Skynet/ldap_backend
6
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch '#4-password-reset' into 'main'

Browse source 
Password reset

See merge request compsoc1/skynet/ldap/backend!2
This commit is contained in:
Brendan Golden 2023-08-06 17:22:31 +00:00
commit 224451292d
9 changed files with 1032 additions and 355 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Cargo.toml
View file

@ -40,3 +40,4 @@ csv = "1.2"
# for email # for email
lettre = "0.10.4" lettre = "0.10.4"
maud = "0.25.0" maud = "0.25.0"

43
README.md
View file

@ -81,6 +81,49 @@ Invalid Auth:
Generic responses which is used unless otherwise specified above. Generic responses which is used unless otherwise specified above.
### POST /ldap/recover/password
```json
{
"user" : "[OPTIONAL] username looking for reset",
"email" : "[OPTIONAL] email looking for reset"
}
```
All responses:
```json
{"result": "success"}
```
### POST /ldap/recover/password/auth
```json
{
"auth" : "Auth key from teh email",
"pass" : "Password the user chooses"
}
```
Early Errors:
```json
{"result": "error"}
```
LDAP error:
```json
{"result": "error", "error": "ldap error"}
```
Success:
```json
{"result": "success", "success": "Password set"}
```
## Responses
Generic responses which is used unless otherwise specified above.
### Success: HTTP 200 ### Success: HTTP 200
```json ```json
{ {

37
src/lib.rs
View file

@ -35,7 +35,14 @@ pub struct AccountsNew {
pub id_student: String, pub id_student: String,
} }
#[derive(Debug, Deserialize, Serialize, sqlx::FromRow)] #[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
pub struct AccountsReset {
pub user: String,
pub auth_code: String,
pub date_expiry: String,
}
#[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
pub struct Accounts { pub struct Accounts {
pub user: String, pub user: String,
pub uid: i64, pub uid: i64,
@ -84,6 +91,26 @@ pub async fn db_init(config: &Config) -> Result<Pool<Sqlite>, Error> {
sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_new (auth_code)") sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_new (auth_code)")
.execute(&pool) .execute(&pool)
.await?; .await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_new (date_expiry)")
.execute(&pool)
.await?;
sqlx::query(
"CREATE TABLE IF NOT EXISTS accounts_reset (
user text primary key,
auth_code text not null,
date_expiry text not null
)",
)
.execute(&pool)
.await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_reset (auth_code)")
.execute(&pool)
.await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_reset (date_expiry)")
.execute(&pool)
.await?;
// this is for active use // this is for active use
sqlx::query( sqlx::query(
@ -214,6 +241,10 @@ pub async fn get_wolves(db: &Pool<Sqlite>) -> Vec<AccountWolves> {
.unwrap_or(vec![]) .unwrap_or(vec![])
} }
pub fn uid_to_dn(uid: &str) -> String {
format!("uid={},ou=users,dc=skynet,dc=ie", uid)
}
pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, replace: bool) -> tide::Result<()> { pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, replace: bool) -> tide::Result<()> {
if users.is_empty() { if users.is_empty() {
return Ok(()); return Ok(());
@ -252,7 +283,3 @@ pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, rep
Ok(()) Ok(())
} }
pub fn uid_to_dn(uid: &str) -> String {
format!("uid={},ou=users,dc=skynet,dc=ie", uid)
}

22
src/main.rs
View file

@ -1,9 +1,6 @@
use skynet_ldap_backend::{ use skynet_ldap_backend::{
db_init, get_config, db_init, get_config,
methods::{ methods::{account_new, account_recover, account_update},
account_new::post::{account, email},
account_update::post_update_ldap,
},
State, State,
}; };
@ -23,14 +20,17 @@ async fn main() -> tide::Result<()> {
let mut app = tide::with_state(state); let mut app = tide::with_state(state);
app.at("/ldap/update").post(post_update_ldap); // for users to update their own profile
app.at("/ldap/new/email").post(email::submit); app.at("/ldap/update").post(account_update::submit);
app.at("/ldap/new/account").post(account::submit);
// for new users
app.at("/ldap/new/email").post(account_new::email::submit);
app.at("/ldap/new/account").post(account_new::account::submit);
// for folks who forget password/username
app.at("/ldap/recover/password").post(account_recover::password::reset);
app.at("/ldap/recover/password/auth").post(account_recover::password::auth);
app.listen(host_port).await?; app.listen(host_port).await?;
Ok(()) Ok(())
} }
/*
Password reset via email
*/

672
src/methods/account_new.rs
View file

@ -13,161 +13,158 @@ use tide::{
Request, Request,
}; };
pub mod post { pub mod email {
use super::*; use super::*;
pub mod email { #[derive(Debug, Deserialize)]
use super::*; struct SignupEmail {
email: String,
}
#[derive(Debug, Deserialize)] pub async fn submit(mut req: Request<State>) -> tide::Result {
struct SignupEmail { let SignupEmail {
email: String, email,
} } = req.body_json().await?;
pub async fn submit(mut req: Request<State>) -> tide::Result { let config = &req.state().config;
let SignupEmail { let db = &req.state().db;
email,
} = req.body_json().await?;
let config = &req.state().config; for record in get_wolves_mail(db, &email).await {
let db = &req.state().db; // skynet emails not permitted
if record.email.trim().ends_with("@skynet.ie") {
for record in get_wolves_mail(db, &email).await { continue;
// skynet emails not permitted
if record.email.trim().ends_with("@skynet.ie") {
continue;
}
// check if the email is already in the db
if !check(db, &record.email).await {
continue;
}
// generate a auth key
let auth = random_string(75);
match send_mail(config, &record, &auth) {
Ok(_) => match save_to_db(db, &record, &auth).await {
Ok(_) => {}
Err(e) => {
println!("Unable to save to db {} {e:?}", &record.email);
}
},
Err(e) => {
println!("Unable to send mail to {} {e:?}", &record.email);
}
}
} }
Ok(json!({"result": "success"}).into()) // check if the email is already in the db
if !check(db, &record.email).await {
continue;
}
// generate a auth key
let auth = random_string(75);
match send_mail(config, &record, &auth) {
Ok(_) => match save_to_db(db, &record, &auth).await {
Ok(_) => {}
Err(e) => {
println!("Unable to save to db {} {e:?}", &record.email);
}
},
Err(e) => {
println!("Unable to send mail to {} {e:?}", &record.email);
}
}
} }
async fn get_wolves_mail(db: &Pool<Sqlite>, mail: &str) -> Vec<AccountWolves> { Ok(json!({"result": "success"}).into())
sqlx::query_as::<_, AccountWolves>( }
r#"
async fn get_wolves_mail(db: &Pool<Sqlite>, mail: &str) -> Vec<AccountWolves> {
sqlx::query_as::<_, AccountWolves>(
r#"
SELECT * SELECT *
FROM accounts_wolves FROM accounts_wolves
WHERE email = ? WHERE email = ?
"#, "#,
) )
.bind(mail) .bind(mail)
.fetch_all(db) .fetch_all(db)
.await .await
.unwrap_or(vec![]) .unwrap_or(vec![])
} }
async fn check(db: &Pool<Sqlite>, mail: &str) -> bool { async fn check(db: &Pool<Sqlite>, mail: &str) -> bool {
check_pending(db, mail).await && check_users(db, mail).await check_pending(db, mail).await && check_users(db, mail).await
} }
async fn check_users(db: &Pool<Sqlite>, mail: &str) -> bool { async fn check_users(db: &Pool<Sqlite>, mail: &str) -> bool {
sqlx::query_as::<_, Accounts>( sqlx::query_as::<_, Accounts>(
r#" r#"
SELECT * SELECT *
FROM accounts FROM accounts
WHERE mail == ? WHERE mail == ?
"#, "#,
) )
.bind(mail) .bind(mail)
.fetch_all(db) .fetch_all(db)
.await .await
.unwrap_or(vec![]) .unwrap_or(vec![])
.is_empty() .is_empty()
} }
async fn check_pending(db: &Pool<Sqlite>, mail: &str) -> bool { async fn check_pending(db: &Pool<Sqlite>, mail: &str) -> bool {
sqlx::query_as::<_, AccountsNew>( sqlx::query_as::<_, AccountsNew>(
r#" r#"
SELECT * SELECT *
FROM accounts_new FROM accounts_new
WHERE mail == ? WHERE mail == ?
"#, "#,
) )
.bind(mail) .bind(mail)
.fetch_all(db) .fetch_all(db)
.await .await
.unwrap_or(vec![]) .unwrap_or(vec![])
.is_empty() .is_empty()
} }
// using https://github.com/lettre/lettre/blob/57886c367d69b4d66300b322c94bd910b1eca364/examples/maud_html.rs // using https://github.com/lettre/lettre/blob/57886c367d69b4d66300b322c94bd910b1eca364/examples/maud_html.rs
fn send_mail(config: &Config, record: &AccountWolves, auth: &str) -> Result<lettre::transport::smtp::response::Response, lettre::transport::smtp::Error> { fn send_mail(config: &Config, record: &AccountWolves, auth: &str) -> Result<lettre::transport::smtp::response::Response, lettre::transport::smtp::Error> {
let recipient = &record.name_first; let recipient = &record.name_first;
let mail = &record.email; let mail = &record.email;
let url_base = "https://sso.skynet.ie"; let url_base = "https://sso.skynet.ie";
let link_new = format!("{url_base}/register?auth={auth}"); let link_new = format!("{url_base}/register?auth={auth}");
let link_mod = format!("{url_base}/modify"); let link_mod = format!("{url_base}/modify");
let discord = "https://discord.gg/mkuKJkCuyM"; let discord = "https://discord.gg/mkuKJkCuyM";
let sender = format!("UL Computer Society <{}>", &config.mail_user); let sender = format!("UL Computer Society <{}>", &config.mail_user);
// Create the html we want to send. // Create the html we want to send.
let html = html! { let html = html! {
head { head {
title { "Hello from Skynet!" } title { "Hello from Skynet!" }
style type="text/css" { style type="text/css" {
"h2, h4 { font-family: Arial, Helvetica, sans-serif; }" "h2, h4 { font-family: Arial, Helvetica, sans-serif; }"
}
} }
div style="display: flex; flex-direction: column; align-items: center;" { }
h2 { "Hello from Skynet!" } div style="display: flex; flex-direction: column; align-items: center;" {
// Substitute in the name of our recipient. h2 { "Hello from Skynet!" }
p { "Hi " (recipient) "," } // Substitute in the name of our recipient.
p { p { "Hi " (recipient) "," }
"As part of the UL Computer Society you get an account on our Skynet cluster." p {
br; "As part of the UL Computer Society you get an account on our Skynet cluster."
"This gives you access to some of teh various services we offer:" br;
ul { "This gives you access to some of teh various services we offer:"
li { "Email" } ul {
li { "Gitlab" } li { "Email" }
li { "Linux Webhost" } li { "Gitlab" }
} li { "Linux Webhost" }
br;
"The following invite will remain active until the end of year."
}
p {
"If you are a new member please use the following link:"
br;
a href=(link_new) { (link_new) }
}
p {
"If you are a returning user please set an email for your account at:"
br;
a href=(link_mod) { (link_mod) }
}
p {
"If you have issues please refer to our Discord server:"
br;
a href=(discord) { (discord) }
}
p {
"Skynet Team"
br;
"UL Computer Society"
} }
br;
"The following invite will remain active until the end of year."
}
p {
"If you are a new member please use the following link:"
br;
a href=(link_new) { (link_new) }
}
p {
"If you are a returning user please set an email for your account at:"
br;
a href=(link_mod) { (link_mod) }
}
p {
"If you have issues please refer to our Discord server:"
br;
a href=(discord) { (discord) }
} }
};
let body_text = format!( p {
r#" "Skynet Team"
br;
"UL Computer Society"
}
}
};
let body_text = format!(
r#"
Hi {recipient} Hi {recipient}
As part of the UL Computer Society you get an account on our Skynet cluster. As part of the UL Computer Society you get an account on our Skynet cluster.
@ -189,276 +186,275 @@ pub mod post {
Skynet Team Skynet Team
UL Computer Society UL Computer Society
"# "#
); );
// Build the message. // Build the message.
let email = Message::builder() let email = Message::builder()
.from(sender.parse().unwrap()) .from(sender.parse().unwrap())
.to(mail.parse().unwrap()) .to(mail.parse().unwrap())
.subject("Skynet: New Account.") .subject("Skynet: New Account.")
.multipart( .multipart(
// This is composed of two parts. // This is composed of two parts.
// also helps not trip spam settings (uneven number of url's // also helps not trip spam settings (uneven number of url's
MultiPart::alternative() MultiPart::alternative()
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text)) .singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text))
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())), .singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())),
) )
.expect("failed to build email"); .expect("failed to build email");
let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone()); let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone());
// Open a remote connection to gmail using STARTTLS // Open a remote connection to gmail using STARTTLS
let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build(); let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build();
// Send the email // Send the email
mailer.send(&email) mailer.send(&email)
} }
async fn save_to_db(db: &Pool<Sqlite>, record: &AccountWolves, auth: &str) -> Result<Option<AccountsNew>, sqlx::Error> { async fn save_to_db(db: &Pool<Sqlite>, record: &AccountWolves, auth: &str) -> Result<Option<AccountsNew>, sqlx::Error> {
sqlx::query_as::<_, AccountsNew>( sqlx::query_as::<_, AccountsNew>(
" "
INSERT OR REPLACE INTO accounts_new (mail, auth_code, date_iso, date_expiry, name_first, name_surname, id_student) INSERT OR REPLACE INTO accounts_new (mail, auth_code, date_iso, date_expiry, name_first, name_surname, id_student)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7) VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)
", ",
) )
.bind(record.email.to_owned()) .bind(record.email.to_owned())
.bind(auth.to_owned()) .bind(auth.to_owned())
.bind(get_now_iso(false)) .bind(get_now_iso(false))
.bind(record.expiry.to_owned()) .bind(record.expiry.to_owned())
.bind(record.name_first.to_owned()) .bind(record.name_first.to_owned())
.bind(record.name_second.to_owned()) .bind(record.name_second.to_owned())
.bind(record.id_student.to_owned()) .bind(record.id_student.to_owned())
.fetch_optional(db) .fetch_optional(db)
.await .await
} }
}
pub mod account {
use super::*;
use crate::update_group;
#[derive(Debug, Deserialize)]
struct LdapNewUser {
auth: String,
user: String,
pass: String,
} }
pub mod account { /// Handles initial detail entering page
use super::*; /// Verify users have access to said email
use crate::update_group; /// Get users to set username and password.
pub async fn submit(mut req: Request<State>) -> tide::Result {
let LdapNewUser {
auth,
user,
pass,
} = req.body_json().await?;
#[derive(Debug, Deserialize)] let config = &req.state().config;
struct LdapNewUser { let db = &req.state().db;
auth: String,
user: String, // ensure there are no old requests
pass: String, db_pending_clear_expired(db).await?;
let user_db = if let Some(x) = db_get_user(db, &auth).await {
x
} else {
return Ok(json!({"result": "error", "error": "Invalid auth"}).into());
};
if let Some(error) = is_valid_name(&user) {
return Ok(json!({"result": "error", "error": error}).into());
} }
/// Handles initial detail entering page // easier to give each request its own connection
/// Verify users have access to said email let mut ldap = LdapConn::new(&config.ldap_host)?;
/// Get users to set username and password.
pub async fn submit(mut req: Request<State>) -> tide::Result {
let LdapNewUser {
auth,
user,
pass,
} = req.body_json().await?;
let config = &req.state().config; // ldap3 docs say a blank username and pass is an anon bind
let db = &req.state().db; ldap.simple_bind("", "")?.success()?;
// ensure there are no old requests let filter_dn = format!("(uid={})", &user);
db_pending_clear_expired(db).await?; if let Ok(x) = ldap.search("ou=users,dc=skynet,dc=ie", Scope::OneLevel, &filter_dn, vec!["*"]) {
if let Ok((rs, _res)) = x.success() {
let user_db = if let Some(x) = db_get_user(db, &auth).await { if !rs.is_empty() {
x return Ok(json!({"result": "error", "error": "username not available"}).into());
} else {
return Ok(json!({"result": "error", "error": "Invalid auth"}).into());
};
if let Some(error) = is_valid_name(&user) {
return Ok(json!({"result": "error", "error": error}).into());
}
// easier to give each request its own connection
let mut ldap = LdapConn::new(&config.ldap_host)?;
// ldap3 docs say a blank username and pass is an anon bind
ldap.simple_bind("", "")?.success()?;
let filter_dn = format!("(uid={})", &user);
if let Ok(x) = ldap.search("ou=users,dc=skynet,dc=ie", Scope::OneLevel, &filter_dn, vec!["*"]) {
if let Ok((rs, _res)) = x.success() {
if !rs.is_empty() {
return Ok(json!({"result": "error", "error": "username not available"}).into());
}
} }
} }
// done with anon ldap
ldap.unbind()?;
ldap_create_account(config, db, user_db, &user, &pass).await?;
// account now created, delete from the new table
account_verification_clear_pending(db, &auth).await?;
Ok(json!({"result": "success"}).into())
} }
// clear the db of expired ones before checking for username and validating inputs // done with anon ldap
async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsNew>, Error> { ldap.unbind()?;
sqlx::query_as::<_, AccountsNew>(
r#" ldap_create_account(config, db, user_db, &user, &pass).await?;
// account now created, delete from the new table
account_verification_clear_pending(db, &auth).await?;
Ok(json!({"result": "success"}).into())
}
// clear the db of expired ones before checking for username and validating inputs
async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsNew>, Error> {
sqlx::query_as::<_, AccountsNew>(
r#"
DELETE DELETE
FROM accounts_new FROM accounts_new
WHERE date_expiry < ? WHERE date_expiry < ?
"#, "#,
) )
.bind(get_now_iso(true)) .bind(get_now_iso(true))
.fetch_all(pool) .fetch_all(pool)
.await .await
}
fn is_valid_name(name: &str) -> Option<String> {
// max length is 31 chars
if name.len() >= 32 {
return Some(String::from("Too long, max len 31"));
} }
fn is_valid_name(name: &str) -> Option<String> { for (index, letter) in name.chars().enumerate() {
// max length is 31 chars // no uppercase characters allowed
if name.len() >= 32 { if letter.is_ascii_uppercase() {
return Some(String::from("Too long, max len 31")); return Some(String::from("Has uppercase"));
} }
for (index, letter) in name.chars().enumerate() { if index == 0 {
// no uppercase characters allowed // first character ahs to be either a letter or underscore
if letter.is_ascii_uppercase() { if !(letter.is_ascii_alphabetic() || letter == '_') {
return Some(String::from("Has uppercase")); return Some(String::from("Does not start with letter or _"));
} }
} else {
if index == 0 { // after first character options are more relaxed
// first character ahs to be either a letter or underscore if !(letter.is_ascii_alphabetic() || letter.is_ascii_digit() || letter == '_' || letter == '-') {
if !(letter.is_ascii_alphabetic() || letter == '_') { return Some(String::from("Contains character that is not letter, number, _ or -"));
return Some(String::from("Does not start with letter or _"));
}
} else {
// after first character options are more relaxed
if !(letter.is_ascii_alphabetic() || letter.is_ascii_digit() || letter == '_' || letter == '-') {
return Some(String::from("Contains character that is not letter, number, _ or -"));
}
} }
} }
None
} }
async fn db_get_user(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsNew> { None
if let Ok(res) = sqlx::query_as::<_, AccountsNew>( }
r#"
async fn db_get_user(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsNew> {
if let Ok(res) = sqlx::query_as::<_, AccountsNew>(
r#"
SELECT * SELECT *
FROM accounts_new FROM accounts_new
WHERE auth_code == ? WHERE auth_code == ?
"#, "#,
) )
.bind(auth) .bind(auth)
.fetch_all(pool) .fetch_all(pool)
.await .await
{ {
if !res.is_empty() { if !res.is_empty() {
return Some(res[0].to_owned()); return Some(res[0].to_owned());
}
} }
None
} }
async fn ldap_create_account(config: &Config, db: &Pool<Sqlite>, user: AccountsNew, username: &str, pass: &str) -> Result<(), ldap3::LdapError> { None
let mut ldap = LdapConn::new(&config.ldap_host)?; }
ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
let dn = format!("uid={},ou=users,dc=skynet,dc=ie", username); async fn ldap_create_account(config: &Config, db: &Pool<Sqlite>, user: AccountsNew, username: &str, pass: &str) -> Result<(), ldap3::LdapError> {
let cn = format!("{} {}", &user.name_first, &user.name_surname); let mut ldap = LdapConn::new(&config.ldap_host)?;
let home_directory = format!("/home/{}", username); ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
let password_tmp = random_string(50);
let labeled_uri = format!("ldap:///ou=groups,dc=skynet,dc=ie??sub?(&(objectclass=posixgroup)(memberuid={}))", username);
let sk_mail = format!("{}@skynet.ie", username);
let sk_created = get_sk_created();
let uid_number = get_max_uid_number(db).await;
// create user let dn = format!("uid={},ou=users,dc=skynet,dc=ie", username);
ldap.add( let cn = format!("{} {}", &user.name_first, &user.name_surname);
&dn, let home_directory = format!("/home/{}", username);
vec![ let password_tmp = random_string(50);
("objectClass", HashSet::from(["top", "person", "posixaccount", "ldapPublicKey", "inetOrgPerson", "skPerson"])), let labeled_uri = format!("ldap:///ou=groups,dc=skynet,dc=ie??sub?(&(objectclass=posixgroup)(memberuid={}))", username);
// top let sk_mail = format!("{}@skynet.ie", username);
("ou", HashSet::from(["users"])), let sk_created = get_sk_created();
// person let uid_number = get_max_uid_number(db).await;
("uid", HashSet::from([username])),
("cn", HashSet::from([cn.as_str()])),
// posixaccount
("uidNumber", HashSet::from([uid_number.to_string().as_str()])),
("gidNumber", HashSet::from(["1001"])),
("homedirectory", HashSet::from([home_directory.as_str()])),
("userpassword", HashSet::from([password_tmp.as_str()])),
// inetOrgPerson
("mail", HashSet::from([user.mail.as_str()])),
("sn", HashSet::from([user.name_surname.as_str()])),
// skPerson
("labeledURI", HashSet::from([labeled_uri.as_str()])),
("skMail", HashSet::from([sk_mail.as_str()])),
("skID", HashSet::from([user.id_student.as_str()])),
("skCreated", HashSet::from([sk_created.as_str()])),
// 1 = secure, automatic since its a new account
("skSecure", HashSet::from(["1"])),
// quotas
("quotaEmail", HashSet::from(["10737418240"])),
("quotaDisk", HashSet::from(["10737418240"])),
],
)?
.success()?;
// now to properly set teh password // create user
let tmp = PasswordModify { ldap.add(
user_id: Some(&dn), &dn,
old_pass: None, vec![
new_pass: Some(pass), ("objectClass", HashSet::from(["top", "person", "posixaccount", "ldapPublicKey", "inetOrgPerson", "skPerson"])),
}; // top
("ou", HashSet::from(["users"])),
// person
("uid", HashSet::from([username])),
("cn", HashSet::from([cn.as_str()])),
// posixaccount
("uidNumber", HashSet::from([uid_number.to_string().as_str()])),
("gidNumber", HashSet::from(["1001"])),
("homedirectory", HashSet::from([home_directory.as_str()])),
("userpassword", HashSet::from([password_tmp.as_str()])),
// inetOrgPerson
("mail", HashSet::from([user.mail.as_str()])),
("sn", HashSet::from([user.name_surname.as_str()])),
// skPerson
("labeledURI", HashSet::from([labeled_uri.as_str()])),
("skMail", HashSet::from([sk_mail.as_str()])),
("skID", HashSet::from([user.id_student.as_str()])),
("skCreated", HashSet::from([sk_created.as_str()])),
// 1 = secure, automatic since its a new account
("skSecure", HashSet::from(["1"])),
// quotas
("quotaEmail", HashSet::from(["10737418240"])),
("quotaDisk", HashSet::from(["10737418240"])),
],
)?
.success()?;
ldap.extended(tmp).unwrap(); // now to properly set teh password
let tmp = PasswordModify {
user_id: Some(&dn),
old_pass: None,
new_pass: Some(pass),
};
// user is already verified by being an active member on wolves ldap.extended(tmp).unwrap();
if let Err(e) = update_group(config, "skynet-users", &vec![username.to_string()], true).await {
println!("Couldnt add {} to skynet-users: {:?}", username, e)
}
ldap.unbind()?; // user is already verified by being an active member on wolves
if let Err(e) = update_group(config, "skynet-users", &vec![username.to_string()], true).await {
Ok(()) println!("Couldnt add {} to skynet-users: {:?}", username, e)
} }
fn get_sk_created() -> String { ldap.unbind()?;
use chrono::Utc;
let now = Utc::now();
format!("{}", now.format("%Y%m%d%H%M%SZ")) Ok(())
} }
async fn get_max_uid_number(db: &Pool<Sqlite>) -> i64 { fn get_sk_created() -> String {
if let Ok(results) = sqlx::query_as::<_, Accounts>( use chrono::Utc;
r#" let now = Utc::now();
format!("{}", now.format("%Y%m%d%H%M%SZ"))
}
async fn get_max_uid_number(db: &Pool<Sqlite>) -> i64 {
if let Ok(results) = sqlx::query_as::<_, Accounts>(
r#"
SELECT * SELECT *
FROM accounts FROM accounts
ORDER BY uid DESC ORDER BY uid DESC
LIMIT 1 LIMIT 1
"#, "#,
) )
.fetch_all(db) .fetch_all(db)
.await .await
{ {
if !results.is_empty() { if !results.is_empty() {
return results[0].uid + 1; return results[0].uid + 1;
}
} }
9999
} }
async fn account_verification_clear_pending(db: &Pool<Sqlite>, auth_code: &str) -> Result<Vec<AccountsNew>, Error> { 9999
sqlx::query_as::<_, AccountsNew>( }
r#"
async fn account_verification_clear_pending(db: &Pool<Sqlite>, auth_code: &str) -> Result<Vec<AccountsNew>, Error> {
sqlx::query_as::<_, AccountsNew>(
r#"
DELETE FROM accounts_new DELETE FROM accounts_new
WHERE auth_code == ? WHERE auth_code == ?
"#, "#,
) )
.bind(auth_code) .bind(auth_code)
.fetch_all(db) .fetch_all(db)
.await .await
}
} }
} }

306
src/methods/account_recover.rs Normal file
View file

@ -0,0 +1,306 @@
use crate::{get_now_iso, random_string, uid_to_dn, Accounts, AccountsReset, Config, State};
use chrono::{Duration, SecondsFormat, Utc};
use ldap3::{exop::PasswordModify, LdapConn};
use lettre::{
message::{header, MultiPart, SinglePart},
transport::smtp::{authentication::Credentials, response::Response, Error},
Message, SmtpTransport, Transport,
};
use maud::html;
use sqlx::{Pool, Sqlite};
use tide::{
prelude::{json, Deserialize},
Request,
};
pub mod password {
use super::*;
#[derive(Debug, Deserialize)]
struct PassReset {
user: Option<String>,
email: Option<String>,
}
/// Handles password resets
/// All responses are success, never want to leak info
pub async fn reset(mut req: Request<State>) -> tide::Result {
let PassReset {
user,
email,
} = req.body_json().await?;
// check that any mail is not using @skynet.ie
if let Some(mail) = &email {
if mail.trim().ends_with("@skynet.ie") {
// all responses from this are a success
return Ok(json!({"result": "success"}).into());
}
}
let config = &req.state().config;
let db = &req.state().db;
// considering the local db is updated hourly (or less) use that instead of teh ldap for lookups
let user_details = match db_get_user(db, &user, &email).await {
None => {
return Ok(json!({"result": "success"}).into());
}
Some(x) => x,
};
// user does not have a different email address set
if user_details.mail.trim().ends_with("@skynet.ie") {
return Ok(json!({"result": "success"}).into());
}
// check if a recent password reset request happened lately
db_pending_clear_expired(db).await?;
if db_get_user_reset(db, &user_details.user).await.is_some() {
// reset already requested within timeframe
return Ok(json!({"result": "success"}).into());
}
// send mail
let auth = random_string(50);
if send_mail(config, &user_details, &auth).is_ok() {
// save to db
save_to_db(db, &user_details, &auth).await?;
}
Ok(json!({"result": "success"}).into())
}
#[derive(Debug, Deserialize)]
pub struct PassResetAuth {
auth: String,
pass: String,
}
pub async fn auth(mut req: Request<State>) -> tide::Result {
let PassResetAuth {
auth,
pass,
} = req.body_json().await?;
let config = &req.state().config;
let db = &req.state().db;
if db_pending_clear_expired(db).await.is_err() {
return Ok(json!({"result": "error"}).into());
}
// check if auth exists
let details = match db_get_user_reset_auth(db, &auth).await {
None => {
return Ok(json!({"result": "error"}).into());
}
Some(x) => x,
};
if ldap_reset_pw(config, &details, &pass).await.is_err() {
return Ok(json!({"result": "error", "error": "ldap error"}).into());
};
Ok(json!({"result": "success", "success": "Password set"}).into())
}
async fn db_get_user(pool: &Pool<Sqlite>, user_in: &Option<String>, mail_in: &Option<String>) -> Option<Accounts> {
let user = match user_in {
None => "",
Some(x) => x,
};
let mail = match mail_in {
None => "",
Some(x) => x,
};
if let Ok(res) = sqlx::query_as::<_, Accounts>(
r#"
SELECT *
FROM accounts
WHERE user == ? OR mail ==?
"#,
)
.bind(user)
.bind(mail)
.fetch_all(pool)
.await
{
if !res.is_empty() {
return Some(res[0].to_owned());
}
}
None
}
async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsReset>, sqlx::Error> {
sqlx::query_as::<_, AccountsReset>(
r#"
DELETE
FROM accounts_reset
WHERE date_expiry < ?
"#,
)
.bind(get_now_iso(false))
.fetch_all(pool)
.await
}
async fn db_get_user_reset(pool: &Pool<Sqlite>, user: &str) -> Option<AccountsReset> {
if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
r#"
SELECT *
FROM accounts_reset
WHERE user == ?
"#,
)
.bind(user)
.fetch_all(pool)
.await
{
if !res.is_empty() {
return Some(res[0].to_owned());
}
}
None
}
async fn db_get_user_reset_auth(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsReset> {
if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
r#"
SELECT *
FROM accounts_reset
WHERE auth == ?
"#,
)
.bind(auth)
.fetch_all(pool)
.await
{
if !res.is_empty() {
return Some(res[0].to_owned());
}
}
None
}
async fn ldap_reset_pw(config: &Config, details: &AccountsReset, pass: &str) -> Result<(), ldap3::LdapError> {
let mut ldap = LdapConn::new(&config.ldap_host)?;
ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
let dn = uid_to_dn(&details.user);
// if so then set password
let tmp = PasswordModify {
// none as we are staying on the same connection
user_id: Some(&dn),
old_pass: None,
new_pass: Some(pass),
};
ldap.extended(tmp)?.success()?;
ldap.unbind()?;
Ok(())
}
fn send_mail(config: &Config, record: &Accounts, auth: &str) -> Result<Response, Error> {
let recipient = &record.user;
let mail = &record.mail;
let url_base = "https://sso.skynet.ie";
let link_new = format!("{url_base}/recovery_pass?auth={auth}");
let discord = "https://discord.gg/mkuKJkCuyM";
let sender = format!("UL Computer Society <{}>", &config.mail_user);
// Create the html we want to send.
let html = html! {
head {
title { "Hello from Skynet!" }
style type="text/css" {
"h2, h4 { font-family: Arial, Helvetica, sans-serif; }"
}
}
div style="display: flex; flex-direction: column; align-items: center;" {
h2 { "Hello from Skynet!" }
// Substitute in the name of our recipient.
p { "Hi " (recipient) "," }
p {
"Here is your password reset link:"
br;
a href=(link_new) { (link_new) }
}
p {
"If did not request this please ignore."
}
p {
"UL Computer Society"
br;
"Skynet Team"
br;
a href=(discord) { (discord) }
}
}
};
let body_text = format!(
r#"
Hi {recipient}
Here is your password reset link:
{link_new}
If did not request this please ignore.
UL Computer Society
Skynet Team
{discord}
"#
);
// Build the message.
let email = Message::builder()
.from(sender.parse().unwrap())
.to(mail.parse().unwrap())
.subject("Skynet: Password Reset")
.multipart(
// This is composed of two parts.
// also helps not trip spam settings (uneven number of url's
MultiPart::alternative()
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text))
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())),
)
.expect("failed to build email");
let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone());
// Open a remote connection to gmail using STARTTLS
let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build();
// Send the email
mailer.send(&email)
}
async fn save_to_db(db: &Pool<Sqlite>, record: &Accounts, auth: &str) -> Result<Option<AccountsReset>, sqlx::Error> {
// lets start off a 4 hour timeout on password resets
let offset = Utc::now() + Duration::hours(4);
sqlx::query_as::<_, AccountsReset>(
"
INSERT OR REPLACE INTO accounts_reset (user, auth_code, date_expiry)
VALUES (?1, ?2, ?3)
",
)
.bind(record.user.to_owned())
.bind(auth.to_owned())
.bind(offset.to_rfc3339_opts(SecondsFormat::Millis, true))
.fetch_optional(db)
.await
}
}

2
src/methods/account_update.rs
View file

@ -25,7 +25,7 @@ pub struct ModifyResult {
} }
/// Handles updating a single field with the users own password /// Handles updating a single field with the users own password
pub async fn post_update_ldap(mut req: Request<State>) -> tide::Result { pub async fn submit(mut req: Request<State>) -> tide::Result {
let LdapUpdate { let LdapUpdate {
user, user,
pass, pass,

2
src/methods/mod.rs
View file

@ -1,2 +1,4 @@
pub mod account_new; pub mod account_new;
pub mod account_recover;
pub mod account_update; pub mod account_update;
pub mod password_reset;

302
src/methods/password_reset.rs Normal file
View file

@ -0,0 +1,302 @@
use crate::{get_now_iso, random_string, uid_to_dn, Accounts, AccountsReset, Config, State};
use chrono::{Duration, SecondsFormat, Utc};
use ldap3::{exop::PasswordModify, LdapConn};
use lettre::{
message::{header, MultiPart, SinglePart},
transport::smtp::{authentication::Credentials, response::Response, Error},
Message, SmtpTransport, Transport,
};
use maud::html;
use sqlx::{Pool, Sqlite};
use tide::{
prelude::{json, Deserialize},
Request,
};
#[derive(Debug, Deserialize)]
pub struct PassReset {
user: Option<String>,
email: Option<String>,
}
/// Handles password resets
/// All responses are success, never want to leak info
pub async fn post_password_reset(mut req: Request<State>) -> tide::Result {
let PassReset {
user,
email,
} = req.body_json().await?;
// check that any mail is not using @skynet.ie
if let Some(mail) = &email {
if mail.trim().ends_with("@skynet.ie") {
// all responses from this are a success
return Ok(json!({"result": "success"}).into());
}
}
let config = &req.state().config;
let db = &req.state().db;
// considering the local db is updated hourly (or less) use that instead of teh ldap for lookups
let user_details = match db_get_user(db, &user, &email).await {
None => {
return Ok(json!({"result": "success"}).into());
}
Some(x) => x,
};
// user does not have a different email address set
if user_details.mail.trim().ends_with("@skynet.ie") {
return Ok(json!({"result": "success"}).into());
}
// check if a recent password reset request happened lately
db_pending_clear_expired(db).await?;
if db_get_user_reset(db, &user_details.user).await.is_some() {
// reset already requested within timeframe
return Ok(json!({"result": "success"}).into());
}
// send mail
let auth = random_string(50);
if send_mail(config, &user_details, &auth).is_ok() {
// save to db
save_to_db(db, &user_details, &auth).await?;
}
Ok(json!({"result": "success"}).into())
}
#[derive(Debug, Deserialize)]
pub struct PassResetAuth {
auth: String,
pass: String,
}
pub async fn post_password_auth(mut req: Request<State>) -> tide::Result {
let PassResetAuth {
auth,
pass,
} = req.body_json().await?;
let config = &req.state().config;
let db = &req.state().db;
if db_pending_clear_expired(db).await.is_err() {
return Ok(json!({"result": "error"}).into());
}
// check if auth exists
let details = match db_get_user_reset_auth(db, &auth).await {
None => {
return Ok(json!({"result": "error"}).into());
}
Some(x) => x,
};
if ldap_reset_pw(config, &details, &pass).await.is_err() {
return Ok(json!({"result": "error", "error": "ldap error"}).into());
};
Ok(json!({"result": "success", "success": "Password set"}).into())
}
async fn db_get_user(pool: &Pool<Sqlite>, user_in: &Option<String>, mail_in: &Option<String>) -> Option<Accounts> {
let user = match user_in {
None => "",
Some(x) => x,
};
let mail = match mail_in {
None => "",
Some(x) => x,
};
if let Ok(res) = sqlx::query_as::<_, Accounts>(
r#"
SELECT *
FROM accounts
WHERE user == ? OR mail ==?
"#,
)
.bind(user)
.bind(mail)
.fetch_all(pool)
.await
{
if !res.is_empty() {
return Some(res[0].to_owned());
}
}
None
}
async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsReset>, sqlx::Error> {
sqlx::query_as::<_, AccountsReset>(
r#"
DELETE
FROM accounts_reset
WHERE date_expiry < ?
"#,
)
.bind(get_now_iso(false))
.fetch_all(pool)
.await
}
async fn db_get_user_reset(pool: &Pool<Sqlite>, user: &str) -> Option<AccountsReset> {
if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
r#"
SELECT *
FROM accounts_reset
WHERE user == ?
"#,
)
.bind(user)
.fetch_all(pool)
.await
{
if !res.is_empty() {
return Some(res[0].to_owned());
}
}
None
}
async fn db_get_user_reset_auth(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsReset> {
if let Ok(res) = sqlx::query_as::<_, AccountsReset>(
r#"
SELECT *
FROM accounts_reset
WHERE auth == ?
"#,
)
.bind(auth)
.fetch_all(pool)
.await
{
if !res.is_empty() {
return Some(res[0].to_owned());
}
}
None
}
async fn ldap_reset_pw(config: &Config, details: &AccountsReset, pass: &str) -> Result<(), ldap3::LdapError> {
let mut ldap = LdapConn::new(&config.ldap_host)?;
ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
let dn = uid_to_dn(&details.user);
// if so then set password
let tmp = PasswordModify {
// none as we are staying on the same connection
user_id: Some(&dn),
old_pass: None,
new_pass: Some(pass),
};
ldap.extended(tmp)?.success()?;
ldap.unbind()?;
Ok(())
}
fn send_mail(config: &Config, record: &Accounts, auth: &str) -> Result<Response, Error> {
let recipient = &record.user;
let mail = &record.mail;
let url_base = "https://sso.skynet.ie";
let link_new = format!("{url_base}/recovery_pass?auth={auth}");
let discord = "https://discord.gg/mkuKJkCuyM";
let sender = format!("UL Computer Society <{}>", &config.mail_user);
// Create the html we want to send.
let html = html! {
head {
title { "Hello from Skynet!" }
style type="text/css" {
"h2, h4 { font-family: Arial, Helvetica, sans-serif; }"
}
}
div style="display: flex; flex-direction: column; align-items: center;" {
h2 { "Hello from Skynet!" }
// Substitute in the name of our recipient.
p { "Hi " (recipient) "," }
p {
"Here is your password reset link:"
br;
a href=(link_new) { (link_new) }
}
p {
"If did not request this please ignore."
}
p {
"UL Computer Society"
br;
"Skynet Team"
br;
a href=(discord) { (discord) }
}
}
};
let body_text = format!(
r#"
Hi {recipient}
Here is your password reset link:
{link_new}
If did not request this please ignore.
UL Computer Society
Skynet Team
{discord}
"#
);
// Build the message.
let email = Message::builder()
.from(sender.parse().unwrap())
.to(mail.parse().unwrap())
.subject("Skynet: Password Reset")
.multipart(
// This is composed of two parts.
// also helps not trip spam settings (uneven number of url's
MultiPart::alternative()
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text))
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())),
)
.expect("failed to build email");
let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone());
// Open a remote connection to gmail using STARTTLS
let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build();
// Send the email
mailer.send(&email)
}
async fn save_to_db(db: &Pool<Sqlite>, record: &Accounts, auth: &str) -> Result<Option<AccountsReset>, sqlx::Error> {
// lets start off a 4 hour timeout on password resets
let offset = Utc::now() + Duration::hours(4);
sqlx::query_as::<_, AccountsReset>(
"
INSERT OR REPLACE INTO accounts_reset (user, auth_code, date_expiry)
VALUES (?1, ?2, ?3)
",
)
.bind(record.user.to_owned())
.bind(auth.to_owned())
.bind(offset.to_rfc3339_opts(SecondsFormat::Millis, true))
.fetch_optional(db)
.await
}