comparison pkg/controllers/pwreset.go @ 438:ffdb507d5b42
Removed the db service user. Use an impersonated metamorph user instead.
author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
---|---|
date | Tue, 21 Aug 2018 11:33:19 +0200 |
parents | c1047fd04a3a |
children | fc37e7072022 |
437:b8366b24dc55 | 438:ffdb507d5b42 |
---|---|
13 | 13 |
14 "github.com/gorilla/mux" | 14 "github.com/gorilla/mux" |
15 | 15 |
16 "gemma.intevation.de/gemma/pkg/auth" | 16 "gemma.intevation.de/gemma/pkg/auth" |
17 "gemma.intevation.de/gemma/pkg/common" | 17 "gemma.intevation.de/gemma/pkg/common" |
18 "gemma.intevation.de/gemma/pkg/config" | |
19 "gemma.intevation.de/gemma/pkg/misc" | 18 "gemma.intevation.de/gemma/pkg/misc" |
20 ) | 19 ) |
21 | 20 |
22 const ( | 21 const ( |
23 insertRequestSQL = `INSERT INTO pw_reset.password_reset_requests | 22 insertRequestSQL = `INSERT INTO pw_reset.password_reset_requests |
53 maxPasswordResets = 1000 | 52 maxPasswordResets = 1000 |
54 maxPasswordRequestsPerUser = 5 | 53 maxPasswordRequestsPerUser = 5 |
55 cleanupPause = 15 * time.Minute | 54 cleanupPause = 15 * time.Minute |
56 ) | 55 ) |
57 | 56 |
57 const pwResetRole = "pw_reset" | |
58 | |
58 var ( | 59 var ( |
59 passwordResetRequestMailTmpl = template.Must( | 60 passwordResetRequestMailTmpl = template.Must( |
60 template.New("request").Parse(`You have requested a password change | 61 template.New("request").Parse(`You have requested a password change |
61 for your account {{ .User }} on | 62 for your account {{ .User }} on |
62 {{ .HTTPS }}://{{ .Server }} | 63 {{ .HTTPS }}://{{ .Server }} |
81 | 82 |
82 Best regards | 83 Best regards |
83 Your service team`)) | 84 Your service team`)) |
84 ) | 85 ) |
85 | 86 |
86 func asServiceUser(fn func(*sql.DB) error) error { | |
87 db, err := auth.OpenDB(config.ServiceUser(), config.ServicePassword()) | |
88 if err == nil { | |
89 defer db.Close() | |
90 err = fn(db) | |
91 } | |
92 return err | |
93 } | |
94 | |
95 func init() { | 87 func init() { |
96 go removeOutdated() | 88 go removeOutdated() |
97 } | 89 } |
98 | 90 |
99 func removeOutdated() { | 91 func removeOutdated() { |
100 for { | 92 for { |
101 time.Sleep(cleanupPause) | 93 time.Sleep(cleanupPause) |
102 err := asServiceUser(func(db *sql.DB) error { | 94 err := auth.RunAs(pwResetRole, func(db *sql.DB) error { |
103 good := time.Now().Add(-passwordResetValid) | 95 good := time.Now().Add(-passwordResetValid) |
104 _, err := db.Exec(cleanupRequestsSQL, good) | 96 _, err := db.Exec(cleanupRequestsSQL, good) |
105 return err | 97 return err |
106 }) | 98 }) |
107 if err != nil { | 99 if err != nil { |
182 return | 174 return |
183 } | 175 } |
184 | 176 |
185 var hash, email string | 177 var hash, email string |
186 | 178 |
187 if err = asServiceUser(func(db *sql.DB) error { | 179 if err = auth.RunAs(pwResetRole, func(db *sql.DB) error { |
188 | 180 |
189 var count int64 | 181 var count int64 |
190 if err := db.QueryRow(countRequestsSQL).Scan(&count); err != nil { | 182 if err := db.QueryRow(countRequestsSQL).Scan(&count); err != nil { |
191 return err | 183 return err |
192 } | 184 } |
247 return | 239 return |
248 } | 240 } |
249 | 241 |
250 var email, user, password string | 242 var email, user, password string |
251 | 243 |
252 if err = asServiceUser(func(db *sql.DB) error { | 244 if err = auth.RunAs(pwResetRole, func(db *sql.DB) error { |
253 err := db.QueryRow(findRequestSQL, hash).Scan(&email, &user) | 245 err := db.QueryRow(findRequestSQL, hash).Scan(&email, &user) |
254 switch { | 246 switch { |
255 case err == sql.ErrNoRows: | 247 case err == sql.ErrNoRows: |
256 return JSONError{http.StatusNotFound, "No such hash"} | 248 return JSONError{http.StatusNotFound, "No such hash"} |
257 case err != nil: | 249 case err != nil: |