rewrite api in go/gin

2024-06-18 21:23:22 +00:00
parent cb4a3e4031
commit a5d01e3bed
12 changed files with 768 additions and 710 deletions
--- a/app/app.go
+++ b/app/app.go
@@ -0,0 +1,295 @@
+package app
+
+import (
+	"encoding/gob"
+	"flag"
+	"log"
+	"net/http"
+	"strconv"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-contrib/sessions/cookie"
+	"github.com/gin-gonic/gin"
+	"github.com/go-ldap/ldap/v3"
+	uuid "github.com/nu7hatch/gouuid"
+)
+
+var LDAPSessions map[string]*LDAPClient
+
+func Run() {
+	gob.Register(LDAPClient{})
+
+	configPath := flag.String("config", "config.json", "path to config.json file")
+	flag.Parse()
+
+	config := GetConfig(*configPath)
+	log.Println("Initialized config from " + *configPath)
+
+	gin.SetMode(gin.ReleaseMode)
+	router := gin.Default()
+	store := cookie.NewStore([]byte(config.SessionSecretKey))
+	store.Options(sessions.Options{
+		Path:     config.SessionCookie.Path,
+		HttpOnly: config.SessionCookie.HttpOnly,
+		Secure:   config.SessionCookie.Secure,
+		MaxAge:   config.SessionCookie.MaxAge,
+	})
+	router.Use(sessions.Sessions(config.SessionCookieName, store))
+
+	LDAPSessions = make(map[string]*LDAPClient)
+
+	router.POST("/ticket", func(c *gin.Context) {
+		var body Login
+		if err := c.ShouldBind(&body); err != nil { // bad request from binding
+			c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
+			return
+		}
+
+		newLDAPClient, err := NewLDAPClient(config)
+		if err != nil { // failed to dial ldap server, considered a server error
+			c.JSON(http.StatusInternalServerError, gin.H{"auth": false, "error": err.Error()})
+			return
+		}
+		err = newLDAPClient.BindUser(body.Username, body.Password)
+		if err != nil { // failed to authenticate, return error
+			c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
+			return
+		}
+
+		// successful binding at this point
+		// create new session
+		session := sessions.Default(c)
+		// create (hopefully) safe uuid to map to ldap session
+		uuid, _ := uuid.NewV4()
+		// set uuid mapping in session
+		session.Set("SessionUUID", uuid.String())
+		// set uuid mapping in LDAPSessions
+		LDAPSessions[uuid.String()] = newLDAPClient
+		// save the session
+		session.Save()
+		// return successful auth
+		c.JSON(http.StatusOK, gin.H{"auth": true})
+	})
+
+	router.DELETE("/ticket", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		delete(LDAPSessions, uuid)
+		session.Options(sessions.Options{MaxAge: -1}) // set max age to -1 so it is deleted
+		_ = session.Save()
+		c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+	})
+
+	router.GET("/users", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		status, res := LDAPSession.GetAllUsers()
+		c.JSON(status, res)
+	})
+
+	router.POST("/users/:userid", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		var body User
+		if err := c.ShouldBind(&body); err != nil { // bad request from binding
+			c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
+			return
+		}
+
+		// check if user already exists
+		status, res := LDAPSession.GetUser(c.Param("userid"))
+		if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user
+			status, res = LDAPSession.AddUser(c.Param("userid"), body)
+			c.JSON(status, res)
+		} else { // user already exists, attempt to modify user
+			status, res = LDAPSession.ModUser(c.Param("userid"), body)
+			c.JSON(status, res)
+		}
+	})
+
+	router.GET("/users/:userid", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		status, res := LDAPSession.GetUser(c.Param("userid"))
+		c.JSON(status, res)
+	})
+
+	router.DELETE("/users/:userid", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		status, res := LDAPSession.DelUser(c.Param("userid"))
+		c.JSON(status, res)
+	})
+
+	router.GET("/groups", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		status, res := LDAPSession.GetAllGroups()
+		c.JSON(status, res)
+	})
+
+	router.GET("/groups/:groupid", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		status, res := LDAPSession.GetGroup(c.Param("groupid"))
+		c.JSON(status, res)
+	})
+
+	router.POST("/groups/:groupid", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		var body Group
+		if err := c.ShouldBind(&body); err != nil { // bad request from binding
+			c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
+			return
+		}
+
+		// check if user already exists
+		status, res := LDAPSession.GetGroup(c.Param("groupid"))
+		if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user
+			status, res = LDAPSession.AddGroup(c.Param("groupid"), body)
+			c.JSON(status, res)
+		} else { // user already exists, attempt to modify user
+			status, res = LDAPSession.ModGroup(c.Param("groupid"), body)
+			c.JSON(status, res)
+		}
+	})
+
+	router.DELETE("/groups/:groupid", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		status, res := LDAPSession.DelGroup(c.Param("groupid"))
+		c.JSON(status, res)
+	})
+
+	router.POST("/groups/:groupid/members/:userid", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		status, res := LDAPSession.AddUserToGroup(c.Param("userid"), c.Param("groupid"))
+		c.JSON(status, res)
+	})
+
+	router.DELETE("/groups/:groupid/members/:userid", func(c *gin.Context) {
+		session := sessions.Default(c)
+		SessionUUID := session.Get("SessionUUID")
+		if SessionUUID == nil {
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+		uuid := SessionUUID.(string)
+		LDAPSession := LDAPSessions[uuid]
+		if LDAPSession == nil { // does not have registered ldap session associated with cookie session
+			c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
+			return
+		}
+
+		status, res := LDAPSession.DelUserFromGroup(c.Param("userid"), c.Param("groupid"))
+		c.JSON(status, res)
+	})
+
+	router.Run("0.0.0.0:" + strconv.Itoa(config.ListenPort))
+}
--- a/app/ldap.go
+++ b/app/ldap.go
@@ -0,0 +1,368 @@
+package app
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/go-ldap/ldap/v3"
+)
+
+type LDAPClient struct {
+	client   *ldap.Conn
+	basedn   string
+	peopledn string
+	groupsdn string
+}
+
+func NewLDAPClient(config Config) (*LDAPClient, error) {
+	LDAPConn, err := ldap.DialURL(config.LdapURL)
+	return &LDAPClient{
+		client:   LDAPConn,
+		basedn:   config.BaseDN,
+		peopledn: "ou=people," + config.BaseDN,
+		groupsdn: "ou=groups," + config.BaseDN,
+	}, err
+}
+
+func (l LDAPClient) BindUser(username string, password string) error {
+	userdn := fmt.Sprintf("uid=%s,%s", username, l.peopledn)
+	return l.client.Bind(userdn, password)
+}
+
+func (l LDAPClient) GetAllUsers() (int, gin.H) {
+	searchRequest := ldap.NewSearchRequest(
+		l.peopledn, // The base dn to search
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		"(&(objectClass=inetOrgPerson))",          // The filter to apply
+		[]string{"dn", "cn", "sn", "mail", "uid"}, // A list attributes to retrieve
+		nil,
+	)
+
+	searchResponse, err := l.client.Search(searchRequest) // perform search
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	var results = []gin.H{} // create list of results
+
+	for _, entry := range searchResponse.Entries { // for each result,
+		results = append(results, gin.H{
+			"dn": entry.DN,
+			"attributes": gin.H{
+				"cn":   entry.GetAttributeValue("cn"),
+				"sn":   entry.GetAttributeValue("sn"),
+				"mail": entry.GetAttributeValue("mail"),
+				"uid":  entry.GetAttributeValue("uid"),
+			},
+		})
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+		"users": results,
+	}
+}
+
+func (l LDAPClient) AddUser(uid string, user User) (int, gin.H) {
+	if user.CN == "" || user.SN == "" || user.UserPassword == "" {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": "Missing one of required fields: cn, sn, userpassword",
+		}
+	}
+
+	addRequest := ldap.NewAddRequest(
+		fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // DN
+		nil, // controls
+	)
+	addRequest.Attribute("sn", []string{user.SN})
+	addRequest.Attribute("cn", []string{user.CN})
+	addRequest.Attribute("userPassword", []string{user.CN})
+	addRequest.Attribute("objectClass", []string{"inetOrgPerson"})
+
+	err := l.client.Add(addRequest)
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+	}
+}
+
+func (l LDAPClient) GetUser(uid string) (int, gin.H) {
+	searchRequest := ldap.NewSearchRequest( //  setup search for user by uid
+		fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // The base dn to search
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		"(&(objectClass=inetOrgPerson))",          // The filter to apply
+		[]string{"dn", "cn", "sn", "mail", "uid"}, // A list attributes to retrieve
+		nil,
+	)
+
+	searchResponse, err := l.client.Search(searchRequest) // perform search
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	entry := searchResponse.Entries[0]
+	result := gin.H{
+		"dn": entry.DN,
+		"attributes": gin.H{
+			"cn":   entry.GetAttributeValue("cn"),
+			"sn":   entry.GetAttributeValue("sn"),
+			"mail": entry.GetAttributeValue("mail"),
+			"uid":  entry.GetAttributeValue("uid"),
+		},
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+		"user":  result,
+	}
+}
+
+func (l LDAPClient) ModUser(uid string, user User) (int, gin.H) {
+	if user.CN == "" && user.SN == "" && user.UserPassword == "" {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": "Requires one of fields: cn, sn, userpassword",
+		}
+	}
+
+	modifyRequest := ldap.NewModifyRequest(
+		fmt.Sprintf("uid=%s,%s", uid, l.peopledn),
+		nil,
+	)
+	if user.CN != "" {
+		modifyRequest.Replace("cn", []string{user.CN})
+	}
+	if user.SN != "" {
+		modifyRequest.Replace("sn", []string{user.SN})
+	}
+	if user.UserPassword != "" {
+		modifyRequest.Replace("userPassword", []string{user.UserPassword})
+	}
+
+	err := l.client.Modify(modifyRequest)
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+	}
+}
+
+func (l LDAPClient) DelUser(uid string) (int, gin.H) {
+	userDN := fmt.Sprintf("uid=%s,%s", uid, l.peopledn)
+
+	// assumes that olcMemberOfRefint=true updates member attributes of referenced groups
+
+	deleteUserRequest := ldap.NewDelRequest( // setup delete request
+		userDN,
+		nil,
+	)
+
+	err := l.client.Del(deleteUserRequest) // delete user
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+	}
+}
+
+func (l LDAPClient) GetAllGroups() (int, gin.H) {
+	searchRequest := ldap.NewSearchRequest(
+		l.groupsdn, // The base dn to search
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		"(&(objectClass=groupOfNames))", // The filter to apply
+		[]string{"cn", "member"},        // A list attributes to retrieve
+		nil,
+	)
+
+	searchResponse, err := l.client.Search(searchRequest) // perform search
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	var results = []gin.H{} // create list of results
+
+	for _, entry := range searchResponse.Entries { // for each result,
+		results = append(results, gin.H{
+			"dn": entry.DN,
+			"attributes": gin.H{
+				"cn":     entry.GetAttributeValue("cn"),
+				"member": entry.GetAttributeValues("member"),
+			},
+		})
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":     true,
+		"error":  nil,
+		"groups": results,
+	}
+}
+
+func (l LDAPClient) GetGroup(gid string) (int, gin.H) {
+	searchRequest := ldap.NewSearchRequest( //  setup search for user by uid
+		fmt.Sprintf("cn=%s,%s", gid, l.groupsdn), // The base dn to search
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		"(&(objectClass=groupOfNames))", // The filter to apply
+		[]string{"cn", "member"},        // A list attributes to retrieve
+		nil,
+	)
+
+	searchResponse, err := l.client.Search(searchRequest) // perform search
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	entry := searchResponse.Entries[0]
+	result := gin.H{
+		"dn": entry.DN,
+		"attributes": gin.H{
+			"cn":     entry.GetAttributeValue("cn"),
+			"member": entry.GetAttributeValues("member"),
+		},
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+		"group": result,
+	}
+}
+
+func (l LDAPClient) AddGroup(gid string, group Group) (int, gin.H) {
+	addRequest := ldap.NewAddRequest(
+		fmt.Sprintf("cn=%s,%s", gid, l.groupsdn), // DN
+		nil,                                      // controls
+	)
+	addRequest.Attribute("cn", []string{gid})
+	addRequest.Attribute("member", []string{""})
+	addRequest.Attribute("objectClass", []string{"groupOfNames"})
+
+	err := l.client.Add(addRequest)
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+	}
+}
+
+func (l LDAPClient) ModGroup(gid string, group Group) (int, gin.H) {
+	return 200, gin.H{
+		"ok":    true,
+		"error": nil,
+	}
+}
+
+func (l LDAPClient) DelGroup(gid string) (int, gin.H) {
+	groupDN := fmt.Sprintf("cn=%s,%s", gid, l.groupsdn)
+
+	// assumes that memberOf overlay will automatically update referenced memberOf attributes
+
+	deleteGroupRequest := ldap.NewDelRequest( // setup delete request
+		groupDN,
+		nil,
+	)
+
+	err := l.client.Del(deleteGroupRequest) // delete group
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+	}
+}
+
+func (l LDAPClient) AddUserToGroup(uid string, gid string) (int, gin.H) {
+	userDN := fmt.Sprintf("uid=%s,%s", uid, l.peopledn)
+	groupDN := fmt.Sprintf("cn=%s,%s", gid, l.groupsdn)
+
+	modifyRequest := ldap.NewModifyRequest( // modify group member value
+		groupDN,
+		nil,
+	)
+
+	modifyRequest.Add("member", []string{userDN}) // add user to group member attribute
+
+	err := l.client.Modify(modifyRequest) // modify group
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+	}
+}
+
+func (l LDAPClient) DelUserFromGroup(uid string, gid string) (int, gin.H) {
+	userDN := fmt.Sprintf("uid=%s,%s", uid, l.peopledn)
+	groupDN := fmt.Sprintf("cn=%s,%s", gid, l.groupsdn)
+
+	modifyRequest := ldap.NewModifyRequest( // modify group member value
+		groupDN,
+		nil,
+	)
+
+	modifyRequest.Delete("member", []string{userDN}) // remove user from group member attribute
+
+	err := l.client.Modify(modifyRequest) // modify group
+	if err != nil {
+		return http.StatusBadRequest, gin.H{
+			"ok":    false,
+			"error": err,
+		}
+	}
+
+	return http.StatusOK, gin.H{
+		"ok":    true,
+		"error": nil,
+	}
+}
--- a/app/utils.go
+++ b/app/utils.go
@@ -0,0 +1,48 @@
+package app
+
+import (
+	"encoding/json"
+	"log"
+	"os"
+)
+
+type Config struct {
+	ListenPort        int    `json:"listenPort"`
+	LdapURL           string `json:"ldapURL"`
+	BaseDN            string `json:"baseDN"`
+	SessionSecretKey  string `json:"sessionSecretKey"`
+	SessionCookieName string `json:"sessionCookieName"`
+	SessionCookie     struct {
+		Path     string `json:"path"`
+		HttpOnly bool   `json:"httpOnly"`
+		Secure   bool   `json:"secure"`
+		MaxAge   int    `json:"maxAge"`
+	}
+}
+
+func GetConfig(configPath string) Config {
+	content, err := os.ReadFile(configPath)
+	if err != nil {
+		log.Fatal("Error when opening config file: ", err)
+	}
+	var config Config
+	err = json.Unmarshal(content, &config)
+	if err != nil {
+		log.Fatal("Error during parsing config file: ", err)
+	}
+	return config
+}
+
+type Login struct { // login body struct
+	Username string `form:"username" binding:"required"`
+	Password string `form:"password" binding:"required"`
+}
+
+type User struct { // add or modify user body struct
+	CN           string `form:"cn"`
+	SN           string `form:"sn"`
+	UserPassword string `form:"userpassword"`
+}
+
+type Group struct { // add or modify group body struct
+}