ergo/irc/ldap/login.go

// Copyright (c) 2020 Matt Ouille
// Copyright (c) 2020 Shivaram Lingamneni
// released under the MIT license

// Portions of this code copyright Grafana Labs and contributors
// and released under the Apache 2.0 license

// Copying Grafana's original comment on the different cases for LDAP:
// There are several cases -
// 1. "admin" user
// Bind the "admin" user (defined in Grafana config file) which has the search privileges
// in LDAP server, then we search the targeted user through that bind, then the second
// perform the bind via passed login/password.
// 2. Single bind
// // If all the users meant to be used with Grafana have the ability to search in LDAP server
// then we bind with LDAP server with targeted login/password
// and then search for the said user in order to retrive all the information about them
// 3. Unauthenticated bind
// For some LDAP configurations it is allowed to search the
// user without login/password binding with LDAP server, in such case
// we will perform "unauthenticated bind", then search for the
// targeted user and then perform the bind with passed login/password.

// Note: the only validation we do on users is to check RequiredGroups.
// If RequiredGroups is not set and we can do a single bind, we don't
// even need to search. So our case 2 is not restricted
// to setups where all the users have search privileges: we only need to
// be able to do DN resolution via pure string substitution.

package ldap

import (
	"errors"
	"fmt"

	ldap "github.com/go-ldap/ldap/v3"

	"github.com/oragono/oragono/irc/logger"
)

var (
	ErrUserNotInRequiredGroup = errors.New("User is not a member of any required groups")
)

// equivalent of Grafana's `Server`, but unexported
// also, `log` was renamed to `logger`, since the APIs are slightly different
// and this way the compiler will catch any unchanged references to Grafana's `Server.log`
type serverConn struct {
	Config     *ServerConfig
	Connection *ldap.Conn
	logger     *logger.Manager
}

func CheckLDAPPassphrase(config ServerConfig, accountName, passphrase string, log *logger.Manager) (err error) {
	defer func() {
		if err != nil {
			log.Debug("ldap", "failed passphrase check", err.Error())
		}
	}()

	server := serverConn{
		Config: &config,
		logger: log,
	}

	err = server.Dial()
	if err != nil {
		return
	}
	defer server.Close()

	server.Connection.SetTimeout(config.Timeout)

	passphraseChecked := false

	if server.shouldSingleBind() {
		log.Debug("ldap", "attempting single bind to", accountName)
		err = server.userBind(server.singleBindDN(accountName), passphrase)
		passphraseChecked = (err == nil)
	} else if server.shouldAdminBind() {
		log.Debug("ldap", "attempting admin bind to", config.BindDN)
		err = server.userBind(config.BindDN, config.BindPassword)
	} else {
		log.Debug("ldap", "attempting unauthenticated bind")
		err = server.Connection.UnauthenticatedBind(config.BindDN)
	}

	if err != nil {
		return
	}

	if passphraseChecked && len(config.RequireGroups) == 0 {
		return nil
	}

	users, err := server.users([]string{accountName})
	if err != nil {
		log.Debug("ldap", "failed user lookup")
		return err
	}

	if len(users) == 0 {
		return ErrCouldNotFindUser
	}

	user := users[0]

	log.Debug("ldap", "looked up user", user.DN)

	err = server.validateGroupMembership(user)
	if err != nil {
		return err
	}

	if !passphraseChecked {
		log.Debug("ldap", "rebinding", user.DN)
		err = server.userBind(user.DN, passphrase)
	}

	return err
}

func (server *serverConn) validateGroupMembership(user *ldap.Entry) (err error) {
	if len(server.Config.RequireGroups) == 0 {
		return
	}

	var memberOf []string
	memberOf, err = server.getMemberOf(user)
	if err != nil {
		server.logger.Debug("ldap", "could not retrieve group memberships", err.Error())
		return
	}
	server.logger.Debug("ldap", fmt.Sprintf("found group memberships: %v", memberOf))
	foundGroup := false
	for _, inGroup := range memberOf {
		for _, acceptableGroup := range server.Config.RequireGroups {
			if inGroup == acceptableGroup {
				foundGroup = true
				break
			}
		}
		if foundGroup {
			break
		}
	}
	if foundGroup {
		return nil
	} else {
		return ErrUserNotInRequiredGroup
	}
}
additional LDAP support 2020-02-11 12:35:17 +01:00			`// Copyright (c) 2020 Matt Ouille`
			`// Copyright (c) 2020 Shivaram Lingamneni`
			`// released under the MIT license`

			`// Portions of this code copyright Grafana Labs and contributors`
			`// and released under the Apache 2.0 license`

			`// Copying Grafana's original comment on the different cases for LDAP:`
			`// There are several cases -`
			`// 1. "admin" user`
			`// Bind the "admin" user (defined in Grafana config file) which has the search privileges`
			`// in LDAP server, then we search the targeted user through that bind, then the second`
			`// perform the bind via passed login/password.`
			`// 2. Single bind`
			`// // If all the users meant to be used with Grafana have the ability to search in LDAP server`
			`// then we bind with LDAP server with targeted login/password`
			`// and then search for the said user in order to retrive all the information about them`
			`// 3. Unauthenticated bind`
			`// For some LDAP configurations it is allowed to search the`
			`// user without login/password binding with LDAP server, in such case`
			`// we will perform "unauthenticated bind", then search for the`
			`// targeted user and then perform the bind with passed login/password.`

			`// Note: the only validation we do on users is to check RequiredGroups.`
			`// If RequiredGroups is not set and we can do a single bind, we don't`
			`// even need to search. So our case 2 is not restricted`
			`// to setups where all the users have search privileges: we only need to`
			`// be able to do DN resolution via pure string substitution.`

			`package ldap`

			`import (`
			`"errors"`
			`"fmt"`

			`ldap "github.com/go-ldap/ldap/v3"`

			`"github.com/oragono/oragono/irc/logger"`
			`)`

			`var (`
			`ErrUserNotInRequiredGroup = errors.New("User is not a member of any required groups")`
			`)`

improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			// equivalent of Grafana's `Server`, but unexported
minor fixes 2020-02-12 04:08:41 +01:00			// also, `log` was renamed to `logger`, since the APIs are slightly different
			// and this way the compiler will catch any unchanged references to Grafana's `Server.log`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`type serverConn struct {`
			`Config *ServerConfig`
			`Connection *ldap.Conn`
minor fixes 2020-02-12 04:08:41 +01:00			`logger *logger.Manager`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`}`

			`func CheckLDAPPassphrase(config ServerConfig, accountName, passphrase string, log *logger.Manager) (err error) {`
additional LDAP support 2020-02-11 12:35:17 +01:00			`defer func() {`
			`if err != nil {`
			`log.Debug("ldap", "failed passphrase check", err.Error())`
			`}`
			`}()`

improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`server := serverConn{`
			`Config: &config,`
minor fixes 2020-02-12 04:08:41 +01:00			`logger: log,`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`}`

			`err = server.Dial()`
additional LDAP support 2020-02-11 12:35:17 +01:00			`if err != nil {`
			`return`
			`}`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`defer server.Close()`
additional LDAP support 2020-02-11 12:35:17 +01:00
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`server.Connection.SetTimeout(config.Timeout)`
additional LDAP support 2020-02-11 12:35:17 +01:00
			`passphraseChecked := false`

improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`if server.shouldSingleBind() {`
additional LDAP support 2020-02-11 12:35:17 +01:00			`log.Debug("ldap", "attempting single bind to", accountName)`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`err = server.userBind(server.singleBindDN(accountName), passphrase)`
additional LDAP support 2020-02-11 12:35:17 +01:00			`passphraseChecked = (err == nil)`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`} else if server.shouldAdminBind() {`
additional LDAP support 2020-02-11 12:35:17 +01:00			`log.Debug("ldap", "attempting admin bind to", config.BindDN)`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`err = server.userBind(config.BindDN, config.BindPassword)`
additional LDAP support 2020-02-11 12:35:17 +01:00			`} else {`
			`log.Debug("ldap", "attempting unauthenticated bind")`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`err = server.Connection.UnauthenticatedBind(config.BindDN)`
additional LDAP support 2020-02-11 12:35:17 +01:00			`}`

			`if err != nil {`
			`return`
			`}`

			`if passphraseChecked && len(config.RequireGroups) == 0 {`
			`return nil`
			`}`

improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`users, err := server.users([]string{accountName})`
additional LDAP support 2020-02-11 12:35:17 +01:00			`if err != nil {`
			`log.Debug("ldap", "failed user lookup")`
			`return err`
			`}`

			`if len(users) == 0 {`
			`return ErrCouldNotFindUser`
			`}`

			`user := users[0]`

			`log.Debug("ldap", "looked up user", user.DN)`

improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`err = server.validateGroupMembership(user)`
additional LDAP support 2020-02-11 12:35:17 +01:00			`if err != nil {`
			`return err`
			`}`

			`if !passphraseChecked {`
			`log.Debug("ldap", "rebinding", user.DN)`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`err = server.userBind(user.DN, passphrase)`
additional LDAP support 2020-02-11 12:35:17 +01:00			`}`

improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`return err`
additional LDAP support 2020-02-11 12:35:17 +01:00			`}`

improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`func (server serverConn) validateGroupMembership(user ldap.Entry) (err error) {`
			`if len(server.Config.RequireGroups) == 0 {`
			`return`
additional LDAP support 2020-02-11 12:35:17 +01:00			`}`

improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`var memberOf []string`
			`memberOf, err = server.getMemberOf(user)`
			`if err != nil {`
minor fixes 2020-02-12 04:08:41 +01:00			`server.logger.Debug("ldap", "could not retrieve group memberships", err.Error())`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`return`
additional LDAP support 2020-02-11 12:35:17 +01:00			`}`
minor fixes 2020-02-12 04:08:41 +01:00			`server.logger.Debug("ldap", fmt.Sprintf("found group memberships: %v", memberOf))`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`foundGroup := false`
			`for _, inGroup := range memberOf {`
			`for _, acceptableGroup := range server.Config.RequireGroups {`
			`if inGroup == acceptableGroup {`
			`foundGroup = true`
additional LDAP support 2020-02-11 12:35:17 +01:00			`break`
			`}`
			`}`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`if foundGroup {`
additional LDAP support 2020-02-11 12:35:17 +01:00			`break`
			`}`
			`}`
improve maintainability and license compliance 0. Maximum parity with upstream code 1. Added Apache-required modification notices 2. Added Apache license 2020-02-11 22:09:43 +01:00			`if foundGroup {`
			`return nil`
			`} else {`
			`return ErrUserNotInRequiredGroup`
			`}`
additional LDAP support 2020-02-11 12:35:17 +01:00			`}`