Oauth user logic cleanup (#2877)
* additional logs for oauth user flow * add more debug logs * add more debug logs * add set auth secret * fix fetch pass * make sure auth secret is set only once * make sure auth secret is set only once
25
auth/auth.go
@@ -32,7 +32,6 @@ const (
|
|||||||
github_provider_name = "github"
|
github_provider_name = "github"
|
||||||
oidc_provider_name = "oidc"
|
oidc_provider_name = "oidc"
|
||||||
verify_user = "verifyuser"
|
verify_user = "verifyuser"
|
||||||
auth_key = "netmaker_auth"
|
|
||||||
user_signin_length = 16
|
user_signin_length = 16
|
||||||
node_signin_length = 64
|
node_signin_length = 64
|
||||||
headless_signin_length = 32
|
headless_signin_length = 32
|
||||||
@@ -75,10 +74,10 @@ func InitializeAuthProvider() string {
|
|||||||
if functions == nil {
|
if functions == nil {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
var _, err = FetchPassValue(logic.RandomString(64))
|
logger.Log(0, "setting oauth secret")
|
||||||
|
var err = logic.SetAuthSecret(logic.RandomString(64))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Log(0, err.Error())
|
logger.FatalLog("failed to set auth_secret", err.Error())
|
||||||
return ""
|
|
||||||
}
|
}
|
||||||
var authInfo = servercfg.GetAuthProviderInfo()
|
var authInfo = servercfg.GetAuthProviderInfo()
|
||||||
var serverConn = servercfg.GetAPIHost()
|
var serverConn = servercfg.GetAPIHost()
|
||||||
@@ -248,6 +247,7 @@ func addUser(email string) error {
|
|||||||
} // generate random password to adapt to current model
|
} // generate random password to adapt to current model
|
||||||
var newPass, fetchErr = FetchPassValue("")
|
var newPass, fetchErr = FetchPassValue("")
|
||||||
if fetchErr != nil {
|
if fetchErr != nil {
|
||||||
|
slog.Error("failed to get password", "error", err.Error())
|
||||||
return fetchErr
|
return fetchErr
|
||||||
}
|
}
|
||||||
var newUser = models.User{
|
var newUser = models.User{
|
||||||
@@ -255,6 +255,7 @@ func addUser(email string) error {
|
|||||||
Password: newPass,
|
Password: newPass,
|
||||||
}
|
}
|
||||||
if !hasSuperAdmin { // must be first attempt, create a superadmin
|
if !hasSuperAdmin { // must be first attempt, create a superadmin
|
||||||
|
logger.Log(0, "creating superadmin")
|
||||||
if err = logic.CreateSuperAdmin(&newUser); err != nil {
|
if err = logic.CreateSuperAdmin(&newUser); err != nil {
|
||||||
slog.Error("error creating super admin from user", "email", email, "error", err)
|
slog.Error("error creating super admin from user", "email", email, "error", err)
|
||||||
} else {
|
} else {
|
||||||
@@ -264,7 +265,7 @@ func addUser(email string) error {
|
|||||||
// TODO: add ability to add users with preemptive permissions
|
// TODO: add ability to add users with preemptive permissions
|
||||||
newUser.IsAdmin = false
|
newUser.IsAdmin = false
|
||||||
if err = logic.CreateUser(&newUser); err != nil {
|
if err = logic.CreateUser(&newUser); err != nil {
|
||||||
logger.Log(1, "error creating user,", email, "; user not added")
|
logger.Log(0, "error creating user,", email, "; user not added", "error", err.Error())
|
||||||
} else {
|
} else {
|
||||||
logger.Log(0, "user created from ", email)
|
logger.Log(0, "user created from ", email)
|
||||||
}
|
}
|
||||||
@@ -277,20 +278,12 @@ func FetchPassValue(newValue string) (string, error) {
|
|||||||
type valueHolder struct {
|
type valueHolder struct {
|
||||||
Value string `json:"value" bson:"value"`
|
Value string `json:"value" bson:"value"`
|
||||||
}
|
}
|
||||||
var b64NewValue = base64.StdEncoding.EncodeToString([]byte(newValue))
|
newValueHolder := valueHolder{}
|
||||||
var newValueHolder = &valueHolder{
|
var currentValue, err = logic.FetchAuthSecret()
|
||||||
Value: b64NewValue,
|
|
||||||
}
|
|
||||||
var data, marshalErr = json.Marshal(newValueHolder)
|
|
||||||
if marshalErr != nil {
|
|
||||||
return "", marshalErr
|
|
||||||
}
|
|
||||||
|
|
||||||
var currentValue, err = logic.FetchAuthSecret(auth_key, string(data))
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
var unmarshErr = json.Unmarshal([]byte(currentValue), newValueHolder)
|
var unmarshErr = json.Unmarshal([]byte(currentValue), &newValueHolder)
|
||||||
if unmarshErr != nil {
|
if unmarshErr != nil {
|
||||||
return "", unmarshErr
|
return "", unmarshErr
|
||||||
}
|
}
|
||||||
|
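Review bot: The slog.Error added in addUser (hunk at -248) formats `err.Error()` while the error actually being handled is `fetchErr`; `err` is an earlier variable of addUser (declared outside this hunk and assigned with `=` further down), and if it is nil at that point the call dereferences a nil interface and panics instead of returning `fetchErr` to the caller. It should read `slog.Error("failed to get password", "error", fetchErr)`. Separately, the FetchPassValue hunk removes the only use of its `newValue` parameter but keeps it in the signature, so callers such as addUser's `FetchPassValue("")` now pass a value that is silently ignored; either drop the parameter or add a comment that the secret is written only by `logic.SetAuthSecret` and this function only reads it. FetchPassValue's body continues past the end of the hunk.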
@@ -91,6 +91,7 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
|
|||||||
}
|
}
|
||||||
user, err := logic.GetUser(content.Email)
|
user, err := logic.GetUser(content.Email)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
logger.Log(0, "error fetching user: ", err.Error())
|
||||||
handleOauthUserNotFound(w)
|
handleOauthUserNotFound(w)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
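Review bot: The log added in handleGoogleCallback fires on any GetUser failure, yet the handler still answers every failure with handleOauthUserNotFound, so a database or decoding error is presented to the user as a missing account, and the level-0 log will presumably also print the raw error for every unknown OAuth identity that is legitimately not found. Consider distinguishing the not-found case from other errors before choosing the response, e.g. call `handleOauthUserNotFound(w)` only for the not-found error and return a generic server error otherwise; which sentinel GetUser returns for a missing user is not visible in this hunk. Including the looked-up email in the log entry would help correlate it with the callback, if that is acceptable under the deployment's log-handling policy. handleGoogleCallback's body extends beyond this hunk on both sides.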
@@ -1,6 +1,7 @@
|
|||||||
package logic
|
package logic
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/base64"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
@@ -15,6 +16,10 @@ import (
|
|||||||
"github.com/gravitl/netmaker/models"
|
"github.com/gravitl/netmaker/models"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
auth_key = "netmaker_auth"
|
||||||
|
)
|
||||||
|
|
||||||
// HasSuperAdmin - checks if server has an superadmin/owner
|
// HasSuperAdmin - checks if server has an superadmin/owner
|
||||||
func HasSuperAdmin() (bool, error) {
|
func HasSuperAdmin() (bool, error) {
|
||||||
|
|
||||||
@@ -96,12 +101,14 @@ func CreateUser(user *models.User) error {
|
|||||||
}
|
}
|
||||||
var err = ValidateUser(user)
|
var err = ValidateUser(user)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
logger.Log(0, "failed to validate user", err.Error())
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// encrypt that password so we never see it again
|
// encrypt that password so we never see it again
|
||||||
hash, err := bcrypt.GenerateFromPassword([]byte(user.Password), 5)
|
hash, err := bcrypt.GenerateFromPassword([]byte(user.Password), 5)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
logger.Log(0, "error encrypting pass", err.Error())
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
// set password to encrypted password
|
// set password to encrypted password
|
||||||
@@ -109,6 +116,7 @@ func CreateUser(user *models.User) error {
|
|||||||
|
|
||||||
tokenString, _ := CreateUserJWT(user.UserName, user.IsSuperAdmin, user.IsAdmin)
|
tokenString, _ := CreateUserJWT(user.UserName, user.IsSuperAdmin, user.IsAdmin)
|
||||||
if tokenString == "" {
|
if tokenString == "" {
|
||||||
|
logger.Log(0, "failed to generate token", err.Error())
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -117,10 +125,12 @@ func CreateUser(user *models.User) error {
|
|||||||
// connect db
|
// connect db
|
||||||
data, err := json.Marshal(user)
|
data, err := json.Marshal(user)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
logger.Log(0, "failed to marshal", err.Error())
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
err = database.Insert(user.UserName, string(data), database.USERS_TABLE_NAME)
|
err = database.Insert(user.UserName, string(data), database.USERS_TABLE_NAME)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
logger.Log(0, "failed to insert user", err.Error())
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -279,16 +289,32 @@ func DeleteUser(user string) (bool, error) {
|
|||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// FetchAuthSecret - manages secrets for oauth
|
func SetAuthSecret(secret string) error {
|
||||||
func FetchAuthSecret(key string, secret string) (string, error) {
|
type valueHolder struct {
|
||||||
var record, err = database.FetchRecord(database.GENERATED_TABLE_NAME, key)
|
Value string `json:"value" bson:"value"`
|
||||||
if err != nil {
|
}
|
||||||
if err = database.Insert(key, secret, database.GENERATED_TABLE_NAME); err != nil {
|
record, err := FetchAuthSecret()
|
||||||
return "", err
|
if err == nil {
|
||||||
} else {
|
v := valueHolder{}
|
||||||
return secret, nil
|
json.Unmarshal([]byte(record), &v)
|
||||||
|
if v.Value != "" {
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
var b64NewValue = base64.StdEncoding.EncodeToString([]byte(secret))
|
||||||
|
newValueHolder := valueHolder{
|
||||||
|
Value: b64NewValue,
|
||||||
|
}
|
||||||
|
d, _ := json.Marshal(newValueHolder)
|
||||||
|
return database.Insert(auth_key, string(d), database.GENERATED_TABLE_NAME)
|
||||||
|
}
|
||||||
|
|
||||||
|
// FetchAuthSecret - manages secrets for oauth
|
||||||
|
func FetchAuthSecret() (string, error) {
|
||||||
|
var record, err = database.FetchRecord(database.GENERATED_TABLE_NAME, auth_key)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
return record, nil
|
return record, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
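Review bot: The log added in CreateUser's token check (hunk at -109) calls `err.Error()` on an `err` that is nil at that point: the only prior assignment visible is the bcrypt call, whose non-nil case has already returned, and CreateUserJWT's own error is discarded with `_`, so an empty token now causes a nil-pointer panic instead of the (already incorrect) `return err` of nil. Capture the JWT error and return a real error for the empty-token case; `errors` and `fmt` are already imported in this file. The `json.Unmarshal` in SetAuthSecret likewise drops its error, which makes a corrupt stored record indistinguishable from an absent one and silently overwrites the auth secret — worth at least logging. CreateUser continues outside the hunk.
```go
tokenString, err := CreateUserJWT(user.UserName, user.IsSuperAdmin, user.IsAdmin)
if err == nil && tokenString == "" {
	err = errors.New("empty token")
}
if err != nil {
	logger.Log(0, "failed to generate token", err.Error())
	return err
}
// … unchanged: marshal and insert of the user record …
```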