osbzr
/
com
项目红包剩余9514,下一贡献奖励5%,即 476个红包
Observar 15
Favorito 7
Wiki 捐赠
本站源代码
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
Tag: 4f0cac5ea6
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 4f0cac5ea6
${ noResults }
com/modules/auth/ldap/ldap.go

373 linhas
11KB
Original Anotar Histórico 

  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. // Package ldap provide functions & structure to query a LDAP ldap directory

  6. // For now, it's mainly tested again an MS Active Directory service, see README.md for more information

  7. package ldap

  8. 

  9. import (

  10. 	"crypto/tls"

  11. 	"fmt"

  12. 	"strings"

  13. 

  14. 	"code.gitea.io/gitea/modules/log"

  15. 

  16. 	ldap "gopkg.in/ldap.v3"

  17. )

  18. 

  19. // SecurityProtocol protocol type

  20. type SecurityProtocol int

  21. 

  22. // Note: new type must be added at the end of list to maintain compatibility.

  23. const (

  24. 	SecurityProtocolUnencrypted SecurityProtocol = iota

  25. 	SecurityProtocolLDAPS

  26. 	SecurityProtocolStartTLS

  27. )

  28. 

  29. // Source Basic LDAP authentication service

  30. type Source struct {

  31. 	Name                  string // canonical name (ie. corporate.ad)

  32. 	Host                  string // LDAP host

  33. 	Port                  int    // port number

  34. 	SecurityProtocol      SecurityProtocol

  35. 	SkipVerify            bool

  36. 	BindDN                string // DN to bind with

  37. 	BindPassword          string // Bind DN password

  38. 	UserBase              string // Base search path for users

  39. 	UserDN                string // Template for the DN of the user for simple auth

  40. 	AttributeUsername     string // Username attribute

  41. 	AttributeName         string // First name attribute

  42. 	AttributeSurname      string // Surname attribute

  43. 	AttributeMail         string // E-mail attribute

  44. 	AttributesInBind      bool   // fetch attributes in bind context (not user)

  45. 	AttributeSSHPublicKey string // LDAP SSH Public Key attribute

  46. 	SearchPageSize        uint32 // Search with paging page size

  47. 	Filter                string // Query filter to validate entry

  48. 	AdminFilter           string // Query filter to check if user is admin

  49. 	Enabled               bool   // if this source is disabled

  50. }

  51. 

  52. // SearchResult : user data

  53. type SearchResult struct {

  54. 	Username     string   // Username

  55. 	Name         string   // Name

  56. 	Surname      string   // Surname

  57. 	Mail         string   // E-mail address

  58. 	SSHPublicKey []string // SSH Public Key

  59. 	IsAdmin      bool     // if user is administrator

  60. }

  61. 

  62. func (ls *Source) sanitizedUserQuery(username string) (string, bool) {

  63. 	// See http://tools.ietf.org/search/rfc4515

  64. 	badCharacters := "\x00()*\\"

  65. 	if strings.ContainsAny(username, badCharacters) {

  66. 		log.Debug("'%s' contains invalid query characters. Aborting.", username)

  67. 		return "", false

  68. 	}

  69. 

  70. 	return fmt.Sprintf(ls.Filter, username), true

  71. }

  72. 

  73. func (ls *Source) sanitizedUserDN(username string) (string, bool) {

  74. 	// See http://tools.ietf.org/search/rfc4514: "special characters"

  75. 	badCharacters := "\x00()*\\,='\"#+;<>"

  76. 	if strings.ContainsAny(username, badCharacters) {

  77. 		log.Debug("'%s' contains invalid DN characters. Aborting.", username)

  78. 		return "", false

  79. 	}

  80. 

  81. 	return fmt.Sprintf(ls.UserDN, username), true

  82. }

  83. 

  84. func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {

  85. 	log.Trace("Search for LDAP user: %s", name)

  86. 

  87. 	// A search for the user.

  88. 	userFilter, ok := ls.sanitizedUserQuery(name)

  89. 	if !ok {

  90. 		return "", false

  91. 	}

  92. 

  93. 	log.Trace("Searching for DN using filter %s and base %s", userFilter, ls.UserBase)

  94. 	search := ldap.NewSearchRequest(

  95. 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,

  96. 		false, userFilter, []string{}, nil)

  97. 

  98. 	// Ensure we found a user

  99. 	sr, err := l.Search(search)

  100. 	if err != nil || len(sr.Entries) < 1 {

  101. 		log.Debug("Failed search using filter[%s]: %v", userFilter, err)

  102. 		return "", false

  103. 	} else if len(sr.Entries) > 1 {

  104. 		log.Debug("Filter '%s' returned more than one user.", userFilter)

  105. 		return "", false

  106. 	}

  107. 

  108. 	userDN := sr.Entries[0].DN

  109. 	if userDN == "" {

  110. 		log.Error("LDAP search was successful, but found no DN!")

  111. 		return "", false

  112. 	}

  113. 

  114. 	return userDN, true

  115. }

  116. 

  117. func dial(ls *Source) (*ldap.Conn, error) {

  118. 	log.Trace("Dialing LDAP with security protocol (%v) without verifying: %v", ls.SecurityProtocol, ls.SkipVerify)

  119. 

  120. 	tlsCfg := &tls.Config{

  121. 		ServerName:         ls.Host,

  122. 		InsecureSkipVerify: ls.SkipVerify,

  123. 	}

  124. 	if ls.SecurityProtocol == SecurityProtocolLDAPS {

  125. 		return ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port), tlsCfg)

  126. 	}

  127. 

  128. 	conn, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ls.Host, ls.Port))

  129. 	if err != nil {

  130. 		return nil, fmt.Errorf("Dial: %v", err)

  131. 	}

  132. 

  133. 	if ls.SecurityProtocol == SecurityProtocolStartTLS {

  134. 		if err = conn.StartTLS(tlsCfg); err != nil {

  135. 			conn.Close()

  136. 			return nil, fmt.Errorf("StartTLS: %v", err)

  137. 		}

  138. 	}

  139. 

  140. 	return conn, nil

  141. }

  142. 

  143. func bindUser(l *ldap.Conn, userDN, passwd string) error {

  144. 	log.Trace("Binding with userDN: %s", userDN)

  145. 	err := l.Bind(userDN, passwd)

  146. 	if err != nil {

  147. 		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)

  148. 		return err

  149. 	}

  150. 	log.Trace("Bound successfully with userDN: %s", userDN)

  151. 	return err

  152. }

  153. 

  154. func checkAdmin(l *ldap.Conn, ls *Source, userDN string) bool {

  155. 	if len(ls.AdminFilter) > 0 {

  156. 		log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)

  157. 		search := ldap.NewSearchRequest(

  158. 			userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,

  159. 			[]string{ls.AttributeName},

  160. 			nil)

  161. 

  162. 		sr, err := l.Search(search)

  163. 

  164. 		if err != nil {

  165. 			log.Error("LDAP Admin Search failed unexpectedly! (%v)", err)

  166. 		} else if len(sr.Entries) < 1 {

  167. 			log.Trace("LDAP Admin Search found no matching entries.")

  168. 		} else {

  169. 			return true

  170. 		}

  171. 	}

  172. 	return false

  173. }

  174. 

  175. // SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter

  176. func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResult {

  177. 	// See https://tools.ietf.org/search/rfc4513#section-5.1.2

  178. 	if len(passwd) == 0 {

  179. 		log.Debug("Auth. failed for %s, password cannot be empty", name)

  180. 		return nil

  181. 	}

  182. 	l, err := dial(ls)

  183. 	if err != nil {

  184. 		log.Error("LDAP Connect error, %s:%v", ls.Host, err)

  185. 		ls.Enabled = false

  186. 		return nil

  187. 	}

  188. 	defer l.Close()

  189. 

  190. 	var userDN string

  191. 	if directBind {

  192. 		log.Trace("LDAP will bind directly via UserDN template: %s", ls.UserDN)

  193. 

  194. 		var ok bool

  195. 		userDN, ok = ls.sanitizedUserDN(name)

  196. 

  197. 		if !ok {

  198. 			return nil

  199. 		}

  200. 

  201. 		err = bindUser(l, userDN, passwd)

  202. 		if err != nil {

  203. 			return nil

  204. 		}

  205. 

  206. 		if ls.UserBase != "" {

  207. 			// not everyone has a CN compatible with input name so we need to find

  208. 			// the real userDN in that case

  209. 

  210. 			userDN, ok = ls.findUserDN(l, name)

  211. 			if !ok {

  212. 				return nil

  213. 			}

  214. 		}

  215. 	} else {

  216. 		log.Trace("LDAP will use BindDN.")

  217. 

  218. 		var found bool

  219. 

  220. 		if ls.BindDN != "" && ls.BindPassword != "" {

  221. 			err := l.Bind(ls.BindDN, ls.BindPassword)

  222. 			if err != nil {

  223. 				log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)

  224. 				return nil

  225. 			}

  226. 			log.Trace("Bound as BindDN %s", ls.BindDN)

  227. 		} else {

  228. 			log.Trace("Proceeding with anonymous LDAP search.")

  229. 		}

  230. 

  231. 		userDN, found = ls.findUserDN(l, name)

  232. 		if !found {

  233. 			return nil

  234. 		}

  235. 	}

  236. 

  237. 	if !ls.AttributesInBind {

  238. 		// binds user (checking password) before looking-up attributes in user context

  239. 		err = bindUser(l, userDN, passwd)

  240. 		if err != nil {

  241. 			return nil

  242. 		}

  243. 	}

  244. 

  245. 	userFilter, ok := ls.sanitizedUserQuery(name)

  246. 	if !ok {

  247. 		return nil

  248. 	}

  249. 

  250. 	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0

  251. 

  252. 	attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail}

  253. 	if isAttributeSSHPublicKeySet {

  254. 		attribs = append(attribs, ls.AttributeSSHPublicKey)

  255. 	}

  256. 

  257. 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, userFilter, userDN)

  258. 	search := ldap.NewSearchRequest(

  259. 		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,

  260. 		attribs, nil)

  261. 

  262. 	sr, err := l.Search(search)

  263. 	if err != nil {

  264. 		log.Error("LDAP Search failed unexpectedly! (%v)", err)

  265. 		return nil

  266. 	} else if len(sr.Entries) < 1 {

  267. 		if directBind {

  268. 			log.Trace("User filter inhibited user login.")

  269. 		} else {

  270. 			log.Trace("LDAP Search found no matching entries.")

  271. 		}

  272. 

  273. 		return nil

  274. 	}

  275. 

  276. 	var sshPublicKey []string

  277. 

  278. 	username := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)

  279. 	firstname := sr.Entries[0].GetAttributeValue(ls.AttributeName)

  280. 	surname := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)

  281. 	mail := sr.Entries[0].GetAttributeValue(ls.AttributeMail)

  282. 	if isAttributeSSHPublicKeySet {

  283. 		sshPublicKey = sr.Entries[0].GetAttributeValues(ls.AttributeSSHPublicKey)

  284. 	}

  285. 	isAdmin := checkAdmin(l, ls, userDN)

  286. 

  287. 	if !directBind && ls.AttributesInBind {

  288. 		// binds user (checking password) after looking-up attributes in BindDN context

  289. 		err = bindUser(l, userDN, passwd)

  290. 		if err != nil {

  291. 			return nil

  292. 		}

  293. 	}

  294. 

  295. 	return &SearchResult{

  296. 		Username:     username,

  297. 		Name:         firstname,

  298. 		Surname:      surname,

  299. 		Mail:         mail,

  300. 		SSHPublicKey: sshPublicKey,

  301. 		IsAdmin:      isAdmin,

  302. 	}

  303. }

  304. 

  305. // UsePagedSearch returns if need to use paged search

  306. func (ls *Source) UsePagedSearch() bool {

  307. 	return ls.SearchPageSize > 0

  308. }

  309. 

  310. // SearchEntries : search an LDAP source for all users matching userFilter

  311. func (ls *Source) SearchEntries() ([]*SearchResult, error) {

  312. 	l, err := dial(ls)

  313. 	if err != nil {

  314. 		log.Error("LDAP Connect error, %s:%v", ls.Host, err)

  315. 		ls.Enabled = false

  316. 		return nil, err

  317. 	}

  318. 	defer l.Close()

  319. 

  320. 	if ls.BindDN != "" && ls.BindPassword != "" {

  321. 		err := l.Bind(ls.BindDN, ls.BindPassword)

  322. 		if err != nil {

  323. 			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)

  324. 			return nil, err

  325. 		}

  326. 		log.Trace("Bound as BindDN %s", ls.BindDN)

  327. 	} else {

  328. 		log.Trace("Proceeding with anonymous LDAP search.")

  329. 	}

  330. 

  331. 	userFilter := fmt.Sprintf(ls.Filter, "*")

  332. 

  333. 	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0

  334. 

  335. 	attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail}

  336. 	if isAttributeSSHPublicKeySet {

  337. 		attribs = append(attribs, ls.AttributeSSHPublicKey)

  338. 	}

  339. 

  340. 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, userFilter, ls.UserBase)

  341. 	search := ldap.NewSearchRequest(

  342. 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,

  343. 		attribs, nil)

  344. 

  345. 	var sr *ldap.SearchResult

  346. 	if ls.UsePagedSearch() {

  347. 		sr, err = l.SearchWithPaging(search, ls.SearchPageSize)

  348. 	} else {

  349. 		sr, err = l.Search(search)

  350. 	}

  351. 	if err != nil {

  352. 		log.Error("LDAP Search failed unexpectedly! (%v)", err)

  353. 		return nil, err

  354. 	}

  355. 

  356. 	result := make([]*SearchResult, len(sr.Entries))

  357. 

  358. 	for i, v := range sr.Entries {

  359. 		result[i] = &SearchResult{

  360. 			Username: v.GetAttributeValue(ls.AttributeUsername),

  361. 			Name:     v.GetAttributeValue(ls.AttributeName),

  362. 			Surname:  v.GetAttributeValue(ls.AttributeSurname),

  363. 			Mail:     v.GetAttributeValue(ls.AttributeMail),

  364. 			IsAdmin:  checkAdmin(l, ls, v.DN),

  365. 		}

  366. 		if isAttributeSSHPublicKeySet {

  367. 			result[i].SSHPublicKey = v.GetAttributeValues(ls.AttributeSSHPublicKey)

  368. 		}

  369. 	}

  370. 

  371. 	return result, nil

  372. }
上海开阖软件有限公司 沪ICP备12045867号-1