comparison pkg/controllers/pwreset.go @ 438:ffdb507d5b42

Removed db service user. Use an impersonated metamorph user instead.
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Tue, 21 Aug 2018 11:33:19 +0200
parents c1047fd04a3a
children fc37e7072022
437:b8366b24dc55 438:ffdb507d5b42
13 13
14 "github.com/gorilla/mux" 14 "github.com/gorilla/mux"
15 15
16 "gemma.intevation.de/gemma/pkg/auth" 16 "gemma.intevation.de/gemma/pkg/auth"
17 "gemma.intevation.de/gemma/pkg/common" 17 "gemma.intevation.de/gemma/pkg/common"
18 "gemma.intevation.de/gemma/pkg/config"
19 "gemma.intevation.de/gemma/pkg/misc" 18 "gemma.intevation.de/gemma/pkg/misc"
20 ) 19 )
21 20
22 const ( 21 const (
23 insertRequestSQL = `INSERT INTO pw_reset.password_reset_requests 22 insertRequestSQL = `INSERT INTO pw_reset.password_reset_requests
53 maxPasswordResets = 1000 52 maxPasswordResets = 1000
54 maxPasswordRequestsPerUser = 5 53 maxPasswordRequestsPerUser = 5
55 cleanupPause = 15 * time.Minute 54 cleanupPause = 15 * time.Minute
56 ) 55 )
57 56
57 const pwResetRole = "pw_reset"
58
58 var ( 59 var (
59 passwordResetRequestMailTmpl = template.Must( 60 passwordResetRequestMailTmpl = template.Must(
60 template.New("request").Parse(`You have requested a password change 61 template.New("request").Parse(`You have requested a password change
61 for your account {{ .User }} on 62 for your account {{ .User }} on
62 {{ .HTTPS }}://{{ .Server }} 63 {{ .HTTPS }}://{{ .Server }}
81 82
82 Best regards 83 Best regards
83 Your service team`)) 84 Your service team`))
84 ) 85 )
85 86
86 func asServiceUser(fn func(*sql.DB) error) error {
87 db, err := auth.OpenDB(config.ServiceUser(), config.ServicePassword())
88 if err == nil {
89 defer db.Close()
90 err = fn(db)
91 }
92 return err
93 }
94
95 func init() { 87 func init() {
96 go removeOutdated() 88 go removeOutdated()
97 } 89 }
98 90
99 func removeOutdated() { 91 func removeOutdated() {
100 for { 92 for {
101 time.Sleep(cleanupPause) 93 time.Sleep(cleanupPause)
102 err := asServiceUser(func(db *sql.DB) error { 94 err := auth.RunAs(pwResetRole, func(db *sql.DB) error {
103 good := time.Now().Add(-passwordResetValid) 95 good := time.Now().Add(-passwordResetValid)
104 _, err := db.Exec(cleanupRequestsSQL, good) 96 _, err := db.Exec(cleanupRequestsSQL, good)
105 return err 97 return err
106 }) 98 })
107 if err != nil { 99 if err != nil {
182 return 174 return
183 } 175 }
184 176
185 var hash, email string 177 var hash, email string
186 178
187 if err = asServiceUser(func(db *sql.DB) error { 179 if err = auth.RunAs(pwResetRole, func(db *sql.DB) error {
188 180
189 var count int64 181 var count int64
190 if err := db.QueryRow(countRequestsSQL).Scan(&count); err != nil { 182 if err := db.QueryRow(countRequestsSQL).Scan(&count); err != nil {
191 return err 183 return err
192 } 184 }
247 return 239 return
248 } 240 }
249 241
250 var email, user, password string 242 var email, user, password string
251 243
252 if err = asServiceUser(func(db *sql.DB) error { 244 if err = auth.RunAs(pwResetRole, func(db *sql.DB) error {
253 err := db.QueryRow(findRequestSQL, hash).Scan(&email, &user) 245 err := db.QueryRow(findRequestSQL, hash).Scan(&email, &user)
254 switch { 246 switch {
255 case err == sql.ErrNoRows: 247 case err == sql.ErrNoRows:
256 return JSONError{http.StatusNotFound, "No such hash"} 248 return JSONError{http.StatusNotFound, "No such hash"}
257 case err != nil: 249 case err != nil: