thelounge/src/plugins/auth/ldap.js

"use strict";

const Helper = require("../../helper");

// Forked ldapjs for 2 reasons:
// 1. Removed bunyan https://github.com/joyent/node-ldapjs/pull/399
// 2. Remove dtrace-provider dependency
const ldap = require("thelounge-ldapjs-non-maintained-fork");

function ldapAuthCommon(user, bindDN, password, callback) {
	const config = Helper.config;

	const ldapclient = ldap.createClient({
		url: config.ldap.url,
		tlsOptions: config.ldap.tlsOptions,
	});

	ldapclient.on("error", function(err) {
		log.error(`Unable to connect to LDAP server: ${err}`);
		callback(!err);
	});

	ldapclient.bind(bindDN, password, function(err) {
		ldapclient.unbind();
		callback(!err);
	});
}

function simpleLdapAuth(user, password, callback) {
	if (!user || !password) {
		return callback(false);
	}

	const config = Helper.config;

	const userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");
	const bindDN = `${config.ldap.primaryKey}=${userDN},${config.ldap.baseDN}`;

	log.info(`Auth against LDAP ${config.ldap.url} with provided bindDN ${bindDN}`);

	ldapAuthCommon(user, bindDN, password, callback);
}

/**
 * LDAP auth using initial DN search (see config comment for ldap.searchDN)
 */
function advancedLdapAuth(user, password, callback) {
	if (!user || !password) {
		return callback(false);
	}

	const config = Helper.config;
	const userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");

	const ldapclient = ldap.createClient({
		url: config.ldap.url,
		tlsOptions: config.ldap.tlsOptions,
	});

	const base = config.ldap.searchDN.base;
	const searchOptions = {
		scope: config.ldap.searchDN.scope,
		filter: `(&(${config.ldap.primaryKey}=${userDN})${config.ldap.searchDN.filter})`,
		attributes: ["dn"],
	};

	ldapclient.on("error", function(err) {
		log.error(`Unable to connect to LDAP server: ${err}`);
		callback(!err);
	});

	ldapclient.bind(config.ldap.searchDN.rootDN, config.ldap.searchDN.rootPassword, function(err) {
		if (err) {
			log.error("Invalid LDAP root credentials");
			ldapclient.unbind();
			callback(false);
		} else {
			ldapclient.search(base, searchOptions, function(err2, res) {
				if (err2) {
					log.warning(`User not found: ${userDN}`);
					ldapclient.unbind();
					callback(false);
				} else {
					let found = false;
					res.on("searchEntry", function(entry) {
						found = true;
						const bindDN = entry.objectName;
						log.info(`Auth against LDAP ${config.ldap.url} with found bindDN ${bindDN}`);
						ldapclient.unbind();

						ldapAuthCommon(user, bindDN, password, callback);
					});
					res.on("error", function(err3) {
						log.error(`LDAP error: ${err3}`);
						callback(false);
					});
					res.on("end", function() {
						ldapclient.unbind();

						if (!found) {
							callback(false);
						}
					});
				}
			});
		}
	});
}

function ldapAuth(manager, client, user, password, callback) {
	// TODO: Enable the use of starttls() as an alternative to ldaps

	// TODO: move this out of here and get rid of `manager` and `client` in
	// auth plugin API
	function callbackWrapper(valid) {
		if (valid && !client) {
			manager.addUser(user, null);
		}

		callback(valid);
	}

	let auth;

	if ("baseDN" in Helper.config.ldap) {
		auth = simpleLdapAuth;
	} else {
		auth = advancedLdapAuth;
	}

	return auth(user, password, callbackWrapper);
}

function isLdapEnabled() {
	return !Helper.config.public && Helper.config.ldap.enable;
}

module.exports = {
	auth: ldapAuth,
	isEnabled: isLdapEnabled,
};
Make new LDAP options backward compatible Also draft some kind of plugin system for auth, although it essentially consists in writing a function and there is no mechanism to automatically fallback from one auth to another 2017-08-29 18:05:06 +02:00			`"use strict";`

			`const Helper = require("../../helper");`
Use forked ldapjs to remove dtrace Fixes #1756 2018-01-30 20:57:44 +01:00
			`// Forked ldapjs for 2 reasons:`
			`// 1. Removed bunyan https://github.com/joyent/node-ldapjs/pull/399`
			`// 2. Remove dtrace-provider dependency`
			`const ldap = require("thelounge-ldapjs-non-maintained-fork");`
Make new LDAP options backward compatible Also draft some kind of plugin system for auth, although it essentially consists in writing a function and there is no mechanism to automatically fallback from one auth to another 2017-08-29 18:05:06 +02:00
Add tests for LDAP auth plugin 2017-08-30 11:49:21 +02:00			`function ldapAuthCommon(user, bindDN, password, callback) {`
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`const config = Helper.config;`

			`const ldapclient = ldap.createClient({`
			`url: config.ldap.url,`
Enforce dangling commas with ESLint ¯\_(ツ)_/¯ 2017-11-15 07:35:15 +01:00			`tlsOptions: config.ldap.tlsOptions,`
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`});`

			`ldapclient.on("error", function(err) {`
Change string formatting style 2017-09-01 11:29:52 +02:00			log.error(`Unable to connect to LDAP server: ${err}`);
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`callback(!err);`
			`});`

			`ldapclient.bind(bindDN, password, function(err) {`
			`ldapclient.unbind();`
			`callback(!err);`
			`});`
			`}`

Add tests for LDAP auth plugin 2017-08-30 11:49:21 +02:00			`function simpleLdapAuth(user, password, callback) {`
Stop LDAP Auth from succeeding without password 2017-11-22 01:19:24 +01:00			`if (!user \|\| !password) {`
Make new LDAP options backward compatible Also draft some kind of plugin system for auth, although it essentially consists in writing a function and there is no mechanism to automatically fallback from one auth to another 2017-08-29 18:05:06 +02:00			`return callback(false);`
			`}`

			`const config = Helper.config;`

			`const userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");`
Change string formatting style 2017-09-01 11:29:52 +02:00			const bindDN = `${config.ldap.primaryKey}=${userDN},${config.ldap.baseDN}`;
Make new LDAP options backward compatible Also draft some kind of plugin system for auth, although it essentially consists in writing a function and there is no mechanism to automatically fallback from one auth to another 2017-08-29 18:05:06 +02:00
Change string formatting style 2017-09-01 11:29:52 +02:00			log.info(`Auth against LDAP ${config.ldap.url} with provided bindDN ${bindDN}`);
Make new LDAP options backward compatible Also draft some kind of plugin system for auth, although it essentially consists in writing a function and there is no mechanism to automatically fallback from one auth to another 2017-08-29 18:05:06 +02:00
Add tests for LDAP auth plugin 2017-08-30 11:49:21 +02:00			`ldapAuthCommon(user, bindDN, password, callback);`
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`}`

			`/**`
			`* LDAP auth using initial DN search (see config comment for ldap.searchDN)`
			`*/`
Add tests for LDAP auth plugin 2017-08-30 11:49:21 +02:00			`function advancedLdapAuth(user, password, callback) {`
Stop LDAP Auth from succeeding without password 2017-11-22 01:19:24 +01:00			`if (!user \|\| !password) {`
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`return callback(false);`
			`}`

			`const config = Helper.config;`
			`const userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");`

			`const ldapclient = ldap.createClient({`
			`url: config.ldap.url,`
Enforce dangling commas with ESLint ¯\_(ツ)_/¯ 2017-11-15 07:35:15 +01:00			`tlsOptions: config.ldap.tlsOptions,`
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`});`

			`const base = config.ldap.searchDN.base;`
			`const searchOptions = {`
			`scope: config.ldap.searchDN.scope,`
Change string formatting style 2017-09-01 11:29:52 +02:00			filter: `(&(${config.ldap.primaryKey}=${userDN})${config.ldap.searchDN.filter})`,
Enforce dangling commas with ESLint ¯\_(ツ)_/¯ 2017-11-15 07:35:15 +01:00			`attributes: ["dn"],`
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`};`

			`ldapclient.on("error", function(err) {`
Change string formatting style 2017-09-01 11:29:52 +02:00			log.error(`Unable to connect to LDAP server: ${err}`);
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`callback(!err);`
			`});`

			`ldapclient.bind(config.ldap.searchDN.rootDN, config.ldap.searchDN.rootPassword, function(err) {`
			`if (err) {`
			`log.error("Invalid LDAP root credentials");`
			`ldapclient.unbind();`
			`callback(false);`
			`} else {`
			`ldapclient.search(base, searchOptions, function(err2, res) {`
			`if (err2) {`
Change string formatting style 2017-09-01 11:29:52 +02:00			log.warning(`User not found: ${userDN}`);
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`ldapclient.unbind();`
			`callback(false);`
			`} else {`
			`let found = false;`
			`res.on("searchEntry", function(entry) {`
			`found = true;`
			`const bindDN = entry.objectName;`
Change string formatting style 2017-09-01 11:29:52 +02:00			log.info(`Auth against LDAP ${config.ldap.url} with found bindDN ${bindDN}`);
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`ldapclient.unbind();`

Add tests for LDAP auth plugin 2017-08-30 11:49:21 +02:00			`ldapAuthCommon(user, bindDN, password, callback);`
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`});`
			`res.on("error", function(err3) {`
Change string formatting style 2017-09-01 11:29:52 +02:00			log.error(`LDAP error: ${err3}`);
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`callback(false);`
			`});`
			`res.on("end", function() {`
Teardown sockets in tests 2017-10-06 11:53:08 +02:00			`ldapclient.unbind();`
Auto-fix code for padding-line-between-statements rule 2018-02-20 08:28:04 +01:00
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`if (!found) {`
			`callback(false);`
			`}`
			`});`
			`}`
			`});`
			`}`
			`});`
			`}`

			`function ldapAuth(manager, client, user, password, callback) {`
Add tests for LDAP auth plugin 2017-08-30 11:49:21 +02:00			`// TODO: Enable the use of starttls() as an alternative to ldaps`

			// TODO: move this out of here and get rid of `manager` and `client` in
			`// auth plugin API`
			`function callbackWrapper(valid) {`
			`if (valid && !client) {`
			`manager.addUser(user, null);`
			`}`
Auto-fix code for padding-line-between-statements rule 2018-02-20 08:28:04 +01:00
Add tests for LDAP auth plugin 2017-08-30 11:49:21 +02:00			`callback(valid);`
			`}`

			`let auth;`
Auto-fix code for padding-line-between-statements rule 2018-02-20 08:28:04 +01:00
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`if ("baseDN" in Helper.config.ldap) {`
			`auth = simpleLdapAuth;`
			`} else {`
			`auth = advancedLdapAuth;`
			`}`
Auto-fix code for padding-line-between-statements rule 2018-02-20 08:28:04 +01:00
Add tests for LDAP auth plugin 2017-08-30 11:49:21 +02:00			`return auth(user, password, callbackWrapper);`
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`}`

			`function isLdapEnabled() {`
			`return !Helper.config.public && Helper.config.ldap.enable;`
Make new LDAP options backward compatible Also draft some kind of plugin system for auth, although it essentially consists in writing a function and there is no mechanism to automatically fallback from one auth to another 2017-08-29 18:05:06 +02:00			`}`

Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`module.exports = {`
			`auth: ldapAuth,`
Enforce dangling commas with ESLint ¯\_(ツ)_/¯ 2017-11-15 07:35:15 +01:00			`isEnabled: isLdapEnabled,`
Reorganize auth plugins 2017-08-29 19:11:06 +02:00			`};`