2022-10-08 18:52:11 +02:00
|
|
|
// Go Ldap Api
|
|
|
|
// Copyright (c) 2022 yo000 <johan@nosd.in>
|
|
|
|
//
|
|
|
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
|
|
|
"os"
|
|
|
|
"fmt"
|
|
|
|
"flag"
|
|
|
|
"time"
|
|
|
|
"strings"
|
2022-11-11 13:00:57 +01:00
|
|
|
"net/http"
|
2022-10-08 18:52:11 +02:00
|
|
|
"encoding/json"
|
|
|
|
|
|
|
|
"github.com/spf13/viper"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
"github.com/go-ldap/ldap/v3"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2022-11-11 13:00:57 +01:00
|
|
|
gVersion = "0.5.1"
|
2022-10-08 18:52:11 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
func marshalResultToText(res *ldap.SearchResult, delimiter string, showValueName, showDN bool) string {
|
|
|
|
var txtRes string
|
|
|
|
for _, e := range res.Entries {
|
|
|
|
if showDN {
|
|
|
|
if showValueName {
|
|
|
|
txtRes = fmt.Sprintf("%s%s\n", txtRes, e.DN)
|
|
|
|
} else {
|
|
|
|
txtRes = fmt.Sprintf("%sdn%s%s\n", txtRes, delimiter, e.DN)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, a := range e.Attributes {
|
|
|
|
for _, v := range a.Values {
|
|
|
|
if showValueName {
|
|
|
|
txtRes = fmt.Sprintf("%s%s\n", txtRes, v)
|
|
|
|
} else {
|
|
|
|
txtRes = fmt.Sprintf("%s%s%s%s\n", txtRes, a.Name, delimiter, v)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// No DN = No linefeed between entries
|
|
|
|
if showDN {
|
|
|
|
txtRes = fmt.Sprintf("%s\n", txtRes)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return txtRes
|
|
|
|
}
|
|
|
|
|
|
|
|
func sendResponse(c *gin.Context, res *ldap.SearchResult, format string) {
|
|
|
|
// 404 Not found
|
|
|
|
if len(res.Entries) == 0 {
|
|
|
|
if strings.EqualFold(format, "json") {
|
2022-11-11 13:00:57 +01:00
|
|
|
c.JSON(http.StatusNotFound, gin.H{"error": "No result"})
|
2022-10-08 18:52:11 +02:00
|
|
|
} else {
|
2022-11-11 13:00:57 +01:00
|
|
|
c.String(http.StatusNotFound, "No result")
|
2022-10-08 18:52:11 +02:00
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
log.Debugf("Got %d results", len(res.Entries))
|
|
|
|
|
|
|
|
if strings.EqualFold(format, "json") {
|
|
|
|
jsonRes, err := json.Marshal(res.Entries)
|
|
|
|
if err != nil {
|
|
|
|
log.Errorf("Error marshalling result to json: %v", err)
|
|
|
|
}
|
|
|
|
log.Debugf("%v\n", string(jsonRes))
|
2022-11-11 13:00:57 +01:00
|
|
|
c.String(http.StatusOK, string(jsonRes))
|
2022-10-08 18:52:11 +02:00
|
|
|
|
|
|
|
} else if strings.EqualFold(format, "text") {
|
|
|
|
txtRes := marshalResultToText(res, "=", false, true)
|
|
|
|
log.Debugf("%v\n", string(txtRes))
|
2022-11-11 13:00:57 +01:00
|
|
|
c.String(http.StatusOK, string(txtRes))
|
2022-10-08 18:52:11 +02:00
|
|
|
|
|
|
|
} else if strings.EqualFold(format, "ldif") {
|
|
|
|
txtRes := marshalResultToText(res, ": ", false, true)
|
|
|
|
log.Debugf("%v\n", string(txtRes))
|
2022-11-11 13:00:57 +01:00
|
|
|
c.String(http.StatusOK, string(txtRes))
|
2022-10-08 18:52:11 +02:00
|
|
|
|
|
|
|
} else if strings.EqualFold(format, "textvalue") {
|
|
|
|
txtRes := marshalResultToText(res, "", true, true)
|
|
|
|
log.Debugf("%v\n", string(txtRes))
|
2022-11-11 13:00:57 +01:00
|
|
|
c.String(http.StatusOK, string(txtRes))
|
2022-10-08 18:52:11 +02:00
|
|
|
|
|
|
|
} else if strings.EqualFold(format, "textvalue-nodn") {
|
|
|
|
txtRes := marshalResultToText(res, "", true, false)
|
|
|
|
log.Debugf("%v\n", string(txtRes))
|
2022-11-11 13:00:57 +01:00
|
|
|
c.String(http.StatusOK, string(txtRes))
|
2022-10-08 18:52:11 +02:00
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func checkIfModifiedSince(c *gin.Context, myldap *MyLdap, baseDn, cn, class, attributes string) (bool, error) {
|
|
|
|
|
|
|
|
// FIXME: We need to cache the last result, because if an item is deleted from LDAP we won't see it and
|
|
|
|
// we will return 304. So deletions will never make their way to Rspamd
|
|
|
|
// For now, lets always return "Modified"
|
|
|
|
return true, nil
|
|
|
|
|
|
|
|
if len(c.Request.Header["If-Modified-Since"]) > 0 {
|
|
|
|
t := strings.Replace(c.Request.Header["If-Modified-Since"][0], "GMT", "+0000", 1)
|
|
|
|
ifModifiedSince, _ := time.Parse(time.RFC1123Z, t)
|
|
|
|
|
|
|
|
log.Debugf("ifModifiedSince: %s", ifModifiedSince)
|
|
|
|
|
|
|
|
res, err := doLdapSearch(myldap, baseDn, cn, class, "modifyTimestamp")
|
|
|
|
if err != nil {
|
|
|
|
log.Errorf("Error searching modifyTimestamp for %s in %s : %v", cn, baseDn, err)
|
|
|
|
return true, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// modifyTimestamp format
|
|
|
|
mtFmt := "20060102150405Z"
|
|
|
|
// Compare each object timestamp
|
|
|
|
hasNewer := false
|
|
|
|
for _, e := range res.Entries {
|
|
|
|
for _, a := range e.Attributes {
|
|
|
|
if strings.EqualFold(a.Name, "modifyTimestamp") {
|
|
|
|
mt, _ := time.Parse(mtFmt, a.Values[0])
|
|
|
|
log.Debugf("%s modifyTimestamp: %s", e.DN, mt)
|
|
|
|
if mt.Unix() > ifModifiedSince.Unix() {
|
|
|
|
log.Debugf("%s is newer than %s: %s", e.DN, ifModifiedSince, mt)
|
|
|
|
hasNewer = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if hasNewer {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if false == hasNewer {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Basic Authentication handler
|
|
|
|
// TODO: Where to store accounts?
|
|
|
|
func basicAuth(c *gin.Context) {
|
|
|
|
user, password, hasAuth := c.Request.BasicAuth()
|
|
|
|
if hasAuth && user == "admin" && password == "admin" {
|
|
|
|
log.Infof("[%s]: User %s successfully authenticated", c.Request.RemoteAddr, user)
|
|
|
|
} else {
|
2022-11-11 13:00:57 +01:00
|
|
|
c.AbortWithStatus(http.StatusUnauthorized)
|
2022-10-08 18:52:11 +02:00
|
|
|
c.Writer.Header().Set("WWW-Authenticate", "Basic realm=Restricted")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func initRouter(r *gin.Engine, myldap *MyLdap) {
|
|
|
|
r.GET("/ping", func(c *gin.Context) {
|
2022-11-11 13:00:57 +01:00
|
|
|
c.JSON(http.StatusOK, gin.H{
|
2022-10-08 18:52:11 +02:00
|
|
|
"message": "pong",
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
// All following routes need authentication
|
|
|
|
r.GET("/:ou/:cn/:class", basicAuth, func(c *gin.Context) {
|
|
|
|
ou := c.Param("ou")
|
|
|
|
cn := c.Param("cn")
|
|
|
|
class := c.Param("class")
|
|
|
|
|
|
|
|
// json format is the default
|
|
|
|
format := c.DefaultQuery("format", "json")
|
|
|
|
log.Printf("Format : %s", format)
|
|
|
|
|
|
|
|
res, err := doLdapSearch(myldap, ou, cn, class, "ALL")
|
|
|
|
|
|
|
|
// If OU does not exist, we'll get err='LDAP Result Code 32 "No Such Object"'
|
|
|
|
if err != nil {
|
|
|
|
log.Errorf("Error searching %s in %s : %v", cn, ou, err)
|
2022-11-11 13:00:57 +01:00
|
|
|
c.AbortWithError(http.StatusInternalServerError, err)
|
2022-10-08 18:52:11 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
sendResponse(c, res, format)
|
|
|
|
return
|
|
|
|
})
|
|
|
|
|
|
|
|
r.HEAD("/:ou/:cn/:class", basicAuth, func(c *gin.Context) {
|
|
|
|
ou := c.Param("ou")
|
|
|
|
cn := c.Param("cn")
|
|
|
|
class := c.Param("class")
|
|
|
|
|
|
|
|
format := c.DefaultQuery("format", "json")
|
|
|
|
log.Printf("Format : %s", format)
|
|
|
|
|
|
|
|
modified, err := checkIfModifiedSince(c, myldap, ou, cn, class, "ALL")
|
|
|
|
if err != nil {
|
2022-11-11 13:00:57 +01:00
|
|
|
c.AbortWithError(http.StatusInternalServerError, err)
|
2022-10-08 18:52:11 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if modified {
|
|
|
|
res, err := doLdapSearch(myldap, ou, cn, class, "ALL")
|
|
|
|
if err != nil {
|
|
|
|
log.Errorf("Error searching %s in %s : %v", cn, ou, err)
|
2022-11-11 13:00:57 +01:00
|
|
|
c.AbortWithError(http.StatusInternalServerError, err)
|
2022-10-08 18:52:11 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
sendResponse(c, res, format)
|
|
|
|
} else {
|
2022-11-11 13:00:57 +01:00
|
|
|
c.String(http.StatusNotModified, "")
|
2022-10-08 18:52:11 +02:00
|
|
|
}
|
|
|
|
return
|
|
|
|
})
|
|
|
|
|
|
|
|
r.GET("/:ou/:cn/:class/:attribute", basicAuth, func(c *gin.Context) {
|
|
|
|
ou := c.Param("ou")
|
|
|
|
cn := c.Param("cn")
|
|
|
|
attr := c.Param("attribute")
|
|
|
|
class := c.Param("class")
|
|
|
|
|
|
|
|
format := c.DefaultQuery("format", "json")
|
|
|
|
log.Printf("Format : %s", format)
|
|
|
|
|
|
|
|
res, err := doLdapSearch(myldap, ou, cn, class, attr)
|
|
|
|
if err != nil {
|
|
|
|
log.Errorf("Error searching %s in %s : %v", cn, ou, err)
|
2022-11-11 13:00:57 +01:00
|
|
|
c.AbortWithError(http.StatusInternalServerError, err)
|
2022-10-08 18:52:11 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
sendResponse(c, res, format)
|
|
|
|
return
|
|
|
|
})
|
|
|
|
|
|
|
|
r.HEAD("/:ou/:cn/:class/:attribute", basicAuth, func(c *gin.Context) {
|
|
|
|
ou := c.Param("ou")
|
|
|
|
cn := c.Param("cn")
|
|
|
|
attr := c.Param("attribute")
|
|
|
|
class := c.Param("class")
|
|
|
|
|
|
|
|
format := c.DefaultQuery("format", "json")
|
|
|
|
log.Printf("Format : %s", format)
|
|
|
|
|
|
|
|
modified, err := checkIfModifiedSince(c, myldap, ou, cn, class, attr)
|
|
|
|
if err != nil {
|
2022-11-11 13:00:57 +01:00
|
|
|
c.AbortWithError(http.StatusInternalServerError, err)
|
2022-10-08 18:52:11 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if modified {
|
|
|
|
res, err := doLdapSearch(myldap, ou, cn, class, attr)
|
|
|
|
if err != nil {
|
|
|
|
log.Errorf("Error searching %s in %s : %v", cn, ou, err)
|
2022-11-11 13:00:57 +01:00
|
|
|
c.AbortWithError(http.StatusInternalServerError, err)
|
2022-10-08 18:52:11 +02:00
|
|
|
return
|
|
|
|
}
|
|
|
|
sendResponse(c, res, format)
|
|
|
|
} else {
|
2022-11-11 13:00:57 +01:00
|
|
|
c.String(http.StatusNotModified, "")
|
2022-10-08 18:52:11 +02:00
|
|
|
}
|
|
|
|
return
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
var confFile string
|
|
|
|
var listen string
|
|
|
|
var ldapHost string
|
|
|
|
var ldapUser string
|
|
|
|
var ldapPass string
|
|
|
|
var ldapBaseDN string
|
2022-10-09 09:16:23 +02:00
|
|
|
var tlsPrivKey string
|
|
|
|
var tlsCert string
|
|
|
|
var doTls bool
|
2022-10-08 18:52:11 +02:00
|
|
|
var debug bool
|
|
|
|
|
|
|
|
flag.StringVar(&confFile, "config", "", "Path to the config file (optional)")
|
|
|
|
flag.StringVar(&listen, "listen-addr", "0.0.0.0:8080", "listen address for server")
|
|
|
|
flag.StringVar(&ldapHost, "ldap-host", "", "ldap host to connect to")
|
|
|
|
flag.StringVar(&ldapUser, "ldap-user", "", "ldap username")
|
|
|
|
flag.StringVar(&ldapPass, "ldap-pass", "", "ldap password")
|
|
|
|
flag.StringVar(&ldapBaseDN, "ldap-base-dn", "", "ldap base DN")
|
2022-10-09 09:16:23 +02:00
|
|
|
flag.BoolVar(&doTls, "https", false, "Serve over TLS")
|
|
|
|
flag.StringVar(&tlsPrivKey, "ssl-private-key", "", "SSL Private key")
|
|
|
|
flag.StringVar(&tlsCert, "ssl-certificate", "", "SSL certificate (PEM format)")
|
2022-10-08 18:52:11 +02:00
|
|
|
flag.BoolVar(&debug, "debug", false, "Set log level to debug")
|
|
|
|
|
|
|
|
flag.Parse()
|
|
|
|
|
|
|
|
if len(confFile) > 0 {
|
|
|
|
viper.SetConfigFile(confFile)
|
|
|
|
if err := viper.ReadInConfig(); err != nil {
|
|
|
|
log.Fatalf("Could not open config file: %v", err)
|
|
|
|
os.Exit(1)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if strings.EqualFold(listen, "0.0.0.0:8080") && len(confFile) > 0 {
|
|
|
|
l := viper.GetString("LISTEN")
|
|
|
|
if len(l) > 0 {
|
|
|
|
listen = l
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(ldapHost) == 0 {
|
|
|
|
l := viper.GetString("LDAP_HOST")
|
|
|
|
if len(l) > 0 {
|
|
|
|
ldapHost = l
|
|
|
|
} else {
|
|
|
|
log.Fatal("No ldap-host defined!")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(ldapUser) == 0 {
|
|
|
|
l := viper.GetString("LDAP_USER")
|
|
|
|
if len(l) > 0 {
|
|
|
|
ldapUser = l
|
|
|
|
} else {
|
|
|
|
log.Fatal("No ldap-user defined!")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(ldapPass) == 0 {
|
|
|
|
l := viper.GetString("LDAP_PASS")
|
|
|
|
if len(l) > 0 {
|
|
|
|
ldapPass = l
|
|
|
|
} else {
|
|
|
|
log.Fatal("No ldap-pass defined!")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(ldapBaseDN) == 0 {
|
|
|
|
l := viper.GetString("LDAP_BASE_DN")
|
|
|
|
if len(l) > 0 {
|
|
|
|
ldapBaseDN = l
|
|
|
|
} else {
|
|
|
|
log.Fatal("No ldap-base-dn defined!")
|
|
|
|
}
|
|
|
|
}
|
2022-10-09 09:16:23 +02:00
|
|
|
if false == doTls {
|
2022-11-11 13:00:57 +01:00
|
|
|
doTls = viper.GetBool("HTTPS")
|
2022-10-09 09:16:23 +02:00
|
|
|
}
|
|
|
|
if doTls && len(tlsCert) == 0 {
|
|
|
|
l := viper.GetString("SSL_CERTIFICATE")
|
|
|
|
if len(l) > 0 {
|
|
|
|
tlsCert = l
|
|
|
|
} else {
|
|
|
|
log.Fatal("SSL certificate must be set to use https!")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if doTls && len(tlsPrivKey) == 0 {
|
|
|
|
l := viper.GetString("SSL_PRIVATE_KEY")
|
|
|
|
if len(l) > 0 {
|
|
|
|
tlsPrivKey = l
|
|
|
|
} else {
|
|
|
|
log.Fatal("SSL private key must be set to use https!")
|
|
|
|
}
|
|
|
|
}
|
2022-10-08 18:52:11 +02:00
|
|
|
|
|
|
|
log.Println("Starting Go Ldap API v.", gVersion)
|
|
|
|
if debug {
|
|
|
|
log.SetLevel(log.DebugLevel)
|
|
|
|
}
|
|
|
|
|
|
|
|
r := gin.Default()
|
|
|
|
|
|
|
|
ldap := MyLdap{Host: ldapHost, User: ldapUser, Pass: ldapPass, BaseDN: ldapBaseDN}
|
|
|
|
|
|
|
|
initRouter(r, &ldap)
|
|
|
|
|
2022-10-09 09:16:23 +02:00
|
|
|
if doTls {
|
|
|
|
r.RunTLS(listen, tlsCert, tlsPrivKey)
|
|
|
|
} else {
|
|
|
|
r.Run(listen)
|
|
|
|
}
|
2022-10-08 18:52:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|