From 50e8a42e34fe24584667d5ce148b7faa69dcd4d4 Mon Sep 17 00:00:00 2001
From: laodaming <11058467+laudamine@user.noreply.gitee.com>
Date: Wed, 22 Nov 2023 10:19:27 +0800
Subject: [PATCH 1/2] fix
---
 .../internal/logic/addldaporganizationmemberlogic.go | 2 +-
 .../ldap-admin/internal/logic/createldaporganizationlogic.go | 2 +-
 .../ldap-admin/internal/logic/createldapuserbasegrouplogic.go | 2 +-
 server/ldap-admin/internal/logic/createldapuserlogic.go | 2 +-
 .../ldap-admin/internal/logic/deleteldaporganizationlogic.go | 2 +-
 server/ldap-admin/internal/logic/deleteldapuserlogic.go | 2 +-
 .../internal/logic/getldaporganizationmemberslogic.go | 2 +-
 server/ldap-admin/internal/logic/getldaporganizationslogic.go | 2 +-
 server/ldap-admin/internal/logic/getldapuserinfologic.go | 2 +-
 server/ldap-admin/internal/logic/getldapuserslogic.go | 2 +-
 .../internal/logic/removeldaporganizationmemberlogic.go | 2 +-
 .../ldap-admin/internal/logic/updateldaporganizationlogic.go | 2 +-
 server/ldap-admin/internal/logic/updateldapuserlogic.go | 2 +-
 server/ldap-admin/internal/logic/updateldapuserpwdlogic.go | 2 +-
 utils/ldap_lib/auth.go | 4 ++--
 15 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/server/ldap-admin/internal/logic/addldaporganizationmemberlogic.go b/server/ldap-admin/internal/logic/addldaporganizationmemberlogic.go
index 3c59479e..f55adae2 100644
--- a/server/ldap-admin/internal/logic/addldaporganizationmemberlogic.go
+++ b/server/ldap-admin/internal/logic/addldaporganizationmemberlogic.go
@@ -34,7 +34,7 @@ func NewAddLdapOrganizationMemberLogic(ctx context.Context, svcCtx *svc.ServiceC
 func (l *AddLdapOrganizationMemberLogic) AddLdapOrganizationMember(req *types.AddLdapOrganizationMemberReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
diff --git a/server/ldap-admin/internal/logic/createldaporganizationlogic.go b/server/ldap-admin/internal/logic/createldaporganizationlogic.go
index cd72b116..c797bd09 100644
--- a/server/ldap-admin/internal/logic/createldaporganizationlogic.go
+++ b/server/ldap-admin/internal/logic/createldaporganizationlogic.go
@@ -34,7 +34,7 @@ func NewCreateLdapOrganizationLogic(ctx context.Context, svcCtx *svc.ServiceCont
 func (l *CreateLdapOrganizationLogic) CreateLdapOrganization(req *types.CreateLdapOrganizationReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.OrganizationEnName = strings.Trim(req.OrganizationEnName, " ")
diff --git a/server/ldap-admin/internal/logic/createldapuserbasegrouplogic.go b/server/ldap-admin/internal/logic/createldapuserbasegrouplogic.go
index ce6d27c1..530d6e07 100644
--- a/server/ldap-admin/internal/logic/createldapuserbasegrouplogic.go
+++ b/server/ldap-admin/internal/logic/createldapuserbasegrouplogic.go
@@ -32,7 +32,7 @@ func NewCreateLdapUserBaseGroupLogic(ctx context.Context, svcCtx *svc.ServiceCon
 func (l *CreateLdapUserBaseGroupLogic) CreateLdapUserBaseGroup(req *types.Request, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 err := l.svcCtx.Ldap.Create(l.svcCtx.Config.Ldap.PeopleGroupDN, map[string][]string{
diff --git a/server/ldap-admin/internal/logic/createldapuserlogic.go b/server/ldap-admin/internal/logic/createldapuserlogic.go
index 69174a29..0c06e49a 100644
--- a/server/ldap-admin/internal/logic/createldapuserlogic.go
+++ b/server/ldap-admin/internal/logic/createldapuserlogic.go
@@ -40,7 +40,7 @@ func NewCreateLdapUserLogic(ctx context.Context, svcCtx *svc.ServiceContext) *Cr
 func (l *CreateLdapUserLogic) CreateLdapUser(req *types.CreateLdapUserReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.UserName = strings.Trim(req.UserName, " ")
diff --git a/server/ldap-admin/internal/logic/deleteldaporganizationlogic.go b/server/ldap-admin/internal/logic/deleteldaporganizationlogic.go
index 05785cad..c142d19c 100644
--- a/server/ldap-admin/internal/logic/deleteldaporganizationlogic.go
+++ b/server/ldap-admin/internal/logic/deleteldaporganizationlogic.go
@@ -33,7 +33,7 @@ func NewDeleteLdapOrganizationLogic(ctx context.Context, svcCtx *svc.ServiceCont
 func (l *DeleteLdapOrganizationLogic) DeleteLdapOrganization(req *types.DeleteLdapOrganizationReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
diff --git a/server/ldap-admin/internal/logic/deleteldapuserlogic.go b/server/ldap-admin/internal/logic/deleteldapuserlogic.go
index 0d9a379f..117acd5e 100644
--- a/server/ldap-admin/internal/logic/deleteldapuserlogic.go
+++ b/server/ldap-admin/internal/logic/deleteldapuserlogic.go
@@ -33,7 +33,7 @@ func NewDeleteLdapUserLogic(ctx context.Context, svcCtx *svc.ServiceContext) *De
 func (l *DeleteLdapUserLogic) DeleteLdapUser(req *types.DeleteLdapUserReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.UserDN = strings.Trim(req.UserDN, " ")
diff --git a/server/ldap-admin/internal/logic/getldaporganizationmemberslogic.go b/server/ldap-admin/internal/logic/getldaporganizationmemberslogic.go
index 874228b3..8a88fa90 100644
--- a/server/ldap-admin/internal/logic/getldaporganizationmemberslogic.go
+++ b/server/ldap-admin/internal/logic/getldaporganizationmemberslogic.go
@@ -35,7 +35,7 @@ func NewGetLdapOrganizationMembersLogic(ctx context.Context, svcCtx *svc.Service
 func (l *GetLdapOrganizationMembersLogic) GetLdapOrganizationMembers(req *types.GetLdapOrganizationMembersReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
diff --git a/server/ldap-admin/internal/logic/getldaporganizationslogic.go b/server/ldap-admin/internal/logic/getldaporganizationslogic.go
index a97fe93d..24aef6d6 100644
--- a/server/ldap-admin/internal/logic/getldaporganizationslogic.go
+++ b/server/ldap-admin/internal/logic/getldaporganizationslogic.go
@@ -43,7 +43,7 @@ type DNItem struct {
 func (l *GetLdapOrganizationsLogic) GetLdapOrganizations(req *types.Request, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 //从ldap获取组织架构数据
diff --git a/server/ldap-admin/internal/logic/getldapuserinfologic.go b/server/ldap-admin/internal/logic/getldapuserinfologic.go
index e2212827..39168765 100644
--- a/server/ldap-admin/internal/logic/getldapuserinfologic.go
+++ b/server/ldap-admin/internal/logic/getldapuserinfologic.go
@@ -32,7 +32,7 @@ func NewGetLdapUserInfoLogic(ctx context.Context, svcCtx *svc.ServiceContext) *G
 func (l *GetLdapUserInfoLogic) GetLdapUserInfo(req *types.GetLdapUserInfoReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 if len(req.UserDN) <= 3 || req.UserDN[:3] != "cn=" {
diff --git a/server/ldap-admin/internal/logic/getldapuserslogic.go b/server/ldap-admin/internal/logic/getldapuserslogic.go
index 93119f7d..195f98d3 100644
--- a/server/ldap-admin/internal/logic/getldapuserslogic.go
+++ b/server/ldap-admin/internal/logic/getldapuserslogic.go
@@ -33,7 +33,7 @@ func NewGetLdapUsersLogic(ctx context.Context, svcCtx *svc.ServiceContext) *GetL
 func (l *GetLdapUsersLogic) GetLdapUsers(req *types.GetLdapUsersReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.PageCookie = strings.Trim(req.PageCookie, " ")
diff --git a/server/ldap-admin/internal/logic/removeldaporganizationmemberlogic.go b/server/ldap-admin/internal/logic/removeldaporganizationmemberlogic.go
index 074fbc3b..8f7f86cc 100644
--- a/server/ldap-admin/internal/logic/removeldaporganizationmemberlogic.go
+++ b/server/ldap-admin/internal/logic/removeldaporganizationmemberlogic.go
@@ -34,7 +34,7 @@ func NewRemoveLdapOrganizationMemberLogic(ctx context.Context, svcCtx *svc.Servi
 func (l *RemoveLdapOrganizationMemberLogic) RemoveLdapOrganizationMember(req *types.RemoveLdapOrganizationMemberReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
diff --git a/server/ldap-admin/internal/logic/updateldaporganizationlogic.go b/server/ldap-admin/internal/logic/updateldaporganizationlogic.go
index 5f0e91b5..623940b2 100644
--- a/server/ldap-admin/internal/logic/updateldaporganizationlogic.go
+++ b/server/ldap-admin/internal/logic/updateldaporganizationlogic.go
@@ -33,7 +33,7 @@ func NewUpdateLdapOrganizationLogic(ctx context.Context, svcCtx *svc.ServiceCont
 func (l *UpdateLdapOrganizationLogic) UpdateLdapOrganization(req *types.UpdateLdapOrganizationReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.OrganizationDN = strings.Trim(req.OrganizationDN, " ")
diff --git a/server/ldap-admin/internal/logic/updateldapuserlogic.go b/server/ldap-admin/internal/logic/updateldapuserlogic.go
index 3d058a1a..af2903a1 100644
--- a/server/ldap-admin/internal/logic/updateldapuserlogic.go
+++ b/server/ldap-admin/internal/logic/updateldapuserlogic.go
@@ -38,7 +38,7 @@ func NewUpdateLdapUserLogic(ctx context.Context, svcCtx *svc.ServiceContext) *Up
 func (l *UpdateLdapUserLogic) UpdateLdapUser(req *types.UpdateLdapUserReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.UserDN = strings.Trim(req.UserDN, " ")
diff --git a/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go b/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go
index 3f4b15d5..fb576788 100644
--- a/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go
+++ b/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go
@@ -35,7 +35,7 @@ func NewUpdateLdapUserPwdLogic(ctx context.Context, svcCtx *svc.ServiceContext)
 func (l *UpdateLdapUserPwdLogic) UpdateLdapUserPwd(req *types.UpdateLdapUserPwdReq, r *http.Request) (resp *basic.Response) {
- if !l.svcCtx.Ldap.VerifyAuthority(r, l.svcCtx.Config.Auth.AccessSecret) {
+ if !l.svcCtx.Ldap.VerifyAuthority(r) {
 return resp.SetStatusWithMessage(basic.CodeUnAuth, "无权限,请联系管理员开通")
 }
 req.UserDN = strings.Trim(req.UserDN, " ")
diff --git a/utils/ldap_lib/auth.go b/utils/ldap_lib/auth.go
index be05acea..c910c4dc 100644
--- a/utils/ldap_lib/auth.go
+++ b/utils/ldap_lib/auth.go
@@ -6,9 +6,9 @@ import (
 )
 // 验证权限
-func (l *Ldap) VerifyAuthority(r *http.Request, jwtSecret string) bool {
+func (l *Ldap) VerifyAuthority(r *http.Request) bool {
 token := r.Header.Get("Ldap-Authorization")
- info, err := l.ParseJwtToken(token, jwtSecret)
+ info, err := l.ParseJwtToken(token, l.jwtSecret)
 if err != nil {
 logx.Error("解析token失败", err, "----token:", token)
 return false
From 760d9928dc2be1efe03dcbe25986dec9a8db8f02 Mon Sep 17 00:00:00 2001
From: laodaming <11058467+laudamine@user.noreply.gitee.com>
Date: Wed, 22 Nov 2023 10:47:19 +0800
Subject: [PATCH 2/2] fix
---
 .../internal/logic/createldapuserlogic.go | 7 +----
 .../internal/logic/updateldapuserpwdlogic.go | 22 +++----------------
 utils/ldap_lib/auth.go | 13 +++++++++--
 3 files changed, 15 insertions(+), 27 deletions(-)
diff --git a/server/ldap-admin/internal/logic/createldapuserlogic.go b/server/ldap-admin/internal/logic/createldapuserlogic.go
index 0c06e49a..2b73200c 100644
--- a/server/ldap-admin/internal/logic/createldapuserlogic.go
+++ b/server/ldap-admin/internal/logic/createldapuserlogic.go
@@ -6,7 +6,6 @@ import (
 "fusenapi/utils/basic"
 "fusenapi/utils/chinese_to_pinyin"
 "fusenapi/utils/email"
- "fusenapi/utils/encryption_decryption"
 "gorm.io/gorm"
 "net/http"
 "strings"
@@ -73,10 +72,6 @@ func (l *CreateLdapUserLogic) CreateLdapUser(req *types.CreateLdapUserReq, r *ht
 if err := tx.WithContext(l.ctx).Model(&gmodel.LdapUser{}).Create(userData).Error; err != nil {
 return err
 }
- pwd, err := encryption_decryption.CBCEncrypt(req.Password)
- if err != nil {
- return err
- }
 return l.svcCtx.Ldap.Create(userDN, map[string][]string{
 "objectClass": {"person", "organizationalPerson", "inetOrgPerson", "posixAccount", "top", "shadowAccount"}, //固有属性
 "shadowLastChange": {"19676"}, //固有属性
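Review bot: The signing secret now comes from `l.jwtSecret` instead of a per-call argument, but nothing in the hunk shows where that field is populated; if an `Ldap` value is ever constructed without it, `ParseJwtToken` would be called with an empty secret, so the constructor should reject an empty secret (or this method should `return false` when `l.jwtSecret == ""`). The error branch kept as context still writes the raw header value to the log (`logx.Error("解析token失败", err, "----token:", token)`); a bearer credential in log storage is a replay risk, so log only the parse error, `logx.Error("parse token failed", err)`, or a truncated or hashed form of the token. `VerifyAuthority`'s body continues outside the hunk.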
@@ -96,7 +91,7 @@ func (l *CreateLdapUserLogic) CreateLdapUser(req *types.CreateLdapUserReq, r *ht
 "departmentNumber": {fmt.Sprintf("%d", req.GroupId)}, //权限分组id
 "postalAddress": {req.Avatar}, //头像
 "mobile": {req.Mobile}, //手机号
- "userPassword": {"{crypt}" + pwd}, //密码
+ "userPassword": {req.Password}, //密码
 })
 })
 if err != nil {
diff --git a/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go b/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go
index fb576788..d638e74b 100644
--- a/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go
+++ b/server/ldap-admin/internal/logic/updateldapuserpwdlogic.go
@@ -3,7 +3,6 @@ package logic
 import (
 "fusenapi/utils/basic"
 "fusenapi/utils/email"
- "fusenapi/utils/encryption_decryption"
 "net/http"
 "strings"
@@ -57,26 +56,11 @@ func (l *UpdateLdapUserPwdLogic) UpdateLdapUserPwd(req *types.UpdateLdapUserPwdR
 logx.Error(err)
 return resp.SetStatusWithMessage(basic.CodeServiceErr, err.Error())
 }
- if len(user.Password) > 7 && user.Password[:7] == "{crypt}" {
- //解密旧的密码
- oldPwd, err := encryption_decryption.CBCDecrypt(user.Password[7:])
- if err != nil {
- logx.Error(err)
- return resp.SetStatusWithMessage(basic.CodeServiceErr, "解密旧的密码出错")
- }
- //验证旧的密码
- if oldPwd != req.OldPassword {
- return resp.SetStatusWithMessage(basic.CodeServiceErr, "旧密码不对,请重新尝试")
- }
- }
- //加密新的密码
- newPwd, err := encryption_decryption.CBCEncrypt(req.NewPassword)
- if err != nil {
- logx.Error(err)
- return resp.SetStatusWithMessage(basic.CodeServiceErr, "加密密码失败")
+ if user.Password != req.OldPassword {
+ return resp.SetStatusWithMessage(basic.CodeServiceErr, "旧密码不对,请重新尝试")
 }
 err = l.svcCtx.Ldap.Update(req.UserDN, map[string][]string{
- "userPassword": {"{crypt}" + newPwd},
+ "userPassword": {req.NewPassword},
 })
 if err != nil {
 logx.Error(err)
diff --git a/utils/ldap_lib/auth.go b/utils/ldap_lib/auth.go
index c910c4dc..770a3768 100644
--- a/utils/ldap_lib/auth.go
+++ b/utils/ldap_lib/auth.go
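Review bot: `"userPassword": {req.Password}` writes the new user's password into the directory in clear text, so any account with read access to the entry, and every directory backup, can recover it. The removed `{crypt}` + AES-CBC value was not a valid `{crypt}` hash either (that prefix denotes a crypt(3) digest), which is presumably why binds against it failed, but the fix is a salted hash in a scheme the server verifies on bind (`{SSHA}` is supported everywhere; `{SSHA512}` or `{ARGON2}` where the server allows them) or the Password Modify extended operation (RFC 3062), which lets the server apply its own hashing policy. Whether the `userData` row inserted earlier in the same transaction also carries the raw password cannot be seen from here and should be checked at the same time. A helper along the lines below (needing `crypto/rand`, `crypto/sha1` and `encoding/base64`) keeps the call site a one-line change; the transaction closure and `CreateLdapUser` itself begin before this hunk.
```go
// sshaPassword returns the password as a salted SHA-1 digest in the {SSHA}
// form, which LDAP servers verify on bind without ever storing the clear text.
func sshaPassword(plain string) (string, error) {
	salt := make([]byte, 8)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	h := sha1.New()
	h.Write([]byte(plain))
	h.Write(salt)
	return "{SSHA}" + base64.StdEncoding.EncodeToString(append(h.Sum(nil), salt...)), nil
}

// … unchanged: DB insert of userData …
	hashed, err := sshaPassword(req.Password)
	if err != nil {
		return err
	}
	return l.svcCtx.Ldap.Create(userDN, map[string][]string{
		// … unchanged: other attributes …
		"userPassword": {hashed}, //密码
	})
```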
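Review bot: `if user.Password != req.OldPassword` only works while the stored password is clear text, and the `userPassword` written a few lines below is now clear text as well, so this hunk ties the endpoint to plaintext password storage in the directory. The robust way to verify the old password is to let the server do it: perform a simple bind as `req.UserDN` with `req.OldPassword` (if the `Ldap` wrapper exposes bind — its API is not visible here) and then write the new value as a salted hash, e.g. `"userPassword": {hashed}` with an `{SSHA}` value, or via the RFC 3062 Password Modify operation. If a string comparison is kept for now, use `subtle.ConstantTimeCompare([]byte(user.Password), []byte(req.OldPassword)) != 1` so the check does not leak the prefix match by timing. Where `user` is loaded from, and the rest of `UpdateLdapUserPwd`, lie outside the hunk.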
@@ -5,8 +5,11 @@ import (
 "net/http"
 )
+type LdapOptions struct {
+}
+
 // 验证权限
-func (l *Ldap) VerifyAuthority(r *http.Request) bool {
+func (l *Ldap) VerifyAuthority(r *http.Request, options ...string) bool {
 token := r.Header.Get("Ldap-Authorization")
 info, err := l.ParseJwtToken(token, l.jwtSecret)
 if err != nil {
@@ -21,6 +24,12 @@ func (l *Ldap) VerifyAuthority(r *http.Request) bool {
 if userInfo.Status != 1 {
 return false
 }
- // TODO 查询权限组相关信息
+ if len(options) == 0 {
+ return true
+ }
+ // todo 获取分组信息
+ /*for _, option := range options {
+
+ }*/
 return true
 }
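Review bot: `type LdapOptions struct {}` is added with no fields and no uses in this commit, and the new variadic `options ...string` parameter does not refer to it either, so one of the two is dead; drop the type until the permission model is designed, or make it the parameter's type. The function's doc comment should also state what is and is not checked: `// VerifyAuthority parses the JWT carried in the Ldap-Authorization header and reports whether the caller is an active user; group permissions are not enforced yet.` `VerifyAuthority` continues past this hunk.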
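Review bot: A caller that passes permission `options` is granted access unconditionally: the loop that would check them is commented out and the function falls through to `return true`, so the new parameter creates the appearance of an authorization check without performing one. Until group lookup exists it should fail closed, which breaks no caller since every call site in this series uses `VerifyAuthority(r)`: replace the commented block with `// group permissions are not implemented yet; fail closed rather than grant access` followed by `return false`. The `len(options) == 0` early return can then stay as the documented "authenticated and active" path.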