新增：ldap用户OTP认证(同步ldap用户到本地【仅作为管理otp秘钥，支持ldap用户下发客户端证书】)

新增：支持用户批量发送邮件，批量删除
2025-09-15 15:46:53 +08:00 · 2025-08-29 15:11:38 +08:00
parent 861b07a47d
commit efdcd236f5
9 changed files with 649 additions and 13928 deletions
--- a/server/admin/api_group.go
+++ b/server/admin/api_group.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"strconv"

+	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 )

@@ -149,3 +150,35 @@ func GroupAuthLogin(w http.ResponseWriter, r *http.Request) {
 	}
 	RespSucess(w, "ok")
 }
+func SaveLdapUsers(w http.ResponseWriter, r *http.Request) {
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	defer r.Body.Close()
+
+	v := &dbdata.Group{}
+	err = json.Unmarshal(body, v)
+	if err != nil {
+		RespError(w, RespParamErr, "参数错误")
+		return
+	}
+
+	// 保存LDAP用户
+	if v.Auth["type"] == "ldap" {
+		authLdap := dbdata.AuthLdap{}
+		if err := authLdap.ParseGroup(v); err != nil {
+			RespError(w, RespInternalErr, err)
+			return
+		}
+		go func() {
+			if err := authLdap.SaveUsers(v); err != nil {
+				base.Error("LDAP用户同步失败:", err)
+			} else {
+				base.Info("LDAP用户同步成功")
+			}
+		}()
+	}
+	RespSucess(w, "LDAP用户同步成功")
+}
--- a/server/admin/api_user.go
+++ b/server/admin/api_user.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -41,10 +42,10 @@ func UserList(w http.ResponseWriter, r *http.Request) {
 	// 查询前缀匹配
 	if len(prefix) > 0 {
 		fuzzy := "%" + prefix + "%"
-		where := "username LIKE ? OR nickname LIKE ? OR email LIKE ?"
+		where := "username LIKE ? OR nickname LIKE ? OR email LIKE ? OR type LIKE ?"

-		count = dbdata.FindWhereCount(&dbdata.User{}, where, fuzzy, fuzzy, fuzzy)
-		err = dbdata.FindWhere(&datas, pageSize, page, where, fuzzy, fuzzy, fuzzy)
+		count = dbdata.FindWhereCount(&dbdata.User{}, where, fuzzy, fuzzy, fuzzy, fuzzy)
+		err = dbdata.FindWhere(&datas, pageSize, page, where, fuzzy, fuzzy, fuzzy, fuzzy)
 	} else {
 		count = dbdata.CountAll(&dbdata.User{})
 		err = dbdata.Find(&datas, pageSize, page)
@@ -220,6 +221,97 @@ func UserReline(w http.ResponseWriter, r *http.Request) {
 	RespSucess(w, nil)
 }

+// 批量发送邮件
+func UserBatchSendEmail(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		UserIds []int `json:"user_ids"`
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	if len(req.UserIds) == 0 {
+		RespError(w, RespInternalErr, errors.New("用户ID列表不能为空"))
+		return
+	}
+
+	successCount := 0
+	failCount := 0
+
+	for _, userId := range req.UserIds {
+		user := &dbdata.User{}
+		err := dbdata.One("Id", userId, user)
+		if err != nil {
+			failCount++
+			continue
+		}
+
+		// 发送邮件
+		err = userAccountMail(user)
+		if err != nil {
+			base.Error("批量发送邮件失败:", user.Username, err)
+			failCount++
+		} else {
+			successCount++
+		}
+	}
+
+	msg := fmt.Sprintf("批量发送邮件完成，成功：%d，失败：%d", successCount, failCount)
+
+	if successCount > 0 {
+		RespSucess(w, msg)
+	} else {
+		RespError(w, RespInternalErr, errors.New(msg))
+	}
+}
+
+// 批量删除用户
+func UserBatchDelete(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		UserIds []int `json:"user_ids"`
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	if len(req.UserIds) == 0 {
+		RespError(w, RespInternalErr, errors.New("用户ID列表不能为空"))
+		return
+	}
+
+	successCount := 0
+	failCount := 0
+
+	for _, userId := range req.UserIds {
+		user := &dbdata.User{}
+		err := dbdata.One("Id", userId, user)
+		if err != nil {
+			failCount++
+			continue
+		}
+
+		err = dbdata.Del(user)
+		if err != nil {
+			base.Error("批量删除用户失败:", user.Username, err)
+			failCount++
+		} else {
+			successCount++
+		}
+	}
+
+	msg := fmt.Sprintf("批量删除完成，成功：%d，失败：%d", successCount, failCount)
+
+	if successCount > 0 {
+		RespSucess(w, msg)
+	} else {
+		RespError(w, RespInternalErr, errors.New(msg))
+	}
+}
+
 type userAccountMailData struct {
 	Issuer       string
 	LinkAddr     string
@@ -285,6 +377,10 @@ func userAccountMail(user *dbdata.User) error {
 		DisableOtp:   user.DisableOtp,
 	}

+	if user.Type == "ldap" {
+		data.PinCode = "同ldap密码"
+	}
+
 	if user.LimitTime == nil {
 		data.LimitTime = "无限制"
 	} else {
--- a/server/admin/server.go
+++ b/server/admin/server.go
@@ -87,6 +87,8 @@ func StartAdmin() {
 	r.HandleFunc("/user/policy/del", PolicyDel)
 	r.HandleFunc("/user/reset/forgotPassword", ForgotPassword).Name("forgot_password")
 	r.HandleFunc("/user/reset/resetPassword", ResetPassword).Name("reset_password")
+	r.HandleFunc("/user/batch/send_email", UserBatchSendEmail).Methods(http.MethodPost)
+	r.HandleFunc("/user/batch/delete", UserBatchDelete).Methods(http.MethodPost)

 	r.HandleFunc("/group/list", GroupList)
 	r.HandleFunc("/group/names", GroupNames)
@@ -95,6 +97,7 @@ func StartAdmin() {
 	r.HandleFunc("/group/set", GroupSet)
 	r.HandleFunc("/group/del", GroupDel)
 	r.HandleFunc("/group/auth_login", GroupAuthLogin)
+	r.HandleFunc("/group/saveldapusers", SaveLdapUsers)

 	r.HandleFunc("/statsinfo/list", StatsInfoList)
 	r.HandleFunc("/locksinfo/list", GetLocksInfo)
--- a/server/dbdata/tables.go
+++ b/server/dbdata/tables.go
@@ -26,6 +26,7 @@ type Group struct {

 type User struct {
 	Id       int    `json:"id" xorm:"pk autoincr not null"`
+	Type     string `json:"type" xorm:"varchar(20) default('local')"`
 	Username string `json:"username" xorm:"varchar(60) not null unique"`
 	Nickname string `json:"nickname" xorm:"varchar(255)"`
 	Email    string `json:"email" xorm:"varchar(255)"`
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -114,6 +114,9 @@ func checkLocalUser(name, pwd, group string, ext map[string]interface{}) error {
 			return fmt.Errorf("%s %s", name, "用户已过期")
 		}
 	}
+	if v.Type == "ldap" {
+		return fmt.Errorf("%s %s", name, "LDAP用户不能使用本地认证")
+	}
 	// 判断用户组信息
 	if !utils.InArrStr(v.Groups, group) {
 		return fmt.Errorf("%s %s", name, "用户组错误")
--- a/server/dbdata/userauth_ldap.go
+++ b/server/dbdata/userauth_ldap.go
@@ -11,7 +11,10 @@ import (
 	"strconv"
 	"time"

+	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/go-ldap/ldap"
+	"github.com/xlzd/gotp"
 )

 type AuthLdap struct {
@@ -23,12 +26,205 @@ type AuthLdap struct {
 	ObjectClass string `json:"object_class"`
 	SearchAttr  string `json:"search_attr"`
 	MemberOf    string `json:"member_of"`
+	EnableOTP   bool   `json:"enable_otp"`
 }

 func init() {
 	authRegistry["ldap"] = reflect.TypeOf(AuthLdap{})
 }

+// 建立 LDAP 连接
+func (auth AuthLdap) Connect() (*ldap.Conn, error) {
+	// 检测服务器和端口的可用性
+	con, err := net.DialTimeout("tcp", auth.Addr, 3*time.Second)
+	if err != nil {
+		return nil, fmt.Errorf("LDAP服务器连接异常, 请检测服务器和端口: %s", err.Error())
+	}
+	con.Close()
+
+	// 连接LDAP
+	l, err := ldap.Dial("tcp", auth.Addr)
+	if err != nil {
+		return nil, fmt.Errorf("LDAP连接失败 %s %s", auth.Addr, err.Error())
+	}
+
+	if auth.Tls {
+		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			return nil, fmt.Errorf("LDAP TLS连接失败 %s", err.Error())
+		}
+	}
+
+	err = l.Bind(auth.BindName, auth.BindPwd)
+	if err != nil {
+		return nil, fmt.Errorf("LDAP 管理员 DN或密码填写有误 %s", err.Error())
+	}
+
+	return l, nil
+}
+
+// 构建LDAP搜索过滤器
+func (auth AuthLdap) SearchFilter(username string) string {
+	filterAttr := "(objectClass=" + auth.ObjectClass + ")"
+
+	if username != "" {
+		filterAttr += "(" + auth.SearchAttr + "=" + username + ")"
+	} else {
+		filterAttr += "(" + auth.SearchAttr + "=*)"
+	}
+
+	if auth.MemberOf != "" {
+		filterAttr += "(memberOf:=" + auth.MemberOf + ")"
+	}
+
+	return fmt.Sprintf("(&%s)", filterAttr)
+}
+
+// 从组配置中解析LDAP认证配置
+func (auth *AuthLdap) ParseGroup(g *Group) error {
+	authType := g.Auth["type"].(string)
+	if _, ok := g.Auth[authType]; !ok {
+		return fmt.Errorf("LDAP的ldap值不存在")
+	}
+
+	bodyBytes, err := json.Marshal(g.Auth[authType])
+	if err != nil {
+		return fmt.Errorf("LDAP Marshal出现错误: %s", err.Error())
+	}
+
+	err = json.Unmarshal(bodyBytes, auth)
+	if err != nil {
+		return fmt.Errorf("LDAP Unmarshal出现错误: %s", err.Error())
+	}
+
+	// 设置默认值
+	if auth.ObjectClass == "" {
+		auth.ObjectClass = "person"
+	}
+
+	return nil
+}
+
+// 搜索用户
+func (auth AuthLdap) SearchUsers(l *ldap.Conn, username string, attributes []string) (*ldap.SearchResult, error) {
+	filter := auth.SearchFilter(username)
+
+	searchRequest := ldap.NewSearchRequest(
+		auth.BaseDn,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 30, false,
+		filter,
+		[]string{},
+		nil,
+	)
+
+	sr, err := l.Search(searchRequest)
+	if err != nil {
+		return nil, fmt.Errorf("LDAP 查询失败 %s %s %s", auth.BaseDn, filter, err.Error())
+	}
+
+	return sr, nil
+}
+
+func (auth AuthLdap) SaveUsers(g *Group) error {
+	// 解析LDAP配置
+	if err := auth.ParseGroup(g); err != nil {
+		return fmt.Errorf("LDAP配置填写有误: %s", err.Error())
+	}
+
+	// 建立LDAP连接
+	l, err := auth.Connect()
+	if err != nil {
+		return err
+	}
+	defer l.Close()
+
+	// 搜索所有用户
+	sr, err := auth.SearchUsers(l, "", []string{
+		"displayName",
+		"mail",
+		"userAccountControl", // AD用户状态
+		"accountExpires",     // AD账号过期时间
+		"shadowExpire",       // Linux LDAP用户状态
+		auth.SearchAttr,
+	})
+	if err != nil {
+		return err
+	}
+	// 创建LDAP用户映射
+	ldapUserMap := make(map[string]bool)
+	// 处理搜索结果
+	for _, entry := range sr.Entries {
+		// 检查用户状态，只同步正常用户
+		if err := parseEntries(&ldap.SearchResult{Entries: []*ldap.Entry{entry}}); err != nil {
+			continue
+		}
+		var groups []string
+		ldapuser := &User{
+			Type:       "ldap",
+			Username:   entry.GetAttributeValue(auth.SearchAttr),
+			Nickname:   entry.GetAttributeValue("displayName"),
+			Email:      entry.GetAttributeValue("mail"),
+			Groups:     append(groups, g.Name),
+			DisableOtp: !auth.EnableOTP,
+			OtpSecret:  gotp.RandomSecret(32),
+			SendEmail:  false,
+			Status:     1,
+		}
+		ldapUserMap[ldapuser.Username] = true // 添加LDAP用户到映射中
+		// 新增或更新ldap用户
+		u := &User{}
+		if err := One("username", ldapuser.Username, u); err != nil {
+			if CheckErrNotFound(err) {
+				if err := Add(ldapuser); err != nil {
+					base.Error("新增ldap用户失败", ldapuser.Username, err)
+					continue
+				}
+				continue
+			}
+			base.Error("查询用户失败", ldapuser.Username, err)
+			continue
+		}
+		if u.Type != "ldap" {
+			base.Warn("已存在本地同名用户:", ldapuser.Username)
+			continue
+		}
+		// 现有LDAP用户，更新字段
+		u.Nickname = entry.GetAttributeValue("displayName")
+		u.DisableOtp = !auth.EnableOTP
+		if u.OtpSecret == "" {
+			u.OtpSecret = gotp.RandomSecret(32)
+		}
+		if u.Email == "" {
+			u.Email = entry.GetAttributeValue("mail")
+		}
+		if !utils.InArrStr(u.Groups, g.Name) {
+			u.Groups = append(u.Groups, g.Name)
+		}
+
+		if err := Set(u); err != nil {
+			return fmt.Errorf("更新ldap用户%s失败:%v", u.Username, err.Error())
+		}
+	}
+	// 查询本地LDAP用户
+	var localLdapUsers []User
+	if err := FindWhere(&localLdapUsers, 0, 0, "type = 'ldap' AND groups LIKE ?", "%"+g.Name+"%"); err != nil {
+		base.Error("查询本地LDAP用户失败:", err)
+		return nil
+	}
+
+	// 删除LDAP中不存在的本地用户
+	for _, localUser := range localLdapUsers {
+		if !ldapUserMap[localUser.Username] {
+			if err := Del(&localUser); err != nil {
+				base.Error("删除本地LDAP用户失败:", localUser.Username, err)
+			} else {
+				base.Info("删除本地LDAP用户:", localUser.Username)
+			}
+		}
+	}
+	return nil
+}
+
 func (auth AuthLdap) checkData(authData map[string]interface{}) error {
 	authType := authData["type"].(string)
 	bodyBytes, err := json.Marshal(authData[authType])
@@ -62,73 +258,37 @@ func (auth AuthLdap) checkData(authData map[string]interface{}) error {
 }

 func (auth AuthLdap) checkUser(name, pwd string, g *Group, ext map[string]interface{}) error {
-	pl := len(pwd)
-	if name == "" || pl < 1 {
+	if name == "" || len(pwd) < 1 {
 		return fmt.Errorf("%s %s", name, "密码错误")
 	}
-	authType := g.Auth["type"].(string)
-	if _, ok := g.Auth[authType]; !ok {
-		return fmt.Errorf("%s %s", name, "LDAP的ldap值不存在")
+	// 解析LDAP配置
+	if err := auth.ParseGroup(g); err != nil {
+		return fmt.Errorf("%s %s", name, err.Error())
 	}
-	bodyBytes, err := json.Marshal(g.Auth[authType])
+	// 建立LDAP连接
+	l, err := auth.Connect()
 	if err != nil {
-		return fmt.Errorf("%s %s", name, "LDAP Marshal出现错误")
-	}
-	err = json.Unmarshal(bodyBytes, &auth)
-	if err != nil {
-		return fmt.Errorf("%s %s", name, "LDAP Unmarshal出现错误")
-	}
-	// 检测服务器和端口的可用性
-	con, err := net.DialTimeout("tcp", auth.Addr, 3*time.Second)
-	if err != nil {
-		return fmt.Errorf("%s %s", name, "LDAP服务器连接异常, 请检测服务器和端口")
-	}
-	defer con.Close()
-	// 连接LDAP
-	l, err := ldap.Dial("tcp", auth.Addr)
-	if err != nil {
-		return fmt.Errorf("LDAP连接失败 %s %s", auth.Addr, err.Error())
+		return fmt.Errorf("%s %s", name, err.Error())
 	}
 	defer l.Close()
-	if auth.Tls {
-		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
-		if err != nil {
-			return fmt.Errorf("%s LDAP TLS连接失败 %s", name, err.Error())
-		}
-	}
-	err = l.Bind(auth.BindName, auth.BindPwd)
+	// 搜索特定用户
+	sr, err := auth.SearchUsers(l, name, []string{})
 	if err != nil {
-		return fmt.Errorf("%s LDAP 管理员 DN或密码填写有误 %s", name, err.Error())
-	}
-	if auth.ObjectClass == "" {
-		auth.ObjectClass = "person"
-	}
-	filterAttr := "(objectClass=" + auth.ObjectClass + ")"
-	filterAttr += "(" + auth.SearchAttr + "=" + name + ")"
-	if auth.MemberOf != "" {
-		filterAttr += "(memberOf:=" + auth.MemberOf + ")"
-	}
-	searchRequest := ldap.NewSearchRequest(
-		auth.BaseDn,
-		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 3, false,
-		fmt.Sprintf("(&%s)", filterAttr),
-		[]string{},
-		nil,
-	)
-	sr, err := l.Search(searchRequest)
-	if err != nil {
-		return fmt.Errorf("%s LDAP 查询失败 %s %s %s", name, auth.BaseDn, filterAttr, err.Error())
+		return fmt.Errorf("%s %s", name, err.Error())
 	}
+	// 验证搜索结果
 	if len(sr.Entries) != 1 {
 		if len(sr.Entries) == 0 {
 			return fmt.Errorf("LDAP 找不到 %s 用户, 请检查用户或LDAP配置参数", name)
 		}
 		return fmt.Errorf("LDAP发现 %s 用户，存在多个账号", name)
 	}
+	// 检查账号状态
 	err = parseEntries(sr)
 	if err != nil {
 		return fmt.Errorf("LDAP %s 用户 %s", name, err.Error())
 	}
+	// 验证用户密码
 	userDN := sr.Entries[0].DN
 	err = l.Bind(userDN, pwd)
 	if err != nil {
@@ -140,6 +300,19 @@ func (auth AuthLdap) checkUser(name, pwd string, g *Group, ext map[string]interf
 func parseEntries(sr *ldap.SearchResult) error {
 	for _, attr := range sr.Entries[0].Attributes {
 		switch attr.Name {
+		case "userAccountControl": // Active Directory用户状态属性
+			val, _ := strconv.ParseInt(attr.Values[0], 10, 64)
+			if val == 514 { // 514为禁用，512为启用
+				return fmt.Errorf("账号已禁用")
+			}
+		case "accountExpires": // Active Directory账号过期时间
+			val, _ := strconv.ParseInt(attr.Values[0], 10, 64)
+			if val > 0 && val < 9223372036854775807 { // 不是永不过期
+				expireTime := time.Unix((val-116444736000000000)/10000000, 0)
+				if expireTime.Before(time.Now()) {
+					return fmt.Errorf("账号已过期")
+				}
+			}
 		case "shadowExpire":
 			// -1 启用, 1 停用, >1 从1970-01-01至到期日的天数
 			val, _ := strconv.ParseInt(attr.Values[0], 10, 64)