mirror of
https://github.com/ergochat/ergo.git
synced 2024-11-10 22:19:31 +01:00
153 lines
4.1 KiB
Go
153 lines
4.1 KiB
Go
// Copyright (c) 2020 Matt Ouille
|
|
// Copyright (c) 2020 Shivaram Lingamneni
|
|
// released under the MIT license
|
|
|
|
// Portions of this code copyright Grafana Labs and contributors
|
|
// and released under the Apache 2.0 license
|
|
|
|
// Copying Grafana's original comment on the different cases for LDAP:
|
|
// There are several cases -
|
|
// 1. "admin" user
|
|
// Bind the "admin" user (defined in Grafana config file) which has the search privileges
|
|
// in LDAP server, then we search the targeted user through that bind, then the second
|
|
// perform the bind via passed login/password.
|
|
// 2. Single bind
|
|
// // If all the users meant to be used with Grafana have the ability to search in LDAP server
|
|
// then we bind with LDAP server with targeted login/password
|
|
// and then search for the said user in order to retrive all the information about them
|
|
// 3. Unauthenticated bind
|
|
// For some LDAP configurations it is allowed to search the
|
|
// user without login/password binding with LDAP server, in such case
|
|
// we will perform "unauthenticated bind", then search for the
|
|
// targeted user and then perform the bind with passed login/password.
|
|
|
|
// Note: the only validation we do on users is to check RequiredGroups.
|
|
// If RequiredGroups is not set and we can do a single bind, we don't
|
|
// even need to search. So our case 2 is not restricted
|
|
// to setups where all the users have search privileges: we only need to
|
|
// be able to do DN resolution via pure string substitution.
|
|
|
|
package ldap
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
|
|
ldap "github.com/go-ldap/ldap/v3"
|
|
|
|
"github.com/oragono/oragono/irc/logger"
|
|
)
|
|
|
|
var (
|
|
ErrUserNotInRequiredGroup = errors.New("User is not a member of any required groups")
|
|
)
|
|
|
|
// equivalent of Grafana's `Server`, but unexported
|
|
// also, `log` was renamed to `logger`, since the APIs are slightly different
|
|
// and this way the compiler will catch any unchanged references to Grafana's `Server.log`
|
|
type serverConn struct {
|
|
Config *ServerConfig
|
|
Connection *ldap.Conn
|
|
logger *logger.Manager
|
|
}
|
|
|
|
func CheckLDAPPassphrase(config ServerConfig, accountName, passphrase string, log *logger.Manager) (err error) {
|
|
defer func() {
|
|
if err != nil {
|
|
log.Debug("ldap", "failed passphrase check", err.Error())
|
|
}
|
|
}()
|
|
|
|
server := serverConn{
|
|
Config: &config,
|
|
logger: log,
|
|
}
|
|
|
|
err = server.Dial()
|
|
if err != nil {
|
|
return
|
|
}
|
|
defer server.Close()
|
|
|
|
server.Connection.SetTimeout(config.Timeout)
|
|
|
|
passphraseChecked := false
|
|
|
|
if server.shouldSingleBind() {
|
|
log.Debug("ldap", "attempting single bind to", accountName)
|
|
err = server.userBind(server.singleBindDN(accountName), passphrase)
|
|
passphraseChecked = (err == nil)
|
|
} else if server.shouldAdminBind() {
|
|
log.Debug("ldap", "attempting admin bind to", config.BindDN)
|
|
err = server.userBind(config.BindDN, config.BindPassword)
|
|
} else {
|
|
log.Debug("ldap", "attempting unauthenticated bind")
|
|
err = server.Connection.UnauthenticatedBind(config.BindDN)
|
|
}
|
|
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
if passphraseChecked && len(config.RequireGroups) == 0 {
|
|
return nil
|
|
}
|
|
|
|
users, err := server.users([]string{accountName})
|
|
if err != nil {
|
|
log.Debug("ldap", "failed user lookup")
|
|
return err
|
|
}
|
|
|
|
if len(users) == 0 {
|
|
return ErrCouldNotFindUser
|
|
}
|
|
|
|
user := users[0]
|
|
|
|
log.Debug("ldap", "looked up user", user.DN)
|
|
|
|
err = server.validateGroupMembership(user)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !passphraseChecked {
|
|
log.Debug("ldap", "rebinding", user.DN)
|
|
err = server.userBind(user.DN, passphrase)
|
|
}
|
|
|
|
return err
|
|
}
|
|
|
|
func (server *serverConn) validateGroupMembership(user *ldap.Entry) (err error) {
|
|
if len(server.Config.RequireGroups) == 0 {
|
|
return
|
|
}
|
|
|
|
var memberOf []string
|
|
memberOf, err = server.getMemberOf(user)
|
|
if err != nil {
|
|
server.logger.Debug("ldap", "could not retrieve group memberships", err.Error())
|
|
return
|
|
}
|
|
server.logger.Debug("ldap", fmt.Sprintf("found group memberships: %v", memberOf))
|
|
foundGroup := false
|
|
for _, inGroup := range memberOf {
|
|
for _, acceptableGroup := range server.Config.RequireGroups {
|
|
if inGroup == acceptableGroup {
|
|
foundGroup = true
|
|
break
|
|
}
|
|
}
|
|
if foundGroup {
|
|
break
|
|
}
|
|
}
|
|
if foundGroup {
|
|
return nil
|
|
} else {
|
|
return ErrUserNotInRequiredGroup
|
|
}
|
|
}
|