meta/lib/recycledcloud/accounts/user.ex
2021-01-08 14:41:37 +01:00

267 lines
7.8 KiB
Elixir

defmodule RecycledCloud.Accounts.User do
use Ecto.Schema
import Ecto.Changeset
require Logger
alias RecycledCloud.{LDAP,Accounts}
alias RecycledCloud.Accounts.User
alias RecycledCloud.Repo
@min_password_lenght 6
@max_password_lenght 80
@derive {Inspect, except: [:password]}
schema "users" do
field :username, :string
field :password, :string, virtual: true
field :dn, :string, virtual: true
field :email, :string, virtual: true
field :confirmed_at, :naive_datetime
has_many :keys, Accounts.Key
timestamps()
end
# Note: the returned LDAP values usually are lists of charlist (e.g. `%{'uid'
# => ['myusername']}`).
defp get_ldap_attributes(%User{username: uid}), do: get_ldap_attributes(uid)
defp get_ldap_attributes(uid) do
query = fn ldap_conn -> LDAP.search(ldap_conn, :uid, uid) end
case query |> LDAP.execute do
{:ok, []} -> {:error, "could not find matching object"}
{:ok, [entry]} -> {:ok, entry}
{:ok, [_entry|_]} -> {:error, "found more than one object with uid #{uid}"}
{:error, err} -> {:error, inspect(err)}
end
end
def maybe_populate_ldap_attributes(user) do
# TODO: could be useful to cache this data somehow, perhaps in an ETS
# table? We query the LDAP server every time we try to fetch an user's
# data at the moment, which is inefficient.
case get_ldap_attributes(user) do
{:ok, %{:mail => [raw_email], :dn => raw_dn}} ->
email = List.to_string(raw_email)
dn = List.to_string(raw_dn)
user |> Map.put(:email, email) |> Map.put(:dn, dn)
{:ok, _} ->
Logger.warn("Malformed LDAP user object")
user
{:error, err} ->
Logger.warn("Error querying LDAP backend: #{err}")
user
end
end
defp get_last_ldap_uid() do
query = fn ldap_conn ->
LDAP.search(ldap_conn, :objectClass, 'posixAccount')
end
case query |> LDAP.execute do
{:ok, entries} ->
uids = Enum.map(entries, fn entry ->
entry.uidNumber |> Enum.at(0) |> List.to_integer
end)
{:ok, uids |> Enum.max()}
{:error, err} -> {:error, err}
end
end
defp create_ldap_user(%User{} = user) do
# TODO: read dn template from conf, gid_number
conf = Application.get_env(:recycledcloud, :ldap)
basetree = conf |> Keyword.get(:base_dn)
default_group_gid = conf |> Keyword.get(:default_group_gid, 1000)
dn = ("uid=" <> user.username <> ",ou=Users," <> basetree) |> String.to_charlist
{:ok, last_uid_number} = get_last_ldap_uid()
uid_number = last_uid_number + 1
gid_number = default_group_gid
ldif = [
{'uid', [user.username]},
{'cn', [user.username]},
{'givenName', [user.username]},
{'sn', [user.username]},
{'mail', [user.email]},
{'objectClass', ["inetOrgPerson", "posixAccount", "shadowAccount"]},
{'homeDirectory', ["/home/#{user.username}"]},
{'loginShell', ["/bin/bash"]},
{'userPassword', ["/bin/bash"]},
{'uidNumber', [Integer.to_string(uid_number)]},
{'gidNumber', [Integer.to_string(gid_number)]}
]
query = fn ldap_conn ->
case :eldap.add(ldap_conn, dn, ldif) do
:ok ->
:eldap.modify_password(ldap_conn, dn, to_charlist(user.password))
err -> err
end
end
query |> LDAP.execute
end
def register(%User{} = user) do
case create_ldap_user(user) do
:ok -> {:ok, get_by_username(user.username)}
err -> err
end
end
def get_by_username(username) when is_binary(username) do
local_user = Repo.get_by(User, username: username)
if local_user do
local_user |> User.maybe_populate_ldap_attributes()
else
case get_ldap_attributes(username) do
{:ok, %{:uid => [raw_uid], :mail => [raw_email], :dn => raw_dn}} ->
uid = List.to_string(raw_uid)
email = List.to_string(raw_email)
dn = List.to_string(raw_dn)
case Accounts.insert_user(%{username: uid, email: email, dn: dn}) do
{:ok, user} ->
user
{:error, err} ->
Logger.warn("Something went wrong importing user from LDAP: #{inspect(err)}")
nil
end
{:error, err} ->
Logger.warn("Error querying LDAP backend: #{err}")
nil
end
end
end
def get!(id) do
Repo.get!(User, id) |> User.maybe_populate_ldap_attributes()
end
@doc """
A user changeset for registration.
It is important to validate the length of both email and password.
Otherwise databases may truncate the email without warnings, which
could lead to unpredictable or insecure behaviour. Long passwords may
also be very expensive to hash for certain algorithms.
"""
def registration_changeset(user, attrs) do
user
|> insertion_changeset(attrs)
|> validate_password()
end
def insertion_changeset(user, attrs) do
user
|> cast(attrs, [:username, :password, :email, :dn])
|> validate_email()
end
defp validate_email(changeset) do
changeset
|> validate_required([:email])
|> validate_format(:email, ~r/^[^\s]+@[^\s]+$/, message: "must have the @ sign and no spaces")
|> validate_length(:email, max: 160)
end
defp validate_password(changeset) do
changeset
|> validate_required([:password])
|> validate_length( :password, min: @min_password_lenght, max: @max_password_lenght)
#|> validate_format(:password, ~r/[a-z]/, message: "at least one lower case character")
#|> validate_format(:password, ~r/[A-Z]/, message: "at least one upper case character")
#|> validate_format(:password, ~r/[!?@#$%^&*_0-9]/, message: "at least one digit or punctuation character")
end
@doc """
A user changeset for changing the email.
It requires the email to change otherwise an error is added.
"""
def email_changeset(user, attrs) do
user
|> cast(attrs, [:email])
|> validate_email()
|> case do
%{changes: %{email: _}} = changeset -> changeset
%{} = changeset -> add_error(changeset, :email, "did not change")
end
end
@doc """
A user changeset for changing the password.
"""
def password_changeset(user, attrs) do
user
|> cast(attrs, [:password])
|> validate_confirmation(:password, message: "does not match password")
|> validate_password()
end
@doc """
Confirms the account by setting `confirmed_at`.
"""
def confirm_changeset(user) do
now = NaiveDateTime.utc_now() |> NaiveDateTime.truncate(:second)
change(user, confirmed_at: now)
end
@doc """
Verifies the password.
"""
def valid_password?(%User{} = user, password)
when byte_size(password) > 0 do
query = fn ldap_conn ->
:eldap.simple_bind(ldap_conn, user.dn, password)
end
case query |> LDAP.execute_single do
:ok -> true
{:error, _} -> false
end
end
def valid_password?(_, _) do
false
end
@doc """
Validates the current password otherwise adds an error to the changeset.
"""
def validate_current_password(changeset, password) do
if valid_password?(changeset.data, password) do
changeset
else
add_error(changeset, :current_password, "is not valid")
end
end
def set_password(%User{dn: nil} = _user, _), do: {:error, "User DN must be set"}
def set_password(_, nil), do: {:error, "Password cannot be nil"}
def set_password(%User{dn: dn} = _user, new_password) when
byte_size(new_password) > 0do
query = fn ldap_conn ->
:eldap.modify_password(
ldap_conn,
to_charlist(dn),
to_charlist(new_password)
)
end
query |> LDAP.execute
end
def set_email(user, email) do
ldif = :eldap.mod_replace('mail', [email |> String.to_charlist])
query = fn ldap_conn ->
:eldap.modify(ldap_conn, String.to_charlist(user.dn), [ldif])
end
query |> LDAP.execute
end
end