkUser.Nick,
Logged: true,
IsSuperAdmin: false,
IsCertAdmin: false,
IsAppAdmin: false,
IsSuperAdmin: appUser.IsSuperAdmin,
IsCertAdmin: appUser.IsCertAdmin,
IsAppAdmin: appUser.IsAppAdmin,
NeedModifyPWD: false}
session, _ := store.Get(r, "sessionid")
session.Values["authuser"] = authUser
26 changes: 16 additions & 10 deletions usermgmt/oauth_feishu.go
Expand Up @@ -97,21 +97,27 @@ func FeishuCallbackWithCode(w http.ResponseWriter, r *http.Request) {
utils.DebugPrintln("FeishuCallbackWithCode json.Unmarshal error", err)
}
if state == "admin" {
// Insert into db if not existed
id, err := data.DAL.InsertIfNotExistsAppUser(feishuUser.Data.EnName, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
appUser := data.DAL.SelectAppUserByName(feishuUser.Data.EnName)
var userID int64
if appUser == nil {
// Insert into db if not existed
userID, err = data.DAL.InsertIfNotExistsAppUser(feishuUser.Data.EnName, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
}
} else {
userID = appUser.ID
}
// create session
authUser := &models.AuthUser{
UserID: id,
UserID: userID,
Username: feishuUser.Data.EnName,
Logged: true,
IsSuperAdmin: false,
IsCertAdmin: false,
IsAppAdmin: false,
IsSuperAdmin: appUser.IsSuperAdmin,
IsCertAdmin: appUser.IsCertAdmin,
IsAppAdmin: appUser.IsAppAdmin,
NeedModifyPWD: false}
session, _ := store.Get(r, "sessionid")
session.Values["authuser"] = authUser
26 changes: 16 additions & 10 deletions usermgmt/oauth_lark.go
Expand Up @@ -103,21 +103,27 @@ func LarkCallbackWithCode(w http.ResponseWriter, r *http.Request) {
utils.DebugPrintln("LarkCallbackWithCode json.Unmarshal error", err)
}
if state == "admin" {
// Insert into db if not existed
id, err := data.DAL.InsertIfNotExistsAppUser(larkUser.Data.EnName, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
appUser := data.DAL.SelectAppUserByName(larkUser.Data.EnName)
var userID int64
if appUser == nil {
// Insert into db if not existed
userID, err = data.DAL.InsertIfNotExistsAppUser(larkUser.Data.EnName, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
}
} else {
userID = appUser.ID
}
// create session
authUser := &models.AuthUser{
UserID: id,
UserID: userID,
Username: larkUser.Data.EnName,
Logged: true,
IsSuperAdmin: false,
IsCertAdmin: false,
IsAppAdmin: false,
IsSuperAdmin: appUser.IsSuperAdmin,
IsCertAdmin: appUser.IsCertAdmin,
IsAppAdmin: appUser.IsAppAdmin,
NeedModifyPWD: false}
session, _ := store.Get(r, "sessionid")
session.Values["authuser"] = authUser
26 changes: 16 additions & 10 deletions usermgmt/oauth_wxwork.go
Expand Up @@ -74,21 +74,27 @@ func WxworkCallbackWithCode(w http.ResponseWriter, r *http.Request) {
utils.DebugPrintln("WxworkCallbackWithCode json.Unmarshal error", err)
}
if state == "admin" {
// Insert into db if not existed
id, err := data.DAL.InsertIfNotExistsAppUser(wxworkUser.UserID, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
appUser := data.DAL.SelectAppUserByName(wxworkUser.UserID)
var userID int64
if appUser == nil {
// Insert into db if not existed
userID, err = data.DAL.InsertIfNotExistsAppUser(wxworkUser.UserID, "", "", "", false, false, false, false)
if err != nil {
w.WriteHeader(403)
w.Write([]byte("Error: " + err.Error()))
return
}
} else {
userID = appUser.ID
}
// create session
authUser := &models.AuthUser{
UserID: id,
UserID: userID,
Username: wxworkUser.UserID,
Logged: true,
IsSuperAdmin: false,
IsCertAdmin: false,
IsAppAdmin: false,
IsSuperAdmin: appUser.IsSuperAdmin,
IsCertAdmin: appUser.IsCertAdmin,
IsAppAdmin: appUser.IsAppAdmin,
NeedModifyPWD: false}
session, _ := store.Get(r, "sessionid")
session.Values["authuser"] = authUser
5 changes: 4 additions & 1 deletion usermgmt/usermgmt.go
Expand Up @@ -52,7 +52,10 @@ func Login(w http.ResponseWriter, r *http.Request, body []byte, clientIP string)
}
loginUser := apiLoginUserRequest.Object
appUser := data.DAL.SelectAppUserByName(loginUser.Username)

if appUser == nil {
// not exists
return nil, errors.New("wrong authentication credentials")
}
tmpHashpwd := data.SHA256Hash(loginUser.Password + appUser.Salt)
if tmpHashpwd != appUser.HashPwd {
return nil, errors.New("wrong authentication credentials")
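Review bot: The new nil check returns the same "wrong authentication credentials" message as a bad password, which is the right choice against username enumeration, but it returns before `data.SHA256Hash` runs while a wrong password for an existing user still pays the hash and the compare, so the two cases differ slightly in response time. For a single SHA-256 the gap is small and likely lost in network jitter; if the paths are meant to be indistinguishable, hash against a fixed dummy salt on the nil path before returning, e.g. `_ = data.SHA256Hash(loginUser.Password + dummySalt)` with dummySalt any constant string (constructed example). The comment `// not exists` would be more useful as `// unknown username: answer exactly like a wrong password so the two cases cannot be told apart`. Login starts before the hunk and continues after it.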
