diff --git a/pkg/apiserver/iam/im.go b/pkg/apiserver/iam/im.go index aa39cc02f5aaaf77835e2a774add89b569ef260a..5951fa47315ceb619023f684fe212e5d0815f6e6 100644 --- a/pkg/apiserver/iam/im.go +++ b/pkg/apiserver/iam/im.go @@ -19,6 +19,7 @@ package iam import ( "fmt" + "github.com/golang/glog" "kubesphere.io/kubesphere/pkg/params" "net/http" "regexp" @@ -43,22 +44,29 @@ func CreateUser(req *restful.Request, resp *restful.Response) { err := req.ReadEntity(&user) if err != nil { + glog.Info(err) resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } if user.Username == "" { - resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid username"))) + err = fmt.Errorf("invalid username: %s", user.Username) + glog.Info(err, user.Username) + resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } if !regexp.MustCompile(emailRegex).MatchString(user.Email) { - resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid email"))) + err = fmt.Errorf("invalid email: %s", user.Email) + glog.Info(err, user.Email) + resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } if len(user.Password) < 6 { - resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid password"))) + err = fmt.Errorf("invalid password") + glog.Info(err, user.Password) + resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } @@ -66,9 +74,11 @@ func CreateUser(req *restful.Request, resp *restful.Response) { if err != nil { if ldap.IsErrorWithCode(err, ldap.LDAPResultEntryAlreadyExists) { + glog.Info(err) resp.WriteHeaderAndEntity(http.StatusConflict, errors.Wrap(err)) return } + glog.Error(err) resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) return } @@ -82,13 +92,16 @@ func DeleteUser(req *restful.Request, resp *restful.Response) { operator := req.HeaderParameter(constants.UserNameHeader) if operator == username { - resp.WriteHeaderAndEntity(http.StatusForbidden, errors.Wrap(fmt.Errorf("cannot delete yourself"))) + err := fmt.Errorf("cannot delete yourself") + glog.Info(err) + resp.WriteHeaderAndEntity(http.StatusForbidden, errors.Wrap(err)) return } err := iam.DeleteUser(username) if err != nil { + glog.Error(err) resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) return } @@ -105,22 +118,29 @@ func UpdateUser(req *restful.Request, resp *restful.Response) { err := req.ReadEntity(&user) if err != nil { + glog.Info(err) resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } if usernameInPath != user.Username { - resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("the name of user (%s) does not match the name on the URL (%s)", user.Username, usernameInPath))) + err = fmt.Errorf("the name of user (%s) does not match the name on the URL (%s)", user.Username, usernameInPath) + glog.Info(err) + resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } if !regexp.MustCompile(emailRegex).MatchString(user.Email) { - resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid email"))) + err = fmt.Errorf("invalid email: %s", user.Email) + glog.Info(err) + resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } if user.Password != "" && len(user.Password) < 6 { - resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("invalid password"))) + err = fmt.Errorf("invalid password") + glog.Info(err) + resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } @@ -128,14 +148,17 @@ func UpdateUser(req *restful.Request, resp *restful.Response) { if usernameInHeader == user.Username && user.Password != "" { isUserManager, err := isUserManager(usernameInHeader) if err != nil { - resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) + glog.Error(err) + resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) return } if !isUserManager { _, err = iam.Login(usernameInHeader, user.CurrentPassword, "") } if err != nil { - resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(fmt.Errorf("incorrect current password"))) + err = fmt.Errorf("incorrect current password") + glog.Info(err) + resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } } @@ -143,6 +166,13 @@ func UpdateUser(req *restful.Request, resp *restful.Response) { result, err := iam.UpdateUser(&user) if err != nil { + if ldap.IsErrorWithCode(err, ldap.LDAPResultEntryAlreadyExists) { + glog.Info(err) + resp.WriteHeaderAndEntity(http.StatusConflict, errors.Wrap(err)) + return + } + + glog.Error(err) resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) return } @@ -166,6 +196,7 @@ func UserLoginLogs(req *restful.Request, resp *restful.Response) { logs, err := iam.LoginLog(username) if err != nil { + glog.Error(err) resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) return } @@ -193,8 +224,10 @@ func DescribeUser(req *restful.Request, resp *restful.Response) { if err != nil { if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) { + glog.Info(err) resp.WriteHeaderAndEntity(http.StatusNotFound, errors.Wrap(err)) } else { + glog.Error(err) resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) } return @@ -203,6 +236,7 @@ func DescribeUser(req *restful.Request, resp *restful.Response) { clusterRole, err := iam.GetUserClusterRole(username) if err != nil { + glog.Error(err) resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) return } @@ -212,6 +246,7 @@ func DescribeUser(req *restful.Request, resp *restful.Response) { clusterRules, err := iam.GetUserClusterSimpleRules(username) if err != nil { + glog.Error(err) resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) return } @@ -234,6 +269,7 @@ func Precheck(req *restful.Request, resp *restful.Response) { exist, err := iam.UserCreateCheck(check) if err != nil { + glog.Error(err) resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) return } @@ -254,6 +290,7 @@ func ListUsers(req *restful.Request, resp *restful.Response) { reverse := params.ParseReverse(req) if err != nil { + glog.Info(err) resp.WriteHeaderAndEntity(http.StatusBadRequest, errors.Wrap(err)) return } @@ -261,6 +298,7 @@ func ListUsers(req *restful.Request, resp *restful.Response) { users, err := iam.ListUsers(conditions, orderBy, reverse, limit, offset) if err != nil { + glog.Error(err) resp.WriteHeaderAndEntity(http.StatusInternalServerError, errors.Wrap(err)) return } diff --git a/pkg/models/iam/im.go b/pkg/models/iam/im.go index bbe9e49b05633b2b29c94e5fdb0da1a7eeee6daf..bf6f35b6dbbf852a7430bd484540e589e837ad2c 100644 --- a/pkg/models/iam/im.go +++ b/pkg/models/iam/im.go @@ -875,6 +875,7 @@ func UpdateUser(user *models.User) (*models.User, error) { conn, err := ldapclient.Client() if err != nil { + glog.Error(err) return nil, err } @@ -883,6 +884,28 @@ func UpdateUser(user *models.User) (*models.User, error) { dn := fmt.Sprintf("uid=%s,%s", user.Username, ldapclient.UserSearchBase) userModifyRequest := ldap.NewModifyRequest(dn, nil) if user.Email != "" { + userSearchRequest := ldap.NewSearchRequest( + ldapclient.UserSearchBase, + ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, + fmt.Sprintf("(&(objectClass=inetOrgPerson)(mail=%s))", user.Email), + []string{"uid", "mail"}, + nil, + ) + result, err := conn.Search(userSearchRequest) + if err != nil { + glog.Error(err) + return nil, err + } + if len(result.Entries) > 1 { + err = ldap.NewError(ldap.ErrorDebugging, fmt.Errorf("email is duplicated: %s", user.Email)) + glog.Error(err) + return nil, err + } + if len(result.Entries) == 1 && result.Entries[0].GetAttributeValue("uid") != user.Username { + err = ldap.NewError(ldap.LDAPResultEntryAlreadyExists, fmt.Errorf("email is duplicated: %s", user.Email)) + glog.Error(err) + return nil, err + } userModifyRequest.Replace("mail", []string{user.Email}) } if user.Description != "" { @@ -902,12 +925,14 @@ func UpdateUser(user *models.User) (*models.User, error) { } if err != nil { + glog.Error(err) return nil, err } err = conn.Modify(userModifyRequest) if err != nil { + glog.Error(err) return nil, err }