ldap-proxy/internal/ldap/search.go

package ldap

import (
	"context"
	"strconv"
	"strings"

	"github.com/ps78674/goldap/message"
	ldap "github.com/ps78674/ldapserver"

	"github.com/netauth/ldap/internal/buildinfo"

	pb "github.com/netauth/protocol"
)

func (s *server) handleSearchDSE(w ldap.ResponseWriter, m *ldap.Message) {
	nc := strings.Join(s.nc, ", ")

	e := ldap.NewSearchResultEntry("")
	e.AddAttribute("vendorName", "NetAuth")
	e.AddAttribute("vendorVersion", message.AttributeValue(buildinfo.Version))
	e.AddAttribute("objectClass", "top", "extensibleObject")
	e.AddAttribute("supportedLDAPVersion", "3")
	e.AddAttribute("namingContexts", message.AttributeValue(nc))
	w.Write(e)

	res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
	w.Write(res)
}

func (s *server) handleSearchEntities(w ldap.ResponseWriter, m *ldap.Message) {
	ctx := context.Background()
	s.l.Debug("Search Entities")

	r := m.GetSearchRequest()
	expr, _, err := s.buildBleveQuery(r.Filter())
	if err != nil {
		// If err is non-nil at this point it must mean that
		// the above match didn't find a supported filter.
		s.l.Warn("Unsupported Search Filter, this is a bug, please file a report", "filter", r.Filter())
		res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultUnwillingToPerform)
		res.SetDiagnosticMessage("Filter type not supported")
		w.Write(res)
		return
	}

	s.l.Debug("Searching entities", "query", expr)

	ents, err := s.c.EntitySearch(ctx, expr)
	if err != nil {
		res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultOperationsError)
		res.SetDiagnosticMessage(err.Error())
		w.Write(res)
		return
	}

	for i := range ents {
		e, err := s.entitySearchResult(ctx, ents[i], r.BaseObject(), r.Attributes())
		if err != nil {
			res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultOperationsError)
			res.SetDiagnosticMessage(err.Error())
			w.Write(res)
			return
		}
		w.Write(e)
	}

	s.l.Debug("Entities", "res", ents)

	res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
	w.Write(res)
}

// entitySearchResult maps an entity onto a SearchResultEntry,
// performing the additional lookup for groups to populate the
// memberOf attribute.  Though not implemented, the attrs list is
// plumbed down to this level to permit attribute filtering in the
// future.
func (s *server) entitySearchResult(ctx context.Context, e *pb.Entity, dn message.LDAPDN, attrs message.AttributeSelection) (message.SearchResultEntry, error) {
	s.l.Debug("Attr selection: ", "attrs", attrs, len(attrs))
	res := ldap.NewSearchResultEntry("uid=" + e.GetID() + "," + string(dn))
	res.AddAttribute("uid", message.AttributeValue(e.GetID()))
	res.AddAttribute("uidNumber", message.AttributeValue(strconv.Itoa(int(e.GetNumber()))))

	mail, err := s.c.EntityKVGet(ctx, e.GetID(), "mail")
	//if err != nil {
	//	return res, err
	//}
	if len(mail["mail"]) > 0 {
		res.AddAttribute("mail", message.AttributeValue(mail["mail"][0]))
	}

	grps, err := s.c.EntityGroups(ctx, e.GetID())
	if err != nil {
		return res, err
	}

	memberOf := []message.AttributeValue{}
	for i := range grps {
		g := "cn=" + grps[i].GetName() + ",ou=groups," + strings.Join(s.nc, ",")
		memberOf = append(memberOf, message.AttributeValue(g))
	}
	res.AddAttribute("memberOf", memberOf...)

        entitySearchDN := "uid=" + e.GetID() + ",ou=entities," + strings.Join(s.nc, ",")
	s.routes.Search(s.handleSearchEntities).
		BaseDn(entitySearchDN).
		Scope(ldap.SearchRequestHomeSubtree).
		Label("Search - Entities (" + e.GetID() + ")")

	return res, nil
}

func (s *server) handleSearchGroups(w ldap.ResponseWriter, m *ldap.Message) {
	ctx := context.Background()
	s.l.Debug("Search Groups")

	r := m.GetSearchRequest()

	expr, exprAnd, err := s.buildBleveQuery(r.Filter())
	if err != nil {
		// If err is non-nil at this point it must mean that
		// the above match didn't find a supported filter.
		s.l.Warn("Unsupported Search Filter, this is a bug, please file a report", "filter", r.Filter())
		res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultUnwillingToPerform)
		res.SetDiagnosticMessage("Filter type not supported")
		w.Write(res)
		return
	}

	s.l.Debug("Searching groups", "expr", expr)

	var matchUid string
	if exprAnd {
		s.l.Debug("Filtering by AND...")
		exprSlice := strings.Split(expr, " ")
		for i := range exprSlice {
			if !strings.Contains(exprSlice[i], "Name") && !strings.Contains(exprSlice[i], "ID") {
				matchUid = exprSlice[i]
				if (i+1) == len(exprSlice){
					exprSlice = exprSlice[:i]
				} else {
					exprSlice = append(exprSlice[:i], exprSlice[i+1:]...)
				}
				break
			}
		}
		expr = strings.Join(exprSlice, " ")
		s.l.Debug("Filtered by AND", "expr", expr, "matchUid", matchUid)
	}

	groups, err := s.c.GroupSearch(ctx, expr)
	if err != nil {
		res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultOperationsError)
		res.SetDiagnosticMessage(err.Error())
		w.Write(res)
		return
	}

	for i := range groups {
		s.l.Debug("Found group", "group", groups[i].GetName())
		var e message.SearchResultEntry
		var complete bool
		var err error
		if exprAnd {
			s.l.Debug("Match UID: ", matchUid)
			e, complete, err = s.groupSearchResultWithMatch(ctx, groups[i], r.BaseObject(), r.Attributes(), matchUid)
			if !complete {
				res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
				w.Write(res)
				return
			}
		} else {
			e, err = s.groupSearchResult(ctx, groups[i], r.BaseObject(), r.Attributes())
		}
		if err != nil {
			res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultOperationsError)
			res.SetDiagnosticMessage(err.Error())
			w.Write(res)
			return
		}
		w.Write(e)
	}

	res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
	w.Write(res)
}

// groupSearchResult maps a group onto a SearchResultEntry, performing
// the additional lookup for groups to populate the member attribute.
// Though not implemented, the attrs list is plumbed down to this
// level to permit attribute filtering in the future.
func (s *server) groupSearchResult(ctx context.Context, g *pb.Group, dn message.LDAPDN, attrs message.AttributeSelection) (message.SearchResultEntry, error) {
	res := ldap.NewSearchResultEntry("cn=" + g.GetName() + "," + string(dn))
	res.AddAttribute("cn", message.AttributeValue(g.GetName()))
	res.AddAttribute("gidNumber", message.AttributeValue(strconv.Itoa(int(g.GetNumber()))))

	members, err := s.c.GroupMembers(ctx, g.GetName())
	if err != nil {
		return res, err
	}

	memberList := []message.AttributeValue{}
	for i := range members {
		g := "uid=" + members[i].GetID() + ",ou=entities," + strings.Join(s.nc, ",")
		memberList = append(memberList, message.AttributeValue(g))
	}
	res.AddAttribute("member", memberList...)

	return res, nil
}

func (s *server) groupSearchResultWithMatch(ctx context.Context, g *pb.Group, dn message.LDAPDN, attrs message.AttributeSelection, matchUid string) (message.SearchResultEntry, bool, error) {
	res := ldap.NewSearchResultEntry("cn=" + g.GetName() + "," + string(dn))
	res.AddAttribute("cn", message.AttributeValue(g.GetName()))
	res.AddAttribute("gidNumber", message.AttributeValue(strconv.Itoa(int(g.GetNumber()))))

	members, err := s.c.GroupMembers(ctx, g.GetName())
	if err != nil {
		return res, true, err
	}

	var complete bool = false
	memberList := []message.AttributeValue{}
	for i := range members {
		if members[i].GetID() == matchUid {
			g := "uid=" + members[i].GetID() + ",ou=entities," + strings.Join(s.nc, ",")
			memberList = append(memberList, message.AttributeValue(g))
			complete = true
		}
	}
	res.AddAttribute("member", memberList...)

	return res, complete, nil
}
internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00			`package ldap`

			`import (`
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`"context"`
			`"strconv"`
internal/ldap: Handle bind 2020-08-22 22:49:54 -05:00			`"strings"`
internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00
internal/ldap: Handle bind 2020-08-22 22:49:54 -05:00			`"github.com/ps78674/goldap/message"`
internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00			`ldap "github.com/ps78674/ldapserver"`
internal/ldap: Handle bind 2020-08-22 22:49:54 -05:00
			`"github.com/netauth/ldap/internal/buildinfo"`
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00
			`pb "github.com/netauth/protocol"`
internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00			`)`

			`func (s server) handleSearchDSE(w ldap.ResponseWriter, m ldap.Message) {`
internal/ldap: Handle bind 2020-08-22 22:49:54 -05:00			`nc := strings.Join(s.nc, ", ")`

internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00			`e := ldap.NewSearchResultEntry("")`
			`e.AddAttribute("vendorName", "NetAuth")`
internal/ldap: Handle bind 2020-08-22 22:49:54 -05:00			`e.AddAttribute("vendorVersion", message.AttributeValue(buildinfo.Version))`
internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00			`e.AddAttribute("objectClass", "top", "extensibleObject")`
			`e.AddAttribute("supportedLDAPVersion", "3")`
internal/ldap: Handle bind 2020-08-22 22:49:54 -05:00			`e.AddAttribute("namingContexts", message.AttributeValue(nc))`
internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00			`w.Write(e)`

			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)`
			`w.Write(res)`
			`}`

internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`func (s server) handleSearchEntities(w ldap.ResponseWriter, m ldap.Message) {`
			`ctx := context.Background()`
			`s.l.Debug("Search Entities")`

internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00			`r := m.GetSearchRequest()`
Add gitea/forgejo sepcific queries support 2024-07-04 10:07:25 -05:00			`expr, _, err := s.buildBleveQuery(r.Filter())`
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`if err != nil {`
			`// If err is non-nil at this point it must mean that`
			`// the above match didn't find a supported filter.`
internal/ldap: Log unsupported search filters 2021-10-16 18:01:02 -05:00			`s.l.Warn("Unsupported Search Filter, this is a bug, please file a report", "filter", r.Filter())`
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultUnwillingToPerform)`
			`res.SetDiagnosticMessage("Filter type not supported")`
			`w.Write(res)`
			`return`
internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00			`}`

internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`s.l.Debug("Searching entities", "query", expr)`
internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`ents, err := s.c.EntitySearch(ctx, expr)`
			`if err != nil {`
			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultOperationsError)`
			`res.SetDiagnosticMessage(err.Error())`
			`w.Write(res)`
			`return`
			`}`

			`for i := range ents {`
			`e, err := s.entitySearchResult(ctx, ents[i], r.BaseObject(), r.Attributes())`
			`if err != nil {`
			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultOperationsError)`
			`res.SetDiagnosticMessage(err.Error())`
			`w.Write(res)`
			`return`
			`}`
			`w.Write(e)`
			`}`

			`s.l.Debug("Entities", "res", ents)`
internal/ldap: Initial boilerplate 2020-08-21 02:03:53 -05:00
			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)`
			`w.Write(res)`
			`}`
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00
			`// entitySearchResult maps an entity onto a SearchResultEntry,`
			`// performing the additional lookup for groups to populate the`
			`// memberOf attribute. Though not implemented, the attrs list is`
			`// plumbed down to this level to permit attribute filtering in the`
			`// future.`
			`func (s server) entitySearchResult(ctx context.Context, e pb.Entity, dn message.LDAPDN, attrs message.AttributeSelection) (message.SearchResultEntry, error) {`
Add gitea/forgejo sepcific queries support 2024-07-04 10:07:25 -05:00			`s.l.Debug("Attr selection: ", "attrs", attrs, len(attrs))`
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`res := ldap.NewSearchResultEntry("uid=" + e.GetID() + "," + string(dn))`
			`res.AddAttribute("uid", message.AttributeValue(e.GetID()))`
			`res.AddAttribute("uidNumber", message.AttributeValue(strconv.Itoa(int(e.GetNumber()))))`

Add gitea/forgejo sepcific queries support 2024-07-04 10:07:25 -05:00			`mail, err := s.c.EntityKVGet(ctx, e.GetID(), "mail")`
			`//if err != nil {`
			`// return res, err`
			`//}`
			`if len(mail["mail"]) > 0 {`
			`res.AddAttribute("mail", message.AttributeValue(mail["mail"][0]))`
			`}`

internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`grps, err := s.c.EntityGroups(ctx, e.GetID())`
			`if err != nil {`
			`return res, err`
			`}`

internal/ldap: Correctly handle multi-valued attributes 2020-11-08 21:33:21 -06:00			`memberOf := []message.AttributeValue{}`
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`for i := range grps {`
			`g := "cn=" + grps[i].GetName() + ",ou=groups," + strings.Join(s.nc, ",")`
internal/ldap: Correctly handle multi-valued attributes 2020-11-08 21:33:21 -06:00			`memberOf = append(memberOf, message.AttributeValue(g))`
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`}`
internal/ldap: Correctly handle multi-valued attributes 2020-11-08 21:33:21 -06:00			`res.AddAttribute("memberOf", memberOf...)`
internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00
Add gitea/forgejo sepcific queries support 2024-07-04 10:07:25 -05:00			`entitySearchDN := "uid=" + e.GetID() + ",ou=entities," + strings.Join(s.nc, ",")`
			`s.routes.Search(s.handleSearchEntities).`
			`BaseDn(entitySearchDN).`
			`Scope(ldap.SearchRequestHomeSubtree).`
			`Label("Search - Entities (" + e.GetID() + ")")`

internal/ldap: Implement search for entities 2020-08-23 02:14:41 -05:00			`return res, nil`
			`}`

internal/ldap: Implement search for groups 2020-08-23 02:50:43 -05:00			`func (s server) handleSearchGroups(w ldap.ResponseWriter, m ldap.Message) {`
			`ctx := context.Background()`
			`s.l.Debug("Search Groups")`

			`r := m.GetSearchRequest()`

Add gitea/forgejo sepcific queries support 2024-07-04 10:07:25 -05:00			`expr, exprAnd, err := s.buildBleveQuery(r.Filter())`
internal/ldap: Implement search for groups 2020-08-23 02:50:43 -05:00			`if err != nil {`
			`// If err is non-nil at this point it must mean that`
			`// the above match didn't find a supported filter.`
internal/ldap: Log unsupported search filters 2021-10-16 18:01:02 -05:00			`s.l.Warn("Unsupported Search Filter, this is a bug, please file a report", "filter", r.Filter())`
internal/ldap: Implement search for groups 2020-08-23 02:50:43 -05:00			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultUnwillingToPerform)`
			`res.SetDiagnosticMessage("Filter type not supported")`
			`w.Write(res)`
			`return`
			`}`

			`s.l.Debug("Searching groups", "expr", expr)`

Add gitea/forgejo sepcific queries support 2024-07-04 10:07:25 -05:00			`var matchUid string`
			`if exprAnd {`
			`s.l.Debug("Filtering by AND...")`
			`exprSlice := strings.Split(expr, " ")`
			`for i := range exprSlice {`
			`if !strings.Contains(exprSlice[i], "Name") && !strings.Contains(exprSlice[i], "ID") {`
			`matchUid = exprSlice[i]`
			`if (i+1) == len(exprSlice){`
			`exprSlice = exprSlice[:i]`
			`} else {`
			`exprSlice = append(exprSlice[:i], exprSlice[i+1:]...)`
			`}`
			`break`
			`}`
			`}`
			`expr = strings.Join(exprSlice, " ")`
			`s.l.Debug("Filtered by AND", "expr", expr, "matchUid", matchUid)`
			`}`

internal/ldap: Fix search equivalence translation 2020-08-25 20:58:56 -05:00			`groups, err := s.c.GroupSearch(ctx, expr)`
internal/ldap: Implement search for groups 2020-08-23 02:50:43 -05:00			`if err != nil {`
			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultOperationsError)`
			`res.SetDiagnosticMessage(err.Error())`
			`w.Write(res)`
			`return`
			`}`

internal/ldap: Fix search equivalence translation 2020-08-25 20:58:56 -05:00			`for i := range groups {`
			`s.l.Debug("Found group", "group", groups[i].GetName())`
Add gitea/forgejo sepcific queries support 2024-07-04 10:07:25 -05:00			`var e message.SearchResultEntry`
			`var complete bool`
			`var err error`
			`if exprAnd {`
			`s.l.Debug("Match UID: ", matchUid)`
			`e, complete, err = s.groupSearchResultWithMatch(ctx, groups[i], r.BaseObject(), r.Attributes(), matchUid)`
			`if !complete {`
			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)`
			`w.Write(res)`
			`return`
			`}`
			`} else {`
			`e, err = s.groupSearchResult(ctx, groups[i], r.BaseObject(), r.Attributes())`
			`}`
internal/ldap: Implement search for groups 2020-08-23 02:50:43 -05:00			`if err != nil {`
			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultOperationsError)`
			`res.SetDiagnosticMessage(err.Error())`
			`w.Write(res)`
			`return`
			`}`
			`w.Write(e)`
			`}`

			`res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)`
			`w.Write(res)`
			`}`

			`// groupSearchResult maps a group onto a SearchResultEntry, performing`
			`// the additional lookup for groups to populate the member attribute.`
			`// Though not implemented, the attrs list is plumbed down to this`
			`// level to permit attribute filtering in the future.`
			`func (s server) groupSearchResult(ctx context.Context, g pb.Group, dn message.LDAPDN, attrs message.AttributeSelection) (message.SearchResultEntry, error) {`
			`res := ldap.NewSearchResultEntry("cn=" + g.GetName() + "," + string(dn))`
			`res.AddAttribute("cn", message.AttributeValue(g.GetName()))`
			`res.AddAttribute("gidNumber", message.AttributeValue(strconv.Itoa(int(g.GetNumber()))))`

			`members, err := s.c.GroupMembers(ctx, g.GetName())`
			`if err != nil {`
			`return res, err`
			`}`

internal/ldap: Correctly handle multi-valued attributes 2020-11-08 21:33:21 -06:00			`memberList := []message.AttributeValue{}`
internal/ldap: Implement search for groups 2020-08-23 02:50:43 -05:00			`for i := range members {`
			`g := "uid=" + members[i].GetID() + ",ou=entities," + strings.Join(s.nc, ",")`
internal/ldap: Correctly handle multi-valued attributes 2020-11-08 21:33:21 -06:00			`memberList = append(memberList, message.AttributeValue(g))`
internal/ldap: Implement search for groups 2020-08-23 02:50:43 -05:00			`}`
internal/ldap: Correctly handle multi-valued attributes 2020-11-08 21:33:21 -06:00			`res.AddAttribute("member", memberList...)`
internal/ldap: Implement search for groups 2020-08-23 02:50:43 -05:00
			`return res, nil`
			`}`
Add gitea/forgejo sepcific queries support 2024-07-04 10:07:25 -05:00
			`func (s server) groupSearchResultWithMatch(ctx context.Context, g pb.Group, dn message.LDAPDN, attrs message.AttributeSelection, matchUid string) (message.SearchResultEntry, bool, error) {`
			`res := ldap.NewSearchResultEntry("cn=" + g.GetName() + "," + string(dn))`
			`res.AddAttribute("cn", message.AttributeValue(g.GetName()))`
			`res.AddAttribute("gidNumber", message.AttributeValue(strconv.Itoa(int(g.GetNumber()))))`

			`members, err := s.c.GroupMembers(ctx, g.GetName())`
			`if err != nil {`
			`return res, true, err`
			`}`

			`var complete bool = false`
			`memberList := []message.AttributeValue{}`
			`for i := range members {`
			`if members[i].GetID() == matchUid {`
			`g := "uid=" + members[i].GetID() + ",ou=entities," + strings.Join(s.nc, ",")`
			`memberList = append(memberList, message.AttributeValue(g))`
			`complete = true`
			`}`
			`}`
			`res.AddAttribute("member", memberList...)`

			`return res, complete, nil`
			`}`