Mirrors/wg-portal
1
0
Fork 0
mirror of https://github.com/h44z/wg-portal.git synced 2025-09-13 14:31:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add nested group admin state resolution

Browse Source
This commit is contained in:
Fabian Schultis
2022-12-06 02:59:29 +01:00
parent fda3e7b2be
commit 6f463ac9a5
4 changed files with 59 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
internal/server/configuration.go
View File

@@ -114,6 +114,7 @@ func NewConfig() *Config {
cfg.LDAP.AdminLdapGroup = "CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL"
cfg.LDAP.LoginFilter = "(&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))"
cfg.LDAP.SyncFilter = "(&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))"
cfg.LDAP.SyncGroupFilter = "(&(objectCategory=group))"
cfg.WG.DeviceNames = []string{"wg0"}
cfg.WG.DefaultDeviceName = "wg0"

49
internal/server/ldapsync.go
View File

@@ -16,8 +16,25 @@ import (
func (s *Server) SyncLdapWithUserDatabase() {
logrus.Info("starting ldap user synchronization...")
running := true
for running {
// Main work here
logrus.Trace("syncing ldap users to database...")
ldapUsers, err := ldap.FindAllObjects(&s.config.LDAP, ldap.Users)
ldapGroups, errGroups := ldap.FindAllObjects(&s.config.LDAP, ldap.Groups)
if err != nil && errGroups != nil {
logrus.Errorf("failed to fetch users from ldap: %v", err)
continue
}
logrus.Tracef("found %d users in ldap", len(ldapUsers))
// Update existing LDAP users
s.updateLdapUsers(ldapUsers, ldapGroups)
// Disable missing LDAP users
s.disableMissingLdapUsers(ldapUsers)
// Select blocks until one of the cases happens
select {
case <-time.After(1 * time.Minute):
@@ -27,26 +44,11 @@ func (s *Server) SyncLdapWithUserDatabase() {
running = false
continue
}
// Main work here
logrus.Trace("syncing ldap users to database...")
ldapUsers, err := ldap.FindAllUsers(&s.config.LDAP)
if err != nil {
logrus.Errorf("failed to fetch users from ldap: %v", err)
continue
}
logrus.Tracef("found %d users in ldap", len(ldapUsers))
// Update existing LDAP users
s.updateLdapUsers(ldapUsers)
// Disable missing LDAP users
s.disableMissingLdapUsers(ldapUsers)
}
logrus.Info("ldap user synchronization stopped")
}
func (s Server) userIsInAdminGroup(ldapData *ldap.RawLdapData) bool {
func (s Server) userIsInAdminGroup(ldapData *ldap.RawLdapData, ldapGroupData []ldap.RawLdapData) bool {
if s.config.LDAP.EveryoneAdmin {
return true
}
@@ -58,11 +60,16 @@ func (s Server) userIsInAdminGroup(ldapData *ldap.RawLdapData) bool {
if s.config.LDAP.AdminLdapGroup_.Equal(dn) {
return true
}
for _, group2 := range ldapGroupData {
if group2.DN == string(group) {
return s.userIsInAdminGroup(&group2, ldapGroupData)
}
}
}
return false
}
func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool {
func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData, ldapGroupData []ldap.RawLdapData) bool {
if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] {
return true
}
@@ -83,7 +90,7 @@ func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData)
return true
}
if user.IsAdmin != s.userIsInAdminGroup(ldapData) {
if user.IsAdmin != s.userIsInAdminGroup(ldapData, ldapGroupData) {
return true
}
@@ -126,7 +133,7 @@ func (s *Server) disableMissingLdapUsers(ldapUsers []ldap.RawLdapData) {
}
}
func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData) {
func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData, ldapGroups []ldap.RawLdapData) {
for i := range ldapUsers {
if ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute] == "" {
logrus.Tracef("skipping sync of %s, empty email attribute", ldapUsers[i].DN)
@@ -152,13 +159,13 @@ func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData) {
}
// Sync attributes from ldap
if s.userChangedInLdap(user, &ldapUsers[i]) {
if s.userChangedInLdap(user, &ldapUsers[i], ldapGroups) {
logrus.Debugf("updating ldap user %s", user.Email)
user.Firstname = ldapUsers[i].Attributes[s.config.LDAP.FirstNameAttribute]
user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute]
user.IsAdmin = s.userIsInAdminGroup(&ldapUsers[i])
user.IsAdmin = s.userIsInAdminGroup(&ldapUsers[i], ldapGroups)
user.Source = users.UserSourceLdap
user.DeletedAt = gorm.DeletedAt{} // Not deleted