tronnet/user-manager-api
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
3e3723a2081019b290fd7f3b149c40388f971629
user-manager-api/app/main.go
Arthur Lu 3e3723a208 create realm configurations from proxmox domain configuration using api token, 
update go mod with domain sync fixes from go-proxmox
2026-04-04 22:24:15 +00:00

366 lines
9.6 KiB
Go
Raw Blame History

package app
import (
"context"
"crypto/rand"
"crypto/tls"
"fmt"
"log"
"net/http"
"strconv"
common "user-manager-api/app/common"
ldap "user-manager-api/app/ldap"
pve "user-manager-api/app/pve"
"github.com/gin-contrib/sessions"
"github.com/gin-contrib/sessions/cookie"
"github.com/gin-gonic/gin"
"github.com/luthermonson/go-proxmox"
uuid "github.com/nu7hatch/gouuid"
)
var Version = "0.0.1"
var Config common.Config
var UserSessions map[string]*UserSession
var Realms map[string]Realm
func Run(configPath *string) {
// load config values
var err error
Config, err = common.GetConfig(*configPath)
if err != nil {
log.Fatalf("Error when reading config file: %s\n", err)
}
log.Printf("Read in config from %s\n", *configPath)
// setup router
gin.SetMode(gin.ReleaseMode)
router := SetupAPISessionStore(&Config)
// get realms from proxmox
Realms = make(map[string]Realm)
Realms = GetRealmsFromPVE(&Config)
// make global session map
UserSessions = make(map[string]*UserSession)
router.GET("/version", func(c *gin.Context) {
c.JSON(200, gin.H{"version": Version})
})
router.POST("/ticket", func(c *gin.Context) {
body := common.Login{}
err := c.ShouldBind(&body)
if err != nil { // bad request from binding
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
// attempt to parse username
body.Username, err = common.ParseUsername(body.UsernameRaw)
if err != nil { // username format incorrect
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
handler := Realms[body.Username.Realm].Type
userbackends := UserSession{}
// always bind proxmox backend
PVEClient, code, err := pve.NewClientFromCredentials(Config.PVE, body.Username, body.Password)
if err != nil { // pve client failed to bind
c.JSON(code, gin.H{"auth": false, "error": err.Error()})
return
}
userbackends.PVE = PVEClient
// bind ldap backend if backend is ldap
if handler == "ldap" {
config := Realms[body.Username.Realm].Config.(ldap.LDAPConfig)
LDAPClient, code, err := ldap.NewClientFromCredentials(config, body.Username, body.Password)
if err != nil { // ldap client failed to bind
c.JSON(code, gin.H{"auth": false, "error": err.Error()})
return
}
userbackends.Realm.Name = body.Username.Realm
userbackends.Realm.Handler = LDAPClient
}
// successful binding at this point
// create new session
session := sessions.Default(c)
// create random uuid to map user to backends
uuid, _ := uuid.NewV4()
// set uuid mapping in session
session.Set("SessionUUID", uuid.String())
// set uuid mapping in LDAPSessions
UserSessions[uuid.String()] = &userbackends
// save the session
session.Save()
// return successful auth
c.JSON(http.StatusOK, gin.H{"auth": true})
})
router.DELETE("/ticket", func(c *gin.Context) {
// get session uuid from session cookie
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
// delete uuid entry from user sessions
delete(UserSessions, uuid)
session.Options(sessions.Options{MaxAge: -1}) // set max age to -1 so session cookie is deleted
session.Save()
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
})
router.POST("/pools/:poolid", func(c *gin.Context) {
poolid, ok := c.Params.Get("poolid")
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter poolid")})
return
}
backends, code, err := GetUserSessionFromContext(c)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
return
}
code, err = NewPool(backends, poolid)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
} else {
c.Status(200)
}
})
router.DELETE("/pools/:poolid", func(c *gin.Context) {
poolid, ok := c.Params.Get("poolid")
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter poolid")})
return
}
backends, code, err := GetUserSessionFromContext(c)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
return
}
code, err = DelPool(backends, poolid)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
} else {
c.Status(200)
}
})
router.POST("/groups/:groupid", func(c *gin.Context) {
groupid, ok := c.Params.Get("groupid")
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
return
}
groupname, err := common.ParseGroupname(groupid)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err})
return
}
backends, code, err := GetUserSessionFromContext(c)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
return
}
code, err = NewGroup(backends, groupname)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
} else {
c.Status(200)
}
})
router.DELETE("/groups/:groupid", func(c *gin.Context) {
groupid, ok := c.Params.Get("groupid")
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
return
}
groupname, err := common.ParseGroupname(groupid)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err})
return
}
backends, code, err := GetUserSessionFromContext(c)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
return
}
code, err = DelGroup(backends, groupname)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
} else {
c.Status(200)
}
})
router.POST("/pools/:poolid/groups/:groupid", func(c *gin.Context) {
poolid, ok := c.Params.Get("poolid")
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
return
}
groupid, ok := c.Params.Get("groupid")
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
return
}
groupname, err := common.ParseGroupname(groupid)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err})
return
}
backends, code, err := GetUserSessionFromContext(c)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
return
}
code, err = AddGroupToPool(backends, groupname, poolid)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
} else {
c.Status(200)
}
})
router.DELETE("/pools/:poolid/groups/:groupid", func(c *gin.Context) {
poolid, ok := c.Params.Get("poolid")
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
return
}
groupid, ok := c.Params.Get("groupid")
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Errorf("Missing required path parameter groupid")})
return
}
groupname, err := common.ParseGroupname(groupid)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err})
return
}
backends, code, err := GetUserSessionFromContext(c)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
return
}
code, err = DelGroupFromPool(backends, groupname, poolid)
if err != nil {
c.JSON(code, gin.H{"error": err.Error()})
} else {
c.Status(200)
}
})
log.Printf("Starting User Manager API on port %s\n", strconv.Itoa(Config.ListenPort))
err = router.Run("0.0.0.0:" + strconv.Itoa(Config.ListenPort))
if err != nil {
log.Fatalf("Error starting router: %s", err.Error())
}
}
func SetupAPISessionStore(config *common.Config) *gin.Engine {
secretKey := make([]byte, 256)
n, _ := rand.Read(secretKey) // rand Read never returns an error, always crashes on error
log.Printf("Generated session secret key of length %d\n", n)
router := gin.Default()
store := cookie.NewStore(secretKey)
store.Options(sessions.Options{
Path: config.SessionCookie.Path,
HttpOnly: config.SessionCookie.HttpOnly,
Secure: config.SessionCookie.Secure,
MaxAge: config.SessionCookie.MaxAge,
})
router.Use(sessions.Sessions(config.SessionCookieName, store))
log.Printf("Started cookie store (Name: %s Params: %+v)\n", config.SessionCookieName, config.SessionCookie)
return router
}
func GetRealmsFromPVE(config *common.Config) map[string]Realm {
realms := map[string]Realm{}
HTTPClient := http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
},
}
token := fmt.Sprintf(`%s@%s!%s`, config.PVE.Token.User, config.PVE.Token.Realm, config.PVE.Token.ID)
client := proxmox.NewClient(config.PVE.URL,
proxmox.WithHTTPClient(&HTTPClient),
proxmox.WithAPIToken(token, config.PVE.Token.UUID),
)
pverealms, err := client.Domains(context.Background())
if err != nil {
// failure to get realms is a fatal error
log.Fatalf("Error getting authentication realms: %s", err.Error())
}
// add required pve realm handler, removing the pve api token
pveconfig := common.PVEConfig{
URL: config.PVE.URL,
PAASClientRole: config.PVE.PAASClientRole,
}
realms["pve"] = Realm{
Type: "pve",
Config: pveconfig,
}
log.Printf("Configured default authentication realm pve")
// iterate through handlers and
for _, r := range pverealms {
realm, err := client.Domain(context.Background(), r.Realm)
if err != nil {
log.Printf("Error getting authentication realm %s: %s", r.Realm, err.Error())
}
if realm.Type == "ldap" {
ldapconfig := ldap.LDAPConfig{
BaseDN: realm.BaseDN,
LdapURL: fmt.Sprintf("ldap://%s", realm.Server1),
StartTLS: realm.Mode == "ldap+starttls",
}
realms[realm.Realm] = Realm{
Type: realm.Type,
Config: ldapconfig,
}
log.Printf("Configured external authentication realm %s", realm.Realm)
} else {
continue
}
}
return realms
}
Reference in New Issue View Git Blame Copy Permalink