Fix: Fix error handling and improve cache management

Handle error on Redis account update and ensure proper cache name processing. Improve error logging and validate single cache name requirement before redis operations to prevent incorrect cache updates. Signed-off-by: Christian Roessner <c@roessner.co>
croessner · Nov 11, 2024 · 7ffc802 · 7ffc802
1 parent 7295c28
commit 7ffc802
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 39 deletions.
diff --git a/server/backend/cache.go b/server/backend/cache.go
@@ -156,10 +156,6 @@ func SaveUserDataToRedis[T RedisCache](ctx context.Context, guid string, key str
 //   - It retrieves the LDAP search protocol configuration for the requested protocol.
 //   - If a cache name is found in the LDAP search protocol configuration, it adds it to the cacheNames set.
 //
-// If backends is CacheAll or CacheSQL:
-//   - It retrieves the SQL search protocol configuration for the requested protocol.
-//   - If a cache name is found in the SQL search protocol configuration, it adds it to the cacheNames set.
-//
 // If backends is CacheAll or CacheLua:
 //   - It retrieves the Lua search protocol configuration for the requested protocol.
 //   - If a cache name is found in the Lua search protocol configuration, it adds it to the cacheNames set.

diff --git a/server/core/auth.go b/server/core/auth.go
@@ -1571,6 +1571,11 @@ func (a *AuthState) postVerificationProcesses(ctx *gin.Context, useCache bool, b
 
 	if a.UserFound && !a.NoAuth {
 		accountName, err = a.updateUserAccountInRedis()
+		if err != nil {
+			level.Error(log.Logger).Log(global.LogKeyGUID, a.GUID, global.LogKeyMsg, err.Error())
+
+			return global.AuthResultTempFail
+		}
 
 		if !passDBResult.Authenticated {
 			a.processPWHist()
@@ -1580,48 +1585,47 @@ func (a *AuthState) postVerificationProcesses(ctx *gin.Context, useCache bool, b
 	if useCache && !a.NoAuth {
 		// Make sure the cache backend is in front of the used backend.
 		if passDBResult.Authenticated {
-			if backendPos[global.BackendCache] < backendPos[a.UsedPassDBBackend] {
-				var usedBackend global.CacheNameBackend
-
-				switch a.UsedPassDBBackend {
-				case global.BackendLDAP:
-					usedBackend = global.CacheLDAP
-				case global.BackendLua:
-					usedBackend = global.CacheLua
-				case global.BackendUnknown:
-				case global.BackendCache:
-				case global.BackendLocalCache:
-				}
-
-				cacheNames := backend.GetCacheNames(a.Protocol.Get(), usedBackend)
+			if accountName != "" {
+				if backendPos[global.BackendCache] < backendPos[a.UsedPassDBBackend] {
+					var usedBackend global.CacheNameBackend
+
+					switch a.UsedPassDBBackend {
+					case global.BackendLDAP:
+						usedBackend = global.CacheLDAP
+					case global.BackendLua:
+						usedBackend = global.CacheLua
+					case global.BackendUnknown:
+					case global.BackendCache:
+					case global.BackendLocalCache:
+					}
 
-				for _, cacheName := range cacheNames.GetStringSlice() {
-					if err != nil {
-						level.Error(log.Logger).Log(global.LogKeyGUID, a.GUID, global.LogKeyMsg, err.Error())
+					cacheNames := backend.GetCacheNames(a.Protocol.Get(), usedBackend)
+					if len(cacheNames) != 1 {
+						level.Error(log.Logger).Log(global.LogKeyGUID, a.GUID, global.LogKeyMsg, "Cache names are not correct")
 
 						return global.AuthResultTempFail
 					}
 
-					if accountName != "" {
-						redisUserKey := config.LoadableConfig.Server.Redis.Prefix + "ucp:" + cacheName + ":" + accountName
-						ppc := &backend.PositivePasswordCache{
-							AccountField:      a.AccountField,
-							TOTPSecretField:   a.TOTPSecretField,
-							UniqueUserIDField: a.UniqueUserIDField,
-							DisplayNameField:  a.DisplayNameField,
-							Password: func() string {
-								if a.Password != "" {
-									return util.GetHash(util.PreparePassword(a.Password))
-								}
-
-								return a.Password
-							}(),
-							Backend:    a.SourcePassDBBackend,
-							Attributes: a.Attributes,
-						}
+					cacheName := cacheNames.GetStringSlice()[global.SliceWithOneElement]
+
+					redisUserKey := config.LoadableConfig.Server.Redis.Prefix + "ucp:" + cacheName + ":" + accountName
+					ppc := &backend.PositivePasswordCache{
+						AccountField:      a.AccountField,
+						TOTPSecretField:   a.TOTPSecretField,
+						UniqueUserIDField: a.UniqueUserIDField,
+						DisplayNameField:  a.DisplayNameField,
+						Password: func() string {
+							if a.Password != "" {
+								return util.GetHash(util.PreparePassword(a.Password))
+							}
 
-						go backend.SaveUserDataToRedis(a.HTTPClientContext, *a.GUID, redisUserKey, config.LoadableConfig.Server.Redis.PosCacheTTL, ppc)
+							return a.Password
+						}(),
+						Backend:    a.SourcePassDBBackend,
+						Attributes: a.Attributes,
 					}
+
+					go backend.SaveUserDataToRedis(a.HTTPClientContext, *a.GUID, redisUserKey, config.LoadableConfig.Server.Redis.PosCacheTTL, ppc)
 				}
 			}
 		} else {