auto create account, sync ldap disabled flag

assets/tpl/admin_index.html

@@ -150,16 +150,17 @@
                                                     <ul>
                                                         <li>Firstname: {{$p.LdapUser.Firstname}}</li>
                                                         <li>Lastname: {{$p.LdapUser.Lastname}}</li>
-                                                        <li>Phone: {{$p.UID}}</li>
+                                                        <li>Phone: {{index $p.LdapUser.RawLdapData.Attributes "telephoneNumber"}}</li>
                                                         <li>Mail: {{$p.LdapUser.Mail}}</li>
-                                                        <li>Department: {{$p.UID}}</li>
+                                                        <li>Department: {{index $p.LdapUser.RawLdapData.Attributes "department"}}</li>
                                                     </ul>
                                                 {{end}}
-                                                <h4>Traffic</h4>
+                                                <h4>Connection / Traffic</h4>
                                                 {{if not $p.Peer}}
                                                     <p>No Traffic data available...</p>
                                                 {{else}}
-                                                    <p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas fa-long-arrow-alt-down"></i></i> {{formatBytes $p.Peer.ReceiveBytes}} / <i class="fas fa-long-arrow-alt-up"></i> {{formatBytes $p.Peer.TransmitBytes}}{{end}}</p>
+                                                    <p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas network-wired" title="Last Endpoint"></i> {{formatBytes $p.Peer.Endpoint}}{{end}}</p>
+                                                    <p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas fa-long-arrow-alt-down"></i> {{formatBytes $p.Peer.ReceiveBytes}} / <i class="fas fa-long-arrow-alt-up"></i> {{formatBytes $p.Peer.TransmitBytes}}{{end}}</p>
                                                 {{end}}
                                             </div>
                                             <div id="t2{{$p.UID}}" class="tab-pane fade">

internal/common/configuration.go

@@ -63,6 +63,8 @@ type Config struct {
 		AdminPassword          string `yaml:"adminPass" envconfig:"ADMIN_PASS"`
 		DatabasePath           string `yaml:"database" envconfig:"DATABASE_PATH"`
 		EditableKeys           bool   `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
+		CreateInterfaceOnLogin bool   `yaml:"createOnLogin" envconfig:"CREATE_INTERFACE_ON_LOGIN"`
+		SyncLdapStatus         bool   `yaml:"syncLdapStatus" envconfig:"SYNC_LDAP_STATUS"` // disable account if disabled in ldap
 	} `yaml:"core"`
 	Email          MailConfig       `yaml:"email"`
 	LDAP           ldap.Config      `yaml:"ldap"`

internal/ldap/authentication.go

@@ -63,7 +63,7 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri
 		a.Cfg.BaseDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
 		fmt.Sprintf("(&(objectClass=organizationalPerson)(%s=%s))", userIdentifier, username),
-		[]string{"dn"},
+		[]string{"dn", "userAccountControl"},
 		nil,
 	)
 
@@ -78,6 +78,12 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri
 
 	userDN := sr.Entries[0].DN
 
+	// Check if user is disabled, if so deny login
+	uac := sr.Entries[0].GetAttributeValue("userAccountControl")
+	if uac != "" && IsLdapUserDisabled(uac) {
+		return false
+	}
+
 	// Bind as the user to verify their password
 	err = client.Bind(userDN, password)
 	if err != nil {

internal/ldap/usercache.go

@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -214,7 +215,7 @@ func NewUserCache(config Config, store UserCacheHolder) *UserCache {
 	}
 
 	log.Infof("Filling user cache...")
-	err := uc.Update(true)
+	err := uc.Update(true, true)
 	log.Infof("User cache filled!")
 	uc.LastError = err
 
@@ -250,7 +251,7 @@ func (u UserCache) close(conn *ldap.Conn) {
 }
 
 // Update updates the user cache in background, minimal locking will happen
-func (u *UserCache) Update(filter bool) error {
+func (u *UserCache) Update(filter, withDisabledUsers bool) error {
 	log.Debugf("Updating ldap cache...")
 	client, err := u.open()
 	if err != nil {
@@ -290,8 +291,8 @@ func (u *UserCache) Update(filter bool) error {
 				continue // prefilter...
 			}
 
-			if userAccountControl == "" || userAccountControl == "514" {
+			if !withDisabledUsers && userAccountControl != "" && IsLdapUserDisabled(userAccountControl) {
-				continue // 514 means account is disabled
+				continue
 			}
 
 			if entry.DN != dn {
@@ -323,3 +324,15 @@ func (u *UserCache) Update(filter bool) error {
 
 	return nil
 }
+
+func IsLdapUserDisabled(userAccountControl string) bool {
+	uacInt, err := strconv.Atoi(userAccountControl)
+	if err != nil {
+		return true
+	}
+	if int32(uacInt)&0x2 != 0 {
+		return true // bit 2 set means account is disabled
+	}
+
+	return false
+}

internal/server/core.go

@@ -157,7 +157,7 @@ func (s *Server) Run() {
 		go func(s *Server) {
 			for {
 				time.Sleep(CacheRefreshDuration)
-				if err := s.ldapCacheUpdater.Update(true); err != nil {
+				if err := s.ldapCacheUpdater.Update(true, true); err != nil {
 					log.Warnf("Failed to update ldap group cache: %v", err)
 				}
 				log.Debugf("Refreshed LDAP permissions!")
@@ -165,6 +165,18 @@ func (s *Server) Run() {
 		}(s)
 	}
 
+	if !s.ldapDisabled && s.config.Core.SyncLdapStatus {
+		go func(s *Server) {
+			for {
+				time.Sleep(CacheRefreshDuration)
+				if err := s.SyncLdapAttributesWithWireGuard(); err != nil {
+					log.Warnf("Failed to synchronize ldap attributes: %v", err)
+				}
+				log.Debugf("Synced LDAP attributes!")
+			}
+		}(s)
+	}
+
 	// Run web service
 	err := s.server.Run(s.config.Core.ListeningAddress)
 	if err != nil {

internal/server/handlers_auth.go

@@ -4,6 +4,8 @@ import (
 	"net/http"
 	"strings"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/gin-gonic/gin"
 )
 
@@ -95,6 +97,21 @@ func (s *Server) PostLogin(c *gin.Context) {
 		}
 	}
 
+	// Check if user already has a peer setup, if not create one
+	if s.config.Core.CreateInterfaceOnLogin && !adminAuthenticated {
+		users := s.users.GetUsersByMail(sessionData.Email)
+
+		if len(users) == 0 { // Create vpn peer
+			err := s.CreateUser(User{
+				Identifier: sessionData.Firstname + " " + sessionData.Lastname + " (Default)",
+				Email:      sessionData.Email,
+				CreatedBy:  sessionData.Email,
+				UpdatedBy:  sessionData.Email,
+			})
+			log.Errorf("Failed to automatically create vpn peer for %s: %v", sessionData.Email, err)
+		}
+	}
+
 	if err := s.updateSessionData(c, sessionData); err != nil {
 		s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to save session")
 		return

internal/server/ldapsync.go

@@ -0,0 +1,34 @@
+package server
+
+import (
+	"time"
+
+	"github.com/h44z/wg-portal/internal/ldap"
+	log "github.com/sirupsen/logrus"
+)
+
+// SyncLdapAttributesWithWireGuard starts to synchronize the "disabled" attribute from ldap.
+// Users will be automatically disabled once they are disabled in ldap.
+// This method is blocking.
+func (s *Server) SyncLdapAttributesWithWireGuard() error {
+	allUsers := s.users.GetAllUsers()
+	for i := range allUsers {
+		user := allUsers[i]
+		if user.LdapUser == nil {
+			continue // skip non ldap users
+		}
+
+		if user.DeactivatedAt != nil {
+			continue // skip already disabled interfaces
+		}
+
+		if ldap.IsLdapUserDisabled(allUsers[i].LdapUser.Attributes["userAccountControl"]) {
+			now := time.Now()
+			user.DeactivatedAt = &now
+			if err := s.UpdateUser(user, now); err != nil {
+				log.Errorf("Failed to disable user %s: %v", user.Email, err)
+			}
+		}
+	}
+	return nil
+}

internal/wireguard/template.go

@@ -10,7 +10,8 @@ DNS = {{ .Server.DNSStr }}
 {{- end}}
 {{- if ne .Server.Mtu 0 -}}
 MTU = {{.Server.Mtu}}
-{{- end -}}
+{{- end}}
+
 [Peer]
 PublicKey = {{ .Server.PublicKey }}
 {{- if .Client.PresharedKey -}}