Go login #2010
Conversation
A next step will be persisting a single connection to ldap for reuse with a singleton or similar implementation.
Refer to this link for build results (access rights to CI server needed):
Changes need to be made for the following requirements:
- 2 files missing the Apache header.
- also add a note to the CHANGELOG.md
I'll test this out soon -- can't get to it today, tho..
@@ -0,0 +1,101 @@ | |||
package auth |
Needs the Apache license header
@@ -0,0 +1,111 @@ | |||
package auth |
Needs the Apache license header
traffic_ops/install/bin/_postinstall
for my $k (@requiredKeys) { | ||
if (! exists $ldapConf{$k} ) { | ||
errorOut("$k is a required key in $fileName"); | ||
} | ||
} | ||
|
||
delete $ldapConf{setupLdap} | ||
|
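Review bot: the required-key loop at `for my $k (@requiredKeys)` calls errorOut on the first missing key, so an operator whose LDAP config file lacks several keys discovers them one run at a time; collect the missing keys and report them in a single errorOut. The `delete $ldapConf{setupLdap}` line also needs its terminating `;` before this file will compile.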
syntax error here -- missing ; at the end of that delete
handleErrs(http.StatusBadRequest, err) | ||
return | ||
} | ||
authenticated, err := checkLocalUser(form, db) |
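Review bot: the error returned by `checkLocalUser(form, db)` is not handled in the visible lines; a database lookup failure must be distinguished from a wrong password, answered with a server error rather than folded into `authenticated == false`, and must not fall through to the LDAP check, otherwise an outage of the local user store silently changes which credentials are accepted. Since the existence check belongs before any password verification, have the lookup return the user row and its role so the caller can reject an unknown or disallowed user before touching the password hash or LDAP.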
this needs to check that the local user exists first without checking the password. If it doesn't exist or user's role is disallowed, immediately error out without checking LDAP.
if cfg.LDAPConfPath != "" { | ||
cfg.LDAPEnabled, cfg.ConfigLDAP, err = GetLDAPConfig(cfg.LDAPConfPath) | ||
if err != nil { | ||
cfg.LDAPEnabled = false // probably unnecessary |
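Review bot: when GetLDAPConfig fails, `cfg.LDAPEnabled = false` silently degrades a deployment that relies on LDAP to local-only authentication, and the error is only visible if the caller logs it; a bad LDAPConfPath or an unparsable file should be fatal at startup, or at the very least logged at error level, rather than swallowed. Drop the `// probably unnecessary` hedge: the assignment is the intended fail-closed behaviour, so keep it without the comment and treat every other return value of the failed call as undefined.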
I'd support removing this comment. All return values should be treated as undefined, if a returned error is not nil.
I'd rather omit the comment, than have someone remove the line because of the comment in the future.
+1
} | ||
err = VerifyPassword(form.Password, hashedPassword) | ||
if err != nil { | ||
if hashedPassword == sha1Hex(form.Password) { |
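Review bot: `hashedPassword == sha1Hex(form.Password)` compares the two hex digests with a plain string ==, which stops at the first differing byte; use subtle.ConstantTimeCompare on the byte slices, as the scrypt path should. Because the SHA-1 digest is unsalted and exists only for backwards compatibility, a match here should also rehash form.Password with scrypt and update the stored value so the legacy digest disappears on first login, and the fallback should run only when the stored value actually looks like a SHA-1 digest (40 hex characters), not on every scrypt verification failure.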
Should this be part of VerifyPassword?
I renamed VerifyPassword to VerifySCRYPTPassword since the sha1Hex check is for backwards compatibility.
Needs to vendor gopkg.in/asn1-ber.v1
../vendor/gopkg.in/ldap.v2/add.go:16:2: cannot find package "gopkg.in/asn1-ber.v1"
I think this needs to check for the
Making it configurable is good, but we should support the existing method too, and not require a config change on upgrade.
} | ||
|
||
func getLDAPConf(s string) (*ConfigLDAP, error) { | ||
ldapConf := ConfigLDAP{} |
The LDAP timeout should have a reasonable default. It's defaulting to 0 now, and my LDAP (which is probably misconfigured) is hanging indefinitely. I'd suggest something like 10 seconds, if it isn't set in the config.
Should be accomplished by changing this to
const DefaultLDAPTimeout = time.Duration(60 * time.Second)
ldapConf := ConfigLDAP{LDAPTimeoutSecs: DefaultLDAPTimeout / time.Second}
Verified all concerns have been addressed.
Looks good! Tested, everything works
This fixes #1247
This PR implements api/1.3/user/login in go. It follows the same login flow as perl (except the token flow):
- check the local user password using scrypt
- check the local user password using sha1
- if ldap is configured check password using ldap
- if any match the user is logged in.
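The login order described above, as an added example in Go that is not code from this PR or the project. It assumes a constructed LocalUser record, a single generic ErrUnauthorized, a PBKDF2-HMAC-SHA256 stand-in for the scrypt verifier so the file runs on the standard library alone, an injected ldapCheck callback where nil means LDAP is not configured, and the reviewer's request in this thread that the user's existence and role are checked before any password and before LDAP; the legacy SHA-1 comparison is done in constant time:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// LocalUser is a constructed stand-in for the local user row (assumption); Hash is
// "pbkdf2$<iters>$<salt hex>$<dk hex>" or a bare 40-char legacy SHA-1 hex digest.
type LocalUser struct{ Username, Hash, Role string }

// One generic error for every failure and a constructed list of roles that may never log in (assumptions).
var ErrUnauthorized = errors.New("unauthorized")
var disallowedRoles = map[string]bool{"disallowed": true}

const kdfIters = 4096 // small so the demo is fast; production uses scrypt

// pbkdf2SHA256 is single-block RFC 8018 PBKDF2-HMAC-SHA256 (32-byte key), a stdlib stand-in for scrypt.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// HashPassword produces the stored form for a new or rehashed password.
func HashPassword(password string, salt []byte) string {
	return fmt.Sprintf("pbkdf2$%d$%x$%x", kdfIters, salt, pbkdf2SHA256([]byte(password), salt, kdfIters))
}

// VerifyKDFPassword recomputes the KDF from the stored parameters and compares in constant time;
// malformed input (including a legacy SHA-1 string) simply fails.
func VerifyKDFPassword(password, stored string) error {
	p := strings.Split(stored, "$")
	if len(p) != 4 || p[0] != "pbkdf2" {
		return errors.New("not a pbkdf2 hash")
	}
	iters, err := strconv.Atoi(p[1])
	salt, err1 := hex.DecodeString(p[2])
	want, err2 := hex.DecodeString(p[3])
	if err != nil || iters < 1 || err1 != nil || err2 != nil {
		return errors.New("malformed stored hash")
	}
	if subtle.ConstantTimeCompare(pbkdf2SHA256([]byte(password), salt, iters), want) != 1 {
		return errors.New("password mismatch")
	}
	return nil
}

// sha1Hex is the unsalted legacy digest kept only for backwards compatibility.
func sha1Hex(s string) string { sum := sha1.Sum([]byte(s)); return hex.EncodeToString(sum[:]) }

// IsLegacyHash flags a bare SHA-1 digest that should be rehashed after the next successful login.
func IsLegacyHash(stored string) bool { _, err := hex.DecodeString(stored); return len(stored) == 40 && err == nil }

// Login applies the PR's order of checks plus the reviewer's fix: the local user must exist with a
// permitted role before any password is tested; then the KDF hash, then legacy SHA-1, then LDAP only
// when configured (ldapCheck != nil). An LDAP error is returned as such, not as a wrong password.
func Login(username, password string, lookup func(string) (*LocalUser, bool), ldapCheck func(user, pw string) (bool, error)) (bool, error) {
	user, ok := lookup(username)
	if !ok || disallowedRoles[user.Role] {
		return false, ErrUnauthorized // unknown or disallowed user never reaches LDAP
	}
	if VerifyKDFPassword(password, user.Hash) == nil {
		return true, nil
	}
	if IsLegacyHash(user.Hash) && subtle.ConstantTimeCompare([]byte(sha1Hex(password)), []byte(user.Hash)) == 1 {
		return true, nil // legacy match: hex digests compared in constant time, not with ==
	}
	if ldapCheck != nil {
		if ok, err := ldapCheck(username, password); err != nil {
			return false, err
		} else if ok {
			return true, nil
		}
	}
	return false, ErrUnauthorized
}

func main() {
	bob := &LocalUser{"bob", sha1Hex("legacy-pw"), "operations"} // constructed demo record
	ok, err := Login("bob", "legacy-pw", func(string) (*LocalUser, bool) { return bob, true }, nil)
	fmt.Println("bob legacy login:", ok, err, "needs rehash:", IsLegacyHash(bob.Hash))
}
```

With this order an unknown username or a disallowed role never generates LDAP traffic, LDAP is only ever asked about a credential the local store already failed, and IsLegacyHash tells the caller when to store HashPassword's output after a successful legacy login so the unsalted SHA-1 digest disappears.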