outposts/ldap: save user DN to determine who can search

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-05-04 21:49:15 +02:00
parent 99d161e212
commit 08451c15f4
10 changed files with 87 additions and 30 deletions
--- a/outpost/pkg/ldap/api.go
+++ b/outpost/pkg/ldap/api.go
@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"sync"

 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/outpost/pkg/client/outposts"
@ -22,13 +23,15 @@ func (ls *LDAPServer) Refresh() error {
 		userDN := strings.ToLower(fmt.Sprintf("cn=users,%s", provider.BaseDn))
 		groupDN := strings.ToLower(fmt.Sprintf("cn=groups,%s", provider.BaseDn))
 		providers[idx] = &ProviderInstance{
-			BaseDN:   provider.BaseDn,
-			GroupDN:  groupDN,
-			UserDN:   userDN,
-			appSlug:  *provider.ApplicationSlug,
-			flowSlug: *provider.BindFlowSlug,
-			s:        ls,
-			log:      log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
+			BaseDN:          provider.BaseDn,
+			GroupDN:         groupDN,
+			UserDN:          userDN,
+			appSlug:         *provider.ApplicationSlug,
+			flowSlug:        *provider.BindFlowSlug,
+			s:               ls,
+			log:             log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
+			boundUsersMutex: sync.RWMutex{},
+			boundUsers:      make(map[string]UserFlags),
 		}
 	}
 	ls.providers = providers
--- a/outpost/pkg/ldap/bind.go
+++ b/outpost/pkg/ldap/bind.go
@ -1,18 +1,17 @@
 package ldap

 import (
-	"context"
 	"net"

-	"github.com/goauthentik/ldap"
+	"github.com/nmcclain/ldap"
 )

-func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn, ctx context.Context) (ldap.LDAPResultCode, error) {
+func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
 	ls.log.WithField("boundDN", bindDN).Info("bind")
 	for _, instance := range ls.providers {
 		username, err := instance.getUsername(bindDN)
 		if err == nil {
-			return instance.Bind(username, bindPW, conn, ctx)
+			return instance.Bind(username, bindPW, conn)
 		}
 	}
 	ls.log.WithField("boundDN", bindDN).WithField("request", "bind").Warning("No provider found for request")
--- a/outpost/pkg/ldap/instance_bind.go
+++ b/outpost/pkg/ldap/instance_bind.go
@ -8,10 +8,11 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"strings"
+	"time"

 	goldap "github.com/go-ldap/ldap/v3"
 	httptransport "github.com/go-openapi/runtime/client"
-	"github.com/goauthentik/ldap"
+	"github.com/nmcclain/ldap"
 	"goauthentik.io/outpost/pkg/client/core"
 	"goauthentik.io/outpost/pkg/client/flows"
 )
@ -44,7 +45,7 @@ func (pi *ProviderInstance) getUsername(dn string) (string, error) {
 	return "", errors.New("failed to find dn")
 }

-func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn, ctx context.Context) (ldap.LDAPResultCode, error) {
+func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
 	jar, err := cookiejar.New(nil)
 	if err != nil {
 		pi.log.WithError(err).Warning("Failed to create cookiejar")
@ -77,17 +78,42 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn,
 	pi.log.WithField("boundDN", username).Info("User has access")
 	// Get user info to store in context
 	userInfo, err := pi.s.ac.Client.Core.CoreUsersMe(&core.CoreUsersMeParams{
-		Context:    ctx,
+		Context:    context.Background(),
 		HTTPClient: client,
 	}, httptransport.PassThroughAuth)
 	if err != nil {
 		pi.log.WithField("boundDN", username).WithError(err).Warning("failed to get user info")
 		return ldap.LDAPResultOperationsError, nil
 	}
-	ctx = context.WithValue(ctx, ContextUserKey, userInfo.Payload.User)
+	pi.boundUsersMutex.Lock()
+	pi.boundUsers[username] = UserFlags{
+		UserInfo:  userInfo.Payload.User,
+		CanSearch: userInfo.Payload.User.Attributes.(map[string]bool)["goauthentik.io/ldap/can-search"],
+	}
+	pi.boundUsersMutex.Unlock()
+	pi.delayDeleteUserInfo(username)
 	return ldap.LDAPResultSuccess, nil
 }

+func (pi *ProviderInstance) delayDeleteUserInfo(dn string) {
+	ticker := time.NewTicker(30 * time.Second)
+	quit := make(chan struct{})
+	go func() {
+		for {
+			select {
+			case <-ticker.C:
+				pi.boundUsersMutex.Lock()
+				delete(pi.boundUsers, dn)
+				pi.boundUsersMutex.Unlock()
+				close(quit)
+			case <-quit:
+				ticker.Stop()
+				return
+			}
+		}
+	}()
+}
+
 func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client) (bool, error) {
 	challenge, err := pi.s.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{
 		FlowSlug:   pi.flowSlug,
--- a/outpost/pkg/ldap/instance_search.go
+++ b/outpost/pkg/ldap/instance_search.go
@ -1,12 +1,13 @@
 package ldap

 import (
+	"errors"
 	"fmt"
 	"net"
 	"strconv"
 	"strings"

-	"github.com/goauthentik/ldap"
+	"github.com/nmcclain/ldap"
 	"goauthentik.io/outpost/pkg/client/core"
 )

@ -26,6 +27,16 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest,
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", bindDN, pi.BaseDN)
 	}

+	pi.boundUsersMutex.RLock()
+	defer pi.boundUsersMutex.RUnlock()
+	flags, ok := pi.boundUsers[bindDN]
+	if !ok {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("Access denied")
+	}
+	if !flags.CanSearch {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("Access denied")
+	}
+
 	switch filterEntity {
 	default:
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: unhandled filter type: %s [%s]", filterEntity, searchReq.Filter)
--- a/outpost/pkg/ldap/ldap.go
+++ b/outpost/pkg/ldap/ldap.go
@ -1,10 +1,13 @@
 package ldap

 import (
+	"sync"
+
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/outpost/pkg/ak"
+	"goauthentik.io/outpost/pkg/models"

-	"github.com/goauthentik/ldap"
+	"github.com/nmcclain/ldap"
 )

 const GroupObjectClass = "group"
@ -16,10 +19,18 @@ type ProviderInstance struct {
 	UserDN  string
 	GroupDN string

-	appSlug  string
-	flowSlug string
-	s        *LDAPServer
-	log      *log.Entry
+	appSlug    string
+	flowSlug   string
+	s          *LDAPServer
+	log        *log.Entry
+
+	boundUsersMutex sync.RWMutex
+	boundUsers map[string]UserFlags
+}
+
+type UserFlags struct {
+	UserInfo  *models.User
+	CanSearch bool
 }

 type LDAPServer struct {
--- a/outpost/pkg/ldap/search.go
+++ b/outpost/pkg/ldap/search.go
@ -5,7 +5,7 @@ import (
 	"net"

 	goldap "github.com/go-ldap/ldap/v3"
-	"github.com/goauthentik/ldap"
+	"github.com/nmcclain/ldap"
 )

 func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
--- a/outpost/pkg/ldap/utils.go
+++ b/outpost/pkg/ldap/utils.go
@ -3,7 +3,7 @@ package ldap
 import (
 	"fmt"

-	"github.com/goauthentik/ldap"
+	"github.com/nmcclain/ldap"
 	"goauthentik.io/outpost/pkg/models"
 )