A cloud-native LDAP server backed by a Consul datastore
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

240 lines
6.2 KiB

package main
import (
"fmt"
"strings"
ldap "bottin/ldapserver"
message "github.com/lor00x/goldap/message"
)
// Compare request -------------------------
func (server *Server) handleCompare(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
state := s.(*State)
r := m.GetCompareRequest()
code, err := server.handleCompareInternal(state, &r)
res := ldap.NewResponse(code)
if err != nil {
res.SetDiagnosticMessage(err.Error())
}
w.Write(message.CompareResponse(res))
}
func (server *Server) handleCompareInternal(state *State, r *message.CompareRequest) (int, error) {
attr := string(r.Ava().AttributeDesc())
expected := string(r.Ava().AssertionValue())
dn, err := server.checkDN(string(r.Entry()), false)
if err != nil {
return ldap.LDAPResultInvalidDNSyntax, err
}
// Check permissions
if !server.config.Acl.Check(&state.login, dn, "read", []string{attr}) {
return ldap.LDAPResultInsufficientAccessRights, nil
}
// Do query
exists, err := server.objectExists(dn)
if err != nil {
return ldap.LDAPResultOperationsError, err
}
if !exists {
return ldap.LDAPResultNoSuchObject, fmt.Errorf("Not found: %s", dn)
}
values, err := server.getAttribute(dn, attr)
if err != nil {
return ldap.LDAPResultOperationsError, err
}
for _, v := range values {
if valueMatch(attr, v, expected) {
return ldap.LDAPResultCompareTrue, nil
}
}
return ldap.LDAPResultCompareFalse, nil
}
// Search request -------------------------
func (server *Server) handleSearch(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
state := s.(*State)
r := m.GetSearchRequest()
code, err := server.handleSearchInternal(state, w, &r)
res := ldap.NewResponse(code)
if err != nil {
res.SetDiagnosticMessage(err.Error())
}
if code != ldap.LDAPResultSuccess {
server.logger.Printf("Failed to do search %#v (%s)", r, err)
}
w.Write(message.SearchResultDone(res))
}
func (server *Server) handleSearchInternal(state *State, w ldap.ResponseWriter, r *message.SearchRequest) (int, error) {
baseObject, err := server.checkDN(string(r.BaseObject()), true)
if err != nil {
return ldap.LDAPResultInvalidDNSyntax, err
}
server.logger.Tracef("-- SEARCH REQUEST: --")
server.logger.Tracef("Request BaseDn=%s", baseObject)
server.logger.Tracef("Request Filter=%s", r.Filter())
server.logger.Tracef("Request FilterString=%s", r.FilterString())
server.logger.Tracef("Request Attributes=%s", r.Attributes())
server.logger.Tracef("Request TimeLimit=%d", r.TimeLimit().Int())
if !server.config.Acl.Check(&state.login, "read", baseObject, []string{}) {
return ldap.LDAPResultInsufficientAccessRights, fmt.Errorf("Please specify a base object on which you have read rights")
}
baseObjectLevel := len(strings.Split(baseObject, ","))
basePath, err := dnToConsul(baseObject)
if err != nil {
return ldap.LDAPResultInvalidDNSyntax, err
}
if r.Scope() == message.SearchRequestScopeBaseObject {
basePath += "/attribute="
} else {
basePath += "/"
}
data, _, err := server.kv.List(basePath, nil)
if err != nil {
return ldap.LDAPResultOperationsError, err
}
entries, err := parseConsulResult(data)
if err != nil {
return ldap.LDAPResultOperationsError, err
}
server.logger.Tracef("in %s: %#v", basePath, data)
server.logger.Tracef("%#v", entries)
for dn, entry := range entries {
if r.Scope() == message.SearchRequestScopeBaseObject {
if dn != baseObject {
continue
}
} else if r.Scope() == message.SearchRequestSingleLevel {
objectLevel := len(strings.Split(dn, ","))
if objectLevel != baseObjectLevel+1 {
continue
}
}
// Filter out if we don't match requested filter
matched, err := applyFilter(entry, r.Filter())
if err != nil {
return ldap.LDAPResultUnwillingToPerform, err
}
if !matched {
continue
}
// Filter out if user is not allowed to read this
if !server.config.Acl.Check(&state.login, "read", dn, []string{}) {
continue
}
e := ldap.NewSearchResultEntry(dn)
for attr, val := range entry {
// If attribute is not in request, exclude it from returned entry
if len(r.Attributes()) > 0 {
found := false
for _, requested := range r.Attributes() {
if string(requested) == "1.1" && len(r.Attributes()) == 1 {
break
}
if string(requested) == "*" || strings.EqualFold(string(requested), attr) {
found = true
break
}
}
if !found {
continue
}
}
// If we are not allowed to read attribute, exclude it from returned entry
if !server.config.Acl.Check(&state.login, "read", dn, []string{attr}) {
continue
}
// Send result
for _, v := range val {
e.AddAttribute(message.AttributeDescription(attr),
message.AttributeValue(v))
}
}
w.Write(e)
}
return ldap.LDAPResultSuccess, nil
}
func applyFilter(entry Entry, filter message.Filter) (bool, error) {
if fAnd, ok := filter.(message.FilterAnd); ok {
for _, cond := range fAnd {
res, err := applyFilter(entry, cond)
if err != nil {
return false, err
}
if !res {
return false, nil
}
}
return true, nil
} else if fOr, ok := filter.(message.FilterOr); ok {
for _, cond := range fOr {
res, err := applyFilter(entry, cond)
if err != nil {
return false, err
}
if res {
return true, nil
}
}
return false, nil
} else if fNot, ok := filter.(message.FilterNot); ok {
res, err := applyFilter(entry, fNot.Filter)
if err != nil {
return false, err
}
return !res, nil
} else if fPresent, ok := filter.(message.FilterPresent); ok {
what := string(fPresent)
// Case insensitive search
for desc, values := range entry {
if strings.EqualFold(what, desc) {
return len(values) > 0, nil
}
}
return false, nil
} else if fEquality, ok := filter.(message.FilterEqualityMatch); ok {
desc := string(fEquality.AttributeDesc())
target := string(fEquality.AssertionValue())
// Case insensitive attribute search
for entry_desc, value := range entry {
if strings.EqualFold(entry_desc, desc) {
for _, val := range value {
if valueMatch(entry_desc, val, target) {
return true, nil
}
}
return false, nil
}
}
return false, nil
} else {
return false, fmt.Errorf("Unsupported filter: %#v %T", filter, filter)
}
}