refacorting and ldaps

+ removed logs

+ using login.html

+ implemented ldaps: user can set a cert file for private ca

Author: broccoli

connector-ldap/ldap.go

@@ -1,10 +1,14 @@
 package ldap
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"embed"
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"os"
+	"strings"
 
 	"github.com/DanielAuerX/answer-plugins/connector-ldap/i18n"
 	"github.com/segmentfault/pacman/log"
@@ -34,21 +38,32 @@ type Connector struct {
 }
 
 type ConnectorConfig struct {
-	Name         string `json:"name"`
-	Server       string `json:"server"`
-	BaseDN       string `json:"base_dn"`
-	BindPrefix   string `json:"bind_prefix"`   // e.g., uid=
-	BindDN       string `json:"bind_dn"`       // service account DN
-	BindPassword string `json:"bind_password"` // service account password
-	UserAttr     string `json:"user_attr"`     // e.g., uid, sAMAccountName
+	Name          string `json:"name"`
+	Server        string `json:"server"`
+	BaseDN        string `json:"base_dn"`
+	BindDN        string `json:"bind_dn"`
+	BindPassword  string `json:"bind_password"`
+	UserAttr      string `json:"user_attr"`
+	TLSCACertPath string `json:"tls_ca_cert_path"`
 }
 
 var _ plugin.Connector = &Connector{}
 
+var loginHTMLContent string
+
 func init() {
 	plugin.Register(&Connector{
 		Config: &ConnectorConfig{},
 	})
+
+	htmlContent, err := loginHTML.ReadFile("login.html")
+	if err != nil {
+		log.Errorf("failed to read embedded html file: %v", err)
+	}
+	loginHTMLContent = string(htmlContent)
+	if "" == loginHTMLContent {
+		log.Error("html file is empty")
+	}
 }
 
 func (g *Connector) Info() plugin.Info {
@@ -74,115 +89,125 @@ func (g *Connector) ConnectorName() plugin.Translator {
 
 func (g *Connector) ConnectorSlugName() string {
 	return "ldap"
+
 }
 
 func (g *Connector) ConnectorLogoSVG() string {
 	return ""
 }
 
 func (g *Connector) ConnectorSender(ctx *plugin.GinContext, receiverURL string) string {
-	log.Info("LDAP connector ConnectorSender...")
-
-	htmlContent, err := loginHTML.ReadFile("login.html")
-	if err != nil {
-		log.Errorf("failed to read embedded html file: %v", err)
-		ctx.Writer.WriteHeader(500)
-		ctx.Writer.Write([]byte("Internal Server Error"))
-		return ""
-	}
 
 	ctx.Writer.WriteHeader(200)
 	ctx.Writer.Header().Set("Content-Type", "text/html")
-	_, _ = ctx.Writer.Write([]byte(fmt.Sprintf(string(htmlContent), receiverURL)))
 
-	return ctx.Request.Host
+	htmlContent := strings.Replace(loginHTMLContent, "RECEIVER_URL_PLACEHOLDER", receiverURL, -1)
+	_, err := ctx.Writer.Write([]byte(htmlContent))
+	if err != nil {
+		log.Errorf("failed to write HTML response: %v", err)
+	}
+
+	return ""
 }
 
 // TODO get from translator
 func (g *Connector) ConfigFields() []plugin.ConfigField {
 	return []plugin.ConfigField{
 		createTextInput("name", "LDAP", "LDAP connector name", g.Config.Name, true, false),
-		createTextInput("server", "LDAP Server", "e.g. ldap.example.com:389", g.Config.Server, true, false),
+		createTextInput("server", "LDAP Server", "e.g. ldaps://ldap.example.com:636", g.Config.Server, true, false),
 		createTextInput("base_dn", "Base DN", "e.g. dc=example,dc=com", g.Config.BaseDN, true, false),
-		createTextInput("bind_prefix", "Bind Prefix", "e.g. CN= or uid=", g.Config.BindPrefix, false, false), //TODO NOT USED YET
 		createTextInput("bind_dn", "Bind DN", "DN of LDAP bind user", g.Config.BindDN, true, false),
 		createTextInput("bind_password", "Bind Password", "Password for bind DN", g.Config.BindPassword, true, true),
 		createTextInput("user_attr", "User Attribute", "LDAP attribute for username (e.g., uid or sAMAccountName)", g.Config.UserAttr, true, false),
+		createTextInput("tls_ca_cert_path", "TLS CA Certificate Path", "Path to custom CA certificate file (optional)", g.Config.TLSCACertPath, false, false),
 	}
 }
 
 func (g *Connector) ConfigReceiver(config []byte) error {
 	c := &ConnectorConfig{}
 	if err := json.Unmarshal(config, c); err != nil {
-		return err
+		return fmt.Errorf("invalid config json: %w", err)
 	}
 	g.Config = c
 	return nil
 }
 
 func (c *Connector) ConnectorReceiver(ctx *plugin.GinContext, receiverURL string) (userInfo plugin.ExternalLoginUserInfo, err error) {
-	log.Info("ConnectorReceiver called!")
 
 	username, password, err := extractCredentials(ctx.Request)
 	if err != nil {
 		return userInfo, err
 	}
 
-	l, err := ldap.DialURL(c.Config.Server)
+	l, err := dialWithTLS(c.Config.Server, c.Config.TLSCACertPath)
 	if err != nil {
 		return userInfo, fmt.Errorf("failed to connect to LDAP server: %w", err)
 	}
 	defer l.Close()
 
-	err = l.Bind(c.Config.BindDN, c.Config.BindPassword)
+	if err := bindServiceAccount(l, c.Config.BindDN, c.Config.BindPassword); err != nil {
+		return userInfo, fmt.Errorf("service account bind failed: %w", err)
+	}
+
+	entry, err := searchUser(l, c.Config.BaseDN, c.Config.UserAttr, username)
 	if err != nil {
-		return userInfo, fmt.Errorf("bind failed: %w", err)
+		return userInfo, err
+	}
+
+	err = l.Bind(entry.DN, password)
+	if err != nil {
+		return userInfo, fmt.Errorf("invalid username or password")
+	}
+
+	userInfo, err = extractUserInfo(entry)
+	if err != nil {
+		return userInfo, err
 	}
 
+	return userInfo, nil
+}
+
+func bindServiceAccount(l *ldap.Conn, bindDN, bindPassword string) error {
+	return l.Bind(bindDN, bindPassword)
+}
+
+func searchUser(l *ldap.Conn, baseDN, userAttr, username string) (*ldap.Entry, error) {
 	searchRequest := ldap.NewSearchRequest(
-		c.Config.BaseDN,
+		baseDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 1, 0, false,
-		fmt.Sprintf("(%s=%s)", c.Config.UserAttr, ldap.EscapeFilter(username)),
+		fmt.Sprintf("(%s=%s)", userAttr, ldap.EscapeFilter(username)),
 		[]string{LdapAttributeDn, LdapAttributeUid, LdapAttributeCn, LdapAttributeMail, LdapAttributeDisplayName, LdapAttributeSamAccountName},
 		nil,
 	)
 
 	sr, err := l.Search(searchRequest)
 	if err != nil || len(sr.Entries) == 0 {
-		return userInfo, fmt.Errorf("user not found: %w", err)
+		return nil, fmt.Errorf("user not found: %w", err)
 	}
 
-	entry := sr.Entries[0]
-
-	err = l.Bind(entry.DN, password)
-	if err != nil {
-		return userInfo, fmt.Errorf("invalid username or password")
-	}
-
-	userInfo = extractUserInfo(entry)
-
-	log.Infof("userInfo %s", &userInfo)
-
-	return userInfo, nil
+	return sr.Entries[0], nil
 }
 
 func extractCredentials(request *http.Request) (username string, password string, err error) {
-	queryParams := request.URL.Query()
+	err = request.ParseForm()
+	if err != nil {
+		log.Errorf("failed to parse form: %v", err)
+		return "", "", err
+	}
 
-	username = queryParams.Get("username")
-	password = queryParams.Get("password")
+	username = request.FormValue("username")
+	password = request.FormValue("password")
 
 	if username == "" || password == "" {
-		log.Errorf("missing username or password")
+		log.Errorf("missing username and/or password")
 		err = fmt.Errorf("missing username or password")
 	}
 	return
 }
 
-func extractUserInfo(entry *ldap.Entry) plugin.ExternalLoginUserInfo {
+func extractUserInfo(entry *ldap.Entry) (plugin.ExternalLoginUserInfo, error) {
 
 	displayName := entry.GetAttributeValue(LdapAttributeDisplayName)
-	log.Infof("displayName %s", displayName)
 
 	if displayName == "" {
 		displayName = entry.GetAttributeValue(LdapAttributeCn)
@@ -192,28 +217,24 @@ func extractUserInfo(entry *ldap.Entry) plugin.ExternalLoginUserInfo {
 	if username == "" {
 		username = entry.GetAttributeValue(LdapAttributeSamAccountName)
 	}
-	log.Infof("username %s", &username)
 
 	externalID := username
 	if externalID == "" {
 		externalID = entry.DN // fallback
 	}
 
-	/*
-	 email is used to login, therefore required.
-	 wether the email is correct, is not important for our use case
-	*/
+	//email is used to login, therefore required
 	email := entry.GetAttributeValue(LdapAttributeMail)
 	if email == "" {
-		email = username + "@dummymail.xyz"
+		return nil, fmt.Errorf("email is required")
 	}
 
 	return plugin.ExternalLoginUserInfo{
 		ExternalID:  externalID,
 		DisplayName: displayName,
 		Username:    username,
 		Email:       email,
-	}
+	}, nil
 }
 
 func createTextInput(name, title, desc, value string, require bool, password bool) plugin.ConfigField {
@@ -235,3 +256,58 @@ func createTextInput(name, title, desc, value string, require bool, password boo
 		Value:       value,
 	}
 }
+
+func createBoolInput(name, title, desc string, value bool, require bool) plugin.ConfigField {
+	return plugin.ConfigField{
+
+		Name:        name,
+		Type:        plugin.ConfigTypeCheckbox,
+		Title:       plugin.MakeTranslator(title),
+		Description: plugin.MakeTranslator(desc),
+		Required:    require,
+		UIOptions:   plugin.ConfigFieldUIOptions{},
+		Value:       value,
+	}
+
+}
+
+func dialWithTLS(server string, certPath string) (*ldap.Conn, error) {
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: false,
+	}
+
+	if certPath != "" {
+		certPool := x509.NewCertPool()
+		certData, err := os.ReadFile(certPath)
+		if err != nil {
+			log.Errorf("Failed to read cert file: %v", err)
+			return nil, fmt.Errorf("failed to read LDAP cert: %w", err)
+		}
+
+		if !certPool.AppendCertsFromPEM(certData) {
+			log.Errorf("Failed to append cert from %s", certPath)
+			return nil, fmt.Errorf("failed to append cert")
+		}
+
+		tlsConfig.RootCAs = certPool
+	}
+
+	if strings.HasPrefix(server, "ldaps://") {
+		return ldap.DialURL(server, ldap.DialWithTLSConfig(tlsConfig))
+	}
+
+	conn, err := ldap.DialURL(server)
+	if err != nil {
+		log.Errorf("Initial plain connection failed: %v", err)
+		return nil, err
+	}
+
+	if err := conn.StartTLS(tlsConfig); err != nil {
+		log.Errorf("StartTLS failed: %v", err)
+		conn.Close()
+		return nil, err
+	}
+
+	return conn, nil
+}

connector-ldap/login.html

@@ -1,14 +1,21 @@
-<html>
-<head><title>LDAP Login</title></head>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>LDAP Login</title>
+</head>
 <body>
-    <h3>LDAP Login</h3>
-    <form method="get" action="%s">
-        <label>Username:</label><br/>
-        <input name="username" type="text"/><br/>
-        <label>Password:</label><br/>
-        <input name="password" type="password"/><br/>
-        <br/>
-        <input type="submit" value="Login"/>
-    </form>
+    <div class="container">
+        <h3>LDAP Login</h3>
+        <form method="post" action="RECEIVER_URL_PLACEHOLDER">
+            <label>Username:</label>
+            <input name="username" type="text" required/>
+            <label>Password:</label>
+            <input name="password" type="password" required/>
+            <br/>
+            <input type="submit" value="Login"/>
+        </form>
+    </div>
 </body>
 </html>