First impl of LDAP login

2022-05-23 18:19:33 +02:00 · 2022-05-23 18:19:33 +02:00 · 262eabdca9
commit 262eabdca9
parent 53881fdb21
5 changed files with 318 additions and 22 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -342,6 +342,16 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
 [[package]]
 name = "form_urlencoded"
 version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191"
 dependencies = [
 "matches",
 "percent-encoding",
 ]
 [[package]]
 name = "futures"
 version = "0.3.21"
@ -588,6 +598,17 @@ dependencies = [
 "tokio-native-tls",
 ]
 [[package]]
 name = "idna"
 version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8"
 dependencies = [
 "matches",
 "unicode-bidi",
 "unicode-normalization",
 ]
 [[package]]
 name = "im"
 version = "15.1.0"
@ -668,6 +689,41 @@ version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 [[package]]
 name = "lber"
 version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8a99b520993b21a6faab32643cf4726573dc18ca4cf2d48cbeb24d248c86c930"
 dependencies = [
 "byteorder",
 "bytes",
 "nom",
 ]
 [[package]]
 name = "ldap3"
 version = "0.10.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ef35dc747152dd47bdc6aaeb35a232f84cbc8d84ae4cb9673aea810a6570ab8f"
 dependencies = [
 "async-trait",
 "bytes",
 "futures",
 "futures-util",
 "lazy_static",
 "lber",
 "log",
 "native-tls",
 "nom",
 "percent-encoding",
 "thiserror",
 "tokio",
 "tokio-native-tls",
 "tokio-stream",
 "tokio-util",
 "url",
 ]
 [[package]]
 name = "libc"
 version = "0.2.126"
@ -708,6 +764,8 @@ dependencies = [
 "im",
 "itertools",
 "k2v-client",
 "ldap3",
 "log",
 "pretty_env_logger",
 "rand",
 "rmp-serde",
@ -723,6 +781,12 @@ dependencies = [
 "zstd",
 ]
 [[package]]
 name = "matches"
 version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a3e378b66a060d48947b590737b30a1be76706c8dd7b8ba0f2fe3989c68a853f"
 [[package]]
 name = "md-5"
 version = "0.9.1"
@ -770,6 +834,12 @@ dependencies = [
 "tempfile",
 ]
 [[package]]
 name = "nom"
 version = "2.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf51a729ecf40266a2368ad335a5fdde43471f545a967109cd62146ecf8b66ff"
 [[package]]
 name = "num-integer"
 version = "0.1.45"
@ -1406,6 +1476,21 @@ dependencies = [
 "syn",
 ]
 [[package]]
 name = "tinyvec"
 version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
 dependencies = [
 "tinyvec_macros",
 ]
 [[package]]
 name = "tinyvec_macros"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
 [[package]]
 name = "tokio"
 version = "1.18.2"
@ -1446,6 +1531,17 @@ dependencies = [
 "tokio",
 ]
 [[package]]
 name = "tokio-stream"
 version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "50145484efff8818b5ccd256697f36863f587da82cf8b409c53adf1e840798e3"
 dependencies = [
 "futures-core",
 "pin-project-lite",
 "tokio",
 ]
 [[package]]
 name = "tokio-util"
 version = "0.7.2"
@ -1519,12 +1615,39 @@ version = "1.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dcf81ac59edc17cc8697ff311e8f5ef2d99fcbd9817b34cec66f90b6c3dfd987"
 [[package]]
 name = "unicode-bidi"
 version = "0.3.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992"
 [[package]]
 name = "unicode-ident"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d22af068fba1eb5edcb4aea19d382b2a3deb4c8f9d475c589b6ada9e0fd493ee"
 [[package]]
 name = "unicode-normalization"
 version = "0.1.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d54590932941a9e9266f0832deed84ebe1bf2e4c9e4a3554d393d18f5e854bf9"
 dependencies = [
 "tinyvec",
 ]
 [[package]]
 name = "url"
 version = "2.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a507c383b2d33b5fc35d1861e77e6b383d158b2da5e14fe51b83dfedf6fd578c"
 dependencies = [
 "form_urlencoded",
 "idna",
 "matches",
 "percent-encoding",
 ]
 [[package]]
 name = "vcpkg"
 version = "0.2.15"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -15,6 +15,8 @@ clap = { version = "3.1.18", features = ["derive", "env"] }
 hex = "0.4"
 im = "15"
 itertools = "0.10"
 ldap3 = { version = "0.10", default-features = false, features = ["tls"] }
 log = "0.4"
 pretty_env_logger = "0.4"
 rusoto_core = "0.48.0"
 rusoto_credential = "0.48.0"
--- a/src/bayou.rs
+++ b/src/bayou.rs
@ -1,6 +1,7 @@
 use std::time::{Duration, Instant};
 use anyhow::{anyhow, bail, Result};
 use log::debug;
 use rand::prelude::*;
 use serde::{Deserialize, Serialize};
 use tokio::io::AsyncReadExt;
@ -76,14 +77,14 @@ impl<S: BayouState> Bayou<S> {
    pub async fn sync(&mut self) -> Result<()> {
        // 1. List checkpoints
        let checkpoints = self.list_checkpoints().await?;
-        eprintln!("(sync) listed checkpoints: {:?}", checkpoints);
+        debug!("(sync) listed checkpoints: {:?}", checkpoints);
        // 2. Load last checkpoint if different from currently used one
        let checkpoint = if let Some((ts, key)) = checkpoints.last() {
            if *ts == self.checkpoint.0 {
                (*ts, None)
            } else {
-                eprintln!("(sync) loading checkpoint: {}", key);
+                debug!("(sync) loading checkpoint: {}", key);
                let mut gor = GetObjectRequest::default();
                gor.bucket = self.bucket.clone();
@ -94,7 +95,7 @@ impl<S: BayouState> Bayou<S> {
                let mut buf = Vec::with_capacity(obj_res.content_length.unwrap_or(128) as usize);
                obj_body.into_async_read().read_to_end(&mut buf).await?;
-                eprintln!("(sync) checkpoint body length: {}", buf.len());
+                debug!("(sync) checkpoint body length: {}", buf.len());
                let ck = open_deserialize::<S>(&buf, &self.key)?;
                (*ts, Some(ck))
@ -108,7 +109,7 @@ impl<S: BayouState> Bayou<S> {
        }
        if let Some(ck) = checkpoint.1 {
-            eprintln!(
+            debug!(
                "(sync) updating checkpoint to loaded state at {:?}",
                checkpoint.0
            );
@ -123,7 +124,7 @@ impl<S: BayouState> Bayou<S> {
        // 3. List all operations starting from checkpoint
        let ts_ser = self.checkpoint.0.serialize();
-        eprintln!("(sync) looking up operations starting at {}", ts_ser);
+        debug!("(sync) looking up operations starting at {}", ts_ser);
        let ops_map = self
            .k2v
            .read_batch(&[BatchReadOp {
@ -155,7 +156,7 @@ impl<S: BayouState> Bayou<S> {
            match &val.value[0] {
                K2vValue::Value(v) => {
                    let op = open_deserialize::<S::Op>(&v, &self.key)?;
-                    eprintln!("(sync) operation {}: {} {:?}", tsstr, base64::encode(v), op);
+                    debug!("(sync) operation {}: {} {:?}", tsstr, base64::encode(v), op);
                    ops.push((ts, op));
                }
                K2vValue::Tombstone => {
@ -164,7 +165,7 @@ impl<S: BayouState> Bayou<S> {
            }
        }
        ops.sort_by_key(|(ts, _)| *ts);
-        eprintln!("(sync) {} operations", ops.len());
+        debug!("(sync) {} operations", ops.len());
        if ops.len() < self.history.len() {
            bail!("Some operations have disappeared from storage!");
@ -239,7 +240,7 @@ impl<S: BayouState> Bayou<S> {
    pub async fn push(&mut self, op: S::Op) -> Result<()> {
        self.check_recent_sync().await?;
-        eprintln!("(push) add operation: {:?}", op);
+        debug!("(push) add operation: {:?}", op);
        let ts = Timestamp::after(
            self.history
@ -302,18 +303,18 @@ impl<S: BayouState> Bayou<S> {
        {
            Some(i) => i,
            None => {
-                eprintln!("(cp) Oldest operation is too recent to trigger checkpoint");
+                debug!("(cp) Oldest operation is too recent to trigger checkpoint");
                return Ok(());
            }
        };
        if i_cp < CHECKPOINT_MIN_OPS {
-            eprintln!("(cp) Not enough old operations to trigger checkpoint");
+            debug!("(cp) Not enough old operations to trigger checkpoint");
            return Ok(());
        }
        let ts_cp = self.history[i_cp].0;
-        eprintln!(
+        debug!(
            "(cp) we could checkpoint at time {} (index {} in history)",
            ts_cp.serialize(),
            i_cp
@ -321,13 +322,13 @@ impl<S: BayouState> Bayou<S> {
        // Check existing checkpoints: if last one is too recent, don't checkpoint again.
        let existing_checkpoints = self.list_checkpoints().await?;
-        eprintln!("(cp) listed checkpoints: {:?}", existing_checkpoints);
+        debug!("(cp) listed checkpoints: {:?}", existing_checkpoints);
        if let Some(last_cp) = existing_checkpoints.last() {
            if (ts_cp.msec as i128 - last_cp.0.msec as i128)
                < CHECKPOINT_INTERVAL.as_millis() as i128
            {
-                eprintln!(
+                debug!(
                    "(cp) last checkpoint is too recent: {}, not checkpointing",
                    last_cp.0.serialize()
                );
@ -335,7 +336,7 @@ impl<S: BayouState> Bayou<S> {
            }
        }
-        eprintln!("(cp) saving checkpoint at {}", ts_cp.serialize());
+        debug!("(cp) saving checkpoint at {}", ts_cp.serialize());
        // Calculate state at time of checkpoint
        let mut last_known_state = (0, &self.checkpoint.1);
@ -351,7 +352,7 @@ impl<S: BayouState> Bayou<S> {
        // Serialize and save checkpoint
        let cryptoblob = seal_serialize(&state_cp, &self.key)?;
-        eprintln!("(cp) checkpoint body length: {}", cryptoblob.len());
+        debug!("(cp) checkpoint body length: {}", cryptoblob.len());
        let mut por = PutObjectRequest::default();
        por.bucket = self.bucket.clone();
@ -366,7 +367,7 @@ impl<S: BayouState> Bayou<S> {
            // Delete blobs
            for (_ts, key) in existing_checkpoints[..last_to_keep].iter() {
-                eprintln!("(cp) drop old checkpoint {}", key);
+                debug!("(cp) drop old checkpoint {}", key);
                let mut dor = DeleteObjectRequest::default();
                dor.bucket = self.bucket.clone();
                dor.key = key.to_string();
--- a/src/config.rs
+++ b/src/config.rs
@ -41,8 +41,16 @@ pub struct LoginStaticUser {
 pub struct LoginLdapConfig {
    pub ldap_server: String,
-    pub search_dn: String,
+    #[serde(default)]
    pub pre_bind_on_login: bool,
    pub bind_dn: Option<String>,
    pub bind_password: Option<String>,
    pub search_base: String,
    pub username_attr: String,
    #[serde(default = "default_mail_attr")]
    pub mail_attr: String,
    pub aws_access_key_id_attr: String,
    pub aws_secret_access_key_attr: String,
    pub user_secret_attr: String,
@ -62,3 +70,7 @@ pub fn read_config(config_file: PathBuf) -> Result<Config> {
    Ok(toml::from_str(&config)?)
 }
 fn default_mail_attr() -> String {
    "mail".into()
 }
--- a/src/login/ldap_provider.rs
+++ b/src/login/ldap_provider.rs
@ -1,23 +1,181 @@
 use anyhow::Result;
 use async_trait::async_trait;
 use ldap3::{LdapConnAsync, Scope, SearchEntry};
 use log::debug;
 use rusoto_signature::Region;
 use crate::config::*;
 use crate::login::*;
 pub struct LdapLoginProvider {
-    // TODO
+    k2v_region: Region,
    s3_region: Region,
    ldap_server: String,
    pre_bind_on_login: bool,
    bind_dn_and_pw: Option<(String, String)>,
    search_base: String,
    attrs_to_retrieve: Vec<String>,
    username_attr: String,
    mail_attr: String,
    aws_access_key_id_attr: String,
    aws_secret_access_key_attr: String,
    user_secret_attr: String,
    alternate_user_secrets_attr: Option<String>,
    bucket_source: BucketSource,
 }
 enum BucketSource {
    Constant(String),
    Attr(String),
 }
 impl LdapLoginProvider {
-    pub fn new(_config: LoginLdapConfig, _k2v_region: Region, _s3_region: Region) -> Result<Self> {
+    pub fn new(config: LoginLdapConfig, k2v_region: Region, s3_region: Region) -> Result<Self> {
-        unimplemented!()
+        let bind_dn_and_pw = match (config.bind_dn, config.bind_password) {
            (Some(dn), Some(pw)) => Some((dn, pw)),
            (None, None) => None,
            _ => bail!(
                "If either of `bind_dn` or `bind_password` is set, the other must be set as well."
            ),
        };
        let bucket_source = match (config.bucket, config.bucket_attr) {
            (Some(b), None) => BucketSource::Constant(b),
            (None, Some(a)) => BucketSource::Attr(a),
            _ => bail!("Must set `bucket` or `bucket_attr`, but not both"),
        };
        if config.pre_bind_on_login && bind_dn_and_pw.is_none() {
            bail!("Cannot use `pre_bind_on_login` without setting `bind_dn` and `bind_password`");
        }
        let mut attrs_to_retrieve = vec![
            config.username_attr.clone(),
            config.mail_attr.clone(),
            config.aws_access_key_id_attr.clone(),
            config.aws_secret_access_key_attr.clone(),
            config.user_secret_attr.clone(),
        ];
        if let Some(a) = &config.alternate_user_secrets_attr {
            attrs_to_retrieve.push(a.clone());
        }
        if let BucketSource::Attr(a) = &bucket_source {
            attrs_to_retrieve.push(a.clone());
        }
        Ok(Self {
            k2v_region,
            s3_region,
            ldap_server: config.ldap_server,
            pre_bind_on_login: config.pre_bind_on_login,
            bind_dn_and_pw,
            search_base: config.search_base,
            attrs_to_retrieve,
            username_attr: config.username_attr,
            mail_attr: config.mail_attr,
            aws_access_key_id_attr: config.aws_access_key_id_attr,
            aws_secret_access_key_attr: config.aws_secret_access_key_attr,
            user_secret_attr: config.user_secret_attr,
            alternate_user_secrets_attr: config.alternate_user_secrets_attr,
            bucket_source,
        })
    }
 }
 #[async_trait]
 impl LoginProvider for LdapLoginProvider {
-    async fn login(&self, _username: &str, _password: &str) -> Result<Credentials> {
+    async fn login(&self, username: &str, password: &str) -> Result<Credentials> {
-        unimplemented!()
+        let (conn, mut ldap) = LdapConnAsync::new(&self.ldap_server).await?;
        ldap3::drive!(conn);
        if self.pre_bind_on_login {
            let (dn, pw) = self.bind_dn_and_pw.as_ref().unwrap();
            ldap.simple_bind(dn, pw).await?.success()?;
        }
        let username_is_ok = username
            .chars()
            .all(|c| c.is_alphanumeric() || "-+_.@".contains(c));
        if !username_is_ok {
            bail!("Invalid username, must contain only a-z A-Z 0-9 - + _ . @");
        }
        let (matches, _res) = ldap
            .search(
                &self.search_base,
                Scope::Subtree,
                &format!(
                    "(&(objectClass=inetOrgPerson)({}={}))",
                    self.username_attr, username
                ),
                &self.attrs_to_retrieve,
            )
            .await?
            .success()?;
        if matches.is_empty() {
            bail!("Invalid username");
        }
        if matches.len() > 1 {
            bail!("Invalid username (multiple matching accounts)");
        }
        let user = SearchEntry::construct(matches.into_iter().next().unwrap());
        debug!(
            "Found matching LDAP user for username {}: {}",
            username, user.dn
        );
        // Try to login against LDAP server with provided password
        // to check user's password
        ldap.simple_bind(&user.dn, password)
            .await?
            .success()
            .context("Invalid password")?;
        debug!("Ldap login with user name {} successfull", username);
        let get_attr = |attr: &str| -> Result<String> {
            Ok(user
                .attrs
                .get(attr)
                .ok_or(anyhow!("Missing attr: {}", attr))?
                .iter()
                .next()
                .ok_or(anyhow!("No value for attr: {}", attr))?
                .clone())
        };
        let aws_access_key_id = get_attr(&self.aws_access_key_id_attr)?;
        let aws_secret_access_key = get_attr(&self.aws_secret_access_key_attr)?;
        let bucket = match &self.bucket_source {
            BucketSource::Constant(b) => b.clone(),
            BucketSource::Attr(a) => get_attr(a)?,
        };
        let storage = StorageCredentials {
            k2v_region: self.k2v_region.clone(),
            s3_region: self.s3_region.clone(),
            aws_access_key_id,
            aws_secret_access_key,
            bucket,
        };
        let user_secret = get_attr(&self.user_secret_attr)?;
        let alternate_user_secrets = match &self.alternate_user_secrets_attr {
            None => vec![],
            Some(a) => user.attrs.get(a).cloned().unwrap_or_default(),
        };
        let user_secrets = UserSecrets {
            user_secret,
            alternate_user_secrets,
        };
        drop(ldap);
        let keys = CryptoKeys::open(&storage, &user_secrets, password).await?;
        Ok(Credentials { storage, keys })
    }
 }