fix: duplicate email

Signed-off-by: Nhongming <talonwan@yunify.com>

pkg/apiserver/iam/im.go

@@ -19,6 +19,7 @@ package iam
 
 import (
 	"fmt"
+	"github.com/golang/glog"
 	"kubesphere.io/kubesphere/pkg/params"
 	"net/http"
 	"regexp"
@@ -43,22 +44,29 @@ func CreateUser(req *restful.Request, resp *restful.Response) {
 	err := req.ReadEntity(&user)
 
 	if err != nil {
+		glog.Info(err)
 		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 		return
 	}
 
 	if user.Username == "" {
-		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid username")))
+		err = fmt.Errorf("invalid username: %s", user.Username)
+		glog.Info(err, user.Username)
+		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 		return
 	}
 
 	if !regexp.MustCompile(emailRegex).MatchString(user.Email) {
-		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid email")))
+		err = fmt.Errorf("invalid email: %s", user.Email)
+		glog.Info(err, user.Email)
+		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 		return
 	}
 
 	if len(user.Password) < 6 {
-		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid password")))
+		err = fmt.Errorf("invalid password")
+		glog.Info(err, user.Password)
+		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 		return
 	}
 
@@ -66,9 +74,11 @@ func CreateUser(req *restful.Request, resp *restful.Response) {
 
 	if err != nil {
 		if ldap.IsErrorWithCode(err, ldap.LDAPResultEntryAlreadyExists) {
+			glog.Info(err)
 			resp.WriteHeaderAndEntity(http.StatusConflict, errors.Wrap(err))
 			return
 		}
+		glog.Error(err)
 		resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		return
 	}
@@ -82,13 +92,16 @@ func DeleteUser(req *restful.Request, resp *restful.Response) {
 	operator := req.HeaderParameter(constants.UserNameHeader)
 
 	if operator == username {
-		resp.WriteHeaderAndEntity(http.StatusForbidden, errors.Wrap(fmt.Errorf("cannot delete yourself")))
+		err := fmt.Errorf("cannot delete yourself")
+		glog.Info(err)
+		resp.WriteHeaderAndEntity(http.StatusForbidden, errors.Wrap(err))
 		return
 	}
 
 	err := iam.DeleteUser(username)
 
 	if err != nil {
+		glog.Error(err)
 		resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		return
 	}
@@ -105,22 +118,29 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
 	err := req.ReadEntity(&user)
 
 	if err != nil {
+		glog.Info(err)
 		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 		return
 	}
 
 	if usernameInPath != user.Username {
-		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("the name of user (%s) does not match the name on the URL (%s)", user.Username, usernameInPath)))
+		err = fmt.Errorf("the name of user (%s) does not match the name on the URL (%s)", user.Username, usernameInPath)
+		glog.Info(err)
+		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 		return
 	}
 
 	if !regexp.MustCompile(emailRegex).MatchString(user.Email) {
-		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid email")))
+		err = fmt.Errorf("invalid email: %s", user.Email)
+		glog.Info(err)
+		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 		return
 	}
 
 	if user.Password != "" && len(user.Password) < 6 {
-		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid password")))
+		err = fmt.Errorf("invalid password")
+		glog.Info(err)
+		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 		return
 	}
 
@@ -128,14 +148,17 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
 	if usernameInHeader == user.Username && user.Password != "" {
 		isUserManager, err := isUserManager(usernameInHeader)
 		if err != nil {
-			resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
+			glog.Error(err)
+			resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 			return
 		}
 		if !isUserManager {
 			_, err = iam.Login(usernameInHeader, user.CurrentPassword, "")
 		}
 		if err != nil {
-			resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("incorrect current password")))
+			err = fmt.Errorf("incorrect current password")
+			glog.Info(err)
+			resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 			return
 		}
 	}
@@ -143,6 +166,13 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
 	result, err := iam.UpdateUser(&user)
 
 	if err != nil {
+		if ldap.IsErrorWithCode(err, ldap.LDAPResultEntryAlreadyExists) {
+			glog.Info(err)
+			resp.WriteHeaderAndEntity(http.StatusConflict, errors.Wrap(err))
+			return
+		}
+
+		glog.Error(err)
 		resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		return
 	}
@@ -166,6 +196,7 @@ func UserLoginLogs(req *restful.Request, resp *restful.Response) {
 	logs, err := iam.LoginLog(username)
 
 	if err != nil {
+		glog.Error(err)
 		resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		return
 	}
@@ -193,8 +224,10 @@ func DescribeUser(req *restful.Request, resp *restful.Response) {
 
 	if err != nil {
 		if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
+			glog.Info(err)
 			resp.WriteHeaderAndEntity(http.StatusNotFound, errors.Wrap(err))
 		} else {
+			glog.Error(err)
 			resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		}
 		return
@@ -203,6 +236,7 @@ func DescribeUser(req *restful.Request, resp *restful.Response) {
 	clusterRole, err := iam.GetUserClusterRole(username)
 
 	if err != nil {
+		glog.Error(err)
 		resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		return
 	}
@@ -212,6 +246,7 @@ func DescribeUser(req *restful.Request, resp *restful.Response) {
 	clusterRules, err := iam.GetUserClusterSimpleRules(username)
 
 	if err != nil {
+		glog.Error(err)
 		resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		return
 	}
@@ -234,6 +269,7 @@ func Precheck(req *restful.Request, resp *restful.Response) {
 	exist, err := iam.UserCreateCheck(check)
 
 	if err != nil {
+		glog.Error(err)
 		resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		return
 	}
@@ -254,6 +290,7 @@ func ListUsers(req *restful.Request, resp *restful.Response) {
 	reverse := params.ParseReverse(req)
 
 	if err != nil {
+		glog.Info(err)
 		resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err))
 		return
 	}
@@ -261,6 +298,7 @@ func ListUsers(req *restful.Request, resp *restful.Response) {
 	users, err := iam.ListUsers(conditions, orderBy, reverse, limit, offset)
 
 	if err != nil {
+		glog.Error(err)
 		resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err))
 		return
 	}

pkg/models/iam/im.go

@@ -875,6 +875,7 @@ func UpdateUser(user *models.User) (*models.User, error) {
 	conn, err := ldapclient.Client()
 
 	if err != nil {
+		glog.Error(err)
 		return nil, err
 	}
 
@@ -883,6 +884,28 @@ func UpdateUser(user *models.User) (*models.User, error) {
 	dn := fmt.Sprintf("uid=%s,%s", user.Username, ldapclient.UserSearchBase)
 	userModifyRequest := ldap.NewModifyRequest(dn, nil)
 	if user.Email != "" {
+		userSearchRequest := ldap.NewSearchRequest(
+			ldapclient.UserSearchBase,
+			ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+			fmt.Sprintf("(&(objectClass=inetOrgPerson)(mail=%s))", user.Email),
+			[]string{"uid", "mail"},
+			nil,
+		)
+		result, err := conn.Search(userSearchRequest)
+		if err != nil {
+			glog.Error(err)
+			return nil, err
+		}
+		if len(result.Entries) > 1 {
+			err = ldap.NewError(ldap.ErrorDebugging, fmt.Errorf("email is duplicated: %s", user.Email))
+			glog.Error(err)
+			return nil, err
+		}
+		if len(result.Entries) == 1 && result.Entries[0].GetAttributeValue("uid") != user.Username {
+			err = ldap.NewError(ldap.LDAPResultEntryAlreadyExists, fmt.Errorf("email is duplicated: %s", user.Email))
+			glog.Error(err)
+			return nil, err
+		}
 		userModifyRequest.Replace("mail", []string{user.Email})
 	}
 	if user.Description != "" {
@@ -902,12 +925,14 @@ func UpdateUser(user *models.User) (*models.User, error) {
 	}
 
 	if err != nil {
+		glog.Error(err)
 		return nil, err
 	}
 
 	err = conn.Modify(userModifyRequest)
 
 	if err != nil {
+		glog.Error(err)
 		return nil, err
 	}