portainer/api/ldap/ldap.go

package ldap

import (
	"fmt"
	"strings"

	"github.com/portainer/portainer/api"
	"github.com/portainer/portainer/api/crypto"

	"gopkg.in/ldap.v2"
)

const (
	// ErrUserNotFound defines an error raised when the user is not found via LDAP search
	// or that too many entries (> 1) are returned.
	ErrUserNotFound = portainer.Error("User not found or too many entries returned")
)

// Service represents a service used to authenticate users against a LDAP/AD.
type Service struct{}

func searchUser(username string, conn *ldap.Conn, settings []portainer.LDAPSearchSettings) (string, error) {
	var userDN string
	found := false
	usernameEscaped := ldap.EscapeFilter(username)

	for _, searchSettings := range settings {
		searchRequest := ldap.NewSearchRequest(
			searchSettings.BaseDN,
			ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
			fmt.Sprintf("(&%s(%s=%s))", searchSettings.Filter, searchSettings.UserNameAttribute, usernameEscaped),
			[]string{"dn"},
			nil,
		)

		// Deliberately skip errors on the search request so that we can jump to other search settings
		// if any issue arise with the current one.
		sr, err := conn.Search(searchRequest)
		if err != nil {
			continue
		}

		if len(sr.Entries) == 1 {
			found = true
			userDN = sr.Entries[0].DN
			break
		}
	}

	if !found {
		return "", ErrUserNotFound
	}

	return userDN, nil
}

func createConnection(settings *portainer.LDAPSettings) (*ldap.Conn, error) {

	if settings.TLSConfig.TLS || settings.StartTLS {
		config, err := crypto.CreateTLSConfigurationFromDisk(settings.TLSConfig.TLSCACertPath, settings.TLSConfig.TLSCertPath, settings.TLSConfig.TLSKeyPath, settings.TLSConfig.TLSSkipVerify)
		if err != nil {
			return nil, err
		}
		config.ServerName = strings.Split(settings.URL, ":")[0]

		if settings.TLSConfig.TLS {
			return ldap.DialTLS("tcp", settings.URL, config)
		}

		conn, err := ldap.Dial("tcp", settings.URL)
		if err != nil {
			return nil, err
		}

		err = conn.StartTLS(config)
		if err != nil {
			return nil, err
		}

		return conn, nil
	}

	return ldap.Dial("tcp", settings.URL)
}

// AuthenticateUser is used to authenticate a user against a LDAP/AD.
func (*Service) AuthenticateUser(username, password string, settings *portainer.LDAPSettings) error {

	connection, err := createConnection(settings)
	if err != nil {
		return err
	}
	defer connection.Close()

	err = connection.Bind(settings.ReaderDN, settings.Password)
	if err != nil {
		return err
	}

	userDN, err := searchUser(username, connection, settings.SearchSettings)
	if err != nil {
		return err
	}

	err = connection.Bind(userDN, password)
	if err != nil {
		return portainer.ErrUnauthorized
	}

	return nil
}

// GetUserGroups is used to retrieve user groups from LDAP/AD.
func (*Service) GetUserGroups(username string, settings *portainer.LDAPSettings) ([]string, error) {
	connection, err := createConnection(settings)
	if err != nil {
		return nil, err
	}
	defer connection.Close()

	err = connection.Bind(settings.ReaderDN, settings.Password)
	if err != nil {
		return nil, err
	}

	userDN, err := searchUser(username, connection, settings.SearchSettings)
	if err != nil {
		return nil, err
	}

	userGroups := getGroups(userDN, connection, settings.GroupSearchSettings)

	return userGroups, nil
}

// Get a list of group names for specified user from LDAP/AD
func getGroups(userDN string, conn *ldap.Conn, settings []portainer.LDAPGroupSearchSettings) []string {
	groups := make([]string, 0)
	userDNEscaped := ldap.EscapeFilter(userDN)

	for _, searchSettings := range settings {
		searchRequest := ldap.NewSearchRequest(
			searchSettings.GroupBaseDN,
			ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
			fmt.Sprintf("(&%s(%s=%s))", searchSettings.GroupFilter, searchSettings.GroupAttribute, userDNEscaped),
			[]string{"cn"},
			nil,
		)

		// Deliberately skip errors on the search request so that we can jump to other search settings
		// if any issue arise with the current one.
		sr, err := conn.Search(searchRequest)
		if err != nil {
			continue
		}

		for _, entry := range sr.Entries {
			for _, attr := range entry.Attributes {
				groups = append(groups, attr.Values[0])
			}
		}
	}

	return groups
}

// TestConnectivity is used to test a connection against the LDAP server using the credentials
// specified in the LDAPSettings.
func (*Service) TestConnectivity(settings *portainer.LDAPSettings) error {

	connection, err := createConnection(settings)
	if err != nil {
		return err
	}
	defer connection.Close()

	err = connection.Bind(settings.ReaderDN, settings.Password)
	if err != nil {
		return err
	}
	return nil
}
feat(authentication): add LDAP authentication support (#1093) 7 years ago			`package ldap`

			`import (`
			`"fmt"`
			`"strings"`

refactor(api): refactor base import path (#2788) * refactor(api): refactor base import path * fix(build-system): update build_binary_devops * fix(build-system): fix build_binary_devops for linux * fix(build-system): fix build_binary_devops for Windows 6 years ago			`"github.com/portainer/portainer/api"`
			`"github.com/portainer/portainer/api/crypto"`
feat(authentication): add LDAP authentication support (#1093) 7 years ago
			`"gopkg.in/ldap.v2"`
			`)`

			`const (`
			`// ErrUserNotFound defines an error raised when the user is not found via LDAP search`
			`// or that too many entries (> 1) are returned.`
			`ErrUserNotFound = portainer.Error("User not found or too many entries returned")`
			`)`

			`// Service represents a service used to authenticate users against a LDAP/AD.`
			`type Service struct{}`

			`func searchUser(username string, conn *ldap.Conn, settings []portainer.LDAPSearchSettings) (string, error) {`
			`var userDN string`
			`found := false`
fix(authentication): escape LDAP filters (#2209) 6 years ago			`usernameEscaped := ldap.EscapeFilter(username)`

feat(authentication): add LDAP authentication support (#1093) 7 years ago			`for _, searchSettings := range settings {`
			`searchRequest := ldap.NewSearchRequest(`
			`searchSettings.BaseDN,`
			`ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,`
fix(authentication): escape LDAP filters (#2209) 6 years ago			`fmt.Sprintf("(&%s(%s=%s))", searchSettings.Filter, searchSettings.UserNameAttribute, usernameEscaped),`
feat(authentication): add LDAP authentication support (#1093) 7 years ago			`[]string{"dn"},`
			`nil,`
			`)`

			`// Deliberately skip errors on the search request so that we can jump to other search settings`
			`// if any issue arise with the current one.`
fix(ldap): prevent panic if search error arise (#1216) 7 years ago			`sr, err := conn.Search(searchRequest)`
			`if err != nil {`
			`continue`
			`}`
feat(authentication): add LDAP authentication support (#1093) 7 years ago
			`if len(sr.Entries) == 1 {`
			`found = true`
			`userDN = sr.Entries[0].DN`
			`break`
			`}`
			`}`

			`if !found {`
			`return "", ErrUserNotFound`
			`}`

			`return userDN, nil`
			`}`

			`func createConnection(settings portainer.LDAPSettings) (ldap.Conn, error) {`

			`if settings.TLSConfig.TLS \|\| settings.StartTLS {`
fix(api): refactor TLS support (#1909) * refactor(api): refactor TLS support * feat(api): migrate endpoint data * refactor(api): remove unused code and rename functions * refactor(app): remove console.log statement 7 years ago			`config, err := crypto.CreateTLSConfigurationFromDisk(settings.TLSConfig.TLSCACertPath, settings.TLSConfig.TLSCertPath, settings.TLSConfig.TLSKeyPath, settings.TLSConfig.TLSSkipVerify)`
feat(authentication): add LDAP authentication support (#1093) 7 years ago			`if err != nil {`
			`return nil, err`
			`}`
			`config.ServerName = strings.Split(settings.URL, ":")[0]`

			`if settings.TLSConfig.TLS {`
			`return ldap.DialTLS("tcp", settings.URL, config)`
			`}`

			`conn, err := ldap.Dial("tcp", settings.URL)`
			`if err != nil {`
			`return nil, err`
			`}`

			`err = conn.StartTLS(config)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return conn, nil`
			`}`

			`return ldap.Dial("tcp", settings.URL)`
			`}`

			`// AuthenticateUser is used to authenticate a user against a LDAP/AD.`
			`func (Service) AuthenticateUser(username, password string, settings portainer.LDAPSettings) error {`

			`connection, err := createConnection(settings)`
			`if err != nil {`
			`return err`
			`}`
			`defer connection.Close()`

			`err = connection.Bind(settings.ReaderDN, settings.Password)`
			`if err != nil {`
			`return err`
			`}`

			`userDN, err := searchUser(username, connection, settings.SearchSettings)`
			`if err != nil {`
			`return err`
			`}`

			`err = connection.Bind(userDN, password)`
			`if err != nil {`
feat(authentication/ldap): Auto create and assign LDAP users (#2042) 6 years ago			`return portainer.ErrUnauthorized`
feat(authentication): add LDAP authentication support (#1093) 7 years ago			`}`

			`return nil`
			`}`

feat(authentication/ldap): Auto create and assign LDAP users (#2042) 6 years ago			`// GetUserGroups is used to retrieve user groups from LDAP/AD.`
			`func (Service) GetUserGroups(username string, settings portainer.LDAPSettings) ([]string, error) {`
			`connection, err := createConnection(settings)`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer connection.Close()`

			`err = connection.Bind(settings.ReaderDN, settings.Password)`
			`if err != nil {`
			`return nil, err`
			`}`

			`userDN, err := searchUser(username, connection, settings.SearchSettings)`
			`if err != nil {`
			`return nil, err`
			`}`

			`userGroups := getGroups(userDN, connection, settings.GroupSearchSettings)`

			`return userGroups, nil`
			`}`

			`// Get a list of group names for specified user from LDAP/AD`
			`func getGroups(userDN string, conn *ldap.Conn, settings []portainer.LDAPGroupSearchSettings) []string {`
			`groups := make([]string, 0)`
fix(authentication): escape LDAP filters (#2209) 6 years ago			`userDNEscaped := ldap.EscapeFilter(userDN)`
feat(authentication/ldap): Auto create and assign LDAP users (#2042) 6 years ago
			`for _, searchSettings := range settings {`
			`searchRequest := ldap.NewSearchRequest(`
			`searchSettings.GroupBaseDN,`
			`ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,`
fix(authentication): escape LDAP filters (#2209) 6 years ago			`fmt.Sprintf("(&%s(%s=%s))", searchSettings.GroupFilter, searchSettings.GroupAttribute, userDNEscaped),`
feat(authentication/ldap): Auto create and assign LDAP users (#2042) 6 years ago			`[]string{"cn"},`
			`nil,`
			`)`

			`// Deliberately skip errors on the search request so that we can jump to other search settings`
			`// if any issue arise with the current one.`
			`sr, err := conn.Search(searchRequest)`
			`if err != nil {`
			`continue`
			`}`

			`for _, entry := range sr.Entries {`
			`for _, attr := range entry.Attributes {`
			`groups = append(groups, attr.Values[0])`
			`}`
			`}`
			`}`

			`return groups`
			`}`

feat(authentication): add LDAP authentication support (#1093) 7 years ago			`// TestConnectivity is used to test a connection against the LDAP server using the credentials`
			`// specified in the LDAPSettings.`
			`func (Service) TestConnectivity(settings portainer.LDAPSettings) error {`

			`connection, err := createConnection(settings)`
			`if err != nil {`
			`return err`
			`}`
			`defer connection.Close()`

			`err = connection.Bind(settings.ReaderDN, settings.Password)`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`