Merge branch 'main' of https://git.tronnet.net/tronnet/ProxmoxAAS-LDAP

update dependencies

.gitignore

@@ -1,3 +1,3 @@
-**/go.sum
-**/config.json
+go.sum
 dist/*
+**/config.json

Makefile

@@ -1,9 +1,23 @@
-build: clean
-	CGO_ENABLED=0 go build -ldflags="-s -w" -o dist/ .
+.PHONY: build test clean dev-init dev-reinit
 
-test: clean
-	go run .
+build: clean
+	@echo "======================== Building Binary ======================="
+	CGO_ENABLED=0 go build -ldflags="-s -w" -v -o dist/ .
+
+test: dev-reinit
+	@echo "======================== Running Tests ========================="
+	go test -v -cover -coverpkg=./app/ -coverprofile coverage ./test/
+	@echo "======================= Coverage Report ========================"
+	go tool cover -func=coverage
+	@rm -f coverage
 
 clean:
+	@echo "======================== Cleaning Project ======================"
 	go clean
 	rm -f dist/*
+
+dev-init:
+	@cd scripts; make dev-init
+
+dev-reinit:
+	@cd scripts; make dev-reinit

README.md

@@ -28,9 +28,33 @@ ProxmoxAAS LDAP provides a simple API for managing users and groups in a simplif
 
 ### Installation
 
-1. Download `proxmoxaas-ldap` binary and `template.config.json` file from [releases](releases)
+1. Download `proxmoxaas-ldap` binary and `template.config.json` file from [releases](https://git.tronnet.net/tronnet/ProxmoxAAS-LDAP/releases)
 2. Rename `template.config.json` to `config.json` and modify:
+    - listenPort: port for PAAS-LDAP to bind and listen on 
     - ldapURL: url to the ldap server ie. `ldap://ldap.domain.net`
-    - baseDN: base DN ie. `dc=domain,dc=net`
-    - sessionSecretKey: random value used to randomize cookie values, replace with any sufficiently large random string
+    - startTLS: true if backend LDAP supports StartTLS
+    - basedn: base DN ie. `dc=domain,dc=net`
+    - sessionCookieName: name of the session cookie
+    - sessionCookie: specific cookie properties
+        - path: cookie path
+        - httpOnly: cookie http-only
+        - secure: cookie secure
+        - maxAge: cookie max-age
 3. Run the binary
+
+## Building and Testing from Source
+
+Building requires the go toolchain. Testing requires the go toolchain, make, and apt. Currently only supports Debian.
+
+### Building from Source
+
+1. Clone the repository
+2. Run `go get` to get requirements
+3. Run `make` to build the binary
+
+### Testing Source
+
+1. Clone the repository
+2. Run `go get` to get requirements
+3. Run `make dev-init` to install test requirements including openldap (slapd), ldap-utils, debconf-utils
+4. Run `make test` to run all tests

app/app.go

@@ -1,6 +1,7 @@
 package app
 
 import (
+	"crypto/rand"
 	"encoding/gob"
 	"flag"
 	"log"
@@ -15,10 +16,12 @@ import (
 )
 
 var LDAPSessions map[string]*LDAPClient
+var AppVersion = "1.0.6"
 var APIVersion = "1.0.4"
 
 func Run() {
 	gob.Register(LDAPClient{})
+	gin.SetMode(gin.ReleaseMode)
 
 	log.Printf("Starting ProxmoxAAS-LDAP version %s\n", APIVersion)
 
@@ -27,13 +30,19 @@ func Run() {
 
 	config, err := GetConfig(*configPath)
 	if err != nil {
-		log.Fatal("Error when reading config file: ", err)
+		log.Fatalf("Error when reading config file: %s\n", err)
 	}
 	log.Printf("Read in config from %s\n", *configPath)
 
-	gin.SetMode(gin.ReleaseMode)
+	secretKey := make([]byte, 256)
+	n, err := rand.Read(secretKey)
+	if err != nil {
+		log.Fatalf("Error when generating session secret key: %s\n", err.Error())
+	}
+	log.Printf("Generated session secret key of length %d\n", n)
+
 	router := gin.Default()
-	store := cookie.NewStore([]byte(config.SessionSecretKey))
+	store := cookie.NewStore(secretKey)
 	store.Options(sessions.Options{
 		Path:     config.SessionCookie.Path,
 		HttpOnly: config.SessionCookie.HttpOnly,
@@ -47,7 +56,7 @@ func Run() {
 	LDAPSessions = make(map[string]*LDAPClient)
 
 	router.GET("/version", func(c *gin.Context) {
-		c.JSON(http.StatusOK, gin.H{"version": APIVersion})
+		c.JSON(http.StatusOK, gin.H{"version": APIVersion, "app-version": AppVersion})
 	})
 
 	router.POST("/ticket", func(c *gin.Context) {
@@ -93,7 +102,7 @@ func Run() {
 		uuid := SessionUUID.(string)
 		delete(LDAPSessions, uuid)
 		session.Options(sessions.Options{MaxAge: -1}) // set max age to -1 so it is deleted
-		_ = session.Save()
+		session.Save()
 		c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
 	})
 
@@ -309,5 +318,8 @@ func Run() {
 
 	log.Printf("Starting LDAP API on port %s\n", strconv.Itoa(config.ListenPort))
 
-	router.Run("0.0.0.0:" + strconv.Itoa(config.ListenPort))
+	err = router.Run("0.0.0.0:" + strconv.Itoa(config.ListenPort))
+	if err != nil {
+		log.Fatalf("Error starting router: %s", err.Error())
+	}
 }

app/ldap.go

@@ -1,6 +1,7 @@
 package app
 
 import (
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"net/http"
@@ -20,6 +21,17 @@ type LDAPClient struct {
 // returns a new LDAPClient from the config
 func NewLDAPClient(config Config) (*LDAPClient, error) {
 	LDAPConn, err := ldap.DialURL(config.LdapURL)
+	if err != nil {
+		return nil, err
+	}
+
+	if config.StartTLS {
+		err = LDAPConn.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return &LDAPClient{
 		client:   LDAPConn,
 		basedn:   config.BaseDN,

app/utils.go

@@ -11,8 +11,8 @@ import (
 type Config struct {
 	ListenPort        int    `json:"listenPort"`
 	LdapURL           string `json:"ldapURL"`
+	StartTLS          bool   `json:"startTLS"`
 	BaseDN            string `json:"baseDN"`
-	SessionSecretKey  string `json:"sessionSecretKey"`
 	SessionCookieName string `json:"sessionCookieName"`
 	SessionCookie     struct {
 		Path     string `json:"path"`

configs/template.config.json

@@ -1,8 +1,8 @@
 {
     "listenPort": 80,
     "ldapURL": "ldap://localhost",
+    "startTLS": true,
     "basedn": "dc=example,dc=com",
-    "sessionSecretKey": "super secret key",
     "sessionCookieName": "PAASLDAPAuthTicket",
     "sessionCookie": {
         "path": "/",

go.mod

@@ -1,36 +1,35 @@
 module proxmoxaas-ldap
 
-go 1.23
-
-toolchain go1.23.2
+go 1.23.6
 
 require (
-	github.com/gin-contrib/sessions v1.0.1
+	github.com/gin-contrib/sessions v1.0.2
 	github.com/gin-gonic/gin v1.10.0
-	github.com/go-ldap/ldap/v3 v3.4.8
+	github.com/go-ldap/ldap/v3 v3.4.10
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/bytedance/sonic v1.12.3 // indirect
-	github.com/bytedance/sonic/loader v0.2.0 // indirect
-	github.com/cloudwego/base64x v0.1.4 // indirect
+	github.com/bytedance/sonic v1.12.8 // indirect
+	github.com/bytedance/sonic/loader v0.2.3 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.6 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gin-contrib/sse v1.0.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-playground/validator/v10 v10.22.1 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/go-playground/validator/v10 v10.24.0 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/context v1.1.2 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/gorilla/sessions v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
+	github.com/knz/go-libedit v1.10.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -38,11 +37,11 @@ require (
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
-	golang.org/x/arch v0.11.0 // indirect
-	golang.org/x/crypto v0.28.0 // indirect
-	golang.org/x/net v0.30.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
-	google.golang.org/protobuf v1.35.1 // indirect
+	golang.org/x/arch v0.14.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

scripts/Makefile

@@ -0,0 +1,18 @@
+.PHONY: prerequisites dev-init dev-reinit
+
+prerequisites:
+	@echo "=================== Installing Prerequisites ==================="
+	apt install debconf-utils slapd ldap-utils sudo gettext gnutls-bin
+	git clone https://git.tronnet.net/tronnet/open-ldap-setup
+	cd open-ldap-setup/; bash gencert.sh < ../gencert.conf;
+	rm -rf open-ldap-setup/
+
+dev-init: prerequisites dev-reinit
+
+dev-reinit:
+	@echo "====================== Initializing Slapd ======================"
+	cat debconf-slapd.conf | debconf-set-selections
+	DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd
+	git clone https://git.tronnet.net/tronnet/open-ldap-setup
+	cd open-ldap-setup/; bash setup.sh < ../setup.conf;
+	rm -rf open-ldap-setup/

scripts/debconf-slapd.conf

@@ -0,0 +1,16 @@
+slapd slapd/password1 password admin
+slapd slapd/internal/adminpw password admin
+slapd slapd/internal/generated_adminpw password admin
+slapd slapd/password2 password admin
+slapd slapd/unsafe_selfwrite_acl note
+slapd slapd/purge_database boolean true
+slapd slapd/domain string test.paasldap
+slapd slapd/ppolicy_schema_needs_update select abort installation
+slapd slapd/invalid_config boolean true
+slapd slapd/move_old_database boolean true
+slapd slapd/backend select MDB
+slapd shared/organization string paasldap
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/no_configuration boolean false
+slapd slapd/dump_database select when needed
+slapd slapd/password_mismatch note

scripts/gencert.conf

@@ -0,0 +1,2 @@
+paasldap
+localhost

scripts/setup.conf

@@ -0,0 +1,10 @@
+dc=test,dc=paasldap
+adminuser
+adminuser@test.paasldap
+admin
+user
+admin123
+admin123
+/etc/ssl/certs/ldap-ca-cert.pem
+/etc/ldap/ldap-server-cert.pem
+/etc/ldap/ldap-server-key.pem

test/bad_config.json

@@ -0,0 +1 @@
+{,,}

test/test_config.json

@@ -0,0 +1,13 @@
+{
+    "listenPort": 80,
+    "ldapURL": "ldap://localhost",
+    "startTLS": true,
+    "basedn": "dc=test,dc=paasldap",
+    "sessionCookieName": "PAASLDAPAuthTicket",
+    "sessionCookie": {
+        "path": "/",
+        "httpOnly": true,
+        "secure": false,
+        "maxAge": 7200
+    }
+}

test/test_utils.go

@@ -0,0 +1,156 @@
+package tests
+
+import (
+	"fmt"
+	"math/rand"
+	"net/http"
+	"proxmoxaas-ldap/app"
+	"reflect"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/go-ldap/ldap/v3"
+)
+
+func RandInt(min int, max int) int {
+	return rand.Intn(max+1-min) + min
+}
+
+func RandString(n int) string {
+	var letters = []rune("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
+	b := make([]rune, n)
+	for i := range b {
+		b[i] = letters[rand.Intn(len(letters))]
+	}
+	return string(b)
+}
+
+// random ldap style DN
+func RandDN(n int) string {
+	return fmt.Sprintf("cn=%s,ou=%s,dc=%s,dc=%s", RandString(n), RandString(n), RandString(n), RandString(n))
+}
+
+// typically for testing values of a variable
+func AssertEquals[T comparable](t *testing.T, label string, a T, b T) {
+	t.Helper()
+	if a != b {
+		t.Errorf(`%s = %#v; expected %#v.`, label, a, b)
+	}
+}
+
+// asserting the success or failure of a generic error
+func AssertError(t *testing.T, label string, gotErr error, expectErr error) {
+	t.Helper()
+	if gotErr != nil && expectErr != nil {
+		if gotErr.Error() != expectErr.Error() {
+			t.Errorf(`%s returned %s; expected %s`, label, gotErr.Error(), expectErr.Error())
+		}
+	} else {
+		if gotErr != expectErr {
+			t.Errorf(`%s returned %s; expected %s`, label, gotErr.Error(), expectErr.Error())
+		}
+	}
+}
+
+// typically for asserting the success or failure of an ldap result
+func AssertLDAPError(t *testing.T, label string, gotErr any, expectErrCode uint16) {
+	t.Helper()
+	expectError := ldap.LDAPResultCodeMap[expectErrCode]
+	if expectErrCode == ldap.LDAPResultSuccess { // expect success
+		if gotErr != nil { // got an error
+			gotErr := gotErr.(error)
+			t.Errorf(`%s returned %s; expected %s.`, label, gotErr.Error(), "success")
+		} // did not get an error
+	} else { // expect error
+		if gotErr == nil { // did not get an error
+			t.Errorf(`%s returned %s; expected %s.`, label, "success", expectError)
+			return
+		}
+		gotErr := gotErr.(error)
+		if !ldap.IsErrorWithCode(gotErr, expectErrCode) { // got an error that does not match the expected error
+			t.Errorf(`%s returned %s; expected %s.`, label, gotErr.Error(), expectError)
+		} // got the expected error
+	}
+}
+
+// typically for asserting the success or failure of an http result
+func AssertStatus(t *testing.T, label string, gotCode int, expectCode int) {
+	t.Helper()
+	if expectCode == http.StatusOK {
+		if gotCode != http.StatusOK { // got an error
+			t.Errorf(`%s returned %d; expected %d.`, label, gotCode, expectCode)
+		}
+	} else { // expect error
+		if gotCode == http.StatusOK { // did not get an error
+			t.Errorf(`%s returned %d; expected %d.`, label, gotCode, expectCode)
+		} else if gotCode != expectCode { // got an error that does not match the expected error
+			t.Errorf(`%s returned %d; expected %d.`, label, gotCode, expectCode)
+		}
+	}
+}
+
+// compare if two users are equal, accepts LDAPUser or gin.H
+func AssertLDAPUserEquals(t *testing.T, label string, a any, b app.LDAPUser) {
+	t.Helper()
+
+	aObj, ok := a.(app.LDAPUser)
+	if ok {
+		if !reflect.DeepEqual(aObj, b) {
+			t.Errorf(`%s = %#v; expected %#v.`, label, aObj, b)
+		}
+		return
+	}
+
+	aGin, ok := a.(gin.H)
+	if ok {
+		bGin := app.LDAPUserToGin(b)
+		if !reflect.DeepEqual(aGin, bGin) {
+			t.Errorf(`%s = %#v; expected %#v.`, label, aGin, bGin)
+		}
+		return
+	}
+
+	// not a supported type
+	t.Errorf(`%s = %#v; expected %#v.`, label, a, b)
+}
+
+// compare if two users are equal, accepts LDAPUser or gin.H
+func AssertLDAPGroupEquals(t *testing.T, label string, a any, b app.LDAPGroup) {
+	t.Helper()
+
+	aObj, ok := a.(app.LDAPGroup)
+	if ok {
+		if !reflect.DeepEqual(aObj, b) {
+			t.Errorf(`%s = %#v; expected %#v.`, label, aObj, b)
+		}
+		return
+	}
+
+	aGin, ok := a.(gin.H)
+	if ok {
+		bGin := app.LDAPGroupToGin(b)
+		if !reflect.DeepEqual(aGin, bGin) {
+			t.Errorf(`%s = %#v; expected %#v.`, label, aGin, bGin)
+		}
+		return
+	}
+
+	// not a supported type
+	t.Errorf(`%s = %#v; expected %#v.`, label, a, b)
+}
+
+var _config, _ = app.GetConfig("test_config.json")
+var BaseDN = _config.BaseDN
+var PeopleDN = fmt.Sprintf("ou=people,%s", BaseDN)
+var GroupDN = fmt.Sprintf("ou=groups,%s", BaseDN)
+
+type User struct {
+	username string
+	password string
+	userObj  app.LDAPUser
+}
+
+type Group struct {
+	groupname string
+	groupObj  app.LDAPGroup
+}

test/unit_test.go

@@ -0,0 +1,125 @@
+package tests
+
+import (
+	"errors"
+	"fmt"
+	app "proxmoxaas-ldap/app"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/go-ldap/ldap/v3"
+)
+
+// test the GetConfig utility function because it used in other tests
+func TestConfig_ValidPath(t *testing.T) {
+	config, err := app.GetConfig("test_config.json")
+
+	AssertError(t, "GetConfig()", err, nil)
+	AssertEquals(t, "config.ListenPort", config.ListenPort, 80)
+	AssertEquals(t, "config.LdapURL", config.LdapURL, "ldap://localhost")
+	AssertEquals(t, "config.BaseDN", config.BaseDN, "dc=test,dc=paasldap")
+	AssertEquals(t, "config.SessionCookieName", config.SessionCookieName, "PAASLDAPAuthTicket")
+	AssertEquals(t, "config.SessionCookie.Path", config.SessionCookie.Path, "/")
+	AssertEquals(t, "config.SessionCookie.HttpOnly", config.SessionCookie.HttpOnly, true)
+	AssertEquals(t, "config.SessionCookie.Secure", config.SessionCookie.Secure, false)
+	AssertEquals(t, "config.SessionCookie.MaxAge", config.SessionCookie.MaxAge, 7200)
+}
+
+func TestConfig_InvalidPath(t *testing.T) {
+	badFileName := RandString(16)
+	_, err := app.GetConfig(badFileName)
+	expectedErr := fmt.Errorf("open %s: no such file or directory", badFileName)
+	AssertError(t, "GetConfig()", err, expectedErr)
+
+	_, err = app.GetConfig("bad_config.json")
+	expectedErr = fmt.Errorf("invalid character ',' looking for beginning of object key string")
+	AssertError(t, "GetConfig()", err, expectedErr)
+}
+
+// test the LDAPEntryToUser and LDAPUserToGin utility functions
+func TestLDAPUserDataPipeline(t *testing.T) {
+	var memberOf []string
+	for i := 0; i < RandInt(5, 20); i++ {
+		memberOf = append(memberOf, RandDN(16))
+	}
+
+	expectedUser := app.LDAPUser{
+		DN: RandDN(16),
+		Attributes: app.LDAPUserAttributes{
+			CN:       RandString(16),
+			SN:       RandString(16),
+			Mail:     RandString(16),
+			UID:      RandString(16),
+			MemberOf: memberOf,
+		},
+	}
+
+	attributes := make(map[string][]string)
+	attributes["cn"] = []string{expectedUser.Attributes.CN}
+	attributes["sn"] = []string{expectedUser.Attributes.SN}
+	attributes["mail"] = []string{expectedUser.Attributes.Mail}
+	attributes["uid"] = []string{expectedUser.Attributes.UID}
+	attributes["memberOf"] = expectedUser.Attributes.MemberOf
+
+	entry := ldap.NewEntry(expectedUser.DN, attributes)
+
+	user := app.LDAPEntryToLDAPUser(entry)
+	AssertLDAPUserEquals(t, "LDAPEntryToLDAPUser(entry) -> user", user, expectedUser)
+
+	json := app.LDAPUserToGin(user)
+	AssertLDAPUserEquals(t, "LDAPUserToGin(user) -> json", json, expectedUser)
+}
+
+// test the LDAPEntryToGroup and LDAPGroupToGin utility functions
+func TestLDAPGroupDataPipeline(t *testing.T) {
+	var member []string
+	for i := 0; i < RandInt(5, 20); i++ {
+		member = append(member, RandDN(16))
+	}
+
+	expectedGroup := app.LDAPGroup{
+		DN: RandDN(16),
+		Attributes: app.LDAPGroupAttributes{
+			Member: member,
+		},
+	}
+
+	attributes := make(map[string][]string)
+	attributes["member"] = expectedGroup.Attributes.Member
+
+	entry := ldap.NewEntry(expectedGroup.DN, attributes)
+
+	group := app.LDAPEntryToLDAPGroup(entry)
+	AssertLDAPGroupEquals(t, "LDAPEntryToLDAPGroup(entry) -> group", group, expectedGroup)
+
+	json := app.LDAPGroupToGin(group)
+	AssertLDAPGroupEquals(t, "LDAPGroupToGin(group) -> json", json, expectedGroup)
+}
+
+func TestHandleResponse(t *testing.T) {
+	for errorCode := range ldap.LDAPResultCodeMap {
+		expectedMessage := RandString(16)
+		LDAPerr := ldap.NewError(errorCode, errors.New(expectedMessage))
+		res := gin.H{
+			"error": LDAPerr,
+		}
+		LDAPResult := ldap.LDAPResultCodeMap[errorCode]
+
+		handledResponseError := (app.HandleResponse(res))["error"].(gin.H)
+
+		AssertEquals(t, `HandleResponse(res)["error"]["code"]`, handledResponseError["code"].(uint16), errorCode)
+		AssertEquals(t, `HandleResponse(res)["error"]["result"]`, handledResponseError["result"].(string), LDAPResult)
+		AssertEquals(t, `HandleResponse(res)["error"]["message"]`, handledResponseError["message"].(string), expectedMessage)
+	}
+
+	res := gin.H{
+		"ok":     true,
+		"status": RandInt(0, 600),
+	}
+
+	handledResponse := app.HandleResponse(res)
+
+	AssertEquals(t, `HandleResponse(res)["ok"]`, handledResponse["ok"].(bool), res["ok"].(bool))
+	AssertEquals(t, `HandleResponse(res)["satus"]`, handledResponse["status"].(int), res["status"].(int))
+	AssertEquals(t, `HandleResponse(res)["error"]`, handledResponse["error"], nil)
+}