Compare commits

..

No commits in common. "main" and "v1.0.0" have entirely different histories.
main ... v1.0.0

17 changed files with 123 additions and 1864 deletions

4
.gitignore vendored
View File

@ -1,3 +1,3 @@
go.sum **/go.sum
dist/*
**/config.json **/config.json
dist/*

View File

@ -1,23 +1,9 @@
.PHONY: build test clean dev-init dev-reinit
build: clean build: clean
@echo "======================== Building Binary =======================" CGO_ENABLED=0 go build -ldflags="-s -w" -o dist/ .
CGO_ENABLED=0 go build -ldflags="-s -w" -v -o dist/ .
test: dev-reinit test: clean
@echo "======================== Running Tests =========================" go run .
go test -v -cover -coverpkg=./app/ -coverprofile coverage ./test/
@echo "======================= Coverage Report ========================"
go tool cover -func=coverage
@rm -f coverage
clean: clean:
@echo "======================== Cleaning Project ======================"
go clean go clean
rm -f dist/* rm -f dist/*
dev-init:
@cd scripts; make dev-init
dev-reinit:
@cd scripts; make dev-reinit

View File

@ -28,26 +28,9 @@ ProxmoxAAS LDAP provides a simple API for managing users and groups in a simplif
### Installation ### Installation
1. Download `proxmoxaas-ldap` binary and `template.config.json` file from [releases](https://git.tronnet.net/tronnet/ProxmoxAAS-LDAP/releases) 1. Download `proxmoxaas-ldap` binary and `template.config.json` file from [releases](releases)
2. Rename `template.config.json` to `config.json` and modify: 2. Rename `template.config.json` to `config.json` and modify:
- ldapURL: url to the ldap server ie. `ldap://ldap.domain.net` - ldapURL: url to the ldap server ie. `ldap://ldap.domain.net`
- baseDN: base DN ie. `dc=domain,dc=net` - baseDN: base DN ie. `dc=domain,dc=net`
- sessionSecretKey: random value used to randomize cookie values, replace with any sufficiently large random string - sessionSecretKey: random value used to randomize cookie values, replace with any sufficiently large random string
3. Run the binary 3. Run the binary
## Building and Testing from Source
Building requires the go toolchain. Testing requires the go toolchain, make, and apt. Currently only supports Debian.
### Building from Source
1. Clone the repository
2. Run `go get` to get requirements
3. Run `make` to build the binary
### Testing Source
1. Clone the repository
2. Run `go get` to get requirements
3. Run `make dev-init` to install test requirements including openldap (slapd), ldap-utils, debconf-utils
4. Run `make tests` to run all tests

View File

@ -15,22 +15,16 @@ import (
) )
var LDAPSessions map[string]*LDAPClient var LDAPSessions map[string]*LDAPClient
var AppVersion = "1.0.5" var APIVersion = "1.0.0"
var APIVersion = "1.0.4"
func Run() { func Run() {
gob.Register(LDAPClient{}) gob.Register(LDAPClient{})
log.Printf("Starting ProxmoxAAS-LDAP version %s\n", APIVersion)
configPath := flag.String("config", "config.json", "path to config.json file") configPath := flag.String("config", "config.json", "path to config.json file")
flag.Parse() flag.Parse()
config, err := GetConfig(*configPath) config := GetConfig(*configPath)
if err != nil { log.Println("Initialized config from " + *configPath)
log.Fatal("Error when reading config file: ", err)
}
log.Printf("Read in config from %s\n", *configPath)
gin.SetMode(gin.ReleaseMode) gin.SetMode(gin.ReleaseMode)
router := gin.Default() router := gin.Default()
@ -43,12 +37,10 @@ func Run() {
}) })
router.Use(sessions.Sessions(config.SessionCookieName, store)) router.Use(sessions.Sessions(config.SessionCookieName, store))
log.Printf("Started API router and cookie store (Name: %s Params: %+v)\n", config.SessionCookieName, config.SessionCookie)
LDAPSessions = make(map[string]*LDAPClient) LDAPSessions = make(map[string]*LDAPClient)
router.GET("/version", func(c *gin.Context) { router.GET("/version", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"version": APIVersion, "app-version": AppVersion}) c.JSON(http.StatusOK, gin.H{"version": APIVersion})
}) })
router.POST("/ticket", func(c *gin.Context) { router.POST("/ticket", func(c *gin.Context) {
@ -94,7 +86,7 @@ func Run() {
uuid := SessionUUID.(string) uuid := SessionUUID.(string)
delete(LDAPSessions, uuid) delete(LDAPSessions, uuid)
session.Options(sessions.Options{MaxAge: -1}) // set max age to -1 so it is deleted session.Options(sessions.Options{MaxAge: -1}) // set max age to -1 so it is deleted
session.Save() _ = session.Save()
c.JSON(http.StatusUnauthorized, gin.H{"auth": false}) c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
}) })
@ -113,7 +105,7 @@ func Run() {
} }
status, res := LDAPSession.GetAllUsers() status, res := LDAPSession.GetAllUsers()
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
}) })
router.POST("/users/:userid", func(c *gin.Context) { router.POST("/users/:userid", func(c *gin.Context) {
@ -130,24 +122,20 @@ func Run() {
return return
} }
var body User
if err := c.ShouldBind(&body); err != nil { // bad request from binding
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
// check if user already exists // check if user already exists
status, res := LDAPSession.GetUser(c.Param("userid")) status, res := LDAPSession.GetUser(c.Param("userid"))
if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user
var body UserRequired // all user attributes required for new users
if err := c.ShouldBind(&body); err != nil { // attempt to bind user data
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
status, res = LDAPSession.AddUser(c.Param("userid"), body) status, res = LDAPSession.AddUser(c.Param("userid"), body)
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
} else { // user already exists, attempt to modify user } else { // user already exists, attempt to modify user
var body UserOptional // all user attributes optional for new users
if err := c.ShouldBind(&body); err != nil { // attempt to bind user data
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
status, res = LDAPSession.ModUser(c.Param("userid"), body) status, res = LDAPSession.ModUser(c.Param("userid"), body)
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
} }
}) })
@ -166,7 +154,7 @@ func Run() {
} }
status, res := LDAPSession.GetUser(c.Param("userid")) status, res := LDAPSession.GetUser(c.Param("userid"))
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
}) })
router.DELETE("/users/:userid", func(c *gin.Context) { router.DELETE("/users/:userid", func(c *gin.Context) {
@ -184,7 +172,7 @@ func Run() {
} }
status, res := LDAPSession.DelUser(c.Param("userid")) status, res := LDAPSession.DelUser(c.Param("userid"))
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
}) })
router.GET("/groups", func(c *gin.Context) { router.GET("/groups", func(c *gin.Context) {
@ -202,7 +190,7 @@ func Run() {
} }
status, res := LDAPSession.GetAllGroups() status, res := LDAPSession.GetAllGroups()
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
}) })
router.GET("/groups/:groupid", func(c *gin.Context) { router.GET("/groups/:groupid", func(c *gin.Context) {
@ -220,7 +208,7 @@ func Run() {
} }
status, res := LDAPSession.GetGroup(c.Param("groupid")) status, res := LDAPSession.GetGroup(c.Param("groupid"))
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
}) })
router.POST("/groups/:groupid", func(c *gin.Context) { router.POST("/groups/:groupid", func(c *gin.Context) {
@ -243,14 +231,14 @@ func Run() {
return return
} }
// check if group already exists // check if user already exists
status, res := LDAPSession.GetGroup(c.Param("groupid")) status, res := LDAPSession.GetGroup(c.Param("groupid"))
if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // group does not already exist, create new group if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user
status, res = LDAPSession.AddGroup(c.Param("groupid"), body) status, res = LDAPSession.AddGroup(c.Param("groupid"), body)
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
} else { // group already exists, attempt to modify group } else { // user already exists, attempt to modify user
status, res = LDAPSession.ModGroup(c.Param("groupid"), body) status, res = LDAPSession.ModGroup(c.Param("groupid"), body)
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
} }
}) })
@ -269,7 +257,7 @@ func Run() {
} }
status, res := LDAPSession.DelGroup(c.Param("groupid")) status, res := LDAPSession.DelGroup(c.Param("groupid"))
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
}) })
router.POST("/groups/:groupid/members/:userid", func(c *gin.Context) { router.POST("/groups/:groupid/members/:userid", func(c *gin.Context) {
@ -287,7 +275,7 @@ func Run() {
} }
status, res := LDAPSession.AddUserToGroup(c.Param("userid"), c.Param("groupid")) status, res := LDAPSession.AddUserToGroup(c.Param("userid"), c.Param("groupid"))
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
}) })
router.DELETE("/groups/:groupid/members/:userid", func(c *gin.Context) { router.DELETE("/groups/:groupid/members/:userid", func(c *gin.Context) {
@ -305,10 +293,8 @@ func Run() {
} }
status, res := LDAPSession.DelUserFromGroup(c.Param("userid"), c.Param("groupid")) status, res := LDAPSession.DelUserFromGroup(c.Param("userid"), c.Param("groupid"))
c.JSON(status, HandleResponse(res)) c.JSON(status, res)
}) })
log.Printf("Starting LDAP API on port %s\n", strconv.Itoa(config.ListenPort))
router.Run("0.0.0.0:" + strconv.Itoa(config.ListenPort)) router.Run("0.0.0.0:" + strconv.Itoa(config.ListenPort))
} }

View File

@ -1,8 +1,6 @@
package app package app
import ( import (
"crypto/tls"
"errors"
"fmt" "fmt"
"net/http" "net/http"
@ -10,7 +8,6 @@ import (
"github.com/go-ldap/ldap/v3" "github.com/go-ldap/ldap/v3"
) )
// LDAPClient wrapper struct containing the connection, baseDN, peopleDN, and groupsDN
type LDAPClient struct { type LDAPClient struct {
client *ldap.Conn client *ldap.Conn
basedn string basedn string
@ -18,20 +15,8 @@ type LDAPClient struct {
groupsdn string groupsdn string
} }
// returns a new LDAPClient from the config
func NewLDAPClient(config Config) (*LDAPClient, error) { func NewLDAPClient(config Config) (*LDAPClient, error) {
LDAPConn, err := ldap.DialURL(config.LdapURL) LDAPConn, err := ldap.DialURL(config.LdapURL)
if err != nil {
return nil, err
}
if config.StartTLS {
err = LDAPConn.StartTLS(&tls.Config{InsecureSkipVerify: true})
if err != nil {
return nil, err
}
}
return &LDAPClient{ return &LDAPClient{
client: LDAPConn, client: LDAPConn,
basedn: config.BaseDN, basedn: config.BaseDN,
@ -40,7 +25,6 @@ func NewLDAPClient(config Config) (*LDAPClient, error) {
}, err }, err
} }
// bind a user using username and password to the LDAPClient
func (l LDAPClient) BindUser(username string, password string) error { func (l LDAPClient) BindUser(username string, password string) error {
userdn := fmt.Sprintf("uid=%s,%s", username, l.peopledn) userdn := fmt.Sprintf("uid=%s,%s", username, l.peopledn)
return l.client.Bind(userdn, password) return l.client.Bind(userdn, password)
@ -51,7 +35,7 @@ func (l LDAPClient) GetAllUsers() (int, gin.H) {
l.peopledn, // The base dn to search l.peopledn, // The base dn to search
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
"(&(objectClass=inetOrgPerson))", // The filter to apply "(&(objectClass=inetOrgPerson))", // The filter to apply
[]string{"dn", "cn", "sn", "mail", "uid", "memberOf"}, // A list attributes to retrieve []string{"dn", "cn", "sn", "mail", "uid"}, // A list attributes to retrieve
nil, nil,
) )
@ -66,8 +50,15 @@ func (l LDAPClient) GetAllUsers() (int, gin.H) {
var results = []gin.H{} // create list of results var results = []gin.H{} // create list of results
for _, entry := range searchResponse.Entries { // for each result, for _, entry := range searchResponse.Entries { // for each result,
user := LDAPEntryToLDAPUser(entry) results = append(results, gin.H{
results = append(results, LDAPUserToGin(user)) "dn": entry.DN,
"attributes": gin.H{
"cn": entry.GetAttributeValue("cn"),
"sn": entry.GetAttributeValue("sn"),
"mail": entry.GetAttributeValue("mail"),
"uid": entry.GetAttributeValue("uid"),
},
})
} }
return http.StatusOK, gin.H{ return http.StatusOK, gin.H{
@ -77,43 +68,11 @@ func (l LDAPClient) GetAllUsers() (int, gin.H) {
} }
} }
func (l LDAPClient) GetUser(uid string) (int, gin.H) { func (l LDAPClient) AddUser(uid string, user User) (int, gin.H) {
searchRequest := ldap.NewSearchRequest( // setup search for user by uid if user.CN == "" || user.SN == "" || user.UserPassword == "" {
fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // The base dn to search
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
"(&(objectClass=inetOrgPerson))", // The filter to apply
[]string{"dn", "cn", "sn", "mail", "uid", "memberOf"}, // A list attributes to retrieve
nil,
)
searchResponse, err := l.client.Search(searchRequest) // perform search
if err != nil {
return http.StatusBadRequest, gin.H{ return http.StatusBadRequest, gin.H{
"ok": false, "ok": false,
"error": err, "error": "Missing one of required fields: cn, sn, userpassword",
}
}
entry := searchResponse.Entries[0]
user := LDAPEntryToLDAPUser(entry)
result := LDAPUserToGin(user)
return http.StatusOK, gin.H{
"ok": true,
"error": nil,
"user": result,
}
}
func (l LDAPClient) AddUser(uid string, user UserRequired) (int, gin.H) {
if user.CN == "" || user.SN == "" || user.UserPassword == "" || user.Mail == "" {
return http.StatusBadRequest, gin.H{
"ok": false,
"error": ldap.NewError(
ldap.LDAPResultUnwillingToPerform,
errors.New("missing one of required fields: cn, sn, mail, userpassword"),
),
} }
} }
@ -123,8 +82,7 @@ func (l LDAPClient) AddUser(uid string, user UserRequired) (int, gin.H) {
) )
addRequest.Attribute("sn", []string{user.SN}) addRequest.Attribute("sn", []string{user.SN})
addRequest.Attribute("cn", []string{user.CN}) addRequest.Attribute("cn", []string{user.CN})
addRequest.Attribute("mail", []string{user.Mail}) addRequest.Attribute("userPassword", []string{user.CN})
addRequest.Attribute("userPassword", []string{user.UserPassword})
addRequest.Attribute("objectClass", []string{"inetOrgPerson"}) addRequest.Attribute("objectClass", []string{"inetOrgPerson"})
err := l.client.Add(addRequest) err := l.client.Add(addRequest)
@ -141,14 +99,46 @@ func (l LDAPClient) AddUser(uid string, user UserRequired) (int, gin.H) {
} }
} }
func (l LDAPClient) ModUser(uid string, user UserOptional) (int, gin.H) { func (l LDAPClient) GetUser(uid string) (int, gin.H) {
if user.CN == "" && user.SN == "" && user.UserPassword == "" && user.Mail == "" { searchRequest := ldap.NewSearchRequest( // setup search for user by uid
fmt.Sprintf("uid=%s,%s", uid, l.peopledn), // The base dn to search
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
"(&(objectClass=inetOrgPerson))", // The filter to apply
[]string{"dn", "cn", "sn", "mail", "uid"}, // A list attributes to retrieve
nil,
)
searchResponse, err := l.client.Search(searchRequest) // perform search
if err != nil {
return http.StatusBadRequest, gin.H{ return http.StatusBadRequest, gin.H{
"ok": false, "ok": false,
"error": ldap.NewError( "error": err,
ldap.LDAPResultUnwillingToPerform, }
errors.New("requires one of fields: cn, sn, mail, userpassword"), }
),
entry := searchResponse.Entries[0]
result := gin.H{
"dn": entry.DN,
"attributes": gin.H{
"cn": entry.GetAttributeValue("cn"),
"sn": entry.GetAttributeValue("sn"),
"mail": entry.GetAttributeValue("mail"),
"uid": entry.GetAttributeValue("uid"),
},
}
return http.StatusOK, gin.H{
"ok": true,
"error": nil,
"user": result,
}
}
func (l LDAPClient) ModUser(uid string, user User) (int, gin.H) {
if user.CN == "" && user.SN == "" && user.UserPassword == "" {
return http.StatusBadRequest, gin.H{
"ok": false,
"error": "Requires one of fields: cn, sn, userpassword",
} }
} }
@ -162,9 +152,6 @@ func (l LDAPClient) ModUser(uid string, user UserOptional) (int, gin.H) {
if user.SN != "" { if user.SN != "" {
modifyRequest.Replace("sn", []string{user.SN}) modifyRequest.Replace("sn", []string{user.SN})
} }
if user.Mail != "" {
modifyRequest.Replace("mail", []string{user.Mail})
}
if user.UserPassword != "" { if user.UserPassword != "" {
modifyRequest.Replace("userPassword", []string{user.UserPassword}) modifyRequest.Replace("userPassword", []string{user.UserPassword})
} }
@ -227,8 +214,13 @@ func (l LDAPClient) GetAllGroups() (int, gin.H) {
var results = []gin.H{} // create list of results var results = []gin.H{} // create list of results
for _, entry := range searchResponse.Entries { // for each result, for _, entry := range searchResponse.Entries { // for each result,
group := LDAPEntryToLDAPGroup(entry) results = append(results, gin.H{
results = append(results, LDAPGroupToGin(group)) "dn": entry.DN,
"attributes": gin.H{
"cn": entry.GetAttributeValue("cn"),
"member": entry.GetAttributeValues("member"),
},
})
} }
return http.StatusOK, gin.H{ return http.StatusOK, gin.H{
@ -256,8 +248,13 @@ func (l LDAPClient) GetGroup(gid string) (int, gin.H) {
} }
entry := searchResponse.Entries[0] entry := searchResponse.Entries[0]
group := LDAPEntryToLDAPGroup(entry) result := gin.H{
result := LDAPGroupToGin(group) "dn": entry.DN,
"attributes": gin.H{
"cn": entry.GetAttributeValue("cn"),
"member": entry.GetAttributeValues("member"),
},
}
return http.StatusOK, gin.H{ return http.StatusOK, gin.H{
"ok": true, "ok": true,
@ -290,22 +287,7 @@ func (l LDAPClient) AddGroup(gid string, group Group) (int, gin.H) {
} }
func (l LDAPClient) ModGroup(gid string, group Group) (int, gin.H) { func (l LDAPClient) ModGroup(gid string, group Group) (int, gin.H) {
modifyRequest := ldap.NewModifyRequest( return 200, gin.H{
fmt.Sprintf("cn=%s,%s", gid, l.groupsdn),
nil,
)
modifyRequest.Replace("cn", []string{gid})
err := l.client.Modify(modifyRequest)
if err != nil {
return http.StatusBadRequest, gin.H{
"ok": false,
"error": err,
}
}
return http.StatusOK, gin.H{
"ok": true, "ok": true,
"error": nil, "error": nil,
} }

View File

@ -2,16 +2,13 @@ package app
import ( import (
"encoding/json" "encoding/json"
"log"
"os" "os"
"github.com/gin-gonic/gin"
"github.com/go-ldap/ldap/v3"
) )
type Config struct { type Config struct {
ListenPort int `json:"listenPort"` ListenPort int `json:"listenPort"`
LdapURL string `json:"ldapURL"` LdapURL string `json:"ldapURL"`
StartTLS bool `json:"startTLS"`
BaseDN string `json:"baseDN"` BaseDN string `json:"baseDN"`
SessionSecretKey string `json:"sessionSecretKey"` SessionSecretKey string `json:"sessionSecretKey"`
SessionCookieName string `json:"sessionCookieName"` SessionCookieName string `json:"sessionCookieName"`
@ -23,17 +20,17 @@ type Config struct {
} }
} }
func GetConfig(configPath string) (Config, error) { func GetConfig(configPath string) Config {
content, err := os.ReadFile(configPath) content, err := os.ReadFile(configPath)
if err != nil { if err != nil {
return Config{}, err log.Fatal("Error when opening config file: ", err)
} }
var config Config var config Config
err = json.Unmarshal(content, &config) err = json.Unmarshal(content, &config)
if err != nil { if err != nil {
return Config{}, err log.Fatal("Error during parsing config file: ", err)
} }
return config, nil return config
} }
type Login struct { // login body struct type Login struct { // login body struct
@ -41,103 +38,11 @@ type Login struct { // login body struct
Password string `form:"password" binding:"required"` Password string `form:"password" binding:"required"`
} }
type LDAPUserAttributes struct { type User struct { // add or modify user body struct
CN string
SN string
Mail string
UID string
MemberOf []string
}
type LDAPUser struct {
DN string
Attributes LDAPUserAttributes
}
func LDAPEntryToLDAPUser(entry *ldap.Entry) LDAPUser {
return LDAPUser{
DN: entry.DN,
Attributes: LDAPUserAttributes{
CN: entry.GetAttributeValue("cn"),
SN: entry.GetAttributeValue("sn"),
Mail: entry.GetAttributeValue("mail"),
UID: entry.GetAttributeValue("uid"),
MemberOf: entry.GetAttributeValues("memberOf"),
},
}
}
func LDAPUserToGin(user LDAPUser) gin.H {
return gin.H{
"dn": user.DN,
"attributes": gin.H{
"cn": user.Attributes.CN,
"sn": user.Attributes.SN,
"mail": user.Attributes.Mail,
"uid": user.Attributes.UID,
"memberOf": user.Attributes.MemberOf,
},
}
}
type LDAPGroupAttributes struct {
CN string
Member []string
}
type LDAPGroup struct {
DN string
Attributes LDAPGroupAttributes
}
func LDAPEntryToLDAPGroup(entry *ldap.Entry) LDAPGroup {
return LDAPGroup{
DN: entry.DN,
Attributes: LDAPGroupAttributes{
CN: entry.GetAttributeValue("cn"),
Member: entry.GetAttributeValues("member"),
},
}
}
func LDAPGroupToGin(group LDAPGroup) gin.H {
return gin.H{
"dn": group.DN,
"attributes": gin.H{
"cn": group.Attributes.CN,
"member": group.Attributes.Member,
},
}
}
type UserOptional struct { // add or modify user body struct
CN string `form:"cn"` CN string `form:"cn"`
SN string `form:"sn"` SN string `form:"sn"`
Mail string `form:"mail"`
UserPassword string `form:"userpassword"` UserPassword string `form:"userpassword"`
} }
type UserRequired struct { // add or modify user body struct
CN string `form:"cn" binding:"required"`
SN string `form:"sn" binding:"required"`
Mail string `form:"mail" binding:"required"`
UserPassword string `form:"userpassword" binding:"required"`
}
type Group struct { // add or modify group body struct type Group struct { // add or modify group body struct
} }
func HandleResponse(response gin.H) gin.H {
if response["error"] != nil {
err := response["error"].(error)
LDAPerr := err.(*ldap.Error)
response["error"] = gin.H{
"code": LDAPerr.ResultCode,
"result": ldap.LDAPResultCodeMap[LDAPerr.ResultCode],
"message": LDAPerr.Err.Error(),
}
return response
} else {
return response
}
}

View File

@ -1,7 +1,6 @@
{ {
"listenPort": 80, "listenPort": 80,
"ldapURL": "ldap://localhost", "ldapURL": "ldap://localhost",
"startTLS": true,
"basedn": "dc=example,dc=com", "basedn": "dc=example,dc=com",
"sessionSecretKey": "super secret key", "sessionSecretKey": "super secret key",
"sessionCookieName": "PAASLDAPAuthTicket", "sessionCookieName": "PAASLDAPAuthTicket",

28
go.mod
View File

@ -1,6 +1,6 @@
module proxmoxaas-ldap module proxmoxaas-ldap
go 1.23.2 go 1.22.4
require ( require (
github.com/gin-contrib/sessions v1.0.1 github.com/gin-contrib/sessions v1.0.1
@ -11,37 +11,35 @@ require (
require ( require (
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/bytedance/sonic v1.12.3 // indirect github.com/bytedance/sonic v1.11.8 // indirect
github.com/bytedance/sonic/loader v0.2.1 // indirect github.com/bytedance/sonic/loader v0.1.1 // indirect
github.com/cloudwego/base64x v0.1.4 // indirect github.com/cloudwego/base64x v0.1.4 // indirect
github.com/cloudwego/iasm v0.2.0 // indirect github.com/cloudwego/iasm v0.2.0 // indirect
github.com/gabriel-vasile/mimetype v1.4.6 // indirect github.com/gabriel-vasile/mimetype v1.4.4 // indirect
github.com/gin-contrib/sse v0.1.0 // indirect github.com/gin-contrib/sse v0.1.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
github.com/go-playground/locales v0.14.1 // indirect github.com/go-playground/locales v0.14.1 // indirect
github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-playground/universal-translator v0.18.1 // indirect
github.com/go-playground/validator/v10 v10.22.1 // indirect github.com/go-playground/validator/v10 v10.22.0 // indirect
github.com/goccy/go-json v0.10.3 // indirect github.com/goccy/go-json v0.10.3 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/uuid v1.6.0 // indirect github.com/google/uuid v1.6.0 // indirect
github.com/gorilla/context v1.1.2 // indirect github.com/gorilla/context v1.1.2 // indirect
github.com/gorilla/securecookie v1.1.2 // indirect github.com/gorilla/securecookie v1.1.2 // indirect
github.com/gorilla/sessions v1.4.0 // indirect github.com/gorilla/sessions v1.3.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/cpuid/v2 v2.2.8 // indirect github.com/klauspost/cpuid/v2 v2.2.8 // indirect
github.com/knz/go-libedit v1.10.1 // indirect
github.com/leodido/go-urn v1.4.0 // indirect github.com/leodido/go-urn v1.4.0 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-isatty v0.0.20 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/pelletier/go-toml/v2 v2.2.3 // indirect github.com/pelletier/go-toml/v2 v2.2.2 // indirect
github.com/twitchyliquid64/golang-asm v0.15.1 // indirect github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
github.com/ugorji/go/codec v1.2.12 // indirect github.com/ugorji/go/codec v1.2.12 // indirect
golang.org/x/arch v0.11.0 // indirect golang.org/x/arch v0.8.0 // indirect
golang.org/x/crypto v0.28.0 // indirect golang.org/x/crypto v0.24.0 // indirect
golang.org/x/net v0.30.0 // indirect golang.org/x/net v0.26.0 // indirect
golang.org/x/sys v0.26.0 // indirect golang.org/x/sys v0.21.0 // indirect
golang.org/x/text v0.19.0 // indirect golang.org/x/text v0.16.0 // indirect
google.golang.org/protobuf v1.35.1 // indirect google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect
) )

View File

@ -1,18 +0,0 @@
.PHONY: prerequisites dev-init dev-reinit
prerequisites:
@echo "=================== Installing Prerequisites ==================="
apt install debconf-utils slapd ldap-utils sudo gettext
git clone https://git.tronnet.net/tronnet/open-ldap-setup
cd open-ldap-setup/; bash gencert.sh < ../gencert.conf;
rm -rf open-ldap-setup/
dev-init: prerequisites dev-reinit
dev-reinit:
@echo "====================== Initializing Slapd ======================"
cat debconf-slapd.conf | debconf-set-selections
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd
git clone https://git.tronnet.net/tronnet/open-ldap-setup
cd open-ldap-setup/; bash setup.sh < ../setup.conf;
rm -rf open-ldap-setup/

View File

@ -1,16 +0,0 @@
slapd slapd/password1 password admin
slapd slapd/internal/adminpw password admin
slapd slapd/internal/generated_adminpw password admin
slapd slapd/password2 password admin
slapd slapd/unsafe_selfwrite_acl note
slapd slapd/purge_database boolean true
slapd slapd/domain string test.paasldap
slapd slapd/ppolicy_schema_needs_update select abort installation
slapd slapd/invalid_config boolean true
slapd slapd/move_old_database boolean true
slapd slapd/backend select MDB
slapd shared/organization string paasldap
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
slapd slapd/no_configuration boolean false
slapd slapd/dump_database select when needed
slapd slapd/password_mismatch note

View File

@ -1,2 +0,0 @@
paasldap
localhost

View File

@ -1,10 +0,0 @@
dc=test,dc=paasldap
adminuser
adminuser@test.paasldap
admin
user
admin123
admin123
/etc/ssl/certs/ldap-ca-cert.pem
/etc/ldap/ldap-server-cert.pem
/etc/ldap/ldap-server-key.pem

View File

@ -1 +0,0 @@
{,,}

File diff suppressed because it is too large Load Diff

View File

@ -1,14 +0,0 @@
{
"listenPort": 80,
"ldapURL": "ldap://localhost",
"startTLS": true,
"basedn": "dc=test,dc=paasldap",
"sessionSecretKey": "test",
"sessionCookieName": "PAASLDAPAuthTicket",
"sessionCookie": {
"path": "/",
"httpOnly": true,
"secure": false,
"maxAge": 7200
}
}

View File

@ -1,156 +0,0 @@
package tests
import (
"fmt"
"math/rand"
"net/http"
"proxmoxaas-ldap/app"
"reflect"
"testing"
"github.com/gin-gonic/gin"
"github.com/go-ldap/ldap/v3"
)
func RandInt(min int, max int) int {
return rand.Intn(max+1-min) + min
}
func RandString(n int) string {
var letters = []rune("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
b := make([]rune, n)
for i := range b {
b[i] = letters[rand.Intn(len(letters))]
}
return string(b)
}
// random ldap style DN
func RandDN(n int) string {
return fmt.Sprintf("cn=%s,ou=%s,dc=%s,dc=%s", RandString(n), RandString(n), RandString(n), RandString(n))
}
// typically for testing values of a variable
func AssertEquals[T comparable](t *testing.T, label string, a T, b T) {
t.Helper()
if a != b {
t.Errorf(`%s = %#v; expected %#v.`, label, a, b)
}
}
// asserting the success or failure of a generic error
func AssertError(t *testing.T, label string, gotErr error, expectErr error) {
t.Helper()
if gotErr != nil && expectErr != nil {
if gotErr.Error() != expectErr.Error() {
t.Errorf(`%s returned %s; expected %s`, label, gotErr.Error(), expectErr.Error())
}
} else {
if gotErr != expectErr {
t.Errorf(`%s returned %s; expected %s`, label, gotErr.Error(), expectErr.Error())
}
}
}
// typically for asserting the success or failure of an ldap result
func AssertLDAPError(t *testing.T, label string, gotErr any, expectErrCode uint16) {
t.Helper()
expectError := ldap.LDAPResultCodeMap[expectErrCode]
if expectErrCode == ldap.LDAPResultSuccess { // expect success
if gotErr != nil { // got an error
gotErr := gotErr.(error)
t.Errorf(`%s returned %s; expected %s.`, label, gotErr.Error(), "success")
} // did not get an error
} else { // expect error
if gotErr == nil { // did not get an error
t.Errorf(`%s returned %s; expected %s.`, label, "success", expectError)
return
}
gotErr := gotErr.(error)
if !ldap.IsErrorWithCode(gotErr, expectErrCode) { // got an error that does not match the expected error
t.Errorf(`%s returned %s; expected %s.`, label, gotErr.Error(), expectError)
} // got the expected error
}
}
// typically for asserting the success or failure of an http result
func AssertStatus(t *testing.T, label string, gotCode int, expectCode int) {
t.Helper()
if expectCode == http.StatusOK {
if gotCode != http.StatusOK { // got an error
t.Errorf(`%s returned %d; expected %d.`, label, gotCode, expectCode)
}
} else { // expect error
if gotCode == http.StatusOK { // did not get an error
t.Errorf(`%s returned %d; expected %d.`, label, gotCode, expectCode)
} else if gotCode != expectCode { // got an error that does not match the expected error
t.Errorf(`%s returned %d; expected %d.`, label, gotCode, expectCode)
}
}
}
// compare if two users are equal, accepts LDAPUser or gin.H
func AssertLDAPUserEquals(t *testing.T, label string, a any, b app.LDAPUser) {
t.Helper()
aObj, ok := a.(app.LDAPUser)
if ok {
if !reflect.DeepEqual(aObj, b) {
t.Errorf(`%s = %#v; expected %#v.`, label, aObj, b)
}
return
}
aGin, ok := a.(gin.H)
if ok {
bGin := app.LDAPUserToGin(b)
if !reflect.DeepEqual(aGin, bGin) {
t.Errorf(`%s = %#v; expected %#v.`, label, aGin, bGin)
}
return
}
// not a supported type
t.Errorf(`%s = %#v; expected %#v.`, label, a, b)
}
// compare if two users are equal, accepts LDAPUser or gin.H
func AssertLDAPGroupEquals(t *testing.T, label string, a any, b app.LDAPGroup) {
t.Helper()
aObj, ok := a.(app.LDAPGroup)
if ok {
if !reflect.DeepEqual(aObj, b) {
t.Errorf(`%s = %#v; expected %#v.`, label, aObj, b)
}
return
}
aGin, ok := a.(gin.H)
if ok {
bGin := app.LDAPGroupToGin(b)
if !reflect.DeepEqual(aGin, bGin) {
t.Errorf(`%s = %#v; expected %#v.`, label, aGin, bGin)
}
return
}
// not a supported type
t.Errorf(`%s = %#v; expected %#v.`, label, a, b)
}
var _config, _ = app.GetConfig("test_config.json")
var BaseDN = _config.BaseDN
var PeopleDN = fmt.Sprintf("ou=people,%s", BaseDN)
var GroupDN = fmt.Sprintf("ou=groups,%s", BaseDN)
type User struct {
username string
password string
userObj app.LDAPUser
}
type Group struct {
groupname string
groupObj app.LDAPGroup
}

View File

@ -1,126 +0,0 @@
package tests
import (
"errors"
"fmt"
app "proxmoxaas-ldap/app"
"testing"
"github.com/gin-gonic/gin"
"github.com/go-ldap/ldap/v3"
)
// test the GetConfig utility function because it used in other tests
func TestConfig_ValidPath(t *testing.T) {
config, err := app.GetConfig("test_config.json")
AssertError(t, "GetConfig()", err, nil)
AssertEquals(t, "config.ListenPort", config.ListenPort, 80)
AssertEquals(t, "config.LdapURL", config.LdapURL, "ldap://localhost")
AssertEquals(t, "config.BaseDN", config.BaseDN, "dc=test,dc=paasldap")
AssertEquals(t, "config.SessionSecretKey", config.SessionSecretKey, "test")
AssertEquals(t, "config.SessionCookieName", config.SessionCookieName, "PAASLDAPAuthTicket")
AssertEquals(t, "config.SessionCookie.Path", config.SessionCookie.Path, "/")
AssertEquals(t, "config.SessionCookie.HttpOnly", config.SessionCookie.HttpOnly, true)
AssertEquals(t, "config.SessionCookie.Secure", config.SessionCookie.Secure, false)
AssertEquals(t, "config.SessionCookie.MaxAge", config.SessionCookie.MaxAge, 7200)
}
func TestConfig_InvalidPath(t *testing.T) {
badFileName := RandString(16)
_, err := app.GetConfig(badFileName)
expectedErr := fmt.Errorf("open %s: no such file or directory", badFileName)
AssertError(t, "GetConfig()", err, expectedErr)
_, err = app.GetConfig("bad_config.json")
expectedErr = fmt.Errorf("invalid character ',' looking for beginning of object key string")
AssertError(t, "GetConfig()", err, expectedErr)
}
// test the LDAPEntryToUser and LDAPUserToGin utility functions
func TestLDAPUserDataPipeline(t *testing.T) {
var memberOf []string
for i := 0; i < RandInt(5, 20); i++ {
memberOf = append(memberOf, RandDN(16))
}
expectedUser := app.LDAPUser{
DN: RandDN(16),
Attributes: app.LDAPUserAttributes{
CN: RandString(16),
SN: RandString(16),
Mail: RandString(16),
UID: RandString(16),
MemberOf: memberOf,
},
}
attributes := make(map[string][]string)
attributes["cn"] = []string{expectedUser.Attributes.CN}
attributes["sn"] = []string{expectedUser.Attributes.SN}
attributes["mail"] = []string{expectedUser.Attributes.Mail}
attributes["uid"] = []string{expectedUser.Attributes.UID}
attributes["memberOf"] = expectedUser.Attributes.MemberOf
entry := ldap.NewEntry(expectedUser.DN, attributes)
user := app.LDAPEntryToLDAPUser(entry)
AssertLDAPUserEquals(t, "LDAPEntryToLDAPUser(entry) -> user", user, expectedUser)
json := app.LDAPUserToGin(user)
AssertLDAPUserEquals(t, "LDAPUserToGin(user) -> json", json, expectedUser)
}
// test the LDAPEntryToGroup and LDAPGroupToGin utility functions
func TestLDAPGroupDataPipeline(t *testing.T) {
var member []string
for i := 0; i < RandInt(5, 20); i++ {
member = append(member, RandDN(16))
}
expectedGroup := app.LDAPGroup{
DN: RandDN(16),
Attributes: app.LDAPGroupAttributes{
Member: member,
},
}
attributes := make(map[string][]string)
attributes["member"] = expectedGroup.Attributes.Member
entry := ldap.NewEntry(expectedGroup.DN, attributes)
group := app.LDAPEntryToLDAPGroup(entry)
AssertLDAPGroupEquals(t, "LDAPEntryToLDAPGroup(entry) -> group", group, expectedGroup)
json := app.LDAPGroupToGin(group)
AssertLDAPGroupEquals(t, "LDAPGroupToGin(group) -> json", json, expectedGroup)
}
func TestHandleResponse(t *testing.T) {
for errorCode := range ldap.LDAPResultCodeMap {
expectedMessage := RandString(16)
LDAPerr := ldap.NewError(errorCode, errors.New(expectedMessage))
res := gin.H{
"error": LDAPerr,
}
LDAPResult := ldap.LDAPResultCodeMap[errorCode]
handledResponseError := (app.HandleResponse(res))["error"].(gin.H)
AssertEquals(t, `HandleResponse(res)["error"]["code"]`, handledResponseError["code"].(uint16), errorCode)
AssertEquals(t, `HandleResponse(res)["error"]["result"]`, handledResponseError["result"].(string), LDAPResult)
AssertEquals(t, `HandleResponse(res)["error"]["message"]`, handledResponseError["message"].(string), expectedMessage)
}
res := gin.H{
"ok": true,
"status": RandInt(0, 600),
}
handledResponse := app.HandleResponse(res)
AssertEquals(t, `HandleResponse(res)["ok"]`, handledResponse["ok"].(bool), res["ok"].(bool))
AssertEquals(t, `HandleResponse(res)["satus"]`, handledResponse["status"].(int), res["status"].(int))
AssertEquals(t, `HandleResponse(res)["error"]`, handledResponse["error"], nil)
}