meta/lib/recycledcloud/accounts/user.ex

205 lines
6.0 KiB
Elixir

defmodule RecycledCloud.Accounts.User do
use Ecto.Schema
import Ecto.Changeset
require Logger
require Exldap
alias RecycledCloud.{LDAP,Accounts}
alias RecycledCloud.Accounts.User
alias RecycledCloud.Repo
@derive {Inspect, except: [:password]}
schema "users" do
field :username, :string
field :password, :string, virtual: true
field :dn, :string, virtual: true
field :email, :string, virtual: true
field :confirmed_at, :naive_datetime
timestamps()
end
# Note: the returned LDAP values usually are lists of charlist (e.g. `%{'uid'
# => ['myusername']}`).
defp get_ldap_attributes(%User{username: uid}), do: get_ldap_attributes(uid)
defp get_ldap_attributes(uid) do
query = fn ldap_conn -> Exldap.search_field(ldap_conn, :uid, uid) end
case query |> LDAP.execute do
{:ok, []} -> {:error, "could not find matching object"}
{:ok, [entry]} ->
attrs = entry
|> Map.get(:attributes)
|> Enum.into(%{})
|> Map.put('dn', entry.object_name)
{:ok, attrs}
{:ok, [entry|_]} -> {:error, "found more than one object with uid #{uid}"}
{:error, err} -> {:error, inspect(err)}
end
end
def maybe_populate_ldap_attributes(user) do
# TODO: could be useful to cache this data somehow, perhaps in an ETS
# table? We query the LDAP server every time we try to fetch an user's
# data at the moment, which is inefficient.
case get_ldap_attributes(user) do
{:ok, %{'mail' => [raw_email], 'dn' => raw_dn}} ->
email = List.to_string(raw_email)
dn = List.to_string(raw_dn)
user |> Map.put(:email, email) |> Map.put(:dn, dn)
{:ok, _} ->
Logger.warn("Malformed LDAP user object")
user
{:error, err} ->
Logger.warn("Error querying LDAP backend: #{err}")
user
end
end
def get_by_username(username) when is_binary(username) do
local_user = Repo.get_by(User, username: username)
if local_user do
local_user |> User.maybe_populate_ldap_attributes()
else
case get_ldap_attributes(username) do
{:ok, %{'uid' => [raw_uid], 'mail' => [raw_email], 'dn' => raw_dn}} ->
uid = List.to_string(raw_uid)
email = List.to_string(raw_email)
dn = List.to_string(raw_dn)
case Accounts.register_user(%{username: uid, email: email, dn: dn}) do
{:ok, user} ->
user
{:error, err} ->
Logger.warn("Something went wrong importing user from LDAP: #{inspect(err)}")
nil
end
{:error, err} ->
Logger.warn("Error querying LDAP backend: #{err}")
nil
end
end
end
def get!(id) do
Repo.get!(User, id) |> User.maybe_populate_ldap_attributes()
end
@doc """
A user changeset for registration.
It is important to validate the length of both email and password.
Otherwise databases may truncate the email without warnings, which
could lead to unpredictable or insecure behaviour. Long passwords may
also be very expensive to hash for certain algorithms.
"""
def registration_changeset(user, attrs) do
user
|> cast(attrs, [:username, :password, :email, :dn])
|> validate_email()
end
defp validate_email(changeset) do
changeset
|> validate_required([:email])
|> validate_format(:email, ~r/^[^\s]+@[^\s]+$/, message: "must have the @ sign and no spaces")
|> validate_length(:email, max: 160)
end
defp validate_password(changeset) do
changeset
|> validate_required([:password])
|> validate_length(:password, min: 6, max: 80)
#|> validate_format(:password, ~r/[a-z]/, message: "at least one lower case character")
#|> validate_format(:password, ~r/[A-Z]/, message: "at least one upper case character")
#|> validate_format(:password, ~r/[!?@#$%^&*_0-9]/, message: "at least one digit or punctuation character")
end
@doc """
A user changeset for changing the email.
It requires the email to change otherwise an error is added.
"""
def email_changeset(user, attrs) do
user
|> cast(attrs, [:email])
|> validate_email()
|> case do
%{changes: %{email: _}} = changeset -> changeset
%{} = changeset -> add_error(changeset, :email, "did not change")
end
end
@doc """
A user changeset for changing the password.
"""
def password_changeset(user, attrs) do
user
|> cast(attrs, [:password])
|> validate_confirmation(:password, message: "does not match password")
|> validate_password()
end
@doc """
Confirms the account by setting `confirmed_at`.
"""
def confirm_changeset(user) do
now = NaiveDateTime.utc_now() |> NaiveDateTime.truncate(:second)
change(user, confirmed_at: now)
end
@doc """
Verifies the password.
"""
def valid_password?(user = %User{username: uid}, password)
when byte_size(password) > 0 do
query = fn ldap_conn ->
Exldap.verify_credentials(ldap_conn, user.dn, password)
end
case query |> LDAP.execute_single do
:ok -> true
{:error, _} -> false
end
end
def valid_password?(_, _) do
false
end
@doc """
Validates the current password otherwise adds an error to the changeset.
"""
def validate_current_password(changeset, password) do
if valid_password?(changeset.data, password) do
changeset
else
add_error(changeset, :current_password, "is not valid")
end
end
def set_password(user, new_password) do
# Exldap does not properly implement `change_password`, hence we have to
# fallback on erlang's `:eldap`.
# See http://erlang.org/doc/man/eldap.html#modify-4
query = fn ldap_conn ->
:eldap.modify_password(
ldap_conn,
String.to_charlist(user.dn),
String.to_charlist(new_password)
)
end
query |> LDAP.execute_single
end
def set_email(user, email) do
ldif = :eldap.mod_replace('mail', [email |> String.to_charlist])
query = fn ldap_conn ->
:eldap.modify(ldap_conn, String.to_charlist(user.dn), [ldif])
end
query |> LDAP.execute_single
end
end