mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 69 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2898 Commits
21 Branches
Tree: 0fec07665c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0fec07665c'
${ noResults }
oragono/irc/ldap/login.go

login.go 4.1KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152 
  1. // Copyright (c) 2020 Matt Ouille

  2. // Copyright (c) 2020 Shivaram Lingamneni

  3. // released under the MIT license

  4. 

  5. // Portions of this code copyright Grafana Labs and contributors

  6. // and released under the Apache 2.0 license

  7. 

  8. // Copying Grafana's original comment on the different cases for LDAP:

  9. // There are several cases -

  10. // 1. "admin" user

  11. // Bind the "admin" user (defined in Grafana config file) which has the search privileges

  12. // in LDAP server, then we search the targeted user through that bind, then the second

  13. // perform the bind via passed login/password.

  14. // 2. Single bind

  15. // // If all the users meant to be used with Grafana have the ability to search in LDAP server

  16. // then we bind with LDAP server with targeted login/password

  17. // and then search for the said user in order to retrive all the information about them

  18. // 3. Unauthenticated bind

  19. // For some LDAP configurations it is allowed to search the

  20. // user without login/password binding with LDAP server, in such case

  21. // we will perform "unauthenticated bind", then search for the

  22. // targeted user and then perform the bind with passed login/password.

  23. 

  24. // Note: the only validation we do on users is to check RequiredGroups.

  25. // If RequiredGroups is not set and we can do a single bind, we don't

  26. // even need to search. So our case 2 is not restricted

  27. // to setups where all the users have search privileges: we only need to

  28. // be able to do DN resolution via pure string substitution.

  29. 

  30. package ldap

  31. 

  32. import (

  33. 	"errors"

  34. 	"fmt"

  35. 

  36. 	ldap "github.com/go-ldap/ldap/v3"

  37. 

  38. 	"github.com/oragono/oragono/irc/logger"

  39. )

  40. 

  41. var (

  42. 	ErrUserNotInRequiredGroup = errors.New("User is not a member of any required groups")

  43. )

  44. 

  45. // equivalent of Grafana's `Server`, but unexported

  46. // also, `log` was renamed to `logger`, since the APIs are slightly different

  47. // and this way the compiler will catch any unchanged references to Grafana's `Server.log`

  48. type serverConn struct {

  49. 	Config     *ServerConfig

  50. 	Connection *ldap.Conn

  51. 	logger     *logger.Manager

  52. }

  53. 

  54. func CheckLDAPPassphrase(config ServerConfig, accountName, passphrase string, log *logger.Manager) (err error) {

  55. 	defer func() {

  56. 		if err != nil {

  57. 			log.Debug("ldap", "failed passphrase check", err.Error())

  58. 		}

  59. 	}()

  60. 

  61. 	server := serverConn{

  62. 		Config: &config,

  63. 		logger: log,

  64. 	}

  65. 

  66. 	err = server.Dial()

  67. 	if err != nil {

  68. 		return

  69. 	}

  70. 	defer server.Close()

  71. 

  72. 	server.Connection.SetTimeout(config.Timeout)

  73. 

  74. 	passphraseChecked := false

  75. 

  76. 	if server.shouldSingleBind() {

  77. 		log.Debug("ldap", "attempting single bind to", accountName)

  78. 		err = server.userBind(server.singleBindDN(accountName), passphrase)

  79. 		passphraseChecked = (err == nil)

  80. 	} else if server.shouldAdminBind() {

  81. 		log.Debug("ldap", "attempting admin bind to", config.BindDN)

  82. 		err = server.userBind(config.BindDN, config.BindPassword)

  83. 	} else {

  84. 		log.Debug("ldap", "attempting unauthenticated bind")

  85. 		err = server.Connection.UnauthenticatedBind(config.BindDN)

  86. 	}

  87. 

  88. 	if err != nil {

  89. 		return

  90. 	}

  91. 

  92. 	if passphraseChecked && len(config.RequireGroups) == 0 {

  93. 		return nil

  94. 	}

  95. 

  96. 	users, err := server.users([]string{accountName})

  97. 	if err != nil {

  98. 		log.Debug("ldap", "failed user lookup")

  99. 		return err

  100. 	}

  101. 

  102. 	if len(users) == 0 {

  103. 		return ErrCouldNotFindUser

  104. 	}

  105. 

  106. 	user := users[0]

  107. 

  108. 	log.Debug("ldap", "looked up user", user.DN)

  109. 

  110. 	err = server.validateGroupMembership(user)

  111. 	if err != nil {

  112. 		return err

  113. 	}

  114. 

  115. 	if !passphraseChecked {

  116. 		log.Debug("ldap", "rebinding", user.DN)

  117. 		err = server.userBind(user.DN, passphrase)

  118. 	}

  119. 

  120. 	return err

  121. }

  122. 

  123. func (server *serverConn) validateGroupMembership(user *ldap.Entry) (err error) {

  124. 	if len(server.Config.RequireGroups) == 0 {

  125. 		return

  126. 	}

  127. 

  128. 	var memberOf []string

  129. 	memberOf, err = server.getMemberOf(user)

  130. 	if err != nil {

  131. 		server.logger.Debug("ldap", "could not retrieve group memberships", err.Error())

  132. 		return

  133. 	}

  134. 	server.logger.Debug("ldap", fmt.Sprintf("found group memberships: %v", memberOf))

  135. 	foundGroup := false

  136. 	for _, inGroup := range memberOf {

  137. 		for _, acceptableGroup := range server.Config.RequireGroups {

  138. 			if inGroup == acceptableGroup {

  139. 				foundGroup = true

  140. 				break

  141. 			}

  142. 		}

  143. 		if foundGroup {

  144. 			break

  145. 		}

  146. 	}

  147. 	if foundGroup {

  148. 		return nil

  149. 	} else {

  150. 		return ErrUserNotInRequiredGroup

  151. 	}

  152. }