use LDAP filter strings

2025-08-25 14:31:14 +00:00 · 2021-05-10 10:31:56 +02:00
parent 3ecb0925d6
commit 27de6e8b8c
8 changed files with 157 additions and 225 deletions
--- a/internal/server/configuration.go
+++ b/internal/server/configuration.go
@@ -97,15 +97,14 @@ func NewConfig() *Config {
 	cfg.LDAP.StartTLS = true
 	cfg.LDAP.BindUser = "company\\\\ldap_wireguard"
 	cfg.LDAP.BindPass = "SuperSecret"
-	cfg.LDAP.Type = "AD"
-	cfg.LDAP.UserClass = "organizationalPerson"
 	cfg.LDAP.EmailAttribute = "mail"
 	cfg.LDAP.FirstNameAttribute = "givenName"
 	cfg.LDAP.LastNameAttribute = "sn"
 	cfg.LDAP.PhoneAttribute = "telephoneNumber"
 	cfg.LDAP.GroupMemberAttribute = "memberOf"
-	cfg.LDAP.DisabledAttribute = "userAccountControl"
 	cfg.LDAP.AdminLdapGroup = "CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL"
+	cfg.LDAP.LoginFilter = "(&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))"
+	cfg.LDAP.SyncFilter = "(&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

 	cfg.WG.DeviceNames = []string{"wg0"}
 	cfg.WG.DefaultDeviceName = "wg0"
--- a/internal/server/handlers_auth.go
+++ b/internal/server/handlers_auth.go
@@ -4,6 +4,8 @@ import (
 	"net/http"
 	"strings"

+	"github.com/pkg/errors"
+
 	"github.com/gin-gonic/gin"
 	"github.com/h44z/wg-portal/internal/authentication"
 	"github.com/h44z/wg-portal/internal/users"
@@ -53,65 +55,15 @@ func (s *Server) PostLogin(c *gin.Context) {
 		return
 	}

-	// Check user database for an matching entry
-	var loginProvider authentication.AuthProvider
-	email := ""
-	user := s.users.GetUser(username) // retrieve active candidate user from db
-	if user != nil {                  // existing user
-		loginProvider = s.auth.GetProvider(string(user.Source))
-		if loginProvider == nil {
-			s.GetHandleError(c, http.StatusInternalServerError, "login error", "login provider unavailable")
-			return
-		}
-		authEmail, err := loginProvider.Login(&authentication.AuthContext{
-			Username: username,
-			Password: password,
-		})
-		if err == nil {
-			email = authEmail
-		}
-	} else { // possible new user
-		// Check all available auth backends
-		for _, provider := range s.auth.GetProvidersForType(authentication.AuthProviderTypePassword) {
-			// try to log in to the given provider
-			authEmail, err := provider.Login(&authentication.AuthContext{
-				Username: username,
-				Password: password,
-			})
-			if err != nil {
-				continue
-			}
-
-			email = authEmail
-			loginProvider = provider
-
-			// create new user in the database (or reactivate him)
-			userData, err := loginProvider.GetUserModel(&authentication.AuthContext{
-				Username: email,
-			})
-			if err != nil {
-				s.GetHandleError(c, http.StatusInternalServerError, "login error", err.Error())
-				return
-			}
-			if err := s.CreateUser(users.User{
-				Email:     userData.Email,
-				Source:    users.UserSource(loginProvider.GetName()),
-				IsAdmin:   userData.IsAdmin,
-				Firstname: userData.Firstname,
-				Lastname:  userData.Lastname,
-				Phone:     userData.Phone,
-			}, s.wg.Cfg.GetDefaultDeviceName()); err != nil {
-				s.GetHandleError(c, http.StatusInternalServerError, "login error", "failed to update user data")
-				return
-			}
-
-			user = s.users.GetUser(username)
-			break
-		}
+	// Check all available auth backends
+	user, err := s.checkAuthentication(username, password)
+	if err != nil {
+		s.GetHandleError(c, http.StatusInternalServerError, "login error", err.Error())
+		return
 	}

 	// Check if user is authenticated
-	if email == "" || loginProvider == nil || user == nil {
+	if user == nil {
 		c.Redirect(http.StatusSeeOther, "/auth/login?err=authfail")
 		return
 	}
@@ -152,3 +104,48 @@ func (s *Server) GetLogout(c *gin.Context) {
 	}
 	c.Redirect(http.StatusSeeOther, "/")
 }
+
+func (s *Server) checkAuthentication(username, password string) (*users.User, error) {
+	var user *users.User
+
+	// Check all available auth backends
+	for _, provider := range s.auth.GetProvidersForType(authentication.AuthProviderTypePassword) {
+		// try to log in to the given provider
+		authEmail, err := provider.Login(&authentication.AuthContext{
+			Username: username,
+			Password: password,
+		})
+		if err != nil {
+			continue
+		}
+
+		// Login succeeded
+		user = s.users.GetUser(authEmail)
+		if user != nil {
+			break // user exists, nothing more to do...
+		}
+
+		// create new user in the database (or reactivate him)
+		userData, err := provider.GetUserModel(&authentication.AuthContext{
+			Username: username,
+		})
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get user model")
+		}
+		if err := s.CreateUser(users.User{
+			Email:     userData.Email,
+			Source:    users.UserSource(provider.GetName()),
+			IsAdmin:   userData.IsAdmin,
+			Firstname: userData.Firstname,
+			Lastname:  userData.Lastname,
+			Phone:     userData.Phone,
+		}, s.wg.Cfg.GetDefaultDeviceName()); err != nil {
+			return nil, errors.Wrap(err, "failed to update user data")
+		}
+
+		user = s.users.GetUser(authEmail)
+		break
+	}
+
+	return user, nil
+}
--- a/internal/server/ldapsync.go
+++ b/internal/server/ldapsync.go
@@ -32,86 +32,16 @@ func (s *Server) SyncLdapWithUserDatabase() {
 			continue
 		}

-		for i := range ldapUsers {
-			// prefilter
-			if ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute] == "" ||
-				ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute] == "" ||
-				ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute] == "" {
-				continue
-			}
+		// Update existing LDAP users
+		s.updateLdapUsers(ldapUsers)

-			user, err := s.users.GetOrCreateUserUnscoped(ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute])
-			if err != nil {
-				logrus.Errorf("failed to get/create user %s in database: %v", ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute], err)
-			}
-
-			// check if user should be deactivated
-			ldapDeactivated := false
-			switch s.config.LDAP.Type {
-			case ldap.TypeActiveDirectory:
-				ldapDeactivated = ldap.IsActiveDirectoryUserDisabled(ldapUsers[i].Attributes[s.config.LDAP.DisabledAttribute])
-			case ldap.TypeOpenLDAP:
-				ldapDeactivated = ldap.IsOpenLdapUserDisabled(ldapUsers[i].Attributes[s.config.LDAP.DisabledAttribute])
-			}
-
-			// check if user has been disabled in ldap, update peers accordingly
-			if ldapDeactivated != user.DeletedAt.Valid {
-				if ldapDeactivated {
-					// disable all peers for the given user
-					for _, peer := range s.peers.GetPeersByMail(user.Email) {
-						now := time.Now()
-						peer.DeactivatedAt = &now
-						if err = s.UpdatePeer(peer, now); err != nil {
-							logrus.Errorf("failed to update deactivated peer %s: %v", peer.PublicKey, err)
-						}
-					}
-				} else {
-					// enable all peers for the given user
-					for _, peer := range s.peers.GetPeersByMail(user.Email) {
-						now := time.Now()
-						peer.DeactivatedAt = nil
-						if err = s.UpdatePeer(peer, now); err != nil {
-							logrus.Errorf("failed to update activated peer %s: %v", peer.PublicKey, err)
-						}
-					}
-				}
-			}
-
-			// Sync attributes from ldap
-			if s.UserChangedInLdap(user, &ldapUsers[i]) {
-				user.Firstname = ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute]
-				user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
-				user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
-				user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute]
-				user.IsAdmin = false
-				user.Source = users.UserSourceLdap
-				user.DeletedAt = gorm.DeletedAt{} // Not deleted
-
-				for _, group := range ldapUsers[i].RawAttributes[s.config.LDAP.GroupMemberAttribute] {
-					if string(group) == s.config.LDAP.AdminLdapGroup {
-						user.IsAdmin = true
-						break
-					}
-				}
-
-				if err = s.users.UpdateUser(user); err != nil {
-					logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
-					continue
-				}
-
-				if ldapDeactivated {
-					if err = s.users.DeleteUser(user); err != nil {
-						logrus.Errorf("failed to delete deactivated user %s in database: %v", user.Email, err)
-						continue
-					}
-				}
-			}
-		}
+		// Disable missing LDAP users
+		s.disableMissingLdapUsers(ldapUsers)
 	}
 	logrus.Info("ldap user synchronization stopped")
 }

-func (s Server) UserChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool {
+func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool {
 	if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] {
 		return true
 	}
@@ -125,14 +55,7 @@ func (s Server) UserChangedInLdap(user *users.User, ldapData *ldap.RawLdapData)
 		return true
 	}

-	ldapDeactivated := false
-	switch s.config.LDAP.Type {
-	case ldap.TypeActiveDirectory:
-		ldapDeactivated = ldap.IsActiveDirectoryUserDisabled(ldapData.Attributes[s.config.LDAP.DisabledAttribute])
-	case ldap.TypeOpenLDAP:
-		ldapDeactivated = ldap.IsOpenLdapUserDisabled(ldapData.Attributes[s.config.LDAP.DisabledAttribute])
-	}
-	if ldapDeactivated != user.DeletedAt.Valid {
+	if user.DeletedAt.Valid {
 		return true
 	}

@@ -149,3 +72,82 @@ func (s Server) UserChangedInLdap(user *users.User, ldapData *ldap.RawLdapData)

 	return false
 }
+
+func (s *Server) disableMissingLdapUsers(ldapUsers []ldap.RawLdapData) {
+	// Disable missing LDAP users
+	activeUsers := s.users.GetUsers()
+	for i := range activeUsers {
+		if activeUsers[i].Source != users.UserSourceLdap {
+			continue
+		}
+
+		existsInLDAP := false
+		for j := range ldapUsers {
+			if activeUsers[i].Email == ldapUsers[j].Attributes[s.config.LDAP.EmailAttribute] {
+				existsInLDAP = true
+				break
+			}
+		}
+
+		if existsInLDAP {
+			continue
+		}
+
+		// disable all peers for the given user
+		for _, peer := range s.peers.GetPeersByMail(activeUsers[i].Email) {
+			now := time.Now()
+			peer.DeactivatedAt = &now
+			if err := s.UpdatePeer(peer, now); err != nil {
+				logrus.Errorf("failed to update deactivated peer %s: %v", peer.PublicKey, err)
+			}
+		}
+
+		if err := s.users.DeleteUser(&activeUsers[i]); err != nil {
+			logrus.Errorf("failed to delete deactivated user %s in database: %v", activeUsers[i].Email, err)
+		}
+	}
+}
+
+func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData) {
+	for i := range ldapUsers {
+		user, err := s.users.GetOrCreateUserUnscoped(ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute])
+		if err != nil {
+			logrus.Errorf("failed to get/create user %s in database: %v", ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute], err)
+		}
+
+		// re-enable LDAP user if the user was disabled
+		if user.DeletedAt.Valid {
+			// enable all peers for the given user
+			for _, peer := range s.peers.GetPeersByMail(user.Email) {
+				now := time.Now()
+				peer.DeactivatedAt = nil
+				if err = s.UpdatePeer(peer, now); err != nil {
+					logrus.Errorf("failed to update activated peer %s: %v", peer.PublicKey, err)
+				}
+			}
+		}
+
+		// Sync attributes from ldap
+		if s.userChangedInLdap(user, &ldapUsers[i]) {
+			user.Firstname = ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute]
+			user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
+			user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
+			user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute]
+			user.IsAdmin = false
+			user.Source = users.UserSourceLdap
+			user.DeletedAt = gorm.DeletedAt{} // Not deleted
+
+			for _, group := range ldapUsers[i].RawAttributes[s.config.LDAP.GroupMemberAttribute] {
+				if string(group) == s.config.LDAP.AdminLdapGroup {
+					user.IsAdmin = true
+					break
+				}
+			}
+
+			if err = s.users.UpdateUser(user); err != nil {
+				logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
+				continue
+			}
+		}
+	}
+}
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -6,7 +6,6 @@ import (

 	"github.com/gin-gonic/gin"
 	wgportal "github.com/h44z/wg-portal"
-	"github.com/h44z/wg-portal/internal/authentication"
 	_ "github.com/h44z/wg-portal/internal/server/docs" // docs is generated by Swag CLI, you have to import it.
 	ginSwagger "github.com/swaggo/gin-swagger"
 	"github.com/swaggo/gin-swagger/swaggerFiles"
@@ -162,28 +161,16 @@ func (s *Server) RequireApiAuthentication(scope string) gin.HandlerFunc {
 			return
 		}

-		// Check user database for an matching entry
-		var loginProvider authentication.AuthProvider
-		user := s.users.GetUser(username) // retrieve active candidate user from db
-		if user == nil || user.Email == "" {
+		// Check all available auth backends
+		user, err := s.checkAuthentication(username, password)
+		if err != nil {
 			c.Abort()
-			c.JSON(http.StatusUnauthorized, ApiError{Message: "unauthorized"})
+			c.JSON(http.StatusInternalServerError, ApiError{Message: "login error"})
 			return
 		}

-		loginProvider = s.auth.GetProvider(string(user.Source))
-		if loginProvider == nil {
-			c.Abort()
-			c.JSON(http.StatusUnauthorized, ApiError{Message: "unauthorized"})
-			return
-		}
-		authEmail, err := loginProvider.Login(&authentication.AuthContext{
-			Username: username,
-			Password: password,
-		})
-
-		// Test if authentication succeeded
-		if err != nil || authEmail == "" {
+		// Check if user is authenticated
+		if user == nil {
 			c.Abort()
 			c.JSON(http.StatusUnauthorized, ApiError{Message: "unauthorized"})
 			return