Implement Search with basic filter support

2020-01-19 17:55:25 +01:00 · 2020-01-19 17:55:25 +01:00 · 4c5b3d929d
parent 67fa504e20
commit 4c5b3d929d
1 changed files with 206 additions and 6 deletions
--- a/main.go
+++ b/main.go
@ -27,6 +27,62 @@ func dnToConsul(dn string) string {
 	return strings.Join(rdns, "/")
 }

+func consulToDN(pair *consul.KVPair) (string, string, []byte) {
+	path := strings.Split(pair.Key, "/")
+	dn := ""
+	for _, cpath := range path {
+		if cpath == "" {
+			continue
+		}
+		kv := strings.Split(cpath, "=")
+		if len(kv) == 2 && kv[0] == "attribute" {
+			return dn, kv[1], pair.Value
+		}
+		if dn != "" {
+			dn = "," + dn
+		}
+		dn = cpath + dn
+	}
+	return dn, "", nil
+}
+
+func parseConsulResult(data []*consul.KVPair) (map[string]Entry, error) {
+	aggregator := map[string]Entry{}
+
+	for _, kv := range data {
+		log.Printf("%s %s", kv.Key, string(kv.Value))
+		dn, attr, val := consulToDN(kv)
+		if attr == "" || val == nil {
+			continue
+		}
+		if _, exists := aggregator[dn]; !exists {
+			aggregator[dn] = Entry{}
+		}
+		var value interface{}
+		err := json.Unmarshal(val, &value)
+		if err != nil {
+			return nil, err
+		}
+		if vlist, ok := value.([]interface{}); ok {
+			vlist2 := []string{}
+			for _, v := range vlist {
+				if vstr, ok := v.(string); ok {
+					vlist2 = append(vlist2, vstr)
+				} else {
+					return nil, fmt.Errorf("Not a string: %#v", v)
+				}
+			}
+			aggregator[dn][attr] = vlist2
+		} else if vstr, ok := value.(string); ok {
+			aggregator[dn][attr] = vstr
+		} else {
+			return nil, fmt.Errorf("Not a string or a list of strings: %#v", value)
+		}
+	}
+
+	return aggregator, nil
+}
+
 type DNComponent struct {
 	Type  string
 	Value string
@ -63,7 +119,7 @@ type State struct {
 	bindDn string
 }

-type Attributes map[string]interface{}
+type Entry map[string]interface{}

 func main() {
 	//ldap logger
@ -95,6 +151,7 @@ func main() {

 	routes := ldap.NewRouteMux()
 	routes.Bind(gobottin.handleBind)
+	routes.Search(gobottin.handleSearch)
 	ldapserver.Handle(routes)

 	// listen on 10389
@ -120,7 +177,7 @@ func (server *Server) init() error {
 		return nil
 	}

-	base_attributes := Attributes{
+	base_attributes := Entry{
 		"objectClass":           []string{"top", "dcObject", "organization"},
 		"structuralObjectClass": "Organization",
 	}
@ -141,7 +198,7 @@ func (server *Server) init() error {
 	admin_pass_hash := SSHAEncode([]byte(admin_pass_str))

 	admin_dn := "cn=admin," + server.config.Suffix
-	admin_attributes := Attributes{
+	admin_attributes := Entry{
 		"objectClass":           []string{"simpleSecurityObject", "organizationalRole"},
 		"description":           "LDAP administrator",
 		"cn":                    "admin",
@ -164,7 +221,7 @@ func (server *Server) init() error {
 	return nil
 }

-func (server *Server) addElements(dn string, attrs Attributes) error {
+func (server *Server) addElements(dn string, attrs Entry) error {
 	prefix := dnToConsul(dn)
 	for k, v := range attrs {
 		json, err := json.Marshal(v)
@ -184,7 +241,7 @@ func (server *Server) handleBind(s ldap.UserState, w ldap.ResponseWriter, m *lda
 	state := s.(*State)
 	r := m.GetBindRequest()

-	result_code, err := server.handleBindInternal(state, w, r)
+	result_code, err := server.handleBindInternal(state, w, &r)

 	res := ldap.NewBindResponse(result_code)
 	if err != nil {
@ -194,7 +251,7 @@ func (server *Server) handleBind(s ldap.UserState, w ldap.ResponseWriter, m *lda
 	w.Write(res)
 }

-func (server *Server) handleBindInternal(state *State, w ldap.ResponseWriter, r message.BindRequest) (int, error) {
+func (server *Server) handleBindInternal(state *State, w ldap.ResponseWriter, r *message.BindRequest) (int, error) {

 	pair, _, err := server.kv.Get(dnToConsul(string(r.Name()))+"/attribute=userpassword", nil)
 	if err != nil {
@ -219,3 +276,146 @@ func (server *Server) handleBindInternal(state *State, w ldap.ResponseWriter, r
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
 }
+
+func (server *Server) handleSearch(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
+	state := s.(*State)
+	r := m.GetSearchRequest()
+
+	code, err := server.handleSearchInternal(state, w, &r)
+
+	res := ldap.NewResponse(code)
+	if err != nil {
+		res.SetDiagnosticMessage(err.Error())
+	}
+	w.Write(message.SearchResultDone(res))
+}
+
+func (server *Server) handleSearchInternal(state *State, w ldap.ResponseWriter, r *message.SearchRequest) (int, error) {
+
+	log.Printf("-- SEARCH REQUEST: --")
+	log.Printf("Request BaseDn=%s", r.BaseObject())
+	log.Printf("Request Filter=%s", r.Filter())
+	log.Printf("Request FilterString=%s", r.FilterString())
+	log.Printf("Request Attributes=%s", r.Attributes())
+	log.Printf("Request TimeLimit=%d", r.TimeLimit().Int())
+
+	// TODO check authorizations
+
+	basePath := dnToConsul(string(r.BaseObject())) + "/"
+	data, _, err := server.kv.List(basePath, nil)
+	if err != nil {
+		return ldap.LDAPResultOperationsError, err
+	}
+
+	entries, err := parseConsulResult(data)
+	if err != nil {
+		return ldap.LDAPResultOperationsError, err
+	}
+	log.Printf("in %s: %#v", basePath, data)
+	log.Printf("%#v", entries)
+
+	for dn, entry := range entries {
+		// TODO filter out if no permission to read this
+		matched, err := applyFilter(entry, r.Filter())
+		if err != nil {
+			return ldap.LDAPResultOperationsError, err
+		}
+		if !matched {
+			continue
+		}
+
+		e := ldap.NewSearchResultEntry(dn)
+		for attr, val := range entry {
+			// If attribute is not in request, exclude it from returned entry
+			if len(r.Attributes()) > 0 {
+				found := false
+				for _, need := range r.Attributes() {
+					if string(need) == attr {
+						found = true
+						break
+					}
+				}
+				if !found {
+					continue
+				}
+			}
+			// Send result
+			if val_str, ok := val.(string); ok {
+				e.AddAttribute(message.AttributeDescription(attr),
+					message.AttributeValue(val_str))
+			} else if val_strlist, ok := val.([]string); ok {
+				for _, v := range val_strlist {
+					e.AddAttribute(message.AttributeDescription(attr),
+						message.AttributeValue(v))
+				}
+			} else {
+				panic(fmt.Sprintf("Invalid value: %#v", val))
+			}
+		}
+		w.Write(e)
+	}
+
+	return ldap.LDAPResultSuccess, nil
+}
+
+func applyFilter(entry Entry, filter message.Filter) (bool, error) {
+	if fAnd, ok := filter.(message.FilterAnd); ok {
+		for _, cond := range fAnd {
+			res, err := applyFilter(entry, cond)
+			if err != nil {
+				return false, err
+			}
+			if !res {
+				return false, nil
+			}
+		}
+		return true, nil
+	} else if fOr, ok := filter.(message.FilterOr); ok {
+		for _, cond := range fOr {
+			res, err := applyFilter(entry, cond)
+			if err != nil {
+				return false, err
+			}
+			if res {
+				return true, nil
+			}
+		}
+		return false, nil
+	} else if fNot, ok := filter.(message.FilterNot); ok {
+		res, err := applyFilter(entry, fNot.Filter)
+		if err != nil {
+			return false, err
+		}
+		return !res, nil
+	} else if fPresent, ok := filter.(message.FilterPresent); ok {
+		what := string(fPresent)
+		log.Printf("Present filter: %s", what)
+		if _, ok := entry[what]; ok {
+			return true, nil
+		}
+		return false, nil
+	} else if fEquality, ok := filter.(message.FilterEqualityMatch); ok {
+		desc := string(fEquality.AttributeDesc())
+		target := string(fEquality.AssertionValue())
+		if value, ok := entry[desc]; ok {
+			if vstr, ok := value.(string); ok {
+				// If we have one value for the key, match exactly
+				return vstr == target, nil
+			} else if vlist, ok := value.([]string); ok {
+				// If we have several values for the key, one must match
+				for _, val := range vlist {
+					if val == target {
+						return true, nil
+					}
+				}
+				return false, nil
+			} else {
+				panic(fmt.Sprintf("Invalid value: %#v", value))
+			}
+		} else {
+			return false, nil
+		}
+	} else {
+		return false, fmt.Errorf("Unsupported filter: %#v %T", filter, filter)
+	}
+}