1 files changed, 516 insertions, 0 deletions
diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
new file mode 100644
index 0000000..2a61386
--- /dev/null
+++ b/services/auth/source/ldap/source_search.go
@@ -0,0 +1,516 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package ldap
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+
+	"code.gitea.io/gitea/modules/container"
+	"code.gitea.io/gitea/modules/log"
+
+	"github.com/go-ldap/ldap/v3"
+)
+
+// SearchResult : user data
+type SearchResult struct {
+	Username     string   // Username
+	Name         string   // Name
+	Surname      string   // Surname
+	Mail         string   // E-mail address
+	SSHPublicKey []string // SSH Public Key
+	IsAdmin      bool     // if user is administrator
+	IsRestricted bool     // if user is restricted
+	LowerName    string   // LowerName
+	Avatar       []byte
+	Groups       container.Set[string]
+}
+
+func (source *Source) sanitizedUserQuery(username string) (string, bool) {
+	// See http://tools.ietf.org/search/rfc4515
+	badCharacters := "\x00()*\\"
+	if strings.ContainsAny(username, badCharacters) {
+		log.Debug("'%s' contains invalid query characters. Aborting.", username)
+		return "", false
+	}
+
+	return fmt.Sprintf(source.Filter, username), true
+}
+
+func (source *Source) sanitizedUserDN(username string) (string, bool) {
+	// See http://tools.ietf.org/search/rfc4514: "special characters"
+	badCharacters := "\x00()*\\,='\"#+;<>"
+	if strings.ContainsAny(username, badCharacters) {
+		log.Debug("'%s' contains invalid DN characters. Aborting.", username)
+		return "", false
+	}
+
+	return fmt.Sprintf(source.UserDN, username), true
+}
+
+func (source *Source) sanitizedGroupFilter(group string) (string, bool) {
+	// See http://tools.ietf.org/search/rfc4515
+	badCharacters := "\x00*\\"
+	if strings.ContainsAny(group, badCharacters) {
+		log.Trace("Group filter invalid query characters: %s", group)
+		return "", false
+	}
+
+	return group, true
+}
+
+func (source *Source) sanitizedGroupDN(groupDn string) (string, bool) {
+	// See http://tools.ietf.org/search/rfc4514: "special characters"
+	badCharacters := "\x00()*\\'\"#+;<>"
+	if strings.ContainsAny(groupDn, badCharacters) || strings.HasPrefix(groupDn, " ") || strings.HasSuffix(groupDn, " ") {
+		log.Trace("Group DN contains invalid query characters: %s", groupDn)
+		return "", false
+	}
+
+	return groupDn, true
+}
+
+func (source *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
+	log.Trace("Search for LDAP user: %s", name)
+
+	// A search for the user.
+	userFilter, ok := source.sanitizedUserQuery(name)
+	if !ok {
+		return "", false
+	}
+
+	log.Trace("Searching for DN using filter %s and base %s", userFilter, source.UserBase)
+	search := ldap.NewSearchRequest(
+		source.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
+		false, userFilter, []string{}, nil)
+
+	// Ensure we found a user
+	sr, err := l.Search(search)
+	if err != nil || len(sr.Entries) < 1 {
+		log.Debug("Failed search using filter[%s]: %v", userFilter, err)
+		return "", false
+	} else if len(sr.Entries) > 1 {
+		log.Debug("Filter '%s' returned more than one user.", userFilter)
+		return "", false
+	}
+
+	userDN := sr.Entries[0].DN
+	if userDN == "" {
+		log.Error("LDAP search was successful, but found no DN!")
+		return "", false
+	}
+
+	return userDN, true
+}
+
+func dial(source *Source) (*ldap.Conn, error) {
+	log.Trace("Dialing LDAP with security protocol (%v) without verifying: %v", source.SecurityProtocol, source.SkipVerify)
+
+	tlsConfig := &tls.Config{
+		ServerName:         source.Host,
+		InsecureSkipVerify: source.SkipVerify,
+	}
+
+	if source.SecurityProtocol == SecurityProtocolLDAPS {
+		return ldap.DialTLS("tcp", net.JoinHostPort(source.Host, strconv.Itoa(source.Port)), tlsConfig)
+	}
+
+	conn, err := ldap.Dial("tcp", net.JoinHostPort(source.Host, strconv.Itoa(source.Port)))
+	if err != nil {
+		return nil, fmt.Errorf("error during Dial: %w", err)
+	}
+
+	if source.SecurityProtocol == SecurityProtocolStartTLS {
+		if err = conn.StartTLS(tlsConfig); err != nil {
+			conn.Close()
+			return nil, fmt.Errorf("error during StartTLS: %w", err)
+		}
+	}
+
+	return conn, nil
+}
+
+func bindUser(l *ldap.Conn, userDN, passwd string) error {
+	log.Trace("Binding with userDN: %s", userDN)
+	err := l.Bind(userDN, passwd)
+	if err != nil {
+		log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
+		return err
+	}
+	log.Trace("Bound successfully with userDN: %s", userDN)
+	return err
+}
+
+func checkAdmin(l *ldap.Conn, ls *Source, userDN string) bool {
+	if len(ls.AdminFilter) == 0 {
+		return false
+	}
+	log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)
+	search := ldap.NewSearchRequest(
+		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
+		[]string{ls.AttributeName},
+		nil)
+
+	sr, err := l.Search(search)
+
+	if err != nil {
+		log.Error("LDAP Admin Search with filter %s for %s failed unexpectedly! (%v)", ls.AdminFilter, userDN, err)
+	} else if len(sr.Entries) < 1 {
+		log.Trace("LDAP Admin Search found no matching entries.")
+	} else {
+		return true
+	}
+	return false
+}
+
+func checkRestricted(l *ldap.Conn, ls *Source, userDN string) bool {
+	if len(ls.RestrictedFilter) == 0 {
+		return false
+	}
+	if ls.RestrictedFilter == "*" {
+		return true
+	}
+	log.Trace("Checking restricted with filter %s and base %s", ls.RestrictedFilter, userDN)
+	search := ldap.NewSearchRequest(
+		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.RestrictedFilter,
+		[]string{ls.AttributeName},
+		nil)
+
+	sr, err := l.Search(search)
+
+	if err != nil {
+		log.Error("LDAP Restrictred Search with filter %s for %s failed unexpectedly! (%v)", ls.RestrictedFilter, userDN, err)
+	} else if len(sr.Entries) < 1 {
+		log.Trace("LDAP Restricted Search found no matching entries.")
+	} else {
+		return true
+	}
+	return false
+}
+
+// List all group memberships of a user
+func (source *Source) listLdapGroupMemberships(l *ldap.Conn, uid string, applyGroupFilter bool) container.Set[string] {
+	ldapGroups := make(container.Set[string])
+
+	groupFilter, ok := source.sanitizedGroupFilter(source.GroupFilter)
+	if !ok {
+		return ldapGroups
+	}
+
+	groupDN, ok := source.sanitizedGroupDN(source.GroupDN)
+	if !ok {
+		return ldapGroups
+	}
+
+	var searchFilter string
+	if applyGroupFilter && groupFilter != "" {
+		searchFilter = fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, source.GroupMemberUID, ldap.EscapeFilter(uid))
+	} else {
+		searchFilter = fmt.Sprintf("(%s=%s)", source.GroupMemberUID, ldap.EscapeFilter(uid))
+	}
+	result, err := l.Search(ldap.NewSearchRequest(
+		groupDN,
+		ldap.ScopeWholeSubtree,
+		ldap.NeverDerefAliases,
+		0,
+		0,
+		false,
+		searchFilter,
+		[]string{},
+		nil,
+	))
+	if err != nil {
+		log.Error("Failed group search in LDAP with filter [%s]: %v", searchFilter, err)
+		return ldapGroups
+	}
+
+	for _, entry := range result.Entries {
+		if entry.DN == "" {
+			log.Error("LDAP search was successful, but found no DN!")
+			continue
+		}
+		ldapGroups.Add(entry.DN)
+	}
+
+	return ldapGroups
+}
+
+func (source *Source) getUserAttributeListedInGroup(entry *ldap.Entry) string {
+	if strings.ToLower(source.UserUID) == "dn" {
+		return entry.DN
+	}
+
+	return entry.GetAttributeValue(source.UserUID)
+}
+
+// SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
+func (source *Source) SearchEntry(name, passwd string, directBind bool) *SearchResult {
+	// See https://tools.ietf.org/search/rfc4513#section-5.1.2
+	if len(passwd) == 0 {
+		log.Debug("Auth. failed for %s, password cannot be empty", name)
+		return nil
+	}
+	l, err := dial(source)
+	if err != nil {
+		log.Error("LDAP Connect error, %s:%v", source.Host, err)
+		source.Enabled = false
+		return nil
+	}
+	defer l.Close()
+
+	var userDN string
+	if directBind {
+		log.Trace("LDAP will bind directly via UserDN template: %s", source.UserDN)
+
+		var ok bool
+		userDN, ok = source.sanitizedUserDN(name)
+
+		if !ok {
+			return nil
+		}
+
+		err = bindUser(l, userDN, passwd)
+		if err != nil {
+			return nil
+		}
+
+		if source.UserBase != "" {
+			// not everyone has a CN compatible with input name so we need to find
+			// the real userDN in that case
+
+			userDN, ok = source.findUserDN(l, name)
+			if !ok {
+				return nil
+			}
+		}
+	} else {
+		log.Trace("LDAP will use BindDN.")
+
+		var found bool
+
+		if source.BindDN != "" && source.BindPassword != "" {
+			err := l.Bind(source.BindDN, source.BindPassword)
+			if err != nil {
+				log.Debug("Failed to bind as BindDN[%s]: %v", source.BindDN, err)
+				return nil
+			}
+			log.Trace("Bound as BindDN %s", source.BindDN)
+		} else {
+			log.Trace("Proceeding with anonymous LDAP search.")
+		}
+
+		userDN, found = source.findUserDN(l, name)
+		if !found {
+			return nil
+		}
+	}
+
+	if !source.AttributesInBind {
+		// binds user (checking password) before looking-up attributes in user context
+		err = bindUser(l, userDN, passwd)
+		if err != nil {
+			return nil
+		}
+	}
+
+	userFilter, ok := source.sanitizedUserQuery(name)
+	if !ok {
+		return nil
+	}
+
+	isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0
+	isAtributeAvatarSet := len(strings.TrimSpace(source.AttributeAvatar)) > 0
+
+	attribs := []string{source.AttributeUsername, source.AttributeName, source.AttributeSurname, source.AttributeMail}
+	if len(strings.TrimSpace(source.UserUID)) > 0 {
+		attribs = append(attribs, source.UserUID)
+	}
+	if isAttributeSSHPublicKeySet {
+		attribs = append(attribs, source.AttributeSSHPublicKey)
+	}
+	if isAtributeAvatarSet {
+		attribs = append(attribs, source.AttributeAvatar)
+	}
+
+	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v', '%v' with filter '%s' and base '%s'", source.AttributeUsername, source.AttributeName, source.AttributeSurname, source.AttributeMail, source.AttributeSSHPublicKey, source.AttributeAvatar, source.UserUID, userFilter, userDN)
+	search := ldap.NewSearchRequest(
+		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
+		attribs, nil)
+
+	sr, err := l.Search(search)
+	if err != nil {
+		log.Error("LDAP Search failed unexpectedly! (%v)", err)
+		return nil
+	} else if len(sr.Entries) < 1 {
+		if directBind {
+			log.Trace("User filter inhibited user login.")
+		} else {
+			log.Trace("LDAP Search found no matching entries.")
+		}
+
+		return nil
+	}
+
+	var sshPublicKey []string
+	var Avatar []byte
+
+	username := sr.Entries[0].GetAttributeValue(source.AttributeUsername)
+	firstname := sr.Entries[0].GetAttributeValue(source.AttributeName)
+	surname := sr.Entries[0].GetAttributeValue(source.AttributeSurname)
+	mail := sr.Entries[0].GetAttributeValue(source.AttributeMail)
+
+	if isAttributeSSHPublicKeySet {
+		sshPublicKey = sr.Entries[0].GetAttributeValues(source.AttributeSSHPublicKey)
+	}
+
+	isAdmin := checkAdmin(l, source, userDN)
+
+	var isRestricted bool
+	if !isAdmin {
+		isRestricted = checkRestricted(l, source, userDN)
+	}
+
+	if isAtributeAvatarSet {
+		Avatar = sr.Entries[0].GetRawAttributeValue(source.AttributeAvatar)
+	}
+
+	// Check group membership
+	var usersLdapGroups container.Set[string]
+	if source.GroupsEnabled {
+		userAttributeListedInGroup := source.getUserAttributeListedInGroup(sr.Entries[0])
+		usersLdapGroups = source.listLdapGroupMemberships(l, userAttributeListedInGroup, true)
+
+		if source.GroupFilter != "" && len(usersLdapGroups) == 0 {
+			return nil
+		}
+	}
+
+	if !directBind && source.AttributesInBind {
+		// binds user (checking password) after looking-up attributes in BindDN context
+		err = bindUser(l, userDN, passwd)
+		if err != nil {
+			return nil
+		}
+	}
+
+	return &SearchResult{
+		LowerName:    strings.ToLower(username),
+		Username:     username,
+		Name:         firstname,
+		Surname:      surname,
+		Mail:         mail,
+		SSHPublicKey: sshPublicKey,
+		IsAdmin:      isAdmin,
+		IsRestricted: isRestricted,
+		Avatar:       Avatar,
+		Groups:       usersLdapGroups,
+	}
+}
+
+// UsePagedSearch returns if need to use paged search
+func (source *Source) UsePagedSearch() bool {
+	return source.SearchPageSize > 0
+}
+
+// SearchEntries : search an LDAP source for all users matching userFilter
+func (source *Source) SearchEntries() ([]*SearchResult, error) {
+	l, err := dial(source)
+	if err != nil {
+		log.Error("LDAP Connect error, %s:%v", source.Host, err)
+		source.Enabled = false
+		return nil, err
+	}
+	defer l.Close()
+
+	if source.BindDN != "" && source.BindPassword != "" {
+		err := l.Bind(source.BindDN, source.BindPassword)
+		if err != nil {
+			log.Debug("Failed to bind as BindDN[%s]: %v", source.BindDN, err)
+			return nil, err
+		}
+		log.Trace("Bound as BindDN %s", source.BindDN)
+	} else {
+		log.Trace("Proceeding with anonymous LDAP search.")
+	}
+
+	userFilter := fmt.Sprintf(source.Filter, "*")
+
+	isAttributeSSHPublicKeySet := len(strings.TrimSpace(source.AttributeSSHPublicKey)) > 0
+	isAtributeAvatarSet := len(strings.TrimSpace(source.AttributeAvatar)) > 0
+
+	attribs := []string{source.AttributeUsername, source.AttributeName, source.AttributeSurname, source.AttributeMail, source.UserUID}
+	if isAttributeSSHPublicKeySet {
+		attribs = append(attribs, source.AttributeSSHPublicKey)
+	}
+	if isAtributeAvatarSet {
+		attribs = append(attribs, source.AttributeAvatar)
+	}
+
+	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", source.AttributeUsername, source.AttributeName, source.AttributeSurname, source.AttributeMail, source.AttributeSSHPublicKey, source.AttributeAvatar, userFilter, source.UserBase)
+	search := ldap.NewSearchRequest(
+		source.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
+		attribs, nil)
+
+	var sr *ldap.SearchResult
+	if source.UsePagedSearch() {
+		sr, err = l.SearchWithPaging(search, source.SearchPageSize)
+	} else {
+		sr, err = l.Search(search)
+	}
+	if err != nil {
+		log.Error("LDAP Search failed unexpectedly! (%v)", err)
+		return nil, err
+	}
+
+	result := make([]*SearchResult, 0, len(sr.Entries))
+
+	for _, v := range sr.Entries {
+		var usersLdapGroups container.Set[string]
+		if source.GroupsEnabled {
+			userAttributeListedInGroup := source.getUserAttributeListedInGroup(v)
+
+			if source.GroupFilter != "" {
+				usersLdapGroups = source.listLdapGroupMemberships(l, userAttributeListedInGroup, true)
+				if len(usersLdapGroups) == 0 {
+					continue
+				}
+			}
+
+			if source.GroupTeamMap != "" || source.GroupTeamMapRemoval {
+				usersLdapGroups = source.listLdapGroupMemberships(l, userAttributeListedInGroup, false)
+			}
+		}
+
+		user := &SearchResult{
+			Username: v.GetAttributeValue(source.AttributeUsername),
+			Name:     v.GetAttributeValue(source.AttributeName),
+			Surname:  v.GetAttributeValue(source.AttributeSurname),
+			Mail:     v.GetAttributeValue(source.AttributeMail),
+			IsAdmin:  checkAdmin(l, source, v.DN),
+			Groups:   usersLdapGroups,
+		}
+
+		if !user.IsAdmin {
+			user.IsRestricted = checkRestricted(l, source, v.DN)
+		}
+
+		if isAttributeSSHPublicKeySet {
+			user.SSHPublicKey = v.GetAttributeValues(source.AttributeSSHPublicKey)
+		}
+
+		if isAtributeAvatarSet {
+			user.Avatar = v.GetRawAttributeValue(source.AttributeAvatar)
+		}
+
+		user.LowerName = strings.ToLower(user.Username)
+
+		result = append(result, user)
+	}
+
+	return result, nil
+}