public_git
/
wg-portal
mirror of https://github.com/h44z/wg-portal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix disabling of missing ldap users (#344) and allow deletion of all user types

This commit is contained in:
Christoph Haas 2025-01-18 17:39:18 +01:00
parent 31c0daeba8
commit c73ce0288e
4 changed files with 30 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
frontend/src/components/UserEditModal.vue
View File

@ -165,7 +165,7 @@ async function del() {
</template> </template>
<template #footer> <template #footer>
<div class="flex-fill text-start"> <div class="flex-fill text-start">
<button v-if="props.userId!=='#NEW#'&&formData.Source==='db'" class="btn btn-danger me-1" type="button" @click.prevent="del">{{ $t('general.delete') }}</button> <button v-if="props.userId!=='#NEW#'" class="btn btn-danger me-1" type="button" @click.prevent="del">{{ $t('general.delete') }}</button>
</div> </div>
<button class="btn btn-primary me-1" type="button" @click.prevent="save">{{ $t('general.save') }}</button> <button class="btn btn-primary me-1" type="button" @click.prevent="save">{{ $t('general.save') }}</button>
<button class="btn btn-secondary" type="button" @click.prevent="close">{{ $t('general.close') }}</button> <button class="btn btn-secondary" type="button" @click.prevent="close">{{ $t('general.close') }}</button>

12
internal/app/auth/auth.go
View File

@ -373,7 +373,7 @@ func (a *Authenticator) processUserInfo(
case err != nil: case err != nil:
return nil, fmt.Errorf("registration disabled, cannot create missing user: %w", err) return nil, fmt.Errorf("registration disabled, cannot create missing user: %w", err)
default: default:
err = a.updateExternalUser(ctx, user, userInfo) err = a.updateExternalUser(ctx, user, userInfo, source, provider)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to update user: %w", err) return nil, fmt.Errorf("failed to update user: %w", err)
} }
@ -432,6 +432,8 @@ func (a *Authenticator) updateExternalUser(
ctx context.Context, ctx context.Context,
existingUser *domain.User, existingUser *domain.User,
userInfo *domain.AuthenticatorUserInfo, userInfo *domain.AuthenticatorUserInfo,
source domain.UserSource,
provider string,
) error { ) error {
if existingUser.IsLocked() || existingUser.IsDisabled() { if existingUser.IsLocked() || existingUser.IsDisabled() {
return nil // user is locked or disabled, do not update return nil // user is locked or disabled, do not update
@ -462,6 +464,14 @@ func (a *Authenticator) updateExternalUser(
existingUser.IsAdmin = userInfo.IsAdmin existingUser.IsAdmin = userInfo.IsAdmin
isChanged = true isChanged = true
} }
if existingUser.Source != source {
existingUser.Source = source
isChanged = true
}
if existingUser.ProviderName != provider {
existingUser.ProviderName = provider
isChanged = true
}
if !isChanged { if !isChanged {
return nil // nothing to update return nil // nothing to update

21
internal/app/users/user_manager.go
View File

@ -73,11 +73,16 @@ func (m Manager) NewUser(ctx context.Context, user *domain.User) error {
u.Identifier = user.Identifier u.Identifier = user.Identifier
u.Email = user.Email u.Email = user.Email
u.Source = user.Source u.Source = user.Source
u.ProviderName = user.ProviderName
u.IsAdmin = user.IsAdmin u.IsAdmin = user.IsAdmin
u.Firstname = user.Firstname u.Firstname = user.Firstname
u.Lastname = user.Lastname u.Lastname = user.Lastname
u.Phone = user.Phone u.Phone = user.Phone
u.Department = user.Department u.Department = user.Department
u.Notes = user.Notes
u.ApiToken = user.ApiToken
u.ApiTokenCreated = user.ApiTokenCreated
return u, nil return u, nil
}) })
if err != nil { if err != nil {
@ -421,13 +426,14 @@ func (m Manager) runLdapSynchronizationService(ctx context.Context) {
logrus.Debugf("sync disabled for LDAP server: %s", cfg.ProviderName) logrus.Debugf("sync disabled for LDAP server: %s", cfg.ProviderName)
return return
} }
running := true running := true
for running { for running {
select { select {
case <-ctx.Done(): case <-ctx.Done():
running = false running = false
continue continue
case <-time.After(syncInterval * time.Second): case <-time.After(syncInterval):
// select blocks until one of the cases evaluate to true // select blocks until one of the cases evaluate to true
} }
@ -460,7 +466,7 @@ func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.Ldap
return err return err
} }
logrus.Tracef("fetched %d raw ldap users...", len(rawUsers)) logrus.Tracef("fetched %d raw ldap users from provider %s...", len(rawUsers), provider.ProviderName)
// Update existing LDAP users // Update existing LDAP users
err = m.updateLdapUsers(ctx, provider.ProviderName, rawUsers, &provider.FieldMap, provider.ParsedAdminGroupDN) err = m.updateLdapUsers(ctx, provider.ProviderName, rawUsers, &provider.FieldMap, provider.ParsedAdminGroupDN)
@ -497,13 +503,13 @@ func (m Manager) updateLdapUsers(
return fmt.Errorf("find error for user id %s: %w", user.Identifier, err) return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
} }
tctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) tctx, cancel := context.WithTimeout(ctx, 30*time.Second)
defer cancel()
tctx = domain.SetUserInfo(tctx, domain.SystemAdminContextUserInfo()) tctx = domain.SetUserInfo(tctx, domain.SystemAdminContextUserInfo())
if existingUser == nil { if existingUser == nil {
err := m.NewUser(tctx, user) err := m.NewUser(tctx, user)
if err != nil { if err != nil {
cancel()
return fmt.Errorf("create error for user id %s: %w", user.Identifier, err) return fmt.Errorf("create error for user id %s: %w", user.Identifier, err)
} }
} }
@ -514,6 +520,8 @@ func (m Manager) updateLdapUsers(
err := m.users.SaveUser(tctx, user.Identifier, func(u *domain.User) (*domain.User, error) { err := m.users.SaveUser(tctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
u.UpdatedAt = time.Now() u.UpdatedAt = time.Now()
u.UpdatedBy = domain.CtxSystemLdapSyncer u.UpdatedBy = domain.CtxSystemLdapSyncer
u.Source = user.Source
u.ProviderName = user.ProviderName
u.Email = user.Email u.Email = user.Email
u.Firstname = user.Firstname u.Firstname = user.Firstname
u.Lastname = user.Lastname u.Lastname = user.Lastname
@ -525,9 +533,12 @@ func (m Manager) updateLdapUsers(
return u, nil return u, nil
}) })
if err != nil { if err != nil {
cancel()
return fmt.Errorf("update error for user id %s: %w", user.Identifier, err) return fmt.Errorf("update error for user id %s: %w", user.Identifier, err)
} }
} }
cancel()
} }
return nil return nil
@ -567,6 +578,8 @@ func (m Manager) disableMissingLdapUsers(
continue continue
} }
logrus.Tracef("user %s is missing in ldap provider %s, disabling", user.Identifier, providerName)
now := time.Now() now := time.Now()
user.Disabled = &now user.Disabled = &now
user.DisabledReason = domain.DisabledReasonLdapMissing user.DisabledReason = domain.DisabledReasonLdapMissing

6
internal/domain/user.go
View File

@ -101,11 +101,7 @@ func (u *User) EditAllowed(new *User) error {
} }
func (u *User) DeleteAllowed() error { func (u *User) DeleteAllowed() error {
if u.Source == UserSourceDatabase { return nil // all users can be deleted, OAuth and LDAP users might still be recreated
return nil
}
return errors.New("delete only allowed for database source")
} }
func (u *User) CheckPassword(password string) error { func (u *User) CheckPassword(password string) error {