Use explicit ssl peer verification when connecting to LDAP

nulib · Sep 27, 2023 · 36f2a67 · 36f2a67
1 parent 282024e
commit 36f2a67
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 9 deletions.
diff --git a/app/lib/meadow/accounts/ldap.ex b/app/lib/meadow/accounts/ldap.ex
@@ -11,22 +11,28 @@ defmodule Meadow.Accounts.Ldap do
   @connect_timeout 1500
   @retries 3
   @ldap_matching_rule_in_chain "1.2.840.113556.1.4.1941"
+  # Don't validate LDAP SSL connection because the cert doesn't validate under certifi's CA chain
+  # @sslopts [cacertfile: :certifi.cacertfile(), verify: :verify_peer]
+  @sslopts [verify: :verify_none]
 
   def connection(force_new \\ false) do
     if force_new, do: Meadow.Cache |> Cachex.del(:ldap_address)
 
-    settings =
-      with config <- Application.get_env(:exldap, :settings) do
-        Keyword.put(config, :server, connection_address(config))
-      end
-
-    case {Exldap.connect(settings, @connect_timeout), force_new} do
+    case {connection_settings() |> Exldap.connect(@connect_timeout), force_new} do
       {{:ok, result}, _} -> result
       {_, false} -> connection(true)
       {other, true} -> other
     end
   end
 
+  def connection_settings do
+    with config <- Application.get_env(:exldap, :settings) |> address_to_ip() do
+      if Keyword.get(config, :ssl, false),
+        do: Keyword.put(config, :sslopts, @sslopts),
+        else: config
+    end
+  end
+
   @doc "Find a user entry by its common name (NetID)"
   def find_user(cn) do
     find_user_func = fn ->
@@ -172,7 +178,7 @@ defmodule Meadow.Accounts.Ldap do
 
   @doc "Add a member to a group"
   def add_member(group_dn, member_dn) do
-    with operation <- :eldap.mod_add('member', [to_charlist(member_dn)]) do
+    with operation <- :eldap.mod_add(~c"member", [to_charlist(member_dn)]) do
       case modify_entry(group_dn, operation) do
         {:ok, _} -> :ok
         {:exists, _} -> :exists
@@ -183,7 +189,7 @@ defmodule Meadow.Accounts.Ldap do
 
   @doc "Remove a member from a group"
   def remove_member(group_dn, member_dn) do
-    with operation <- :eldap.mod_delete('member', [to_charlist(member_dn)]) do
+    with operation <- :eldap.mod_delete(~c"member", [to_charlist(member_dn)]) do
       case modify_entry(group_dn, operation) do
         {:ok, _} -> :ok
         other -> other
@@ -207,6 +213,8 @@ defmodule Meadow.Accounts.Ldap do
     end
   end
 
+  defp address_to_ip(config), do: Keyword.put(config, :server, connection_address(config))
+
   defp connection_address(config) do
     find_connection = fn tuple ->
       case tuple |> :gen_tcp.connect(config[:port], [:inet]) do

diff --git a/app/lib/mix/tasks/pipeline.ex b/app/lib/mix/tasks/pipeline.ex
@@ -9,7 +9,7 @@ defmodule Mix.Tasks.Meadow.Pipeline.Setup do
   @shortdoc @moduledoc
   def run(_) do
     if Meadow.Config.environment?(:prod) or System.get_env("AWS_DEV_ENVIRONMENT") do
-      Logger.warn("Not in localstack environment – queue creation skipped")
+      Logger.warning("Not in localstack environment – queue creation skipped")
     else
       [:ex_aws, :hackney] |> Enum.each(&Application.ensure_all_started/1)