casdoor/object/check.go

// Copyright 2021 The Casdoor Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package object

import (
	"fmt"
	"regexp"
	"strings"

	"github.com/casdoor/casdoor/cred"
	"github.com/casdoor/casdoor/util"
	goldap "github.com/go-ldap/ldap/v3"
)

var (
	reWhiteSpace     *regexp.Regexp
	reFieldWhiteList *regexp.Regexp
)

func init() {
	reWhiteSpace, _ = regexp.Compile(`\s`)
	reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
}

func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, firstName string, lastName string, email string, phone string, affiliation string) string {
	if organization == nil {
		return "organization does not exist"
	}

	if application.IsSignupItemVisible("Username") {
		if len(username) <= 1 {
			return "username must have at least 2 characters"
		} else if reWhiteSpace.MatchString(username) {
			return "username cannot contain white spaces"
		} else if HasUserByField(organization.Name, "name", username) {
			return "username already exists"
		}
	}

	if len(password) <= 5 {
		return "password must have at least 6 characters"
	}

	if application.IsSignupItemVisible("Email") {
		if email == "" {
			if application.IsSignupItemRequired("Email") {
				return "email cannot be empty"
			} else {
				return ""
			}
		}

		if HasUserByField(organization.Name, "email", email) {
			return "email already exists"
		} else if !util.IsEmailValid(email) {
			return "email is invalid"
		}
	}

	if application.IsSignupItemVisible("Phone") {
		if phone == "" {
			if application.IsSignupItemRequired("Phone") {
				return "phone cannot be empty"
			} else {
				return ""
			}
		}

		if HasUserByField(organization.Name, "phone", phone) {
			return "phone already exists"
		} else if organization.PhonePrefix == "86" && !util.IsPhoneCnValid(phone) {
			return "phone number is invalid"
		}
	}

	if application.IsSignupItemVisible("Display name") {
		if application.GetSignupItemRule("Display name") == "First, last" && (firstName != "" || lastName != "") {
			if firstName == "" {
				return "firstName cannot be blank"
			} else if lastName == "" {
				return "lastName cannot be blank"
			}
		} else {
			if displayName == "" {
				return "displayName cannot be blank"
			} else if application.GetSignupItemRule("Display name") == "Real name" {
				if !isValidRealName(displayName) {
					return "displayName is not valid real name"
				}
			}
		}
	}

	if application.IsSignupItemVisible("Affiliation") {
		if affiliation == "" {
			return "affiliation cannot be blank"
		}
	}

	return ""
}

func CheckPassword(user *User, password string) string {
	organization := GetOrganizationByUser(user)
	if organization == nil {
		return "organization does not exist"
	}

	credManager := cred.GetCredManager(organization.PasswordType)
	if credManager != nil {
		if organization.MasterPassword != "" {
			if credManager.IsPasswordCorrect(password, organization.MasterPassword, "", organization.PasswordSalt) {
				return ""
			}
		}

		if credManager.IsPasswordCorrect(password, user.Password, user.PasswordSalt, organization.PasswordSalt) {
			return ""
		}
		return "password incorrect"
	} else {
		return fmt.Sprintf("unsupported password type: %s", organization.PasswordType)
	}
}

func checkLdapUserPassword(user *User, password string) (*User, string) {
	ldaps := GetLdaps(user.Owner)
	ldapLoginSuccess := false
	for _, ldapServer := range ldaps {
		conn, err := GetLdapConn(ldapServer.Host, ldapServer.Port, ldapServer.Admin, ldapServer.Passwd)
		if err != nil {
			continue
		}
		SearchFilter := fmt.Sprintf("(&(objectClass=posixAccount)(uid=%s))", user.Name)
		searchReq := goldap.NewSearchRequest(ldapServer.BaseDn,
			goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
			SearchFilter, []string{}, nil)
		searchResult, err := conn.Conn.Search(searchReq)
		if err != nil {
			return nil, err.Error()
		}

		if len(searchResult.Entries) == 0 {
			continue
		} else if len(searchResult.Entries) > 1 {
			return nil, "Error: multiple accounts with same uid, please check your ldap server"
		}

		dn := searchResult.Entries[0].DN
		if err := conn.Conn.Bind(dn, password); err == nil {
			ldapLoginSuccess = true
			break
		}
	}

	if !ldapLoginSuccess {
		return nil, "ldap user name or password incorrect"
	}
	return user, ""
}

func CheckUserPassword(organization string, username string, password string) (*User, string) {
	user := GetUserByFields(organization, username)
	if user == nil || user.IsDeleted == true {
		return nil, "the user does not exist, please sign up first"
	}

	if user.IsForbidden {
		return nil, "the user is forbidden to sign in, please contact the administrator"
	}

	if user.Ldap != "" {
		//ONLY for ldap users
		return checkLdapUserPassword(user, password)
	} else {
		msg := CheckPassword(user, password)
		if msg != "" {
			return nil, msg
		}
	}
	return user, ""
}

func filterField(field string) bool {
	return reFieldWhiteList.MatchString(field)
}

func CheckUserPermission(requestUserId, userId string, strict bool) (bool, error) {
	if requestUserId == "" {
		return false, fmt.Errorf("please login first")
	}

	targetUser := GetUser(userId)
	if targetUser == nil {
		return false, fmt.Errorf("the user: %s doesn't exist", userId)
	}

	hasPermission := false
	if strings.HasPrefix(requestUserId, "app/") {
		hasPermission = true
	} else {
		requestUser := GetUser(requestUserId)
		if requestUser == nil {
			return false, fmt.Errorf("session outdated, please login again")
		}
		if requestUser.IsGlobalAdmin {
			hasPermission = true
		} else if requestUserId == userId {
			hasPermission = true
		} else if targetUser.Owner == requestUser.Owner {
			if strict {
				hasPermission = requestUser.IsAdmin
			} else {
				hasPermission = true
			}
		}
	}

	return hasPermission, fmt.Errorf("you don't have the permission to do this")
}

func CheckPermission(userId string, application *Application) (bool, error) {
	permissions := GetPermissions(application.Organization)
	allow := true
	var err error
	for _, permission := range permissions {
		if permission.IsEnabled {
			for _, resource := range permission.Resources {
				if resource == application.Name {
					enforcer := getEnforcer(permission)
					allow, err = enforcer.Enforce(userId, application.Name, "read")
				}
			}
		}
	}
	return allow, err
}
Update license headers. 2022-02-13 23:39:27 +08:00			`// Copyright 2021 The Casdoor Authors. All Rights Reserved.`
Add clientId and clientSecret to app. 2021-03-06 16:39:17 +08:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Add account APIs. 2021-02-11 22:56:08 +08:00			`package object`

Add username check. 2021-05-01 16:50:47 +08:00			`import (`
			`"fmt"`
			`"regexp"`
feat: add isProfilePublic setting for accessing user info (#656) * feat: add isProfilePublic setting for accessing user info Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: requested changes Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-04-16 15:10:03 +08:00			`"strings"`
Improve CheckUserSignup(). 2021-05-01 17:45:01 +08:00
Update import path. 2022-01-20 14:11:46 +08:00			`"github.com/casdoor/casdoor/cred"`
			`"github.com/casdoor/casdoor/util"`
feat: support checking password through ldap server (#354) Signed-off-by: Товарищ программист <2962928213@qq.com> 2021-12-10 22:45:01 +08:00			`goldap "github.com/go-ldap/ldap/v3"`
Add username check. 2021-05-01 16:50:47 +08:00			`)`

fix: fix the SQL injection vulnerability in field filter (#442) Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-01-26 19:36:36 +08:00			`var (`
			`reWhiteSpace *regexp.Regexp`
			`reFieldWhiteList *regexp.Regexp`
			`)`
Add username check. 2021-05-01 16:50:47 +08:00
			`func init() {`
fix: improve code specification (#231) 2021-08-07 22:02:56 +08:00			reWhiteSpace, _ = regexp.Compile(`\s`)
fix: fix the SQL injection vulnerability in field filter (#442) Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-01-26 19:36:36 +08:00			reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
Add username check. 2021-05-01 16:50:47 +08:00			`}`
Fix github login. 2021-02-14 01:04:51 +08:00
Support user's first name and last name. 2022-02-27 14:02:52 +08:00			`func CheckUserSignup(application Application, organization Organization, username string, password string, displayName string, firstName string, lastName string, email string, phone string, affiliation string) string {`
Use signup table in Signup API. 2021-06-17 00:49:02 +08:00			`if organization == nil {`
			`return "organization does not exist"`
			`}`

			`if application.IsSignupItemVisible("Username") {`
			`if len(username) <= 1 {`
			`return "username must have at least 2 characters"`
			`} else if reWhiteSpace.MatchString(username) {`
			`return "username cannot contain white spaces"`
			`} else if HasUserByField(organization.Name, "name", username) {`
			`return "username already exists"`
			`}`
			`}`
Remove user's PhonePrefix. 2021-05-15 13:54:23 +08:00
Use signup table in Signup API. 2021-06-17 00:49:02 +08:00			`if len(password) <= 5 {`
Improve password length check. 2021-05-16 21:52:50 +08:00			`return "password must have at least 6 characters"`
Add account APIs. 2021-02-11 22:56:08 +08:00			`}`
Use signup table in Signup API. 2021-06-17 00:49:02 +08:00
			`if application.IsSignupItemVisible("Email") {`
Improve email and phone checking in Signup(). 2021-11-09 20:28:27 +08:00			`if email == "" {`
			`if application.IsSignupItemRequired("Email") {`
			`return "email cannot be empty"`
			`} else {`
			`return ""`
			`}`
			`}`

Use signup table in Signup API. 2021-06-17 00:49:02 +08:00			`if HasUserByField(organization.Name, "email", email) {`
			`return "email already exists"`
			`} else if !util.IsEmailValid(email) {`
			`return "email is invalid"`
			`}`
			`}`

			`if application.IsSignupItemVisible("Phone") {`
Improve email and phone checking in Signup(). 2021-11-09 20:28:27 +08:00			`if phone == "" {`
			`if application.IsSignupItemRequired("Phone") {`
			`return "phone cannot be empty"`
			`} else {`
			`return ""`
			`}`
			`}`

Use signup table in Signup API. 2021-06-17 00:49:02 +08:00			`if HasUserByField(organization.Name, "phone", phone) {`
			`return "phone already exists"`
			`} else if organization.PhonePrefix == "86" && !util.IsPhoneCnValid(phone) {`
			`return "phone number is invalid"`
			`}`
			`}`

			`if application.IsSignupItemVisible("Display name") {`
Fix bug in first name, last name checking 2022-02-28 13:17:05 +08:00			`if application.GetSignupItemRule("Display name") == "First, last" && (firstName != "" \|\| lastName != "") {`
Support user's first name and last name. 2022-02-27 14:02:52 +08:00			`if firstName == "" {`
			`return "firstName cannot be blank"`
			`} else if lastName == "" {`
			`return "lastName cannot be blank"`
			`}`
			`} else {`
			`if displayName == "" {`
			`return "displayName cannot be blank"`
			`} else if application.GetSignupItemRule("Display name") == "Real name" {`
			`if !isValidRealName(displayName) {`
			`return "displayName is not valid real name"`
			`}`
Add isValidPersonalName(). 2021-06-17 11:55:06 +08:00			`}`
Use signup table in Signup API. 2021-06-17 00:49:02 +08:00			`}`
			`}`

			`if application.IsSignupItemVisible("Affiliation") {`
			`if affiliation == "" {`
			`return "affiliation cannot be blank"`
			`}`
			`}`

			`return ""`
Add account APIs. 2021-02-11 22:56:08 +08:00			`}`

Fix add/update salted password. 2021-05-16 21:04:26 +08:00			`func CheckPassword(user *User, password string) string {`
Remove GetOrganizationByName(). 2021-05-16 22:58:30 +08:00			`organization := GetOrganizationByUser(user)`
fix: improvde code logic (#285) Signed-off-by: sh1luo <690898835@qq.com> 2021-09-04 22:20:47 +08:00			`if organization == nil {`
			`return "organization does not exist"`
			`}`
Add CredManager. 2021-11-04 21:08:43 +08:00
			`credManager := cred.GetCredManager(organization.PasswordType)`
			`if credManager != nil {`
Support cred manager for organization.MasterPassword 2021-12-22 20:56:22 +08:00			`if organization.MasterPassword != "" {`
			`if credManager.IsPasswordCorrect(password, organization.MasterPassword, "", organization.PasswordSalt) {`
			`return ""`
			`}`
Add MasterPassword to organization. 2021-11-06 21:14:53 +08:00			`}`

feat: Add bcrypt encrypted password type (#386) * Add loading and countdown status to the verification code sending button * Add bcrypt encrypted password type * Revert "Add loading and countdown status to the verification code sending button" This reverts commit 782b9e229acf2cced9848f137f1b714b0be1df63. * Update bcrypt.go * Update go.sum 2021-12-22 13:56:32 +08:00			`if credManager.IsPasswordCorrect(password, user.Password, user.PasswordSalt, organization.PasswordSalt) {`
Add checkPassword(). 2021-05-03 10:13:32 +08:00			`return ""`
			`}`
fix: improvde code logic (#285) Signed-off-by: sh1luo <690898835@qq.com> 2021-09-04 22:20:47 +08:00			`return "password incorrect"`
Add checkPassword(). 2021-05-03 10:13:32 +08:00			`} else {`
Move passwordType to org. 2021-05-05 23:32:21 +08:00			`return fmt.Sprintf("unsupported password type: %s", organization.PasswordType)`
Add checkPassword(). 2021-05-03 10:13:32 +08:00			`}`
			`}`

feat: support checking password through ldap server (#354) Signed-off-by: Товарищ программист <2962928213@qq.com> 2021-12-10 22:45:01 +08:00			`func checkLdapUserPassword(user User, password string) (User, string) {`
			`ldaps := GetLdaps(user.Owner)`
			`ldapLoginSuccess := false`
			`for _, ldapServer := range ldaps {`
			`conn, err := GetLdapConn(ldapServer.Host, ldapServer.Port, ldapServer.Admin, ldapServer.Passwd)`
			`if err != nil {`
			`continue`
			`}`
			`SearchFilter := fmt.Sprintf("(&(objectClass=posixAccount)(uid=%s))", user.Name)`
			`searchReq := goldap.NewSearchRequest(ldapServer.BaseDn,`
			`goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,`
			`SearchFilter, []string{}, nil)`
			`searchResult, err := conn.Conn.Search(searchReq)`
			`if err != nil {`
			`return nil, err.Error()`
			`}`

			`if len(searchResult.Entries) == 0 {`
			`continue`
			`} else if len(searchResult.Entries) > 1 {`
			`return nil, "Error: multiple accounts with same uid, please check your ldap server"`
			`}`

			`dn := searchResult.Entries[0].DN`
			`if err := conn.Conn.Bind(dn, password); err == nil {`
			`ldapLoginSuccess = true`
			`break`
			`}`
			`}`

			`if !ldapLoginSuccess {`
			`return nil, "ldap user name or password incorrect"`
			`}`
			`return user, ""`
			`}`

Add CheckUserPassword() API. 2021-08-15 21:57:36 +08:00			`func CheckUserPassword(organization string, username string, password string) (*User, string) {`
Support Email and phone login. 2021-05-01 20:23:20 +08:00			`user := GetUserByFields(organization, username)`
Add user soft deletion. 2021-11-06 15:52:03 +08:00			`if user == nil \|\| user.IsDeleted == true {`
Support Email and phone login. 2021-05-01 20:23:20 +08:00			`return nil, "the user does not exist, please sign up first"`
Add account APIs. 2021-02-11 22:56:08 +08:00			`}`

Move passwordType to org. 2021-05-05 23:32:21 +08:00			`if user.IsForbidden {`
			`return nil, "the user is forbidden to sign in, please contact the administrator"`
			`}`

fix: adjust the password check logic for ldap user (#597) * fix: the password check logic for ldap user. LDAP user should only use the ldap connection to check the password. * fix: code format 2022-03-28 17:19:58 +08:00			`if user.Ldap != "" {`
			`//ONLY for ldap users`
			`return checkLdapUserPassword(user, password)`
			`} else {`
			`msg := CheckPassword(user, password)`
			`if msg != "" {`
			`return nil, msg`
feat: support master password for ldap user (#561) Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-03-12 21:06:38 +08:00			`}`
Add account APIs. 2021-02-11 22:56:08 +08:00			`}`
Improve CheckUserLogin(). 2021-05-01 19:45:40 +08:00			`return user, ""`
Add account APIs. 2021-02-11 22:56:08 +08:00			`}`
fix: fix the SQL injection vulnerability in field filter (#442) Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-01-26 19:36:36 +08:00
			`func filterField(field string) bool {`
			`return reFieldWhiteList.MatchString(field)`
Update license headers. 2022-02-13 23:39:27 +08:00			`}`
feat: add isProfilePublic setting for accessing user info (#656) * feat: add isProfilePublic setting for accessing user info Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: requested changes Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-04-16 15:10:03 +08:00
			`func CheckUserPermission(requestUserId, userId string, strict bool) (bool, error) {`
			`if requestUserId == "" {`
			`return false, fmt.Errorf("please login first")`
			`}`

			`targetUser := GetUser(userId)`
			`if targetUser == nil {`
			`return false, fmt.Errorf("the user: %s doesn't exist", userId)`
			`}`

			`hasPermission := false`
			`if strings.HasPrefix(requestUserId, "app/") {`
			`hasPermission = true`
			`} else {`
			`requestUser := GetUser(requestUserId)`
			`if requestUser == nil {`
			`return false, fmt.Errorf("session outdated, please login again")`
			`}`
			`if requestUser.IsGlobalAdmin {`
			`hasPermission = true`
			`} else if requestUserId == userId {`
			`hasPermission = true`
			`} else if targetUser.Owner == requestUser.Owner {`
			`if strict {`
			`hasPermission = requestUser.IsAdmin`
			`} else {`
			`hasPermission = true`
			`}`
			`}`
			`}`

			`return hasPermission, fmt.Errorf("you don't have the permission to do this")`
feat: implement access control using casbin (#806) * feat: implement access control using casbin Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * chore: sort imports Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: remove Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * Update auth.go Co-authored-by: Gucheng <85475922+nomeguy@users.noreply.github.com> 2022-07-13 00:34:35 +08:00			`}`

			`func CheckPermission(userId string, application *Application) (bool, error) {`
			`permissions := GetPermissions(application.Organization)`
			`allow := true`
			`var err error`
			`for _, permission := range permissions {`
			`if permission.IsEnabled {`
			`for _, resource := range permission.Resources {`
			`if resource == application.Name {`
			`enforcer := getEnforcer(permission)`
			`allow, err = enforcer.Enforce(userId, application.Name, "read")`
			`}`
			`}`
			`}`
			`}`
			`return allow, err`
feat: add isProfilePublic setting for accessing user info (#656) * feat: add isProfilePublic setting for accessing user info Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: requested changes Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> 2022-04-16 15:10:03 +08:00			`}`