validator: add LDAP auth
This commit is contained in:
parent
a750e2d7ce
commit
23ab4264f9
2 changed files with 99 additions and 5 deletions
|
|
@ -1,13 +1,30 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
"os"
|
||||
"path"
|
||||
"strings"
|
||||
"text/template"
|
||||
|
||||
"gopkg.in/ldap.v2"
|
||||
)
|
||||
|
||||
type loginChecker struct{
|
||||
students []Student
|
||||
type loginChecker struct {
|
||||
students []Student
|
||||
ldapAddr string
|
||||
ldapPort int
|
||||
ldapIsTLS bool
|
||||
ldapBase string
|
||||
ldapBindUsername string
|
||||
ldapBindPassword string
|
||||
}
|
||||
|
||||
type loginUpload struct {
|
||||
|
|
@ -15,6 +32,65 @@ type loginUpload struct {
|
|||
Password string
|
||||
}
|
||||
|
||||
func (l loginChecker) ldapAuth(username, password string) (res bool, err error) {
|
||||
tlsCnf := tls.Config{InsecureSkipVerify: true}
|
||||
|
||||
var c *ldap.Conn
|
||||
|
||||
if l.ldapIsTLS {
|
||||
c, err = ldap.DialTLS("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort), &tlsCnf)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
} else {
|
||||
c, err = ldap.Dial("tcp", fmt.Sprintf("%s:%d", l.ldapAddr, l.ldapPort))
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
// Reconnect with TLS
|
||||
err = c.StartTLS(&tlsCnf)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
}
|
||||
defer c.Close()
|
||||
|
||||
if l.ldapBindUsername != "" {
|
||||
err = c.Bind(l.ldapBindUsername, l.ldapBindPassword)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
}
|
||||
|
||||
// Search for the given username
|
||||
searchRequest := ldap.NewSearchRequest(
|
||||
l.ldapBase,
|
||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||
fmt.Sprintf("(&(objectClass=person)(uid=%s))", username),
|
||||
[]string{"dn"},
|
||||
nil,
|
||||
)
|
||||
|
||||
sr, err := c.Search(searchRequest)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
if len(sr.Entries) != 1 {
|
||||
return false, errors.New("User does not exist or too many entries returned")
|
||||
}
|
||||
|
||||
userdn := sr.Entries[0].DN
|
||||
|
||||
err = c.Bind(userdn, password)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
||||
|
||||
func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
if addr := r.Header.Get("X-Forwarded-For"); addr != "" {
|
||||
r.RemoteAddr = addr
|
||||
|
|
@ -59,6 +135,16 @@ func (l loginChecker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
if ok, err := l.ldapAuth(lu.Username, lu.Password); err != nil {
|
||||
log.Println("Unable to perform authentication for", lu.Username, ":", err, "at", r.RemoteAddr)
|
||||
http.Error(w, err.Error(), http.StatusUnauthorized)
|
||||
return
|
||||
} else if !ok {
|
||||
log.Println("Login failed:", lu.Username, "at", r.RemoteAddr)
|
||||
http.Error(w, "Invalid password", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
if err := l.lateLoginAction(lu.Username, r.RemoteAddr); err != nil {
|
||||
log.Println("Error on late login action:", err)
|
||||
http.Error(w, "Internal server error. Please retry in a few minutes", http.StatusInternalServerError)
|
||||
|
|
|
|||
Reference in a new issue