fix critical userPassword bug,

improve ldap user/group data handling
This commit is contained in:
Arthur Lu 2024-10-05 00:08:58 +00:00
parent bf0596d385
commit eacc349cac
3 changed files with 137 additions and 77 deletions

View File

@ -15,7 +15,7 @@ import (
) )
var LDAPSessions map[string]*LDAPClient var LDAPSessions map[string]*LDAPClient
var APIVersion = "1.0.1" var APIVersion = "1.0.2"
func Run() { func Run() {
gob.Register(LDAPClient{}) gob.Register(LDAPClient{})
@ -122,18 +122,22 @@ func Run() {
return return
} }
var body User
if err := c.ShouldBind(&body); err != nil { // bad request from binding
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
// check if user already exists // check if user already exists
status, res := LDAPSession.GetUser(c.Param("userid")) status, res := LDAPSession.GetUser(c.Param("userid"))
if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user
var body UserRequired // all user attributes required for new users
if err := c.ShouldBind(&body); err != nil { // attempt to bind user data
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
status, res = LDAPSession.AddUser(c.Param("userid"), body) status, res = LDAPSession.AddUser(c.Param("userid"), body)
c.JSON(status, res) c.JSON(status, res)
} else { // user already exists, attempt to modify user } else { // user already exists, attempt to modify user
var body UserOptional // all user attributes optional for new users
if err := c.ShouldBind(&body); err != nil { // attempt to bind user data
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
status, res = LDAPSession.ModUser(c.Param("userid"), body) status, res = LDAPSession.ModUser(c.Param("userid"), body)
c.JSON(status, res) c.JSON(status, res)
} }
@ -231,12 +235,12 @@ func Run() {
return return
} }
// check if user already exists // check if group already exists
status, res := LDAPSession.GetGroup(c.Param("groupid")) status, res := LDAPSession.GetGroup(c.Param("groupid"))
if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // group does not already exist, create new group
status, res = LDAPSession.AddGroup(c.Param("groupid"), body) status, res = LDAPSession.AddGroup(c.Param("groupid"), body)
c.JSON(status, res) c.JSON(status, res)
} else { // user already exists, attempt to modify user } else { // group already exists, attempt to modify group
status, res = LDAPSession.ModGroup(c.Param("groupid"), body) status, res = LDAPSession.ModGroup(c.Param("groupid"), body)
c.JSON(status, res) c.JSON(status, res)
} }

View File

@ -8,6 +8,7 @@ import (
"github.com/go-ldap/ldap/v3" "github.com/go-ldap/ldap/v3"
) )
// LDAPClient wrapper struct containing the connection, baseDN, peopleDN, and groupsDN
type LDAPClient struct { type LDAPClient struct {
client *ldap.Conn client *ldap.Conn
basedn string basedn string
@ -15,6 +16,7 @@ type LDAPClient struct {
groupsdn string groupsdn string
} }
// returns a new LDAPClient from the config
func NewLDAPClient(config Config) (*LDAPClient, error) { func NewLDAPClient(config Config) (*LDAPClient, error) {
LDAPConn, err := ldap.DialURL(config.LdapURL) LDAPConn, err := ldap.DialURL(config.LdapURL)
return &LDAPClient{ return &LDAPClient{
@ -25,6 +27,7 @@ func NewLDAPClient(config Config) (*LDAPClient, error) {
}, err }, err
} }
// bind a user using username and password to the LDAPClient
func (l LDAPClient) BindUser(username string, password string) error { func (l LDAPClient) BindUser(username string, password string) error {
userdn := fmt.Sprintf("uid=%s,%s", username, l.peopledn) userdn := fmt.Sprintf("uid=%s,%s", username, l.peopledn)
return l.client.Bind(userdn, password) return l.client.Bind(userdn, password)
@ -50,16 +53,8 @@ func (l LDAPClient) GetAllUsers() (int, gin.H) {
var results = []gin.H{} // create list of results var results = []gin.H{} // create list of results
for _, entry := range searchResponse.Entries { // for each result, for _, entry := range searchResponse.Entries { // for each result,
results = append(results, gin.H{ user := LDAPEntryToLDAPUser(entry)
"dn": entry.DN, results = append(results, LDAPUserToGin(user))
"attributes": gin.H{
"cn": entry.GetAttributeValue("cn"),
"sn": entry.GetAttributeValue("sn"),
"mail": entry.GetAttributeValue("mail"),
"uid": entry.GetAttributeValue("uid"),
"memberOf": entry.GetAttributeValues("memberOf"),
},
})
} }
return http.StatusOK, gin.H{ return http.StatusOK, gin.H{
@ -69,37 +64,6 @@ func (l LDAPClient) GetAllUsers() (int, gin.H) {
} }
} }
func (l LDAPClient) AddUser(uid string, user User) (int, gin.H) {
if user.CN == "" || user.SN == "" || user.UserPassword == "" {
return http.StatusBadRequest, gin.H{
"ok": false,
"error": "Missing one of required fields: cn, sn, userpassword",
}
}
addRequest := ldap.NewAddRequest(
fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // DN
nil, // controls
)
addRequest.Attribute("sn", []string{user.SN})
addRequest.Attribute("cn", []string{user.CN})
addRequest.Attribute("userPassword", []string{user.CN})
addRequest.Attribute("objectClass", []string{"inetOrgPerson"})
err := l.client.Add(addRequest)
if err != nil {
return http.StatusBadRequest, gin.H{
"ok": false,
"error": err,
}
}
return http.StatusOK, gin.H{
"ok": true,
"error": nil,
}
}
func (l LDAPClient) GetUser(uid string) (int, gin.H) { func (l LDAPClient) GetUser(uid string) (int, gin.H) {
searchRequest := ldap.NewSearchRequest( // setup search for user by uid searchRequest := ldap.NewSearchRequest( // setup search for user by uid
fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // The base dn to search fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // The base dn to search
@ -118,16 +82,9 @@ func (l LDAPClient) GetUser(uid string) (int, gin.H) {
} }
entry := searchResponse.Entries[0] entry := searchResponse.Entries[0]
result := gin.H{
"dn": entry.DN, user := LDAPEntryToLDAPUser(entry)
"attributes": gin.H{ result := LDAPUserToGin(user)
"cn": entry.GetAttributeValue("cn"),
"sn": entry.GetAttributeValue("sn"),
"mail": entry.GetAttributeValue("mail"),
"uid": entry.GetAttributeValue("uid"),
"memberOf": entry.GetAttributeValues("memberOf"),
},
}
return http.StatusOK, gin.H{ return http.StatusOK, gin.H{
"ok": true, "ok": true,
@ -136,7 +93,38 @@ func (l LDAPClient) GetUser(uid string) (int, gin.H) {
} }
} }
func (l LDAPClient) ModUser(uid string, user User) (int, gin.H) { func (l LDAPClient) AddUser(uid string, user UserRequired) (int, gin.H) {
if user.CN == "" || user.SN == "" || user.UserPassword == "" {
return http.StatusBadRequest, gin.H{
"ok": false,
"error": "Missing one of required fields: cn, sn, userpassword",
}
}
addRequest := ldap.NewAddRequest(
fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // DN
nil, // controls
)
addRequest.Attribute("sn", []string{user.SN})
addRequest.Attribute("cn", []string{user.CN})
addRequest.Attribute("userPassword", []string{user.UserPassword})
addRequest.Attribute("objectClass", []string{"inetOrgPerson"})
err := l.client.Add(addRequest)
if err != nil {
return http.StatusBadRequest, gin.H{
"ok": false,
"error": err,
}
}
return http.StatusOK, gin.H{
"ok": true,
"error": nil,
}
}
func (l LDAPClient) ModUser(uid string, user UserOptional) (int, gin.H) {
if user.CN == "" && user.SN == "" && user.UserPassword == "" { if user.CN == "" && user.SN == "" && user.UserPassword == "" {
return http.StatusBadRequest, gin.H{ return http.StatusBadRequest, gin.H{
"ok": false, "ok": false,
@ -216,13 +204,8 @@ func (l LDAPClient) GetAllGroups() (int, gin.H) {
var results = []gin.H{} // create list of results var results = []gin.H{} // create list of results
for _, entry := range searchResponse.Entries { // for each result, for _, entry := range searchResponse.Entries { // for each result,
results = append(results, gin.H{ group := LDAPEntryToLDAPGroup(entry)
"dn": entry.DN, results = append(results, LDAPGroupToGin(group))
"attributes": gin.H{
"cn": entry.GetAttributeValue("cn"),
"member": entry.GetAttributeValues("member"),
},
})
} }
return http.StatusOK, gin.H{ return http.StatusOK, gin.H{
@ -250,13 +233,8 @@ func (l LDAPClient) GetGroup(gid string) (int, gin.H) {
} }
entry := searchResponse.Entries[0] entry := searchResponse.Entries[0]
result := gin.H{ group := LDAPEntryToLDAPGroup(entry)
"dn": entry.DN, result := LDAPGroupToGin(group)
"attributes": gin.H{
"cn": entry.GetAttributeValue("cn"),
"member": entry.GetAttributeValues("member"),
},
}
return http.StatusOK, gin.H{ return http.StatusOK, gin.H{
"ok": true, "ok": true,

View File

@ -4,6 +4,9 @@ import (
"encoding/json" "encoding/json"
"log" "log"
"os" "os"
"github.com/gin-gonic/gin"
"github.com/go-ldap/ldap/v3"
) )
type Config struct { type Config struct {
@ -38,11 +41,86 @@ type Login struct { // login body struct
Password string `form:"password" binding:"required"` Password string `form:"password" binding:"required"`
} }
type User struct { // add or modify user body struct type LDAPUserAttributes struct {
CN string
SN string
Mail string
UID string
MemberOf []string
}
type LDAPUser struct {
DN string
Attributes LDAPUserAttributes
}
func LDAPEntryToLDAPUser(entry *ldap.Entry) LDAPUser {
return LDAPUser{
DN: entry.DN,
Attributes: LDAPUserAttributes{
CN: entry.GetAttributeValue("cn"),
SN: entry.GetAttributeValue("sn"),
Mail: entry.GetAttributeValue("mail"),
UID: entry.GetAttributeValue("uid"),
MemberOf: entry.GetAttributeValues("memberOf"),
},
}
}
func LDAPUserToGin(user LDAPUser) gin.H {
return gin.H{
"dn": user.DN,
"attributes": gin.H{
"cn": user.Attributes.CN,
"sn": user.Attributes.SN,
"mail": user.Attributes.Mail,
"uid": user.Attributes.UID,
"memberOf": user.Attributes.MemberOf,
},
}
}
type LDAPGroupAttributes struct {
CN string
Member []string
}
type LDAPGroup struct {
DN string
Attributes LDAPGroupAttributes
}
func LDAPEntryToLDAPGroup(entry *ldap.Entry) LDAPGroup {
return LDAPGroup{
DN: entry.DN,
Attributes: LDAPGroupAttributes{
CN: entry.GetAttributeValue("cn"),
Member: entry.GetAttributeValues("member"),
},
}
}
func LDAPGroupToGin(group LDAPGroup) gin.H {
return gin.H{
"dn": group.DN,
"attributes": gin.H{
"cn": group.Attributes.CN,
"member": group.Attributes.Member,
},
}
}
type UserOptional struct { // add or modify user body struct
CN string `form:"cn"` CN string `form:"cn"`
SN string `form:"sn"` SN string `form:"sn"`
UserPassword string `form:"userpassword"` UserPassword string `form:"userpassword"`
} }
type UserRequired struct { // add or modify user body struct
CN string `form:"cn" binding:"required"`
SN string `form:"sn" binding:"required"`
UserPassword string `form:"userpassword" binding:"required"`
}
type Group struct { // add or modify group body struct type Group struct { // add or modify group body struct
} }