From fb7310a57907407fbf0b142d3813ef4df778dd03 Mon Sep 17 00:00:00 2001
From: "abbas.gheydi"
Date: Mon, 12 Feb 2024 21:58:18 +0330
Subject: [PATCH] feat: username normalisation (#8)

---
 pkgs/authentiate/ldap.go | 19 ++++++++++++-------
 pkgs/rad/safe.go | 2 +-
 pkgs/storage/postgres_otp.go | 29 ++++++++++++++++++++++++++++-
 3 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/pkgs/authentiate/ldap.go b/pkgs/authentiate/ldap.go
index 0eabca8..83de3e1 100644
--- a/pkgs/authentiate/ldap.go
+++ b/pkgs/authentiate/ldap.go
@@ -52,23 +52,28 @@ func (l LdapProvider) isUserAuthorized(groups []string) bool { return false } -func (l LdapProvider) IsUserAuthenticated(username string, password string, checkForVendorFortinetGroup bool) (authStat bool, vendorFortinetGroupName []string) { +func (l LdapProvider) IsUserAuthenticated(username string, password string, checkForVendorFortinetGroup bool) (isAuthenticated bool, vendorFortinetGroupName []string) { - verifyPasswordAndRetrieveGroupsFromLdap := func(groups []string) (authStat bool, joinedGroupsName []string, err error) { + if strings.Contains(username, "\\") { + splitChar := "\\" + username = strings.Split(username, splitChar)[0] + } + + verifyPasswordAndRetrieveGroupsFromLdap := func(groups []string) (isAuthenticated bool, joinedGroupsName []string, err error) { ldapMutex.RLock() defer ldapMutex.RLocker().Unlock() - authStat, _, joinedGroupsName, err = ldapAuth.AuthenticateExtended(l.LdapConfig, username, password, []string{"cn"}, groups) + isAuthenticated, _, joinedGroupsName, err = ldapAuth.AuthenticateExtended(l.LdapConfig, username, password, []string{"cn"}, groups) return } - authStat, joinedGroupsName, err := verifyPasswordAndRetrieveGroupsFromLdap(l.LdapGroupsFilter) + isAuthenticated, joinedGroupsName, err := verifyPasswordAndRetrieveGroupsFromLdap(l.LdapGroupsFilter) - if authStat { - authStat = l.isUserAuthorized(joinedGroupsName) + if isAuthenticated { + isAuthenticated = l.isUserAuthorized(joinedGroupsName) } if checkForVendorFortinetGroup { - if authStat { + if isAuthenticated { _, vendorFortinetGroupName, err = verifyPasswordAndRetrieveGroupsFromLdap(l.FortiGroups) } } diff --git a/pkgs/rad/safe.go b/pkgs/rad/safe.go index ac68e38..506f344 100644 --- a/pkgs/rad/safe.go +++ b/pkgs/rad/safe.go 
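Review bot: `strings.Split(username, "\\")[0]` keeps the text before the backslash, so for the down-level `DOMAIN\user` form the LDAP bind is attempted as `DOMAIN`, not `user`; if the intended input is instead `user\domain`, a comment should say so, because the regex in pkgs/rad/safe.go accepts both orders and nothing else records the convention. Whichever half is meant, `username, _, _ = strings.Cut(username, "\\")` (Go 1.18+) replaces the Contains/Split/splitChar trio, and `_, username, _ = strings.Cut(username, "\\")` selects the other half. The `@` form is left untouched here although postgres_otp.go's Get strips it on its fallback lookup, so the name bound against LDAP and the name used for the OTP row are derived by two different rules; one shared normalisation helper called from both sites would keep them in lockstep. IsUserAuthenticated continues past the hunk.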
@@ -6,7 +6,7 @@ import ( "unicode" ) -var usernameRegexp = regexp.MustCompile(`^[0-9A-Za-z_.@\-]{1,30}$`) +var usernameRegexp = regexp.MustCompile(`^[0-9A-Za-z_.\-]{1,30}[@|\\]?[0-9A-Za-z_.\-]{1,30}$`) func IsOtpCodeSafe(input string) bool { if len([]rune(input)) != 6 { diff --git a/pkgs/storage/postgres_otp.go b/pkgs/storage/postgres_otp.go index b5ca655..8726868 100644 --- a/pkgs/storage/postgres_otp.go +++ b/pkgs/storage/postgres_otp.go @@ -2,7 +2,9 @@ package storage import ( "errors" + "fmt" "log" + "strings" "sync" "time" @@ -33,6 +35,16 @@ type otps struct { type postgresOtp struct{} func (p postgresOtp) Set(username string, secret string) error { + username = strings.ToLower(username) + + if strings.Contains(username, "@") || strings.Contains(username, "\\") { + splitChar := "@" + if strings.Contains(username, "\\") { + splitChar = "\\" + } + return fmt.Errorf("username is not valid. please insert a username without %v", splitChar) + + } otpUser := otps{ Username: username, @@ -49,6 +61,7 @@ func (p postgresOtp) Set(username string, secret string) error { } func (p postgresOtp) Update(username string, secret string) error { + username = strings.ToLower(username) otpUser := otps{ Username: username, @@ -71,6 +84,7 @@ func (p postgresOtp) Update(username string, secret string) error { } func (p postgresOtp) Delete(username string) error { + username = strings.ToLower(username) otpUser := otps{Username: username} tx := db_otp.Model(&otpUser).Where("username = ?", username).Delete(otpUser) 
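Review bot: In the new pattern the class `[@|\\]` contains a literal `|` (alternation does not apply inside brackets), so `alice|corp` now passes IsUserSafe-style checks as a valid username. The optional separator also lets two unseparated 30-character runs through, so the effective maximum length grows from 30 to 60, which matters if a column width or another consumer relied on the old bound. Tying the second run to the separator fixes both: replace `[@|\\]?[0-9A-Za-z_.\-]{1,30}` with `(?:[@\\][0-9A-Za-z_.\-]{1,30})?`.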
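Review bot: Set now rejects a username containing `@` or `\`, but Update, patched in the same series (hunk `@@ -49,6 +61,7 @@`), only lowercases, so a qualified name can still be persisted through Update and the invariant Set tries to establish is not enforced at the storage layer. The two Contains calls plus the nested splitChar selection collapse to `if i := strings.IndexAny(username, "@\\"); i >= 0 { return fmt.Errorf("username is not valid. please insert a username without %q", username[i]) }`, which also reports the offending character quoted rather than via `%v`. The stray blank line before the closing brace of the new if block survives gofmt and should go.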
@@ -88,11 +102,24 @@ func (p postgresOtp) Delete(username string) error { } func (p postgresOtp) Get(username string) (password string, err error) { - + username = strings.ToLower(username) + if strings.Contains(username, "\\") { + splitChar := "\\" + username = strings.Split(username, splitChar)[0] + } otpUser := otps{Username: username} tx := db_otp.First(&otpUser, "Username = ?", username) + if tx.Error != nil && strings.Contains(tx.Error.Error(), "record not found") { + if strings.Contains(username, "@") { + splitChar := "@" + username = strings.Split(username, splitChar)[0] + tx = db_otp.First(&otpUser, "Username = ?", username) + } + + } if tx.Error != nil { + return "", tx.Error }
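Review bot: The fallback after a not-found result strips everything from `@` onward and retries, so any qualified name whose bare part exists resolves to that row; if the LDAP side can hold distinct principals that differ only in the domain part, they would share one OTP secret, which is worth confirming before this ships (and the `[0]` split on `\` keeps the part before the backslash, the same ambiguity as in ldap.go). The not-found test matches on the error text `"record not found"`; if db_otp is GORM, `errors.Is(tx.Error, gorm.ErrRecordNotFound)` is the stable check and `errors` is already imported in this file. The normalisation itself reads more directly without the Contains/Split/splitChar pattern, as below, and the blank line added inside `if tx.Error != nil {` should be dropped. Get continues past the hunk.
```go
func (p postgresOtp) Get(username string) (password string, err error) {
	username = strings.ToLower(username)
	username, _, _ = strings.Cut(username, "\\") // keep the part before a "\" qualifier, as the original does
	otpUser := otps{Username: username}
	tx := db_otp.First(&otpUser, "Username = ?", username)
	if tx.Error != nil && strings.Contains(tx.Error.Error(), "record not found") {
		if bare, _, found := strings.Cut(username, "@"); found {
			otpUser = otps{Username: bare}
			tx = db_otp.First(&otpUser, "Username = ?", bare)
		}
	}
	// … unchanged: error return and secret lookup …
```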