From d7b52eba1c7574e582520523e807e180c8878c64 Mon Sep 17 00:00:00 2001
From: commonism
Date: Thu, 14 Oct 2021 08:57:03 +0200
Subject: [PATCH] ldap - compare DNs using DN.Equal (#60)

* ldap - compare DNs using DN.Equal

* ldap/isAdmin- restructure & remove code duplication

Co-authored-by: Markus Koetter
---
 internal/ldap/config.go | 6 ++++++
 internal/server/configuration.go | 6 ++++++
 internal/server/ldapsync.go | 33 ++++++++++++++++----------------
 3 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/internal/ldap/config.go b/internal/ldap/config.go
index 4d581be..ff8a11c 100644
--- a/internal/ldap/config.go
+++ b/internal/ldap/config.go
@@ -1,5 +1,10 @@
 package ldap
 
+import (
+	gldap "github.com/go-ldap/ldap/v3"
+)
+
+
 type Type string
 
 const (
@@ -24,4 +29,5 @@ type Config struct {
 	LoginFilter string `yaml:"loginFilter" envconfig:"LDAP_LOGIN_FILTER"` // {{login_identifier}} gets replaced with the login email address
 	SyncFilter string `yaml:"syncFilter" envconfig:"LDAP_SYNC_FILTER"`
 	AdminLdapGroup string `yaml:"adminGroup" envconfig:"LDAP_ADMIN_GROUP"` // Members of this group receive admin rights in WG-Portal
+	AdminLdapGroup_ *gldap.DN `yaml:"-"`
 }
diff --git a/internal/server/configuration.go b/internal/server/configuration.go
index 68d2683..61ba426 100644
--- a/internal/server/configuration.go
+++ b/internal/server/configuration.go
@@ -12,6 +12,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v3"
+
+	gldap "github.com/go-ldap/ldap/v3"
 )
 
 var ErrInvalidSpecification = errors.New("specification must be a struct pointer")
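Review bot: The new field `AdminLdapGroup_ *gldap.DN` in the Config hunk carries a trailing underscore, which Go naming avoids (MixedCaps, no underscores), and the exported yaml-ignored field sits next to `AdminLdapGroup` without saying how the two relate or that nil is a meaningful state for the callers that check it. A descriptive name plus a comment would make the contract explicit, e.g. `AdminLdapGroupDN *gldap.DN `yaml:"-"`` with `// parsed form of AdminLdapGroup; nil when the configured value is absent or did not parse`; the same rename would apply to the assignment in configuration.go and the reads in ldapsync.go. In the import hunk above, the two blank lines after the closing `)` are not gofmt-clean (gofmt collapses them to one).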
@@ -130,6 +132,10 @@ func NewConfig() *Config {
 	if err != nil {
 		logrus.Warnf("unable to load environment config: %v", err)
 	}
+	cfg.LDAP.AdminLdapGroup_, err = gldap.ParseDN(cfg.LDAP.AdminLdapGroup)
+	if err != nil {
+		logrus.Warnf("Parsing AdminLDAPGroup failed: %v", err)
+	}
 
 	if cfg.WG.ManageIPAddresses && runtime.GOOS != "linux" {
 		logrus.Warnf("managing IP addresses only works on linux, feature disabled...")
diff --git a/internal/server/ldapsync.go b/internal/server/ldapsync.go
index b45bc46..eb9fc5c 100644
--- a/internal/server/ldapsync.go
+++ b/internal/server/ldapsync.go
@@ -8,6 +8,8 @@ import (
 	"github.com/h44z/wg-portal/internal/users"
 	"github.com/sirupsen/logrus"
 	"gorm.io/gorm"
+
+	gldap "github.com/go-ldap/ldap/v3"
 )
 
 func (s *Server) SyncLdapWithUserDatabase() {
@@ -42,6 +44,19 @@ func (s *Server) SyncLdapWithUserDatabase() {
 	logrus.Info("ldap user synchronization stopped")
 }
 
+func (s Server)userIsInAdminGroup(ldapData *ldap.RawLdapData) bool {
+	if s.config.LDAP.AdminLdapGroup_ == nil {
+		return false
+	}
+	for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
+		var dn,_ = gldap.ParseDN(string(group))
+		if s.config.LDAP.AdminLdapGroup_.Equal(dn) {
+			return true
+		}
+	}
+	return false
+}
+
 func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool {
 	if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] {
 		return true
@@ -63,14 +78,7 @@ func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData)
 		return true
 	}
 
-	ldapAdmin := false
-	for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
-		if string(group) == s.config.LDAP.AdminLdapGroup {
-			ldapAdmin = true
-			break
-		}
-	}
-	if user.IsAdmin != ldapAdmin {
+	if user.IsAdmin != s.userIsInAdminGroup(ldapData) {
 		return true
 	}
 
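Review bot: A parse failure of `cfg.LDAP.AdminLdapGroup` in the NewConfig hunk is only logged as a warning, yet it leaves `AdminLdapGroup_` nil, and with a nil DN `userIsInAdminGroup` answers false for everyone, so a typo in the configured admin group silently strips admin rights from every LDAP-sourced admin on the next sync rather than refusing to start. A configured-but-unparsable group should be a fatal configuration error, e.g. `logrus.Fatalf("parsing LDAP admin group %q: %v", cfg.LDAP.AdminLdapGroup, err)`, or the sync should refuse to run while the parsed DN is nil. The parse also runs when no LDAP admin group is configured at all; if `gldap.ParseDN("")` reports an error (not visible here), every non-LDAP deployment logs this warning at startup, which `if cfg.LDAP.AdminLdapGroup != "" {` around the call avoids. The message `"Parsing AdminLDAPGroup failed"` also departs from the lowercase style and the `AdminLdapGroup` spelling used by the neighbouring warnings. NewConfig's body continues outside the hunk.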
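Review bot: `var dn,_ = gldap.ParseDN(string(group))` in userIsInAdminGroup discards the parse error, and on failure `dn` is nil; as far as I can tell from go-ldap v3, `DN.Equal` begins by reading `other.RDNs`, so the next line `s.config.LDAP.AdminLdapGroup_.Equal(dn)` dereferences a nil pointer and panics the sync as soon as one value of the group-member attribute is not a well-formed DN — directory contents then decide whether the server keeps running. Values that do not parse should be skipped (and logged at debug level so a misconfigured attribute is diagnosable): `dn, err := gldap.ParseDN(string(group))`, `if err != nil { continue }`. `func (s Server)userIsInAdminGroup` and `var dn,_` are not gofmt-clean; the value receiver copies `Server` on each call, which matches `userChangedInLdap` below but not `SyncLdapWithUserDatabase` above, which uses `*Server`.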
@@ -143,17 +151,10 @@ func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData) {
 		user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
 		user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
 		user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute]
-		user.IsAdmin = false
+		user.IsAdmin = s.userIsInAdminGroup(&ldapUsers[i])
 		user.Source = users.UserSourceLdap
 		user.DeletedAt = gorm.DeletedAt{} // Not deleted
 
-		for _, group := range ldapUsers[i].RawAttributes[s.config.LDAP.GroupMemberAttribute] {
-			if string(group) == s.config.LDAP.AdminLdapGroup {
-				user.IsAdmin = true
-				break
-			}
-		}
-
 		if err = s.users.UpdateUser(user); err != nil {
 			logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
 			continue