zishuo/golib
1
0
Fork 0
mirror of https://github.com/nabbar/golib.git synced 2025-09-27 04:06:05 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
golib/ldap/ldap.go
Nicolas JUHEL a79e6616fc Package LDAP: fix & optimize ldap group filtering attribute 
Signed-off-by: Nicolas JUHEL <githubatcom@nabbar.com>
2025-07-30 16:26:15 +02:00

744 lines
18 KiB
Go
Raw Permalink Blame History

/*
* MIT License
*
* Copyright (c) 2019 Nicolas JUHEL
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
*/
package ldap
import (
"context"
"crypto/tls"
"fmt"
"net"
"slices"
"strings"
"github.com/go-ldap/ldap/v3"
libcrt "github.com/nabbar/golib/certificates"
libctx "github.com/nabbar/golib/context"
liberr "github.com/nabbar/golib/errors"
liblog "github.com/nabbar/golib/logger"
logent "github.com/nabbar/golib/logger/entry"
loglvl "github.com/nabbar/golib/logger/level"
)
type FuncLogger liblog.FuncLog
// HelperLDAP struct use to manage connection to server and request it.
type HelperLDAP struct {
Attributes []string
conn *ldap.Conn
config *Config
tlsConfig *tls.Config
tlsMode TLSMode
bindDN string
bindPass string
ctx context.Context
log liblog.FuncLog
}
// NewLDAP build a new LDAP helper based on config struct given.
func NewLDAP(ctx context.Context, cnf *Config, attributes []string) (*HelperLDAP, liberr.Error) {
if cnf == nil {
return nil, ErrorParamEmpty.Error(nil)
}
return &HelperLDAP{
Attributes: attributes,
//nolint #staticcheck
tlsConfig: libcrt.GetTLSConfig(cnf.Uri),
tlsMode: _TLSModeInit,
config: cnf.Clone(),
ctx: libctx.IsolateParent(ctx),
}, nil
}
func (lc *HelperLDAP) Clone() *HelperLDAP {
var att = make([]string, 0)
copy(att, lc.Attributes)
return &HelperLDAP{
Attributes: att,
conn: nil,
config: lc.config.Clone(),
tlsConfig: lc.tlsConfig.Clone(),
tlsMode: lc.tlsMode,
bindDN: lc.bindDN,
bindPass: lc.bindPass,
ctx: lc.ctx,
log: lc.log,
}
}
// SetLogger is used to specify the logger to be used for debug messgae
func (lc *HelperLDAP) SetLogger(fct liblog.FuncLog) {
lc.log = fct
}
func (lc *HelperLDAP) getLogDefault() liblog.Logger {
return liblog.New(func() context.Context {
return lc.ctx
})
}
func (lc *HelperLDAP) getLogEntry(lvl loglvl.Level, msg string, args ...interface{}) logent.Entry {
var log liblog.Logger
if lc.log == nil {
log = lc.getLogDefault()
lc.log = func() liblog.Logger {
return log
}
}
if l := lc.log(); l != nil {
log = l
}
if log == nil {
return logent.New(lvl)
}
return log.Entry(lvl, msg, args...).FieldAdd("ldap.host", lc.config.ServerAddr(lc.tlsMode == TLSModeTLS)).FieldAdd("ldap.tlsMode", lc.tlsMode.String())
}
func (lc *HelperLDAP) getLogEntryErr(lvlKO loglvl.Level, err error, msg string, args ...interface{}) logent.Entry {
var log liblog.Logger
if lc.log == nil {
log = lc.getLogDefault()
lc.log = func() liblog.Logger {
return log
}
}
if l := lc.log(); l != nil {
log = l
}
if log == nil {
return logent.New(lvlKO).ErrorAdd(true, err)
}
return log.Entry(lvlKO, msg, args...).FieldAdd("ldap.host", lc.config.ServerAddr(lc.tlsMode == TLSModeTLS)).ErrorAdd(true, err)
}
// SetCredentials used to defined the BindDN and password for connection.
func (lc *HelperLDAP) SetCredentials(user, pass string) {
lc.bindDN = user
lc.bindPass = pass
}
func (lc *HelperLDAP) GetTLSMode() TLSMode {
if lc.tlsMode == TLSModeTLS || lc.tlsMode == TLSModeStarttls {
if lc.tlsConfig == nil {
return TLSModeNone
}
}
return lc.tlsMode
}
// ForceTLSMode used to force tls mode and defined tls condition.
func (lc *HelperLDAP) ForceTLSMode(tlsMode TLSMode, tlsConfig *tls.Config) {
if tlsConfig != nil {
lc.tlsConfig = tlsConfig
} else {
//nolint #nosec
/* #nosec */
lc.tlsConfig = &tls.Config{}
}
switch tlsMode {
case TLSModeTLS:
lc.tlsMode = TLSModeTLS
case TLSModeStarttls:
lc.tlsMode = TLSModeStarttls
case TLSModeNone:
lc.tlsConfig = nil
lc.tlsMode = TLSModeNone
case _TLSModeInit:
lc.tlsMode = _TLSModeInit
}
}
func (lc *HelperLDAP) dialTLS() (*ldap.Conn, liberr.Error) {
d := net.Dialer{}
adr := lc.config.ServerAddr(true)
if len(adr) < 3 {
return nil, ErrorLDAPServerTLS.Error(fmt.Errorf("invalid port for LDAPS"))
}
c, err := d.DialContext(lc.ctx, "tcp", adr)
if err != nil {
if c != nil {
_ = c.Close()
}
return nil, ErrorLDAPServerTLS.Error(err)
}
c = tls.Client(c, lc.tlsConfig)
if c == nil {
return nil, ErrorLDAPServerTLS.Error(ErrorLDAPServerConnection.Error(nil))
}
l := ldap.NewConn(c, true)
if l == nil {
return nil, ErrorLDAPServerTLS.Error(ErrorLDAPServerConnection.Error(nil))
}
l.Start()
if l.IsClosing() {
return nil, ErrorLDAPServerTLS.Error(ErrorLDAPServerDialClosing.Error(nil))
}
if _, tlsOk := l.TLSConnectionState(); !tlsOk {
return nil, ErrorLDAPServerTLS.Error(nil)
}
return l, nil
}
func (lc *HelperLDAP) dial() (*ldap.Conn, liberr.Error) {
d := net.Dialer{}
adr := lc.config.ServerAddr(false)
if len(adr) < 3 {
return nil, ErrorLDAPServerTLS.Error(fmt.Errorf("invalid port for LDAP / LDAP+STARTLS"))
}
c, err := d.DialContext(lc.ctx, "tcp", adr)
if err != nil {
if c != nil {
_ = c.Close()
}
return nil, ErrorLDAPServerDial.Error(err)
}
l := ldap.NewConn(c, false)
if l == nil {
return nil, ErrorLDAPServerDial.Error(ErrorLDAPServerConnection.Error(nil))
}
l.Start()
if l.IsClosing() {
return nil, ErrorLDAPServerDial.Error(ErrorLDAPServerDialClosing.Error(nil))
}
return l, nil
}
func (lc *HelperLDAP) starttls(l *ldap.Conn) liberr.Error {
err := l.StartTLS(lc.tlsConfig)
if err != nil {
return ErrorLDAPServerStartTLS.Error(err)
}
if _, tlsOk := l.TLSConnectionState(); !tlsOk {
return ErrorLDAPServerStartTLS.Error(nil)
}
return nil
}
func (lc *HelperLDAP) tryConnect() (TLSMode, liberr.Error) {
if lc == nil {
return TLSModeNone, ErrorParamEmpty.Error(nil)
}
var (
l *ldap.Conn
err liberr.Error
)
defer func() {
if l != nil {
_ = l.Close()
}
}()
if lc.config.Portldaps != 0 {
l, err = lc.dialTLS()
lc.getLogEntryErr(loglvl.DebugLevel, err, "connecting ldap with tls mode '%s'", TLSModeTLS.String()).Check(loglvl.DebugLevel)
if err == nil {
return TLSModeTLS, nil
}
}
if lc.config.PortLdap == 0 {
return _TLSModeInit, ErrorLDAPServerConfig.Error(nil)
}
l, err = lc.dial()
lc.getLogEntryErr(loglvl.DebugLevel, err, "connecting ldap with tls mode '%s'", TLSModeNone.String()).Check(loglvl.DebugLevel)
if err != nil {
return _TLSModeInit, err
}
err = lc.starttls(l)
lc.getLogEntryErr(loglvl.DebugLevel, err, "connecting ldap with tls mode '%s'", TLSModeStarttls.String()).Check(loglvl.DebugLevel)
if err == nil {
return TLSModeStarttls, nil
}
return TLSModeNone, nil
}
func (lc *HelperLDAP) connect() liberr.Error {
if lc == nil || lc.ctx == nil {
return ErrorLDAPContext.Error(ErrorParamEmpty.Error(nil))
}
if err := lc.ctx.Err(); err != nil {
return ErrorLDAPContext.Error(err)
}
if lc.conn == nil {
var (
l *ldap.Conn
err liberr.Error
)
if lc.tlsMode == _TLSModeInit {
m, e := lc.tryConnect()
if e != nil {
return e
}
lc.tlsMode = m
}
if lc.tlsMode == TLSModeTLS {
l, err = lc.dialTLS()
if err != nil {
if l != nil {
_ = l.Close()
}
return err
}
}
if lc.tlsMode == TLSModeNone || lc.tlsMode == TLSModeStarttls {
l, err = lc.dial()
if err != nil {
if l != nil {
_ = l.Close()
}
return err
}
}
if lc.tlsMode == TLSModeStarttls {
err = lc.starttls(l)
if err != nil {
if l != nil {
_ = l.Close()
}
return err
}
}
lc.getLogEntry(loglvl.DebugLevel, "ldap connected").Log()
lc.conn = l
}
return nil
}
// Check used to check if connection success (without any bind).
func (lc *HelperLDAP) Check() liberr.Error {
if lc == nil {
return ErrorParamEmpty.Error(nil)
}
if lc.conn == nil {
defer func() {
if lc.conn != nil {
_ = lc.conn.Close()
lc.conn = nil
}
}()
}
if err := lc.connect(); err != nil {
lc.Close()
return err
}
return nil
}
// Close used to close connection object.
func (lc *HelperLDAP) Close() {
if lc == nil {
return
}
if lc.conn != nil {
_ = lc.conn.Close()
lc.conn = nil
}
}
// AuthUser used to test bind given user uid and password.
func (lc *HelperLDAP) AuthUser(username, password string) liberr.Error {
if lc == nil {
return ErrorParamEmpty.Error(nil)
}
if err := lc.connect(); err != nil {
return err
}
if username == "" || password == "" {
return ErrorParamEmpty.Error(nil)
}
err := lc.conn.Bind(username, password)
return ErrorLDAPBind.IfError(err)
}
// Connect used to connect and bind to server.
func (lc *HelperLDAP) Connect() liberr.Error {
if lc == nil {
return ErrorParamEmpty.Error(nil)
}
if err := lc.AuthUser(lc.bindDN, lc.bindPass); err != nil {
return err
}
lc.getLogEntry(loglvl.DebugLevel, "ldap bind success").FieldAdd("bind.dn", lc.bindDN).Log()
return nil
}
func (lc *HelperLDAP) runSearch(filter string, attributes []string) (*ldap.SearchResult, liberr.Error) {
var (
err error
src *ldap.SearchResult
)
if e := lc.Connect(); e != nil {
return nil, e
}
defer lc.Close()
searchRequest := ldap.NewSearchRequest(
lc.config.Basedn,
ldap.ScopeWholeSubtree,
ldap.NeverDerefAliases,
0, 0, false,
filter,
attributes,
nil,
)
if src, err = lc.conn.Search(searchRequest); err != nil {
return nil, ErrorLDAPSearch.Error(err)
}
lc.getLogEntry(loglvl.DebugLevel, "ldap search success").FieldAdd("ldap.filter", filter).FieldAdd("ldap.attributes", attributes).Log()
return src, nil
}
func (lc *HelperLDAP) getUserName(username string) (string, liberr.Error) {
username = strings.TrimSpace(username)
if username == "" {
if usr := lc.ParseEntries(lc.bindDN); len(usr) == 0 {
return "", ErrorLDAPInvalidUID.Error(ErrorLDAPInvalidDN.Error(nil))
} else if _, ok := usr["uid"]; !ok {
return "", ErrorLDAPInvalidUID.Error(ErrorLDAPAttributeNotFound.Error(nil))
} else if len(usr["uid"]) < 1 {
return "", ErrorLDAPInvalidUID.Error(ErrorLDAPAttributeEmpty.Error(nil))
} else {
username = usr["uid"][0]
}
username = strings.TrimSpace(username)
}
if username == "" {
return "", ErrorLDAPInvalidUID.Error(ErrorLDAPAttributeEmpty.Error(nil))
}
return username, nil
}
// UserInfo used to retrieve the information of a given username.
func (lc *HelperLDAP) UserInfo(username string) (map[string]string, liberr.Error) {
return lc.UserInfoByField(username, userFieldUid)
}
// UserInfoByField used to retrieve the information of a given username but use a given field to make the search.
func (lc *HelperLDAP) UserInfoByField(username string, fieldOfUnicValue string) (map[string]string, liberr.Error) {
var (
err liberr.Error
src *ldap.SearchResult
userRes map[string]string
)
if username, err = lc.getUserName(username); err != nil {
return nil, err
}
userRes = make(map[string]string)
attributes := append(lc.Attributes, "cn")
src, err = lc.runSearch(fmt.Sprintf(lc.config.FilterUser, fieldOfUnicValue, username), attributes)
if err != nil {
return userRes, err
}
if len(src.Entries) != 1 {
if len(src.Entries) > 1 {
return userRes, ErrorLDAPUserNotUniq.Error(nil)
} else {
return userRes, ErrorLDAPUserNotFound.Error(nil)
}
}
for _, attr := range attributes {
userRes[attr] = src.Entries[0].GetAttributeValue(attr)
}
if _, ok := userRes["DN"]; !ok {
userRes["DN"] = src.Entries[0].DN
}
lc.getLogEntry(loglvl.DebugLevel, "ldap user find success").FieldAdd("ldap.user", username).FieldAdd("ldap.map", userRes).Log()
return userRes, nil
}
// GroupInfo used to retrieve the information of a given group cn.
func (lc *HelperLDAP) GroupInfo(groupname string) (map[string]interface{}, liberr.Error) {
return lc.GroupInfoByField(groupname, groupFieldCN)
}
func (lc *HelperLDAP) AttributeFilter(search string, filter string, allAttribute bool, attribute ...string) (map[string]map[string]string, liberr.Error) {
var (
err liberr.Error
src *ldap.SearchResult
grpInfo = make(map[string]map[string]string, 0)
)
if !slices.Contains(attribute, "cn") {
attribute = append(append(make([]string, 0, len(attribute)+1), "cn"), attribute...)
}
if len(filter) > 0 && len(search) > 0 {
src, err = lc.runSearch(fmt.Sprintf("(&(objectClass~=groupOfNames)(%s=%s))", filter, search), attribute)
} else {
src, err = lc.runSearch("(&(objectClass~=groupOfNames))", attribute)
}
if err != nil {
return grpInfo, err
} else if len(src.Entries) == 0 {
return nil, ErrorLDAPGroupNotFound.Error(nil)
}
for i := range src.Entries {
if src.Entries[i] == nil {
continue
} else if len(src.Entries[i].Attributes) < 1 {
continue
}
var g = make(map[string]string, 0)
for j := range src.Entries[i].Attributes {
if src.Entries[i].Attributes[j] == nil {
continue
} else if len(src.Entries[i].Attributes[j].Name) < 1 {
continue
} else if len(src.Entries[i].Attributes[j].Values) < 1 {
continue
} else if slices.Contains(attribute, src.Entries[i].Attributes[j].Name) {
g[src.Entries[i].Attributes[j].Name] = strings.Join(src.Entries[i].Attributes[j].Values, " ")
}
}
if len(g) < 1 {
continue
} else if allAttribute && len(g) != len(attribute) {
continue
}
if _, k := g["cn"]; k {
grpInfo[g["cn"]] = g
continue
}
}
lc.getLogEntry(loglvl.DebugLevel, "ldap group find success").FieldAdd("ldap.group", search).FieldAdd("ldap.attributes", strings.Join(attribute, ",")).FieldAdd("ldap.result.len", len(grpInfo)).Log()
return grpInfo, nil
}
// GroupInfoByField used to retrieve the information of a given group cn, but use a given field to make the search.
func (lc *HelperLDAP) GroupInfoByField(groupname string, fieldForUnicValue string) (map[string]interface{}, liberr.Error) {
var (
err liberr.Error
src *ldap.SearchResult
grpInfo map[string]interface{}
)
src, err = lc.runSearch(fmt.Sprintf(lc.config.FilterGroup, fieldForUnicValue, groupname), []string{})
if err != nil {
return grpInfo, err
}
if len(src.Entries) == 0 {
return nil, ErrorLDAPGroupNotFound.Error(nil)
}
grpInfo = make(map[string]interface{}, len(src.Entries[0].Attributes))
for _, entry := range src.Entries {
for _, entryAttribute := range entry.Attributes {
grpInfo[entryAttribute.Name] = entryAttribute.Values
}
}
lc.getLogEntry(loglvl.DebugLevel, "ldap group find success").FieldAdd("ldap.group", groupname).FieldAdd("ldap.map", grpInfo).Log()
return grpInfo, nil
}
// UserMemberOf returns the group list of a given user.
func (lc *HelperLDAP) UserMemberOf(username string) ([]string, liberr.Error) {
var (
err liberr.Error
src *ldap.SearchResult
grp []string
)
if username, err = lc.getUserName(username); err != nil {
return nil, err
}
grp = make([]string, 0)
src, err = lc.runSearch(fmt.Sprintf(lc.config.FilterUser, userFieldUid, username), []string{"memberOf"})
if err != nil {
return grp, err
}
for _, entry := range src.Entries {
for _, mmb := range entry.GetAttributeValues("memberOf") {
lc.getLogEntry(loglvl.DebugLevel, "ldap find user group list building").FieldAdd("ldap.user", username).FieldAdd("ldap.raw.groups", mmb).Log()
mmo := lc.ParseEntries(mmb)
grp = append(grp, mmo["cn"]...)
}
}
lc.getLogEntry(loglvl.DebugLevel, "ldap user group list success").FieldAdd("ldap.user", username).FieldAdd("ldap.grouplist", grp).Log()
return grp, nil
}
// UserIsInGroup used to check if a given username is a group member of a list of reference group name.
func (lc *HelperLDAP) UserIsInGroup(username string, groupname []string) (bool, liberr.Error) {
var (
err liberr.Error
grpMmbr []string
)
if username, err = lc.getUserName(username); err != nil {
return false, err
} else if grpMmbr, err = lc.UserMemberOf(username); err != nil {
return false, err
}
for _, grpSrch := range groupname {
for _, grpItem := range grpMmbr {
if strings.EqualFold(grpSrch, grpItem) {
return true, nil
}
}
}
return false, nil
}
// UsersOfGroup used to retrieve the member list of a given group name.
func (lc *HelperLDAP) UsersOfGroup(groupname string) ([]string, liberr.Error) {
var (
err liberr.Error
src *ldap.SearchResult
grp []string
)
grp = make([]string, 0)
src, err = lc.runSearch(fmt.Sprintf(lc.config.FilterGroup, groupFieldCN, groupname), []string{"member"})
if err != nil {
return grp, err
}
for _, entry := range src.Entries {
for _, mmb := range entry.GetAttributeValues("member") {
member := lc.ParseEntries(mmb)
grp = append(grp, member["uid"]...)
}
}
lc.getLogEntry(loglvl.DebugLevel, "ldap group user list success").FieldAdd("ldap.group", groupname).FieldAdd("ldap.userlist", grp).Log()
return grp, nil
}
// ParseEntries used to clean attributes of an object class.
func (lc *HelperLDAP) ParseEntries(entry string) map[string][]string {
var listEntries = make(map[string][]string)
for _, ent := range strings.Split(entry, ",") {
key := strings.SplitN(ent, "=", 2)
if len(key) != 2 || len(key[0]) < 1 || len(key[1]) < 1 {
continue
}
key[0] = strings.TrimSpace(key[0])
key[1] = strings.TrimSpace(key[1])
if _, ok := listEntries[key[0]]; !ok {
listEntries[key[0]] = []string{}
}
listEntries[key[0]] = append(listEntries[key[0]], key[1])
}
return listEntries
}
Reference in New Issue View Git Blame Copy Permalink