[Update] 修改认证

8b06c4a1 · ibuler · 93d1b3f1 · 8b06c4a1 · 8b06c4a1 · 8b06c4a1
Commit 8b06c4a1 authored May 09, 2019 by ibuler
9 changed files
--- a/pkg/auth/server.go
+++ b/pkg/auth/server.go
 package auth
 import (
-	"cocogo/pkg/cctx"
-	"cocogo/pkg/i18n"
 	"strings"
 	"github.com/gliderlabs/ssh"
 	gossh "golang.org/x/crypto/ssh"
+	"cocogo/pkg/cctx"
 	"cocogo/pkg/common"
+	"cocogo/pkg/i18n"
 	"cocogo/pkg/logger"
 	"cocogo/pkg/service"
 )
@@ -16,34 +16,34 @@ import (
 var mfaInstruction = i18n.T("Please enter 6 digits.")
 var mfaQuestion = i18n.T("[MFA auth]: ")
-var contentKeyMFASeed = "MFASeed"
+const (
+	actionAccepted        = "Accepted"
+	actionFailed          = "Failed"
+	actionPartialAccepted = "Partial accepted"
+)
 func checkAuth(ctx ssh.Context, password, publicKey string) (res ssh.AuthResult) {
 	username := ctx.User()
-	remoteAddr := strings.Split(ctx.RemoteAddr().String(), ":")[0]
-	resp, err := service.Authenticate(username, password, publicKey, remoteAddr, "T")
 	authMethod := "publickey"
-	action := "Accepted"
+	action := actionAccepted
 	res = ssh.AuthFailed
 	if password != "" {
 		authMethod = "password"
 	}
-	if err != nil {
+	remoteAddr := strings.Split(ctx.RemoteAddr().String(), ":")[0]
-		action = "Failed"
-	} else if resp.Seed != "" && resp.Token == "" {
+	resp, err := service.Authenticate(username, password, publicKey, remoteAddr, "T")
-		ctx.SetValue(contentKeyMFASeed, resp.Seed)
+	if err != nil {
-		res = ssh.AuthPartiallySuccessful
+		action = actionFailed
-	} else {
+		logger.Infof("%s %s for %s from %s", action, authMethod, username, remoteAddr)
-		res = ssh.AuthSuccessful
+		return
 	}
 	if resp != nil {
-		switch resp.User.IsMFA {
+		switch resp.User.OTPLevel {
 		case 0:
 			res = ssh.AuthSuccessful
-		case 1:
+		case 1, 2:
-			res = ssh.AuthPartiallySuccessful
+			action = actionPartialAccepted
-		case 2:
 			res = ssh.AuthPartiallySuccessful
 		default:
 		}
@@ -51,14 +51,12 @@ func checkAuth(ctx ssh.Context, password, publicKey string) (res ssh.AuthResult)
 		ctx.SetValue(cctx.ContextKeySeed, resp.Seed)
 		ctx.SetValue(cctx.ContextKeyToken, resp.Token)
 	}
 	logger.Infof("%s %s for %s from %s", action, authMethod, username, remoteAddr)
 	return res
 }
 func CheckUserPassword(ctx ssh.Context, password string) ssh.AuthResult {
-	res := checkAuth(ctx, password, "")
+	return checkAuth(ctx, password, "")
-	return res
 }
 func CheckUserPublicKey(ctx ssh.Context, key ssh.PublicKey) ssh.AuthResult {
@@ -67,32 +65,40 @@ func CheckUserPublicKey(ctx ssh.Context, key ssh.PublicKey) ssh.AuthResult {
 	return checkAuth(ctx, "", publicKey)
 }
-func CheckMFA(ctx ssh.Context, challenger gossh.KeyboardInteractiveChallenge) ssh.AuthResult {
+func CheckMFA(ctx ssh.Context, challenger gossh.KeyboardInteractiveChallenge) (res ssh.AuthResult) {
 	username := ctx.User()
+	remoteAddr := strings.Split(ctx.RemoteAddr().String(), ":")[0]
+	res = ssh.AuthFailed
+	defer func() {
+		authMethod := "MFA"
+		if res == ssh.AuthSuccessful {
+			action := actionAccepted
+			logger.Infof("%s %s for %s from %s", action, authMethod, username, remoteAddr)
+		} else {
+			action := actionFailed
+			logger.Errorf("%s %s for %s from %s", action, authMethod, username, remoteAddr)
+		}
+	}()
 	answers, err := challenger(username, mfaInstruction, []string{mfaQuestion}, []bool{true})
-	if err != nil {
+	if err != nil || len(answers) != 1 {
-		return ssh.AuthFailed
+		return
-	}
-	if len(answers) != 1 {
-		return ssh.AuthFailed
 	}
 	mfaCode := answers[0]
-	seed, ok := ctx.Value(contentKeyMFASeed).(string)
+	seed, ok := ctx.Value(cctx.ContextKeySeed).(string)
 	if !ok {
 		logger.Error("Mfa Auth failed, may be user password or publickey auth failed")
-		return ssh.AuthFailed
+		return
 	}
 	resp, err := service.CheckUserOTP(seed, mfaCode)
 	if err != nil {
 		logger.Error("Mfa Auth failed: ", err)
-		return ssh.AuthFailed
+		return
 	}
 	if resp.Token != "" {
-		return ssh.AuthSuccessful
+		res = ssh.AuthSuccessful
+		return
 	}
-	return ssh.AuthFailed
+	return
 }
 func CheckUserNeedMFA(ctx ssh.Context) (methods []string) {

--- a/pkg/common/client.go
+++ b/pkg/common/client.go
@@ -85,7 +85,7 @@ func (c *Client) parseUrlQuery(url string, params []map[string]string) string {
 	return url
 }
-func (c *Client) ParseUrl(url string, params []map[string]string) string {
+func (c *Client) parseUrl(url string, params []map[string]string) string {
 	url = c.parseUrlQuery(url, params)
 	if c.BaseHost != "" {
 		url = strings.TrimRight(c.BaseHost, "/") + url
@@ -126,7 +126,7 @@ func (c *Client) SetReqHeaders(req *http.Request) {
 }
 func (c *Client) NewRequest(method, url string, body interface{}, params []map[string]string) (req *http.Request, err error) {
-	url = c.ParseUrl(url, params)
+	url = c.parseUrl(url, params)
 	reader, err := c.marshalData(body)
 	if err != nil {
 		return

--- a/pkg/handler/session.go
+++ b/pkg/handler/session.go
--- a/pkg/model/terminal.go
+++ b/pkg/model/terminal.go
@@ -7,7 +7,7 @@ type Terminal struct {
 		Id        string `json:"id"`
 		Name      string `json:"name"`
 		AccessKey struct {
-			Id     string `json:"id"`
+			ID     string `json:"id"`
 			Secret string `json:"secret"`
 		} `json:"access_key"`
 	} `json:"service_account"`

--- a/pkg/model/users.go
+++ b/pkg/model/users.go
@@ -25,15 +25,14 @@ type AuthResponse struct {
 }
 type User struct {
-	Id       string `json:"id"`
+	ID       string `json:"id"`
 	Name     string `json:"name"`
 	Username string `json:"username"`
 	Email    string `json:"email"`
-	OTPLevel int    `json:"otp_level"`
 	Role     string `json:"role"`
 	IsValid  bool   `json:"is_valid"`
 	IsActive bool   `json:"is_active"`
-	IsMFA    int    `json:"otp_level"`
+	OTPLevel int    `json:"otp_level"`
 }
 type TokenUser struct {

--- a/pkg/service/accesskey.go
+++ b/pkg/service/accesskey.go
@@ -20,7 +20,7 @@ var (
 )
 type AccessKey struct {
-	Id     string
+	ID     string
 	Secret string
 	Path   string
 	Value  string
@@ -29,7 +29,7 @@ type AccessKey struct {
 func (ak AccessKey) Sign() (string, string) {
 	date := common.HTTPGMTDate()
 	signature := common.MakeSignature(ak.Secret, date)
-	return date, fmt.Sprintf("Sign %s:%s", ak.Id, signature)
+	return date, fmt.Sprintf("Sign %s:%s", ak.ID, signature)
 }
 func (ak *AccessKey) LoadAccessKeyFromStr(key string) error {
@@ -40,7 +40,7 @@ func (ak *AccessKey) LoadAccessKeyFromStr(key string) error {
 	if len(keySlice) != 2 {
 		return AccessKeyInvalid
 	}
-	ak.Id = keySlice[0]
+	ak.ID = keySlice[0]
 	ak.Secret = keySlice[1]
 	return nil
 }
@@ -74,7 +74,7 @@ func (ak *AccessKey) SaveToFile() error {
 	if err != nil {
 		return err
 	}
-	_, err = f.WriteString(fmt.Sprintf("%s:%s", ak.Id, ak.Secret))
+	_, err = f.WriteString(fmt.Sprintf("%s:%s", ak.ID, ak.Secret))
 	if err != nil {
 		logger.Error(err)
 	}
@@ -92,7 +92,7 @@ func (ak *AccessKey) Register(times int) error {
 		logger.Error(msg)
 		os.Exit(1)
 	}
-	ak.Id = res.ServiceAccount.AccessKey.Id
+	ak.ID = res.ServiceAccount.AccessKey.ID
 	ak.Secret = res.ServiceAccount.AccessKey.Secret
 	return nil
 }

--- a/pkg/service/perms.go
+++ b/pkg/service/perms.go
@@ -7,12 +7,12 @@ import (
 	"cocogo/pkg/model"
 )
-func GetUserAssets(userId, cachePolicy string) (assets model.AssetList) {
+func GetUserAssets(userID, cachePolicy string) (assets model.AssetList) {
 	if cachePolicy == "" {
 		cachePolicy = "0"
 	}
 	payload := map[string]string{"cache_policy": cachePolicy}
-	Url := fmt.Sprintf(UserAssetsURL, userId)
+	Url := fmt.Sprintf(UserAssetsURL, userID)
 	err := authClient.Get(Url, &assets, payload)
 	if err != nil {
 		logger.Error("GetUserAssets---err")

--- a/pkg/service/users.go
+++ b/pkg/service/users.go
@@ -23,8 +23,7 @@ func Authenticate(username, password, publicKey, remoteAddr, loginType string) (
 		"remote_addr": remoteAddr,
 		"login_type":  loginType,
 	}
-	Url := client.ParseUrl(UserAuthURL, nil)
+	err = client.Post(UserAuthURL, data, &resp)
-	err = client.Post(Url, data, &resp)
 	if err != nil {
 		logger.Error(err)
@@ -32,33 +31,8 @@ func Authenticate(username, password, publicKey, remoteAddr, loginType string) (
 	return
 }
-func AuthenticateMFA(seed, code, loginType string) (resp *model.AuthResponse, err error) {
+func GetUserProfile(userID string) (user *model.User) {
-	/*
+	Url := fmt.Sprintf(UserDetailURL, userID)
-		data = {
-		            'seed': seed,
-		            'otp_code': otp_code,
-		            'login_type': login_type,
-		        }
-	*/
-	data := map[string]string{
-		"seed":       seed,
-		"otp_code":   code,
-		"login_type": loginType,
-	}
-	Url := client.ParseUrl(AuthMFAURL, nil)
-	err = client.Post(Url, data, resp)
-	if err != nil {
-		logger.Error(err)
-	}
-	return
-}
-func GetUserProfile(userId string) (user *model.User) {
-	Url := fmt.Sprintf(UserDetailURL, userId)
 	err := authClient.Get(Url, user)
 	if err != nil {
 		logger.Error(err)
@@ -98,9 +72,9 @@ func CheckUserOTP(seed, code string) (resp *AuthResp, err error) {
 	return
 }
-func CheckUserCookie(sessionId, csrfToken string) (user *model.User) {
+func CheckUserCookie(sessionID, csrfToken string) (user *model.User) {
 	client.SetCookie("csrftoken", csrfToken)
-	client.SetCookie("sessionid", sessionId)
+	client.SetCookie("sessionid", sessionID)
 	err := client.Get(UserProfileURL, &user)
 	if err != nil {
 		logger.Error(err)

--- a/pkg/webssh/handler.go
+++ b/pkg/webssh/handler.go
@@ -28,7 +28,7 @@ func AuthDecorator(handler http.HandlerFunc) http.HandlerFunc {
 			}
 		}
 		user := service.CheckUserCookie(sessionid, csrfToken)
-		if user.Id == "" {
+		if user.ID == "" {
 			// Todo: 构建login的url
 			http.Redirect(responseWriter, request, "", http.StatusFound)
 			return