2021-03-13 23:06:03 +08:00
|
|
|
// Copyright 2021 The casbin Authors. All Rights Reserved.
|
2021-03-06 16:39:17 +08:00
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
2021-02-11 22:56:08 +08:00
|
|
|
package object
|
|
|
|
|
|
2021-05-01 16:50:47 +08:00
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"regexp"
|
2021-05-01 17:45:01 +08:00
|
|
|
|
2022-01-20 14:11:46 +08:00
|
|
|
"github.com/casdoor/casdoor/cred"
|
|
|
|
|
"github.com/casdoor/casdoor/util"
|
2021-12-10 22:45:01 +08:00
|
|
|
goldap "github.com/go-ldap/ldap/v3"
|
2021-05-01 16:50:47 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var reWhiteSpace *regexp.Regexp
|
|
|
|
|
|
|
|
|
|
func init() {
|
2021-08-07 22:02:56 +08:00
|
|
|
reWhiteSpace, _ = regexp.Compile(`\s`)
|
2021-05-01 16:50:47 +08:00
|
|
|
}
|
2021-02-14 01:04:51 +08:00
|
|
|
|
2021-06-17 00:49:02 +08:00
|
|
|
func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, email string, phone string, affiliation string) string {
|
|
|
|
|
if organization == nil {
|
|
|
|
|
return "organization does not exist"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if application.IsSignupItemVisible("Username") {
|
|
|
|
|
if len(username) <= 1 {
|
|
|
|
|
return "username must have at least 2 characters"
|
|
|
|
|
} else if reWhiteSpace.MatchString(username) {
|
|
|
|
|
return "username cannot contain white spaces"
|
|
|
|
|
} else if HasUserByField(organization.Name, "name", username) {
|
|
|
|
|
return "username already exists"
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-05-15 13:54:23 +08:00
|
|
|
|
2021-06-17 00:49:02 +08:00
|
|
|
if len(password) <= 5 {
|
2021-05-16 21:52:50 +08:00
|
|
|
return "password must have at least 6 characters"
|
2021-02-11 22:56:08 +08:00
|
|
|
}
|
2021-06-17 00:49:02 +08:00
|
|
|
|
|
|
|
|
if application.IsSignupItemVisible("Email") {
|
2021-11-09 20:28:27 +08:00
|
|
|
if email == "" {
|
|
|
|
|
if application.IsSignupItemRequired("Email") {
|
|
|
|
|
return "email cannot be empty"
|
|
|
|
|
} else {
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-17 00:49:02 +08:00
|
|
|
if HasUserByField(organization.Name, "email", email) {
|
|
|
|
|
return "email already exists"
|
|
|
|
|
} else if !util.IsEmailValid(email) {
|
|
|
|
|
return "email is invalid"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if application.IsSignupItemVisible("Phone") {
|
2021-11-09 20:28:27 +08:00
|
|
|
if phone == "" {
|
|
|
|
|
if application.IsSignupItemRequired("Phone") {
|
|
|
|
|
return "phone cannot be empty"
|
|
|
|
|
} else {
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-17 00:49:02 +08:00
|
|
|
if HasUserByField(organization.Name, "phone", phone) {
|
|
|
|
|
return "phone already exists"
|
|
|
|
|
} else if organization.PhonePrefix == "86" && !util.IsPhoneCnValid(phone) {
|
|
|
|
|
return "phone number is invalid"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if application.IsSignupItemVisible("Display name") {
|
|
|
|
|
if displayName == "" {
|
|
|
|
|
return "displayName cannot be blank"
|
2021-06-17 11:55:06 +08:00
|
|
|
} else if application.GetSignupItemRule("Display name") == "Personal" {
|
|
|
|
|
if !isValidPersonalName(displayName) {
|
|
|
|
|
return "displayName is not valid personal name"
|
|
|
|
|
}
|
2021-06-17 00:49:02 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if application.IsSignupItemVisible("Affiliation") {
|
|
|
|
|
if affiliation == "" {
|
|
|
|
|
return "affiliation cannot be blank"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ""
|
2021-02-11 22:56:08 +08:00
|
|
|
}
|
|
|
|
|
|
2021-05-16 21:04:26 +08:00
|
|
|
func CheckPassword(user *User, password string) string {
|
2021-05-16 22:58:30 +08:00
|
|
|
organization := GetOrganizationByUser(user)
|
2021-09-04 22:20:47 +08:00
|
|
|
if organization == nil {
|
|
|
|
|
return "organization does not exist"
|
|
|
|
|
}
|
2021-11-04 21:08:43 +08:00
|
|
|
|
|
|
|
|
credManager := cred.GetCredManager(organization.PasswordType)
|
|
|
|
|
if credManager != nil {
|
2021-12-22 20:56:22 +08:00
|
|
|
if organization.MasterPassword != "" {
|
|
|
|
|
if credManager.IsPasswordCorrect(password, organization.MasterPassword, "", organization.PasswordSalt) {
|
|
|
|
|
return ""
|
|
|
|
|
}
|
2021-11-06 21:14:53 +08:00
|
|
|
}
|
|
|
|
|
|
2021-12-22 13:56:32 +08:00
|
|
|
if credManager.IsPasswordCorrect(password, user.Password, user.PasswordSalt, organization.PasswordSalt) {
|
2021-05-03 10:13:32 +08:00
|
|
|
return ""
|
|
|
|
|
}
|
2021-09-04 22:20:47 +08:00
|
|
|
return "password incorrect"
|
2021-05-03 10:13:32 +08:00
|
|
|
} else {
|
2021-05-05 23:32:21 +08:00
|
|
|
return fmt.Sprintf("unsupported password type: %s", organization.PasswordType)
|
2021-05-03 10:13:32 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-10 22:45:01 +08:00
|
|
|
func checkLdapUserPassword(user *User, password string) (*User, string) {
|
|
|
|
|
ldaps := GetLdaps(user.Owner)
|
|
|
|
|
ldapLoginSuccess := false
|
|
|
|
|
for _, ldapServer := range ldaps {
|
|
|
|
|
conn, err := GetLdapConn(ldapServer.Host, ldapServer.Port, ldapServer.Admin, ldapServer.Passwd)
|
|
|
|
|
if err != nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
SearchFilter := fmt.Sprintf("(&(objectClass=posixAccount)(uid=%s))", user.Name)
|
|
|
|
|
searchReq := goldap.NewSearchRequest(ldapServer.BaseDn,
|
|
|
|
|
goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
|
|
|
|
|
SearchFilter, []string{}, nil)
|
|
|
|
|
searchResult, err := conn.Conn.Search(searchReq)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err.Error()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(searchResult.Entries) == 0 {
|
|
|
|
|
continue
|
|
|
|
|
} else if len(searchResult.Entries) > 1 {
|
|
|
|
|
return nil, "Error: multiple accounts with same uid, please check your ldap server"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dn := searchResult.Entries[0].DN
|
|
|
|
|
if err := conn.Conn.Bind(dn, password); err == nil {
|
|
|
|
|
ldapLoginSuccess = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !ldapLoginSuccess {
|
|
|
|
|
return nil, "ldap user name or password incorrect"
|
|
|
|
|
}
|
|
|
|
|
return user, ""
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-15 21:57:36 +08:00
|
|
|
func CheckUserPassword(organization string, username string, password string) (*User, string) {
|
2021-05-01 20:23:20 +08:00
|
|
|
user := GetUserByFields(organization, username)
|
2021-11-06 15:52:03 +08:00
|
|
|
if user == nil || user.IsDeleted == true {
|
2021-05-01 20:23:20 +08:00
|
|
|
return nil, "the user does not exist, please sign up first"
|
2021-02-11 22:56:08 +08:00
|
|
|
}
|
|
|
|
|
|
2021-05-05 23:32:21 +08:00
|
|
|
if user.IsForbidden {
|
|
|
|
|
return nil, "the user is forbidden to sign in, please contact the administrator"
|
|
|
|
|
}
|
2021-12-10 22:45:01 +08:00
|
|
|
//for ldap users
|
|
|
|
|
if user.Ldap != "" {
|
|
|
|
|
return checkLdapUserPassword(user, password)
|
|
|
|
|
}
|
2021-05-05 23:32:21 +08:00
|
|
|
|
2021-05-16 21:04:26 +08:00
|
|
|
msg := CheckPassword(user, password)
|
2021-05-03 10:13:32 +08:00
|
|
|
if msg != "" {
|
|
|
|
|
return nil, msg
|
2021-02-11 22:56:08 +08:00
|
|
|
}
|
|
|
|
|
|
2021-05-01 19:45:40 +08:00
|
|
|
return user, ""
|
2021-02-11 22:56:08 +08:00
|
|
|
}
|
