harbor/api/user.go

/*
   Copyright (c) 2016 VMware, Inc. All Rights Reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/

package api

import (
	"net/http"
	"os"
	"strconv"
	"strings"

	"github.com/vmware/harbor/dao"
	"github.com/vmware/harbor/models"
	"github.com/vmware/harbor/utils/log"
)

// UserAPI handles request to /api/users/{}
type UserAPI struct {
	BaseAPI
	currentUserID    int
	userID           int
	SelfRegistration bool
	IsAdmin          bool
	AuthMode         string
}

type passwordReq struct {
	OldPassword string `json:"old_password"`
	NewPassword string `json:"new_password"`
}

// Prepare validates the URL and parms
func (ua *UserAPI) Prepare() {

	authMode := strings.ToLower(os.Getenv("AUTH_MODE"))
	if authMode == "" {
		authMode = "db_auth"
	}
	ua.AuthMode = authMode

	selfRegistration := strings.ToLower(os.Getenv("SELF_REGISTRATION"))
	if selfRegistration == "on" {
		ua.SelfRegistration = true
	}

	if ua.Ctx.Input.IsPost() {
		sessionUserID := ua.GetSession("userId")
		_, _, ok := ua.Ctx.Request.BasicAuth()
		if sessionUserID == nil && !ok {
			return
		}
	}

	ua.currentUserID = ua.ValidateUser()
	id := ua.Ctx.Input.Param(":id")
	if id == "current" {
		ua.userID = ua.currentUserID
	} else if len(id) > 0 {
		var err error
		ua.userID, err = strconv.Atoi(id)
		if err != nil {
			log.Errorf("Invalid user id, error: %v", err)
			ua.CustomAbort(http.StatusBadRequest, "Invalid user Id")
		}
		userQuery := models.User{UserID: ua.userID}
		u, err := dao.GetUser(userQuery)
		if err != nil {
			log.Errorf("Error occurred in GetUser, error: %v", err)
			ua.CustomAbort(http.StatusInternalServerError, "Internal error.")
		}
		if u == nil {
			log.Errorf("User with Id: %d does not exist", ua.userID)
			ua.CustomAbort(http.StatusNotFound, "")
		}
	}

	var err error
	ua.IsAdmin, err = dao.IsAdminRole(ua.currentUserID)
	if err != nil {
		log.Errorf("Error occurred in IsAdminRole:%v", err)
		ua.CustomAbort(http.StatusInternalServerError, "Internal error.")
	}

}

// Get ...
func (ua *UserAPI) Get() {
	if ua.userID == 0 { //list users
		if !ua.IsAdmin {
			log.Errorf("Current user, id: %d does not have admin role, can not list users", ua.currentUserID)
			ua.RenderError(http.StatusForbidden, "User does not have admin role")
			return
		}
		username := ua.GetString("username")
		userQuery := models.User{}
		if len(username) > 0 {
			userQuery.Username = "%" + username + "%"
		}
		userList, err := dao.ListUsers(userQuery)
		if err != nil {
			log.Errorf("Failed to get data from database, error: %v", err)
			ua.RenderError(http.StatusInternalServerError, "Failed to query from database")
			return
		}
		ua.Data["json"] = userList

	} else if ua.userID == ua.currentUserID || ua.IsAdmin {
		userQuery := models.User{UserID: ua.userID}
		u, err := dao.GetUser(userQuery)
		if err != nil {
			log.Errorf("Error occurred in GetUser, error: %v", err)
			ua.CustomAbort(http.StatusInternalServerError, "Internal error.")
		}
		ua.Data["json"] = u
	} else {
		log.Errorf("Current user, id: %d does not have admin role, can not view other user's detail", ua.currentUserID)
		ua.RenderError(http.StatusForbidden, "User does not have admin role")
		return
	}
	ua.ServeJSON()
}

// Put ...
func (ua *UserAPI) Put() { //currently only for toggle admin, so no request body
	if !ua.IsAdmin {
		log.Warningf("current user, id: %d does not have admin role, can not update other user's role", ua.currentUserID)
		ua.RenderError(http.StatusForbidden, "User does not have admin role")
		return
	}
	userQuery := models.User{UserID: ua.userID}
	dao.ToggleUserAdminRole(userQuery)
}

// Post ...
func (ua *UserAPI) Post() {

	if !(ua.AuthMode == "db_auth") {
		ua.CustomAbort(http.StatusForbidden, "")
	}

	if !(ua.SelfRegistration || ua.IsAdmin) {
		log.Warning("Registration can only be used by admin role user when self-registration is off.")
		ua.CustomAbort(http.StatusForbidden, "")
	}

	user := models.User{}
	ua.DecodeJSONReq(&user)

	userID, err := dao.Register(user)
	if err != nil {
		log.Errorf("Error occurred in Register: %v", err)
		ua.RenderError(http.StatusInternalServerError, "Internal error.")
		return
	}

	ua.Redirect(http.StatusCreated, strconv.FormatInt(userID, 10))
}

// Delete ...
func (ua *UserAPI) Delete() {
	if !ua.IsAdmin {
		log.Warningf("current user, id: %d does not have admin role, can not remove user", ua.currentUserID)
		ua.RenderError(http.StatusForbidden, "User does not have admin role")
		return
	}
	var err error
	err = dao.DeleteUser(ua.userID)
	if err != nil {
		log.Errorf("Failed to delete data from database, error: %v", err)
		ua.RenderError(http.StatusInternalServerError, "Failed to delete User")
		return
	}
}

// ChangePassword handles PUT to /api/users/{}/password
func (ua *UserAPI) ChangePassword() {

	ldapAdminUser := (ua.AuthMode == "ldap_auth" && ua.userID == 1 && ua.userID == ua.currentUserID)
	
	if !(ua.AuthMode == "db_auth" || ldapAdminUser) {
		ua.CustomAbort(http.StatusForbidden, "")
	}

	if !ua.IsAdmin {
		if ua.userID != ua.currentUserID {
			log.Error("Guests can only change their own account.")
			ua.CustomAbort(http.StatusForbidden, "Guests can only change their own account.")
		}
	}

	var req passwordReq
	ua.DecodeJSONReq(&req)
	if req.OldPassword == "" {
		log.Error("Old password is blank")
		ua.CustomAbort(http.StatusBadRequest, "Old password is blank")
	}

	queryUser := models.User{UserID: ua.userID, Password: req.OldPassword}
	user, err := dao.CheckUserPassword(queryUser)
	if err != nil {
		log.Errorf("Error occurred in CheckUserPassword: %v", err)
		ua.CustomAbort(http.StatusInternalServerError, "Internal error.")
	}
	if user == nil {
		log.Warning("Password input is not correct")
		ua.CustomAbort(http.StatusForbidden, "old_password_is_not_correct")
	}

	if req.NewPassword == "" {
		ua.CustomAbort(http.StatusBadRequest, "please_input_new_password")
	}
	updateUser := models.User{UserID: ua.userID, Password: req.NewPassword, Salt: user.Salt}
	err = dao.ChangeUserPassword(updateUser, req.OldPassword)
	if err != nil {
		log.Errorf("Error occurred in ChangeUserPassword: %v", err)
		ua.CustomAbort(http.StatusInternalServerError, "Internal error.")
	}
}
Initial commit 2016-02-01 12:59:10 +01:00			`/*`
			`Copyright (c) 2016 VMware, Inc. All Rights Reserved.`
			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`
fix package comment issue 2016-02-26 11:54:14 +01:00
Initial commit 2016-02-01 12:59:10 +01:00			`package api`

			`import (`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`"net/http"`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`"os"`
Initial commit 2016-02-01 12:59:10 +01:00			`"strconv"`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`"strings"`
Initial commit 2016-02-01 12:59:10 +01:00
			`"github.com/vmware/harbor/dao"`
			`"github.com/vmware/harbor/models"`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`"github.com/vmware/harbor/utils/log"`
Initial commit 2016-02-01 12:59:10 +01:00			`)`

add comments to pass golint 2016-02-26 11:35:55 +01:00			`// UserAPI handles request to /api/users/{}`
Initial commit 2016-02-01 12:59:10 +01:00			`type UserAPI struct {`
			`BaseAPI`
update per comments, add support for basic auth 2016-04-15 10:55:33 +02:00			`currentUserID int`
			`userID int`
			`SelfRegistration bool`
			`IsAdmin bool`
			`AuthMode string`
Initial commit 2016-02-01 12:59:10 +01:00			`}`

update changepassword to /api/users/:id/password 2016-04-21 07:27:47 +02:00			`type passwordReq struct {`
			OldPassword string `json:"old_password"`
			NewPassword string `json:"new_password"`
			`}`

add comments to pass golint 2016-02-26 11:35:55 +01:00			`// Prepare validates the URL and parms`
Initial commit 2016-02-01 12:59:10 +01:00			`func (ua *UserAPI) Prepare() {`

merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`authMode := strings.ToLower(os.Getenv("AUTH_MODE"))`
			`if authMode == "" {`
			`authMode = "db_auth"`
			`}`
			`ua.AuthMode = authMode`

			`selfRegistration := strings.ToLower(os.Getenv("SELF_REGISTRATION"))`
			`if selfRegistration == "on" {`
			`ua.SelfRegistration = true`
			`}`

change register to api/users 2016-04-01 13:42:13 +02:00			`if ua.Ctx.Input.IsPost() {`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`sessionUserID := ua.GetSession("userId")`
update per comments, add support for basic auth 2016-04-15 10:55:33 +02:00			`_, _, ok := ua.Ctx.Request.BasicAuth()`
			`if sessionUserID == nil && !ok {`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`return`
			`}`
change register to api/users 2016-04-01 13:42:13 +02:00			`}`

fix issues except comments related in main, auth, api packages 2016-02-25 06:40:08 +01:00			`ua.currentUserID = ua.ValidateUser()`
Initial commit 2016-02-01 12:59:10 +01:00			`id := ua.Ctx.Input.Param(":id")`
			`if id == "current" {`
fix issues except comments related in main, auth, api packages 2016-02-25 06:40:08 +01:00			`ua.userID = ua.currentUserID`
Initial commit 2016-02-01 12:59:10 +01:00			`} else if len(id) > 0 {`
			`var err error`
fix issues except comments related in main, auth, api packages 2016-02-25 06:40:08 +01:00			`ua.userID, err = strconv.Atoi(id)`
Initial commit 2016-02-01 12:59:10 +01:00			`if err != nil {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Errorf("Invalid user id, error: %v", err)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.CustomAbort(http.StatusBadRequest, "Invalid user Id")`
Initial commit 2016-02-01 12:59:10 +01:00			`}`
golint refactor for model 2016-02-26 03:15:01 +01:00			`userQuery := models.User{UserID: ua.userID}`
Initial commit 2016-02-01 12:59:10 +01:00			`u, err := dao.GetUser(userQuery)`
			`if err != nil {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Errorf("Error occurred in GetUser, error: %v", err)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.CustomAbort(http.StatusInternalServerError, "Internal error.")`
Initial commit 2016-02-01 12:59:10 +01:00			`}`
			`if u == nil {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Errorf("User with Id: %d does not exist", ua.userID)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.CustomAbort(http.StatusNotFound, "")`
Initial commit 2016-02-01 12:59:10 +01:00			`}`
			`}`

merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`var err error`
			`ua.IsAdmin, err = dao.IsAdminRole(ua.currentUserID)`
Initial commit 2016-02-01 12:59:10 +01:00			`if err != nil {`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`log.Errorf("Error occurred in IsAdminRole:%v", err)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.CustomAbort(http.StatusInternalServerError, "Internal error.")`
Initial commit 2016-02-01 12:59:10 +01:00			`}`
update per comments, add support for basic auth 2016-04-15 10:55:33 +02:00
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`}`
Initial commit 2016-02-01 12:59:10 +01:00
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`// Get ...`
			`func (ua *UserAPI) Get() {`
fix issues except comments related in main, auth, api packages 2016-02-25 06:40:08 +01:00			`if ua.userID == 0 { //list users`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`if !ua.IsAdmin {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Errorf("Current user, id: %d does not have admin role, can not list users", ua.currentUserID)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.RenderError(http.StatusForbidden, "User does not have admin role")`
Initial commit 2016-02-01 12:59:10 +01:00			`return`
			`}`
			`username := ua.GetString("username")`
			`userQuery := models.User{}`
			`if len(username) > 0 {`
			`userQuery.Username = "%" + username + "%"`
			`}`
			`userList, err := dao.ListUsers(userQuery)`
			`if err != nil {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Errorf("Failed to get data from database, error: %v", err)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.RenderError(http.StatusInternalServerError, "Failed to query from database")`
Initial commit 2016-02-01 12:59:10 +01:00			`return`
			`}`
			`ua.Data["json"] = userList`

merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`} else if ua.userID == ua.currentUserID \|\| ua.IsAdmin {`
golint refactor for model 2016-02-26 03:15:01 +01:00			`userQuery := models.User{UserID: ua.userID}`
Initial commit 2016-02-01 12:59:10 +01:00			`u, err := dao.GetUser(userQuery)`
			`if err != nil {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Errorf("Error occurred in GetUser, error: %v", err)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.CustomAbort(http.StatusInternalServerError, "Internal error.")`
Initial commit 2016-02-01 12:59:10 +01:00			`}`
			`ua.Data["json"] = u`
			`} else {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Errorf("Current user, id: %d does not have admin role, can not view other user's detail", ua.currentUserID)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.RenderError(http.StatusForbidden, "User does not have admin role")`
Initial commit 2016-02-01 12:59:10 +01:00			`return`
			`}`
			`ua.ServeJSON()`
			`}`

add comments to pass golint 2016-02-26 11:35:55 +01:00			`// Put ...`
Initial commit 2016-02-01 12:59:10 +01:00			`func (ua *UserAPI) Put() { //currently only for toggle admin, so no request body`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`if !ua.IsAdmin {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Warningf("current user, id: %d does not have admin role, can not update other user's role", ua.currentUserID)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.RenderError(http.StatusForbidden, "User does not have admin role")`
Initial commit 2016-02-01 12:59:10 +01:00			`return`
			`}`
golint refactor for model 2016-02-26 03:15:01 +01:00			`userQuery := models.User{UserID: ua.userID}`
Initial commit 2016-02-01 12:59:10 +01:00			`dao.ToggleUserAdminRole(userQuery)`
			`}`

change register to api/users 2016-04-01 13:42:13 +02:00			`// Post ...`
			`func (ua *UserAPI) Post() {`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00
			`if !(ua.AuthMode == "db_auth") {`
			`ua.CustomAbort(http.StatusForbidden, "")`
			`}`

			`if !(ua.SelfRegistration \|\| ua.IsAdmin) {`
			`log.Warning("Registration can only be used by admin role user when self-registration is off.")`
			`ua.CustomAbort(http.StatusForbidden, "")`
			`}`

remove validate step as the duplication, and user model.User instead of new struct. 2016-04-06 05:26:24 +02:00			`user := models.User{}`
			`ua.DecodeJSONReq(&user)`
change register to api/users 2016-04-01 13:42:13 +02:00
add post return, add the URI to header location. 2016-04-22 11:57:39 +02:00			`userID, err := dao.Register(user)`
change register to api/users 2016-04-01 13:42:13 +02:00			`if err != nil {`
fix log issue 2016-04-05 11:45:47 +02:00			`log.Errorf("Error occurred in Register: %v", err)`
change register to api/users 2016-04-01 13:42:13 +02:00			`ua.RenderError(http.StatusInternalServerError, "Internal error.")`
			`return`
			`}`
update per comments, add support for basic auth 2016-04-15 06:33:48 +02:00
Change to get uri from http request, and response with relative path of resource. 2016-04-25 06:10:15 +02:00			`ua.Redirect(http.StatusCreated, strconv.FormatInt(userID, 10))`
change register to api/users 2016-04-01 13:42:13 +02:00			`}`

add comments to pass golint 2016-02-26 11:35:55 +01:00			`// Delete ...`
Initial commit 2016-02-01 12:59:10 +01:00			`func (ua *UserAPI) Delete() {`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`if !ua.IsAdmin {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Warningf("current user, id: %d does not have admin role, can not remove user", ua.currentUserID)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.RenderError(http.StatusForbidden, "User does not have admin role")`
Initial commit 2016-02-01 12:59:10 +01:00			`return`
			`}`
merge code with api/user; refactor api/users 2016-04-08 09:25:52 +02:00			`var err error`
fix issues except comments related in main, auth, api packages 2016-02-25 06:40:08 +01:00			`err = dao.DeleteUser(ua.userID)`
Initial commit 2016-02-01 12:59:10 +01:00			`if err != nil {`
Use new logger for api package 2016-03-28 02:50:09 +02:00			`log.Errorf("Failed to delete data from database, error: %v", err)`
replace status codes with constants in net/http 2016-02-24 07:31:52 +01:00			`ua.RenderError(http.StatusInternalServerError, "Failed to delete User")`
Initial commit 2016-02-01 12:59:10 +01:00			`return`
			`}`
			`}`
update changepassword to /api/users/:id/password 2016-04-21 07:27:47 +02:00
			`// ChangePassword handles PUT to /api/users/{}/password`
			`func (ua *UserAPI) ChangePassword() {`

change password for admin user when in LDAP mode 2016-05-09 14:57:41 +02:00			`ldapAdminUser := (ua.AuthMode == "ldap_auth" && ua.userID == 1 && ua.userID == ua.currentUserID)`

			`if !(ua.AuthMode == "db_auth" \|\| ldapAdminUser) {`
update changepassword to /api/users/:id/password 2016-04-21 07:27:47 +02:00			`ua.CustomAbort(http.StatusForbidden, "")`
			`}`

			`if !ua.IsAdmin {`
			`if ua.userID != ua.currentUserID {`
			`log.Error("Guests can only change their own account.")`
			`ua.CustomAbort(http.StatusForbidden, "Guests can only change their own account.")`
			`}`
			`}`

			`var req passwordReq`
			`ua.DecodeJSONReq(&req)`
			`if req.OldPassword == "" {`
			`log.Error("Old password is blank")`
			`ua.CustomAbort(http.StatusBadRequest, "Old password is blank")`
			`}`

			`queryUser := models.User{UserID: ua.userID, Password: req.OldPassword}`
			`user, err := dao.CheckUserPassword(queryUser)`
			`if err != nil {`
			`log.Errorf("Error occurred in CheckUserPassword: %v", err)`
			`ua.CustomAbort(http.StatusInternalServerError, "Internal error.")`
			`}`
			`if user == nil {`
			`log.Warning("Password input is not correct")`
			`ua.CustomAbort(http.StatusForbidden, "old_password_is_not_correct")`
			`}`

			`if req.NewPassword == "" {`
			`ua.CustomAbort(http.StatusBadRequest, "please_input_new_password")`
			`}`
			`updateUser := models.User{UserID: ua.userID, Password: req.NewPassword, Salt: user.Salt}`
			`err = dao.ChangeUserPassword(updateUser, req.OldPassword)`
			`if err != nil {`
			`log.Errorf("Error occurred in ChangeUserPassword: %v", err)`
			`ua.CustomAbort(http.StatusInternalServerError, "Internal error.")`
			`}`
			`}`