im.go

/*

 Copyright 2019 The KubeSphere Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.

*/
package iam

import (
	"encoding/json"
	"errors"
	"fmt"
	"github.com/emicklei/go-restful"
	"github.com/go-ldap/ldap"
	"github.com/go-redis/redis"
	"golang.org/x/oauth2"
	"io/ioutil"
	"k8s.io/klog"
	"kubesphere.io/kubesphere/pkg/constants"
	"kubesphere.io/kubesphere/pkg/db"
	"kubesphere.io/kubesphere/pkg/informers"
	"kubesphere.io/kubesphere/pkg/models/devops"
	"kubesphere.io/kubesphere/pkg/models/kubeconfig"
	"kubesphere.io/kubesphere/pkg/models/kubectl"
	"kubesphere.io/kubesphere/pkg/server/params"
	clientset "kubesphere.io/kubesphere/pkg/simple/client"
	ldappool "kubesphere.io/kubesphere/pkg/simple/client/ldap"
	"kubesphere.io/kubesphere/pkg/utils/k8sutil"
	"kubesphere.io/kubesphere/pkg/utils/sliceutil"
	"net/http"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"time"

	"github.com/dgrijalva/jwt-go"
	rbacv1 "k8s.io/api/rbac/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
	"kubesphere.io/kubesphere/pkg/models"
	"kubesphere.io/kubesphere/pkg/utils/jwtutil"
)

type IdentityManagementInterface interface {
	CreateUser(user *User) (*User, error)
	DescribeUser(username string) (*User, error)
	Login(username, password, ip string) (*oauth2.Token, error)
}

type imOperator struct {
	config    Config
	ldap      ldappool.Client
	redis     redis.Client
	initUsers []initUser
}

type initUser struct {
	User
	Hidden bool `json:"hidden"`
}

const (
	authRateLimitRegex         = `(\d+)/(\d+[s|m|h])`
	defaultMaxAuthFailed       = 5
	defaultAuthTimeInterval    = 30 * time.Minute
	mailAttribute              = "mail"
	uidAttribute               = "uid"
	descriptionAttribute       = "description"
	preferredLanguageAttribute = "preferredLanguage"
	createTimestampAttribute   = "createTimestampAttribute"
	dateTimeLayout             = "20060102150405Z"
)

func IdentityManagementInit(ldap ldappool.Client, config Config) (IdentityManagementInterface, error) {

	//maxAuthFailed, authTimeInterval := parseAuthRateLimit(authRateLimit)

	imOperator := &imOperator{ldap: ldap, config: config}

	err := imOperator.checkAndCreateDefaultUser()

	if err != nil {
		klog.Errorln(err)
		return nil, err
	}

	err = imOperator.checkAndCreateDefaultGroup()

	if err != nil {
		klog.Errorln(err)
		return nil, err
	}

	return imOperator, nil
}

func parseAuthRateLimit(authRateLimit string) (int, time.Duration) {
	regex := regexp.MustCompile(authRateLimitRegex)
	groups := regex.FindStringSubmatch(authRateLimit)

	maxCount := defaultMaxAuthFailed
	timeInterval := defaultAuthTimeInterval

	if len(groups) == 3 {
		maxCount, _ = strconv.Atoi(groups[1])
		timeInterval, _ = time.ParseDuration(groups[2])
	} else {
		klog.Warning("invalid auth rate limit", authRateLimit)
	}

	return maxCount, timeInterval
}

func (im *imOperator) checkAndCreateDefaultGroup() error {

	conn, err := im.ldap.NewConn()
	if err != nil {
		return err
	}
	defer conn.Close()

	groupSearchRequest := ldap.NewSearchRequest(
		im.ldap.GroupSearchBase(),
		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
		"(&(objectClass=posixGroup))",
		nil,
		nil,
	)

	_, err = conn.Search(groupSearchRequest)

	if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
		err = im.createGroupsBaseDN()
		if err != nil {
			return fmt.Errorf("GroupBaseDN %s create failed: %s\n", im.ldap.GroupSearchBase(), err)
		}
	}

	if err != nil {
		return fmt.Errorf("iam database init failed: %s\n", err)
	}

	return nil
}

func (im *imOperator) checkAndCreateDefaultUser() error {
	conn, err := im.ldap.NewConn()
	if err != nil {
		return err
	}
	defer conn.Close()

	userSearchRequest := ldap.NewSearchRequest(
		im.ldap.UserSearchBase(),
		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
		"(&(objectClass=inetOrgPerson))",
		[]string{"uid"},
		nil,
	)

	result, err := conn.Search(userSearchRequest)

	if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
		err = im.createUserBaseDN()
		if err != nil {
			return fmt.Errorf("UserBaseDN %s create failed: %s\n", im.ldap.UserSearchBase(), err)
		}
	}

	if err != nil {
		return fmt.Errorf("iam database init failed: %s\n", err)
	}

	data, err := ioutil.ReadFile(im.config.userInitFile)

	if err == nil {
		json.Unmarshal(data, &im.initUsers)
	}

	im.initUsers = append(im.initUsers, initUser{User: User{Username: constants.AdminUserName, Email: im.config.adminEmail, Password: im.config.adminPassword, Description: "Administrator account that was always created by default.", ClusterRole: constants.ClusterAdmin}})

	for _, user := range im.initUsers {
		if result == nil || !containsUser(result.Entries, user) {
			_, err = im.CreateUser(&user.User)
			if err != nil && !ldap.IsErrorWithCode(err, ldap.LDAPResultEntryAlreadyExists) {
				klog.Errorln(err)
				return err
			}
		}
	}

	return nil
}

func containsUser(entries []*ldap.Entry, user initUser) bool {
	for _, entry := range entries {
		uid := entry.GetAttributeValue("uid")
		if uid == user.Username {
			return true
		}
	}
	return false
}

func (im *imOperator) createUserBaseDN() error {

	conn, err := im.ldap.NewConn()
	if err != nil {
		return err
	}
	defer conn.Close()
	groupsCreateRequest := ldap.NewAddRequest(im.ldap.UserSearchBase(), nil)
	groupsCreateRequest.Attribute("objectClass", []string{"organizationalUnit", "top"})
	groupsCreateRequest.Attribute("ou", []string{"Users"})
	return conn.Add(groupsCreateRequest)
}

func (im *imOperator) createGroupsBaseDN() error {

	conn, err := im.ldap.NewConn()
	if err != nil {
		return err
	}
	defer conn.Close()
	groupsCreateRequest := ldap.NewAddRequest(im.ldap.GroupSearchBase(), nil)
	groupsCreateRequest.Attribute("objectClass", []string{"organizationalUnit", "top"})
	groupsCreateRequest.Attribute("ou", []string{"Groups"})
	return conn.Add(groupsCreateRequest)
}

// User login
func (im *imOperator) Login(username, password, ip string) (*oauth2.Token, error) {

	records, err := im.redis.Keys(fmt.Sprintf("kubesphere:authfailed:%s:*", username)).Result()

	if err != nil {
		klog.Error(err)
		return nil, err
	}

	if len(records) >= im.config.maxAuthFailed {
		return nil, restful.NewError(http.StatusTooManyRequests, "auth rate limit exceeded")
	}

	user, err := im.DescribeUser(&User{Username: username, Email: username})

	conn, err := im.ldap.NewConn()
	if err != nil {
		klog.Error(err)
		return nil, err
	}
	defer conn.Close()

	dn := fmt.Sprintf("%s=%s,%s", uidAttribute, user.Username, im.ldap.UserSearchBase())

	// bind as the user to verify their password
	err = conn.Bind(dn, password)

	if err != nil {
		if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) {
			authFailedCacheKey := fmt.Sprintf("kubesphere:authfailed:%s:%d", user.Username, time.Now().UnixNano())
			im.redis.Set(authFailedCacheKey, "", im.config.authTimeInterval)
		}
		return nil, err
	}

	claims := jwt.MapClaims{}

	loginTime := time.Now()
	// token without expiration time will auto sliding
	claims["username"] = user.Username
	claims["email"] = user.Email
	claims["iat"] = loginTime.Unix()

	token := jwtutil.MustSigned(claims)

	if !im.config.enableMultiLogin {
		// multi login not allowed, remove the previous token
		sessionCacheKey := fmt.Sprintf("kubesphere:users:%s:token:*", user.Username)
		sessions, err := im.redis.Keys(sessionCacheKey).Result()

		if err != nil {
			klog.Errorln(err)
			return nil, err
		}

		if len(sessions) > 0 {
			klog.V(4).Infoln("revoke token", sessions)
			err = im.redis.Del(sessions...).Err()
			if err != nil {
				klog.Errorln(err)
				return nil, err
			}
		}
	}

	// cache token with expiration time
	sessionCacheKey := fmt.Sprintf("kubesphere:users:%s:token:%s", user.Username, token)
	if err = im.redis.Set(sessionCacheKey, token, im.config.tokenIdleTimeout).Err(); err != nil {
		klog.Errorln(err)
		return nil, err
	}

	im.loginRecord(user.Username, ip, loginTime)

	return &oauth2.Token{AccessToken: token}, nil
}

func (im *imOperator) loginRecord(username, ip string, loginTime time.Time) {
	if ip != "" {
		im.redis.RPush(fmt.Sprintf("kubesphere:users:%s:login-log", username), fmt.Sprintf("%s,%s", loginTime.UTC().Format("2006-01-02T15:04:05Z"), ip))
		im.redis.LTrim(fmt.Sprintf("kubesphere:users:%s:login-log", username), -10, -1)
	}
}

func (im *imOperator) LoginHistory(username string) ([]string, error) {
	data, err := im.redis.LRange(fmt.Sprintf("kubesphere:users:%s:login-log", username), -10, -1).Result()

	if err != nil {
		return nil, err
	}

	return data, nil
}

func (im *imOperator) ListUsers(conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error) {
	conn, err := im.ldap.NewConn()
	if err != nil {
		return nil, err
	}
	defer conn.Close()

	pageControl := ldap.NewControlPaging(1000)

	users := make([]User, 0)

	filter := "(&(objectClass=inetOrgPerson))"

	if keyword := conditions.Match["keyword"]; keyword != "" {
		filter = fmt.Sprintf("(&(objectClass=inetOrgPerson)(|(uid=*%s*)(mail=*%s*)(description=*%s*)))", keyword, keyword, keyword)
	}

	if username := conditions.Match["username"]; username != "" {
		uidFilter := ""
		for _, username := range strings.Split(username, "|") {
			uidFilter += fmt.Sprintf("(uid=%s)", username)
		}
		filter = fmt.Sprintf("(&(objectClass=inetOrgPerson)(|%s))", uidFilter)
	}

	if email := conditions.Match["email"]; email != "" {
		emailFilter := ""
		for _, username := range strings.Split(email, "|") {
			emailFilter += fmt.Sprintf("(mail=%s)", username)
		}
		filter = fmt.Sprintf("(&(objectClass=inetOrgPerson)(|%s))", emailFilter)
	}

	for {
		userSearchRequest := ldap.NewSearchRequest(
			im.ldap.UserSearchBase(),
			ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
			filter,
			[]string{"uid", "mail", "description", "preferredLanguage", "createTimestamp"},
			[]ldap.Control{pageControl},
		)

		response, err := conn.Search(userSearchRequest)

		if err != nil {
			klog.Errorln("search user", err)
			return nil, err
		}

		for _, entry := range response.Entries {

			uid := entry.GetAttributeValue("uid")
			email := entry.GetAttributeValue("mail")
			description := entry.GetAttributeValue("description")
			lang := entry.GetAttributeValue("preferredLanguage")
			createTimestamp, _ := time.Parse("20060102150405Z", entry.GetAttributeValue("createTimestamp"))

			user := User{Username: uid, Email: email, Description: description, Lang: lang, CreateTime: createTimestamp}

			if !im.shouldHidden(user) {
				users = append(users, user)
			}
		}

		updatedControl := ldap.FindControl(response.Controls, ldap.ControlTypePaging)
		if ctrl, ok := updatedControl.(*ldap.ControlPaging); ctrl != nil && ok && len(ctrl.Cookie) != 0 {
			pageControl.SetCookie(ctrl.Cookie)
			continue
		}

		break
	}

	sort.Slice(users, func(i, j int) bool {
		if reverse {
			tmp := i
			i = j
			j = tmp
		}
		switch orderBy {
		case "username":
			return strings.Compare(users[i].Username, users[j].Username) <= 0
		case "createTime":
			fallthrough
		default:
			return users[i].CreateTime.Before(users[j].CreateTime)
		}
	})

	items := make([]interface{}, 0)

	for i, user := range users {

		if i >= offset && len(items) < limit {

			user.LastLoginTime = im.GetLastLoginTime(user.Username)
			clusterRole, err := im.GetUserClusterRole(user.Username)
			if err != nil {
				return nil, err
			}
			user.ClusterRole = clusterRole.Name
			items = append(items, user)
		}
	}

	return &models.PageableResponse{Items: items, TotalCount: len(users)}, nil
}

func (im *imOperator) shouldHidden(user User) bool {
	for _, initUser := range im.initUsers {
		if initUser.Username == user.Username {
			return initUser.Hidden
		}
	}
	return false
}

func (im *imOperator) DescribeUser(user *User) (*User, error) {
	conn, err := im.ldap.NewConn()

	if err != nil {
		klog.Errorln(err)
		return nil, err
	}
	defer conn.Close()

	filter := fmt.Sprintf("(&(objectClass=inetOrgPerson)(|(uid=%s)(mail=%s)))", user.Username, user.Email)

	searchRequest := ldap.NewSearchRequest(
		im.ldap.UserSearchBase(),
		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 1, 0, false,
		filter,
		[]string{mailAttribute, descriptionAttribute, preferredLanguageAttribute, createTimestampAttribute},
		nil,
	)

	result, err := conn.Search(searchRequest)

	if err != nil {
		klog.Errorln(err)
		return nil, err
	}

	if len(result.Entries) != 1 {
		return nil, ldap.NewError(ldap.LDAPResultNoSuchObject, errors.New("user does not exist"))
	}

	entry := result.Entries[0]

	return convertLdapEntryToUser(entry), nil
}

func convertLdapEntryToUser(entry *ldap.Entry) *User {
	username := entry.GetAttributeValue(uidAttribute)
	email := entry.GetAttributeValue(mailAttribute)
	description := entry.GetAttributeValue(descriptionAttribute)
	lang := entry.GetAttributeValue(preferredLanguageAttribute)
	createTimestamp, _ := time.Parse(dateTimeLayout, entry.GetAttributeValue(createTimestampAttribute))
	return &User{Username: username, Email: email, Description: description, Lang: lang, CreateTime: createTimestamp}
}

func (im *imOperator) GetLastLoginTime(username string) string {
	cacheKey := fmt.Sprintf("kubesphere:users:%s:login-log", username)
	lastLogin, err := im.redis.LRange(cacheKey, -1, -1).Result()
	if err != nil {
		return ""
	}

	if len(lastLogin) > 0 {
		return strings.Split(lastLogin[0], ",")[0]
	}

	return ""
}

func (im *imOperator) DeleteUser(username string) error {
	conn, err := im.ldap.NewConn()
	if err != nil {
		return err
	}
	defer conn.Close()

	deleteRequest := ldap.NewDelRequest(fmt.Sprintf("uid=%s,%s", username, im.ldap.UserSearchBase()), nil)

	if err = conn.Del(deleteRequest); err != nil {
		klog.Errorln("delete user", err)
		return err
	}

	if err = im.deleteRoleBindings(username); err != nil {
		klog.Errorln("delete user role bindings failed", username, err)
	}

	if err := kubeconfig.DelKubeConfig(username); err != nil {
		klog.Errorln("delete user kubeconfig failed", username, err)
	}

	if err := kubectl.DelKubectlDeploy(username); err != nil {
		klog.Errorln("delete user terminal pod failed", username, err)
	}

	if err := im.deleteUserInDevOps(username); err != nil {
		klog.Errorln("delete user in devops failed", username, err)
	}
	return nil

}

// deleteUserInDevOps is used to clean up user data of devops, such as permission rules
func (im *imOperator) deleteUserInDevOps(username string) error {

	devopsDb, err := clientset.ClientSets().MySQL()
	if err != nil {
		if err == clientset.ErrClientSetNotEnabled {
			klog.Warning("mysql is not enable")
			return nil
		}
		return err
	}

	dp, err := clientset.ClientSets().Devops()
	if err != nil {
		if err == clientset.ErrClientSetNotEnabled {
			klog.Warning("devops client is not enable")
			return nil
		}
		return err
	}

	jenkinsClient := dp.Jenkins()

	_, err = devopsDb.DeleteFrom(devops.ProjectMembershipTableName).
		Where(db.And(
			db.Eq(devops.ProjectMembershipUsernameColumn, username),
		)).Exec()
	if err != nil {
		klog.Errorf("%+v", err)
		return err
	}

	err = jenkinsClient.DeleteUserInProject(username)
	if err != nil {
		klog.Errorf("%+v", err)
		return err
	}
	return nil
}

func (im *imOperator) deleteRoleBindings(username string) error {
	roleBindingLister := informers.SharedInformerFactory().Rbac().V1().RoleBindings().Lister()
	roleBindings, err := roleBindingLister.List(labels.Everything())

	if err != nil {
		return err
	}

	for _, roleBinding := range roleBindings {
		roleBinding = roleBinding.DeepCopy()
		length1 := len(roleBinding.Subjects)

		for index, subject := range roleBinding.Subjects {
			if subject.Kind == rbacv1.UserKind && subject.Name == username {
				roleBinding.Subjects = append(roleBinding.Subjects[:index], roleBinding.Subjects[index+1:]...)
				index--
			}
		}

		length2 := len(roleBinding.Subjects)

		if length2 == 0 {
			deletePolicy := metav1.DeletePropagationBackground
			err = clientset.ClientSets().K8s().Kubernetes().RbacV1().RoleBindings(roleBinding.Namespace).Delete(roleBinding.Name, &metav1.DeleteOptions{PropagationPolicy: &deletePolicy})

			if err != nil {
				klog.Errorf("delete role binding %s %s %s failed: %v", username, roleBinding.Namespace, roleBinding.Name, err)
			}
		} else if length2 < length1 {
			_, err = clientset.ClientSets().K8s().Kubernetes().RbacV1().RoleBindings(roleBinding.Namespace).Update(roleBinding)

			if err != nil {
				klog.Errorf("update role binding %s %s %s failed: %v", username, roleBinding.Namespace, roleBinding.Name, err)
			}
		}
	}

	clusterRoleBindingLister := informers.SharedInformerFactory().Rbac().V1().ClusterRoleBindings().Lister()
	clusterRoleBindings, err := clusterRoleBindingLister.List(labels.Everything())

	for _, clusterRoleBinding := range clusterRoleBindings {
		clusterRoleBinding = clusterRoleBinding.DeepCopy()
		length1 := len(clusterRoleBinding.Subjects)

		for index, subject := range clusterRoleBinding.Subjects {
			if subject.Kind == rbacv1.UserKind && subject.Name == username {
				clusterRoleBinding.Subjects = append(clusterRoleBinding.Subjects[:index], clusterRoleBinding.Subjects[index+1:]...)
				index--
			}
		}

		length2 := len(clusterRoleBinding.Subjects)
		if length2 == 0 {
			// delete if it's not workspace role binding
			if isWorkspaceRoleBinding(clusterRoleBinding) {
				_, err = clientset.ClientSets().K8s().Kubernetes().RbacV1().ClusterRoleBindings().Update(clusterRoleBinding)
			} else {
				deletePolicy := metav1.DeletePropagationBackground
				err = clientset.ClientSets().K8s().Kubernetes().RbacV1().ClusterRoleBindings().Delete(clusterRoleBinding.Name, &metav1.DeleteOptions{PropagationPolicy: &deletePolicy})
			}
			if err != nil {
				klog.Errorf("update cluster role binding %s failed:%s", clusterRoleBinding.Name, err)
			}
		} else if length2 < length1 {
			_, err = clientset.ClientSets().K8s().Kubernetes().RbacV1().ClusterRoleBindings().Update(clusterRoleBinding)

			if err != nil {
				klog.Errorf("update cluster role binding %s failed:%s", clusterRoleBinding.Name, err)
			}
		}

	}

	return nil
}

func (im *imOperator) isWorkspaceRoleBinding(clusterRoleBinding *rbacv1.ClusterRoleBinding) bool {
	return k8sutil.IsControlledBy(clusterRoleBinding.OwnerReferences, "Workspace", "")
}

func (im *imOperator) CreateUser(user *User) (*User, error) {
	user.Username = strings.TrimSpace(user.Username)
	user.Email = strings.TrimSpace(user.Email)
	user.Password = strings.TrimSpace(user.Password)
	user.Description = strings.TrimSpace(user.Description)

	existed, err := im.DescribeUser(user)

	if err != nil {
		klog.Errorln(err)
		return nil, err
	}

	if existed != nil {
		return nil, ldap.NewError(ldap.LDAPResultEntryAlreadyExists, errors.New("username or email already exists"))
	}

	uidNumber := im.uidNumberNext()

	createRequest := ldap.NewAddRequest(fmt.Sprintf("uid=%s,%s", user.Username, im.ldap.UserSearchBase()), nil)
	createRequest.Attribute("objectClass", []string{"inetOrgPerson", "posixAccount", "top"})
	createRequest.Attribute("cn", []string{user.Username})                       // RFC4519: common name(s) for which the entity is known by
	createRequest.Attribute("sn", []string{" "})                                 // RFC2256: last (family) name(s) for which the entity is known by
	createRequest.Attribute("gidNumber", []string{"500"})                        // RFC2307: An integer uniquely identifying a group in an administrative domain
	createRequest.Attribute("homeDirectory", []string{"/home/" + user.Username}) // The absolute path to the home directory
	createRequest.Attribute("uid", []string{user.Username})                      // RFC4519: user identifier
	createRequest.Attribute("uidNumber", []string{strconv.Itoa(uidNumber)})      // RFC2307: An integer uniquely identifying a user in an administrative domain
	createRequest.Attribute("mail", []string{user.Email})                        // RFC1274: RFC822 Mailbox
	createRequest.Attribute("userPassword", []string{user.Password})             // RFC4519/2307: password of user
	if user.Lang != "" {
		createRequest.Attribute("preferredLanguage", []string{user.Lang})
	}
	if user.Description != "" {
		createRequest.Attribute("description", []string{user.Description}) // RFC4519: descriptive information
	}

	conn, err := im.ldap.NewConn()

	if err != nil {
		klog.Errorln(err)
		return nil, err
	}

	err = conn.Add(createRequest)

	if err != nil {
		klog.Errorln(err)
		return nil, err
	}

	return user, nil
}

func (im *imOperator) UpdateUser(user *User) (*User, error) {

	client, err := clientset.ClientSets().Ldap()
	if err != nil {
		return nil, err
	}
	conn, err := im.ldap.NewConn()
	if err != nil {
		return nil, err
	}
	defer conn.Close()

	dn := fmt.Sprintf("uid=%s,%s", user.Username, im.ldap.UserSearchBase())
	userModifyRequest := ldap.NewModifyRequest(dn, nil)
	if user.Email != "" {
		userSearchRequest := ldap.NewSearchRequest(
			im.ldap.UserSearchBase(),
			ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
			fmt.Sprintf("(&(objectClass=inetOrgPerson)(mail=%s))", user.Email),
			[]string{"uid", "mail"},
			nil,
		)
		result, err := conn.Search(userSearchRequest)
		if err != nil {
			klog.Error(err)
			return nil, err
		}
		if len(result.Entries) > 1 {
			err = ldap.NewError(ldap.ErrorDebugging, fmt.Errorf("email is duplicated: %s", user.Email))
			klog.Error(err)
			return nil, err
		}
		if len(result.Entries) == 1 && result.Entries[0].GetAttributeValue("uid") != user.Username {
			err = ldap.NewError(ldap.LDAPResultEntryAlreadyExists, fmt.Errorf("email is duplicated: %s", user.Email))
			klog.Error(err)
			return nil, err
		}
		userModifyRequest.Replace("mail", []string{user.Email})
	}
	if user.Description != "" {
		userModifyRequest.Replace("description", []string{user.Description})
	}

	if user.Lang != "" {
		userModifyRequest.Replace("preferredLanguage", []string{user.Lang})
	}

	if user.Password != "" {
		userModifyRequest.Replace("userPassword", []string{user.Password})
	}

	err = conn.Modify(userModifyRequest)

	if err != nil {
		klog.Error(err)
		return nil, err
	}

	if user.ClusterRole != "" {
		err = CreateClusterRoleBinding(user.Username, user.ClusterRole)

		if err != nil {
			klog.Errorln(err)
			return nil, err
		}
	}

	// clear auth failed record
	if user.Password != "" {
		redisClient, err := clientset.ClientSets().Redis()
		if err != nil {
			return nil, err
		}

		records, err := im.redis.Keys(fmt.Sprintf("kubesphere:authfailed:%s:*", user.Username)).Result()

		if err == nil {
			im.redis.Del(records...)
		}
	}

	return GetUserInfo(user.Username)
}
func (im *imOperator) DeleteGroup(path string) error {

	client, err := clientset.ClientSets().Ldap()
	if err != nil {
		return err
	}
	conn, err := im.ldap.NewConn()
	if err != nil {
		return err
	}
	defer conn.Close()

	searchBase, cn := splitPath(path)

	groupDeleteRequest := ldap.NewDelRequest(fmt.Sprintf("cn=%s,%s", cn, searchBase), nil)
	err = conn.Del(groupDeleteRequest)

	if err != nil {
		klog.Errorln("delete user group", err)
		return err
	}

	return nil
}

func (im *imOperator) CreateGroup(group *models.Group) (*models.Group, error) {

	client, err := clientset.ClientSets().Ldap()
	if err != nil {
		return nil, err
	}
	conn, err := im.ldap.NewConn()
	if err != nil {
		return nil, err
	}
	defer conn.Close()

	maxGid, err := getMaxGid()

	if err != nil {
		klog.Errorln("get max gid", err)
		return nil, err
	}

	maxGid += 1

	if group.Path == "" {
		group.Path = group.Name
	}

	searchBase, cn := splitPath(group.Path)

	groupCreateRequest := ldap.NewAddRequest(fmt.Sprintf("cn=%s,%s", cn, searchBase), nil)
	groupCreateRequest.Attribute("objectClass", []string{"posixGroup", "top"})
	groupCreateRequest.Attribute("cn", []string{cn})
	groupCreateRequest.Attribute("gidNumber", []string{strconv.Itoa(maxGid)})

	if group.Description != "" {
		groupCreateRequest.Attribute("description", []string{group.Description})
	}

	if group.Members != nil {
		groupCreateRequest.Attribute("memberUid", group.Members)
	}

	err = conn.Add(groupCreateRequest)

	if err != nil {
		klog.Errorln("create group", err)
		return nil, err
	}

	group.Gid = strconv.Itoa(maxGid)

	return DescribeGroup(group.Path)
}

func (im *imOperator) UpdateGroup(group *models.Group) (*models.Group, error) {

	client, err := clientset.ClientSets().Ldap()
	if err != nil {
		return nil, err
	}
	conn, err := im.ldap.NewConn()
	if err != nil {
		return nil, err
	}
	defer conn.Close()

	old, err := DescribeGroup(group.Path)

	if err != nil {
		return nil, err
	}

	searchBase, cn := splitPath(group.Path)

	groupUpdateRequest := ldap.NewModifyRequest(fmt.Sprintf("cn=%s,%s", cn, searchBase), nil)

	if old.Description == "" {
		if group.Description != "" {
			groupUpdateRequest.Add("description", []string{group.Description})
		}
	} else {
		if group.Description != "" {
			groupUpdateRequest.Replace("description", []string{group.Description})
		} else {
			groupUpdateRequest.Delete("description", []string{})
		}
	}

	if group.Members != nil {
		groupUpdateRequest.Replace("memberUid", group.Members)
	}

	err = conn.Modify(groupUpdateRequest)

	if err != nil {
		klog.Errorln("update group", err)
		return nil, err
	}

	return group, nil
}

func (im *imOperator) ChildList(path string) ([]models.Group, error) {

	client, err := clientset.ClientSets().Ldap()
	if err != nil {
		return nil, err
	}
	conn, err := im.ldap.NewConn()
	if err != nil {
		return nil, err
	}
	defer conn.Close()

	var groupSearchRequest *ldap.SearchRequest
	if path == "" {
		groupSearchRequest = ldap.NewSearchRequest(client.GroupSearchBase(),
			ldap.ScopeSingleLevel, ldap.NeverDerefAliases, 0, 0, false,
			"(&(objectClass=posixGroup))",
			[]string{"cn", "gidNumber", "memberUid", "description"},
			nil)
	} else {
		searchBase, cn := splitPath(path)
		groupSearchRequest = ldap.NewSearchRequest(fmt.Sprintf("cn=%s,%s", cn, searchBase),
			ldap.ScopeSingleLevel, ldap.NeverDerefAliases, 0, 0, false,
			"(&(objectClass=posixGroup))",
			[]string{"cn", "gidNumber", "memberUid", "description"},
			nil)
	}

	result, err := conn.Search(groupSearchRequest)

	if err != nil {
		return nil, err
	}

	groups := make([]models.Group, 0)

	for _, v := range result.Entries {
		dn := v.DN
		cn := v.GetAttributeValue("cn")
		gid := v.GetAttributeValue("gidNumber")
		members := v.GetAttributeValues("memberUid")
		description := v.GetAttributeValue("description")

		group := models.Group{Path: convertDNToPath(dn), Name: cn, Gid: gid, Members: members, Description: description}

		childSearchRequest := ldap.NewSearchRequest(dn,
			ldap.ScopeSingleLevel, ldap.NeverDerefAliases, 0, 0, false,
			"(&(objectClass=posixGroup))",
			[]string{""},
			nil)

		result, err = conn.Search(childSearchRequest)

		if err != nil {
			return nil, err
		}

		childGroups := make([]string, 0)

		for _, v := range result.Entries {
			child := convertDNToPath(v.DN)
			childGroups = append(childGroups, child)
		}

		group.ChildGroups = childGroups

		groups = append(groups, group)
	}

	return groups, nil
}

func (im *imOperator) DescribeGroup(path string) (*models.Group, error) {
	client, err := clientset.ClientSets().Ldap()
	if err != nil {
		return nil, err
	}
	conn, err := im.ldap.NewConn()
	if err != nil {
		return nil, err
	}
	defer conn.Close()

	searchBase, cn := splitPath(path)

	groupSearchRequest := ldap.NewSearchRequest(searchBase,
		ldap.ScopeSingleLevel, ldap.NeverDerefAliases, 0, 0, false,
		fmt.Sprintf("(&(objectClass=posixGroup)(cn=%s))", cn),
		[]string{"cn", "gidNumber", "memberUid", "description"},
		nil)

	result, err := conn.Search(groupSearchRequest)

	if err != nil {
		klog.Errorln("search group", err)
		return nil, err
	}

	if len(result.Entries) != 1 {
		return nil, ldap.NewError(ldap.LDAPResultNoSuchObject, fmt.Errorf("group %s does not exist", path))
	}

	dn := result.Entries[0].DN
	cn = result.Entries[0].GetAttributeValue("cn")
	gid := result.Entries[0].GetAttributeValue("gidNumber")
	members := result.Entries[0].GetAttributeValues("memberUid")
	description := result.Entries[0].GetAttributeValue("description")

	group := models.Group{Path: convertDNToPath(dn), Name: cn, Gid: gid, Members: members, Description: description}

	childGroups := make([]string, 0)

	group.ChildGroups = childGroups

	return &group, nil

}

func (im *imOperator) WorkspaceUsersTotalCount(workspace string) (int, error) {
	workspaceRoleBindings, err := GetWorkspaceRoleBindings(workspace)

	if err != nil {
		return 0, err
	}

	users := make([]string, 0)

	for _, roleBinding := range workspaceRoleBindings {
		for _, subject := range roleBinding.Subjects {
			if subject.Kind == rbacv1.UserKind && !k8sutil.ContainsUser(users, subject.Name) {
				users = append(users, subject.Name)
			}
		}
	}

	return len(users), nil
}

func (im *imOperator) ListWorkspaceUsers(workspace string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error) {

	workspaceRoleBindings, err := GetWorkspaceRoleBindings(workspace)

	if err != nil {
		return nil, err
	}

	users := make([]*User, 0)

	for _, roleBinding := range workspaceRoleBindings {
		for _, subject := range roleBinding.Subjects {
			if subject.Kind == rbacv1.UserKind && !k8sutil.ContainsUser(users, subject.Name) {
				user, err := GetUserInfo(subject.Name)
				if err != nil {
					return nil, err
				}
				prefix := fmt.Sprintf("workspace:%s:", workspace)
				user.WorkspaceRole = fmt.Sprintf("workspace-%s", strings.TrimPrefix(roleBinding.Name, prefix))
				if matchConditions(conditions, user) {
					users = append(users, user)
				}
			}
		}
	}

	// order & reverse
	sort.Slice(users, func(i, j int) bool {
		if reverse {
			tmp := i
			i = j
			j = tmp
		}
		switch orderBy {
		default:
			fallthrough
		case "name":
			return strings.Compare(users[i].Username, users[j].Username) <= 0
		}
	})

	result := make([]interface{}, 0)

	for i, d := range users {
		if i >= offset && (limit == -1 || len(result) < limit) {
			result = append(result, d)
		}
	}

	return &models.PageableResponse{Items: result, TotalCount: len(users)}, nil
}

func (im *imOperator) uidNumberNext() int {
	return 0
}

func matchConditions(conditions *params.Conditions, user *User) bool {
	for k, v := range conditions.Match {
		switch k {
		case "keyword":
			if !strings.Contains(user.Username, v) &&
				!strings.Contains(user.Email, v) &&
				!strings.Contains(user.Description, v) {
				return false
			}
		case "name":
			names := strings.Split(v, "|")
			if !sliceutil.HasString(names, user.Username) {
				return false
			}
		case "email":
			email := strings.Split(v, "|")
			if !sliceutil.HasString(email, user.Email) {
				return false
			}
		case "role":
			if user.WorkspaceRole != v {
				return false
			}
		}
	}
	return true
}

type User struct {
	Username    string    `json:"username"`
	Email       string    `json:"email"`
	Lang        string    `json:"lang,omitempty"`
	Description string    `json:"description"`
	CreateTime  time.Time `json:"create_time"`
	Groups      []string  `json:"groups,omitempty"`
	Password    string    `json:"password,omitempty"`
}