improve permissions system

This commit is contained in:
Xavier Henner
2019-07-17 19:12:00 +02:00
parent 0d918b7540
commit e18aa583d0
5 changed files with 90 additions and 36 deletions

ldap.go

@@ -25,7 +25,7 @@ type ldapConfig struct {
certAuth string
ipMin net.IP
ipMax net.IP
upgradeFrom string
upgradeFrom []string
routes []string
}
@@ -46,21 +46,31 @@ func (l *ldapConfig) addIPRange(s string) error {
// auth loop. Try all auth profiles from startProfile
// return the last possible profile and the mail if we found a mail like login
func (s *OpenVpnMgt) AuthLoop(startProfile, user, pass string, overridePwdCheck bool) (string, string, string) {
func (s *OpenVpnMgt) AuthLoop(startProfile, user, pass string, overridePwdCheck bool) (string, string, string, []string) {
login := []string{user}
profile := startProfile
mail := ""
otpSalt := ""
profilePath := []string{}
re := rcache.Get("^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$")
for {
// the first login that match the mail regexp is the mail address
if mail == "" && re.MatchString(login[0]) {
mail = login[0]
}
n := profile
for k, ldap := range s.ldap {
if ldap.upgradeFrom != profile {
// check if the current profile is an upgrade of the previous one
// check the startup profile first
ok := (profile == "") && (len(ldap.upgradeFrom) == 0)
for _, possible := range ldap.upgradeFrom {
if possible == profile {
ok = true
}
}
if !ok {
continue
}
err, userOk, passOk, attributes := ldap.Auth(login, pass)
@@ -90,6 +100,8 @@ func (s *OpenVpnMgt) AuthLoop(startProfile, user, pass string, overridePwdCheck
// we have either a positive auth ok a previous valid one
if passOk || profile != "" || overridePwdCheck {
profile = k
profilePath = append(profilePath, profile)
break
}
}
}
@@ -100,7 +112,7 @@ func (s *OpenVpnMgt) AuthLoop(startProfile, user, pass string, overridePwdCheck
}
}
return profile, mail, otpSalt
return profile, mail, otpSalt, profilePath
}
// override the real DialTLS function