From a1f3703f3f7f2457934c12c053463f939287cba3 Mon Sep 17 00:00:00 2001
From: janusec
Date: Sun, 9 Jul 2023 18:21:08 +0800
Subject: [PATCH] fix OAuth2 user privileges

---
 backend/application.go | 2 +-
 data/backend_appuser.go | 1 +
 usermgmt/ldap.go | 26 ++++++++++++++++----------
 usermgmt/oauth_cas2.go | 27 ++++++++++++++++-----------
 usermgmt/oauth_dingtalk.go | 26 ++++++++++++++++----------
 usermgmt/oauth_feishu.go | 26 ++++++++++++++++----------
 usermgmt/oauth_lark.go | 26 ++++++++++++++++----------
 usermgmt/oauth_wxwork.go | 26 ++++++++++++++++----------
 usermgmt/usermgmt.go | 5 ++++-
 9 files changed, 102 insertions(+), 63 deletions(-)

diff --git a/backend/application.go b/backend/application.go
index 302950c..0267886 100644
--- a/backend/application.go
+++ b/backend/application.go
@@ -220,7 +220,7 @@ func LoadAppDomainNames() {
 
 // GetApplications ...
 func GetApplications(authUser *models.AuthUser) ([]*models.Application, error) {
- if authUser.IsAppAdmin {
+ if authUser.IsAppAdmin || authUser.IsSuperAdmin {
 return Apps, nil
 }
 myApps := []*models.Application{}
diff --git a/data/backend_appuser.go b/data/backend_appuser.go
index 8f8d228..b8b0207 100644
--- a/data/backend_appuser.go
+++ b/data/backend_appuser.go
@@ -86,6 +86,7 @@ func (dal *MyDAL) SelectAppUserByName(username string) *models.AppUser {
 &appUser.NeedModifyPWD)
 if err != nil {
 utils.DebugPrintln("SelectAppUserByName", err)
+ return nil
 }
 return appUser
 }
diff --git a/usermgmt/ldap.go b/usermgmt/ldap.go
index b72eda5..b8083d1 100644
--- a/usermgmt/ldap.go
+++ b/usermgmt/ldap.go
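Review bot: `return nil` in SelectAppUserByName is taken for every scan error, so a database failure and a genuinely missing row now look identical to callers and the only trace is a debug log; the callers this patch adds (Login in usermgmt/usermgmt.go and the admin branches of the LDAP/OAuth callbacks) treat nil as "user does not exist", so on a transient DB error an OAuth admin login would fall into the insert path instead of failing closed. Consider letting the DAL report the failure, e.g. `func (dal *MyDAL) SelectAppUserByName(username string) (*models.AppUser, error)`, or at least return nil only for the not-found case (errors.Is against the driver's not-found sentinel, sql.ErrNoRows if this is database/sql) and propagate anything else. The query and scan that set `err` sit above this hunk, so I am inferring that `err` comes from the row scan.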
@@ -139,21 +139,27 @@ func LDAPAuthFunc(w http.ResponseWriter, r *http.Request) {
 }
 // Janusec admin user
 if state == "admin" {
- // Insert into db if not existed
- id, err := data.DAL.InsertIfNotExistsAppUser(username, "", "", "", false, false, false, false)
- if err != nil {
- w.WriteHeader(403)
- w.Write([]byte("Error: " + err.Error()))
- return
+ appUser := data.DAL.SelectAppUserByName(username)
+ var userID int64
+ if appUser == nil {
+ // Insert into db if not existed
+ userID, err = data.DAL.InsertIfNotExistsAppUser(username, "", "", "", false, false, false, false)
+ if err != nil {
+ w.WriteHeader(403)
+ w.Write([]byte("Error: " + err.Error()))
+ return
+ }
+ } else {
+ userID = appUser.ID
 }
 // create session
 authUser := &models.AuthUser{
- UserID: id,
+ UserID: userID,
 Username: username,
 Logged: true,
- IsSuperAdmin: false,
- IsCertAdmin: false,
- IsAppAdmin: false,
+ IsSuperAdmin: appUser.IsSuperAdmin,
+ IsCertAdmin: appUser.IsCertAdmin,
+ IsAppAdmin: appUser.IsAppAdmin,
 NeedModifyPWD: false}
 session, _ := store.Get(r, "sessionid")
 session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_cas2.go b/usermgmt/oauth_cas2.go
index 4cff1c5..fcceea2 100644
--- a/usermgmt/oauth_cas2.go
+++ b/usermgmt/oauth_cas2.go
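Review bot: `appUser` is still nil on the branch that has just inserted the user, yet `IsSuperAdmin: appUser.IsSuperAdmin` and the two lines below it dereference it, so the first admin-side login of a new LDAP user panics in the handler instead of creating a session; the same pattern is repeated in oauth_cas2.go, oauth_dingtalk.go, oauth_feishu.go, oauth_lark.go and oauth_wxwork.go. After a successful insert set `appUser = &models.AppUser{ID: userID}` so a freshly created user carries no admin flags, which also lets `userID` be dropped in favour of `appUser.ID` in both branches. `userID, err = …` relies on an `err` declared earlier in LDAPAuthFunc, which starts and ends outside this hunk, so it is worth confirming that is the handler-level variable rather than a shadowed one. Note also that the admin flags are now resolved by username alone, so an external identity whose name matches an existing local account inherits that account's privileges; if that linkage is not intended, key the lookup on the provider-specific subject or require an explicit account link.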
@@ -68,22 +68,27 @@ func CAS2CallbackWithCode(w http.ResponseWriter, r *http.Request) {
 
 casUser := casServiceResponse.AuthenticationSuccess.CASUser
 if state == "admin" {
- // To do: for janusec-admin
- // Insert into db if not existed
- id, err := data.DAL.InsertIfNotExistsAppUser(casUser, "", "", "", false, false, false, false)
- if err != nil {
- w.WriteHeader(403)
- w.Write([]byte("Error: " + err.Error()))
- return
+ appUser := data.DAL.SelectAppUserByName(casUser)
+ var userID int64
+ if appUser == nil {
+ // Insert into db if not existed
+ userID, err = data.DAL.InsertIfNotExistsAppUser(casUser, "", "", "", false, false, false, false)
+ if err != nil {
+ w.WriteHeader(403)
+ w.Write([]byte("Error: " + err.Error()))
+ return
+ }
+ } else {
+ userID = appUser.ID
 }
 // create session
 authUser := &models.AuthUser{
- UserID: id,
+ UserID: userID,
 Username: casUser,
 Logged: true,
- IsSuperAdmin: false,
- IsCertAdmin: false,
- IsAppAdmin: false,
+ IsSuperAdmin: appUser.IsSuperAdmin,
+ IsCertAdmin: appUser.IsCertAdmin,
+ IsAppAdmin: appUser.IsAppAdmin,
 NeedModifyPWD: false}
 session, _ := store.Get(r, "sessionid")
 session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_dingtalk.go b/usermgmt/oauth_dingtalk.go
index ea40f71..9b11076 100644
--- a/usermgmt/oauth_dingtalk.go
+++ b/usermgmt/oauth_dingtalk.go
@@ -82,21 +82,27 @@ func DingtalkCallbackWithCode(w http.ResponseWriter, r *http.Request) {
 }
 dingtalkUser := dingtalkResponse.UserInfo
 if state == "admin" {
- // Insert into db if not existed
- id, err := data.DAL.InsertIfNotExistsAppUser(dingtalkUser.Nick, "", "", "", false, false, false, false)
- if err != nil {
- w.WriteHeader(403)
- w.Write([]byte("Error: " + err.Error()))
- return
+ appUser := data.DAL.SelectAppUserByName(dingtalkUser.Nick)
+ var userID int64
+ if appUser == nil {
+ // Insert into db if not existed
+ userID, err = data.DAL.InsertIfNotExistsAppUser(dingtalkUser.Nick, "", "", "", false, false, false, false)
+ if err != nil {
+ w.WriteHeader(403)
+ w.Write([]byte("Error: " + err.Error()))
+ return
+ }
+ } else {
+ userID = appUser.ID
 }
 // create session
 authUser := &models.AuthUser{
- UserID: id,
+ UserID: userID,
 Username: dingtalkUser.Nick,
 Logged: true,
- IsSuperAdmin: false,
- IsCertAdmin: false,
- IsAppAdmin: false,
+ IsSuperAdmin: appUser.IsSuperAdmin,
+ IsCertAdmin: appUser.IsCertAdmin,
+ IsAppAdmin: appUser.IsAppAdmin,
 NeedModifyPWD: false}
 session, _ := store.Get(r, "sessionid")
 session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_feishu.go b/usermgmt/oauth_feishu.go
index aeb10c6..d99147a 100644
--- a/usermgmt/oauth_feishu.go
+++ b/usermgmt/oauth_feishu.go
@@ -97,21 +97,27 @@ func FeishuCallbackWithCode(w http.ResponseWriter, r *http.Request) {
 utils.DebugPrintln("FeishuCallbackWithCode json.Unmarshal error", err)
 }
 if state == "admin" {
- // Insert into db if not existed
- id, err := data.DAL.InsertIfNotExistsAppUser(feishuUser.Data.EnName, "", "", "", false, false, false, false)
- if err != nil {
- w.WriteHeader(403)
- w.Write([]byte("Error: " + err.Error()))
- return
+ appUser := data.DAL.SelectAppUserByName(feishuUser.Data.EnName)
+ var userID int64
+ if appUser == nil {
+ // Insert into db if not existed
+ userID, err = data.DAL.InsertIfNotExistsAppUser(feishuUser.Data.EnName, "", "", "", false, false, false, false)
+ if err != nil {
+ w.WriteHeader(403)
+ w.Write([]byte("Error: " + err.Error()))
+ return
+ }
+ } else {
+ userID = appUser.ID
 }
 // create session
 authUser := &models.AuthUser{
- UserID: id,
+ UserID: userID,
 Username: feishuUser.Data.EnName,
 Logged: true,
- IsSuperAdmin: false,
- IsCertAdmin: false,
- IsAppAdmin: false,
+ IsSuperAdmin: appUser.IsSuperAdmin,
+ IsCertAdmin: appUser.IsCertAdmin,
+ IsAppAdmin: appUser.IsAppAdmin,
 NeedModifyPWD: false}
 session, _ := store.Get(r, "sessionid")
 session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_lark.go b/usermgmt/oauth_lark.go
index 554af5f..4d93cfb 100644
--- a/usermgmt/oauth_lark.go
+++ b/usermgmt/oauth_lark.go
@@ -103,21 +103,27 @@ func LarkCallbackWithCode(w http.ResponseWriter, r *http.Request) {
 utils.DebugPrintln("LarkCallbackWithCode json.Unmarshal error", err)
 }
 if state == "admin" {
- // Insert into db if not existed
- id, err := data.DAL.InsertIfNotExistsAppUser(larkUser.Data.EnName, "", "", "", false, false, false, false)
- if err != nil {
- w.WriteHeader(403)
- w.Write([]byte("Error: " + err.Error()))
- return
+ appUser := data.DAL.SelectAppUserByName(larkUser.Data.EnName)
+ var userID int64
+ if appUser == nil {
+ // Insert into db if not existed
+ userID, err = data.DAL.InsertIfNotExistsAppUser(larkUser.Data.EnName, "", "", "", false, false, false, false)
+ if err != nil {
+ w.WriteHeader(403)
+ w.Write([]byte("Error: " + err.Error()))
+ return
+ }
+ } else {
+ userID = appUser.ID
 }
 // create session
 authUser := &models.AuthUser{
- UserID: id,
+ UserID: userID,
 Username: larkUser.Data.EnName,
 Logged: true,
- IsSuperAdmin: false,
- IsCertAdmin: false,
- IsAppAdmin: false,
+ IsSuperAdmin: appUser.IsSuperAdmin,
+ IsCertAdmin: appUser.IsCertAdmin,
+ IsAppAdmin: appUser.IsAppAdmin,
 NeedModifyPWD: false}
 session, _ := store.Get(r, "sessionid")
 session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_wxwork.go b/usermgmt/oauth_wxwork.go
index 5f395ca..4000dc6 100644
--- a/usermgmt/oauth_wxwork.go
+++ b/usermgmt/oauth_wxwork.go
@@ -74,21 +74,27 @@ func WxworkCallbackWithCode(w http.ResponseWriter, r *http.Request) {
 utils.DebugPrintln("WxworkCallbackWithCode json.Unmarshal error", err)
 }
 if state == "admin" {
- // Insert into db if not existed
- id, err := data.DAL.InsertIfNotExistsAppUser(wxworkUser.UserID, "", "", "", false, false, false, false)
- if err != nil {
- w.WriteHeader(403)
- w.Write([]byte("Error: " + err.Error()))
- return
+ appUser := data.DAL.SelectAppUserByName(wxworkUser.UserID)
+ var userID int64
+ if appUser == nil {
+ // Insert into db if not existed
+ userID, err = data.DAL.InsertIfNotExistsAppUser(wxworkUser.UserID, "", "", "", false, false, false, false)
+ if err != nil {
+ w.WriteHeader(403)
+ w.Write([]byte("Error: " + err.Error()))
+ return
+ }
+ } else {
+ userID = appUser.ID
 }
 // create session
 authUser := &models.AuthUser{
- UserID: id,
+ UserID: userID,
 Username: wxworkUser.UserID,
 Logged: true,
- IsSuperAdmin: false,
- IsCertAdmin: false,
- IsAppAdmin: false,
+ IsSuperAdmin: appUser.IsSuperAdmin,
+ IsCertAdmin: appUser.IsCertAdmin,
+ IsAppAdmin: appUser.IsAppAdmin,
 NeedModifyPWD: false}
 session, _ := store.Get(r, "sessionid")
 session.Values["authuser"] = authUser
diff --git a/usermgmt/usermgmt.go b/usermgmt/usermgmt.go
index 8520258..e6ffc65 100644
--- a/usermgmt/usermgmt.go
+++ b/usermgmt/usermgmt.go
@@ -52,7 +52,10 @@ func Login(w http.ResponseWriter, r *http.Request, body []byte, clientIP string) {
 }
 loginUser := apiLoginUserRequest.Object
 appUser := data.DAL.SelectAppUserByName(loginUser.Username)
-
+ if appUser == nil {
+ // not exists
+ return nil, errors.New("wrong authentication credentials")
+ }
 tmpHashpwd := data.SHA256Hash(loginUser.Password + appUser.Salt)
 if tmpHashpwd != appUser.HashPwd {
 return nil, errors.New("wrong authentication credentials")
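Review bot: The new nil check in Login returns before `data.SHA256Hash` runs, so a request for a username that does not exist completes faster than one with a wrong password even though both return the same "wrong authentication credentials" message; if the handler is meant not to reveal whether an account exists, run the hash against a fixed placeholder salt on that path as well (or perform the comparison against a placeholder row) before returning. While here, `tmpHashpwd != appUser.HashPwd` on the following line is a plain string compare; `subtle.ConstantTimeCompare` on the two values keeps the second step constant-time too. Login starts and ends outside this hunk, so the surrounding lockout and logging behaviour is not visible here.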