Mirrors/wg-portal
1
0
Fork 0
mirror of https://github.com/h44z/wg-portal.git synced 2025-11-03 23:56:18 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

ldap - compare DNs using DN.Equal (#60)

Browse Source 
* ldap - compare DNs using DN.Equal

* ldap/isAdmin- restructure & remove code duplication

Co-authored-by: Markus Koetter <koetter@cispa.de>
This commit is contained in:
commonism
2021-10-14 08:57:03 +02:00
committed by GitHub
parent 04bc0b7a81
commit d7b52eba1c
3 changed files with 29 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
internal/ldap/config.go
View File

@@ -1,5 +1,10 @@
package ldap package ldap
import (
gldap "github.com/go-ldap/ldap/v3"
)
type Type string type Type string
const ( const (
@@ -24,4 +29,5 @@ type Config struct {
LoginFilter string `yaml:"loginFilter" envconfig:"LDAP_LOGIN_FILTER"` // {{login_identifier}} gets replaced with the login email address LoginFilter string `yaml:"loginFilter" envconfig:"LDAP_LOGIN_FILTER"` // {{login_identifier}} gets replaced with the login email address
SyncFilter string `yaml:"syncFilter" envconfig:"LDAP_SYNC_FILTER"` SyncFilter string `yaml:"syncFilter" envconfig:"LDAP_SYNC_FILTER"`
AdminLdapGroup string `yaml:"adminGroup" envconfig:"LDAP_ADMIN_GROUP"` // Members of this group receive admin rights in WG-Portal AdminLdapGroup string `yaml:"adminGroup" envconfig:"LDAP_ADMIN_GROUP"` // Members of this group receive admin rights in WG-Portal
AdminLdapGroup_ *gldap.DN `yaml:"-"`
} }

6
internal/server/configuration.go
View File

@@ -12,6 +12,8 @@ import (
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"gopkg.in/yaml.v3" "gopkg.in/yaml.v3"
gldap "github.com/go-ldap/ldap/v3"
) )
var ErrInvalidSpecification = errors.New("specification must be a struct pointer") var ErrInvalidSpecification = errors.New("specification must be a struct pointer")
@@ -130,6 +132,10 @@ func NewConfig() *Config {
if err != nil { if err != nil {
logrus.Warnf("unable to load environment config: %v", err) logrus.Warnf("unable to load environment config: %v", err)
} }
cfg.LDAP.AdminLdapGroup_, err = gldap.ParseDN(cfg.LDAP.AdminLdapGroup)
if err != nil {
logrus.Warnf("Parsing AdminLDAPGroup failed: %v", err)
}
if cfg.WG.ManageIPAddresses && runtime.GOOS != "linux" { if cfg.WG.ManageIPAddresses && runtime.GOOS != "linux" {
logrus.Warnf("managing IP addresses only works on linux, feature disabled...") logrus.Warnf("managing IP addresses only works on linux, feature disabled...")

33
internal/server/ldapsync.go
View File

@@ -8,6 +8,8 @@ import (
"github.com/h44z/wg-portal/internal/users" "github.com/h44z/wg-portal/internal/users"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"gorm.io/gorm" "gorm.io/gorm"
gldap "github.com/go-ldap/ldap/v3"
) )
func (s *Server) SyncLdapWithUserDatabase() { func (s *Server) SyncLdapWithUserDatabase() {
@@ -42,6 +44,19 @@ func (s *Server) SyncLdapWithUserDatabase() {
logrus.Info("ldap user synchronization stopped") logrus.Info("ldap user synchronization stopped")
} }
func (s Server)userIsInAdminGroup(ldapData *ldap.RawLdapData) bool {
if s.config.LDAP.AdminLdapGroup_ == nil {
return false
}
for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
var dn,_ = gldap.ParseDN(string(group))
if s.config.LDAP.AdminLdapGroup_.Equal(dn) {
return true
}
}
return false
}
func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool { func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData) bool {
if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] { if user.Firstname != ldapData.Attributes[s.config.LDAP.FirstNameAttribute] {
return true return true
@@ -63,14 +78,7 @@ func (s Server) userChangedInLdap(user *users.User, ldapData *ldap.RawLdapData)
return true return true
} }
ldapAdmin := false if user.IsAdmin != s.userIsInAdminGroup(ldapData) {
for _, group := range ldapData.RawAttributes[s.config.LDAP.GroupMemberAttribute] {
if string(group) == s.config.LDAP.AdminLdapGroup {
ldapAdmin = true
break
}
}
if user.IsAdmin != ldapAdmin {
return true return true
} }
@@ -143,17 +151,10 @@ func (s *Server) updateLdapUsers(ldapUsers []ldap.RawLdapData) {
user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute] user.Lastname = ldapUsers[i].Attributes[s.config.LDAP.LastNameAttribute]
user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute] user.Email = ldapUsers[i].Attributes[s.config.LDAP.EmailAttribute]
user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute] user.Phone = ldapUsers[i].Attributes[s.config.LDAP.PhoneAttribute]
user.IsAdmin = false user.IsAdmin = s.userIsInAdminGroup(&ldapUsers[i])
user.Source = users.UserSourceLdap user.Source = users.UserSourceLdap
user.DeletedAt = gorm.DeletedAt{} // Not deleted user.DeletedAt = gorm.DeletedAt{} // Not deleted
for _, group := range ldapUsers[i].RawAttributes[s.config.LDAP.GroupMemberAttribute] {
if string(group) == s.config.LDAP.AdminLdapGroup {
user.IsAdmin = true
break
}
}
if err = s.users.UpdateUser(user); err != nil { if err = s.users.UpdateUser(user); err != nil {
logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err) logrus.Errorf("failed to update ldap user %s in database: %v", user.Email, err)
continue continue