Files
ProxmoxAAS-LDAP/app/app.go
2025-02-11 07:06:58 +00:00

326 lines
10 KiB
Go

package app
import (
"crypto/rand"
"encoding/gob"
"flag"
"log"
"net/http"
"strconv"
"github.com/gin-contrib/sessions"
"github.com/gin-contrib/sessions/cookie"
"github.com/gin-gonic/gin"
"github.com/go-ldap/ldap/v3"
uuid "github.com/nu7hatch/gouuid"
)
var LDAPSessions map[string]*LDAPClient
var AppVersion = "1.0.6"
var APIVersion = "1.0.4"
func Run() {
gob.Register(LDAPClient{})
log.Printf("Starting ProxmoxAAS-LDAP version %s\n", APIVersion)
configPath := flag.String("config", "config.json", "path to config.json file")
flag.Parse()
config, err := GetConfig(*configPath)
if err != nil {
log.Fatalf("Error when reading config file: %s\n", err)
}
log.Printf("Read in config from %s\n", *configPath)
secretKey := make([]byte, 256)
n, err := rand.Read(secretKey)
if err != nil {
log.Fatalf("Error when generating session secret key: %s\n", err.Error())
}
log.Printf("Generated session secret key of length %d\n", n)
gin.SetMode(gin.ReleaseMode)
router := gin.Default()
store := cookie.NewStore(secretKey)
store.Options(sessions.Options{
Path: config.SessionCookie.Path,
HttpOnly: config.SessionCookie.HttpOnly,
Secure: config.SessionCookie.Secure,
MaxAge: config.SessionCookie.MaxAge,
})
router.Use(sessions.Sessions(config.SessionCookieName, store))
log.Printf("Started API router and cookie store (Name: %s Params: %+v)\n", config.SessionCookieName, config.SessionCookie)
LDAPSessions = make(map[string]*LDAPClient)
router.GET("/version", func(c *gin.Context) {
c.JSON(http.StatusOK, gin.H{"version": APIVersion, "app-version": AppVersion})
})
router.POST("/ticket", func(c *gin.Context) {
var body Login
if err := c.ShouldBind(&body); err != nil { // bad request from binding
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
newLDAPClient, err := NewLDAPClient(config)
if err != nil { // failed to dial ldap server, considered a server error
c.JSON(http.StatusInternalServerError, gin.H{"auth": false, "error": err.Error()})
return
}
err = newLDAPClient.BindUser(body.Username, body.Password)
if err != nil { // failed to authenticate, return error
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
// successful binding at this point
// create new session
session := sessions.Default(c)
// create (hopefully) safe uuid to map to ldap session
uuid, _ := uuid.NewV4()
// set uuid mapping in session
session.Set("SessionUUID", uuid.String())
// set uuid mapping in LDAPSessions
LDAPSessions[uuid.String()] = newLDAPClient
// save the session
session.Save()
// return successful auth
c.JSON(http.StatusOK, gin.H{"auth": true})
})
router.DELETE("/ticket", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
delete(LDAPSessions, uuid)
session.Options(sessions.Options{MaxAge: -1}) // set max age to -1 so it is deleted
session.Save()
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
})
router.GET("/users", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
status, res := LDAPSession.GetAllUsers()
c.JSON(status, HandleResponse(res))
})
router.POST("/users/:userid", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
// check if user already exists
status, res := LDAPSession.GetUser(c.Param("userid"))
if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // user does not already exist, create new user
var body UserRequired // all user attributes required for new users
if err := c.ShouldBind(&body); err != nil { // attempt to bind user data
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
status, res = LDAPSession.AddUser(c.Param("userid"), body)
c.JSON(status, HandleResponse(res))
} else { // user already exists, attempt to modify user
var body UserOptional // all user attributes optional for new users
if err := c.ShouldBind(&body); err != nil { // attempt to bind user data
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
status, res = LDAPSession.ModUser(c.Param("userid"), body)
c.JSON(status, HandleResponse(res))
}
})
router.GET("/users/:userid", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
status, res := LDAPSession.GetUser(c.Param("userid"))
c.JSON(status, HandleResponse(res))
})
router.DELETE("/users/:userid", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
status, res := LDAPSession.DelUser(c.Param("userid"))
c.JSON(status, HandleResponse(res))
})
router.GET("/groups", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
status, res := LDAPSession.GetAllGroups()
c.JSON(status, HandleResponse(res))
})
router.GET("/groups/:groupid", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
status, res := LDAPSession.GetGroup(c.Param("groupid"))
c.JSON(status, HandleResponse(res))
})
router.POST("/groups/:groupid", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
var body Group
if err := c.ShouldBind(&body); err != nil { // bad request from binding
c.JSON(http.StatusBadRequest, gin.H{"auth": false, "error": err.Error()})
return
}
// check if group already exists
status, res := LDAPSession.GetGroup(c.Param("groupid"))
if status != 200 && ldap.IsErrorWithCode(res["error"].(error), ldap.LDAPResultNoSuchObject) { // group does not already exist, create new group
status, res = LDAPSession.AddGroup(c.Param("groupid"), body)
c.JSON(status, HandleResponse(res))
} else { // group already exists, attempt to modify group
status, res = LDAPSession.ModGroup(c.Param("groupid"), body)
c.JSON(status, HandleResponse(res))
}
})
router.DELETE("/groups/:groupid", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
status, res := LDAPSession.DelGroup(c.Param("groupid"))
c.JSON(status, HandleResponse(res))
})
router.POST("/groups/:groupid/members/:userid", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
status, res := LDAPSession.AddUserToGroup(c.Param("userid"), c.Param("groupid"))
c.JSON(status, HandleResponse(res))
})
router.DELETE("/groups/:groupid/members/:userid", func(c *gin.Context) {
session := sessions.Default(c)
SessionUUID := session.Get("SessionUUID")
if SessionUUID == nil {
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
uuid := SessionUUID.(string)
LDAPSession := LDAPSessions[uuid]
if LDAPSession == nil { // does not have registered ldap session associated with cookie session
c.JSON(http.StatusUnauthorized, gin.H{"auth": false})
return
}
status, res := LDAPSession.DelUserFromGroup(c.Param("userid"), c.Param("groupid"))
c.JSON(status, HandleResponse(res))
})
log.Printf("Starting LDAP API on port %s\n", strconv.Itoa(config.ListenPort))
err = router.Run("0.0.0.0:" + strconv.Itoa(config.ListenPort))
if err != nil {
log.Fatalf("Error starting router: %s", err.Error())
}
}