From 36f2a672bb4c5aa9cf132bc18494253b5674fae9 Mon Sep 17 00:00:00 2001
From: "Michael B. Klein"
Date: Wed, 27 Sep 2023 17:06:22 +0000
Subject: [PATCH] Use explicit ssl peer verification when connecting to LDAP
---
 app/lib/meadow/accounts/ldap.ex | 24 ++++++++++++++++--------
 app/lib/mix/tasks/pipeline.ex | 2 +-
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/app/lib/meadow/accounts/ldap.ex b/app/lib/meadow/accounts/ldap.ex
index 318c48b93..8ec6f1717 100644
--- a/app/lib/meadow/accounts/ldap.ex
+++ b/app/lib/meadow/accounts/ldap.ex
@@ -11,22 +11,28 @@ defmodule Meadow.Accounts.Ldap do
 @connect_timeout 1500
 @retries 3
 @ldap_matching_rule_in_chain "1.2.840.113556.1.4.1941"
+ # Don't validate LDAP SSL connection because the cert doesn't validate under certifi's CA chain
+ # @sslopts [cacertfile: :certifi.cacertfile(), verify: :verify_peer]
+ @sslopts [verify: :verify_none]
 
 def connection(force_new \\ false) do
 if force_new, do: Meadow.Cache |> Cachex.del(:ldap_address)
 
- settings =
- with config <- Application.get_env(:exldap, :settings) do
- Keyword.put(config, :server, connection_address(config))
- end
-
- case {Exldap.connect(settings, @connect_timeout), force_new} do
+ case {connection_settings() |> Exldap.connect(@connect_timeout), force_new} do
 {{:ok, result}, _} -> result
 {_, false} -> connection(true)
 {other, true} -> other
 end
 end
 
+ def connection_settings do
+ with config <- Application.get_env(:exldap, :settings) |> address_to_ip() do
+ if Keyword.get(config, :ssl, false),
+ do: Keyword.put(config, :sslopts, @sslopts),
+ else: config
+ end
+ end
+
 @doc "Find a user entry by its common name (NetID)"
 def find_user(cn) do
 find_user_func = fn ->
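Review bot: `@sslopts [verify: :verify_none]` turns TLS peer verification off for every LDAP connection, which is the opposite of what the subject line ("explicit ssl peer verification") announces — a client that accepts any certificate also accepts one presented by an on-path party, so whatever bind credentials the `:exldap` settings carry and all directory traffic lose their transport protection. The commented-out line shows the intended setting, and the right remedy for "doesn't validate under certifi's CA chain" is to point `cacertfile` at the bundle that actually issued the LDAP server certificate rather than at certifi's, e.g. `@sslopts [cacertfile: "<PATH_TO_LDAP_CA_BUNDLE>", verify: :verify_peer]` with the path coming from environment config. Note that `connection_settings/0` runs the config through `address_to_ip/1`, which replaces `:server` with a resolved IP, so once `verify_peer` is on the hostname check will presumably need `server_name_indication: to_charlist(original_host)` alongside it for the certificate to match; `address_to_ip/1` is defined in a later hunk. If `verify_none` has to stay for now, the comment should state it as an accepted risk with a tracking item instead of describing it as a certificate problem, and `Keyword.put(config, :sslopts, @sslopts)` should become `Keyword.put_new(config, :sslopts, @sslopts)` so a stricter `:sslopts` supplied in the `:exldap` config is not silently overridden.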
@@ -172,7 +178,7 @@ defmodule Meadow.Accounts.Ldap do
 @doc "Add a member to a group"
 def add_member(group_dn, member_dn) do
- with operation <- :eldap.mod_add('member', [to_charlist(member_dn)]) do
+ with operation <- :eldap.mod_add(~c"member", [to_charlist(member_dn)]) do
 case modify_entry(group_dn, operation) do
 {:ok, _} -> :ok
 {:exists, _} -> :exists
@@ -183,7 +189,7 @@ defmodule Meadow.Accounts.Ldap do
 @doc "Remove a member from a group"
 def remove_member(group_dn, member_dn) do
- with operation <- :eldap.mod_delete('member', [to_charlist(member_dn)]) do
+ with operation <- :eldap.mod_delete(~c"member", [to_charlist(member_dn)]) do
 case modify_entry(group_dn, operation) do
 {:ok, _} -> :ok
 other -> other
@@ -207,6 +213,8 @@ defmodule Meadow.Accounts.Ldap do
 end
 end
 
+ defp address_to_ip(config), do: Keyword.put(config, :server, connection_address(config))
+
 defp connection_address(config) do
 find_connection = fn tuple ->
 case tuple |> :gen_tcp.connect(config[:port], [:inet]) do
diff --git a/app/lib/mix/tasks/pipeline.ex b/app/lib/mix/tasks/pipeline.ex
index 0db6d9ce7..31870f98f 100644
--- a/app/lib/mix/tasks/pipeline.ex
+++ b/app/lib/mix/tasks/pipeline.ex
@@ -9,7 +9,7 @@ defmodule Mix.Tasks.Meadow.Pipeline.Setup do
 @shortdoc @moduledoc
 def run(_) do
 if Meadow.Config.environment?(:prod) or System.get_env("AWS_DEV_ENVIRONMENT") do
- Logger.warn("Not in localstack environment – queue creation skipped")
+ Logger.warning("Not in localstack environment – queue creation skipped")
 else
 [:ex_aws, :hackney] |> Enum.each(&Application.ensure_all_started/1)