|
| 1 | +package api |
| 2 | + |
| 3 | +import ( |
| 4 | + "crypto/tls" |
| 5 | + "fmt" |
| 6 | + "strings" |
| 7 | + |
| 8 | + "github.com/gin-contrib/sessions" |
| 9 | + "github.com/gin-gonic/gin" |
| 10 | + "github.com/go-ldap/ldap/v3" |
| 11 | +) |
| 12 | + |
| 13 | +func Authorize(username string, password string) (ok bool) { |
| 14 | + config := context.Config() |
| 15 | + |
| 16 | + if config.Auth.Type != "" { |
| 17 | + switch strings.ToLower(config.Auth.Type) { |
| 18 | + case "ldap": |
| 19 | + ok = doLdapAuth(username, password) |
| 20 | + default: |
| 21 | + return false |
| 22 | + } |
| 23 | + if ok != true { |
| 24 | + return false |
| 25 | + } |
| 26 | + } |
| 27 | + return true |
| 28 | +} |
| 29 | + |
| 30 | +func doLdapAuth(username string, password string) bool { |
| 31 | + config := context.Config() |
| 32 | + attributes := []string{"DN", "CN"} |
| 33 | + |
| 34 | + server := config.Auth.Server |
| 35 | + dn := config.Auth.LdapDN |
| 36 | + filter := fmt.Sprintf(config.Auth.LdapFilter, username) |
| 37 | + |
| 38 | + // connect to ldap server |
| 39 | + conn, err := ldap.Dial("tcp", server) |
| 40 | + if err != nil { |
| 41 | + return false |
| 42 | + } |
| 43 | + defer conn.Close() |
| 44 | + |
| 45 | + // reconnect via tls |
| 46 | + err = conn.StartTLS(&tls.Config{InsecureSkipVerify: config.Auth.SecureTLS}) |
| 47 | + if err != nil { |
| 48 | + return false |
| 49 | + } |
| 50 | + |
| 51 | + // format our request and then fire it off |
| 52 | + request := ldap.NewSearchRequest(dn, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, attributes, nil) |
| 53 | + search, err := conn.Search(request) |
| 54 | + if err != nil { |
| 55 | + return false |
| 56 | + } |
| 57 | + // get our modified dn and then check our user for auth |
| 58 | + udn := search.Entries[0].DN |
| 59 | + err = conn.Bind(udn, password) |
| 60 | + if err != nil { |
| 61 | + return false |
| 62 | + } |
| 63 | + return true |
| 64 | +} |
| 65 | + |
| 66 | +func getGroups(c *gin.Context, username string) { |
| 67 | + |
| 68 | + var groups []string |
| 69 | + config := context.Config() |
| 70 | + dn := fmt.Sprintf("%s", config.Auth.LdapDN) |
| 71 | + session := sessions.Default(c) |
| 72 | + // connect to ldap server |
| 73 | + server := fmt.Sprintf("%s", config.Auth.Server) |
| 74 | + conn, err := ldap.Dial("tcp", server) |
| 75 | + if err != nil { |
| 76 | + return |
| 77 | + } |
| 78 | + // reconnect via tls |
| 79 | + err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true}) |
| 80 | + if err != nil { |
| 81 | + return |
| 82 | + } |
| 83 | + filter := fmt.Sprintf("(|(member=uid=%s,ou=people,dc=llnw,dc=com)(member=uid=%s,ou=people,dc=llnw,dc=com))", username, username) |
| 84 | + request := ldap.NewSearchRequest(dn, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"dn", "cn"}, nil) |
| 85 | + search, err := conn.Search(request) |
| 86 | + if err != nil { |
| 87 | + return |
| 88 | + } |
| 89 | + if len(search.Entries) < 1 { |
| 90 | + return |
| 91 | + } |
| 92 | + for _, v := range search.Entries { |
| 93 | + value := strings.Split(strings.TrimLeft(v.DN, "cn="), ",")[0] |
| 94 | + groups = append(groups, fmt.Sprintf("%s,", value)) |
| 95 | + } |
| 96 | + session.Set("Groups", groups) |
| 97 | + return |
| 98 | +} |
| 99 | + |
| 100 | +func checkGroup(c *gin.Context, ldgroup string) bool { |
| 101 | + session := sessions.Default(c) |
| 102 | + groups := session.Get("Groups") |
| 103 | + if ldgroup == "" { |
| 104 | + return true |
| 105 | + } |
| 106 | + for _, v := range groups.([]string) { |
| 107 | + if strings.Contains(v, ldgroup) { |
| 108 | + return true |
| 109 | + } |
| 110 | + } |
| 111 | + return false |
| 112 | +} |
| 113 | + |
| 114 | +func CheckGroup(c *gin.Context, ldgroup string) (err error) { |
| 115 | + if !checkGroup(c, ldgroup) { |
| 116 | + err = fmt.Errorf("Authorisation Failred") |
| 117 | + } |
| 118 | + return err |
| 119 | +} |
0 commit comments