291 lines
8.5 KiB
Elixir
291 lines
8.5 KiB
Elixir
defmodule RecycledCloud.Accounts.User do
|
|
use Ecto.Schema
|
|
import Ecto.Changeset
|
|
require Logger
|
|
alias RecycledCloud.{LDAP,Accounts}
|
|
alias RecycledCloud.Accounts.User
|
|
alias RecycledCloud.Repo
|
|
|
|
@min_password_lenght 6
|
|
@max_password_lenght 80
|
|
|
|
@derive {Inspect, except: [:password]}
|
|
schema "users" do
|
|
field :username, :string
|
|
field :password, :string, virtual: true
|
|
field :dn, :string, virtual: true
|
|
field :email, :string, virtual: true
|
|
field :confirmed_at, :naive_datetime
|
|
field :partner_id, :integer
|
|
field :captcha, :integer, virtual: :true
|
|
|
|
has_many :keys, Accounts.Key
|
|
|
|
timestamps()
|
|
end
|
|
|
|
# Note: the returned LDAP values usually are lists of charlist (e.g. `%{'uid'
|
|
# => ['myusername']}`).
|
|
defp get_ldap_attributes(%User{username: uid}), do: get_ldap_attributes(uid)
|
|
defp get_ldap_attributes(uid) do
|
|
query = fn ldap_conn -> LDAP.search(ldap_conn, :uid, uid) end
|
|
case query |> LDAP.execute do
|
|
{:ok, []} -> {:error, "could not find matching object"}
|
|
{:ok, [entry]} -> {:ok, entry}
|
|
{:ok, [_entry|_]} -> {:error, "found more than one object with uid #{uid}"}
|
|
{:error, err} -> {:error, inspect(err)}
|
|
end
|
|
end
|
|
|
|
def maybe_populate_ldap_attributes(user) do
|
|
# TODO: could be useful to cache this data somehow, perhaps in an ETS
|
|
# table? We query the LDAP server every time we try to fetch an user's
|
|
# data at the moment, which is inefficient.
|
|
|
|
case get_ldap_attributes(user) do
|
|
{:ok, %{:mail => [raw_email], :dn => raw_dn}} ->
|
|
email = List.to_string(raw_email)
|
|
dn = List.to_string(raw_dn)
|
|
user |> Map.put(:email, email) |> Map.put(:dn, dn)
|
|
{:ok, _} ->
|
|
Logger.warn("Malformed LDAP user object")
|
|
user
|
|
{:error, err} ->
|
|
Logger.warn("Error querying LDAP backend: #{err}")
|
|
user
|
|
end
|
|
end
|
|
|
|
defp get_last_ldap_uid() do
|
|
query = fn ldap_conn ->
|
|
LDAP.search(ldap_conn, :objectClass, 'posixAccount')
|
|
end
|
|
|
|
case query |> LDAP.execute do
|
|
{:ok, entries} ->
|
|
uids = Enum.map(entries, fn entry ->
|
|
entry.uidNumber |> Enum.at(0) |> List.to_integer
|
|
end)
|
|
|
|
{:ok, uids |> Enum.max()}
|
|
{:error, err} -> {:error, err}
|
|
end
|
|
end
|
|
|
|
defp create_ldap_user(%User{} = user) do
|
|
# TODO: read dn template from conf, gid_number
|
|
conf = Application.get_env(:recycledcloud, :ldap)
|
|
basetree = conf |> Keyword.get(:base_dn)
|
|
default_group_gid = conf |> Keyword.get(:default_group_gid, 1000)
|
|
|
|
dn = ("uid=" <> user.username <> ",ou=Users," <> basetree) |> String.to_charlist
|
|
|
|
{:ok, last_uid_number} = get_last_ldap_uid()
|
|
uid_number = last_uid_number + 1
|
|
gid_number = default_group_gid
|
|
|
|
ldif = [
|
|
{'uid', [user.username]},
|
|
{'cn', [user.username]},
|
|
{'givenName', [user.username]},
|
|
{'sn', [user.username]},
|
|
{'mail', [user.email]},
|
|
{'objectClass', ["inetOrgPerson", "posixAccount", "shadowAccount"]},
|
|
{'homeDirectory', ["/home/#{user.username}"]},
|
|
{'loginShell', ["/bin/bash"]},
|
|
{'userPassword', ["/bin/bash"]},
|
|
{'uidNumber', [Integer.to_string(uid_number)]},
|
|
{'gidNumber', [Integer.to_string(gid_number)]}
|
|
]
|
|
|
|
query = fn ldap_conn ->
|
|
case :eldap.add(ldap_conn, dn, ldif) do
|
|
:ok ->
|
|
:eldap.modify_password(ldap_conn, dn, to_charlist(user.password))
|
|
err -> err
|
|
end
|
|
end
|
|
query |> LDAP.execute
|
|
end
|
|
|
|
def register(%User{} = user) do
|
|
case create_ldap_user(user) do
|
|
:ok -> {:ok, get_by_username(user.username)}
|
|
err -> err
|
|
end
|
|
end
|
|
|
|
def get_by_username(username) when is_binary(username) do
|
|
local_user = Repo.get_by(User, username: username)
|
|
if local_user do
|
|
local_user |> User.maybe_populate_ldap_attributes()
|
|
else
|
|
case get_ldap_attributes(username) do
|
|
{:ok, %{:uid => [raw_uid], :mail => [raw_email], :dn => raw_dn}} ->
|
|
uid = List.to_string(raw_uid)
|
|
email = List.to_string(raw_email)
|
|
dn = List.to_string(raw_dn)
|
|
case Accounts.insert_user(%{username: uid, email: email, dn: dn}) do
|
|
{:ok, user} ->
|
|
user
|
|
{:error, err} ->
|
|
Logger.warn("Something went wrong importing user from LDAP: #{inspect(err)}")
|
|
nil
|
|
end
|
|
{:error, err} ->
|
|
Logger.warn("Error querying LDAP backend: #{err}")
|
|
nil
|
|
end
|
|
end
|
|
end
|
|
|
|
def get!(id) do
|
|
Repo.get!(User, id) |> User.maybe_populate_ldap_attributes()
|
|
end
|
|
|
|
@doc """
|
|
A user changeset for registration.
|
|
|
|
It is important to validate the length of both email and password.
|
|
Otherwise databases may truncate the email without warnings, which
|
|
could lead to unpredictable or insecure behaviour. Long passwords may
|
|
also be very expensive to hash for certain algorithms.
|
|
"""
|
|
def registration_changeset(user, attrs) do
|
|
expected_captcha_result = attrs |> Map.get("expected_captcha")
|
|
|
|
user
|
|
|> cast(attrs, [:username, :password, :email, :dn, :captcha])
|
|
|> RecycledCloud.Captcha.validate(expected_captcha_result)
|
|
|> validate_username()
|
|
|> validate_email()
|
|
|> validate_password()
|
|
end
|
|
|
|
def insertion_changeset(user, attrs) do
|
|
user
|
|
|> cast(attrs, [:username, :password, :email, :dn])
|
|
|> validate_email()
|
|
|> validate_username()
|
|
end
|
|
|
|
defp validate_email(changeset) do
|
|
changeset
|
|
|> validate_required([:email])
|
|
|> validate_format(:email, ~r/^[^\s]+@[^\s]+$/, message: "must have the @ sign and no spaces")
|
|
|> validate_length(:email, max: 160)
|
|
end
|
|
|
|
defp validate_password(changeset) do
|
|
changeset
|
|
|> validate_required([:password])
|
|
|> validate_length( :password, min: @min_password_lenght, max: @max_password_lenght)
|
|
#|> validate_format(:password, ~r/[a-z]/, message: "at least one lower case character")
|
|
#|> validate_format(:password, ~r/[A-Z]/, message: "at least one upper case character")
|
|
#|> validate_format(:password, ~r/[!?@#$%^&*_0-9]/, message: "at least one digit or punctuation character")
|
|
end
|
|
|
|
defp validate_username(changeset) do
|
|
check_blacklist = fn changeset ->
|
|
username = get_field(changeset, :username)
|
|
if TheBigUsernameBlacklist.valid?(username) do
|
|
changeset
|
|
else
|
|
add_error(changeset, :username, "This username is blacklisted, you cannot use it.")
|
|
end
|
|
end
|
|
|
|
changeset
|
|
|> validate_required([:username])
|
|
|> check_blacklist.()
|
|
end
|
|
|
|
@doc """
|
|
A user changeset for changing the email.
|
|
|
|
It requires the email to change otherwise an error is added.
|
|
"""
|
|
def email_changeset(user, attrs) do
|
|
user
|
|
|> cast(attrs, [:email])
|
|
|> validate_email()
|
|
|> case do
|
|
%{changes: %{email: _}} = changeset -> changeset
|
|
%{} = changeset -> add_error(changeset, :email, "did not change")
|
|
end
|
|
end
|
|
|
|
@doc """
|
|
A user changeset for changing the password.
|
|
"""
|
|
def password_changeset(user, attrs) do
|
|
user
|
|
|> cast(attrs, [:password])
|
|
|> validate_confirmation(:password, message: "does not match password")
|
|
|> validate_password()
|
|
end
|
|
|
|
@doc """
|
|
Confirms the account by setting `confirmed_at`.
|
|
"""
|
|
def confirm_changeset(user) do
|
|
now = NaiveDateTime.utc_now() |> NaiveDateTime.truncate(:second)
|
|
change(user, confirmed_at: now)
|
|
end
|
|
|
|
@doc """
|
|
Verifies the password.
|
|
"""
|
|
def valid_password?(%User{} = user, password)
|
|
when byte_size(password) > 0 do
|
|
query = fn ldap_conn ->
|
|
:eldap.simple_bind(ldap_conn, user.dn, password)
|
|
end
|
|
|
|
case query |> LDAP.execute_single do
|
|
:ok -> true
|
|
{:error, _} -> false
|
|
end
|
|
end
|
|
|
|
def valid_password?(_, _) do
|
|
false
|
|
end
|
|
|
|
@doc """
|
|
Validates the current password otherwise adds an error to the changeset.
|
|
"""
|
|
def validate_current_password(changeset, password) do
|
|
if valid_password?(changeset.data, password) do
|
|
changeset
|
|
else
|
|
add_error(changeset, :current_password, "is not valid")
|
|
end
|
|
end
|
|
|
|
def set_password(%User{dn: nil} = _user, _), do: {:error, "User DN must be set"}
|
|
def set_password(_, nil), do: {:error, "Password cannot be nil"}
|
|
def set_password(%User{dn: dn} = _user, new_password) when
|
|
byte_size(new_password) > 0do
|
|
query = fn ldap_conn ->
|
|
:eldap.modify_password(
|
|
ldap_conn,
|
|
to_charlist(dn),
|
|
to_charlist(new_password)
|
|
)
|
|
end
|
|
|
|
query |> LDAP.execute
|
|
end
|
|
|
|
def set_email(user, email) do
|
|
ldif = :eldap.mod_replace('mail', [email |> String.to_charlist])
|
|
|
|
query = fn ldap_conn ->
|
|
:eldap.modify(ldap_conn, String.to_charlist(user.dn), [ldif])
|
|
end
|
|
|
|
query |> LDAP.execute
|
|
end
|
|
end
|