37 Star 407 Fork 74

GVPrancher/rancher

加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
user_actions.go 4.60 KB
一键复制 编辑 原始数据 按行查看 历史
Craig Jellick 提交于 2019-02-08 14:33 . Auth refresh in HA unreliable
package authn
import (
"net/http"
"strings"
"github.com/pkg/errors"
"github.com/rancher/norman/httperror"
"github.com/rancher/norman/parse"
"github.com/rancher/norman/types"
"github.com/rancher/rancher/pkg/auth/providerrefresh"
"github.com/rancher/rancher/pkg/settings"
"github.com/rancher/types/apis/management.cattle.io/v3"
"github.com/rancher/types/client/management/v3"
"golang.org/x/crypto/bcrypt"
"k8s.io/apimachinery/pkg/apis/meta/v1"
)
func (h *Handler) UserFormatter(apiContext *types.APIContext, resource *types.RawResource) {
resource.AddAction(apiContext, "setpassword")
if canRefresh := h.userCanRefresh(apiContext); canRefresh {
resource.AddAction(apiContext, "refreshauthprovideraccess")
}
}
func (h *Handler) CollectionFormatter(apiContext *types.APIContext, collection *types.GenericCollection) {
collection.AddAction(apiContext, "changepassword")
if canRefresh := h.userCanRefresh(apiContext); canRefresh {
collection.AddAction(apiContext, "refreshauthprovideraccess")
}
}
type Handler struct {
UserClient v3.UserInterface
GlobalRoleBindingsClient v3.GlobalRoleBindingInterface
UserAuthRefresher providerrefresh.UserAuthRefresher
}
func (h *Handler) Actions(actionName string, action *types.Action, apiContext *types.APIContext) error {
switch actionName {
case "changepassword":
if err := h.changePassword(actionName, action, apiContext); err != nil {
return err
}
case "setpassword":
if err := h.setPassword(actionName, action, apiContext); err != nil {
return err
}
case "refreshauthprovideraccess":
if err := h.refreshAttributes(actionName, action, apiContext); err != nil {
return err
}
default:
return errors.Errorf("bad action %v", actionName)
}
if !strings.EqualFold(settings.FirstLogin.Get(), "false") {
if err := settings.FirstLogin.Set("false"); err != nil {
return err
}
}
return nil
}
func (h *Handler) changePassword(actionName string, action *types.Action, request *types.APIContext) error {
actionInput, err := parse.ReadBody(request.Request)
if err != nil {
return err
}
store := request.Schema.Store
if store == nil {
return errors.New("no user store available")
}
userID := request.Request.Header.Get("Impersonate-User")
if userID == "" {
return errors.New("can't find user")
}
currentPass, ok := actionInput["currentPassword"].(string)
if !ok || len(currentPass) == 0 {
return httperror.NewAPIError(httperror.InvalidBodyContent, "must specify current password")
}
newPass, ok := actionInput["newPassword"].(string)
if !ok || len(newPass) == 0 {
return httperror.NewAPIError(httperror.InvalidBodyContent, "invalid new password")
}
user, err := h.UserClient.Get(userID, v1.GetOptions{})
if err != nil {
return err
}
if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(currentPass)); err != nil {
return httperror.NewAPIError(httperror.InvalidBodyContent, "invalid current password")
}
newPassHash, err := HashPasswordString(newPass)
if err != nil {
return err
}
user.Password = newPassHash
user.MustChangePassword = false
user, err = h.UserClient.Update(user)
if err != nil {
return err
}
return nil
}
func (h *Handler) setPassword(actionName string, action *types.Action, request *types.APIContext) error {
actionInput, err := parse.ReadBody(request.Request)
if err != nil {
return err
}
store := request.Schema.Store
if store == nil {
return errors.New("no user store available")
}
userData, err := store.ByID(request, request.Schema, request.ID)
if err != nil {
return err
}
newPass, ok := actionInput["newPassword"].(string)
if !ok || len(newPass) == 0 {
return errors.New("Invalid password")
}
userData[client.UserFieldPassword] = newPass
if err := hashPassword(userData); err != nil {
return err
}
userData[client.UserFieldMustChangePassword] = false
delete(userData, "me")
userData, err = store.Update(request, request.Schema, userData, request.ID)
if err != nil {
return err
}
request.WriteResponse(http.StatusOK, userData)
return nil
}
func (h *Handler) refreshAttributes(actionName string, action *types.Action, request *types.APIContext) error {
canRefresh := h.userCanRefresh(request)
if !canRefresh {
return errors.New("Not Allowed")
}
if request.ID != "" {
h.UserAuthRefresher.TriggerUserRefresh(request.ID, true)
} else {
h.UserAuthRefresher.TriggerAllUserRefresh()
}
request.WriteResponse(http.StatusOK, nil)
return nil
}
func (h *Handler) userCanRefresh(request *types.APIContext) bool {
return request.AccessControl.CanDo(v3.UserGroupVersionKind.Group, v3.UserResource.Name, "create", request, nil, request.Schema) == nil
}
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/rancher/rancher.git
git@gitee.com:rancher/rancher.git
rancher
rancher
rancher
v2.2.4-rc16

搜索帮助