defmodule Meta.Accounts.User do use Ecto.Schema import Ecto.Changeset require Logger alias Meta.{LDAP,Accounts} alias Meta.Accounts.User alias Meta.Repo @min_password_lenght 6 @max_password_lenght 80 @derive {Inspect, except: [:password]} schema "users" do field :username, :string field :password, :string, virtual: true field :dn, :string, virtual: true field :email, :string, virtual: true field :confirmed_at, :naive_datetime field :partner_id, :integer field :captcha, :integer, virtual: :true has_many :keys, Accounts.Key timestamps() end # Note: the returned LDAP values usually are lists of charlist (e.g. `%{'uid' # => ['myusername']}`). defp get_ldap_attributes(%User{username: uid}), do: get_ldap_attributes(uid) defp get_ldap_attributes(uid) do query = fn ldap_conn -> LDAP.search(ldap_conn, :uid, uid) end case query |> LDAP.execute do {:ok, []} -> {:error, "could not find matching object"} {:ok, [entry]} -> {:ok, entry} {:ok, [_entry|_]} -> {:error, "found more than one object with uid #{uid}"} {:error, err} -> {:error, inspect(err)} end end def maybe_populate_ldap_attributes(user) do # TODO: could be useful to cache this data somehow, perhaps in an ETS # table? We query the LDAP server every time we try to fetch an user's # data at the moment, which is inefficient. case get_ldap_attributes(user) do {:ok, %{:mail => [raw_email], :dn => raw_dn}} -> email = List.to_string(raw_email) dn = List.to_string(raw_dn) user |> Map.put(:email, email) |> Map.put(:dn, dn) {:ok, _} -> Logger.warn("Malformed LDAP user object") user {:error, err} -> Logger.warn("Error querying LDAP backend: #{err}") user end end defp get_last_ldap_uid() do query = fn ldap_conn -> LDAP.search(ldap_conn, :objectClass, 'posixAccount') end case query |> LDAP.execute do {:ok, entries} -> uids = Enum.map(entries, fn entry -> entry.uidNumber |> Enum.at(0) |> List.to_integer end) {:ok, uids |> Enum.max()} {:error, err} -> {:error, err} end end defp create_ldap_user(%User{} = user) do # TODO: read dn template from conf, gid_number conf = Application.get_env(:meta, :ldap) basetree = conf |> Keyword.get(:base_dn) default_group_gid = conf |> Keyword.get(:default_group_gid, 1000) dn = ("uid=" <> user.username <> ",ou=Users," <> basetree) |> String.to_charlist {:ok, last_uid_number} = get_last_ldap_uid() uid_number = last_uid_number + 1 gid_number = default_group_gid ldif = [ {'uid', [user.username]}, {'cn', [user.username]}, {'givenName', [user.username]}, {'sn', [user.username]}, {'mail', [user.email]}, {'objectClass', ["inetOrgPerson", "posixAccount", "shadowAccount"]}, {'homeDirectory', ["/home/#{user.username}"]}, {'loginShell', ["/bin/bash"]}, {'userPassword', ["/bin/bash"]}, {'uidNumber', [Integer.to_string(uid_number)]}, {'gidNumber', [Integer.to_string(gid_number)]} ] query = fn ldap_conn -> case :eldap.add(ldap_conn, dn, ldif) do :ok -> :eldap.modify_password(ldap_conn, dn, to_charlist(user.password)) err -> err end end query |> LDAP.execute end def register(%User{} = user) do case create_ldap_user(user) do :ok -> {:ok, get_by_username(user.username)} err -> err end end def get_by_username(username) when is_binary(username) do local_user = Repo.get_by(User, username: username) if local_user do local_user |> User.maybe_populate_ldap_attributes() else case get_ldap_attributes(username) do {:ok, %{:uid => [raw_uid], :mail => [raw_email], :dn => raw_dn}} -> uid = List.to_string(raw_uid) email = List.to_string(raw_email) dn = List.to_string(raw_dn) case Accounts.insert_user(%{username: uid, email: email, dn: dn}) do {:ok, user} -> user {:error, err} -> Logger.warn("Something went wrong importing user from LDAP: #{inspect(err)}") nil end {:error, err} -> Logger.warn("Error querying LDAP backend: #{err}") nil end end end def get!(id) do Repo.get!(User, id) |> User.maybe_populate_ldap_attributes() end @doc """ A user changeset for registration. It is important to validate the length of both email and password. Otherwise databases may truncate the email without warnings, which could lead to unpredictable or insecure behaviour. Long passwords may also be very expensive to hash for certain algorithms. """ def registration_changeset(user, attrs) do expected_captcha_result = attrs |> Map.get("expected_captcha") user |> cast(attrs, [:username, :password, :email, :dn, :captcha]) |> Meta.Captcha.validate(expected_captcha_result) |> validate_username() |> validate_email() |> validate_password() end def insertion_changeset(user, attrs) do user |> cast(attrs, [:username, :password, :email, :dn]) |> validate_email() |> validate_username() end defp validate_email(changeset) do changeset |> validate_required([:email]) |> validate_format(:email, ~r/^[^\s]+@[^\s]+$/, message: "must have the @ sign and no spaces") |> validate_length(:email, max: 160) end defp validate_password(changeset) do changeset |> validate_required([:password]) |> validate_length( :password, min: @min_password_lenght, max: @max_password_lenght) #|> validate_format(:password, ~r/[a-z]/, message: "at least one lower case character") #|> validate_format(:password, ~r/[A-Z]/, message: "at least one upper case character") #|> validate_format(:password, ~r/[!?@#$%^&*_0-9]/, message: "at least one digit or punctuation character") end defp validate_username(changeset) do check_blacklist = fn changeset -> username = get_field(changeset, :username) if TheBigUsernameBlacklist.valid?(username) do changeset else add_error(changeset, :username, "This username is blacklisted, you cannot use it.") end end changeset |> validate_required([:username]) |> check_blacklist.() end @doc """ A user changeset for changing the email. It requires the email to change otherwise an error is added. """ def email_changeset(user, attrs) do user |> cast(attrs, [:email]) |> validate_email() |> case do %{changes: %{email: _}} = changeset -> changeset %{} = changeset -> add_error(changeset, :email, "did not change") end end @doc """ A user changeset for changing the password. """ def password_changeset(user, attrs) do user |> cast(attrs, [:password]) |> validate_confirmation(:password, message: "does not match password") |> validate_password() end @doc """ Confirms the account by setting `confirmed_at`. """ def confirm_changeset(user) do now = NaiveDateTime.utc_now() |> NaiveDateTime.truncate(:second) change(user, confirmed_at: now) end @doc """ Verifies the password. """ def valid_password?(%User{} = user, password) when byte_size(password) > 0 do query = fn ldap_conn -> :eldap.simple_bind(ldap_conn, user.dn, password) end case query |> LDAP.execute_single do :ok -> true {:error, _} -> false end end def valid_password?(_, _) do false end @doc """ Validates the current password otherwise adds an error to the changeset. """ def validate_current_password(changeset, password) do if valid_password?(changeset.data, password) do changeset else add_error(changeset, :current_password, "is not valid") end end def set_password(%User{dn: nil} = _user, _), do: {:error, "User DN must be set"} def set_password(_, nil), do: {:error, "Password cannot be nil"} def set_password(%User{dn: dn} = _user, new_password) when byte_size(new_password) > 0do query = fn ldap_conn -> :eldap.modify_password( ldap_conn, to_charlist(dn), to_charlist(new_password) ) end query |> LDAP.execute end def set_email(user, email) do ldif = :eldap.mod_replace('mail', [email |> String.to_charlist]) query = fn ldap_conn -> :eldap.modify(ldap_conn, String.to_charlist(user.dn), [ldif]) end query |> LDAP.execute end end