mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-06 04:01:05 +09:00
89a49de0fd
| go | from | to | | --- | --- | --- | | connectrpc.com/connect | `1.19.1 ` | `1.19.2` | | github.com/Azure/go-ntlmssp | `0.1.0` | `0.1.1` | | github.com/alecthomas/chroma/v2 | `2.23.1` | `2.24.1` | | github.com/aws/aws-sdk-go-v2/credentials | `1.19.15` | `1.19.16` | | github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.13` | `1.33.14` | | github.com/blevesearch/bleve/v2 | `2.5.7` | `2.6.0` | | github.com/caddyserver/certmagic | `0.25.2` | `0.25.3` | | github.com/fsnotify/fsnotify | `1.9.0` | `1.10.1` | | github.com/getkin/kin-openapi | `0.134.0` | `0.137.0` | | github.com/go-co-op/gocron/v2 | `2.21.0` | `2.21.1` | | github.com/go-sql-driver/mysql | `1.9.3` | `1.10.0` | | github.com/go-webauthn/webauthn | `0.16.5` | `0.17.2` | | github.com/klauspost/compress | `1.18.5` | `1.18.6` | | github.com/mattn/go-isatty | `0.0.21` | `0.0.22` | | github.com/mattn/go-sqlite3 | `1.14.42` | `1.14.44` | | github.com/minio/minio-go/v7 | `7.0.100` | `7.1.0` | | github.com/redis/go-redis/v9 | `9.18.0` | `9.19.0` | | google.golang.org/grpc | `1.80.0` | `1.81.0` | | gopkg.in/ini.v1 | `1.67.1` | `1.67.2` | | js | from | to | | --- | --- | --- | | @codemirror/search | `6.6.0` | `6.7.0` | | @primer/octicons | `19.24.1` | `19.25.0` | | clippie | `4.1.14` | `4.1.15` | | easymde | `2.20.0` | `2.21.0` | | postcss | `8.5.10` | `8.5.13` | | rolldown-license-plugin | `3.0.1` | `3.0.4` | | swagger-ui-dist | `5.32.4` | `5.32.5` | | vite | `8.0.9` | `8.0.10` | | vite-string-plugin | `2.0.2` | `2.0.4` | | vue | `3.5.32` | `3.5.33` | | @typescript-eslint/parser | `8.59.0` | `8.59.1` | | eslint | `10.2.1` | `10.3.0` | | eslint-plugin-vue | `10.8.0` | `10.9.0` | | globals | `17.5.0` | `17.6.0` | | material-icon-theme | `5.33.1` | `5.34.0` | | spectral-cli-bundle | `1.0.7` | `1.0.8` | | stylelint | `17.8.0` | `17.10.0` | | typescript-eslint | `8.59.0` | `8.59.1` | | updates | `17.16.3` | `17.16.8` | | vitest | `4.1.4` | `4.1.5` | | vue-tsc | `3.2.7` | `3.2.8` | | pnpm | `10.33.0` | `10.33.2` | | py | from | to | | --- | --- | --- | | click | `8.3.2` | `8.3.3` | | pathspec | `1.0.4` | `1.1.1` | --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
527 lines
15 KiB
Go
527 lines
15 KiB
Go
// Copyright 2014 The Gogs Authors. All rights reserved.
|
|
// Copyright 2020 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package ldap
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"fmt"
|
|
"net"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"code.gitea.io/gitea/modules/container"
|
|
"code.gitea.io/gitea/modules/log"
|
|
|
|
"github.com/go-ldap/ldap/v3"
|
|
)
|
|
|
|
// SearchResult : user data
|
|
type SearchResult struct {
|
|
Username string // Username
|
|
Name string // Name
|
|
Surname string // Surname
|
|
Mail string // E-mail address
|
|
SSHPublicKey []string // SSH Public Key
|
|
IsAdmin bool // if user is administrator
|
|
IsRestricted bool // if user is restricted
|
|
LowerName string // LowerName
|
|
Avatar []byte
|
|
Groups container.Set[string]
|
|
}
|
|
|
|
func (source *Source) sanitizedUserQuery(username string) (string, bool) {
|
|
// See http://tools.ietf.org/search/rfc4515
|
|
badCharacters := "\x00()*\\"
|
|
if strings.ContainsAny(username, badCharacters) {
|
|
log.Debug("'%s' contains invalid query characters. Aborting.", username)
|
|
return "", false
|
|
}
|
|
|
|
return fmt.Sprintf(source.Filter, username), true
|
|
}
|
|
|
|
func (source *Source) sanitizedUserDN(username string) (string, bool) {
|
|
// See http://tools.ietf.org/search/rfc4514: "special characters"
|
|
badCharacters := "\x00()*\\,='\"#+;<>"
|
|
if strings.ContainsAny(username, badCharacters) {
|
|
log.Debug("'%s' contains invalid DN characters. Aborting.", username)
|
|
return "", false
|
|
}
|
|
|
|
return fmt.Sprintf(source.UserDN, username), true
|
|
}
|
|
|
|
func (source *Source) sanitizedGroupFilter(group string) (string, bool) {
|
|
// See http://tools.ietf.org/search/rfc4515
|
|
badCharacters := "\x00*\\"
|
|
if strings.ContainsAny(group, badCharacters) {
|
|
log.Trace("Group filter invalid query characters: %s", group)
|
|
return "", false
|
|
}
|
|
|
|
return group, true
|
|
}
|
|
|
|
func (source *Source) sanitizedGroupDN(groupDn string) (string, bool) {
|
|
// See http://tools.ietf.org/search/rfc4514: "special characters"
|
|
badCharacters := "\x00()*\\'\"#+;<>"
|
|
if strings.ContainsAny(groupDn, badCharacters) || strings.HasPrefix(groupDn, " ") || strings.HasSuffix(groupDn, " ") {
|
|
log.Trace("Group DN contains invalid query characters: %s", groupDn)
|
|
return "", false
|
|
}
|
|
|
|
return groupDn, true
|
|
}
|
|
|
|
func (source *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
|
|
log.Trace("Search for LDAP user: %s", name)
|
|
|
|
// A search for the user.
|
|
userFilter, ok := source.sanitizedUserQuery(name)
|
|
if !ok {
|
|
return "", false
|
|
}
|
|
|
|
log.Trace("Searching for DN using filter %s and base %s", userFilter, source.UserBase)
|
|
search := ldap.NewSearchRequest(
|
|
source.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0,
|
|
false, userFilter, []string{}, nil)
|
|
|
|
// Ensure we found a user
|
|
sr, err := l.Search(search)
|
|
if err != nil || len(sr.Entries) < 1 {
|
|
log.Debug("Failed search using filter[%s]: %v", userFilter, err)
|
|
return "", false
|
|
} else if len(sr.Entries) > 1 {
|
|
log.Debug("Filter '%s' returned more than one user.", userFilter)
|
|
return "", false
|
|
}
|
|
|
|
userDN := sr.Entries[0].DN
|
|
if userDN == "" {
|
|
log.Error("LDAP search was successful, but found no DN!")
|
|
return "", false
|
|
}
|
|
|
|
return userDN, true
|
|
}
|
|
|
|
func dial(source *Source) (*ldap.Conn, error) {
|
|
log.Trace("Dialing LDAP with security protocol (%v) without verifying: %v", source.SecurityProtocol, source.SkipVerify)
|
|
|
|
tlsConfig := &tls.Config{
|
|
ServerName: source.Host,
|
|
InsecureSkipVerify: source.SkipVerify,
|
|
}
|
|
|
|
hostPort := net.JoinHostPort(source.Host, strconv.Itoa(source.Port))
|
|
if source.SecurityProtocol == SecurityProtocolLDAPS {
|
|
return ldap.DialURL("ldaps://"+hostPort, ldap.DialWithTLSConfig(tlsConfig))
|
|
}
|
|
|
|
conn, err := ldap.DialURL("ldap://" + hostPort)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error during Dial: %w", err)
|
|
}
|
|
|
|
if source.SecurityProtocol == SecurityProtocolStartTLS {
|
|
if err = conn.StartTLS(tlsConfig); err != nil {
|
|
conn.Close()
|
|
return nil, fmt.Errorf("error during StartTLS: %w", err)
|
|
}
|
|
}
|
|
|
|
return conn, nil
|
|
}
|
|
|
|
func bindUser(l *ldap.Conn, userDN, passwd string) error {
|
|
log.Trace("Binding with userDN: %s", userDN)
|
|
err := l.Bind(userDN, passwd)
|
|
if err != nil {
|
|
log.Debug("LDAP auth. failed for %s, reason: %v", userDN, err)
|
|
return err
|
|
}
|
|
log.Trace("Bound successfully with userDN: %s", userDN)
|
|
return err
|
|
}
|
|
|
|
func checkAdmin(l *ldap.Conn, ls *Source, userDN string) bool {
|
|
if ls.AdminFilter == "" {
|
|
return false
|
|
}
|
|
log.Trace("Checking admin with filter %s and base %s", ls.AdminFilter, userDN)
|
|
search := ldap.NewSearchRequest(
|
|
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.AdminFilter,
|
|
[]string{ls.AttributeName},
|
|
nil)
|
|
|
|
sr, err := l.Search(search)
|
|
|
|
if err != nil {
|
|
log.Error("LDAP Admin Search with filter %s for %s failed unexpectedly! (%v)", ls.AdminFilter, userDN, err)
|
|
} else if len(sr.Entries) < 1 {
|
|
log.Trace("LDAP Admin Search found no matching entries.")
|
|
} else {
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
func checkRestricted(l *ldap.Conn, ls *Source, userDN string) bool {
|
|
if ls.RestrictedFilter == "" {
|
|
return false
|
|
}
|
|
if ls.RestrictedFilter == "*" {
|
|
return true
|
|
}
|
|
log.Trace("Checking restricted with filter %s and base %s", ls.RestrictedFilter, userDN)
|
|
search := ldap.NewSearchRequest(
|
|
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, ls.RestrictedFilter,
|
|
[]string{ls.AttributeName},
|
|
nil)
|
|
|
|
sr, err := l.Search(search)
|
|
|
|
if err != nil {
|
|
log.Error("LDAP Restrictred Search with filter %s for %s failed unexpectedly! (%v)", ls.RestrictedFilter, userDN, err)
|
|
} else if len(sr.Entries) < 1 {
|
|
log.Trace("LDAP Restricted Search found no matching entries.")
|
|
} else {
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// List all group memberships of a user
|
|
func (source *Source) listLdapGroupMemberships(l *ldap.Conn, uid string, applyGroupFilter bool) container.Set[string] {
|
|
ldapGroups := make(container.Set[string])
|
|
|
|
groupFilter, ok := source.sanitizedGroupFilter(source.GroupFilter)
|
|
if !ok {
|
|
return ldapGroups
|
|
}
|
|
|
|
groupDN, ok := source.sanitizedGroupDN(source.GroupDN)
|
|
if !ok {
|
|
return ldapGroups
|
|
}
|
|
|
|
var searchFilter string
|
|
if applyGroupFilter && groupFilter != "" {
|
|
searchFilter = fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, source.GroupMemberUID, ldap.EscapeFilter(uid))
|
|
} else {
|
|
searchFilter = fmt.Sprintf("(%s=%s)", source.GroupMemberUID, ldap.EscapeFilter(uid))
|
|
}
|
|
result, err := l.Search(ldap.NewSearchRequest(
|
|
groupDN,
|
|
ldap.ScopeWholeSubtree,
|
|
ldap.NeverDerefAliases,
|
|
0,
|
|
0,
|
|
false,
|
|
searchFilter,
|
|
[]string{},
|
|
nil,
|
|
))
|
|
if err != nil {
|
|
log.Error("Failed group search in LDAP with filter [%s]: %v", searchFilter, err)
|
|
return ldapGroups
|
|
}
|
|
|
|
for _, entry := range result.Entries {
|
|
if entry.DN == "" {
|
|
log.Error("LDAP search was successful, but found no DN!")
|
|
continue
|
|
}
|
|
ldapGroups.Add(entry.DN)
|
|
}
|
|
|
|
return ldapGroups
|
|
}
|
|
|
|
func (source *Source) getUserAttributeListedInGroup(entry *ldap.Entry) string {
|
|
if strings.EqualFold(source.UserUID, "dn") {
|
|
return entry.DN
|
|
}
|
|
|
|
return entry.GetAttributeValue(source.UserUID)
|
|
}
|
|
|
|
// SearchEntry : search an LDAP source if an entry (name, passwd) is valid and in the specific filter
|
|
func (source *Source) SearchEntry(name, passwd string, directBind bool) *SearchResult {
|
|
if MockedSearchEntry != nil {
|
|
return MockedSearchEntry(source, name, passwd, directBind)
|
|
}
|
|
return realSearchEntry(source, name, passwd, directBind)
|
|
}
|
|
|
|
var MockedSearchEntry func(source *Source, name, passwd string, directBind bool) *SearchResult
|
|
|
|
func realSearchEntry(source *Source, name, passwd string, directBind bool) *SearchResult {
|
|
// See https://tools.ietf.org/search/rfc4513#section-5.1.2
|
|
if passwd == "" {
|
|
log.Debug("Auth. failed for %s, password cannot be empty", name)
|
|
return nil
|
|
}
|
|
l, err := dial(source)
|
|
if err != nil {
|
|
log.Error("LDAP Connect error, %s:%v", source.Host, err)
|
|
source.Enabled = false
|
|
return nil
|
|
}
|
|
defer l.Close()
|
|
|
|
var userDN string
|
|
if directBind {
|
|
log.Trace("LDAP will bind directly via UserDN template: %s", source.UserDN)
|
|
|
|
var ok bool
|
|
userDN, ok = source.sanitizedUserDN(name)
|
|
|
|
if !ok {
|
|
return nil
|
|
}
|
|
|
|
err = bindUser(l, userDN, passwd)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
|
|
if source.UserBase != "" {
|
|
// not everyone has a CN compatible with input name so we need to find
|
|
// the real userDN in that case
|
|
|
|
userDN, ok = source.findUserDN(l, name)
|
|
if !ok {
|
|
return nil
|
|
}
|
|
}
|
|
} else {
|
|
log.Trace("LDAP will use BindDN.")
|
|
|
|
var found bool
|
|
|
|
if source.BindDN != "" && source.BindPassword != "" {
|
|
err := l.Bind(source.BindDN, source.BindPassword)
|
|
if err != nil {
|
|
log.Debug("Failed to bind as BindDN[%s]: %v", source.BindDN, err)
|
|
return nil
|
|
}
|
|
log.Trace("Bound as BindDN %s", source.BindDN)
|
|
} else {
|
|
log.Trace("Proceeding with anonymous LDAP search.")
|
|
}
|
|
|
|
userDN, found = source.findUserDN(l, name)
|
|
if !found {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
if !source.AttributesInBind {
|
|
// binds user (checking password) before looking-up attributes in user context
|
|
err = bindUser(l, userDN, passwd)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
userFilter, ok := source.sanitizedUserQuery(name)
|
|
if !ok {
|
|
return nil
|
|
}
|
|
|
|
isAttributeSSHPublicKeySet := strings.TrimSpace(source.AttributeSSHPublicKey) != ""
|
|
isAttributeAvatarSet := strings.TrimSpace(source.AttributeAvatar) != ""
|
|
|
|
attribs := []string{source.AttributeUsername, source.AttributeName, source.AttributeSurname, source.AttributeMail}
|
|
if strings.TrimSpace(source.UserUID) != "" {
|
|
attribs = append(attribs, source.UserUID)
|
|
}
|
|
if isAttributeSSHPublicKeySet {
|
|
attribs = append(attribs, source.AttributeSSHPublicKey)
|
|
}
|
|
if isAttributeAvatarSet {
|
|
attribs = append(attribs, source.AttributeAvatar)
|
|
}
|
|
|
|
log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v', '%v' with filter '%s' and base '%s'", source.AttributeUsername, source.AttributeName, source.AttributeSurname, source.AttributeMail, source.AttributeSSHPublicKey, source.AttributeAvatar, source.UserUID, userFilter, userDN)
|
|
search := ldap.NewSearchRequest(
|
|
userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
|
|
attribs, nil)
|
|
|
|
sr, err := l.Search(search)
|
|
if err != nil {
|
|
log.Error("LDAP Search failed unexpectedly! (%v)", err)
|
|
return nil
|
|
} else if len(sr.Entries) < 1 {
|
|
if directBind {
|
|
log.Trace("User filter inhibited user login.")
|
|
} else {
|
|
log.Trace("LDAP Search found no matching entries.")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
var sshPublicKey []string
|
|
var Avatar []byte
|
|
|
|
username := sr.Entries[0].GetAttributeValue(source.AttributeUsername)
|
|
firstname := sr.Entries[0].GetAttributeValue(source.AttributeName)
|
|
surname := sr.Entries[0].GetAttributeValue(source.AttributeSurname)
|
|
mail := sr.Entries[0].GetAttributeValue(source.AttributeMail)
|
|
|
|
if isAttributeSSHPublicKeySet {
|
|
sshPublicKey = sr.Entries[0].GetAttributeValues(source.AttributeSSHPublicKey)
|
|
}
|
|
|
|
isAdmin := checkAdmin(l, source, userDN)
|
|
|
|
var isRestricted bool
|
|
if !isAdmin {
|
|
isRestricted = checkRestricted(l, source, userDN)
|
|
}
|
|
|
|
if isAttributeAvatarSet {
|
|
Avatar = sr.Entries[0].GetRawAttributeValue(source.AttributeAvatar)
|
|
}
|
|
|
|
// Check group membership
|
|
var usersLdapGroups container.Set[string]
|
|
if source.GroupsEnabled {
|
|
userAttributeListedInGroup := source.getUserAttributeListedInGroup(sr.Entries[0])
|
|
usersLdapGroups = source.listLdapGroupMemberships(l, userAttributeListedInGroup, true)
|
|
|
|
if source.GroupFilter != "" && len(usersLdapGroups) == 0 {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
if !directBind && source.AttributesInBind {
|
|
// binds user (checking password) after looking-up attributes in BindDN context
|
|
err = bindUser(l, userDN, passwd)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
}
|
|
|
|
return &SearchResult{
|
|
LowerName: strings.ToLower(username),
|
|
Username: username,
|
|
Name: firstname,
|
|
Surname: surname,
|
|
Mail: mail,
|
|
SSHPublicKey: sshPublicKey,
|
|
IsAdmin: isAdmin,
|
|
IsRestricted: isRestricted,
|
|
Avatar: Avatar,
|
|
Groups: usersLdapGroups,
|
|
}
|
|
}
|
|
|
|
// UsePagedSearch returns if need to use paged search
|
|
func (source *Source) UsePagedSearch() bool {
|
|
return source.SearchPageSize > 0
|
|
}
|
|
|
|
// SearchEntries : search an LDAP source for all users matching userFilter
|
|
func (source *Source) SearchEntries() ([]*SearchResult, error) {
|
|
l, err := dial(source)
|
|
if err != nil {
|
|
log.Error("LDAP Connect error, %s:%v", source.Host, err)
|
|
source.Enabled = false
|
|
return nil, err
|
|
}
|
|
defer l.Close()
|
|
|
|
if source.BindDN != "" && source.BindPassword != "" {
|
|
err := l.Bind(source.BindDN, source.BindPassword)
|
|
if err != nil {
|
|
log.Debug("Failed to bind as BindDN[%s]: %v", source.BindDN, err)
|
|
return nil, err
|
|
}
|
|
log.Trace("Bound as BindDN %s", source.BindDN)
|
|
} else {
|
|
log.Trace("Proceeding with anonymous LDAP search.")
|
|
}
|
|
|
|
userFilter := fmt.Sprintf(source.Filter, "*")
|
|
|
|
isAttributeSSHPublicKeySet := strings.TrimSpace(source.AttributeSSHPublicKey) != ""
|
|
isAttributeAvatarSet := strings.TrimSpace(source.AttributeAvatar) != ""
|
|
|
|
attribs := []string{source.AttributeUsername, source.AttributeName, source.AttributeSurname, source.AttributeMail, source.UserUID}
|
|
if isAttributeSSHPublicKeySet {
|
|
attribs = append(attribs, source.AttributeSSHPublicKey)
|
|
}
|
|
if isAttributeAvatarSet {
|
|
attribs = append(attribs, source.AttributeAvatar)
|
|
}
|
|
|
|
log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", source.AttributeUsername, source.AttributeName, source.AttributeSurname, source.AttributeMail, source.AttributeSSHPublicKey, source.AttributeAvatar, userFilter, source.UserBase)
|
|
search := ldap.NewSearchRequest(
|
|
source.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
|
|
attribs, nil)
|
|
|
|
var sr *ldap.SearchResult
|
|
if source.UsePagedSearch() {
|
|
sr, err = l.SearchWithPaging(search, source.SearchPageSize)
|
|
} else {
|
|
sr, err = l.Search(search)
|
|
}
|
|
if err != nil {
|
|
log.Error("LDAP Search failed unexpectedly! (%v)", err)
|
|
return nil, err
|
|
}
|
|
|
|
result := make([]*SearchResult, 0, len(sr.Entries))
|
|
|
|
for _, v := range sr.Entries {
|
|
var usersLdapGroups container.Set[string]
|
|
if source.GroupsEnabled {
|
|
userAttributeListedInGroup := source.getUserAttributeListedInGroup(v)
|
|
|
|
if source.GroupFilter != "" {
|
|
usersLdapGroups = source.listLdapGroupMemberships(l, userAttributeListedInGroup, true)
|
|
if len(usersLdapGroups) == 0 {
|
|
continue
|
|
}
|
|
}
|
|
|
|
if source.GroupTeamMap != "" || source.GroupTeamMapRemoval {
|
|
usersLdapGroups = source.listLdapGroupMemberships(l, userAttributeListedInGroup, false)
|
|
}
|
|
}
|
|
|
|
user := &SearchResult{
|
|
Username: v.GetAttributeValue(source.AttributeUsername),
|
|
Name: v.GetAttributeValue(source.AttributeName),
|
|
Surname: v.GetAttributeValue(source.AttributeSurname),
|
|
Mail: v.GetAttributeValue(source.AttributeMail),
|
|
IsAdmin: checkAdmin(l, source, v.DN),
|
|
Groups: usersLdapGroups,
|
|
}
|
|
|
|
if !user.IsAdmin {
|
|
user.IsRestricted = checkRestricted(l, source, v.DN)
|
|
}
|
|
|
|
if isAttributeSSHPublicKeySet {
|
|
user.SSHPublicKey = v.GetAttributeValues(source.AttributeSSHPublicKey)
|
|
}
|
|
|
|
if isAttributeAvatarSet {
|
|
user.Avatar = v.GetRawAttributeValue(source.AttributeAvatar)
|
|
}
|
|
|
|
user.LowerName = strings.ToLower(user.Username)
|
|
|
|
result = append(result, user)
|
|
}
|
|
|
|
return result, nil
|
|
}
|