documize/domain/auth/ldap/ldap.go

// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
//
// This software (Documize Community Edition) is licensed under
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
//
// You can operate outside the AGPL restrictions by purchasing
// Documize Enterprise Edition and obtaining a commercial license
// by contacting <sales@documize.com>.
//
// https://documize.com

package ldap

import (
	"crypto/tls"
	"fmt"
	"strings"

	lm "github.com/documize/community/model/auth"
	// "github.com/documize/community/model/user"
	"github.com/pkg/errors"
	ld "gopkg.in/ldap.v2"
)

// Connect establishes connection to LDAP server.
func connect(c lm.LDAPConfig) (l *ld.Conn, err error) {
	address := fmt.Sprintf("%s:%d", c.ServerHost, c.ServerPort)

	fmt.Println("Connecting to LDAP server", address)

	l, err = ld.Dial("tcp", address)
	if err != nil {
		err = errors.Wrap(err, "unable to dial LDAP server")
		return
	}

	if c.EncryptionType == lm.EncryptionTypeStartTLS {
		fmt.Println("Using StartTLS with LDAP server")
		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
		if err != nil {
			err = errors.Wrap(err, "unable to startTLS with LDAP server")
			return
		}
	}

	return
}

// Authenticate user against LDAP provider.
func authenticate(l *ld.Conn, c lm.LDAPConfig, username, pwd string) (success bool, err error) {
	success = false
	userAttrs := c.GetUserFilterAttributes()
	filter := fmt.Sprintf("(%s=%s)", c.AttributeUserRDN, username)

	searchRequest := ld.NewSearchRequest(
		c.BaseDN,
		ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
		filter,
		userAttrs,
		nil,
	)

	err = l.Bind(c.BindDN, c.BindPassword)
	if err != nil {
		errors.Wrap(err, "unable to bind admin user")
		return
	}

	sr, err := l.Search(searchRequest)
	if err != nil {
		err = errors.Wrap(err, "unable to execute LDAP search during authentication")
		return
	}

	if len(sr.Entries) == 0 {
		err = errors.Wrap(err, "user not found during LDAP authentication")
		return
	}
	if len(sr.Entries) != 1 {
		err = errors.Wrap(err, "dupe users found during LDAP authentication")
		return
	}

	userdn := sr.Entries[0].DN

	// Bind as the user to verify their password
	err = l.Bind(userdn, pwd)
	if err != nil {
		return false, nil
	}

	return true, nil
}

// ExecuteUserFilter returns all matching LDAP users.
func executeUserFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {
	l, err := connect(c)
	if err != nil {
		err = errors.Wrap(err, "unable to dial LDAP server")
		return
	}
	defer l.Close()

	// Authenticate with LDAP server using admin credentials.
	err = l.Bind(c.BindDN, c.BindPassword)
	if err != nil {
		errors.Wrap(err, "unable to bind admin user")
		return
	}

	searchRequest := ld.NewSearchRequest(
		c.BaseDN,
		ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
		c.UserFilter,
		c.GetUserFilterAttributes(),
		nil,
	)

	sr, err := l.Search(searchRequest)
	if err != nil {
		errors.Wrap(err, "unable to execute directory search for user filter "+c.UserFilter)
		return
	}

	for _, e := range sr.Entries {
		u = append(u, extractUser(c, e))
	}

	return
}

// ExecuteGroupFilter returns all matching LDAP users that are paft of specified groups.
func executeGroupFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {
	l, err := connect(c)
	if err != nil {
		err = errors.Wrap(err, "unable to dial LDAP server")
		return
	}
	defer l.Close()

	// Authenticate with LDAP server using admin credentials.
	err = l.Bind(c.BindDN, c.BindPassword)
	if err != nil {
		errors.Wrap(err, "unable to bind admin user")
		return
	}

	searchRequest := ld.NewSearchRequest(
		c.BaseDN,
		ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
		c.GroupFilter,
		c.GetGroupFilterAttributes(),
		nil,
	)

	sr, err := l.Search(searchRequest)
	if err != nil {
		errors.Wrap(err, "unable to execute directory search for user filter "+c.GroupFilter)
		return
	}

	for _, g := range sr.Entries {
		rawMembers := g.GetAttributeValues(c.AttributeGroupMember)
		if len(rawMembers) == 0 {
			continue
		}

		for _, entry := range rawMembers {
			// get CN element from DN
			parts := strings.Split(entry, ",")
			if len(parts) == 0 {
				continue
			}
			filter := fmt.Sprintf("(%s)", parts[0])

			usr := ld.NewSearchRequest(
				c.BaseDN,
				ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
				filter,
				c.GetUserFilterAttributes(),
				nil,
			)

			ue, err := l.Search(usr)
			if err != nil {
				continue
			}

			if len(ue.Entries) > 0 {
				for _, ur := range ue.Entries {
					u = append(u, extractUser(c, ur))
				}
			}
		}
	}

	return
}

// extractUser build user record from LDAP result attributes.
func extractUser(c lm.LDAPConfig, e *ld.Entry) (u lm.LDAPUser) {
	u.Firstname = e.GetAttributeValue(c.AttributeUserFirstname)
	u.Lastname = e.GetAttributeValue(c.AttributeUserLastname)
	u.Email = e.GetAttributeValue(c.AttributeUserEmail)
	u.RemoteID = e.GetAttributeValue(c.AttributeUserRDN)
	u.CN = e.GetAttributeValue("cn")

	return
}
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.`
			`//`
			`// This software (Documize Community Edition) is licensed under`
			`// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html`
			`//`
			`// You can operate outside the AGPL restrictions by purchasing`
			`// Documize Enterprise Edition and obtaining a commercial license`
			`// by contacting <sales@documize.com>.`
			`//`
			`// https://documize.com`

			`package ldap`

			`import (`
			`"crypto/tls"`
			`"fmt"`
Discrete data loading functions 2018-09-01 14:50:37 +01:00			`"strings"`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00
			`lm "github.com/documize/community/model/auth"`
Refactor LDAP code into discrete functions 2018-08-31 21:00:51 +01:00			`// "github.com/documize/community/model/user"`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`"github.com/pkg/errors"`
			`ld "gopkg.in/ldap.v2"`
			`)`

			`// Connect establishes connection to LDAP server.`
Refactor LDAP code into discrete functions 2018-08-31 21:00:51 +01:00			`func connect(c lm.LDAPConfig) (l *ld.Conn, err error) {`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`address := fmt.Sprintf("%s:%d", c.ServerHost, c.ServerPort)`

			`fmt.Println("Connecting to LDAP server", address)`

			`l, err = ld.Dial("tcp", address)`
			`if err != nil {`
			`err = errors.Wrap(err, "unable to dial LDAP server")`
			`return`
			`}`

Discrete data loading functions 2018-09-01 14:50:37 +01:00			`if c.EncryptionType == lm.EncryptionTypeStartTLS {`
Refactor LDAP tests with reusable code 2018-08-30 16:01:36 +01:00			`fmt.Println("Using StartTLS with LDAP server")`
			`err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})`
			`if err != nil {`
			`err = errors.Wrap(err, "unable to startTLS with LDAP server")`
			`return`
			`}`
			`}`

			`return`
			`}`
Refactor LDAP code into discrete functions 2018-08-31 21:00:51 +01:00
			`// Authenticate user against LDAP provider.`
			`func authenticate(l *ld.Conn, c lm.LDAPConfig, username, pwd string) (success bool, err error) {`
			`success = false`
			`userAttrs := c.GetUserFilterAttributes()`
			`filter := fmt.Sprintf("(%s=%s)", c.AttributeUserRDN, username)`

			`searchRequest := ld.NewSearchRequest(`
			`c.BaseDN,`
			`ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,`
			`filter,`
			`userAttrs,`
			`nil,`
			`)`

			`err = l.Bind(c.BindDN, c.BindPassword)`
			`if err != nil {`
			`errors.Wrap(err, "unable to bind admin user")`
			`return`
			`}`

			`sr, err := l.Search(searchRequest)`
			`if err != nil {`
			`err = errors.Wrap(err, "unable to execute LDAP search during authentication")`
			`return`
			`}`

			`if len(sr.Entries) == 0 {`
			`err = errors.Wrap(err, "user not found during LDAP authentication")`
			`return`
			`}`
			`if len(sr.Entries) != 1 {`
			`err = errors.Wrap(err, "dupe users found during LDAP authentication")`
			`return`
			`}`

			`userdn := sr.Entries[0].DN`

			`// Bind as the user to verify their password`
			`err = l.Bind(userdn, pwd)`
			`if err != nil {`
			`return false, nil`
			`}`

			`return true, nil`
			`}`

			`// ExecuteUserFilter returns all matching LDAP users.`
			`func executeUserFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {`
			`l, err := connect(c)`
			`if err != nil {`
			`err = errors.Wrap(err, "unable to dial LDAP server")`
			`return`
			`}`
			`defer l.Close()`

			`// Authenticate with LDAP server using admin credentials.`
			`err = l.Bind(c.BindDN, c.BindPassword)`
			`if err != nil {`
			`errors.Wrap(err, "unable to bind admin user")`
			`return`
			`}`

			`searchRequest := ld.NewSearchRequest(`
			`c.BaseDN,`
			`ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,`
			`c.UserFilter,`
			`c.GetUserFilterAttributes(),`
			`nil,`
			`)`

			`sr, err := l.Search(searchRequest)`
			`if err != nil {`
			`errors.Wrap(err, "unable to execute directory search for user filter "+c.UserFilter)`
			`return`
			`}`

			`for _, e := range sr.Entries {`
			`u = append(u, extractUser(c, e))`
			`}`

			`return`
			`}`

Discrete data loading functions 2018-09-01 14:50:37 +01:00			`// ExecuteGroupFilter returns all matching LDAP users that are paft of specified groups.`
			`func executeGroupFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {`
			`l, err := connect(c)`
			`if err != nil {`
			`err = errors.Wrap(err, "unable to dial LDAP server")`
			`return`
			`}`
			`defer l.Close()`

			`// Authenticate with LDAP server using admin credentials.`
			`err = l.Bind(c.BindDN, c.BindPassword)`
			`if err != nil {`
			`errors.Wrap(err, "unable to bind admin user")`
			`return`
			`}`

			`searchRequest := ld.NewSearchRequest(`
			`c.BaseDN,`
			`ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,`
			`c.GroupFilter,`
			`c.GetGroupFilterAttributes(),`
			`nil,`
			`)`

			`sr, err := l.Search(searchRequest)`
			`if err != nil {`
			`errors.Wrap(err, "unable to execute directory search for user filter "+c.GroupFilter)`
			`return`
			`}`

			`for _, g := range sr.Entries {`
			`rawMembers := g.GetAttributeValues(c.AttributeGroupMember)`
			`if len(rawMembers) == 0 {`
			`continue`
			`}`

			`for _, entry := range rawMembers {`
			`// get CN element from DN`
			`parts := strings.Split(entry, ",")`
			`if len(parts) == 0 {`
			`continue`
			`}`
			`filter := fmt.Sprintf("(%s)", parts[0])`

			`usr := ld.NewSearchRequest(`
			`c.BaseDN,`
			`ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,`
			`filter,`
			`c.GetUserFilterAttributes(),`
			`nil,`
			`)`

			`ue, err := l.Search(usr)`
			`if err != nil {`
			`continue`
			`}`

			`if len(ue.Entries) > 0 {`
			`for _, ur := range ue.Entries {`
			`u = append(u, extractUser(c, ur))`
			`}`
			`}`
			`}`
			`}`

			`return`
			`}`

Refactor LDAP code into discrete functions 2018-08-31 21:00:51 +01:00			`// extractUser build user record from LDAP result attributes.`
			`func extractUser(c lm.LDAPConfig, e *ld.Entry) (u lm.LDAPUser) {`
			`u.Firstname = e.GetAttributeValue(c.AttributeUserFirstname)`
			`u.Lastname = e.GetAttributeValue(c.AttributeUserLastname)`
			`u.Email = e.GetAttributeValue(c.AttributeUserEmail)`
			`u.RemoteID = e.GetAttributeValue(c.AttributeUserRDN)`
			`u.CN = e.GetAttributeValue("cn")`

			`return`
			`}`