mirror of
https://github.com/DJSundog/wg-portal.git
synced 2024-11-23 07:03:50 -05:00
auto create account, sync ldap disabled flag
This commit is contained in:
parent
1dee239f4f
commit
7b651da1d7
@ -150,16 +150,17 @@
|
|||||||
<ul>
|
<ul>
|
||||||
<li>Firstname: {{$p.LdapUser.Firstname}}</li>
|
<li>Firstname: {{$p.LdapUser.Firstname}}</li>
|
||||||
<li>Lastname: {{$p.LdapUser.Lastname}}</li>
|
<li>Lastname: {{$p.LdapUser.Lastname}}</li>
|
||||||
<li>Phone: {{$p.UID}}</li>
|
<li>Phone: {{index $p.LdapUser.RawLdapData.Attributes "telephoneNumber"}}</li>
|
||||||
<li>Mail: {{$p.LdapUser.Mail}}</li>
|
<li>Mail: {{$p.LdapUser.Mail}}</li>
|
||||||
<li>Department: {{$p.UID}}</li>
|
<li>Department: {{index $p.LdapUser.RawLdapData.Attributes "department"}}</li>
|
||||||
</ul>
|
</ul>
|
||||||
{{end}}
|
{{end}}
|
||||||
<h4>Traffic</h4>
|
<h4>Connection / Traffic</h4>
|
||||||
{{if not $p.Peer}}
|
{{if not $p.Peer}}
|
||||||
<p>No Traffic data available...</p>
|
<p>No Traffic data available...</p>
|
||||||
{{else}}
|
{{else}}
|
||||||
<p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas fa-long-arrow-alt-down"></i></i> {{formatBytes $p.Peer.ReceiveBytes}} / <i class="fas fa-long-arrow-alt-up"></i> {{formatBytes $p.Peer.TransmitBytes}}{{end}}</p>
|
<p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas network-wired" title="Last Endpoint"></i> {{formatBytes $p.Peer.Endpoint}}{{end}}</p>
|
||||||
|
<p>{{if $p.DeactivatedAt}}-{{else}}<i class="fas fa-long-arrow-alt-down"></i> {{formatBytes $p.Peer.ReceiveBytes}} / <i class="fas fa-long-arrow-alt-up"></i> {{formatBytes $p.Peer.TransmitBytes}}{{end}}</p>
|
||||||
{{end}}
|
{{end}}
|
||||||
</div>
|
</div>
|
||||||
<div id="t2{{$p.UID}}" class="tab-pane fade">
|
<div id="t2{{$p.UID}}" class="tab-pane fade">
|
||||||
|
@ -54,15 +54,17 @@ func loadConfigEnv(cfg interface{}) error {
|
|||||||
|
|
||||||
type Config struct {
|
type Config struct {
|
||||||
Core struct {
|
Core struct {
|
||||||
ListeningAddress string `yaml:"listeningAddress" envconfig:"LISTENING_ADDRESS"`
|
ListeningAddress string `yaml:"listeningAddress" envconfig:"LISTENING_ADDRESS"`
|
||||||
ExternalUrl string `yaml:"externalUrl" envconfig:"EXTERNAL_URL"`
|
ExternalUrl string `yaml:"externalUrl" envconfig:"EXTERNAL_URL"`
|
||||||
Title string `yaml:"title" envconfig:"WEBSITE_TITLE"`
|
Title string `yaml:"title" envconfig:"WEBSITE_TITLE"`
|
||||||
CompanyName string `yaml:"company" envconfig:"COMPANY_NAME"`
|
CompanyName string `yaml:"company" envconfig:"COMPANY_NAME"`
|
||||||
MailFrom string `yaml:"mailfrom" envconfig:"MAIL_FROM"`
|
MailFrom string `yaml:"mailfrom" envconfig:"MAIL_FROM"`
|
||||||
AdminUser string `yaml:"adminUser" envconfig:"ADMIN_USER"` // optional, non LDAP admin user
|
AdminUser string `yaml:"adminUser" envconfig:"ADMIN_USER"` // optional, non LDAP admin user
|
||||||
AdminPassword string `yaml:"adminPass" envconfig:"ADMIN_PASS"`
|
AdminPassword string `yaml:"adminPass" envconfig:"ADMIN_PASS"`
|
||||||
DatabasePath string `yaml:"database" envconfig:"DATABASE_PATH"`
|
DatabasePath string `yaml:"database" envconfig:"DATABASE_PATH"`
|
||||||
EditableKeys bool `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
|
EditableKeys bool `yaml:"editableKeys" envconfig:"EDITABLE_KEYS"`
|
||||||
|
CreateInterfaceOnLogin bool `yaml:"createOnLogin" envconfig:"CREATE_INTERFACE_ON_LOGIN"`
|
||||||
|
SyncLdapStatus bool `yaml:"syncLdapStatus" envconfig:"SYNC_LDAP_STATUS"` // disable account if disabled in ldap
|
||||||
} `yaml:"core"`
|
} `yaml:"core"`
|
||||||
Email MailConfig `yaml:"email"`
|
Email MailConfig `yaml:"email"`
|
||||||
LDAP ldap.Config `yaml:"ldap"`
|
LDAP ldap.Config `yaml:"ldap"`
|
||||||
|
@ -63,7 +63,7 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri
|
|||||||
a.Cfg.BaseDN,
|
a.Cfg.BaseDN,
|
||||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||||
fmt.Sprintf("(&(objectClass=organizationalPerson)(%s=%s))", userIdentifier, username),
|
fmt.Sprintf("(&(objectClass=organizationalPerson)(%s=%s))", userIdentifier, username),
|
||||||
[]string{"dn"},
|
[]string{"dn", "userAccountControl"},
|
||||||
nil,
|
nil,
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -78,6 +78,12 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri
|
|||||||
|
|
||||||
userDN := sr.Entries[0].DN
|
userDN := sr.Entries[0].DN
|
||||||
|
|
||||||
|
// Check if user is disabled, if so deny login
|
||||||
|
uac := sr.Entries[0].GetAttributeValue("userAccountControl")
|
||||||
|
if uac != "" && IsLdapUserDisabled(uac) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
// Bind as the user to verify their password
|
// Bind as the user to verify their password
|
||||||
err = client.Bind(userDN, password)
|
err = client.Bind(userDN, password)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -5,6 +5,7 @@ import (
|
|||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
"sort"
|
"sort"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
@ -214,7 +215,7 @@ func NewUserCache(config Config, store UserCacheHolder) *UserCache {
|
|||||||
}
|
}
|
||||||
|
|
||||||
log.Infof("Filling user cache...")
|
log.Infof("Filling user cache...")
|
||||||
err := uc.Update(true)
|
err := uc.Update(true, true)
|
||||||
log.Infof("User cache filled!")
|
log.Infof("User cache filled!")
|
||||||
uc.LastError = err
|
uc.LastError = err
|
||||||
|
|
||||||
@ -250,7 +251,7 @@ func (u UserCache) close(conn *ldap.Conn) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Update updates the user cache in background, minimal locking will happen
|
// Update updates the user cache in background, minimal locking will happen
|
||||||
func (u *UserCache) Update(filter bool) error {
|
func (u *UserCache) Update(filter, withDisabledUsers bool) error {
|
||||||
log.Debugf("Updating ldap cache...")
|
log.Debugf("Updating ldap cache...")
|
||||||
client, err := u.open()
|
client, err := u.open()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -290,8 +291,8 @@ func (u *UserCache) Update(filter bool) error {
|
|||||||
continue // prefilter...
|
continue // prefilter...
|
||||||
}
|
}
|
||||||
|
|
||||||
if userAccountControl == "" || userAccountControl == "514" {
|
if !withDisabledUsers && userAccountControl != "" && IsLdapUserDisabled(userAccountControl) {
|
||||||
continue // 514 means account is disabled
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
if entry.DN != dn {
|
if entry.DN != dn {
|
||||||
@ -323,3 +324,15 @@ func (u *UserCache) Update(filter bool) error {
|
|||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func IsLdapUserDisabled(userAccountControl string) bool {
|
||||||
|
uacInt, err := strconv.Atoi(userAccountControl)
|
||||||
|
if err != nil {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
if int32(uacInt)&0x2 != 0 {
|
||||||
|
return true // bit 2 set means account is disabled
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
@ -157,7 +157,7 @@ func (s *Server) Run() {
|
|||||||
go func(s *Server) {
|
go func(s *Server) {
|
||||||
for {
|
for {
|
||||||
time.Sleep(CacheRefreshDuration)
|
time.Sleep(CacheRefreshDuration)
|
||||||
if err := s.ldapCacheUpdater.Update(true); err != nil {
|
if err := s.ldapCacheUpdater.Update(true, true); err != nil {
|
||||||
log.Warnf("Failed to update ldap group cache: %v", err)
|
log.Warnf("Failed to update ldap group cache: %v", err)
|
||||||
}
|
}
|
||||||
log.Debugf("Refreshed LDAP permissions!")
|
log.Debugf("Refreshed LDAP permissions!")
|
||||||
@ -165,6 +165,18 @@ func (s *Server) Run() {
|
|||||||
}(s)
|
}(s)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !s.ldapDisabled && s.config.Core.SyncLdapStatus {
|
||||||
|
go func(s *Server) {
|
||||||
|
for {
|
||||||
|
time.Sleep(CacheRefreshDuration)
|
||||||
|
if err := s.SyncLdapAttributesWithWireGuard(); err != nil {
|
||||||
|
log.Warnf("Failed to synchronize ldap attributes: %v", err)
|
||||||
|
}
|
||||||
|
log.Debugf("Synced LDAP attributes!")
|
||||||
|
}
|
||||||
|
}(s)
|
||||||
|
}
|
||||||
|
|
||||||
// Run web service
|
// Run web service
|
||||||
err := s.server.Run(s.config.Core.ListeningAddress)
|
err := s.server.Run(s.config.Core.ListeningAddress)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -4,6 +4,8 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
log "github.com/sirupsen/logrus"
|
||||||
|
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -95,6 +97,21 @@ func (s *Server) PostLogin(c *gin.Context) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if user already has a peer setup, if not create one
|
||||||
|
if s.config.Core.CreateInterfaceOnLogin && !adminAuthenticated {
|
||||||
|
users := s.users.GetUsersByMail(sessionData.Email)
|
||||||
|
|
||||||
|
if len(users) == 0 { // Create vpn peer
|
||||||
|
err := s.CreateUser(User{
|
||||||
|
Identifier: sessionData.Firstname + " " + sessionData.Lastname + " (Default)",
|
||||||
|
Email: sessionData.Email,
|
||||||
|
CreatedBy: sessionData.Email,
|
||||||
|
UpdatedBy: sessionData.Email,
|
||||||
|
})
|
||||||
|
log.Errorf("Failed to automatically create vpn peer for %s: %v", sessionData.Email, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if err := s.updateSessionData(c, sessionData); err != nil {
|
if err := s.updateSessionData(c, sessionData); err != nil {
|
||||||
s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to save session")
|
s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to save session")
|
||||||
return
|
return
|
||||||
|
34
internal/server/ldapsync.go
Normal file
34
internal/server/ldapsync.go
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
package server
|
||||||
|
|
||||||
|
import (
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/h44z/wg-portal/internal/ldap"
|
||||||
|
log "github.com/sirupsen/logrus"
|
||||||
|
)
|
||||||
|
|
||||||
|
// SyncLdapAttributesWithWireGuard starts to synchronize the "disabled" attribute from ldap.
|
||||||
|
// Users will be automatically disabled once they are disabled in ldap.
|
||||||
|
// This method is blocking.
|
||||||
|
func (s *Server) SyncLdapAttributesWithWireGuard() error {
|
||||||
|
allUsers := s.users.GetAllUsers()
|
||||||
|
for i := range allUsers {
|
||||||
|
user := allUsers[i]
|
||||||
|
if user.LdapUser == nil {
|
||||||
|
continue // skip non ldap users
|
||||||
|
}
|
||||||
|
|
||||||
|
if user.DeactivatedAt != nil {
|
||||||
|
continue // skip already disabled interfaces
|
||||||
|
}
|
||||||
|
|
||||||
|
if ldap.IsLdapUserDisabled(allUsers[i].LdapUser.Attributes["userAccountControl"]) {
|
||||||
|
now := time.Now()
|
||||||
|
user.DeactivatedAt = &now
|
||||||
|
if err := s.UpdateUser(user, now); err != nil {
|
||||||
|
log.Errorf("Failed to disable user %s: %v", user.Email, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
@ -10,7 +10,8 @@ DNS = {{ .Server.DNSStr }}
|
|||||||
{{- end}}
|
{{- end}}
|
||||||
{{- if ne .Server.Mtu 0 -}}
|
{{- if ne .Server.Mtu 0 -}}
|
||||||
MTU = {{.Server.Mtu}}
|
MTU = {{.Server.Mtu}}
|
||||||
{{- end -}}
|
{{- end}}
|
||||||
|
|
||||||
[Peer]
|
[Peer]
|
||||||
PublicKey = {{ .Server.PublicKey }}
|
PublicKey = {{ .Server.PublicKey }}
|
||||||
{{- if .Client.PresharedKey -}}
|
{{- if .Client.PresharedKey -}}
|
||||||
|
Loading…
Reference in New Issue
Block a user