From d3beb7e523db7f7aa566901dab97007f13eebf58 Mon Sep 17 00:00:00 2001
From: Abhishek K <32607604+abhishek9686@users.noreply.github.com>
Date: Mon, 8 Apr 2024 20:07:48 +0530
Subject: [PATCH] Oauth user logic cleanup (#2877)

* additionl logs for oauth user flow
* add more debug logs
* add more debug logs
* add set auth secret
* fix fetch pass
* make sure auth secret is set only once
* make sure auth secret is set only once
---
 auth/auth.go | 25 +++++++++----------------
 auth/google.go | 1 +
 logic/auth.go | 40 +++++++++++++++++++++++++++++++++-------
 3 files changed, 43 insertions(+), 23 deletions(-)

diff --git a/auth/auth.go b/auth/auth.go
index f139c2c47..ff46f0e4f 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -32,7 +32,6 @@ const (
 github_provider_name = "github"
 oidc_provider_name = "oidc"
 verify_user = "verifyuser"
- auth_key = "netmaker_auth"
 user_signin_length = 16
 node_signin_length = 64
 headless_signin_length = 32
@@ -75,10 +74,10 @@ func InitializeAuthProvider() string {
 if functions == nil {
 return ""
 }
- var _, err = FetchPassValue(logic.RandomString(64))
+ logger.Log(0, "setting oauth secret")
+ var err = logic.SetAuthSecret(logic.RandomString(64))
 if err != nil {
- logger.Log(0, err.Error())
- return ""
+ logger.FatalLog("failed to set auth_secret", err.Error())
 }
 var authInfo = servercfg.GetAuthProviderInfo()
 var serverConn = servercfg.GetAPIHost()
@@ -248,6 +247,7 @@ func addUser(email string) error {
 } // generate random password to adapt to current model
 var newPass, fetchErr = FetchPassValue("")
 if fetchErr != nil {
+ slog.Error("failed to get password", "error", err.Error())
 return fetchErr
 }
 var newUser = models.User{
@@ -255,6 +255,7 @@ func addUser(email string) error {
 Password: newPass,
 }
 if !hasSuperAdmin { // must be first attempt, create a superadmin
+ logger.Log(0, "creating superadmin")
 if err = logic.CreateSuperAdmin(&newUser); err != nil {
 slog.Error("error creating super admin from user", "email", email, "error", err)
 } else {
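Review bot: The new `logger.FatalLog("failed to set auth_secret", err.Error())` turns a failed secret write into process exit, where the replaced lines logged and returned "" so the server kept running with the OAuth provider disabled; if that hardening is intended it deserves a comment, because a transient database error at boot now crash-loops the server. The unconditional `logger.Log(0, "setting oauth secret")` also reads as if a new secret is written on every start, whereas `SetAuthSecret` in logic/auth.go returns early when one is already stored and the fresh `logic.RandomString(64)` is simply discarded; `logger.Log(0, "ensuring oauth secret is set")` would describe it honestly, or move the log next to the actual write. InitializeAuthProvider continues past the end of the hunk.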
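Review bot: The added `slog.Error("failed to get password", "error", err.Error())` logs the wrong variable: the failure on this path is `fetchErr`, while `err` comes from the earlier super-admin check whose handling closes at `} // generate random password ...` and so is presumably nil here, meaning the new line dereferences nil and panics before `return fetchErr` is reached. Change it to `slog.Error("failed to get password", "error", fetchErr)` (slog formats the error value itself, no `.Error()` needed). addUser starts and ends outside this hunk.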
@@ -264,7 +265,7 @@ func addUser(email string) error {
 // TODO: add ability to add users with preemptive permissions
 newUser.IsAdmin = false
 if err = logic.CreateUser(&newUser); err != nil {
- logger.Log(1, "error creating user,", email, "; user not added")
+ logger.Log(0, "error creating user,", email, "; user not added", "error", err.Error())
 } else {
 logger.Log(0, "user created from ", email)
 }
@@ -277,20 +278,12 @@ func FetchPassValue(newValue string) (string, error) {
 type valueHolder struct {
 Value string `json:"value" bson:"value"`
 }
- var b64NewValue = base64.StdEncoding.EncodeToString([]byte(newValue))
- var newValueHolder = &valueHolder{
- Value: b64NewValue,
- }
- var data, marshalErr = json.Marshal(newValueHolder)
- if marshalErr != nil {
- return "", marshalErr
- }
-
- var currentValue, err = logic.FetchAuthSecret(auth_key, string(data))
+ newValueHolder := valueHolder{}
+ var currentValue, err = logic.FetchAuthSecret()
 if err != nil {
 return "", err
 }
- var unmarshErr = json.Unmarshal([]byte(currentValue), newValueHolder)
+ var unmarshErr = json.Unmarshal([]byte(currentValue), &newValueHolder)
 if unmarshErr != nil {
 return "", unmarshErr
 }
diff --git a/auth/google.go b/auth/google.go
index 267e2a9dc..31c8dafa8 100644
--- a/auth/google.go
+++ b/auth/google.go
@@ -91,6 +91,7 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
 }
 user, err := logic.GetUser(content.Email)
 if err != nil {
+ logger.Log(0, "error fetching user: ", err.Error())
 handleOauthUserNotFound(w)
 return
 }
diff --git a/logic/auth.go b/logic/auth.go
index 3d9524033..e2a660db7 100644
--- a/logic/auth.go
+++ b/logic/auth.go
@@ -1,6 +1,7 @@
 package logic
 
 import (
+ "encoding/base64"
 "encoding/json"
 "errors"
 "fmt"
@@ -15,6 +16,10 @@ import (
 "github.com/gravitl/netmaker/models"
 )
+const (
+ auth_key = "netmaker_auth"
+)
+
 // HasSuperAdmin - checks if server has an superadmin/owner
 func HasSuperAdmin() (bool, error) {
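Review bot: The new `logger.Log(0, "error creating user,", email, "; user not added", "error", err.Error())` passes an `"error", value` pair in slog style to `logger.Log`, which takes plain variadic strings, so the "key" is just concatenated into the message text; the structured form belongs to `slog`, which this same function already uses a few lines up for the super-admin failure. For consistency with that sibling write `slog.Error("error creating user; user not added", "email", email, "error", err)`. addUser is only partly visible in this hunk.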
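Review bot: After this change the `newValue` parameter of FetchPassValue is never read — the base64/marshal path that consumed it is removed and `logic.FetchAuthSecret()` now takes no arguments — so it is a dead parameter, and the only caller visible on this page (addUser) already passes `""`. The behaviour also changed: the old FetchAuthSecret created the record on a miss, the new one returns the read error, so this function now silently depends on `SetAuthSecret` having run in InitializeAuthProvider; either drop the parameter in a follow-up or document the contract with `// FetchPassValue returns the stored oauth secret; newValue is ignored and the record must already have been written by logic.SetAuthSecret at startup`. The signature and the decoding tail of the function lie outside the hunk.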
@@ -96,12 +101,14 @@ func CreateUser(user *models.User) error {
 }
 var err = ValidateUser(user)
 if err != nil {
+ logger.Log(0, "failed to validate user", err.Error())
 return err
 }
 // encrypt that password so we never see it again
 hash, err := bcrypt.GenerateFromPassword([]byte(user.Password), 5)
 if err != nil {
+ logger.Log(0, "error encrypting pass", err.Error())
 return err
 }
 // set password to encrypted password
@@ -109,6 +116,7 @@ func CreateUser(user *models.User) error {
 tokenString, _ := CreateUserJWT(user.UserName, user.IsSuperAdmin, user.IsAdmin)
 if tokenString == "" {
+ logger.Log(0, "failed to generate token", err.Error())
 return err
 }
@@ -117,10 +125,12 @@ func CreateUser(user *models.User) error {
 // connect db
 data, err := json.Marshal(user)
 if err != nil {
+ logger.Log(0, "failed to marshal", err.Error())
 return err
 }
 err = database.Insert(user.UserName, string(data), database.USERS_TABLE_NAME)
 if err != nil {
+ logger.Log(0, "failed to insert user", err.Error())
 return err
 }
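Review bot: The new `"error encrypting pass"` message mislabels what `bcrypt.GenerateFromPassword` does — it hashes, not encrypts — and someone grepping logs or code for the hashing failure will look for the wrong word; `logger.Log(0, "error hashing password", err.Error())` is accurate. While this line is being touched, the cost factor `5` on the line above is well below `bcrypt.DefaultCost` (10) and deserves its own ticket, since it weakens offline resistance of every stored user hash. Logging here and then returning the same error also means any caller that logs it again will double-report it. CreateUser begins before this hunk.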
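Review bot: At the new `logger.Log(0, "failed to generate token", err.Error())` the variable `err` still holds the bcrypt result from the previous hunk, which was checked and returned on failure, so it is nil on this path and `err.Error()` panics; the following `return err` likewise returns nil, so an empty token silently aborts user creation before the database insert while reporting success to the caller. The real error from `CreateUserJWT` is discarded with `_` on the line above; capture it and synthesize one for the empty-token case so the log and the return carry a non-nil value (`errors` is already imported in this file).
```go
	tokenString, err := CreateUserJWT(user.UserName, user.IsSuperAdmin, user.IsAdmin)
	if err == nil && tokenString == "" {
		err = errors.New("empty user token")
	}
	if err != nil {
		logger.Log(0, "failed to generate token", err.Error())
		return err
	}
	// … unchanged: remainder of CreateUser (marshal and insert) …
```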
@@ -279,15 +289,31 @@ func DeleteUser(user string) (bool, error) {
 return true, nil
 }
 
+func SetAuthSecret(secret string) error {
+ type valueHolder struct {
+ Value string `json:"value" bson:"value"`
+ }
+ record, err := FetchAuthSecret()
+ if err == nil {
+ v := valueHolder{}
+ json.Unmarshal([]byte(record), &v)
+ if v.Value != "" {
+ return nil
+ }
+ }
+ var b64NewValue = base64.StdEncoding.EncodeToString([]byte(secret))
+ newValueHolder := valueHolder{
+ Value: b64NewValue,
+ }
+ d, _ := json.Marshal(newValueHolder)
+ return database.Insert(auth_key, string(d), database.GENERATED_TABLE_NAME)
+}
+
 // FetchAuthSecret - manages secrets for oauth
-func FetchAuthSecret(key string, secret string) (string, error) {
- var record, err = database.FetchRecord(database.GENERATED_TABLE_NAME, key)
+func FetchAuthSecret() (string, error) {
+ var record, err = database.FetchRecord(database.GENERATED_TABLE_NAME, auth_key)
 if err != nil {
- if err = database.Insert(key, secret, database.GENERATED_TABLE_NAME); err != nil {
- return "", err
- } else {
- return secret, nil
- }
+ return "", err
 }
 return record, nil
 }
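Review bot: SetAuthSecret treats any error from `FetchAuthSecret()` as "no secret yet" and falls through to `database.Insert`, so a transient read failure at startup would write a fresh secret over an existing one if `Insert` upserts (its semantics are not visible here) — rotating the value every OAuth state and password derived from it depends on — and with `logger.FatalLog` in the caller a non-upserting Insert would instead crash the server; only the not-found case should fall through. The `json.Unmarshal` and `json.Marshal` results are discarded, so a corrupted record is silently replaced rather than surfaced, and the read-then-insert is not atomic when two servers boot against the same database, which is the "set only once" guarantee the commit message claims. The doc comment on FetchAuthSecret ("manages secrets for oauth") is now stale since it only reads; suggest `// FetchAuthSecret - returns the stored oauth secret record; creation happens in SetAuthSecret`.
```go
func SetAuthSecret(secret string) error {
	type valueHolder struct {
		Value string `json:"value" bson:"value"`
	}
	record, err := FetchAuthSecret()
	if err == nil {
		var v valueHolder
		if uErr := json.Unmarshal([]byte(record), &v); uErr != nil {
			// never silently overwrite a record we cannot read
			return fmt.Errorf("existing auth secret record is unreadable: %w", uErr)
		}
		if v.Value != "" {
			return nil // already provisioned; an existing secret is never rotated here
		}
	} else {
		// TODO: only fall through when err is the database's not-found error;
		// any other failure must be returned, not papered over with a new secret.
	}
	d, err := json.Marshal(valueHolder{Value: base64.StdEncoding.EncodeToString([]byte(secret))})
	if err != nil {
		return err
	}
	return database.Insert(auth_key, string(d), database.GENERATED_TABLE_NAME)
}
```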