Process request for a new account.
(s *Session, msg *ClientComMessage, rec *auth.Rec)
| 24 | |
| 25 | // Process request for a new account. |
| 26 | func replyCreateUser(s *Session, msg *ClientComMessage, rec *auth.Rec) { |
| 27 | // The session cannot authenticate with the new account because it's already authenticated. |
| 28 | if msg.Acc.Login && (!s.uid.IsZero() || rec != nil) { |
| 29 | s.queueOut(ErrAlreadyAuthenticated(msg.Id, "", msg.Timestamp)) |
| 30 | logs.Warn.Println("create user: login requested while authenticated, sid=", s.sid) |
| 31 | return |
| 32 | } |
| 33 | |
| 34 | // Find authenticator for the requested scheme. |
| 35 | authhdl := store.Store.GetLogicalAuthHandler(msg.Acc.Scheme) |
| 36 | if authhdl == nil { |
| 37 | // New accounts must have an authentication scheme |
| 38 | s.queueOut(ErrMalformed(msg.Id, "", msg.Timestamp)) |
| 39 | logs.Warn.Println("create user: unknown auth handler, sid=", s.sid) |
| 40 | return |
| 41 | } |
| 42 | |
| 43 | // Check if login is unique and compliance with the policy (not too long or too short). |
| 44 | if ok, err := authhdl.IsUnique(msg.Acc.Secret, s.remoteAddr); !ok { |
| 45 | logs.Warn.Println("create user: auth secret is not compliant", err, "sid=", s.sid) |
| 46 | s.queueOut(decodeStoreError(err, msg.Id, msg.Timestamp, |
| 47 | map[string]any{"what": "auth"})) |
| 48 | return |
| 49 | } |
| 50 | |
| 51 | var user types.User |
| 52 | var private any |
| 53 | |
| 54 | // If account state is being assigned, make sure the sender is a root user. |
| 55 | if msg.Acc.State != "" { |
| 56 | if auth.Level(msg.AuthLvl) != auth.LevelRoot { |
| 57 | logs.Warn.Println("create user: attempt to set account state by non-root, sid=", s.sid) |
| 58 | msg := ErrPermissionDenied(msg.Id, "", msg.Timestamp) |
| 59 | msg.Ctrl.Params = map[string]any{"what": "state"} |
| 60 | s.queueOut(msg) |
| 61 | return |
| 62 | } |
| 63 | |
| 64 | state, err := types.NewObjState(msg.Acc.State) |
| 65 | if err != nil || state == types.StateUndefined || state == types.StateDeleted { |
| 66 | logs.Warn.Println("create user: invalid account state", err, "sid=", s.sid) |
| 67 | s.queueOut(ErrMalformed(msg.Id, "", msg.Timestamp)) |
| 68 | return |
| 69 | } |
| 70 | user.State = state |
| 71 | } |
| 72 | |
| 73 | // Ensure tags are unique and not restricted. |
| 74 | if tags := normalizeTags(msg.Acc.Tags, globals.maxTagCount); tags != nil { |
| 75 | if !restrictedTagsEqual(tags, nil, globals.immutableTagNS) { |
| 76 | logs.Warn.Println("create user: attempt to directly assign restricted tags, sid=", s.sid) |
| 77 | msg := ErrPermissionDenied(msg.Id, "", msg.Timestamp) |
| 78 | msg.Ctrl.Params = map[string]any{"what": "tags"} |
| 79 | s.queueOut(msg) |
| 80 | return |
| 81 | } |
| 82 | user.Tags = tags |
| 83 | } |