fix oauth2 users privileges, merge branch 'dev'

janusec2 · janusec2 · commit 6b51b2306de1 · 2023-07-09T18:22:52.000+08:00
diff --git a/backend/application.go b/backend/application.go
@@ -220,7 +220,7 @@ func LoadAppDomainNames() {
 
 // GetApplications ...
 func GetApplications(authUser *models.AuthUser) ([]*models.Application, error) {
-	if authUser.IsAppAdmin {
+	if authUser.IsAppAdmin || authUser.IsSuperAdmin {
 		return Apps, nil
 	}
 	myApps := []*models.Application{}
diff --git a/data/backend_appuser.go b/data/backend_appuser.go
@@ -86,6 +86,7 @@ func (dal *MyDAL) SelectAppUserByName(username string) *models.AppUser {
 		&appUser.NeedModifyPWD)
 	if err != nil {
 		utils.DebugPrintln("SelectAppUserByName", err)
+		return nil
 	}
 	return appUser
 }
diff --git a/usermgmt/ldap.go b/usermgmt/ldap.go
@@ -139,21 +139,27 @@ func LDAPAuthFunc(w http.ResponseWriter, r *http.Request) {
 	}
 	// Janusec admin user
 	if state == "admin" {
-		// Insert into db if not existed
-		id, err := data.DAL.InsertIfNotExistsAppUser(username, "", "", "", false, false, false, false)
-		if err != nil {
-			w.WriteHeader(403)
-			w.Write([]byte("Error: " + err.Error()))
-			return
+		appUser := data.DAL.SelectAppUserByName(username)
+		var userID int64
+		if appUser == nil {
+			// Insert into db if not existed
+			userID, err = data.DAL.InsertIfNotExistsAppUser(username, "", "", "", false, false, false, false)
+			if err != nil {
+				w.WriteHeader(403)
+				w.Write([]byte("Error: " + err.Error()))
+				return
+			}
+		} else {
+			userID = appUser.ID
 		}
 		// create session
 		authUser := &models.AuthUser{
-			UserID:        id,
+			UserID:        userID,
 			Username:      username,
 			Logged:        true,
-			IsSuperAdmin:  false,
-			IsCertAdmin:   false,
-			IsAppAdmin:    false,
+			IsSuperAdmin:  appUser.IsSuperAdmin,
+			IsCertAdmin:   appUser.IsCertAdmin,
+			IsAppAdmin:    appUser.IsAppAdmin,
 			NeedModifyPWD: false}
 		session, _ := store.Get(r, "sessionid")
 		session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_cas2.go b/usermgmt/oauth_cas2.go
@@ -68,22 +68,27 @@ func CAS2CallbackWithCode(w http.ResponseWriter, r *http.Request) {
 	casUser := casServiceResponse.AuthenticationSuccess.CASUser
 
 	if state == "admin" {
-		// To do: for janusec-admin
-		// Insert into db if not existed
-		id, err := data.DAL.InsertIfNotExistsAppUser(casUser, "", "", "", false, false, false, false)
-		if err != nil {
-			w.WriteHeader(403)
-			w.Write([]byte("Error: " + err.Error()))
-			return
+		appUser := data.DAL.SelectAppUserByName(casUser)
+		var userID int64
+		if appUser == nil {
+			// Insert into db if not existed
+			userID, err = data.DAL.InsertIfNotExistsAppUser(casUser, "", "", "", false, false, false, false)
+			if err != nil {
+				w.WriteHeader(403)
+				w.Write([]byte("Error: " + err.Error()))
+				return
+			}
+		} else {
+			userID = appUser.ID
 		}
 		// create session
 		authUser := &models.AuthUser{
-			UserID:        id,
+			UserID:        userID,
 			Username:      casUser,
 			Logged:        true,
-			IsSuperAdmin:  false,
-			IsCertAdmin:   false,
-			IsAppAdmin:    false,
+			IsSuperAdmin:  appUser.IsSuperAdmin,
+			IsCertAdmin:   appUser.IsCertAdmin,
+			IsAppAdmin:    appUser.IsAppAdmin,
 			NeedModifyPWD: false}
 		session, _ := store.Get(r, "sessionid")
 		session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_dingtalk.go b/usermgmt/oauth_dingtalk.go
@@ -82,21 +82,27 @@ func DingtalkCallbackWithCode(w http.ResponseWriter, r *http.Request) {
 	}
 	dingtalkUser := dingtalkResponse.UserInfo
 	if state == "admin" {
-		// Insert into db if not existed
-		id, err := data.DAL.InsertIfNotExistsAppUser(dingtalkUser.Nick, "", "", "", false, false, false, false)
-		if err != nil {
-			w.WriteHeader(403)
-			w.Write([]byte("Error: " + err.Error()))
-			return
+		appUser := data.DAL.SelectAppUserByName(dingtalkUser.Nick)
+		var userID int64
+		if appUser == nil {
+			// Insert into db if not existed
+			userID, err = data.DAL.InsertIfNotExistsAppUser(dingtalkUser.Nick, "", "", "", false, false, false, false)
+			if err != nil {
+				w.WriteHeader(403)
+				w.Write([]byte("Error: " + err.Error()))
+				return
+			}
+		} else {
+			userID = appUser.ID
 		}
 		// create session
 		authUser := &models.AuthUser{
-			UserID:        id,
+			UserID:        userID,
 			Username:      dingtalkUser.Nick,
 			Logged:        true,
-			IsSuperAdmin:  false,
-			IsCertAdmin:   false,
-			IsAppAdmin:    false,
+			IsSuperAdmin:  appUser.IsSuperAdmin,
+			IsCertAdmin:   appUser.IsCertAdmin,
+			IsAppAdmin:    appUser.IsAppAdmin,
 			NeedModifyPWD: false}
 		session, _ := store.Get(r, "sessionid")
 		session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_feishu.go b/usermgmt/oauth_feishu.go
@@ -97,21 +97,27 @@ func FeishuCallbackWithCode(w http.ResponseWriter, r *http.Request) {
 		utils.DebugPrintln("FeishuCallbackWithCode json.Unmarshal error", err)
 	}
 	if state == "admin" {
-		// Insert into db if not existed
-		id, err := data.DAL.InsertIfNotExistsAppUser(feishuUser.Data.EnName, "", "", "", false, false, false, false)
-		if err != nil {
-			w.WriteHeader(403)
-			w.Write([]byte("Error: " + err.Error()))
-			return
+		appUser := data.DAL.SelectAppUserByName(feishuUser.Data.EnName)
+		var userID int64
+		if appUser == nil {
+			// Insert into db if not existed
+			userID, err = data.DAL.InsertIfNotExistsAppUser(feishuUser.Data.EnName, "", "", "", false, false, false, false)
+			if err != nil {
+				w.WriteHeader(403)
+				w.Write([]byte("Error: " + err.Error()))
+				return
+			}
+		} else {
+			userID = appUser.ID
 		}
 		// create session
 		authUser := &models.AuthUser{
-			UserID:        id,
+			UserID:        userID,
 			Username:      feishuUser.Data.EnName,
 			Logged:        true,
-			IsSuperAdmin:  false,
-			IsCertAdmin:   false,
-			IsAppAdmin:    false,
+			IsSuperAdmin:  appUser.IsSuperAdmin,
+			IsCertAdmin:   appUser.IsCertAdmin,
+			IsAppAdmin:    appUser.IsAppAdmin,
 			NeedModifyPWD: false}
 		session, _ := store.Get(r, "sessionid")
 		session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_lark.go b/usermgmt/oauth_lark.go
@@ -103,21 +103,27 @@ func LarkCallbackWithCode(w http.ResponseWriter, r *http.Request) {
 		utils.DebugPrintln("LarkCallbackWithCode json.Unmarshal error", err)
 	}
 	if state == "admin" {
-		// Insert into db if not existed
-		id, err := data.DAL.InsertIfNotExistsAppUser(larkUser.Data.EnName, "", "", "", false, false, false, false)
-		if err != nil {
-			w.WriteHeader(403)
-			w.Write([]byte("Error: " + err.Error()))
-			return
+		appUser := data.DAL.SelectAppUserByName(larkUser.Data.EnName)
+		var userID int64
+		if appUser == nil {
+			// Insert into db if not existed
+			userID, err = data.DAL.InsertIfNotExistsAppUser(larkUser.Data.EnName, "", "", "", false, false, false, false)
+			if err != nil {
+				w.WriteHeader(403)
+				w.Write([]byte("Error: " + err.Error()))
+				return
+			}
+		} else {
+			userID = appUser.ID
 		}
 		// create session
 		authUser := &models.AuthUser{
-			UserID:        id,
+			UserID:        userID,
 			Username:      larkUser.Data.EnName,
 			Logged:        true,
-			IsSuperAdmin:  false,
-			IsCertAdmin:   false,
-			IsAppAdmin:    false,
+			IsSuperAdmin:  appUser.IsSuperAdmin,
+			IsCertAdmin:   appUser.IsCertAdmin,
+			IsAppAdmin:    appUser.IsAppAdmin,
 			NeedModifyPWD: false}
 		session, _ := store.Get(r, "sessionid")
 		session.Values["authuser"] = authUser
diff --git a/usermgmt/oauth_wxwork.go b/usermgmt/oauth_wxwork.go
@@ -74,21 +74,27 @@ func WxworkCallbackWithCode(w http.ResponseWriter, r *http.Request) {
 		utils.DebugPrintln("WxworkCallbackWithCode json.Unmarshal error", err)
 	}
 	if state == "admin" {
-		// Insert into db if not existed
-		id, err := data.DAL.InsertIfNotExistsAppUser(wxworkUser.UserID, "", "", "", false, false, false, false)
-		if err != nil {
-			w.WriteHeader(403)
-			w.Write([]byte("Error: " + err.Error()))
-			return
+		appUser := data.DAL.SelectAppUserByName(wxworkUser.UserID)
+		var userID int64
+		if appUser == nil {
+			// Insert into db if not existed
+			userID, err = data.DAL.InsertIfNotExistsAppUser(wxworkUser.UserID, "", "", "", false, false, false, false)
+			if err != nil {
+				w.WriteHeader(403)
+				w.Write([]byte("Error: " + err.Error()))
+				return
+			}
+		} else {
+			userID = appUser.ID
 		}
 		// create session
 		authUser := &models.AuthUser{
-			UserID:        id,
+			UserID:        userID,
 			Username:      wxworkUser.UserID,
 			Logged:        true,
-			IsSuperAdmin:  false,
-			IsCertAdmin:   false,
-			IsAppAdmin:    false,
+			IsSuperAdmin:  appUser.IsSuperAdmin,
+			IsCertAdmin:   appUser.IsCertAdmin,
+			IsAppAdmin:    appUser.IsAppAdmin,
 			NeedModifyPWD: false}
 		session, _ := store.Get(r, "sessionid")
 		session.Values["authuser"] = authUser
diff --git a/usermgmt/usermgmt.go b/usermgmt/usermgmt.go
@@ -52,7 +52,10 @@ func Login(w http.ResponseWriter, r *http.Request, body []byte, clientIP string)
 	}
 	loginUser := apiLoginUserRequest.Object
 	appUser := data.DAL.SelectAppUserByName(loginUser.Username)
-
+	if appUser == nil {
+		// not exists
+		return nil, errors.New("wrong authentication credentials")
+	}
 	tmpHashpwd := data.SHA256Hash(loginUser.Password + appUser.Salt)
 	if tmpHashpwd != appUser.HashPwd {
 		return nil, errors.New("wrong authentication credentials")

Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ func LoadAppDomainNames() {`
`220`	`220`
`221`	`221`	`// GetApplications ...`
`222`	`222`	`func GetApplications(authUser models.AuthUser) ([]models.Application, error) {`
`223`		`- if authUser.IsAppAdmin {`
	`223`	`+ if authUser.IsAppAdmin \|\| authUser.IsSuperAdmin {`
`224`	`224`	`return Apps, nil`
`225`	`225`	`}`
`226`	`226`	`myApps := []*models.Application{}`
Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,7 @@ func (dal MyDAL) SelectAppUserByName(username string) models.AppUser {`
`86`	`86`	`&appUser.NeedModifyPWD)`
`87`	`87`	`if err != nil {`
`88`	`88`	`utils.DebugPrintln("SelectAppUserByName", err)`
	`89`	`+ return nil`
`89`	`90`	`}`
`90`	`91`	`return appUser`
`91`	`92`	`}`