From 8a605f44b017621eb2bd739d6c7c1de213d7a13f Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Sun, 26 Jan 2020 23:12:00 +0100
Subject: [PATCH] Don't do stupid things like use a dn as a pattern

Also add metadata fields in objects created on initialization

---
 acl.go | 10 ++++++++--
 gobottin.hcl.example | 2 +-
 main.go | 11 +++++++----
 read.go | 2 --
 write.go | 3 ---
 5 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/acl.go b/acl.go
index 483e8fd..ec6e4de 100644
--- a/acl.go
+++ b/acl.go
@@ -87,8 +87,14 @@ func (entry *ACLEntry) Check(login *Login, action string, target string, attribu
 }
 }
- rule_target_with_self := strings.ReplaceAll(entry.target, "SELF", login.user)
- if !match(rule_target_with_self, target) {
+ matchTarget := match(entry.target, target)
+ if !matchTarget && len(target) >= len(login.user) {
+ start := len(target) - len(login.user)
+ if target[start:] == login.user {
+ matchTarget = match(entry.target, target[:start]+"SELF")
+ }
+ }
+ if !matchTarget {
 return false
 }
diff --git a/gobottin.hcl.example b/gobottin.hcl.example
index b522245..6132f68 100644
--- a/gobottin.hcl.example
+++ b/gobottin.hcl.example
@@ -12,7 +12,7 @@ job "directory" {
 task "server" {
 driver = "docker"
 config {
- image = "lxpz/gobottin_amd64:3"
+ image = "lxpz/gobottin_amd64:5"
 readonly_rootfs = true
 port_map {
 ldap_port = 1389
diff --git a/main.go b/main.go
index 8041eab..3d2d7f2 100644
--- a/main.go
+++ b/main.go
@@ -205,6 +205,9 @@ func (server *Server) init() error {
 base_attributes := Entry{
 "objectClass": []string{"top", "dcObject", "organization"},
 "structuralObjectClass": []string{"Organization"},
+ ATTR_CREATORSNAME: []string{server.config.Suffix},
+ ATTR_CREATETIMESTAMP: []string{genTimestamp()},
+ ATTR_ENTRYUUID: []string{genUuid()},
 }
 suffix_dn, err := parseDN(server.config.Suffix)
 if err != nil {
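Review bot: The added `if !matchTarget && len(target) >= len(login.user)` branch has no guard against an empty `login.user`: for a binding whose user is `""`, `start` equals `len(target)`, the suffix test is trivially true and `target+"SELF"` is matched against the rule, which is unlikely to be what a SELF rule means for an anonymous caller (whether match() can actually be satisfied that way depends on its wildcard semantics, which are outside this hunk). Restricting the new path to authenticated users is a one-token change: `if !matchTarget && login.user != "" && len(target) >= len(login.user) {`. The suffix comparison `target[start:] == login.user` is byte-exact, so a target DN differing from `login.user` only in case or spacing of attribute types is not recognised as SELF; that fails closed, but a comment such as `// target and login.user are compared verbatim; both are expected to be normalised DNs` would make the assumption visible. It is also a plain suffix match, so `target[:start]` is not required to end on a `,` component boundary; if that matters for SELF rules, check it here. Check() starts before this hunk and continues after it.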
@@ -227,9 +230,11 @@ func (server *Server) init() error {
 "objectClass": []string{"simpleSecurityObject", "organizationalRole"},
 "description": []string{"LDAP administrator"},
 "cn": []string{"admin"},
- ATTR_USERPASSWORD: []string{admin_pass_hash},
 "structuralObjectClass": []string{"organizationalRole"},
- "permissions": []string{"read", "write"},
+ ATTR_USERPASSWORD: []string{admin_pass_hash},
+ ATTR_CREATORSNAME: []string{server.config.Suffix},
+ ATTR_CREATETIMESTAMP: []string{genTimestamp()},
+ ATTR_ENTRYUUID: []string{genUuid()},
 }
 err = server.addElements(admin_dn, admin_attributes)
@@ -373,5 +378,3 @@ func (server *Server) handleBindInternal(state *State, r *message.BindRequest) (
 }
 return ldap.LDAPResultInvalidCredentials, nil
 }
-
-
diff --git a/read.go b/read.go
index 04106c5..29ef9ed 100644
--- a/read.go
+++ b/read.go
@@ -8,7 +8,6 @@ import (
 message "github.com/vjeantet/goldap/message"
 )
-
 // Compare request -------------------------
 func (server *Server) handleCompare(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
@@ -62,7 +61,6 @@ func (server *Server) handleCompareInternal(state *State, r *message.CompareRequ
 return ldap.LDAPResultCompareFalse, nil
 }
-
 // Search request -------------------------
 func (server *Server) handleSearch(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
diff --git a/write.go b/write.go
index f86423a..868761f 100644
--- a/write.go
+++ b/write.go
@@ -8,7 +8,6 @@ import (
 message "github.com/vjeantet/goldap/message"
 )
-
 // Add request ------------------------
 func (server *Server) handleAdd(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
@@ -149,7 +148,6 @@ func (server *Server) handleAddInternal(state *State, r *message.AddRequest) (in
 return ldap.LDAPResultSuccess, nil
 }
-
 // Delete request ------------------------
 func (server *Server) handleDelete(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {
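Review bot: The `"permissions": []string{"read", "write"}` attribute on the admin entry is removed without a replacement, and the commit message only mentions adding metadata fields; if anything still reads that attribute to derive the administrator's rights, this silently changes them, so either keep the line or state the removal (and why it is safe) in the message. The three `ATTR_CREATORSNAME`/`ATTR_CREATETIMESTAMP`/`ATTR_ENTRYUUID` lines duplicate the block added to `base_attributes` earlier in the same function; a small helper such as `func (server *Server) creationMetadata() Entry` returning those three keys would keep both bootstrap entries in step. Setting `ATTR_CREATORSNAME` to `server.config.Suffix` records the base DN rather than a principal as the creator, which is presumably deliberate for entries created at initialization but deserves a one-line comment saying so. init() begins and ends outside this hunk.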
@@ -279,7 +277,6 @@ func (server *Server) handleDeleteInternal(state *State, r *message.DelRequest)
 return ldap.LDAPResultSuccess, nil
 }
-
 // Modify request ------------------------
 func (server *Server) handleModify(s ldap.UserState, w ldap.ResponseWriter, m *ldap.Message) {