cc-backend/auth/ldap.go

package auth

import (
	"crypto/tls"
	"errors"
	"os"
	"strings"
	"time"

	"github.com/ClusterCockpit/cc-backend/log"

	"github.com/go-ldap/ldap/v3"
)

type LdapConfig struct {
	Url        string `json:"url"`
	UserBase   string `json:"user_base"`
	SearchDN   string `json:"search_dn"`
	UserBind   string `json:"user_bind"`
	UserFilter string `json:"user_filter"`
	TLS        bool   `json:"tls"`

	// Parsed using time.ParseDuration.
	SyncInterval    string `json:"sync_interval"`
	SyncDelOldUsers bool   `json:"sync_del_old_users"`
}

func (auth *Authentication) initLdap() error {
	auth.ldapSyncUserPassword = os.Getenv("LDAP_ADMIN_PASSWORD")
	if auth.ldapSyncUserPassword == "" {
		log.Warn("environment variable 'LDAP_ADMIN_PASSWORD' not set (ldap sync or authentication will not work)")
	}

	if auth.ldapConfig.SyncInterval != "" {
		interval, err := time.ParseDuration(auth.ldapConfig.SyncInterval)
		if err != nil {
			return err
		}

		if interval == 0 {
			return nil
		}

		go func() {
			ticker := time.NewTicker(interval)
			for t := range ticker.C {
				log.Printf("LDAP sync started at %s", t.Format(time.RFC3339))
				if err := auth.SyncWithLDAP(auth.ldapConfig.SyncDelOldUsers); err != nil {
					log.Errorf("LDAP sync failed: %s", err.Error())
				}
				log.Print("LDAP sync done")
			}
		}()
	}

	return nil
}

// TODO: Add a connection pool or something like
// that so that connections can be reused/cached.
func (auth *Authentication) getLdapConnection(admin bool) (*ldap.Conn, error) {
	conn, err := ldap.DialURL(auth.ldapConfig.Url)
	if err != nil {
		return nil, err
	}

	if auth.ldapConfig.TLS {
		if err := conn.StartTLS(&tls.Config{InsecureSkipVerify: true}); err != nil {
			conn.Close()
			return nil, err
		}
	}

	if admin {
		if err := conn.Bind(auth.ldapConfig.SearchDN, auth.ldapSyncUserPassword); err != nil {
			conn.Close()
			return nil, err
		}
	}

	return conn, nil
}

func (auth *Authentication) loginViaLdap(user *User, password string) error {
	l, err := auth.getLdapConnection(false)
	if err != nil {
		return err
	}
	defer l.Close()

	userDn := strings.Replace(auth.ldapConfig.UserBind, "{username}", user.Username, -1)
	if err := l.Bind(userDn, password); err != nil {
		return err
	}

	user.ViaLdap = true
	return nil
}

// Delete users where user.ldap is 1 and that do not show up in the ldap search results.
// Add users to the users table that are new in the ldap search results.
func (auth *Authentication) SyncWithLDAP(deleteOldUsers bool) error {
	if auth.ldapConfig == nil {
		return errors.New("ldap not enabled")
	}

	const IN_DB int = 1
	const IN_LDAP int = 2
	const IN_BOTH int = 3

	users := map[string]int{}
	rows, err := auth.db.Query(`SELECT username FROM user WHERE user.ldap = 1`)
	if err != nil {
		return err
	}

	for rows.Next() {
		var username string
		if err := rows.Scan(&username); err != nil {
			return err
		}

		users[username] = IN_DB
	}

	l, err := auth.getLdapConnection(true)
	if err != nil {
		return err
	}
	defer l.Close()

	ldapResults, err := l.Search(ldap.NewSearchRequest(
		auth.ldapConfig.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
		auth.ldapConfig.UserFilter, []string{"dn", "uid", "gecos"}, nil))
	if err != nil {
		return err
	}

	newnames := map[string]string{}
	for _, entry := range ldapResults.Entries {
		username := entry.GetAttributeValue("uid")
		if username == "" {
			return errors.New("no attribute 'uid'")
		}

		_, ok := users[username]
		if !ok {
			users[username] = IN_LDAP
			newnames[username] = entry.GetAttributeValue("gecos")
		} else {
			users[username] = IN_BOTH
		}
	}

	for username, where := range users {
		if where == IN_DB && deleteOldUsers {
			log.Infof("ldap-sync: remove %#v (does not show up in LDAP anymore)", username)
			if _, err := auth.db.Exec(`DELETE FROM user WHERE user.username = ?`, username); err != nil {
				return err
			}
		} else if where == IN_LDAP {
			name := newnames[username]
			log.Infof("ldap-sync: add %#v (name: %#v, roles: [], ldap: true)", username, name)
			if _, err := auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
				username, 1, name, "[]"); err != nil {
				return err
			}
		}
	}

	return nil
}
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`package auth`

			`import (`
			`"crypto/tls"`
			`"errors"`
			`"os"`
			`"strings"`
Automatically sync via LDAP at interval 2022-02-14 14:37:33 +01:00			`"time"`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00
use a custom logger 2022-01-27 10:35:26 +01:00			`"github.com/ClusterCockpit/cc-backend/log"`

authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`"github.com/go-ldap/ldap/v3"`
			`)`

			`type LdapConfig struct {`
			Url string `json:"url"`
			UserBase string `json:"user_base"`
			SearchDN string `json:"search_dn"`
			UserBind string `json:"user_bind"`
			UserFilter string `json:"user_filter"`
			TLS bool `json:"tls"`
Automatically sync via LDAP at interval 2022-02-14 14:37:33 +01:00
			`// Parsed using time.ParseDuration.`
			SyncInterval string `json:"sync_interval"`
			SyncDelOldUsers bool `json:"sync_del_old_users"`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`}`

Refactor auth/ 2022-02-14 14:22:44 +01:00			`func (auth *Authentication) initLdap() error {`
			`auth.ldapSyncUserPassword = os.Getenv("LDAP_ADMIN_PASSWORD")`
			`if auth.ldapSyncUserPassword == "" {`
use a custom logger 2022-01-27 10:35:26 +01:00			`log.Warn("environment variable 'LDAP_ADMIN_PASSWORD' not set (ldap sync or authentication will not work)")`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`}`
Automatically sync via LDAP at interval 2022-02-14 14:37:33 +01:00
			`if auth.ldapConfig.SyncInterval != "" {`
			`interval, err := time.ParseDuration(auth.ldapConfig.SyncInterval)`
			`if err != nil {`
			`return err`
			`}`

			`if interval == 0 {`
			`return nil`
			`}`

			`go func() {`
			`ticker := time.NewTicker(interval)`
			`for t := range ticker.C {`
			`log.Printf("LDAP sync started at %s", t.Format(time.RFC3339))`
			`if err := auth.SyncWithLDAP(auth.ldapConfig.SyncDelOldUsers); err != nil {`
			`log.Errorf("LDAP sync failed: %s", err.Error())`
			`}`
			`log.Print("LDAP sync done")`
			`}`
			`}()`
			`}`

authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`return nil`
			`}`

			`// TODO: Add a connection pool or something like`
			`// that so that connections can be reused/cached.`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`func (auth Authentication) getLdapConnection(admin bool) (ldap.Conn, error) {`
			`conn, err := ldap.DialURL(auth.ldapConfig.Url)`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`if err != nil {`
			`return nil, err`
			`}`

Refactor auth/ 2022-02-14 14:22:44 +01:00			`if auth.ldapConfig.TLS {`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`if err := conn.StartTLS(&tls.Config{InsecureSkipVerify: true}); err != nil {`
			`conn.Close()`
			`return nil, err`
			`}`
			`}`

authentication: roles as regular array; simplified LDAP 2022-01-27 09:29:11 +01:00			`if admin {`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`if err := conn.Bind(auth.ldapConfig.SearchDN, auth.ldapSyncUserPassword); err != nil {`
authentication: roles as regular array; simplified LDAP 2022-01-27 09:29:11 +01:00			`conn.Close()`
			`return nil, err`
			`}`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`}`

			`return conn, nil`
			`}`

Refactor auth/ 2022-02-14 14:22:44 +01:00			`func (auth Authentication) loginViaLdap(user User, password string) error {`
			`l, err := auth.getLdapConnection(false)`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`if err != nil {`
			`return err`
			`}`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`defer l.Close()`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00
Refactor auth/ 2022-02-14 14:22:44 +01:00			`userDn := strings.Replace(auth.ldapConfig.UserBind, "{username}", user.Username, -1)`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`if err := l.Bind(userDn, password); err != nil {`
			`return err`
			`}`

			`user.ViaLdap = true`
			`return nil`
			`}`

			`// Delete users where user.ldap is 1 and that do not show up in the ldap search results.`
			`// Add users to the users table that are new in the ldap search results.`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`func (auth *Authentication) SyncWithLDAP(deleteOldUsers bool) error {`
			`if auth.ldapConfig == nil {`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`return errors.New("ldap not enabled")`
			`}`

			`const IN_DB int = 1`
			`const IN_LDAP int = 2`
			`const IN_BOTH int = 3`

			`users := map[string]int{}`
Refactor auth/ 2022-02-14 14:22:44 +01:00			rows, err := auth.db.Query(`SELECT username FROM user WHERE user.ldap = 1`)
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`if err != nil {`
			`return err`
			`}`

			`for rows.Next() {`
			`var username string`
			`if err := rows.Scan(&username); err != nil {`
			`return err`
			`}`

			`users[username] = IN_DB`
			`}`

Refactor auth/ 2022-02-14 14:22:44 +01:00			`l, err := auth.getLdapConnection(true)`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`if err != nil {`
			`return err`
			`}`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`defer l.Close()`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00
			`ldapResults, err := l.Search(ldap.NewSearchRequest(`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`auth.ldapConfig.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,`
			`auth.ldapConfig.UserFilter, []string{"dn", "uid", "gecos"}, nil))`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`if err != nil {`
			`return err`
			`}`

			`newnames := map[string]string{}`
			`for _, entry := range ldapResults.Entries {`
			`username := entry.GetAttributeValue("uid")`
			`if username == "" {`
			`return errors.New("no attribute 'uid'")`
			`}`

			`_, ok := users[username]`
			`if !ok {`
			`users[username] = IN_LDAP`
			`newnames[username] = entry.GetAttributeValue("gecos")`
			`} else {`
			`users[username] = IN_BOTH`
			`}`
			`}`

			`for username, where := range users {`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`if where == IN_DB && deleteOldUsers {`
use a custom logger 2022-01-27 10:35:26 +01:00			`log.Infof("ldap-sync: remove %#v (does not show up in LDAP anymore)", username)`
Refactor auth/ 2022-02-14 14:22:44 +01:00			if _, err := auth.db.Exec(`DELETE FROM user WHERE user.username = ?`, username); err != nil {
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`return err`
			`}`
			`} else if where == IN_LDAP {`
			`name := newnames[username]`
use a custom logger 2022-01-27 10:35:26 +01:00			`log.Infof("ldap-sync: add %#v (name: %#v, roles: [], ldap: true)", username, name)`
Refactor auth/ 2022-02-14 14:22:44 +01:00			if _, err := auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`username, 1, name, "[]"); err != nil {`
			`return err`
			`}`
			`}`
			`}`

			`return nil`
			`}`