Skynet/ldap_backend
6
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

fmt: updated the formatting

Browse source
This commit is contained in:
silver 2023-08-19 22:09:41 +01:00
parent a81e835257
commit ba6021e328
8 changed files with 1370 additions and 1358 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.rustfmt.toml
View file

@ -1,6 +1,9 @@
max_width = 1000 max_width = 150
single_line_if_else_max_width = 100 single_line_if_else_max_width = 100
chain_width = 100 chain_width = 100
fn_params_layout = "Compressed" fn_params_layout = "Compressed"
#control_brace_style = "ClosingNextLine" #control_brace_style = "ClosingNextLine"
struct_lit_width = 0 #brace_style = "PreferSameLine"
struct_lit_width = 0
tab_spaces = 2
use_small_heuristics = "Max"

240
src/bin/update_data.rs
View file

@ -4,161 +4,169 @@ use sqlx::{Pool, Sqlite};
#[async_std::main] #[async_std::main]
async fn main() -> tide::Result<()> { async fn main() -> tide::Result<()> {
let config = get_config(); let config = get_config();
let db = db_init(&config).await.unwrap(); let db = db_init(&config).await.unwrap();
update_wolves(&config, &db).await; update_wolves(&config, &db).await;
update_ldap(&config, &db).await; update_ldap(&config, &db).await;
Ok(()) Ok(())
} }
async fn update_wolves(config: &Config, db: &Pool<Sqlite>) { async fn update_wolves(config: &Config, db: &Pool<Sqlite>) {
let mut records = vec![]; let mut records = vec![];
if let Ok(accounts) = get_csv(config) { if let Ok(accounts) = get_csv(config) {
for account in accounts { for account in accounts {
records.push(AccountWolves::from(account)); records.push(AccountWolves::from(account));
}
} }
}
for account in records { for account in records {
update_account(db, &account).await; update_account(db, &account).await;
} }
} }
async fn update_ldap(config: &Config, db: &Pool<Sqlite>) { async fn update_ldap(config: &Config, db: &Pool<Sqlite>) {
let mut ldap = LdapConn::new(&config.ldap_host).unwrap(); let mut ldap = LdapConn::new(&config.ldap_host).unwrap();
ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw).unwrap().success().unwrap(); ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw).unwrap().success().unwrap();
// use this to pre load a large chunk of data // use this to pre load a large chunk of data
if let Ok(x) = ldap.search("ou=users,dc=skynet,dc=ie", Scope::OneLevel, "(objectClass=*)", vec!["uid", "uidNumber", "skDiscord", "skMemberOf", "mail", "skID", "userPassword"]) { if let Ok(x) = ldap.search(
if let Ok((rs, _res)) = x.success() { "ou=users,dc=skynet,dc=ie",
for entry in rs { Scope::OneLevel,
let tmp = SearchEntry::construct(entry); "(objectClass=*)",
vec!["uid", "uidNumber", "skDiscord", "skMemberOf", "mail", "skID", "userPassword"],
) {
if let Ok((rs, _res)) = x.success() {
for entry in rs {
let tmp = SearchEntry::construct(entry);
let mut tmp_account = Accounts { let mut tmp_account = Accounts {
user: "".to_string(), user: "".to_string(),
uid: 0, uid: 0,
discord: None, discord: None,
mail: "".to_string(), mail: "".to_string(),
student_id: "".to_string(), student_id: "".to_string(),
enabled: false, enabled: false,
secure: false, secure: false,
}; };
// pull out the required info // pull out the required info
if tmp.attrs.contains_key("uid") && !tmp.attrs["uid"].is_empty() { if tmp.attrs.contains_key("uid") && !tmp.attrs["uid"].is_empty() {
tmp_account.user = tmp.attrs["uid"][0].clone(); tmp_account.user = tmp.attrs["uid"][0].clone();
} }
if tmp.attrs.contains_key("uidNumber") && !tmp.attrs["uidNumber"].is_empty() { if tmp.attrs.contains_key("uidNumber") && !tmp.attrs["uidNumber"].is_empty() {
tmp_account.uid = tmp.attrs["uidNumber"][0].clone().parse().unwrap_or(0); tmp_account.uid = tmp.attrs["uidNumber"][0].clone().parse().unwrap_or(0);
} }
if tmp.attrs.contains_key("skDiscord") && !tmp.attrs["skDiscord"].is_empty() { if tmp.attrs.contains_key("skDiscord") && !tmp.attrs["skDiscord"].is_empty() {
tmp_account.discord = Option::from(tmp.attrs["skDiscord"][0].clone()); tmp_account.discord = Option::from(tmp.attrs["skDiscord"][0].clone());
} }
if tmp.attrs.contains_key("mail") && !tmp.attrs["mail"].is_empty() { if tmp.attrs.contains_key("mail") && !tmp.attrs["mail"].is_empty() {
tmp_account.mail = tmp.attrs["mail"][0].clone(); tmp_account.mail = tmp.attrs["mail"][0].clone();
} }
if tmp.attrs.contains_key("skID") && !tmp.attrs["skID"].is_empty() { if tmp.attrs.contains_key("skID") && !tmp.attrs["skID"].is_empty() {
tmp_account.student_id = tmp.attrs["skID"][0].clone(); tmp_account.student_id = tmp.attrs["skID"][0].clone();
} }
if tmp.attrs.contains_key("skMemberOf") && !tmp.attrs["skMemberOf"].is_empty() && tmp.attrs["skMemberOf"].contains(&String::from("cn=skynet-users-linux,ou=groups,dc=skynet,dc=ie")) { if tmp.attrs.contains_key("skMemberOf")
tmp_account.enabled = true; && !tmp.attrs["skMemberOf"].is_empty()
} && tmp.attrs["skMemberOf"].contains(&String::from("cn=skynet-users-linux,ou=groups,dc=skynet,dc=ie"))
if tmp.attrs.contains_key("userPassword") && !tmp.attrs["userPassword"].is_empty() { {
tmp_account.secure = tmp.attrs["userPassword"][0].starts_with("{SSHA512}") tmp_account.enabled = true;
} }
if tmp.attrs.contains_key("userPassword") && !tmp.attrs["userPassword"].is_empty() {
tmp_account.secure = tmp.attrs["userPassword"][0].starts_with("{SSHA512}")
}
if !tmp_account.user.is_empty() { if !tmp_account.user.is_empty() {
sqlx::query_as::<_, Accounts>( sqlx::query_as::<_, Accounts>(
" "
INSERT OR REPLACE INTO accounts (user, uid, discord, mail, student_id, enabled, secure) INSERT OR REPLACE INTO accounts (user, uid, discord, mail, student_id, enabled, secure)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7) VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)
", ",
) )
.bind(&tmp_account.user) .bind(&tmp_account.user)
.bind(tmp_account.uid) .bind(tmp_account.uid)
.bind(&tmp_account.discord) .bind(&tmp_account.discord)
.bind(&tmp_account.mail) .bind(&tmp_account.mail)
.bind(&tmp_account.student_id) .bind(&tmp_account.student_id)
.bind(tmp_account.enabled) .bind(tmp_account.enabled)
.bind(tmp_account.secure) .bind(tmp_account.secure)
.fetch_optional(db) .fetch_optional(db)
.await .await
.ok(); .ok();
}
}
} }
}
} }
}
// done with ldap // done with ldap
ldap.unbind().unwrap(); ldap.unbind().unwrap();
} }
#[derive(Debug, serde::Deserialize)] #[derive(Debug, serde::Deserialize)]
struct RecordCSV { struct RecordCSV {
#[serde(rename = "MemID")] #[serde(rename = "MemID")]
mem_id: String, mem_id: String,
#[serde(rename = "Student Num")] #[serde(rename = "Student Num")]
id_student: String, id_student: String,
#[serde(rename = "Contact Email")] #[serde(rename = "Contact Email")]
email: String, email: String,
#[serde(rename = "Expiry")] #[serde(rename = "Expiry")]
expiry: String, expiry: String,
#[serde(rename = "First Name")] #[serde(rename = "First Name")]
name_first: String, name_first: String,
#[serde(rename = "Last Name")] #[serde(rename = "Last Name")]
name_second: String, name_second: String,
} }
impl From<RecordCSV> for AccountWolves { impl From<RecordCSV> for AccountWolves {
fn from(input: RecordCSV) -> Self { fn from(input: RecordCSV) -> Self {
AccountWolves { AccountWolves {
id_wolves: input.mem_id, id_wolves: input.mem_id,
id_student: input.id_student, id_student: input.id_student,
email: input.email, email: input.email,
expiry: input.expiry, expiry: input.expiry,
name_first: input.name_first, name_first: input.name_first,
name_second: input.name_second, name_second: input.name_second,
}
} }
}
} }
fn get_csv(config: &Config) -> Result<Vec<RecordCSV>, Box<dyn std::error::Error>> { fn get_csv(config: &Config) -> Result<Vec<RecordCSV>, Box<dyn std::error::Error>> {
let mut records: Vec<RecordCSV> = vec![]; let mut records: Vec<RecordCSV> = vec![];
let csv = format!("{}/{}", &config.home, &config.csv); let csv = format!("{}/{}", &config.home, &config.csv);
println!("CSV: {:?}", &csv); println!("CSV: {:?}", &csv);
if let Ok(mut rdr) = csv::Reader::from_path(csv) { if let Ok(mut rdr) = csv::Reader::from_path(csv) {
for result in rdr.deserialize() { for result in rdr.deserialize() {
// Notice that we need to provide a type hint for automatic // Notice that we need to provide a type hint for automatic
// deserialization. // deserialization.
let record: RecordCSV = result?; let record: RecordCSV = result?;
if record.mem_id.is_empty() { if record.mem_id.is_empty() {
continue; continue;
} }
records.push(record); records.push(record);
}
} }
}
Ok(records) Ok(records)
} }
async fn update_account(db: &Pool<Sqlite>, account: &AccountWolves) { async fn update_account(db: &Pool<Sqlite>, account: &AccountWolves) {
sqlx::query_as::<_, AccountWolves>( sqlx::query_as::<_, AccountWolves>(
" "
INSERT OR REPLACE INTO accounts_wolves (id_wolves, id_student, email, expiry, name_first, name_second) INSERT OR REPLACE INTO accounts_wolves (id_wolves, id_student, email, expiry, name_first, name_second)
VALUES (?1, ?2, ?3, ?4, ?5, ?6) VALUES (?1, ?2, ?3, ?4, ?5, ?6)
", ",
) )
.bind(&account.id_wolves) .bind(&account.id_wolves)
.bind(&account.id_student) .bind(&account.id_student)
.bind(&account.email) .bind(&account.email)
.bind(&account.expiry) .bind(&account.expiry)
.bind(&account.name_first) .bind(&account.name_first)
.bind(&account.name_second) .bind(&account.name_second)
.fetch_optional(db) .fetch_optional(db)
.await .await
.ok(); .ok();
} }

222
src/bin/update_groups.rs
View file

@ -4,170 +4,170 @@ use std::{collections::HashSet, env, error::Error};
#[async_std::main] #[async_std::main]
async fn main() -> tide::Result<()> { async fn main() -> tide::Result<()> {
let config = get_config(); let config = get_config();
update(&config).await?; update(&config).await?;
Ok(()) Ok(())
} }
async fn update(config: &Config) -> tide::Result<()> { async fn update(config: &Config) -> tide::Result<()> {
let db = db_init(config).await.unwrap(); let db = db_init(config).await.unwrap();
// default user to ensure group is never empty // default user to ensure group is never empty
let mut users_tmp = HashSet::from([String::from("compsoc")]); let mut users_tmp = HashSet::from([String::from("compsoc")]);
let mut admins_tmp = HashSet::from([String::from("compsoc")]); let mut admins_tmp = HashSet::from([String::from("compsoc")]);
let mut committee_tmp = HashSet::from([String::from("compsoc")]); let mut committee_tmp = HashSet::from([String::from("compsoc")]);
if let Ok(x) = env::var("USERS_LIFETIME") { if let Ok(x) = env::var("USERS_LIFETIME") {
for user in x.split(',').collect::<Vec<&str>>() { for user in x.split(',').collect::<Vec<&str>>() {
users_tmp.insert(user.to_string()); users_tmp.insert(user.to_string());
}
} }
}
// pull from wolves csv // pull from wolves csv
for user in from_csv(&db).await.unwrap_or_default() { for user in from_csv(&db).await.unwrap_or_default() {
users_tmp.insert(user); users_tmp.insert(user);
}
if let Ok(x) = env::var("USERS_ADMIN") {
// admins automatically get added as users
for user in x.split(',').collect::<Vec<&str>>() {
admins_tmp.insert(user.to_string());
users_tmp.insert(user.to_string());
} }
}
if let Ok(x) = env::var("USERS_ADMIN") { // read from teh env
// admins automatically get added as users if let Ok(x) = env::var("USERS_COMMITTEE") {
for user in x.split(',').collect::<Vec<&str>>() { // committee automatically get added as users
admins_tmp.insert(user.to_string()); for user in x.split(',').collect::<Vec<&str>>() {
users_tmp.insert(user.to_string()); committee_tmp.insert(user.to_string());
} users_tmp.insert(user.to_string());
} }
}
// read from teh env // sorting makes it easier/faster
if let Ok(x) = env::var("USERS_COMMITTEE") { if let Ok(x) = env::var("USERS_BANNED") {
// committee automatically get added as users for user in x.split(',').collect::<Vec<&str>>() {
for user in x.split(',').collect::<Vec<&str>>() { users_tmp.remove(user);
committee_tmp.insert(user.to_string());
users_tmp.insert(user.to_string());
}
} }
}
// sorting makes it easier/faster let AccountsSecure {
if let Ok(x) = env::var("USERS_BANNED") { users,
for user in x.split(',').collect::<Vec<&str>>() { admins,
users_tmp.remove(user); committee,
} } = get_secure(&db, &users_tmp, &admins_tmp, &committee_tmp).await;
}
let AccountsSecure { update_group(config, "skynet-users", &users, true).await?;
users, update_group(config, "skynet-admins", &admins, true).await?;
admins, update_group(config, "skynet-committee", &committee, true).await?;
committee,
} = get_secure(&db, &users_tmp, &admins_tmp, &committee_tmp).await;
update_group(config, "skynet-users", &users, true).await?; Ok(())
update_group(config, "skynet-admins", &admins, true).await?;
update_group(config, "skynet-committee", &committee, true).await?;
Ok(())
} }
async fn from_csv(db: &Pool<Sqlite>) -> Result<HashSet<String>, Box<dyn Error>> { async fn from_csv(db: &Pool<Sqlite>) -> Result<HashSet<String>, Box<dyn Error>> {
let mut uids = HashSet::new(); let mut uids = HashSet::new();
for record in get_wolves(db).await { for record in get_wolves(db).await {
// only import users if it is actually active. // only import users if it is actually active.
if record.expiry < get_now_iso(true) { if record.expiry < get_now_iso(true) {
continue; continue;
}
if let Some(uid) = account_mail_get_uid(db, &record.email).await {
uids.insert(uid);
} else if let Some(uid) = account_id_get_uid(db, &record.id_student).await {
uids.insert(uid);
}
} }
if let Some(uid) = account_mail_get_uid(db, &record.email).await {
uids.insert(uid);
} else if let Some(uid) = account_id_get_uid(db, &record.id_student).await {
uids.insert(uid);
}
}
Ok(uids) Ok(uids)
} }
async fn account_mail_get_uid(db: &Pool<Sqlite>, mail: &str) -> Option<String> { async fn account_mail_get_uid(db: &Pool<Sqlite>, mail: &str) -> Option<String> {
match sqlx::query_as::<_, Accounts>( match sqlx::query_as::<_, Accounts>(
r#" r#"
SELECT * SELECT *
FROM accounts FROM accounts
WHERE mail == ? WHERE mail == ?
"#, "#,
) )
.bind(mail) .bind(mail)
.fetch_one(db) .fetch_one(db)
.await .await
{ {
Ok(res) => Some(res.user.to_owned()), Ok(res) => Some(res.user.to_owned()),
Err(_) => None, Err(_) => None,
} }
} }
async fn account_id_get_uid(db: &Pool<Sqlite>, id: &str) -> Option<String> { async fn account_id_get_uid(db: &Pool<Sqlite>, id: &str) -> Option<String> {
match sqlx::query_as::<_, Accounts>( match sqlx::query_as::<_, Accounts>(
r#" r#"
SELECT * SELECT *
FROM accounts FROM accounts
WHERE student_id == ? WHERE student_id == ?
"#, "#,
) )
.bind(id) .bind(id)
.fetch_one(db) .fetch_one(db)
.await .await
{ {
Ok(res) => Some(res.student_id.to_owned()), Ok(res) => Some(res.student_id.to_owned()),
Err(_) => None, Err(_) => None,
} }
} }
struct AccountsSecure { struct AccountsSecure {
users: Vec<String>, users: Vec<String>,
admins: Vec<String>, admins: Vec<String>,
committee: Vec<String>, committee: Vec<String>,
} }
async fn get_secure(db: &Pool<Sqlite>, users: &HashSet<String>, admins: &HashSet<String>, committee: &HashSet<String>) -> AccountsSecure { async fn get_secure(db: &Pool<Sqlite>, users: &HashSet<String>, admins: &HashSet<String>, committee: &HashSet<String>) -> AccountsSecure {
// to avoid searching for teh same thing again. // to avoid searching for teh same thing again.
let mut cache = HashSet::new(); let mut cache = HashSet::new();
AccountsSecure { AccountsSecure {
users: get_secure_sub(db, users, &mut cache).await, users: get_secure_sub(db, users, &mut cache).await,
admins: get_secure_sub(db, admins, &mut cache).await, admins: get_secure_sub(db, admins, &mut cache).await,
committee: get_secure_sub(db, committee, &mut cache).await, committee: get_secure_sub(db, committee, &mut cache).await,
} }
} }
async fn get_secure_sub(db: &Pool<Sqlite>, group: &HashSet<String>, cache: &mut HashSet<String>) -> Vec<String> { async fn get_secure_sub(db: &Pool<Sqlite>, group: &HashSet<String>, cache: &mut HashSet<String>) -> Vec<String> {
let mut tmp = vec![]; let mut tmp = vec![];
for user in group { for user in group {
// check the cache first // check the cache first
let mut add = false; let mut add = false;
if cache.get(user).is_some() { if cache.get(user).is_some() {
add = true; add = true;
} else if is_secure(db, user).await { } else if is_secure(db, user).await {
cache.insert(user.to_string()); cache.insert(user.to_string());
add = true; add = true;
}
if add {
tmp.push(user.clone());
}
} }
tmp if add {
tmp.push(user.clone());
}
}
tmp
} }
async fn is_secure(db: &Pool<Sqlite>, user: &str) -> bool { async fn is_secure(db: &Pool<Sqlite>, user: &str) -> bool {
match sqlx::query_as::<_, Accounts>( match sqlx::query_as::<_, Accounts>(
r#" r#"
SELECT * SELECT *
FROM accounts FROM accounts
WHERE user == ? AND secure == 1 WHERE user == ? AND secure == 1
"#, "#,
) )
.bind(user) .bind(user)
.fetch_all(db) .fetch_all(db)
.await .await
{ {
Ok(res) => !res.is_empty(), Ok(res) => !res.is_empty(),
Err(_) => false, Err(_) => false,
} }
} }

376
src/lib.rs
View file

@ -4,72 +4,72 @@ use dotenvy::dotenv;
use ldap3::{LdapConn, Mod}; use ldap3::{LdapConn, Mod};
use rand::{distributions::Alphanumeric, thread_rng, Rng}; use rand::{distributions::Alphanumeric, thread_rng, Rng};
use sqlx::{ use sqlx::{
sqlite::{SqliteConnectOptions, SqlitePoolOptions}, sqlite::{SqliteConnectOptions, SqlitePoolOptions},
Error, Pool, Sqlite, Error, Pool, Sqlite,
}; };
use std::{ use std::{
env, env,
str::FromStr, str::FromStr,
time::{SystemTime, UNIX_EPOCH}, time::{SystemTime, UNIX_EPOCH},
}; };
use tide::prelude::*; use tide::prelude::*;
#[derive(Debug, Deserialize, Serialize, sqlx::FromRow)] #[derive(Debug, Deserialize, Serialize, sqlx::FromRow)]
pub struct AccountWolves { pub struct AccountWolves {
pub id_wolves: String, pub id_wolves: String,
pub id_student: String, pub id_student: String,
pub email: String, pub email: String,
pub expiry: String, pub expiry: String,
pub name_first: String, pub name_first: String,
pub name_second: String, pub name_second: String,
} }
#[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)] #[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
pub struct AccountsNew { pub struct AccountsNew {
pub mail: String, pub mail: String,
pub auth_code: String, pub auth_code: String,
pub date_iso: String, pub date_iso: String,
pub date_expiry: String, pub date_expiry: String,
pub name_first: String, pub name_first: String,
pub name_surname: String, pub name_surname: String,
pub id_student: String, pub id_student: String,
} }
#[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)] #[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
pub struct AccountsReset { pub struct AccountsReset {
pub user: String, pub user: String,
pub auth_code: String, pub auth_code: String,
pub date_expiry: String, pub date_expiry: String,
} }
#[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)] #[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
pub struct AccountsSSH { pub struct AccountsSSH {
pub user: String, pub user: String,
pub auth_code: String, pub auth_code: String,
pub email: String, pub email: String,
} }
#[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)] #[derive(Debug, Clone, Deserialize, Serialize, sqlx::FromRow)]
pub struct Accounts { pub struct Accounts {
pub user: String, pub user: String,
pub uid: i64, pub uid: i64,
pub discord: Option<String>, pub discord: Option<String>,
pub mail: String, pub mail: String,
pub student_id: String, pub student_id: String,
pub enabled: bool, pub enabled: bool,
pub secure: bool, pub secure: bool,
} }
pub async fn db_init(config: &Config) -> Result<Pool<Sqlite>, Error> { pub async fn db_init(config: &Config) -> Result<Pool<Sqlite>, Error> {
let database = format!("{}/{}", &config.home, &config.database); let database = format!("{}/{}", &config.home, &config.database);
println!("Database: {:?}", &database); println!("Database: {:?}", &database);
let pool = SqlitePoolOptions::new() let pool = SqlitePoolOptions::new()
.max_connections(5) .max_connections(5)
.connect_with(SqliteConnectOptions::from_str(&format!("sqlite://{}", database))?.create_if_missing(true)) .connect_with(SqliteConnectOptions::from_str(&format!("sqlite://{}", database))?.create_if_missing(true))
.await?; .await?;
sqlx::query( sqlx::query(
"CREATE TABLE IF NOT EXISTS accounts_wolves ( "CREATE TABLE IF NOT EXISTS accounts_wolves (
id_wolves text primary key, id_wolves text primary key,
id_student text not null, id_student text not null,
email text not null, email text not null,
@ -77,12 +77,12 @@ pub async fn db_init(config: &Config) -> Result<Pool<Sqlite>, Error> {
name_first text not null, name_first text not null,
name_second integer not null name_second integer not null
)", )",
) )
.execute(&pool) .execute(&pool)
.await?; .await?;
sqlx::query( sqlx::query(
"CREATE TABLE IF NOT EXISTS accounts_new ( "CREATE TABLE IF NOT EXISTS accounts_new (
mail text primary key, mail text primary key,
auth_code text not null, auth_code text not null,
date_iso text not null, date_iso text not null,
@ -91,47 +91,47 @@ pub async fn db_init(config: &Config) -> Result<Pool<Sqlite>, Error> {
name_surname integer not null, name_surname integer not null,
id_student text not null id_student text not null
)", )",
) )
.execute(&pool)
.await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_new (auth_code)")
.execute(&pool)
.await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_new (date_expiry)")
.execute(&pool) .execute(&pool)
.await?; .await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_new (auth_code)") sqlx::query(
.execute(&pool) "CREATE TABLE IF NOT EXISTS accounts_ssh (
.await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_new (date_expiry)")
.execute(&pool)
.await?;
sqlx::query(
"CREATE TABLE IF NOT EXISTS accounts_ssh (
user text primary key, user text primary key,
auth_code text not null, auth_code text not null,
email text not null email text not null
)", )",
) )
.execute(&pool) .execute(&pool)
.await?; .await?;
sqlx::query( sqlx::query(
"CREATE TABLE IF NOT EXISTS accounts_reset ( "CREATE TABLE IF NOT EXISTS accounts_reset (
user text primary key, user text primary key,
auth_code text not null, auth_code text not null,
date_expiry text not null date_expiry text not null
)", )",
) )
.execute(&pool)
.await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_reset (auth_code)")
.execute(&pool)
.await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_reset (date_expiry)")
.execute(&pool) .execute(&pool)
.await?; .await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_auth_code ON accounts_reset (auth_code)") // this is for active use
.execute(&pool) sqlx::query(
.await?; "CREATE TABLE IF NOT EXISTS accounts (
sqlx::query("CREATE INDEX IF NOT EXISTS index_date_expiry ON accounts_reset (date_expiry)")
.execute(&pool)
.await?;
// this is for active use
sqlx::query(
"CREATE TABLE IF NOT EXISTS accounts (
user text primary key, user text primary key,
uid integer not null, uid integer not null,
discord text, discord text,
@ -140,168 +140,168 @@ pub async fn db_init(config: &Config) -> Result<Pool<Sqlite>, Error> {
enabled integer not null, enabled integer not null,
secure integer not null secure integer not null
)", )",
) )
.execute(&pool)
.await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_uid_number ON accounts (uid)").execute(&pool).await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_mail ON accounts (mail)").execute(&pool).await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_student_id ON accounts (student_id)")
.execute(&pool) .execute(&pool)
.await?; .await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_uid_number ON accounts (uid)").execute(&pool).await?; Ok(pool)
sqlx::query("CREATE INDEX IF NOT EXISTS index_mail ON accounts (mail)").execute(&pool).await?;
sqlx::query("CREATE INDEX IF NOT EXISTS index_student_id ON accounts (student_id)")
.execute(&pool)
.await?;
Ok(pool)
} }
pub fn get_now() -> i64 { pub fn get_now() -> i64 {
if let Ok(x) = SystemTime::now().duration_since(UNIX_EPOCH) { if let Ok(x) = SystemTime::now().duration_since(UNIX_EPOCH) {
x.as_secs() as i64 x.as_secs() as i64
} else { } else {
0 0
} }
} }
pub fn get_now_iso(short: bool) -> String { pub fn get_now_iso(short: bool) -> String {
let now = Utc::now(); let now = Utc::now();
if short { if short {
format!("{}-{:02}-{:02}", now.year(), now.month(), now.day()) format!("{}-{:02}-{:02}", now.year(), now.month(), now.day())
} else { } else {
now.to_rfc3339_opts(SecondsFormat::Millis, true) now.to_rfc3339_opts(SecondsFormat::Millis, true)
} }
} }
#[derive(Clone)] #[derive(Clone)]
pub struct State { pub struct State {
pub db: Pool<Sqlite>, pub db: Pool<Sqlite>,
pub config: Config, pub config: Config,
} }
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
pub struct Config { pub struct Config {
pub ldap_host: String, pub ldap_host: String,
pub ldap_admin: String, pub ldap_admin: String,
pub ldap_admin_pw: String, pub ldap_admin_pw: String,
pub home: String, pub home: String,
pub database: String, pub database: String,
pub csv: String, pub csv: String,
pub host_port: String, pub host_port: String,
pub mail_smtp: String, pub mail_smtp: String,
pub mail_user: String, pub mail_user: String,
pub mail_pass: String, pub mail_pass: String,
pub ssh_root: String, pub ssh_root: String,
} }
pub fn get_config() -> Config { pub fn get_config() -> Config {
dotenv().ok(); dotenv().ok();
// reasonable defaults // reasonable defaults
let mut config = Config { let mut config = Config {
ldap_host: "".to_string(), ldap_host: "".to_string(),
ldap_admin: "".to_string(), ldap_admin: "".to_string(),
ldap_admin_pw: "".to_string(), ldap_admin_pw: "".to_string(),
home: ".".to_string(), home: ".".to_string(),
database: "database.db".to_string(), database: "database.db".to_string(),
csv: "wolves.csv".to_string(), csv: "wolves.csv".to_string(),
host_port: "127.0.0.1:8087".to_string(), host_port: "127.0.0.1:8087".to_string(),
mail_smtp: "".to_string(), mail_smtp: "".to_string(),
mail_user: "".to_string(), mail_user: "".to_string(),
mail_pass: "".to_string(), mail_pass: "".to_string(),
ssh_root: "/skynet_old/home".to_string(), ssh_root: "/skynet_old/home".to_string(),
}; };
if let Ok(x) = env::var("LDAP_HOST") { if let Ok(x) = env::var("LDAP_HOST") {
config.ldap_host = x.trim().to_string(); config.ldap_host = x.trim().to_string();
} }
if let Ok(x) = env::var("LDAP_ADMIN") { if let Ok(x) = env::var("LDAP_ADMIN") {
config.ldap_admin = x.trim().to_string(); config.ldap_admin = x.trim().to_string();
} }
if let Ok(x) = env::var("LDAP_ADMIN_PW") { if let Ok(x) = env::var("LDAP_ADMIN_PW") {
config.ldap_admin_pw = x.trim().to_string(); config.ldap_admin_pw = x.trim().to_string();
} }
if let Ok(x) = env::var("HOME") { if let Ok(x) = env::var("HOME") {
config.home = x.trim().to_string(); config.home = x.trim().to_string();
} }
if let Ok(x) = env::var("DATABASE") { if let Ok(x) = env::var("DATABASE") {
config.database = x.trim().to_string(); config.database = x.trim().to_string();
} }
if let Ok(x) = env::var("CSV") { if let Ok(x) = env::var("CSV") {
config.csv = x.trim().to_string(); config.csv = x.trim().to_string();
} }
if let Ok(x) = env::var("HOST_PORT") { if let Ok(x) = env::var("HOST_PORT") {
config.host_port = x.trim().to_string(); config.host_port = x.trim().to_string();
} }
if let Ok(x) = env::var("EMAIL_SMTP") { if let Ok(x) = env::var("EMAIL_SMTP") {
config.mail_smtp = x.trim().to_string(); config.mail_smtp = x.trim().to_string();
} }
if let Ok(x) = env::var("EMAIL_USER") { if let Ok(x) = env::var("EMAIL_USER") {
config.mail_user = x.trim().to_string(); config.mail_user = x.trim().to_string();
} }
if let Ok(x) = env::var("EMAIL_PASS") { if let Ok(x) = env::var("EMAIL_PASS") {
config.mail_pass = x.trim().to_string(); config.mail_pass = x.trim().to_string();
} }
if let Ok(x) = env::var("SSH_ROOT") { if let Ok(x) = env::var("SSH_ROOT") {
config.ssh_root = x.trim().to_string(); config.ssh_root = x.trim().to_string();
} }
config config
} }
// from https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html#create-random-passwords-from-a-set-of-alphanumeric-characters // from https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html#create-random-passwords-from-a-set-of-alphanumeric-characters
pub fn random_string(len: usize) -> String { pub fn random_string(len: usize) -> String {
thread_rng().sample_iter(&Alphanumeric).take(len).map(char::from).collect() thread_rng().sample_iter(&Alphanumeric).take(len).map(char::from).collect()
} }
pub async fn get_wolves(db: &Pool<Sqlite>) -> Vec<AccountWolves> { pub async fn get_wolves(db: &Pool<Sqlite>) -> Vec<AccountWolves> {
sqlx::query_as::<_, AccountWolves>( sqlx::query_as::<_, AccountWolves>(
r#" r#"
SELECT * SELECT *
FROM accounts_wolves FROM accounts_wolves
"#, "#,
) )
.fetch_all(db) .fetch_all(db)
.await .await
.unwrap_or(vec![]) .unwrap_or(vec![])
} }
pub fn uid_to_dn(uid: &str) -> String { pub fn uid_to_dn(uid: &str) -> String {
format!("uid={},ou=users,dc=skynet,dc=ie", uid) format!("uid={},ou=users,dc=skynet,dc=ie", uid)
} }
pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, replace: bool) -> tide::Result<()> { pub async fn update_group(config: &Config, group: &str, users: &Vec<String>, replace: bool) -> tide::Result<()> {
if users.is_empty() { if users.is_empty() {
return Ok(()); return Ok(());
} }
let mut ldap = LdapConn::new(&config.ldap_host)?; let mut ldap = LdapConn::new(&config.ldap_host)?;
// use the admin account // use the admin account
ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?; ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
let dn = format!("cn={},ou=groups,dc=skynet,dc=ie", group); let dn = format!("cn={},ou=groups,dc=skynet,dc=ie", group);
let members = users.iter().map(|uid| uid_to_dn(uid)).collect(); let members = users.iter().map(|uid| uid_to_dn(uid)).collect();
let mods = if replace { let mods = if replace {
vec![Mod::Replace("member".to_string(), members)] vec![Mod::Replace("member".to_string(), members)]
} else { } else {
vec![Mod::Add("member".to_string(), members)] vec![Mod::Add("member".to_string(), members)]
}; };
if let Err(x) = ldap.modify(&dn, mods) { if let Err(x) = ldap.modify(&dn, mods) {
println!("{:?}", x); println!("{:?}", x);
} }
let dn_linux = format!("cn={}-linux,ou=groups,dc=skynet,dc=ie", group); let dn_linux = format!("cn={}-linux,ou=groups,dc=skynet,dc=ie", group);
let members_linux = users.iter().map(|uid| uid.to_string()).collect(); let members_linux = users.iter().map(|uid| uid.to_string()).collect();
let mods = if replace { let mods = if replace {
vec![Mod::Replace("memberUid".to_string(), members_linux)] vec![Mod::Replace("memberUid".to_string(), members_linux)]
} else { } else {
vec![Mod::Add("memberUid".to_string(), members_linux)] vec![Mod::Add("memberUid".to_string(), members_linux)]
}; };
if let Err(x) = ldap.modify(&dn_linux, mods) { if let Err(x) = ldap.modify(&dn_linux, mods) {
println!("{:?}", x); println!("{:?}", x);
}; };
// tidy up // tidy up
ldap.unbind()?; ldap.unbind()?;
Ok(()) Ok(())
} }

50
src/main.rs
View file

@ -1,39 +1,39 @@
use skynet_ldap_backend::{ use skynet_ldap_backend::{
db_init, get_config, db_init, get_config,
methods::{account_new, account_recover, account_update}, methods::{account_new, account_recover, account_update},
State, State,
}; };
#[async_std::main] #[async_std::main]
async fn main() -> tide::Result<()> { async fn main() -> tide::Result<()> {
let config = get_config(); let config = get_config();
let db = db_init(&config).await?; let db = db_init(&config).await?;
let host_port = config.host_port.clone(); let host_port = config.host_port.clone();
tide::log::start(); tide::log::start();
let state = State { let state = State {
db, db,
config, config,
}; };
let mut app = tide::with_state(state); let mut app = tide::with_state(state);
// for users to update their own profile // for users to update their own profile
app.at("/ldap/update").post(account_update::submit); app.at("/ldap/update").post(account_update::submit);
// for new users // for new users
app.at("/ldap/new/email").post(account_new::email::submit); app.at("/ldap/new/email").post(account_new::email::submit);
app.at("/ldap/new/account").post(account_new::account::submit); app.at("/ldap/new/account").post(account_new::account::submit);
// for folks who forget password/username // for folks who forget password/username
app.at("/ldap/recover/password").post(account_recover::password::reset); app.at("/ldap/recover/password").post(account_recover::password::reset);
app.at("/ldap/recover/password/auth").post(account_recover::password::auth); app.at("/ldap/recover/password/auth").post(account_recover::password::auth);
app.at("/ldap/recover/username").post(account_recover::username::submit); app.at("/ldap/recover/username").post(account_recover::username::submit);
app.at("/ldap/recover/ssh/request").post(account_recover::ssh::request); app.at("/ldap/recover/ssh/request").post(account_recover::ssh::request);
app.at("/ldap/recover/ssh/verify").post(account_recover::ssh::verify); app.at("/ldap/recover/ssh/verify").post(account_recover::ssh::verify);
app.listen(host_port).await?; app.listen(host_port).await?;
Ok(()) Ok(())
} }

687
src/methods/account_new.rs
View file

@ -1,170 +1,170 @@
use crate::{get_now_iso, random_string, AccountWolves, Accounts, AccountsNew, Config, State}; use crate::{get_now_iso, random_string, AccountWolves, Accounts, AccountsNew, Config, State};
use ldap3::{exop::PasswordModify, LdapConn, Scope}; use ldap3::{exop::PasswordModify, LdapConn, Scope};
use lettre::{ use lettre::{
message::{header, MultiPart, SinglePart}, message::{header, MultiPart, SinglePart},
transport::smtp::authentication::Credentials, transport::smtp::{self, authentication::Credentials},
Message, SmtpTransport, Transport, Message, SmtpTransport, Transport,
}; };
use maud::html; use maud::html;
use sqlx::{Error, Pool, Sqlite}; use sqlx::{Error, Pool, Sqlite};
use std::collections::HashSet; use std::collections::HashSet;
use tide::{ use tide::{
prelude::{json, Deserialize}, prelude::{json, Deserialize},
Request, Request,
}; };
pub mod email { pub mod email {
use super::*; use super::*;
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
struct SignupEmail { struct SignupEmail {
email: String, email: String,
} }
pub async fn submit(mut req: Request<State>) -> tide::Result { pub async fn submit(mut req: Request<State>) -> tide::Result {
let SignupEmail { let SignupEmail {
email, email,
} = req.body_json().await?; } = req.body_json().await?;
let config = &req.state().config; let config = &req.state().config;
let db = &req.state().db; let db = &req.state().db;
for record in get_wolves_mail(db, &email).await { for record in get_wolves_mail(db, &email).await {
// skynet emails not permitted // skynet emails not permitted
if record.email.trim().ends_with("@skynet.ie") { if record.email.trim().ends_with("@skynet.ie") {
continue; continue;
} }
// check if the email is already in the db // check if the email is already in the db
if !check(db, &record.email).await { if !check(db, &record.email).await {
continue; continue;
} }
// generate a auth key // generate a auth key
let auth = random_string(75); let auth = random_string(75);
match send_mail(config, &record, &auth) { match send_mail(config, &record, &auth) {
Ok(_) => match save_to_db(db, &record, &auth).await { Ok(_) => match save_to_db(db, &record, &auth).await {
Ok(_) => {} Ok(_) => {}
Err(e) => { Err(e) => {
println!("Unable to save to db {} {e:?}", &record.email); println!("Unable to save to db {} {e:?}", &record.email);
} }
}, },
Err(e) => { Err(e) => {
println!("Unable to send mail to {} {e:?}", &record.email); println!("Unable to send mail to {} {e:?}", &record.email);
}
}
} }
}
Ok(json!({"result": "success"}).into())
} }
pub async fn get_wolves_mail(db: &Pool<Sqlite>, mail: &str) -> Vec<AccountWolves> { Ok(json!({"result": "success"}).into())
sqlx::query_as::<_, AccountWolves>( }
r#"
pub async fn get_wolves_mail(db: &Pool<Sqlite>, mail: &str) -> Vec<AccountWolves> {
sqlx::query_as::<_, AccountWolves>(
r#"
SELECT * SELECT *
FROM accounts_wolves FROM accounts_wolves
WHERE email = ? WHERE email = ?
"#, "#,
) )
.bind(mail) .bind(mail)
.fetch_all(db) .fetch_all(db)
.await .await
.unwrap_or(vec![]) .unwrap_or(vec![])
} }
async fn check(db: &Pool<Sqlite>, mail: &str) -> bool { async fn check(db: &Pool<Sqlite>, mail: &str) -> bool {
check_pending(db, mail).await && check_users(db, mail).await check_pending(db, mail).await && check_users(db, mail).await
} }
async fn check_users(db: &Pool<Sqlite>, mail: &str) -> bool { async fn check_users(db: &Pool<Sqlite>, mail: &str) -> bool {
sqlx::query_as::<_, Accounts>( sqlx::query_as::<_, Accounts>(
r#" r#"
SELECT * SELECT *
FROM accounts FROM accounts
WHERE mail == ? WHERE mail == ?
"#, "#,
) )
.bind(mail) .bind(mail)
.fetch_all(db) .fetch_all(db)
.await .await
.unwrap_or(vec![]) .unwrap_or(vec![])
.is_empty() .is_empty()
} }
async fn check_pending(db: &Pool<Sqlite>, mail: &str) -> bool { async fn check_pending(db: &Pool<Sqlite>, mail: &str) -> bool {
sqlx::query_as::<_, AccountsNew>( sqlx::query_as::<_, AccountsNew>(
r#" r#"
SELECT * SELECT *
FROM accounts_new FROM accounts_new
WHERE mail == ? WHERE mail == ?
"#, "#,
) )
.bind(mail) .bind(mail)
.fetch_all(db) .fetch_all(db)
.await .await
.unwrap_or(vec![]) .unwrap_or(vec![])
.is_empty() .is_empty()
} }
// using https://github.com/lettre/lettre/blob/57886c367d69b4d66300b322c94bd910b1eca364/examples/maud_html.rs // using https://github.com/lettre/lettre/blob/57886c367d69b4d66300b322c94bd910b1eca364/examples/maud_html.rs
fn send_mail(config: &Config, record: &AccountWolves, auth: &str) -> Result<lettre::transport::smtp::response::Response, lettre::transport::smtp::Error> { fn send_mail(config: &Config, record: &AccountWolves, auth: &str) -> Result<smtp::response::Response, smtp::Error> {
let recipient = &record.name_first; let recipient = &record.name_first;
let mail = &record.email; let mail = &record.email;
let url_base = "https://account.skynet.ie"; let url_base = "https://account.skynet.ie";
let link_new = format!("{url_base}/register?auth={auth}"); let link_new = format!("{url_base}/register?auth={auth}");
let link_mod = format!("{url_base}/modify"); let link_mod = format!("{url_base}/modify");
let discord = "https://discord.skynet.ie"; let discord = "https://discord.skynet.ie";
let sender = format!("UL Computer Society <{}>", &config.mail_user); let sender = format!("UL Computer Society <{}>", &config.mail_user);
// Create the html we want to send. // Create the html we want to send.
let html = html! { let html = html! {
head { head {
title { "Hello from Skynet!" } title { "Hello from Skynet!" }
style type="text/css" { style type="text/css" {
"h2, h4 { font-family: Arial, Helvetica, sans-serif; }" "h2, h4 { font-family: Arial, Helvetica, sans-serif; }"
}
} }
div style="display: flex; flex-direction: column; align-items: center;" { }
h2 { "Hello from Skynet!" } div style="display: flex; flex-direction: column; align-items: center;" {
// Substitute in the name of our recipient. h2 { "Hello from Skynet!" }
p { "Hi " (recipient) "," } // Substitute in the name of our recipient.
p { p { "Hi " (recipient) "," }
"As part of the UL Computer Society you get an account on our Skynet cluster." p {
br; "As part of the UL Computer Society you get an account on our Skynet cluster."
"This gives you access to some of teh various services we offer:" br;
ul { "This gives you access to some of teh various services we offer:"
li { "Email" } ul {
li { "Gitlab" } li { "Email" }
li { "Linux Webhost" } li { "Gitlab" }
} li { "Linux Webhost" }
br;
"The following invite will remain active until the end of year."
}
p {
"If you are a new member please use the following link:"
br;
a href=(link_new) { (link_new) }
}
p {
"If you are a returning user please set an email for your account at:"
br;
a href=(link_mod) { (link_mod) }
}
p {
"If you have issues please refer to our Discord server:"
br;
a href=(discord) { (discord) }
}
p {
"Skynet Team"
br;
"UL Computer Society"
} }
br;
"The following invite will remain active until the end of year."
}
p {
"If you are a new member please use the following link:"
br;
a href=(link_new) { (link_new) }
}
p {
"If you are a returning user please set an email for your account at:"
br;
a href=(link_mod) { (link_mod) }
}
p {
"If you have issues please refer to our Discord server:"
br;
a href=(discord) { (discord) }
} }
};
let body_text = format!( p {
r#" "Skynet Team"
br;
"UL Computer Society"
}
}
};
let body_text = format!(
r#"
Hi {recipient} Hi {recipient}
As part of the UL Computer Society you get an account on our Skynet cluster. As part of the UL Computer Society you get an account on our Skynet cluster.
@ -186,275 +186,276 @@ pub mod email {
Skynet Team Skynet Team
UL Computer Society UL Computer Society
"# "#
); );
// Build the message. // Build the message.
let email = Message::builder() let email = Message::builder()
.from(sender.parse().unwrap()) .from(sender.parse().unwrap())
.to(mail.parse().unwrap()) .to(mail.parse().unwrap())
.subject("Skynet: New Account.") .subject("Skynet: New Account.")
.multipart( .multipart(
// This is composed of two parts. // This is composed of two parts.
// also helps not trip spam settings (uneven number of url's // also helps not trip spam settings (uneven number of url's
MultiPart::alternative() MultiPart::alternative()
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text)) .singlepart(SinglePart::builder().header(header::ContentType::TEXT_PLAIN).body(body_text))
.singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())), .singlepart(SinglePart::builder().header(header::ContentType::TEXT_HTML).body(html.into_string())),
) )
.expect("failed to build email"); .expect("failed to build email");
let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone()); let creds = Credentials::new(config.mail_user.clone(), config.mail_pass.clone());
// Open a remote connection to gmail using STARTTLS // Open a remote connection to gmail using STARTTLS
let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build(); let mailer = SmtpTransport::starttls_relay(&config.mail_smtp).unwrap().credentials(creds).build();
// Send the email // Send the email
mailer.send(&email) mailer.send(&email)
} }
async fn save_to_db(db: &Pool<Sqlite>, record: &AccountWolves, auth: &str) -> Result<Option<AccountsNew>, sqlx::Error> { async fn save_to_db(db: &Pool<Sqlite>, record: &AccountWolves, auth: &str) -> Result<Option<AccountsNew>, sqlx::Error> {
sqlx::query_as::<_, AccountsNew>( sqlx::query_as::<_, AccountsNew>(
" "
INSERT OR REPLACE INTO accounts_new (mail, auth_code, date_iso, date_expiry, name_first, name_surname, id_student) INSERT OR REPLACE INTO accounts_new (mail, auth_code, date_iso, date_expiry, name_first, name_surname, id_student)
VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7) VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7)
", ",
) )
.bind(record.email.to_owned()) .bind(record.email.to_owned())
.bind(auth.to_owned()) .bind(auth.to_owned())
.bind(get_now_iso(false)) .bind(get_now_iso(false))
.bind(record.expiry.to_owned()) .bind(record.expiry.to_owned())
.bind(record.name_first.to_owned()) .bind(record.name_first.to_owned())
.bind(record.name_second.to_owned()) .bind(record.name_second.to_owned())
.bind(record.id_student.to_owned()) .bind(record.id_student.to_owned())
.fetch_optional(db) .fetch_optional(db)
.await .await
} }
} }
pub mod account { pub mod account {
use super::*; use super::*;
use crate::update_group; use crate::update_group;
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
struct LdapNewUser { struct LdapNewUser {
auth: String, auth: String,
user: String, user: String,
pass: String, pass: String,
}
/// Handles initial detail entering page
/// Verify users have access to said email
/// Get users to set username and password.
pub async fn submit(mut req: Request<State>) -> tide::Result {
let LdapNewUser {
auth,
user,
pass,
} = req.body_json().await?;
let config = &req.state().config;
let db = &req.state().db;
// ensure there are no old requests
db_pending_clear_expired(db).await?;
let user_db = if let Some(x) = db_get_user(db, &auth).await {
x
} else {
return Ok(json!({"result": "error", "error": "Invalid auth"}).into());
};
if let Some(error) = is_valid_name(&user) {
return Ok(json!({"result": "error", "error": error}).into());
} }
/// Handles initial detail entering page // easier to give each request its own connection
/// Verify users have access to said email let mut ldap = LdapConn::new(&config.ldap_host)?;
/// Get users to set username and password.
pub async fn submit(mut req: Request<State>) -> tide::Result {
let LdapNewUser {
auth,
user,
pass,
} = req.body_json().await?;
let config = &req.state().config; // ldap3 docs say a blank username and pass is an anon bind
let db = &req.state().db; ldap.simple_bind("", "")?.success()?;
// ensure there are no old requests let filter_dn = format!("(uid={})", &user);
db_pending_clear_expired(db).await?; if let Ok(x) = ldap.search("ou=users,dc=skynet,dc=ie", Scope::OneLevel, &filter_dn, vec!["*"]) {
if let Ok((rs, _res)) = x.success() {
let user_db = if let Some(x) = db_get_user(db, &auth).await { if !rs.is_empty() {
x return Ok(json!({"result": "error", "error": "username not available"}).into());
} else {
return Ok(json!({"result": "error", "error": "Invalid auth"}).into());
};
if let Some(error) = is_valid_name(&user) {
return Ok(json!({"result": "error", "error": error}).into());
} }
}
// easier to give each request its own connection
let mut ldap = LdapConn::new(&config.ldap_host)?;
// ldap3 docs say a blank username and pass is an anon bind
ldap.simple_bind("", "")?.success()?;
let filter_dn = format!("(uid={})", &user);
if let Ok(x) = ldap.search("ou=users,dc=skynet,dc=ie", Scope::OneLevel, &filter_dn, vec!["*"]) {
if let Ok((rs, _res)) = x.success() {
if !rs.is_empty() {
return Ok(json!({"result": "error", "error": "username not available"}).into());
}
}
}
// done with anon ldap
ldap.unbind()?;
ldap_create_account(config, db, user_db, &user, &pass).await?;
// account now created, delete from the new table
account_verification_clear_pending(db, &auth).await?;
Ok(json!({"result": "success"}).into())
} }
// clear the db of expired ones before checking for username and validating inputs // done with anon ldap
async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsNew>, Error> { ldap.unbind()?;
sqlx::query_as::<_, AccountsNew>(
r#" ldap_create_account(config, db, user_db, &user, &pass).await?;
// account now created, delete from the new table
account_verification_clear_pending(db, &auth).await?;
Ok(json!({"result": "success"}).into())
}
// clear the db of expired ones before checking for username and validating inputs
async fn db_pending_clear_expired(pool: &Pool<Sqlite>) -> Result<Vec<AccountsNew>, Error> {
sqlx::query_as::<_, AccountsNew>(
r#"
DELETE DELETE
FROM accounts_new FROM accounts_new
WHERE date_expiry < ? WHERE date_expiry < ?
"#, "#,
) )
.bind(get_now_iso(true)) .bind(get_now_iso(true))
.fetch_all(pool) .fetch_all(pool)
.await .await
}
fn is_valid_name(name: &str) -> Option<String> {
// max length is 31 chars
if name.len() >= 32 {
return Some(String::from("Too long, max len 31"));
} }
fn is_valid_name(name: &str) -> Option<String> { for (index, letter) in name.chars().enumerate() {
// max length is 31 chars // no uppercase characters allowed
if name.len() >= 32 { if letter.is_ascii_uppercase() {
return Some(String::from("Too long, max len 31")); return Some(String::from("Has uppercase"));
}
if index == 0 {
// first character ahs to be either a letter or underscore
if !(letter.is_ascii_alphabetic() || letter == '_') {
return Some(String::from("Does not start with letter or _"));
} }
} else {
for (index, letter) in name.chars().enumerate() { // after first character options are more relaxed
// no uppercase characters allowed if !(letter.is_ascii_alphabetic() || letter.is_ascii_digit() || letter == '_' || letter == '-') {
if letter.is_ascii_uppercase() { return Some(String::from("Contains character that is not letter, number, _ or -"));
return Some(String::from("Has uppercase"));
}
if index == 0 {
// first character ahs to be either a letter or underscore
if !(letter.is_ascii_alphabetic() || letter == '_') {
return Some(String::from("Does not start with letter or _"));
}
} else {
// after first character options are more relaxed
if !(letter.is_ascii_alphabetic() || letter.is_ascii_digit() || letter == '_' || letter == '-') {
return Some(String::from("Contains character that is not letter, number, _ or -"));
}
}
} }
}
None
} }
async fn db_get_user(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsNew> { None
if let Ok(res) = sqlx::query_as::<_, AccountsNew>( }
r#"
async fn db_get_user(pool: &Pool<Sqlite>, auth: &str) -> Option<AccountsNew> {
if let Ok(res) = sqlx::query_as::<_, AccountsNew>(
r#"
SELECT * SELECT *
FROM accounts_new FROM accounts_new
WHERE auth_code == ? WHERE auth_code == ?
"#, "#,
) )
.bind(auth) .bind(auth)
.fetch_all(pool) .fetch_all(pool)
.await .await
{ {
if !res.is_empty() { if !res.is_empty() {
return Some(res[0].to_owned()); return Some(res[0].to_owned());
} }
}
None
} }
async fn ldap_create_account(config: &Config, db: &Pool<Sqlite>, user: AccountsNew, username: &str, pass: &str) -> Result<(), ldap3::LdapError> { None
let mut ldap = LdapConn::new(&config.ldap_host)?; }
ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
let dn = format!("uid={},ou=users,dc=skynet,dc=ie", username); async fn ldap_create_account(config: &Config, db: &Pool<Sqlite>, user: AccountsNew, username: &str, pass: &str) -> Result<(), ldap3::LdapError> {
let cn = format!("{} {}", &user.name_first, &user.name_surname); let mut ldap = LdapConn::new(&config.ldap_host)?;
let home_directory = format!("/home/{}", username); ldap.simple_bind(&config.ldap_admin, &config.ldap_admin_pw)?.success()?;
let password_tmp = random_string(50);
let labeled_uri = format!("ldap:///ou=groups,dc=skynet,dc=ie??sub?(&(objectclass=posixgroup)(memberuid={}))", username);
let sk_mail = format!("{}@skynet.ie", username);
let sk_created = get_sk_created();
let uid_number = get_max_uid_number(db).await;
// create user let dn = format!("uid={},ou=users,dc=skynet,dc=ie", username);
ldap.add( let cn = format!("{} {}", &user.name_first, &user.name_surname);
&dn, let home_directory = format!("/home/{}", username);
vec![ let password_tmp = random_string(50);
("objectClass", HashSet::from(["top", "person", "posixaccount", "ldapPublicKey", "inetOrgPerson", "skPerson"])), let labeled_uri = format!("ldap:///ou=groups,dc=skynet,dc=ie??sub?(&(objectclass=posixgroup)(memberuid={}))", username);
// top let sk_mail = format!("{}@skynet.ie", username);
("ou", HashSet::from(["users"])), let sk_created = get_sk_created();
// person let uid_number = get_max_uid_number(db).await;
("uid", HashSet::from([username])),
("cn", HashSet::from([cn.as_str()])),
// posixaccount
("uidNumber", HashSet::from([uid_number.to_string().as_str()])),
("gidNumber", HashSet::from(["1001"])),
("homedirectory", HashSet::from([home_directory.as_str()])),
("userpassword", HashSet::from([password_tmp.as_str()])),
// inetOrgPerson
("mail", HashSet::from([user.mail.as_str()])),
("sn", HashSet::from([user.name_surname.as_str()])),
// skPerson
("labeledURI", HashSet::from([labeled_uri.as_str()])),
("skMail", HashSet::from([sk_mail.as_str()])),
("skID", HashSet::from([user.id_student.as_str()])),
("skCreated", HashSet::from([sk_created.as_str()])),
// 1 = secure, automatic since its a new account
("skSecure", HashSet::from(["1"])),
// quotas
("quotaEmail", HashSet::from(["10737418240"])),
("quotaDisk", HashSet::from(["10737418240"])),
],
)?
.success()?;
// now to properly set teh password // create user
let tmp = PasswordModify { ldap
user_id: Some(&dn), .add(
old_pass: None, &dn,
new_pass: Some(pass), vec![
}; ("objectClass", HashSet::from(["top", "person", "posixaccount", "ldapPublicKey", "inetOrgPerson", "skPerson"])),
// top
("ou", HashSet::from(["users"])),
// person
("uid", HashSet::from([username])),
("cn", HashSet::from([cn.as_str()])),
// posixaccount
("uidNumber", HashSet::from([uid_number.to_string().as_str()])),
("gidNumber", HashSet::from(["1001"])),
("homedirectory", HashSet::from([home_directory.as_str()])),
("userpassword", HashSet::from([password_tmp.as_str()])),
// inetOrgPerson
("mail", HashSet::from([user.mail.as_str()])),
("sn", HashSet::from([user.name_surname.as_str()])),
// skPerson
("labeledURI", HashSet::from([labeled_uri.as_str()])),
("skMail", HashSet::from([sk_mail.as_str()])),
("skID", HashSet::from([user.id_student.as_str()])),
("skCreated", HashSet::from([sk_created.as_str()])),
// 1 = secure, automatic since its a new account
("skSecure", HashSet::from(["1"])),
// quotas
("quotaEmail", HashSet::from(["10737418240"])),
("quotaDisk", HashSet::from(["10737418240"])),
],
)?
.success()?;
ldap.extended(tmp).unwrap(); // now to properly set teh password
let tmp = PasswordModify {
user_id: Some(&dn),
old_pass: None,
new_pass: Some(pass),
};
// user is already verified by being an active member on wolves ldap.extended(tmp).unwrap();
if let Err(e) = update_group(config, "skynet-users", &vec![username.to_string()], false).await {
println!("Couldnt add {} to skynet-users: {:?}", username, e)
}
ldap.unbind()?; // user is already verified by being an active member on wolves
if let Err(e) = update_group(config, "skynet-users", &vec![username.to_string()], false).await {
Ok(()) println!("Couldnt add {} to skynet-users: {:?}", username, e)
} }
fn get_sk_created() -> String { ldap.unbind()?;
use chrono::Utc;
let now = Utc::now();
format!("{}", now.format("%Y%m%d%H%M%SZ")) Ok(())
} }
async fn get_max_uid_number(db: &Pool<Sqlite>) -> i64 { fn get_sk_created() -> String {
if let Ok(results) = sqlx::query_as::<_, Accounts>( use chrono::Utc;
r#" let now = Utc::now();
format!("{}", now.format("%Y%m%d%H%M%SZ"))
}
async fn get_max_uid_number(db: &Pool<Sqlite>) -> i64 {
if let Ok(results) = sqlx::query_as::<_, Accounts>(
r#"
SELECT * SELECT *
FROM accounts FROM accounts
ORDER BY uid DESC ORDER BY uid DESC
LIMIT 1 LIMIT 1
"#, "#,
) )
.fetch_all(db) .fetch_all(db)
.await .await
{ {
if !results.is_empty() { if !results.is_empty() {
return results[0].uid + 1; return results[0].uid + 1;
} }
}
9999
} }
async fn account_verification_clear_pending(db: &Pool<Sqlite>, auth_code: &str) -> Result<Vec<AccountsNew>, Error> { 9999
sqlx::query_as::<_, AccountsNew>( }
r#"
async fn account_verification_clear_pending(db: &Pool<Sqlite>, auth_code: &str) -> Result<Vec<AccountsNew>, Error> {
sqlx::query_as::<_, AccountsNew>(
r#"
DELETE FROM accounts_new DELETE FROM accounts_new
WHERE auth_code == ? WHERE auth_code == ?
"#, "#,
) )
.bind(auth_code) .bind(auth_code)
.fetch_all(db) .fetch_all(db)
.await .await
} }
} }

924
src/methods/account_recover.rs
View file

File diff suppressed because it is too large Load diff

222
src/methods/account_update.rs
View file

@ -3,152 +3,152 @@ use ldap3::{exop::PasswordModify, LdapConn, Mod, Scope, SearchEntry};
use sqlx::{Pool, Sqlite}; use sqlx::{Pool, Sqlite};
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use tide::{ use tide::{
prelude::{json, Deserialize, Serialize}, prelude::{json, Deserialize, Serialize},
Request, Request,
}; };
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
pub struct LdapUpdate { pub struct LdapUpdate {
user: String, user: String,
pass: String, pass: String,
field: String, field: String,
value: String, value: String,
} }
#[derive(Debug, Serialize)] #[derive(Debug, Serialize)]
pub struct ModifyResult { pub struct ModifyResult {
mail: Option<String>, mail: Option<String>,
#[serde(rename = "sshPublicKey")] #[serde(rename = "sshPublicKey")]
ssh_public_key: Option<String>, ssh_public_key: Option<String>,
cn: Option<String>, cn: Option<String>,
#[serde(rename = "skDiscord")] #[serde(rename = "skDiscord")]
sk_discord: Option<String>, sk_discord: Option<String>,
} }
/// Handles updating a single field with the users own password /// Handles updating a single field with the users own password
pub async fn submit(mut req: Request<State>) -> tide::Result { pub async fn submit(mut req: Request<State>) -> tide::Result {
let LdapUpdate { let LdapUpdate {
user, user,
pass, pass,
field, field,
value, value,
} = req.body_json().await?; } = req.body_json().await?;
// check that any mail is not using @skynet.ie // check that any mail is not using @skynet.ie
if field == "mail" && value.trim().ends_with("@skynet.ie") { if field == "mail" && value.trim().ends_with("@skynet.ie") {
return Ok(json!({"result": "error", "error": "Skynet email not valid contact address"}).into()); return Ok(json!({"result": "error", "error": "Skynet email not valid contact address"}).into());
}
let config = &req.state().config;
let db = &req.state().db;
// easier to give each request its own connection
let mut ldap = LdapConn::new(&config.ldap_host)?;
let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user);
ldap.simple_bind(&dn, &pass)?.success()?;
// always assume insecure
let mut pw_keep_same = false;
let mut is_skynet_user = false;
// get the users current password hash
let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword", "memberOf"])?.success()?;
if !rs.is_empty() {
let tmp = SearchEntry::construct(rs[0].clone());
if tmp.attrs.contains_key("userPassword") && !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") {
pw_keep_same = true;
}
if tmp.attrs.contains_key("memberOf") {
for group in tmp.attrs["memberOf"].clone() {
if group.contains("skynet-users") {
is_skynet_user = true;
}
}
}
}
// check if the password field itself is being updated
let pass_new = if &field != "userPassword" {
if !is_skynet_user && &field == "mail" {
activate_group(db, config, &user, &value).await;
} }
let config = &req.state().config; // if password is not being updated then just update the required field
let db = &req.state().db; let mods = vec![
// the value we are updating
Mod::Replace(field, HashSet::from([value])),
];
// easier to give each request its own connection ldap.modify(&dn, mods)?.success()?;
let mut ldap = LdapConn::new(&config.ldap_host)?;
let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user); // pass back the "old" and "new" passwords
ldap.simple_bind(&dn, &pass)?.success()?; // using this means we can create teh vars without them needing to be mutable
pass.clone()
} else {
// password is going to be updated, even if the old value is not starting with "{SSHA512}"
pw_keep_same = false;
value
};
// always assume insecure // changing teh password because of an explicit request or upgrading teh security.
let mut pw_keep_same = false; if !pw_keep_same {
let mut is_skynet_user = false; // really easy to update password once ye know how
let tmp = PasswordModify {
// get the users current password hash // none as we are staying on the same connection
let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword", "memberOf"])?.success()?; user_id: None,
if !rs.is_empty() { old_pass: Some(&pass),
let tmp = SearchEntry::construct(rs[0].clone()); new_pass: Some(&pass_new),
if tmp.attrs.contains_key("userPassword") && !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") {
pw_keep_same = true;
}
if tmp.attrs.contains_key("memberOf") {
for group in tmp.attrs["memberOf"].clone() {
if group.contains("skynet-users") {
is_skynet_user = true;
}
}
}
}
// check if the password field itself is being updated
let pass_new = if &field != "userPassword" {
if !is_skynet_user && &field == "mail" {
activate_group(db, config, &user, &value).await;
}
// if password is not being updated then just update the required field
let mods = vec![
// the value we are updating
Mod::Replace(field, HashSet::from([value])),
];
ldap.modify(&dn, mods)?.success()?;
// pass back the "old" and "new" passwords
// using this means we can create teh vars without them needing to be mutable
pass.clone()
} else {
// password is going to be updated, even if the old value is not starting with "{SSHA512}"
pw_keep_same = false;
value
}; };
// changing teh password because of an explicit request or upgrading teh security. ldap.extended(tmp)?.success()?;
if !pw_keep_same { };
// really easy to update password once ye know how
let tmp = PasswordModify {
// none as we are staying on the same connection
user_id: None,
old_pass: Some(&pass),
new_pass: Some(&pass_new),
};
ldap.extended(tmp)?.success()?; let result = get_result(&mut ldap, &dn);
};
let result = get_result(&mut ldap, &dn); ldap.unbind()?;
ldap.unbind()?; Ok(json!({"result": "success", "success": result}).into())
Ok(json!({"result": "success", "success": result}).into())
} }
fn get_result(ldap: &mut LdapConn, dn: &str) -> ModifyResult { fn get_result(ldap: &mut LdapConn, dn: &str) -> ModifyResult {
let mut result = ModifyResult { let mut result = ModifyResult {
mail: None, mail: None,
ssh_public_key: None, ssh_public_key: None,
cn: None, cn: None,
sk_discord: None, sk_discord: None,
}; };
if let Ok(temp) = ldap.search(dn, Scope::Base, "(objectClass=*)", vec!["mail", "sshPublicKey", "cn", "skDiscord"]) { if let Ok(temp) = ldap.search(dn, Scope::Base, "(objectClass=*)", vec!["mail", "sshPublicKey", "cn", "skDiscord"]) {
if let Ok((rs, _res)) = temp.success() { if let Ok((rs, _res)) = temp.success() {
if !rs.is_empty() { if !rs.is_empty() {
let tmp = SearchEntry::construct(rs[0].clone()); let tmp = SearchEntry::construct(rs[0].clone());
result.mail = get_result_values(&tmp.attrs, "mail"); result.mail = get_result_values(&tmp.attrs, "mail");
result.ssh_public_key = get_result_values(&tmp.attrs, "sshPublicKey"); result.ssh_public_key = get_result_values(&tmp.attrs, "sshPublicKey");
result.cn = get_result_values(&tmp.attrs, "cn"); result.cn = get_result_values(&tmp.attrs, "cn");
result.sk_discord = get_result_values(&tmp.attrs, "skDiscord"); result.sk_discord = get_result_values(&tmp.attrs, "skDiscord");
} }
}
} }
}
result result
} }
fn get_result_values(attrs: &HashMap<String, Vec<String>>, field: &str) -> Option<String> { fn get_result_values(attrs: &HashMap<String, Vec<String>>, field: &str) -> Option<String> {
if let Some(field) = attrs.get(field) { if let Some(field) = attrs.get(field) {
if !field.is_empty() { if !field.is_empty() {
return Some(field[0].clone()); return Some(field[0].clone());
}
} }
None }
None
} }
async fn activate_group(db: &Pool<Sqlite>, config: &Config, user: &str, mail: &str) { async fn activate_group(db: &Pool<Sqlite>, config: &Config, user: &str, mail: &str) {
// check if user has this mail in teh wolves db // check if user has this mail in teh wolves db
if !get_wolves_mail(db, mail).await.is_empty() { if !get_wolves_mail(db, mail).await.is_empty() {
// if so then activate // if so then activate
if let Err(e) = update_group(config, "skynet-users", &vec![user.to_string()], false).await { if let Err(e) = update_group(config, "skynet-users", &vec![user.to_string()], false).await {
println!("Couldnt add {} to skynet-users: {:?}", user, e) println!("Couldnt add {} to skynet-users: {:?}", user, e)
}
} }
}
} }