Capture LDAP configuration

2025-08-01 19:45:24 +02:00 · 2018-09-03 17:36:54 +01:00 · 2018-09-03 17:36:54 +01:00 · 1ce7e53398
commit 1ce7e53398
parent fd167234ae
15 changed files with 647 additions and 714 deletions
--- a/domain/auth/ldap/ad_test.go
+++ b/domain/auth/ldap/ad_test.go
@ -31,8 +31,8 @@ var testConfigPublicAD = lm.LDAPConfig{
 	BaseDN:                   "DC=mycompany,DC=local",
 	BindDN:                   "CN=ad-admin,CN=Users,DC=mycompany,DC=local",
 	BindPassword:             "8B5tNRLvbk8K",
-	UserFilter:               "",
-	GroupFilter:              "",
+	UserFilter:               "(|(objectCategory=person)(objectClass=user)(objectClass=inetOrgPerson))",
+	GroupFilter:              "(|(cn=Accounting)(cn=IT))",
 	AttributeUserRDN:         "sAMAccountName",
 	AttributeUserFirstname:   "givenName",
 	AttributeUserLastname:    "sn",
@ -43,8 +43,6 @@ var testConfigPublicAD = lm.LDAPConfig{
 }

 func TestUserFilter_PublicAD(t *testing.T) {
-	testConfigPublicAD.UserFilter = "(|(objectCategory=person)(objectClass=user)(objectClass=inetOrgPerson))"
-
 	e, err := executeUserFilter(testConfigPublicAD)
 	if err != nil {
 		t.Error("unable to exeucte user filter", err.Error())
@ -64,8 +62,6 @@ func TestUserFilter_PublicAD(t *testing.T) {
 }

 func TestGroupFilter_PublicAD(t *testing.T) {
-	testConfigPublicAD.GroupFilter = "(|(cn=Accounting)(cn=IT))"
-
 	e, err := executeGroupFilter(testConfigPublicAD)
 	if err != nil {
 		t.Error("unable to exeucte group filter", err.Error())
--- a/domain/auth/ldap/endpoint.go
+++ b/domain/auth/ldap/endpoint.go
@ -14,9 +14,9 @@ package ldap
 import (
 	"crypto/tls"
 	// "database/sql"
-	// "encoding/json"
+	"encoding/json"
 	"fmt"
-	// "io/ioutil"
+	"io/ioutil"
 	"net/http"
 	// "sort"
 	// "strings"
@ -24,15 +24,15 @@ import (
 	"github.com/documize/community/core/env"
 	"github.com/documize/community/core/response"
 	// "github.com/documize/community/core/secrets"
-	// "github.com/documize/community/core/streamutil"
+	"github.com/documize/community/core/streamutil"
 	// "github.com/documize/community/core/stringutil"
 	"github.com/documize/community/domain"
 	// "github.com/documize/community/domain/auth"
 	// usr "github.com/documize/community/domain/user"
 	ath "github.com/documize/community/model/auth"
 	lm "github.com/documize/community/model/auth"
+	"github.com/documize/community/model/user"
 	ld "gopkg.in/ldap.v2"
-	// "github.com/documize/community/model/user"
 )

 // Handler contains the runtime information such as logging and database.
@ -41,6 +41,70 @@ type Handler struct {
 	Store   *domain.Store
 }

+// Preview connects to LDAP using paylaod and returns
+// first 100 users for.
+// and marks Keycloak disabled users as inactive.
+func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
+	h.Runtime.Log.Info("Sync'ing with LDAP")
+
+	ctx := domain.GetRequestContext(r)
+	if !ctx.Administrator {
+		response.WriteForbiddenError(w)
+		return
+	}
+
+	var result struct {
+		Message string      `json:"message"`
+		IsError bool        `json:"isError"`
+		Users   []user.User `json:"users"`
+	}
+
+	// Read the request.
+	defer streamutil.Close(r.Body)
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		result.Message = "Error: unable read request body"
+		result.IsError = true
+		response.WriteJSON(w, result)
+		h.Runtime.Log.Error(result.Message, err)
+		return
+	}
+
+	// Decode LDAP config.
+	c := lm.LDAPConfig{}
+	err = json.Unmarshal(body, &c)
+	if err != nil {
+		result.Message = "Error: unable read LDAP configuration payload"
+		result.IsError = true
+		response.WriteJSON(w, result)
+		h.Runtime.Log.Error(result.Message, err)
+		return
+	}
+
+	h.Runtime.Log.Info("Fetching LDAP users")
+
+	users, err := fetchUsers(c)
+	if err != nil {
+		result.Message = "Error: unable fetch users from LDAP"
+		result.IsError = true
+		response.WriteJSON(w, result)
+		h.Runtime.Log.Error(result.Message, err)
+		return
+	}
+
+	result.IsError = false
+	result.Message = fmt.Sprintf("Sync'ed with LDAP, found %d users", len(users))
+	if len(users) > 100 {
+		result.Users = users[:100]
+	} else {
+		result.Users = users
+	}
+
+	h.Runtime.Log.Info(result.Message)
+
+	response.WriteJSON(w, result)
+}
+
 // Sync gets list of Keycloak users and inserts new users into Documize
 // and marks Keycloak disabled users as inactive.
 func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
@ -233,145 +297,145 @@ func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
 }

 // Authenticate checks Keycloak authentication credentials.
-// func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
-// 	method := "authenticate"
-// 	ctx := domain.GetRequestContext(r)
+func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
+	// 	method := "authenticate"
+	// 	ctx := domain.GetRequestContext(r)

-// 	defer streamutil.Close(r.Body)
-// 	body, err := ioutil.ReadAll(r.Body)
-// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, "Bad payload")
-// 		h.Runtime.Log.Error(method, err)
-// 		return
-// 	}
+	// 	defer streamutil.Close(r.Body)
+	// 	body, err := ioutil.ReadAll(r.Body)
+	// 	if err != nil {
+	// 		response.WriteBadRequestError(w, method, "Bad payload")
+	// 		h.Runtime.Log.Error(method, err)
+	// 		return
+	// 	}

-// 	a := ath.KeycloakAuthRequest{}
-// 	err = json.Unmarshal(body, &a)
-// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, err.Error())
-// 		h.Runtime.Log.Error(method, err)
-// 		return
-// 	}
+	// 	a := ath.KeycloakAuthRequest{}
+	// 	err = json.Unmarshal(body, &a)
+	// 	if err != nil {
+	// 		response.WriteBadRequestError(w, method, err.Error())
+	// 		h.Runtime.Log.Error(method, err)
+	// 		return
+	// 	}

-// 	a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
-// 	a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
-// 	a.Email = strings.TrimSpace(strings.ToLower(a.Email))
+	// 	a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
+	// 	a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
+	// 	a.Email = strings.TrimSpace(strings.ToLower(a.Email))

-// 	// Check for required fields.
-// 	if len(a.Email) == 0 {
-// 		response.WriteUnauthorizedError(w)
-// 		return
-// 	}
+	// 	// Check for required fields.
+	// 	if len(a.Email) == 0 {
+	// 		response.WriteUnauthorizedError(w)
+	// 		return
+	// 	}

-// 	org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
-// 	if err != nil {
-// 		response.WriteUnauthorizedError(w)
-// 		h.Runtime.Log.Error(method, err)
-// 		return
-// 	}
+	// 	org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
+	// 	if err != nil {
+	// 		response.WriteUnauthorizedError(w)
+	// 		h.Runtime.Log.Error(method, err)
+	// 		return
+	// 	}

-// 	ctx.OrgID = org.RefID
+	// 	ctx.OrgID = org.RefID

-// 	// Fetch Keycloak auth provider config
-// 	ac := ath.KeycloakConfig{}
-// 	err = json.Unmarshal([]byte(org.AuthConfig), &ac)
-// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
-// 		h.Runtime.Log.Error(method, err)
-// 		return
-// 	}
+	// 	// Fetch Keycloak auth provider config
+	// 	ac := ath.KeycloakConfig{}
+	// 	err = json.Unmarshal([]byte(org.AuthConfig), &ac)
+	// 	if err != nil {
+	// 		response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
+	// 		h.Runtime.Log.Error(method, err)
+	// 		return
+	// 	}

-// 	// Decode and prepare RSA Public Key used by keycloak to sign JWT.
-// 	pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
-// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
-// 		h.Runtime.Log.Error(method, err)
-// 		return
-// 	}
-// 	pk := string(pkb)
-// 	pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
+	// 	// Decode and prepare RSA Public Key used by keycloak to sign JWT.
+	// 	pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
+	// 	if err != nil {
+	// 		response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
+	// 		h.Runtime.Log.Error(method, err)
+	// 		return
+	// 	}
+	// 	pk := string(pkb)
+	// 	pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)

-// 	// Decode and verify Keycloak JWT
-// 	claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
-// 	if err != nil {
-// 		response.WriteBadRequestError(w, method, err.Error())
-// 		h.Runtime.Log.Info("decodeKeycloakJWT failed")
-// 		return
-// 	}
+	// 	// Decode and verify Keycloak JWT
+	// 	claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
+	// 	if err != nil {
+	// 		response.WriteBadRequestError(w, method, err.Error())
+	// 		h.Runtime.Log.Info("decodeKeycloakJWT failed")
+	// 		return
+	// 	}

-// 	// Compare the contents from JWT with what we have.
-// 	// Guards against MITM token tampering.
-// 	if a.Email != claims["email"].(string) {
-// 		response.WriteUnauthorizedError(w)
-// 		h.Runtime.Log.Info(">> Start Keycloak debug")
-// 		h.Runtime.Log.Info(a.Email)
-// 		h.Runtime.Log.Info(claims["email"].(string))
-// 		h.Runtime.Log.Info(">> End Keycloak debug")
-// 		return
-// 	}
+	// 	// Compare the contents from JWT with what we have.
+	// 	// Guards against MITM token tampering.
+	// 	if a.Email != claims["email"].(string) {
+	// 		response.WriteUnauthorizedError(w)
+	// 		h.Runtime.Log.Info(">> Start Keycloak debug")
+	// 		h.Runtime.Log.Info(a.Email)
+	// 		h.Runtime.Log.Info(claims["email"].(string))
+	// 		h.Runtime.Log.Info(">> End Keycloak debug")
+	// 		return
+	// 	}

-// 	h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
+	// 	h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)

-// 	u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
-// 	if err != nil && err != sql.ErrNoRows {
-// 		response.WriteServerError(w, method, err)
-// 		h.Runtime.Log.Error(method, err)
-// 		return
-// 	}
+	// 	u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
+	// 	if err != nil && err != sql.ErrNoRows {
+	// 		response.WriteServerError(w, method, err)
+	// 		h.Runtime.Log.Error(method, err)
+	// 		return
+	// 	}

-// 	// Create user account if not found
-// 	if err == sql.ErrNoRows {
-// 		h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
+	// 	// Create user account if not found
+	// 	if err == sql.ErrNoRows {
+	// 		h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)

-// 		u = user.User{}
-// 		u.Firstname = a.Firstname
-// 		u.Lastname = a.Lastname
-// 		u.Email = a.Email
-// 		u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
-// 		u.Salt = secrets.GenerateSalt()
-// 		u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
+	// 		u = user.User{}
+	// 		u.Firstname = a.Firstname
+	// 		u.Lastname = a.Lastname
+	// 		u.Email = a.Email
+	// 		u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
+	// 		u.Salt = secrets.GenerateSalt()
+	// 		u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)

-// 		err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
-// 		if err != nil {
-// 			response.WriteServerError(w, method, err)
-// 			h.Runtime.Log.Error(method, err)
-// 			return
-// 		}
-// 	}
+	// 		err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
+	// 		if err != nil {
+	// 			response.WriteServerError(w, method, err)
+	// 			h.Runtime.Log.Error(method, err)
+	// 			return
+	// 		}
+	// 	}

-// 	// Password correct and active user
-// 	if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
-// 		response.WriteUnauthorizedError(w)
-// 		return
-// 	}
+	// 	// Password correct and active user
+	// 	if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
+	// 		response.WriteUnauthorizedError(w)
+	// 		return
+	// 	}

-// 	// Attach user accounts and work out permissions.
-// 	usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
+	// 	// Attach user accounts and work out permissions.
+	// 	usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)

-// 	// No accounts signals data integrity problem
-// 	// so we reject login request.
-// 	if len(u.Accounts) == 0 {
-// 		response.WriteUnauthorizedError(w)
-// 		h.Runtime.Log.Error(method, err)
-// 		return
-// 	}
+	// 	// No accounts signals data integrity problem
+	// 	// so we reject login request.
+	// 	if len(u.Accounts) == 0 {
+	// 		response.WriteUnauthorizedError(w)
+	// 		h.Runtime.Log.Error(method, err)
+	// 		return
+	// 	}

-// 	// Abort login request if account is disabled.
-// 	for _, ac := range u.Accounts {
-// 		if ac.OrgID == org.RefID {
-// 			if ac.Active == false {
-// 				response.WriteUnauthorizedError(w)
-// 				h.Runtime.Log.Error(method, err)
-// 				return
-// 			}
-// 			break
-// 		}
-// 	}
+	// 	// Abort login request if account is disabled.
+	// 	for _, ac := range u.Accounts {
+	// 		if ac.OrgID == org.RefID {
+	// 			if ac.Active == false {
+	// 				response.WriteUnauthorizedError(w)
+	// 				h.Runtime.Log.Error(method, err)
+	// 				return
+	// 			}
+	// 			break
+	// 		}
+	// 	}

-// 	// Generate JWT token
-// 	authModel := ath.AuthenticationModel{}
-// 	authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
-// 	authModel.User = u
+	// 	// Generate JWT token
+	// 	authModel := ath.AuthenticationModel{}
+	// 	authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
+	// 	authModel.User = u

-// 	response.WriteJSON(w, authModel)
-// }
+	// 	response.WriteJSON(w, authModel)
+}
--- a/domain/auth/ldap/ldap.go
+++ b/domain/auth/ldap/ldap.go
@ -16,8 +16,9 @@ import (
 	"fmt"
 	"strings"

+	"github.com/documize/community/core/stringutil"
 	lm "github.com/documize/community/model/auth"
-	// "github.com/documize/community/model/user"
+	"github.com/documize/community/model/user"
 	"github.com/pkg/errors"
 	ld "gopkg.in/ldap.v2"
 )
@ -201,9 +202,79 @@ func executeGroupFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {
 func extractUser(c lm.LDAPConfig, e *ld.Entry) (u lm.LDAPUser) {
 	u.Firstname = e.GetAttributeValue(c.AttributeUserFirstname)
 	u.Lastname = e.GetAttributeValue(c.AttributeUserLastname)
-	u.Email = e.GetAttributeValue(c.AttributeUserEmail)
+	u.Email = strings.ToLower(e.GetAttributeValue(c.AttributeUserEmail))
 	u.RemoteID = e.GetAttributeValue(c.AttributeUserRDN)
 	u.CN = e.GetAttributeValue("cn")

+	// Make name elements from DisplayName if we can.
+	if (len(u.Firstname) == 0 || len(u.Firstname) == 0) &&
+		len(e.GetAttributeValue(c.AttributeUserDisplayName)) > 0 {
+	}
+
+	if len(u.Firstname) == 0 {
+		u.Firstname = "Empty"
+	}
+	if len(u.Lastname) == 0 {
+		u.Lastname = "Empty"
+	}
+
+	return
+}
+
+// ConvertUsers creates a unique list of users using email as primary key.
+// The result is a collection of Documize user objects.
+func convertUsers(c lm.LDAPConfig, lu []lm.LDAPUser) (du []user.User) {
+	for _, i := range lu {
+		add := true
+		for _, j := range du {
+			if len(j.Email) > 0 && i.Email == j.Email {
+				add = false
+				break
+			}
+		}
+		// skip if empty email address
+		add = len(i.Email) > 0
+		if add {
+			nu := user.User{}
+			nu.Editor = c.DefaultPermissionAddSpace
+			nu.Active = true
+			nu.Email = i.Email
+			nu.ViewUsers = false
+			nu.Analytics = false
+			nu.Admin = false
+			nu.Global = false
+			nu.Firstname = i.Firstname
+			nu.Lastname = i.Lastname
+			nu.Initials = stringutil.MakeInitials(i.Firstname, i.Lastname)
+
+			du = append(du, nu)
+		}
+	}
+
+	return
+}
+
+// FetchUsers from LDAP server using both User and Group filters.
+func fetchUsers(c lm.LDAPConfig) (du []user.User, err error) {
+	du = []user.User{}
+
+	e1, err := executeUserFilter(c)
+	if err != nil {
+		err = errors.Wrap(err, "unable to execute user filter")
+		return
+	}
+
+	e2, err := executeGroupFilter(c)
+	if err != nil {
+		err = errors.Wrap(err, "unable to execute group filter")
+		return
+	}
+
+	// convert users from LDAP format to Documize format.
+	e3 := []lm.LDAPUser{}
+	e3 = append(e3, e1...)
+	e3 = append(e3, e2...)
+	du = convertUsers(c, e3)
+
 	return
 }
--- a/domain/auth/ldap/local_test.go
+++ b/domain/auth/ldap/local_test.go
@ -60,6 +60,32 @@ func TestUserFilter_LocalLDAP(t *testing.T) {
 	}
 }

+func TestDualFilters_LocalLDAP(t *testing.T) {
+	testConfigLocalLDAP.UserFilter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
+	e1, err := executeUserFilter(testConfigLocalLDAP)
+	if err != nil {
+		t.Error("unable to exeucte user filter", err.Error())
+		return
+	}
+
+	testConfigLocalLDAP.GroupFilter = "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))"
+	e2, err := executeGroupFilter(testConfigLocalLDAP)
+	if err != nil {
+		t.Error("unable to exeucte group filter", err.Error())
+		return
+	}
+
+	e3 := []lm.LDAPUser{}
+	e3 = append(e3, e1...)
+	e3 = append(e3, e2...)
+	users := convertUsers(testConfigLocalLDAP, e3)
+
+	for _, u := range users {
+		t.Logf("(%s %s) @ %s\n",
+			u.Firstname, u.Lastname, u.Email)
+	}
+}
+
 func TestGroupFilter_LocalLDAP(t *testing.T) {
 	testConfigLocalLDAP.GroupFilter = "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))"

@ -74,11 +100,6 @@ func TestGroupFilter_LocalLDAP(t *testing.T) {
 	}

 	t.Logf("LDAP group search entries found: %d", len(e))
-
-	for _, u := range e {
-		t.Logf("[%s] %s (%s %s) @ %s\n",
-			u.RemoteID, u.CN, u.Firstname, u.Lastname, u.Email)
-	}
 }

 func TestAuthenticate_LocalLDAP(t *testing.T) {