feat: 实现 LDAP 登录

2025-11-03 16:00:25 +08:00 · 2023-08-23 22:09:41 +08:00
parent 2e969d46fb
commit 4e1350d1cc
13 changed files with 321 additions and 5174 deletions
--- a/server/internal/auth/api/form/form.go
+++ b/server/internal/auth/api/form/form.go
@@ -1,10 +1,11 @@
 package form

 type LoginForm struct {
-	Username string `json:"username" binding:"required"`
-	Password string `binding:"required"`
-	Captcha  string `json:"captcha"`
-	Cid      string `json:"cid"`
+	Username  string `json:"username" binding:"required"`
+	Password  string `binding:"required"`
+	Captcha   string `json:"captcha"`
+	Cid       string `json:"cid"`
+	LdapLogin bool   `json:"ldapLogin"`
 }

 type OtpVerfiy struct {
--- a/server/internal/auth/api/ldap_login.go
+++ b/server/internal/auth/api/ldap_login.go
@@ -0,0 +1,109 @@
+package api
+
+import (
+	"errors"
+	"fmt"
+	"gorm.io/gorm"
+	"mayfly-go/internal/auth/api/form"
+	msgapp "mayfly-go/internal/msg/application"
+	sysapp "mayfly-go/internal/sys/application"
+	sysentity "mayfly-go/internal/sys/domain/entity"
+	"mayfly-go/pkg/biz"
+	"mayfly-go/pkg/cache"
+	"mayfly-go/pkg/captcha"
+	"mayfly-go/pkg/config"
+	"mayfly-go/pkg/ginx"
+	"mayfly-go/pkg/ldap"
+	"mayfly-go/pkg/req"
+	"mayfly-go/pkg/utils/cryptox"
+	"strconv"
+	"time"
+)
+
+type LdapLogin struct {
+	AccountApp sysapp.Account
+	MsgApp     msgapp.Msg
+	ConfigApp  sysapp.Config
+}
+
+// @router /auth/ldap/enabled [get]
+func (a *LdapLogin) GetLdapEnabled(rc *req.Ctx) {
+	rc.ResData = config.Conf.Ldap.Enabled
+}
+
+// @router /auth/ldap/login [post]
+func (a *LdapLogin) Login(rc *req.Ctx) {
+	loginForm := ginx.BindJsonAndValid(rc.GinCtx, new(form.LoginForm))
+
+	// 确认是 LDAP 登录
+	biz.IsTrue(loginForm.LdapLogin, "LDAP 登录参数错误")
+
+	accountLoginSecurity := a.ConfigApp.GetConfig(sysentity.ConfigKeyAccountLoginSecurity).ToAccountLoginSecurity()
+	// 判断是否有开启登录验证码校验
+	if accountLoginSecurity.UseCaptcha {
+		// 校验验证码
+		biz.IsTrue(captcha.Verify(loginForm.Cid, loginForm.Captcha), "验证码错误")
+	}
+
+	username := loginForm.Username
+
+	clientIp := getIpAndRegion(rc)
+	rc.ReqParam = fmt.Sprintf("username: %s | ip: %s", username, clientIp)
+
+	originPwd, err := cryptox.DefaultRsaDecrypt(loginForm.Password, true)
+	biz.ErrIsNilAppendErr(err, "解密密码错误: %s")
+	// LDAP 用户本地密码为空，不允许本地登录
+	biz.NotEmpty(originPwd, "密码不能为空")
+
+	failCountKey := fmt.Sprintf("account:login:failcount:%s", username)
+	nowFailCount := cache.GetInt(failCountKey)
+	loginFailCount := accountLoginSecurity.LoginFailCount
+	loginFailMin := accountLoginSecurity.LoginFailMin
+	biz.IsTrue(nowFailCount < loginFailCount, "登录失败超过%d次, 请%d分钟后再试", loginFailCount, loginFailMin)
+
+	var account *sysentity.Account
+	cols := []string{"Id", "Name", "Username", "Password", "Status", "LastLoginTime", "LastLoginIp", "OtpSecret"}
+	account, err = a.getOrCreateUserWithLdap(username, originPwd, cols...)
+
+	if err != nil {
+		nowFailCount++
+		cache.SetStr(failCountKey, strconv.Itoa(nowFailCount), time.Minute*time.Duration(loginFailMin))
+		panic(biz.NewBizErr(fmt.Sprintf("用户名或密码错误【当前登录失败%d次】", nowFailCount)))
+	}
+
+	rc.ResData = LastLoginCheck(account, accountLoginSecurity, clientIp)
+}
+
+func (a *LdapLogin) getUser(userName string, cols ...string) (*sysentity.Account, error) {
+	account := &sysentity.Account{Username: userName}
+	if err := a.AccountApp.GetAccount(account, cols...); err != nil {
+		return nil, err
+	}
+	return account, nil
+}
+
+func (a *LdapLogin) createUser(userName, displayName string) {
+	account := &sysentity.Account{Username: userName}
+	account.SetBaseInfo(nil)
+	account.Name = displayName
+	a.AccountApp.Create(account)
+	// 将 LADP 用户本地密码设置为空，不允许本地登录
+	account.Password = cryptox.PwdHash("")
+	a.AccountApp.Update(account)
+}
+
+func (a *LdapLogin) getOrCreateUserWithLdap(userName string, password string, cols ...string) (*sysentity.Account, error) {
+	userInfo, err := ldap.Authenticate(userName, password)
+	if err != nil {
+		return nil, errors.New("用户名密码错误")
+	}
+
+	account, err := a.getUser(userName, cols...)
+	if err == gorm.ErrRecordNotFound {
+		a.createUser(userName, userInfo.DisplayName)
+		return a.getUser(userName, cols...)
+	} else if err != nil {
+		return nil, err
+	}
+	return account, nil
+}
--- a/server/internal/auth/router/router.go
+++ b/server/internal/auth/router/router.go
@@ -17,6 +17,12 @@ func Init(router *gin.RouterGroup) {
 		MsgApp:     msgapp.GetMsgApp(),
 	}

+	ldapLogin := &api.LdapLogin{
+		ConfigApp:  sysapp.GetConfigApp(),
+		AccountApp: sysapp.GetAccountApp(),
+		MsgApp:     msgapp.GetMsgApp(),
+	}
+
 	oauth2Login := &api.Oauth2Login{
 		Oauth2App:  application.GetAuthApp(),
 		ConfigApp:  sysapp.GetConfigApp(),
@@ -50,6 +56,10 @@ func Init(router *gin.RouterGroup) {
 		req.NewGet("/oauth2/status", oauth2Login.Oauth2Status),

 		req.NewGet("/oauth2/unbind", oauth2Login.Oauth2Unbind).Log(req.NewLogSave("oauth2解绑")),
+
+		// LDAP 登录
+		req.NewGet("/ldap/enabled", ldapLogin.GetLdapEnabled).DontNeedToken(),
+		req.NewPost("/ldap/login", ldapLogin.Login).Log(req.NewLogSave("LDAP 登录")).DontNeedToken(),
 	}

 	req.BatchSetGroup(rg, reqs[:])