hongming
@@ -19,6 +19,7 @@ package iam
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/golang/glog"
|
||||
"kubesphere.io/kubesphere/pkg/params"
|
||||
"net/http"
|
||||
"regexp"
|
||||
@@ -43,22 +44,29 @@ func CreateUser(req *restful.Request, resp *restful.Response) {
|
||||
err := req.ReadEntity(&user)
|
||||
|
||||
if err != nil {
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
if user.Username == "" {
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid username")))
|
||||
err = fmt.Errorf("invalid username: %s", user.Username)
|
||||
glog.Info(err, user.Username)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
if !regexp.MustCompile(emailRegex).MatchString(user.Email) {
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid email")))
|
||||
err = fmt.Errorf("invalid email: %s", user.Email)
|
||||
glog.Info(err, user.Email)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
if len(user.Password) < 6 {
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid password")))
|
||||
err = fmt.Errorf("invalid password")
|
||||
glog.Info(err, user.Password)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
@@ -66,9 +74,11 @@ func CreateUser(req *restful.Request, resp *restful.Response) {
|
||||
|
||||
if err != nil {
|
||||
if ldap.IsErrorWithCode(err, ldap.LDAPResultEntryAlreadyExists) {
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusConflict, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
@@ -82,13 +92,16 @@ func DeleteUser(req *restful.Request, resp *restful.Response) {
|
||||
operator := req.HeaderParameter(constants.UserNameHeader)
|
||||
|
||||
if operator == username {
|
||||
resp.WriteHeaderAndEntity(http.StatusForbidden, errors.Wrap(fmt.Errorf("cannot delete yourself")))
|
||||
err := fmt.Errorf("cannot delete yourself")
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusForbidden, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
err := iam.DeleteUser(username)
|
||||
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
@@ -105,22 +118,29 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
|
||||
err := req.ReadEntity(&user)
|
||||
|
||||
if err != nil {
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
if usernameInPath != user.Username {
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("the name of user (%s) does not match the name on the URL (%s)", user.Username, usernameInPath)))
|
||||
err = fmt.Errorf("the name of user (%s) does not match the name on the URL (%s)", user.Username, usernameInPath)
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
if !regexp.MustCompile(emailRegex).MatchString(user.Email) {
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid email")))
|
||||
err = fmt.Errorf("invalid email: %s", user.Email)
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
if user.Password != "" && len(user.Password) < 6 {
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid password")))
|
||||
err = fmt.Errorf("invalid password")
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
@@ -128,14 +148,17 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
|
||||
if usernameInHeader == user.Username && user.Password != "" {
|
||||
isUserManager, err := isUserManager(usernameInHeader)
|
||||
if err != nil {
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
if !isUserManager {
|
||||
_, err = iam.Login(usernameInHeader, user.CurrentPassword, "")
|
||||
}
|
||||
if err != nil {
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("incorrect current password")))
|
||||
err = fmt.Errorf("incorrect current password")
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
}
|
||||
@@ -143,6 +166,13 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
|
||||
result, err := iam.UpdateUser(&user)
|
||||
|
||||
if err != nil {
|
||||
if ldap.IsErrorWithCode(err, ldap.LDAPResultEntryAlreadyExists) {
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusConflict, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
@@ -166,6 +196,7 @@ func UserLoginLogs(req *restful.Request, resp *restful.Response) {
|
||||
logs, err := iam.LoginLog(username)
|
||||
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
@@ -193,8 +224,10 @@ func DescribeUser(req *restful.Request, resp *restful.Response) {
|
||||
|
||||
if err != nil {
|
||||
if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusNotFound, errors.Wrap(err))
|
||||
} else {
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
}
|
||||
return
|
||||
@@ -203,6 +236,7 @@ func DescribeUser(req *restful.Request, resp *restful.Response) {
|
||||
clusterRole, err := iam.GetUserClusterRole(username)
|
||||
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
@@ -212,6 +246,7 @@ func DescribeUser(req *restful.Request, resp *restful.Response) {
|
||||
clusterRules, err := iam.GetUserClusterSimpleRules(username)
|
||||
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
@@ -234,6 +269,7 @@ func Precheck(req *restful.Request, resp *restful.Response) {
|
||||
exist, err := iam.UserCreateCheck(check)
|
||||
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
@@ -254,6 +290,7 @@ func ListUsers(req *restful.Request, resp *restful.Response) {
|
||||
reverse := params.ParseReverse(req)
|
||||
|
||||
if err != nil {
|
||||
glog.Info(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
@@ -261,6 +298,7 @@ func ListUsers(req *restful.Request, resp *restful.Response) {
|
||||
users, err := iam.ListUsers(conditions, orderBy, reverse, limit, offset)
|
||||
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
|
||||
return
|
||||
}
|
||||
|
||||
@@ -875,6 +875,7 @@ func UpdateUser(user *models.User) (*models.User, error) {
|
||||
conn, err := ldapclient.Client()
|
||||
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -883,6 +884,28 @@ func UpdateUser(user *models.User) (*models.User, error) {
|
||||
dn := fmt.Sprintf("uid=%s,%s", user.Username, ldapclient.UserSearchBase)
|
||||
userModifyRequest := ldap.NewModifyRequest(dn, nil)
|
||||
if user.Email != "" {
|
||||
userSearchRequest := ldap.NewSearchRequest(
|
||||
ldapclient.UserSearchBase,
|
||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||
fmt.Sprintf("(&(objectClass=inetOrgPerson)(mail=%s))", user.Email),
|
||||
[]string{"uid", "mail"},
|
||||
nil,
|
||||
)
|
||||
result, err := conn.Search(userSearchRequest)
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
if len(result.Entries) > 1 {
|
||||
err = ldap.NewError(ldap.ErrorDebugging, fmt.Errorf("email is duplicated: %s", user.Email))
|
||||
glog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
if len(result.Entries) == 1 && result.Entries[0].GetAttributeValue("uid") != user.Username {
|
||||
err = ldap.NewError(ldap.LDAPResultEntryAlreadyExists, fmt.Errorf("email is duplicated: %s", user.Email))
|
||||
glog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
userModifyRequest.Replace("mail", []string{user.Email})
|
||||
}
|
||||
if user.Description != "" {
|
||||
@@ -902,12 +925,14 @@ func UpdateUser(user *models.User) (*models.User, error) {
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = conn.Modify(userModifyRequest)
|
||||
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user