2015-08-16 14:31:54 +08:00
// Copyright 2014 The Gogs Authors. All rights reserved.
2020-09-10 23:30:07 +08:00
// Copyright 2020 The Gitea Authors. All rights reserved.
2014-04-23 00:55:27 +08:00
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
2015-08-16 14:31:54 +08:00
// Package ldap provide functions & structure to query a LDAP ldap directory
2014-04-23 00:55:27 +08:00
// For now, it's mainly tested again an MS Active Directory service, see README.md for more information
package ldap
import (
2015-09-15 03:48:51 +08:00
"crypto/tls"
2014-04-23 00:55:27 +08:00
"fmt"
2015-10-27 09:08:59 +08:00
"strings"
2014-05-03 10:48:14 +08:00
2016-11-11 00:24:48 +08:00
"code.gitea.io/gitea/modules/log"
2019-02-18 20:34:37 +08:00
2020-10-16 03:27:33 +08:00
"github.com/go-ldap/ldap/v3"
2014-04-23 00:55:27 +08:00
)
2016-11-27 14:03:59 +08:00
// SecurityProtocol protocol type
2016-07-08 07:25:09 +08:00
type SecurityProtocol int
// Note: new type must be added at the end of list to maintain compatibility.
const (
2016-11-08 00:38:43 +08:00
SecurityProtocolUnencrypted SecurityProtocol = iota
2016-11-08 04:58:22 +08:00
SecurityProtocolLDAPS
SecurityProtocolStartTLS
2016-07-08 07:25:09 +08:00
)
2016-11-27 14:03:59 +08:00
// Source Basic LDAP authentication service
2015-09-15 03:48:51 +08:00
type Source struct {
2018-05-24 12:59:02 +08:00
Name string // canonical name (ie. corporate.ad)
Host string // LDAP host
Port int // port number
SecurityProtocol SecurityProtocol
SkipVerify bool
BindDN string // DN to bind with
BindPassword string // Bind DN password
UserBase string // Base search path for users
UserDN string // Template for the DN of the user for simple auth
AttributeUsername string // Username attribute
AttributeName string // First name attribute
AttributeSurname string // Surname attribute
AttributeMail string // E-mail attribute
AttributesInBind bool // fetch attributes in bind context (not user)
AttributeSSHPublicKey string // LDAP SSH Public Key attribute
SearchPageSize uint32 // Search with paging page size
Filter string // Query filter to validate entry
AdminFilter string // Query filter to check if user is admin
2020-03-05 14:30:33 +08:00
RestrictedFilter string // Query filter to check if user is restricted
2018-05-24 12:59:02 +08:00
Enabled bool // if this source is disabled
2020-01-20 11:47:39 +08:00
AllowDeactivateAll bool // Allow an empty search response to deactivate all users from this source
2020-09-10 23:30:07 +08:00
GroupsEnabled bool // if the group checking is enabled
GroupDN string // Group Search Base
GroupFilter string // Group Name Filter
GroupMemberUID string // Group Attribute containing array of UserUID
UserUID string // User Attribute listed in Group
2014-04-23 00:55:27 +08:00
}
2017-05-10 21:10:18 +08:00
// SearchResult : user data
type SearchResult struct {
2018-05-24 12:59:02 +08:00
Username string // Username
Name string // Name
Surname string // Surname
Mail string // E-mail address
SSHPublicKey [ ] string // SSH Public Key
IsAdmin bool // if user is administrator
2020-03-05 14:30:33 +08:00
IsRestricted bool // if user is restricted
2017-05-10 21:10:18 +08:00
}
2015-10-27 09:08:59 +08:00
func ( ls * Source ) sanitizedUserQuery ( username string ) ( string , bool ) {
// See http://tools.ietf.org/search/rfc4515
badCharacters := "\x00()*\\"
if strings . ContainsAny ( username , badCharacters ) {
log . Debug ( "'%s' contains invalid query characters. Aborting." , username )
return "" , false
}
return fmt . Sprintf ( ls . Filter , username ) , true
}
func ( ls * Source ) sanitizedUserDN ( username string ) ( string , bool ) {
// See http://tools.ietf.org/search/rfc4514: "special characters"
2017-11-13 17:32:16 +08:00
badCharacters := "\x00()*\\,='\"#+;<>"
2015-10-27 09:08:59 +08:00
if strings . ContainsAny ( username , badCharacters ) {
log . Debug ( "'%s' contains invalid DN characters. Aborting." , username )
return "" , false
}
return fmt . Sprintf ( ls . UserDN , username ) , true
}
2020-09-10 23:30:07 +08:00
func ( ls * Source ) sanitizedGroupFilter ( group string ) ( string , bool ) {
// See http://tools.ietf.org/search/rfc4515
badCharacters := "\x00*\\"
if strings . ContainsAny ( group , badCharacters ) {
log . Trace ( "Group filter invalid query characters: %s" , group )
return "" , false
}
return group , true
}
func ( ls * Source ) sanitizedGroupDN ( groupDn string ) ( string , bool ) {
// See http://tools.ietf.org/search/rfc4514: "special characters"
badCharacters := "\x00()*\\'\"#+;<>"
if strings . ContainsAny ( groupDn , badCharacters ) || strings . HasPrefix ( groupDn , " " ) || strings . HasSuffix ( groupDn , " " ) {
log . Trace ( "Group DN contains invalid query characters: %s" , groupDn )
return "" , false
}
return groupDn , true
}
2016-02-16 18:58:00 +08:00
func ( ls * Source ) findUserDN ( l * ldap . Conn , name string ) ( string , bool ) {
2015-08-13 07:58:27 +08:00
log . Trace ( "Search for LDAP user: %s" , name )
// A search for the user.
2015-10-27 09:08:59 +08:00
userFilter , ok := ls . sanitizedUserQuery ( name )
if ! ok {
return "" , false
}
2016-02-16 19:36:40 +08:00
log . Trace ( "Searching for DN using filter %s and base %s" , userFilter , ls . UserBase )
2015-08-13 07:58:27 +08:00
search := ldap . NewSearchRequest (
ls . UserBase , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 ,
false , userFilter , [ ] string { } , nil )
// Ensure we found a user
sr , err := l . Search ( search )
if err != nil || len ( sr . Entries ) < 1 {
2015-08-18 04:03:11 +08:00
log . Debug ( "Failed search using filter[%s]: %v" , userFilter , err )
2015-08-16 14:31:54 +08:00
return "" , false
2015-08-13 07:58:27 +08:00
} else if len ( sr . Entries ) > 1 {
log . Debug ( "Filter '%s' returned more than one user." , userFilter )
2015-08-16 14:31:54 +08:00
return "" , false
2014-04-23 00:55:27 +08:00
}
2015-08-13 07:58:27 +08:00
2015-08-16 14:31:54 +08:00
userDN := sr . Entries [ 0 ] . DN
2015-08-13 07:58:27 +08:00
if userDN == "" {
2019-04-02 15:48:31 +08:00
log . Error ( "LDAP search was successful, but found no DN!" )
2015-08-16 14:31:54 +08:00
return "" , false
2015-08-13 07:58:27 +08:00
}
2015-08-16 14:31:54 +08:00
return userDN , true
2014-04-23 00:55:27 +08:00
}
2016-07-08 07:25:09 +08:00
func dial ( ls * Source ) ( * ldap . Conn , error ) {
log . Trace ( "Dialing LDAP with security protocol (%v) without verifying: %v" , ls . SecurityProtocol , ls . SkipVerify )
tlsCfg := & tls . Config {
ServerName : ls . Host ,
InsecureSkipVerify : ls . SkipVerify ,
}
2016-11-08 04:58:22 +08:00
if ls . SecurityProtocol == SecurityProtocolLDAPS {
2016-07-08 07:25:09 +08:00
return ldap . DialTLS ( "tcp" , fmt . Sprintf ( "%s:%d" , ls . Host , ls . Port ) , tlsCfg )
}
conn , err := ldap . Dial ( "tcp" , fmt . Sprintf ( "%s:%d" , ls . Host , ls . Port ) )
if err != nil {
return nil , fmt . Errorf ( "Dial: %v" , err )
}
2016-11-08 04:58:22 +08:00
if ls . SecurityProtocol == SecurityProtocolStartTLS {
2016-07-08 07:25:09 +08:00
if err = conn . StartTLS ( tlsCfg ) ; err != nil {
conn . Close ( )
return nil , fmt . Errorf ( "StartTLS: %v" , err )
}
}
return conn , nil
}
func bindUser ( l * ldap . Conn , userDN , passwd string ) error {
log . Trace ( "Binding with userDN: %s" , userDN )
err := l . Bind ( userDN , passwd )
if err != nil {
log . Debug ( "LDAP auth. failed for %s, reason: %v" , userDN , err )
return err
}
log . Trace ( "Bound successfully with userDN: %s" , userDN )
return err
}
2017-05-10 21:10:18 +08:00
func checkAdmin ( l * ldap . Conn , ls * Source , userDN string ) bool {
2020-03-05 14:30:33 +08:00
if len ( ls . AdminFilter ) == 0 {
return false
}
log . Trace ( "Checking admin with filter %s and base %s" , ls . AdminFilter , userDN )
search := ldap . NewSearchRequest (
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , ls . AdminFilter ,
[ ] string { ls . AttributeName } ,
nil )
2017-05-10 21:10:18 +08:00
2020-03-05 14:30:33 +08:00
sr , err := l . Search ( search )
2017-05-10 21:10:18 +08:00
2020-03-05 14:30:33 +08:00
if err != nil {
log . Error ( "LDAP Admin Search failed unexpectedly! (%v)" , err )
} else if len ( sr . Entries ) < 1 {
log . Trace ( "LDAP Admin Search found no matching entries." )
} else {
return true
}
return false
}
func checkRestricted ( l * ldap . Conn , ls * Source , userDN string ) bool {
if len ( ls . RestrictedFilter ) == 0 {
return false
}
if ls . RestrictedFilter == "*" {
return true
}
log . Trace ( "Checking restricted with filter %s and base %s" , ls . RestrictedFilter , userDN )
search := ldap . NewSearchRequest (
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , ls . RestrictedFilter ,
[ ] string { ls . AttributeName } ,
nil )
sr , err := l . Search ( search )
if err != nil {
log . Error ( "LDAP Restrictred Search failed unexpectedly! (%v)" , err )
} else if len ( sr . Entries ) < 1 {
log . Trace ( "LDAP Restricted Search found no matching entries." )
} else {
return true
2017-05-10 21:10:18 +08:00
}
return false
}
2016-11-27 14:03:59 +08:00
// SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
2017-05-10 21:10:18 +08:00
func ( ls * Source ) SearchEntry ( name , passwd string , directBind bool ) * SearchResult {
2016-12-12 08:46:51 +08:00
// See https://tools.ietf.org/search/rfc4513#section-5.1.2
if len ( passwd ) == 0 {
2019-04-02 15:48:31 +08:00
log . Debug ( "Auth. failed for %s, password cannot be empty" , name )
2017-05-10 21:10:18 +08:00
return nil
2016-12-12 08:46:51 +08:00
}
2016-07-08 07:25:09 +08:00
l , err := dial ( ls )
2016-02-16 18:58:00 +08:00
if err != nil {
2019-04-02 15:48:31 +08:00
log . Error ( "LDAP Connect error, %s:%v" , ls . Host , err )
2016-02-16 18:58:00 +08:00
ls . Enabled = false
2017-05-10 21:10:18 +08:00
return nil
2016-02-16 18:58:00 +08:00
}
defer l . Close ( )
2015-09-05 11:39:23 +08:00
var userDN string
if directBind {
2015-09-17 00:15:14 +08:00
log . Trace ( "LDAP will bind directly via UserDN template: %s" , ls . UserDN )
2015-10-27 09:08:59 +08:00
var ok bool
userDN , ok = ls . sanitizedUserDN ( name )
2018-12-28 00:51:19 +08:00
2015-10-27 09:08:59 +08:00
if ! ok {
2017-05-10 21:10:18 +08:00
return nil
2015-10-27 09:08:59 +08:00
}
2018-12-28 00:51:19 +08:00
err = bindUser ( l , userDN , passwd )
if err != nil {
return nil
}
if ls . UserBase != "" {
// not everyone has a CN compatible with input name so we need to find
// the real userDN in that case
userDN , ok = ls . findUserDN ( l , name )
if ! ok {
return nil
}
}
2015-09-05 11:39:23 +08:00
} else {
log . Trace ( "LDAP will use BindDN." )
var found bool
2018-12-28 00:51:19 +08:00
if ls . BindDN != "" && ls . BindPassword != "" {
err := l . Bind ( ls . BindDN , ls . BindPassword )
if err != nil {
log . Debug ( "Failed to bind as BindDN[%s]: %v" , ls . BindDN , err )
return nil
}
log . Trace ( "Bound as BindDN %s" , ls . BindDN )
} else {
log . Trace ( "Proceeding with anonymous LDAP search." )
}
2016-02-16 18:58:00 +08:00
userDN , found = ls . findUserDN ( l , name )
2015-09-05 11:39:23 +08:00
if ! found {
2017-05-10 21:10:18 +08:00
return nil
2015-09-05 11:39:23 +08:00
}
2015-08-13 07:58:27 +08:00
}
2018-12-28 00:51:19 +08:00
if ! ls . AttributesInBind {
2016-02-16 19:33:16 +08:00
// binds user (checking password) before looking-up attributes in user context
err = bindUser ( l , userDN , passwd )
if err != nil {
2017-05-10 21:10:18 +08:00
return nil
2016-02-16 19:33:16 +08:00
}
2014-04-23 00:55:27 +08:00
}
2015-10-27 09:08:59 +08:00
userFilter , ok := ls . sanitizedUserQuery ( name )
if ! ok {
2017-05-10 21:10:18 +08:00
return nil
2015-10-27 09:08:59 +08:00
}
2019-01-24 07:25:33 +08:00
var isAttributeSSHPublicKeySet = len ( strings . TrimSpace ( ls . AttributeSSHPublicKey ) ) > 0
attribs := [ ] string { ls . AttributeUsername , ls . AttributeName , ls . AttributeSurname , ls . AttributeMail }
2020-09-10 23:30:07 +08:00
if len ( strings . TrimSpace ( ls . UserUID ) ) > 0 {
attribs = append ( attribs , ls . UserUID )
}
2019-01-24 07:25:33 +08:00
if isAttributeSSHPublicKeySet {
attribs = append ( attribs , ls . AttributeSSHPublicKey )
}
2020-09-10 23:30:07 +08:00
log . Trace ( "Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v' with filter '%s' and base '%s'" , ls . AttributeUsername , ls . AttributeName , ls . AttributeSurname , ls . AttributeMail , ls . AttributeSSHPublicKey , ls . UserUID , userFilter , userDN )
2014-09-08 08:04:47 +08:00
search := ldap . NewSearchRequest (
2015-08-13 07:58:27 +08:00
userDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , userFilter ,
2019-01-24 07:25:33 +08:00
attribs , nil )
2015-08-13 07:58:27 +08:00
2014-04-23 00:55:27 +08:00
sr , err := l . Search ( search )
if err != nil {
2019-04-02 15:48:31 +08:00
log . Error ( "LDAP Search failed unexpectedly! (%v)" , err )
2017-05-10 21:10:18 +08:00
return nil
2015-08-13 07:58:27 +08:00
} else if len ( sr . Entries ) < 1 {
2015-09-05 11:39:23 +08:00
if directBind {
2019-01-20 03:57:27 +08:00
log . Trace ( "User filter inhibited user login." )
2015-09-05 11:39:23 +08:00
} else {
2019-01-20 03:57:27 +08:00
log . Trace ( "LDAP Search found no matching entries." )
2015-09-05 11:39:23 +08:00
}
2017-05-10 21:10:18 +08:00
return nil
2014-04-23 00:55:27 +08:00
}
2015-08-13 07:58:27 +08:00
2019-01-24 07:25:33 +08:00
var sshPublicKey [ ] string
2016-07-12 07:07:57 +08:00
username := sr . Entries [ 0 ] . GetAttributeValue ( ls . AttributeUsername )
firstname := sr . Entries [ 0 ] . GetAttributeValue ( ls . AttributeName )
surname := sr . Entries [ 0 ] . GetAttributeValue ( ls . AttributeSurname )
mail := sr . Entries [ 0 ] . GetAttributeValue ( ls . AttributeMail )
2020-09-10 23:30:07 +08:00
uid := sr . Entries [ 0 ] . GetAttributeValue ( ls . UserUID )
// Check group membership
if ls . GroupsEnabled {
groupFilter , ok := ls . sanitizedGroupFilter ( ls . GroupFilter )
if ! ok {
return nil
}
groupDN , ok := ls . sanitizedGroupDN ( ls . GroupDN )
if ! ok {
return nil
}
log . Trace ( "Fetching groups '%v' with filter '%s' and base '%s'" , ls . GroupMemberUID , groupFilter , groupDN )
groupSearch := ldap . NewSearchRequest (
groupDN , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , groupFilter ,
[ ] string { ls . GroupMemberUID } ,
nil )
srg , err := l . Search ( groupSearch )
if err != nil {
log . Error ( "LDAP group search failed: %v" , err )
return nil
} else if len ( srg . Entries ) < 1 {
log . Error ( "LDAP group search failed: 0 entries" )
return nil
}
isMember := false
Entries :
for _ , group := range srg . Entries {
for _ , member := range group . GetAttributeValues ( ls . GroupMemberUID ) {
if ( ls . UserUID == "dn" && member == sr . Entries [ 0 ] . DN ) || member == uid {
isMember = true
break Entries
}
}
}
if ! isMember {
log . Error ( "LDAP group membership test failed" )
return nil
}
}
2019-01-24 07:25:33 +08:00
if isAttributeSSHPublicKeySet {
sshPublicKey = sr . Entries [ 0 ] . GetAttributeValues ( ls . AttributeSSHPublicKey )
}
2017-05-10 21:10:18 +08:00
isAdmin := checkAdmin ( l , ls , userDN )
2020-03-05 14:30:33 +08:00
var isRestricted bool
if ! isAdmin {
isRestricted = checkRestricted ( l , ls , userDN )
}
2015-08-19 12:34:03 +08:00
2017-05-10 21:10:18 +08:00
if ! directBind && ls . AttributesInBind {
// binds user (checking password) after looking-up attributes in BindDN context
err = bindUser ( l , userDN , passwd )
2015-09-01 20:40:11 +08:00
if err != nil {
2017-05-10 21:10:18 +08:00
return nil
2015-09-01 20:40:11 +08:00
}
2015-08-19 12:34:03 +08:00
}
2017-05-10 21:10:18 +08:00
return & SearchResult {
2018-12-28 01:28:48 +08:00
Username : username ,
Name : firstname ,
Surname : surname ,
Mail : mail ,
SSHPublicKey : sshPublicKey ,
IsAdmin : isAdmin ,
2020-03-05 14:30:33 +08:00
IsRestricted : isRestricted ,
2017-05-10 21:10:18 +08:00
}
}
2018-05-05 22:30:47 +08:00
// UsePagedSearch returns if need to use paged search
func ( ls * Source ) UsePagedSearch ( ) bool {
return ls . SearchPageSize > 0
}
2017-05-10 21:10:18 +08:00
// SearchEntries : search an LDAP source for all users matching userFilter
2019-08-25 02:53:37 +08:00
func ( ls * Source ) SearchEntries ( ) ( [ ] * SearchResult , error ) {
2017-05-10 21:10:18 +08:00
l , err := dial ( ls )
if err != nil {
2019-04-02 15:48:31 +08:00
log . Error ( "LDAP Connect error, %s:%v" , ls . Host , err )
2017-05-10 21:10:18 +08:00
ls . Enabled = false
2019-08-25 02:53:37 +08:00
return nil , err
2017-05-10 21:10:18 +08:00
}
defer l . Close ( )
if ls . BindDN != "" && ls . BindPassword != "" {
err := l . Bind ( ls . BindDN , ls . BindPassword )
2016-02-16 19:33:16 +08:00
if err != nil {
2017-05-10 21:10:18 +08:00
log . Debug ( "Failed to bind as BindDN[%s]: %v" , ls . BindDN , err )
2019-08-25 02:53:37 +08:00
return nil , err
2017-05-10 21:10:18 +08:00
}
log . Trace ( "Bound as BindDN %s" , ls . BindDN )
} else {
log . Trace ( "Proceeding with anonymous LDAP search." )
}
userFilter := fmt . Sprintf ( ls . Filter , "*" )
2019-01-24 07:25:33 +08:00
var isAttributeSSHPublicKeySet = len ( strings . TrimSpace ( ls . AttributeSSHPublicKey ) ) > 0
attribs := [ ] string { ls . AttributeUsername , ls . AttributeName , ls . AttributeSurname , ls . AttributeMail }
if isAttributeSSHPublicKeySet {
attribs = append ( attribs , ls . AttributeSSHPublicKey )
}
2018-05-24 12:59:02 +08:00
log . Trace ( "Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s" , ls . AttributeUsername , ls . AttributeName , ls . AttributeSurname , ls . AttributeMail , ls . AttributeSSHPublicKey , userFilter , ls . UserBase )
2017-05-10 21:10:18 +08:00
search := ldap . NewSearchRequest (
ls . UserBase , ldap . ScopeWholeSubtree , ldap . NeverDerefAliases , 0 , 0 , false , userFilter ,
2019-01-24 07:25:33 +08:00
attribs , nil )
2017-05-10 21:10:18 +08:00
2018-05-05 22:30:47 +08:00
var sr * ldap . SearchResult
if ls . UsePagedSearch ( ) {
sr , err = l . SearchWithPaging ( search , ls . SearchPageSize )
} else {
sr , err = l . Search ( search )
}
2017-05-10 21:10:18 +08:00
if err != nil {
2019-04-02 15:48:31 +08:00
log . Error ( "LDAP Search failed unexpectedly! (%v)" , err )
2019-08-25 02:53:37 +08:00
return nil , err
2017-05-10 21:10:18 +08:00
}
result := make ( [ ] * SearchResult , len ( sr . Entries ) )
for i , v := range sr . Entries {
result [ i ] = & SearchResult {
2019-01-24 07:25:33 +08:00
Username : v . GetAttributeValue ( ls . AttributeUsername ) ,
Name : v . GetAttributeValue ( ls . AttributeName ) ,
Surname : v . GetAttributeValue ( ls . AttributeSurname ) ,
Mail : v . GetAttributeValue ( ls . AttributeMail ) ,
IsAdmin : checkAdmin ( l , ls , v . DN ) ,
}
2020-03-05 14:30:33 +08:00
if ! result [ i ] . IsAdmin {
result [ i ] . IsRestricted = checkRestricted ( l , ls , v . DN )
}
2019-01-24 07:25:33 +08:00
if isAttributeSSHPublicKeySet {
result [ i ] . SSHPublicKey = v . GetAttributeValues ( ls . AttributeSSHPublicKey )
2016-02-16 19:33:16 +08:00
}
}
2019-08-25 02:53:37 +08:00
return result , nil
2014-04-23 00:55:27 +08:00
}