Go login #2010
Go login #2010
Conversation
|
A next step will be persisting a single connection to ldap for reuse with a singleton or similar implementation. |
|
Refer to this link for build results (access rights to CI server needed): |
|
Changes need to be made for the following requirements:
|
| @@ -0,0 +1,101 @@ | |||
| package auth | |||
There was a problem hiding this comment.
Needs the Apache license header
| @@ -0,0 +1,111 @@ | |||
| package auth | |||
There was a problem hiding this comment.
Needs the Apache license header
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
traffic_ops/install/bin/_postinstall
Outdated
| for my $k (@requiredKeys) { | ||
| if (! exists $ldapConf{$k} ) { | ||
| errorOut("$k is a required key in $fileName"); | ||
| } | ||
| } | ||
|
|
||
| delete $ldapConf{setupLdap} | ||
|
|
There was a problem hiding this comment.
syntax error here -- missing ; at the end of that delete
|
Refer to this link for build results (access rights to CI server needed): |
| handleErrs(http.StatusBadRequest, err) | ||
| return | ||
| } | ||
| authenticated, err := checkLocalUser(form, db) |
There was a problem hiding this comment.
this needs to check that the local user exists first without checking the password. If it doesn't exist or user's role is disallowed, immediately error out without checking LDAP.
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
| if cfg.LDAPConfPath != "" { | ||
| cfg.LDAPEnabled, cfg.ConfigLDAP, err = GetLDAPConfig(cfg.LDAPConfPath) | ||
| if err != nil { | ||
| cfg.LDAPEnabled = false // probably unnecessary |
There was a problem hiding this comment.
I'd support removing this comment. All return values should be treated as undefined, if a returned error is not nil.
I'd rather omit the comment, than have someone remove the line because of the comment in the future.
| } | ||
| err = VerifyPassword(form.Password, hashedPassword) | ||
| if err != nil { | ||
| if hashedPassword == sha1Hex(form.Password) { |
There was a problem hiding this comment.
Should this be part of VerifyPassword?
There was a problem hiding this comment.
I renamed VerifyPassword to VerifySCRYPTPassword since the sha1Hex check is for backwards compatibility.
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
|
I think this needs to check for the Making it configurable is good, but we should support the existing method too, and not require a config change on upgrade. |
| } | ||
|
|
||
| func getLDAPConf(s string) (*ConfigLDAP, error) { | ||
| ldapConf := ConfigLDAP{} |
There was a problem hiding this comment.
The LDAP timeout should have a reasonable default. It's defaulting to 0 now, and my LDAP (which is probably misconfigured) is hanging indefinitely. I'd suggest something like 10 seconds, if it isn't set in the config.
Should be accomplished by changing this to
const DefaultLDAPTimeout = time.Duration(60 * time.Second)
ldapConf := ConfigLDAP{LDAPTimeoutSecs: DefaultLDAPTimeout / time.Second}
|
Refer to this link for build results (access rights to CI server needed): |
rob05c
dismissed
dangogh’s stale review
Verified all concerns have been addressed.
|
Looks good! Tested, everything works
|
zrhoffman
added
the
authentication
This fixes #1247
This PR implements api/1.3/user/login in go. It follows the same login flow as perl (except the token flow):
check the local user password using scrypt
check the local user password using hash1
if ldap is configured check password using ldap
if any match the user is logged in.