7x31
/
anylink
mirror of https://github.com/bjdgyc/anylink.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

新增LDAP认证方式

This commit is contained in:
lanrenwo 2022-07-04 12:55:04 +08:00
parent 918859cc62
commit d1414c6b5d
6 changed files with 260 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
server/dbdata/group.go
View File

@ -159,8 +159,7 @@ func SetGroup(g *Group) error {
if authType == "local" {
g.Auth = defAuth
} else {
_, ok := authRegistry[authType]
if !ok {
if _, ok := authRegistry[authType]; !ok {
return errors.New("未知的认证方式: " + authType)
}
auth := makeInstance(authType).(IUserAuth)
@ -168,6 +167,11 @@ func SetGroup(g *Group) error {
if err != nil {
return err
}
// 重置Auth 删除多余的key
g.Auth = map[string]interface{}{
"type": authType,
authType: g.Auth[authType],
}
}
g.UpdatedAt = time.Now()

18
server/dbdata/group_test.go
View File

@ -41,8 +41,24 @@ func TestGetGroupNames(t *testing.T) {
err = SetGroup(&g6)
ast.Nil(err)
authData = map[string]interface{}{
"type": "ldap",
"ldap": map[string]interface{}{
"addr": "192.168.8.12:389",
"tls": true,
"bind_name": "userfind@abc.com",
"bind_pwd": "afdbfdsafds",
"base_dn": "dc=abc,dc=com",
"search_attr": "sAMAccountName",
"member_of": "cn=vpn,cn=user,dc=abc,dc=com",
},
}
g7 := Group{Name: "g7", ClientDns: []ValData{{Val: "114.114.114.114"}}, Auth: authData}
err = SetGroup(&g7)
ast.Nil(err)
// 判断所有数据
gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6"}
gAll := []string{"g1", "g2", "g3", "g4", "g5", "g6", "g7"}
gs := GetGroupNames()
for _, v := range gs {
ast.Equal(true, utils.InArrStr(gAll, v))

2
server/dbdata/tables.go
View File

@ -17,7 +17,7 @@ type Group struct {
DsIncludeDomains string `json:"ds_include_domains" xorm:"Text"`
LinkAcl []GroupLinkAcl `json:"link_acl" xorm:"Text"`
Bandwidth int `json:"bandwidth" xorm:"Int"` // 带宽限制
Auth map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(255)"` // 认证方式
Auth map[string]interface{} `json:"auth" xorm:"not null default '{}' varchar(500)"` // 认证方式
Status int8 `json:"status" xorm:"Int"` // 1正常
CreatedAt time.Time `json:"created_at" xorm:"DateTime created"`
UpdatedAt time.Time `json:"updated_at" xorm:"DateTime updated"`

22
server/dbdata/user_test.go
View File

@ -56,7 +56,6 @@ func TestCheckUser(t *testing.T) {
err = CheckUser("aaa", "bbbbbbb", group2)
if ast.NotNil(err) {
ast.Equal("aaa Radius服务器连接异常, 请检测服务器和端口", err.Error())
}
// 添加用户策略
dns2 := []ValData{{Val: "8.8.8.8"}}
@ -66,4 +65,25 @@ func TestCheckUser(t *testing.T) {
ast.Nil(err)
err = CheckUser("aaa", u.PinCode, group)
ast.Nil(err)
// 添加一个ldap组
group3 := "group3"
authData = map[string]interface{}{
"type": "ldap",
"ldap": map[string]interface{}{
"addr": "192.168.8.12:389",
"tls": true,
"bind_name": "userfind@abc.com",
"bind_pwd": "afdbfdsafds",
"base_dn": "dc=abc,dc=com",
"search_attr": "sAMAccountName",
"member_of": "cn=vpn,cn=user,dc=abc,dc=com",
},
}
g3 := Group{Name: group3, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
err = SetGroup(&g3)
ast.Nil(err)
err = CheckUser("aaa", "bbbbbbb", group3)
if ast.NotNil(err) {
ast.Equal("aaa LDAP服务器连接异常, 请检测服务器和端口", err.Error())
}
}

136
server/dbdata/userauth_ldap.go Normal file
View File

@ -0,0 +1,136 @@
package dbdata
import (
"crypto/tls"
"encoding/json"
"errors"
"fmt"
"net"
"reflect"
"regexp"
"time"
"github.com/go-ldap/ldap"
)
type AuthLdap struct {
Addr string `json:"addr"`
Tls bool `json:"tls"`
BindName string `json:"bind_name"`
BindPwd string `json:"bind_pwd"`
BaseDn string `json:"base_dn"`
SearchAttr string `json:"search_attr"`
MemberOf string `json:"member_of"`
}
func init() {
authRegistry["ldap"] = reflect.TypeOf(AuthLdap{})
}
func (auth AuthLdap) checkData(authData map[string]interface{}) error {
authType := authData["type"].(string)
bodyBytes, err := json.Marshal(authData[authType])
if err != nil {
return errors.New("LDAP配置填写有误")
}
json.Unmarshal(bodyBytes, &auth)
// 支持域名和IP, 必须填写端口
if !ValidateIpPort(auth.Addr) && !ValidateDomainPort(auth.Addr) {
return errors.New("LDAP的服务器地址(含端口)填写有误")
}
if auth.BindName == "" {
return errors.New("LDAP的用户查询账号不能为空")
}
if auth.BindPwd == "" {
return errors.New("LDAP的用户查询密码不能为空")
}
if auth.BaseDn == "" || !ValidateDN(auth.BaseDn) {
return errors.New("LDAP的BaseName填写有误")
}
if auth.SearchAttr == "" {
return errors.New("LDAP的搜索属性不能为空")
}
if auth.MemberOf != "" && !ValidateDN(auth.MemberOf) {
return errors.New("LDAP的绑定DN填写有误")
}
return nil
}
func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
pl := len(pwd)
if name == "" || pl < 1 {
return fmt.Errorf("%s %s", name, "密码错误")
}
authType := g.Auth["type"].(string)
if _, ok := g.Auth[authType]; !ok {
return fmt.Errorf("%s %s", name, "LDAP的ldap值不存在")
}
bodyBytes, err := json.Marshal(g.Auth[authType])
if err != nil {
return fmt.Errorf("%s %s", name, "LDAP Marshal出现错误")
}
err = json.Unmarshal(bodyBytes, &auth)
if err != nil {
return fmt.Errorf("%s %s", name, "LDAP Unmarshal出现错误")
}
// 检测服务器和端口的可用性
_, err = net.DialTimeout("tcp", auth.Addr, 3*time.Second)
if err != nil {
return fmt.Errorf("%s %s", name, "LDAP服务器连接异常, 请检测服务器和端口")
}
// 连接LDAP
l, err := ldap.Dial("tcp", auth.Addr)
if err != nil {
return fmt.Errorf("LDAP连接失败 %s %s", auth.Addr, err.Error())
}
defer l.Close()
if auth.Tls {
err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
if err != nil {
return fmt.Errorf("%s LDAP TLS连接失败 %s", name, err.Error())
}
}
err = l.Bind(auth.BindName, auth.BindPwd)
if err != nil {
return fmt.Errorf("%s LDAP 查询用户的账密有误,请重新检查 %s", name, err.Error())
}
filterAttr := "(objectClass=person)"
filterAttr += "(" + auth.SearchAttr + "=" + name + ")"
if auth.MemberOf != "" {
filterAttr += "(memberOf:=" + auth.MemberOf + ")"
}
searchRequest := ldap.NewSearchRequest(
auth.BaseDn,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 3, false,
fmt.Sprintf("(&%s)", filterAttr),
[]string{},
nil,
)
sr, err := l.Search(searchRequest)
if err != nil {
return fmt.Errorf("%s LDAP 查询失败 %s %s %s", name, auth.BaseDn, filterAttr, err.Error())
}
if len(sr.Entries) != 1 {
if len(sr.Entries) == 0 {
return fmt.Errorf("LDAP 找不到 %s 用户, 请检查用户或LDAP配置参数", name)
}
return fmt.Errorf("LDAP发现 %s 用户,存在多个账号", name)
}
userDN := sr.Entries[0].DN
fmt.Println(userDN)
err = l.Bind(userDN, pwd)
if err != nil {
return fmt.Errorf("%s LDAP 登入失败,请检查登入的账号或密码 %s", name, err.Error())
}
return nil
}
func ValidateDomainPort(addr string) bool {
re := regexp.MustCompile(`^([a-zA-Z0-9][-a-zA-Z0-9]{0,62}\.)+[A-Za-z]{2,18}\:([0-9]|[1-9]\d{1,3}|[1-5]\d{4}|6[0-5]{2}[0-3][0-5])$`)
return re.MatchString(addr)
}
func ValidateDN(dn string) bool {
re := regexp.MustCompile(`^(?:(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+,)*(?:CN|cn|OU|ou|DC|dc)\=[^,'"]+$`)
return re.MatchString(dn)
}

99
web/src/pages/group/List.vue
View File

@ -228,22 +228,45 @@
<el-tab-pane label="认证方式" name="authtype">
<el-form-item label="认证" prop="authtype">
<el-radio-group v-model="ruleForm.auth.type">
<el-radio-group v-model="ruleForm.auth.type" @change="authTypeChange">
<el-radio label="local" border>本地</el-radio>
<el-radio label="radius" border>Radius</el-radio>
<el-radio label="ldap" border>LDAP</el-radio>
</el-radio-group>
</el-form-item>
<el-form-item label="Radius密钥" v-if="ruleForm.auth.type == 'radius'">
<el-col :span="10">
<el-input v-model="ruleForm.auth.radius.secret"></el-input>
</el-col>
</el-form-item>
<el-form-item label="Radius服务器" v-if="ruleForm.auth.type == 'radius'">
<el-col :span="10">
<el-input v-model="ruleForm.auth.radius.addr" placeholder="输入IP和端口 192.168.2.1:1812"></el-input>
</el-col>
</el-form-item>
</el-tab-pane>
</el-form-item>
<templete v-if="ruleForm.auth.type == 'radius'">
<el-form-item label="服务器地址" prop="auth.radius.addr" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.addr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.radius.addr" placeholder="输入IP和端口 192.168.2.1:1812"></el-input>
</el-form-item>
<el-form-item label="密钥" prop="auth.radius.secret" :rules="this.ruleForm.auth.type== 'radius' ? this.rules['auth.radius.secret'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.radius.secret"></el-input>
</el-form-item>
</templete>
<templete v-if="ruleForm.auth.type == 'ldap'">
<el-form-item label="服务器地址" prop="auth.ldap.addr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.addr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.addr" placeholder="例如 192.168.2.1:389"></el-input>
</el-form-item>
<el-form-item label="开启TLS" prop="auth.ldap.tls">
<el-switch v-model="ruleForm.auth.ldap.tls"></el-switch>
</el-form-item>
<el-form-item label="查询账号" prop="auth.ldap.bind_name" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_name'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.bind_name"></el-input>
</el-form-item>
<el-form-item label="查询密码" prop="auth.ldap.bind_pwd" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.bind_pwd'] : [{ required: false }]">
<el-input type="password" v-model="ruleForm.auth.ldap.bind_pwd"></el-input>
</el-form-item>
<el-form-item label="BaseDN" prop="auth.ldap.base_dn" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.base_dn'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.base_dn" placeholder="例如 DC=abc,DC=com"></el-input>
</el-form-item>
<el-form-item label="搜索属性" prop="auth.ldap.search_attr" :rules="this.ruleForm.auth.type== 'ldap' ? this.rules['auth.ldap.search_attr'] : [{ required: false }]">
<el-input v-model="ruleForm.auth.ldap.search_attr" placeholder="例如 sAMAccountName"></el-input>
</el-form-item>
<el-form-item label="绑定DN" prop="auth.ldap.member_of">
<el-input v-model="ruleForm.auth.ldap.member_of" placeholder="例如 CN=test,CN=User,DC=abc,DC=com"></el-input>
</el-form-item>
</templete>
</el-tab-pane>
<el-tab-pane label="路由设置" name="route">
<el-form-item label="包含路由" prop="route_include">
@ -368,6 +391,19 @@ export default {
activeTab : "general",
readMore: {},
readMinRows : 5,
defAuth : {
type:'local',
radius:{addr:"", secret:""},
ldap:{
addr:"",
tls:false,
base_dn:"",
search_attr:"sAMAccountName",
member_of:"",
bind_name:"",
bind_pwd:"",
},
},
ruleForm: {
bandwidth: 0,
status: 1,
@ -376,7 +412,7 @@ export default {
route_include: [{val: 'all', note: '默认全局代理'}],
route_exclude: [],
link_acl: [],
auth : {"type":'local'}
auth : {},
},
rules: {
name: [
@ -390,17 +426,37 @@ export default {
status: [
{required: true}
],
"auth.radius.addr": [
{required: true, message: '请输入Radius服务器', trigger: 'blur'}
],
"auth.radius.secret": [
{required: true, message: '请输入Radius密钥', trigger: 'blur'}
],
"auth.ldap.addr": [
{required: true, message: '请输入服务器地址(含端口)', trigger: 'blur'}
],
"auth.ldap.bind_name": [
{required: true, message: '请输入查询账号', trigger: 'blur'}
],
"auth.ldap.bind_pwd": [
{required: true, message: '请输入查询密码', trigger: 'blur'}
],
"auth.ldap.base_dn": [
{required: true, message: '请输入BaseDN值', trigger: 'blur'}
],
"auth.ldap.search_attr": [
{required: true, message: '请输入搜索属性', trigger: 'blur'}
],
},
}
},
methods: {
setAuthData(row) {
var defAuthData = {"type":'local',
"radius":{"addr":"", "secret":""},
}
if (this.ruleForm.auth.type == "local" || !row) {
this.ruleForm.auth = defAuthData;
}
if (! row) {
this.ruleForm.auth = JSON.parse(JSON.stringify(this.defAuth));
return ;
}
this.ruleForm.auth = Object.assign(JSON.parse(JSON.stringify(this.defAuth)), row.auth);
},
handleDel(row) {
axios.post('/group/del?id=' + row.id).then(resp => {
@ -503,6 +559,9 @@ export default {
this.$set(this.readMore, id, true);
}
},
authTypeChange() {
this.$refs['ruleForm'].clearValidate();
}
},
}
</script>