nemunaire/chldapasswd
1
0
Fork 0
Code Issues Pull requests Releases Activity
chldapasswd/main.go
Pierre-Olivier Mercier 3e6b95bf40 refactor: separate SMTP config from LDAP struct 
The LDAP struct was mixing LDAP connection settings with unrelated mail
settings. Extract mail fields into a dedicated SMTPConfig struct with
its own global (mySMTP), keeping concerns cleanly separated.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 17:02:52 +07:00

270 lines
7.2 KiB
Go
Raw Blame History

package main
import (
"context"
"encoding/json"
"flag"
"fmt"
"io"
"log"
"net/http"
"net/url"
"os"
"os/signal"
"path"
"strconv"
"strings"
"syscall"
)
var myPublicURL = ""
var devMode bool
var brandName = "chldapasswd"
var brandLogo = ""
// dockerRegistrySecret is required for X-Special-Auth anonymous access.
// If empty, the feature is disabled.
var dockerRegistrySecret string
// allowedAliasDomains is the allowlist of domains users may create aliases under.
// If empty, alias creation is disabled.
var allowedAliasDomains []string
var myLDAP = LDAP{
Host: "localhost",
Port: 389,
BaseDN: "dc=example,dc=com",
}
var mySMTP = SMTPConfig{
MailPort: 587,
MailFrom: "noreply@example.com",
}
type ResponseWriterPrefix struct {
real http.ResponseWriter
prefix string
}
func (r ResponseWriterPrefix) Header() http.Header {
return r.real.Header()
}
func (r ResponseWriterPrefix) WriteHeader(s int) {
if v, exists := r.real.Header()["Location"]; exists {
r.real.Header().Set("Location", r.prefix+v[0])
}
r.real.WriteHeader(s)
}
func (r ResponseWriterPrefix) Write(z []byte) (int, error) {
return r.real.Write(z)
}
func StripPrefix(prefix string, h http.Handler) http.Handler {
if prefix == "" {
return h
}
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if prefix != "/" && r.URL.Path == "/" {
http.Redirect(w, r, prefix+"/", http.StatusFound)
} else if p := strings.TrimPrefix(r.URL.Path, prefix); len(p) < len(r.URL.Path) {
r2 := new(http.Request)
*r2 = *r
r2.URL = new(url.URL)
*r2.URL = *r.URL
r2.URL.Path = p
h.ServeHTTP(ResponseWriterPrefix{w, prefix}, r2)
} else {
h.ServeHTTP(w, r)
}
})
}
func main() {
baseURL := "/"
bind := "127.0.0.1:8080"
if val, ok := os.LookupEnv("BRAND_NAME"); ok {
brandName = val
}
if val, ok := os.LookupEnv("BRAND_LOGO"); ok {
brandLogo = val
}
var configfile = flag.String("config", "", "path to the configuration file")
flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
flag.StringVar(&bind, "bind", bind, "Bind port/socket")
flag.StringVar(&brandName, "brand-name", brandName, "Brand name displayed in the UI")
flag.StringVar(&brandLogo, "brand-logo", brandLogo, "URL of brand logo displayed in the UI (added to CSP img-src)")
flag.BoolVar(&devMode, "dev", devMode, "Development mode: disables HSTS and cookie Secure flag for local HTTP testing")
flag.StringVar(&myPublicURL, "public-url", myPublicURL, "Public base URL used in password reset emails")
flag.Parse()
if devMode {
log.Println("WARNING: running in development mode — security features relaxed, do not use in production")
}
// Sanitize options
if baseURL != "/" {
baseURL = path.Clean(baseURL)
} else {
baseURL = ""
}
// Load config file
if configfile != nil && *configfile != "" {
if fd, err := os.Open(*configfile); err != nil {
log.Fatal(err)
} else if cnt, err := io.ReadAll(fd); err != nil {
log.Fatal(err)
} else {
if err := json.Unmarshal(cnt, &myLDAP); err != nil {
log.Fatal(err)
}
if err := json.Unmarshal(cnt, &mySMTP); err != nil {
log.Fatal(err)
}
}
}
// Read configuration from environment
if val, ok := os.LookupEnv("LDAP_HOST"); ok {
myLDAP.Host = val
}
if val, ok := os.LookupEnv("LDAP_PORT"); ok {
if port, err := strconv.Atoi(val); err == nil {
myLDAP.Port = port
} else {
log.Println("Invalid value for LDAP_PORT:", val)
}
}
if val, ok := os.LookupEnv("LDAP_STARTTLS"); ok {
myLDAP.Starttls = val == "1" || val == "on" || val == "true"
}
if val, ok := os.LookupEnv("LDAP_SSL"); ok {
myLDAP.Ssl = val == "1" || val == "on" || val == "true"
}
if val, ok := os.LookupEnv("LDAP_BASEDN"); ok {
myLDAP.BaseDN = val
}
if val, ok := os.LookupEnv("LDAP_SERVICEDN"); ok {
myLDAP.ServiceDN = val
}
if val, ok := os.LookupEnv("LDAP_SERVICE_PASSWORD_FILE"); ok {
if fd, err := os.Open(val); err != nil {
log.Fatal(err)
} else if cnt, err := io.ReadAll(fd); err != nil {
log.Fatal(err)
} else {
myLDAP.ServicePassword = string(cnt)
}
} else if val, ok := os.LookupEnv("LDAP_SERVICE_PASSWORD"); ok {
myLDAP.ServicePassword = val
}
if val, ok := os.LookupEnv("SMTP_HOST"); ok {
mySMTP.MailHost = val
}
if val, ok := os.LookupEnv("SMTP_PORT"); ok {
if port, err := strconv.Atoi(val); err == nil {
mySMTP.MailPort = port
} else {
log.Println("Invalid value for SMTP_PORT:", val)
}
}
if val, ok := os.LookupEnv("SMTP_USER"); ok {
mySMTP.MailUser = val
}
if val, ok := os.LookupEnv("SMTP_PASSWORD_FILE"); ok {
if fd, err := os.Open(val); err != nil {
log.Fatal(err)
} else if cnt, err := os.ReadFile(val); err != nil {
fd.Close()
log.Fatal(err)
} else {
fd.Close()
mySMTP.MailPassword = string(cnt)
}
} else if val, ok := os.LookupEnv("SMTP_PASSWORD"); ok {
mySMTP.MailPassword = val
}
if val, ok := os.LookupEnv("SMTP_FROM"); ok {
mySMTP.MailFrom = val
}
if val, ok := os.LookupEnv("PUBLIC_URL"); ok {
myPublicURL = val
}
if val, ok := os.LookupEnv("DOCKER_REGISTRY_SECRET"); ok {
dockerRegistrySecret = val
}
if val, ok := os.LookupEnv("ALIAS_ALLOWED_DOMAINS"); ok && val != "" {
allowedAliasDomains = strings.Split(val, ",")
}
if flag.NArg() > 0 {
switch flag.Arg(0) {
case "generate-lost-password-link":
if flag.NArg() != 2 {
log.Fatal("Need a second argument: email of the user to reset")
}
login := flag.Arg(1)
conn, err := myLDAP.Connect()
if err != nil || conn == nil {
log.Fatalf("Unable to connect to LDAP: %s", err.Error())
}
defer conn.Close()
token, dn, err := lostPasswordToken(conn, login)
if err != nil {
log.Fatal(err.Error())
}
fmt.Printf("Reset link for %s: %s/reset?l=%s&t=%s", dn, myPublicURL, login, token)
return
case "serve":
case "server":
break
default:
log.Fatalf("%q is not a valid command", flag.Arg(0))
}
}
// Prepare graceful shutdown
interrupt := make(chan os.Signal, 1)
signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)
// Register handlers
http.HandleFunc(fmt.Sprintf("GET %s/altcha.min.js", baseURL), serveAltchaJS)
http.HandleFunc(fmt.Sprintf("GET %s/style.css", baseURL), serveStyleCSS)
http.HandleFunc(fmt.Sprintf("GET %s/altcha-challenge", baseURL), serveAltchaChallenge)
http.HandleFunc(fmt.Sprintf("%s/{$}", baseURL), changePassword)
http.HandleFunc(fmt.Sprintf("POST %s/api/v1/aliases", baseURL), addyAliasAPI)
http.HandleFunc(fmt.Sprintf("DELETE %s/api/v1/aliases/{alias}", baseURL), addyAliasAPIDelete)
http.HandleFunc(fmt.Sprintf("%s/auth", baseURL), httpBasicAuth)
http.HandleFunc(fmt.Sprintf("%s/login", baseURL), tryLogin)
http.HandleFunc(fmt.Sprintf("%s/change", baseURL), changePassword)
http.HandleFunc(fmt.Sprintf("%s/reset", baseURL), resetPassword)
http.HandleFunc(fmt.Sprintf("%s/lost", baseURL), lostPassword)
srv := &http.Server{
Addr: bind,
Handler: securityHeaders(http.DefaultServeMux),
}
// Serve content
go func() {
log.Fatal(srv.ListenAndServe())
}()
log.Printf("Using LDAP server at %s:%d (baseDN: %s)", myLDAP.Host, myLDAP.Port, myLDAP.BaseDN)
log.Printf("Ready, listening on %s", bind)
// Wait shutdown signal
<-interrupt
log.Print("The service is shutting down...")
srv.Shutdown(context.Background())
log.Println("done")
}
Reference in a new issue View git blame Copy permalink