diff --git a/server/config.yml.example b/server/config.yml.example index 72a65a60..7128c345 100644 --- a/server/config.yml.example +++ b/server/config.yml.example @@ -37,18 +37,4 @@ log: level: info # file: # path: ./ - # name: mayfly-go.log - -# ldap相关配置 -ldap: - enabled: true - host: "ldap.example.com" - port: 389 - baseDn: "ou=users,dc=example,dc=com" - bindDn: "cn=admin,dc=example,dc=com" - userFilter: "(&(objectClass=organizationalPerson)(uid=%s))" - bindPassword: "admin123." - fieldMapping: - identifier: "cn" - displayName: "displayName" - email: "mail" + # name: mayfly-go.log \ No newline at end of file diff --git a/server/internal/auth/api/ldap_login.go b/server/internal/auth/api/ldap_login.go index a7d4173c..b4a1b09e 100644 --- a/server/internal/auth/api/ldap_login.go +++ b/server/internal/auth/api/ldap_login.go @@ -1,7 +1,7 @@ package api import ( - "errors" + "crypto/tls" "fmt" "mayfly-go/internal/auth/api/form" msgapp "mayfly-go/internal/msg/application" @@ -10,14 +10,15 @@ import ( "mayfly-go/pkg/biz" "mayfly-go/pkg/cache" "mayfly-go/pkg/captcha" - "mayfly-go/pkg/config" "mayfly-go/pkg/ginx" - "mayfly-go/pkg/ldap" "mayfly-go/pkg/req" "mayfly-go/pkg/utils/cryptox" "strconv" + "strings" "time" + "github.com/go-ldap/ldap/v3" + "github.com/pkg/errors" "gorm.io/gorm" ) @@ -29,12 +30,8 @@ type LdapLogin struct { // @router /auth/ldap/enabled [get] func (a *LdapLogin) GetLdapEnabled(rc *req.Ctx) { - if config.Conf.Ldap != nil { - rc.ResData = config.Conf.Ldap.Enabled - return - } - - rc.ResData = false + ldapLoginConfig := a.ConfigApp.GetConfig(sysentity.ConfigKeyLdapLogin).ToLdapLogin() + rc.ResData = ldapLoginConfig.Enable } // @router /auth/ldap/login [post] @@ -96,7 +93,7 @@ func (a *LdapLogin) createUser(userName, displayName string) { } func (a *LdapLogin) getOrCreateUserWithLdap(userName string, password string, cols ...string) (*sysentity.Account, error) { - userInfo, err := ldap.Authenticate(userName, password) + userInfo, err := Authenticate(userName, password) if err != nil { return nil, errors.New("用户名密码错误") } @@ -110,3 +107,98 @@ func (a *LdapLogin) getOrCreateUserWithLdap(userName string, password string, co } return account, nil } + +type UserInfo struct { + UserName string + DisplayName string + Email string +} + +// Authenticate 通过 LDAP 验证用户名密码 +func Authenticate(username, password string) (*UserInfo, error) { + ldapConf := sysapp.GetConfigApp().GetConfig(sysentity.ConfigKeyLdapLogin).ToLdapLogin() + conn, err := Connect(ldapConf) + if err != nil { + return nil, errors.Errorf("connect: %v", err) + } + defer func() { _ = conn.Close() }() + + sr, err := conn.Search( + ldap.NewSearchRequest( + ldapConf.BaseDN, + ldap.ScopeWholeSubtree, + ldap.NeverDerefAliases, + 0, + 0, + false, + strings.ReplaceAll(ldapConf.UserFilter, "%s", username), + []string{"dn", ldapConf.UidMap, ldapConf.UdnMap, ldapConf.EmailMap}, + nil, + ), + ) + if err != nil { + return nil, errors.Errorf("search user DN: %v", err) + } else if len(sr.Entries) != 1 { + return nil, errors.Errorf("expect 1 user DN but got %d", len(sr.Entries)) + } + entry := sr.Entries[0] + + // Bind as the user to verify their password + err = conn.Bind(entry.DN, password) + if err != nil { + return nil, errors.Errorf("bind user: %v", err) + } + + userName := entry.GetAttributeValue(ldapConf.UidMap) + if userName == "" { + return nil, errors.Errorf("the attribute %q is not found or has empty value", ldapConf.UidMap) + } + return &UserInfo{ + UserName: userName, + DisplayName: entry.GetAttributeValue(ldapConf.UdnMap), + Email: entry.GetAttributeValue(ldapConf.EmailMap), + }, nil +} + +// Connect 创建 LDAP 连接 +func Connect(ldapConf *sysentity.ConfigLdapLogin) (*ldap.Conn, error) { + conn, err := dial(ldapConf) + if err != nil { + return nil, err + } + + // Bind with a system account + err = conn.Bind(ldapConf.BindDN, ldapConf.BindPwd) + if err != nil { + _ = conn.Close() + return nil, errors.Errorf("bind: %v", err) + } + return conn, nil +} + +func dial(ldapConf *sysentity.ConfigLdapLogin) (*ldap.Conn, error) { + addr := fmt.Sprintf("%s:%s", ldapConf.Host, ldapConf.Port) + tlsConfig := &tls.Config{ + ServerName: ldapConf.Host, + InsecureSkipVerify: ldapConf.SkipTLSVerify, + } + if ldapConf.SecurityProtocol == "LDAPS" { + conn, err := ldap.DialTLS("tcp", addr, tlsConfig) + if err != nil { + return nil, errors.Errorf("dial TLS: %v", err) + } + return conn, nil + } + + conn, err := ldap.Dial("tcp", addr) + if err != nil { + return nil, errors.Errorf("dial: %v", err) + } + if ldapConf.SecurityProtocol == "StartTLS" { + if err = conn.StartTLS(tlsConfig); err != nil { + _ = conn.Close() + return nil, errors.Errorf("start TLS: %v", err) + } + } + return conn, nil +} diff --git a/server/internal/sys/domain/entity/config.go b/server/internal/sys/domain/entity/config.go index 7fcb58e4..c439c68b 100644 --- a/server/internal/sys/domain/entity/config.go +++ b/server/internal/sys/domain/entity/config.go @@ -3,12 +3,14 @@ package entity import ( "encoding/json" "mayfly-go/pkg/model" + "mayfly-go/pkg/utils/stringx" "strconv" ) const ( ConfigKeyAccountLoginSecurity string = "AccountLoginSecurity" // 账号登录安全配置 ConfigKeyOauth2Login string = "Oauth2Login" // oauth2认证登录配置 + ConfigKeyLdapLogin string = "LdapLogin" // ldap登录配置 ConfigKeyDbQueryMaxCount string = "DbQueryMaxCount" // 数据库查询的最大数量 ConfigKeyDbSaveQuerySQL string = "DbSaveQuerySQL" // 数据库是否记录查询相关sql ConfigUseWartermark string = "UseWartermark" // 是否使用水印 @@ -105,13 +107,46 @@ func (c *Config) ToOauth2Login() *ConfigOauth2Login { ol.AuthorizationURL = jm["authorizationURL"] ol.AccessTokenURL = jm["accessTokenURL"] ol.RedirectURL = jm["redirectURL"] - ol.Scopes = jm["scopes"] + ol.Scopes = stringx.Trim(jm["scopes"]) ol.ResourceURL = jm["resourceURL"] ol.UserIdentifier = jm["userIdentifier"] ol.AutoRegister = c.ConvBool(jm["autoRegister"], true) return ol } +type ConfigLdapLogin struct { + Enable bool // 是否启用 + Host string + Port string `json:"port"` + SkipTLSVerify bool `json:"skipTLSVerify"` // 客户端是否跳过 TLS 证书验证 + SecurityProtocol string `json:"securityProtocol"` // 安全协议(为Null不使用安全协议),如: StartTLS, LDAPS + BindDN string `json:"bindDn"` // LDAP 服务的管理员账号,如: "cn=admin,dc=example,dc=com" + BindPwd string `json:"bindPwd"` // LDAP 服务的管理员密码 + BaseDN string `json:"baseDN"` // 用户所在的 base DN, 如: "ou=users,dc=example,dc=com" + UserFilter string `json:"userFilter"` // 过滤用户的方式, 如: "(uid=%s)" + UidMap string `json:"UidMap"` // 用户id和 LDAP 字段名之间的映射关系 + UdnMap string `json:"UdnMap"` // 用户姓名(dispalyName)和 LDAP 字段名之间的映射关系 + EmailMap string `json:"emailMap"` // 用户email和 LDAP 字段名之间的映射关系 +} + +// 转换为LdapLogin结构体 +func (c *Config) ToLdapLogin() *ConfigLdapLogin { + jm := c.GetJsonMap() + ll := new(ConfigLdapLogin) + ll.Enable = c.ConvBool(jm["enable"], false) + ll.Host = jm["host"] + ll.SkipTLSVerify = c.ConvBool(jm["skipTLSVerify"], true) + ll.SecurityProtocol = jm["securityProtocol"] + ll.BindDN = stringx.Trim(jm["bindDN"]) + ll.BindPwd = stringx.Trim(jm["bindPwd"]) + ll.BaseDN = stringx.Trim(jm["baseDN"]) + ll.UserFilter = stringx.Trim(jm["userFilter"]) + ll.UidMap = stringx.Trim(jm["uidMap"]) + ll.UdnMap = stringx.Trim(jm["udnMap"]) + ll.EmailMap = stringx.Trim(jm["emailMap"]) + return ll +} + // 转换配置中的值为bool类型(默认"1"或"true"为true,其他为false) func (c *Config) ConvBool(value string, defaultValue bool) bool { if value == "" { diff --git a/server/mayfly-go.sql b/server/mayfly-go.sql index a4dee2f8..62b9a555 100644 --- a/server/mayfly-go.sql +++ b/server/mayfly-go.sql @@ -439,8 +439,9 @@ CREATE TABLE `t_sys_config` ( -- Records of t_sys_config -- ---------------------------- BEGIN; -INSERT INTO `t_sys_config` (name, `key`, params, value, remark, permission, create_time, creator_id, creator, update_time, modifier_id, modifier) VALUES('账号登录安全设置', 'AccountLoginSecurity', '[{"name":"登录验证码","model":"useCaptcha","placeholder":"是否启用登录验证码","options":"true,false"},{"name":"双因素校验(OTP)","model":"useOtp","placeholder":"是否启用双因素(OTP)校验","options":"true,false"},{"name":"OTP签发人","model":"otpIssuer","placeholder":"otp签发人"},{"name":"允许失败次数","model":"loginFailCount","placeholder":"登录失败n次后禁止登录"},{"name":"禁止登录时间","model":"loginFailMin","placeholder":"登录失败指定次数后禁止m分钟内再次登录"}]', '{"useCaptcha":"true","useOtp":"false","loginFailCount":"5","loginFailMin":"10","otpIssuer":"mayfly-go"}', '系统账号登录相关安全设置', 'admin,', '2023-06-17 11:02:11', 1, 'admin', '2023-06-17 14:18:07', 1, 'admin'); -INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier, is_deleted, delete_time) VALUES('oauth2登录配置', 'Oauth2Login', '[{"name":"是否启用","model":"enable","placeholder":"是否启用oauth2登录","options":"true,false"},{"name":"名称","model":"name","placeholder":"oauth2名称"},{"name":"Client ID","model":"clientId","placeholder":"Client ID"},{"name":"Client Secret","model":"clientSecret","placeholder":"Client Secret"},{"name":"Authorization URL","model":"authorizationURL","placeholder":"Authorization URL"},{"name":"AccessToken URL","model":"accessTokenURL","placeholder":"AccessToken URL"},{"name":"Redirect URL","model":"redirectURL","placeholder":"本系统地址"},{"name":"Scopes","model":"scopes","placeholder":"Scopes"},{"name":"Resource URL","model":"resourceURL","placeholder":"获取用户信息资源地址"},{"name":"UserIdentifier","model":"userIdentifier","placeholder":"用户唯一标识字段;格式为type:fieldPath(string:username)"},{"name":"是否自动注册","model":"autoRegister","placeholder":"","options":"true,false"}]', '', 'oauth2登录相关配置信息', '2023-07-22 13:58:51', 1, 'admin', '2023-07-22 19:34:37', 1, 'admin', 0, NULL); +INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier) VALUES('账号登录安全设置', 'AccountLoginSecurity', '[{"name":"登录验证码","model":"useCaptcha","placeholder":"是否启用登录验证码","options":"true,false"},{"name":"双因素校验(OTP)","model":"useOtp","placeholder":"是否启用双因素(OTP)校验","options":"true,false"},{"name":"OTP签发人","model":"otpIssuer","placeholder":"otp签发人"},{"name":"允许失败次数","model":"loginFailCount","placeholder":"登录失败n次后禁止登录"},{"name":"禁止登录时间","model":"loginFailMin","placeholder":"登录失败指定次数后禁止m分钟内再次登录"}]', '{"useCaptcha":"true","useOtp":"false","loginFailCount":"5","loginFailMin":"10","otpIssuer":"mayfly-go"}', '系统账号登录相关安全设置', '2023-06-17 11:02:11', 1, 'admin', '2023-06-17 14:18:07', 1, 'admin'); +INSERT INTO `t_sys_config` (name, `key`, params, value, remark, permission, create_time, creator_id, creator, update_time, modifier_id, modifier, is_deleted, delete_time) VALUES('oauth2登录配置', 'Oauth2Login', '[{"name":"是否启用","model":"enable","placeholder":"是否启用oauth2登录","options":"true,false"},{"name":"名称","model":"name","placeholder":"oauth2名称"},{"name":"Client ID","model":"clientId","placeholder":"Client ID"},{"name":"Client Secret","model":"clientSecret","placeholder":"Client Secret"},{"name":"Authorization URL","model":"authorizationURL","placeholder":"Authorization URL"},{"name":"AccessToken URL","model":"accessTokenURL","placeholder":"AccessToken URL"},{"name":"Redirect URL","model":"redirectURL","placeholder":"本系统地址"},{"name":"Scopes","model":"scopes","placeholder":"Scopes"},{"name":"Resource URL","model":"resourceURL","placeholder":"获取用户信息资源地址"},{"name":"UserIdentifier","model":"userIdentifier","placeholder":"用户唯一标识字段;格式为type:fieldPath(string:username)"},{"name":"是否自动注册","model":"autoRegister","placeholder":"","options":"true,false"}]', '', 'oauth2登录相关配置信息', 'admin,', '2023-07-22 13:58:51', 1, 'admin', '2023-07-22 19:34:37', 1, 'admin', 0, NULL); +INSERT INTO `t_sys_config` (name, `key`, params, value, remark, permission, create_time, creator_id, creator, update_time, modifier_id, modifier, is_deleted, delete_time) VALUES('ldap登录配置', 'LdapLogin', '[{"name":"是否启用","model":"enable","placeholder":"是否启用","options":"true,false"},{"name":"host","model":"host","placeholder":"host"},{"name":"port","model":"port","placeholder":"port"},{"name":"bindDN","model":"bindDN","placeholder":"LDAP 服务的管理员账号,如: \\"cn=admin,dc=example,dc=com\\""},{"name":"bindPwd","model":"bindPwd","placeholder":"LDAP 服务的管理员密码"},{"name":"baseDN","model":"baseDN","placeholder":"用户所在的 base DN, 如: \\"ou=users,dc=example,dc=com\\""},{"name":"userFilter","model":"userFilter","placeholder":"过滤用户的方式, 如: \\"(uid=%s)、(&(objectClass=organizationalPerson)(uid=%s))\\""},{"name":"uidMap","model":"uidMap","placeholder":"用户id和 LDAP 字段名之间的映射关系,如: cn"},{"name":"udnMap","model":"udnMap","placeholder":"用户姓名(dispalyName)和 LDAP 字段名之间的映射关系,如: displayName"},{"name":"emailMap","model":"emailMap","placeholder":"用户email和 LDAP 字段名之间的映射关系"},{"name":"skipTLSVerify","model":"skipTLSVerify","placeholder":"客户端是否跳过 TLS 证书验证","options":"true,false"},{"name":"安全协议","model":"securityProtocol","placeholder":"安全协议(为Null不使用安全协议),如: StartTLS, LDAPS","options":"Null,StartTLS,LDAPS"}]', '', 'ldap登录相关配置', 'admin,', '2023-08-25 21:47:20', 1, 'admin', '2023-08-25 22:56:07', 1, 'admin', 0, NULL); INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier)VALUES ('是否启用水印', 'UseWartermark', NULL, '1', '1: 启用、0: 不启用', '2022-08-25 23:36:35', 1, 'admin', '2022-08-26 10:02:52', 1, 'admin'); INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier)VALUES ('数据库查询最大结果集', 'DbQueryMaxCount', '[]', '200', '允许sql查询的最大结果集数。注: 0=不限制', '2023-02-11 14:29:03', 1, 'admin', '2023-02-11 14:40:56', 1, 'admin'); INSERT INTO `t_sys_config` (name, `key`, params, value, remark, create_time, creator_id, creator, update_time, modifier_id, modifier)VALUES ('数据库是否记录查询SQL', 'DbSaveQuerySQL', '[]', '0', '1: 记录、0:不记录', '2023-02-11 16:07:14', 1, 'admin', '2023-02-11 16:44:17', 1, 'admin'); @@ -454,7 +455,7 @@ CREATE TABLE `t_sys_log` ( `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT, `type` tinyint(4) NOT NULL COMMENT '类型', `description` varchar(255) DEFAULT NULL COMMENT '描述', - `req_param` varchar(1000) DEFAULT NULL COMMENT '请求信息', + `req_param` varchar(2000) DEFAULT NULL COMMENT '请求信息', `resp` varchar(1000) DEFAULT NULL COMMENT '响应信息', `creator` varchar(36) NOT NULL COMMENT '调用者', `creator_id` bigint(20) NOT NULL COMMENT '调用者id', diff --git a/server/pkg/config/config.go b/server/pkg/config/config.go index 3875d5da..99dc2427 100644 --- a/server/pkg/config/config.go +++ b/server/pkg/config/config.go @@ -43,7 +43,6 @@ type Config struct { Mysql *Mysql `yaml:"mysql"` Redis *Redis `yaml:"redis"` Log *Log `yaml:"log"` - Ldap *Ldap `yaml:"ldap"` } // 配置文件内容校验 diff --git a/server/pkg/config/ldap.go b/server/pkg/config/ldap.go deleted file mode 100644 index 21a7451d..00000000 --- a/server/pkg/config/ldap.go +++ /dev/null @@ -1,45 +0,0 @@ -package config - -// FieldMapping 表示用户属性和 LDAP 字段名之间的映射关系 -type FieldMapping struct { - // Identifier 表示用户标识 - Identifier string `yaml:"identifier,omitempty"` - // DisplayName 表示用户姓名 - DisplayName string `yaml:"displayName,omitempty"` - // Email 表示 Email 地址 - Email string `yaml:"email,omitempty"` -} - -// SecurityProtocol 表示连接 LDAP 服务器的安全协议 -type SecurityProtocol string - -const ( - // SecurityProtocolStartTLS 表示 StartTLS 安全协议 - SecurityProtocolStartTLS SecurityProtocol = "starttls" - // SecurityProtocolLDAPS 表示 LDAPS 安全协议 - SecurityProtocolLDAPS SecurityProtocol = "ldaps" -) - -// Ldap 是 LDAP 服务配置 -type Ldap struct { - // Enabled 表示是否启用 LDAP 登录 - Enabled bool `yaml:"enabled"` - // Host 是 LDAP 服务地址, 如: "ldap.example.com" - Host string `yaml:"host"` - // Port 是 LDAP 服务端口号, 如: 389 - Port int `yaml:"port"` - // SkipTLSVerify 控制客户端是否跳过 TLS 证书验证 - SkipTLSVerify bool `yaml:"skipTlsVerify"` - // BindDN 是 LDAP 服务的管理员账号,如: "cn=admin,dc=example,dc=com" - BindDN string `yaml:"bindDn"` - // BindPassword 是 LDAP 服务的管理员密码 - BindPassword string `yaml:"bindPassword"` - // BaseDN 是用户所在的 base DN, 如: "ou=users,dc=example,dc=com". - BaseDN string `yaml:"baseDn"` - // UserFilter 是过滤用户的方式, 如: "(uid=%s)". - UserFilter string `yaml:"userFilter"` - // SecurityProtocol 是连接使用的 LDAP 安全协议(为空不使用安全协议),如: StartTLS, LDAPS - SecurityProtocol SecurityProtocol `yaml:"securityProtocol"` - // FieldMapping 表示用户属性和 LDAP 字段名之间的映射关系 - FieldMapping FieldMapping `yaml:"fieldMapping"` -} diff --git a/server/pkg/ldap/ldap.go b/server/pkg/ldap/ldap.go deleted file mode 100644 index d62ec78e..00000000 --- a/server/pkg/ldap/ldap.go +++ /dev/null @@ -1,108 +0,0 @@ -package ldap - -import ( - "crypto/tls" - "fmt" - "mayfly-go/pkg/config" - "strings" - - "github.com/go-ldap/ldap/v3" - "github.com/pkg/errors" -) - -type UserInfo struct { - UserName string - DisplayName string - Email string -} - -func dial() (*ldap.Conn, error) { - conf := config.Conf.Ldap - addr := fmt.Sprintf("%s:%d", conf.Host, conf.Port) - tlsConfig := &tls.Config{ - ServerName: conf.Host, - InsecureSkipVerify: conf.SkipTLSVerify, - } - if conf.SecurityProtocol == config.SecurityProtocolLDAPS { - conn, err := ldap.DialTLS("tcp", addr, tlsConfig) - if err != nil { - return nil, errors.Errorf("dial TLS: %v", err) - } - return conn, nil - } - - conn, err := ldap.Dial("tcp", addr) - if err != nil { - return nil, errors.Errorf("dial: %v", err) - } - if conf.SecurityProtocol == config.SecurityProtocolStartTLS { - if err = conn.StartTLS(tlsConfig); err != nil { - _ = conn.Close() - return nil, errors.Errorf("start TLS: %v", err) - } - } - return conn, nil -} - -// Connect 创建 LDAP 连接 -func Connect() (*ldap.Conn, error) { - conn, err := dial() - if err != nil { - return nil, err - } - - // Bind with a system account - conf := config.Conf.Ldap - err = conn.Bind(conf.BindDN, conf.BindPassword) - if err != nil { - _ = conn.Close() - return nil, errors.Errorf("bind: %v", err) - } - return conn, nil -} - -// Authenticate 通过 LDAP 验证用户名密码 -func Authenticate(username, password string) (*UserInfo, error) { - conn, err := Connect() - if err != nil { - return nil, errors.Errorf("connect: %v", err) - } - defer func() { _ = conn.Close() }() - - conf := config.Conf.Ldap - sr, err := conn.Search( - ldap.NewSearchRequest( - conf.BaseDN, - ldap.ScopeWholeSubtree, - ldap.NeverDerefAliases, - 0, - 0, - false, - strings.ReplaceAll(conf.UserFilter, "%s", username), - []string{"dn", conf.FieldMapping.Identifier, conf.FieldMapping.DisplayName, conf.FieldMapping.Email}, - nil, - ), - ) - if err != nil { - return nil, errors.Errorf("search user DN: %v", err) - } else if len(sr.Entries) != 1 { - return nil, errors.Errorf("expect 1 user DN but got %d", len(sr.Entries)) - } - entry := sr.Entries[0] - - // Bind as the user to verify their password - err = conn.Bind(entry.DN, password) - if err != nil { - return nil, errors.Errorf("bind user: %v", err) - } - - userName := entry.GetAttributeValue(conf.FieldMapping.Identifier) - if userName == "" { - return nil, errors.Errorf("the attribute %q is not found or has empty value", conf.FieldMapping.Identifier) - } - return &UserInfo{ - UserName: userName, - DisplayName: entry.GetAttributeValue(conf.FieldMapping.DisplayName), - Email: entry.GetAttributeValue(conf.FieldMapping.Email), - }, nil -}