Implement Search with basic filter support
This commit is contained in:
parent
67fa504e20
commit
4c5b3d929d
1 changed files with 206 additions and 6 deletions
212
main.go
212
main.go
|
@ -27,6 +27,62 @@ func dnToConsul(dn string) string {
|
||||||
return strings.Join(rdns, "/")
|
return strings.Join(rdns, "/")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func consulToDN(pair *consul.KVPair) (string, string, []byte) {
|
||||||
|
path := strings.Split(pair.Key, "/")
|
||||||
|
dn := ""
|
||||||
|
for _, cpath := range path {
|
||||||
|
if cpath == "" {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
kv := strings.Split(cpath, "=")
|
||||||
|
if len(kv) == 2 && kv[0] == "attribute" {
|
||||||
|
return dn, kv[1], pair.Value
|
||||||
|
}
|
||||||
|
if dn != "" {
|
||||||
|
dn = "," + dn
|
||||||
|
}
|
||||||
|
dn = cpath + dn
|
||||||
|
}
|
||||||
|
return dn, "", nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func parseConsulResult(data []*consul.KVPair) (map[string]Entry, error) {
|
||||||
|
aggregator := map[string]Entry{}
|
||||||
|
|
||||||
|
for _, kv := range data {
|
||||||
|
log.Printf("%s %s", kv.Key, string(kv.Value))
|
||||||
|
dn, attr, val := consulToDN(kv)
|
||||||
|
if attr == "" || val == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if _, exists := aggregator[dn]; !exists {
|
||||||
|
aggregator[dn] = Entry{}
|
||||||
|
}
|
||||||
|
var value interface{}
|
||||||
|
err := json.Unmarshal(val, &value)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if vlist, ok := value.([]interface{}); ok {
|
||||||
|
vlist2 := []string{}
|
||||||
|
for _, v := range vlist {
|
||||||
|
if vstr, ok := v.(string); ok {
|
||||||
|
vlist2 = append(vlist2, vstr)
|
||||||
|
} else {
|
||||||
|
return nil, fmt.Errorf("Not a string: %#v", v)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
aggregator[dn][attr] = vlist2
|
||||||
|
} else if vstr, ok := value.(string); ok {
|
||||||
|
aggregator[dn][attr] = vstr
|
||||||
|
} else {
|
||||||
|
return nil, fmt.Errorf("Not a string or a list of strings: %#v", value)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return aggregator, nil
|
||||||
|
}
|
||||||
|
|
||||||
type DNComponent struct {
|
type DNComponent struct {
|
||||||
Type string
|
Type string
|
||||||
Value string
|
Value string
|
||||||
|
@ -63,7 +119,7 @@ type State struct {
|
||||||
bindDn string
|
bindDn string
|
||||||
}
|
}
|
||||||
|
|
||||||
type Attributes map[string]interface{}
|
type Entry map[string]interface{}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
//ldap logger
|
//ldap logger
|
||||||
|
@ -95,6 +151,7 @@ func main() {
|
||||||
|
|
||||||
routes := ldap.NewRouteMux()
|
routes := ldap.NewRouteMux()
|
||||||
routes.Bind(gobottin.handleBind)
|
routes.Bind(gobottin.handleBind)
|
||||||
|
routes.Search(gobottin.handleSearch)
|
||||||
ldapserver.Handle(routes)
|
ldapserver.Handle(routes)
|
||||||
|
|
||||||
// listen on 10389
|
// listen on 10389
|
||||||
|
@ -120,7 +177,7 @@ func (server *Server) init() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
base_attributes := Attributes{
|
base_attributes := Entry{
|
||||||
"objectClass": []string{"top", "dcObject", "organization"},
|
"objectClass": []string{"top", "dcObject", "organization"},
|
||||||
"structuralObjectClass": "Organization",
|
"structuralObjectClass": "Organization",
|
||||||
}
|
}
|
||||||
|
@ -141,7 +198,7 @@ func (server *Server) init() error {
|
||||||
admin_pass_hash := SSHAEncode([]byte(admin_pass_str))
|
admin_pass_hash := SSHAEncode([]byte(admin_pass_str))
|
||||||
|
|
||||||
admin_dn := "cn=admin," + server.config.Suffix
|
admin_dn := "cn=admin," + server.config.Suffix
|
||||||
admin_attributes := Attributes{
|
admin_attributes := Entry{
|
||||||
"objectClass": []string{"simpleSecurityObject", "organizationalRole"},
|
"objectClass": []string{"simpleSecurityObject", "organizationalRole"},
|
||||||
"description": "LDAP administrator",
|
"description": "LDAP administrator",
|
||||||
"cn": "admin",
|
"cn": "admin",
|
||||||
|
@ -164,7 +221,7 @@ func (server *Server) init() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (server *Server) addElements(dn string, attrs Attributes) error {
|
func (server *Server) addElements(dn string, attrs Entry) error {
|
||||||
prefix := dnToConsul(dn)
|
prefix := dnToConsul(dn)
|
||||||
for k, v := range attrs {
|
for k, v := range attrs {
|
||||||
json, err := json.Marshal(v)
|
json, err := json.Marshal(v)
|
||||||
|
@ -184,7 +241,7 @@ func (server *Server) handleBind(s ldap.UserState, w ldap.ResponseWriter, m *lda
|
||||||
state := s.(*State)
|
state := s.(*State)
|
||||||
r := m.GetBindRequest()
|
r := m.GetBindRequest()
|
||||||
|
|
||||||
result_code, err := server.handleBindInternal(state, w, r)
|
result_code, err := server.handleBindInternal(state, w, &r)
|
||||||
|
|
||||||
res := ldap.NewBindResponse(result_code)
|
res := ldap.NewBindResponse(result_code)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -194,7 +251,7 @@ func (server *Server) handleBind(s ldap.UserState, w ldap.ResponseWriter, m *lda
|
||||||
w.Write(res)
|
w.Write(res)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (server *Server) handleBindInternal(state *State, w ldap.ResponseWriter, r message.BindRequest) (int, error) {
|
func (server *Server) handleBindInternal(state *State, w ldap.ResponseWriter, r *message.BindRequest) (int, error) {
|
||||||
|
|
||||||
pair, _, err := server.kv.Get(dnToConsul(string(r.Name()))+"/attribute=userpassword", nil)
|
pair, _, err := server.kv.Get(dnToConsul(string(r.Name()))+"/attribute=userpassword", nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -219,3 +276,146 @@ func (server *Server) handleBindInternal(state *State, w ldap.ResponseWriter, r
|
||||||
return ldap.LDAPResultInvalidCredentials, nil
|
return ldap.LDAPResultInvalidCredentials, nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (server *Server) handleSearch(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
|
||||||
|
state := s.(*State)
|
||||||
|
r := m.GetSearchRequest()
|
||||||
|
|
||||||
|
code, err := server.handleSearchInternal(state, w, &r)
|
||||||
|
|
||||||
|
res := ldap.NewResponse(code)
|
||||||
|
if err != nil {
|
||||||
|
res.SetDiagnosticMessage(err.Error())
|
||||||
|
}
|
||||||
|
w.Write(message.SearchResultDone(res))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (server *Server) handleSearchInternal(state *State, w ldap.ResponseWriter, r *message.SearchRequest) (int, error) {
|
||||||
|
|
||||||
|
log.Printf("-- SEARCH REQUEST: --")
|
||||||
|
log.Printf("Request BaseDn=%s", r.BaseObject())
|
||||||
|
log.Printf("Request Filter=%s", r.Filter())
|
||||||
|
log.Printf("Request FilterString=%s", r.FilterString())
|
||||||
|
log.Printf("Request Attributes=%s", r.Attributes())
|
||||||
|
log.Printf("Request TimeLimit=%d", r.TimeLimit().Int())
|
||||||
|
|
||||||
|
// TODO check authorizations
|
||||||
|
|
||||||
|
basePath := dnToConsul(string(r.BaseObject())) + "/"
|
||||||
|
data, _, err := server.kv.List(basePath, nil)
|
||||||
|
if err != nil {
|
||||||
|
return ldap.LDAPResultOperationsError, err
|
||||||
|
}
|
||||||
|
|
||||||
|
entries, err := parseConsulResult(data)
|
||||||
|
if err != nil {
|
||||||
|
return ldap.LDAPResultOperationsError, err
|
||||||
|
}
|
||||||
|
log.Printf("in %s: %#v", basePath, data)
|
||||||
|
log.Printf("%#v", entries)
|
||||||
|
|
||||||
|
for dn, entry := range entries {
|
||||||
|
// TODO filter out if no permission to read this
|
||||||
|
matched, err := applyFilter(entry, r.Filter())
|
||||||
|
if err != nil {
|
||||||
|
return ldap.LDAPResultOperationsError, err
|
||||||
|
}
|
||||||
|
if !matched {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
e := ldap.NewSearchResultEntry(dn)
|
||||||
|
for attr, val := range entry {
|
||||||
|
// If attribute is not in request, exclude it from returned entry
|
||||||
|
if len(r.Attributes()) > 0 {
|
||||||
|
found := false
|
||||||
|
for _, need := range r.Attributes() {
|
||||||
|
if string(need) == attr {
|
||||||
|
found = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !found {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// Send result
|
||||||
|
if val_str, ok := val.(string); ok {
|
||||||
|
e.AddAttribute(message.AttributeDescription(attr),
|
||||||
|
message.AttributeValue(val_str))
|
||||||
|
} else if val_strlist, ok := val.([]string); ok {
|
||||||
|
for _, v := range val_strlist {
|
||||||
|
e.AddAttribute(message.AttributeDescription(attr),
|
||||||
|
message.AttributeValue(v))
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
panic(fmt.Sprintf("Invalid value: %#v", val))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
w.Write(e)
|
||||||
|
}
|
||||||
|
|
||||||
|
return ldap.LDAPResultSuccess, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func applyFilter(entry Entry, filter message.Filter) (bool, error) {
|
||||||
|
if fAnd, ok := filter.(message.FilterAnd); ok {
|
||||||
|
for _, cond := range fAnd {
|
||||||
|
res, err := applyFilter(entry, cond)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
if !res {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true, nil
|
||||||
|
} else if fOr, ok := filter.(message.FilterOr); ok {
|
||||||
|
for _, cond := range fOr {
|
||||||
|
res, err := applyFilter(entry, cond)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
if res {
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false, nil
|
||||||
|
} else if fNot, ok := filter.(message.FilterNot); ok {
|
||||||
|
res, err := applyFilter(entry, fNot.Filter)
|
||||||
|
if err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
return !res, nil
|
||||||
|
} else if fPresent, ok := filter.(message.FilterPresent); ok {
|
||||||
|
what := string(fPresent)
|
||||||
|
log.Printf("Present filter: %s", what)
|
||||||
|
if _, ok := entry[what]; ok {
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
return false, nil
|
||||||
|
} else if fEquality, ok := filter.(message.FilterEqualityMatch); ok {
|
||||||
|
desc := string(fEquality.AttributeDesc())
|
||||||
|
target := string(fEquality.AssertionValue())
|
||||||
|
if value, ok := entry[desc]; ok {
|
||||||
|
if vstr, ok := value.(string); ok {
|
||||||
|
// If we have one value for the key, match exactly
|
||||||
|
return vstr == target, nil
|
||||||
|
} else if vlist, ok := value.([]string); ok {
|
||||||
|
// If we have several values for the key, one must match
|
||||||
|
for _, val := range vlist {
|
||||||
|
if val == target {
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false, nil
|
||||||
|
} else {
|
||||||
|
panic(fmt.Sprintf("Invalid value: %#v", value))
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return false, fmt.Errorf("Unsupported filter: %#v %T", filter, filter)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue