lldap/server/src/infra/ldap_server.rs

use crate::{
    domain::{
        handler::{BackendHandler, LoginHandler},
        opaque_handler::OpaqueHandler,
    },
    infra::{configuration::Configuration, ldap_handler::LdapHandler},
};
use actix_rt::net::TcpStream;
use actix_server::ServerBuilder;
use actix_service::{fn_service, ServiceFactoryExt};
use anyhow::{anyhow, Context, Result};
use ldap3_proto::{proto::LdapMsg, LdapCodec};
use rustls::PrivateKey;
use tokio_rustls::TlsAcceptor as RustlsTlsAcceptor;
use tokio_util::codec::{FramedRead, FramedWrite};
use tracing::{debug, error, info, instrument};

#[instrument(skip_all, level = "info", name = "LDAP request")]
async fn handle_ldap_message<Backend, Writer>(
    msg: Result<LdapMsg, std::io::Error>,
    resp: &mut Writer,
    session: &mut LdapHandler<Backend>,
) -> Result<bool>
where
    Backend: BackendHandler + LoginHandler + OpaqueHandler,
    Writer: futures_util::Sink<LdapMsg> + Unpin,
    <Writer as futures_util::Sink<LdapMsg>>::Error: std::error::Error + Send + Sync + 'static,
{
    use futures_util::SinkExt;
    let msg = msg.context("while receiving LDAP op")?;
    debug!(?msg);
    match session.handle_ldap_message(msg.op).await {
        None => return Ok(false),
        Some(result) => {
            if result.is_empty() {
                debug!("No response");
            }
            for response in result.into_iter() {
                debug!(?response);
                resp.send(LdapMsg {
                    msgid: msg.msgid,
                    op: response,
                    ctrl: vec![],
                })
                .await
                .context("while sending a response: {:#}")?
            }

            resp.flush()
                .await
                .context("while flushing responses: {:#}")?
        }
    }
    Ok(true)
}

#[instrument(skip_all, level = "info", name = "LDAP session")]
async fn handle_ldap_stream<Stream, Backend>(
    stream: Stream,
    backend_handler: Backend,
    ldap_base_dn: String,
    ignored_user_attributes: Vec<String>,
    ignored_group_attributes: Vec<String>,
) -> Result<Stream>
where
    Backend: BackendHandler + LoginHandler + OpaqueHandler + 'static,
    Stream: tokio::io::AsyncRead + tokio::io::AsyncWrite,
{
    use tokio_stream::StreamExt;
    let (r, w) = tokio::io::split(stream);
    // Configure the codec etc.
    let mut requests = FramedRead::new(r, LdapCodec);
    let mut resp = FramedWrite::new(w, LdapCodec);

    let mut session = LdapHandler::new(
        backend_handler,
        ldap_base_dn,
        ignored_user_attributes,
        ignored_group_attributes,
    );

    while let Some(msg) = requests.next().await {
        if !handle_ldap_message(msg, &mut resp, &mut session)
            .await
            .context("while handling incoming messages")?
        {
            break;
        }
    }
    Ok(requests.into_inner().unsplit(resp.into_inner()))
}

fn read_private_key(key_file: &str) -> Result<PrivateKey> {
    use rustls_pemfile::{pkcs8_private_keys, rsa_private_keys};
    use std::{fs::File, io::BufReader};
    pkcs8_private_keys(&mut BufReader::new(File::open(key_file)?))
        .map_err(anyhow::Error::from)
        .and_then(|keys| {
            keys.into_iter()
                .next()
                .ok_or_else(|| anyhow!("No PKCS8 key"))
        })
        .or_else(|_| {
            rsa_private_keys(&mut BufReader::new(File::open(key_file)?))
                .map_err(anyhow::Error::from)
                .and_then(|keys| {
                    keys.into_iter()
                        .next()
                        .ok_or_else(|| anyhow!("No PKCS1 key"))
                })
        })
        .with_context(|| {
            format!(
                "Cannot read either PKCS1 or PKCS8 private key from {}",
                key_file
            )
        })
        .map(rustls::PrivateKey)
}

fn get_tls_acceptor(config: &Configuration) -> Result<RustlsTlsAcceptor> {
    use rustls::{Certificate, ServerConfig};
    use rustls_pemfile::certs;
    use std::{fs::File, io::BufReader};
    // Load TLS key and cert files
    let certs = certs(&mut BufReader::new(File::open(
        &config.ldaps_options.cert_file,
    )?))?
    .into_iter()
    .map(Certificate)
    .collect::<Vec<_>>();
    let private_key = read_private_key(&config.ldaps_options.key_file)?;
    let server_config = std::sync::Arc::new(
        ServerConfig::builder()
            .with_safe_defaults()
            .with_no_client_auth()
            .with_single_cert(certs, private_key)?,
    );
    Ok(server_config.into())
}

pub fn build_ldap_server<Backend>(
    config: &Configuration,
    backend_handler: Backend,
    server_builder: ServerBuilder,
) -> Result<ServerBuilder>
where
    Backend: BackendHandler + LoginHandler + OpaqueHandler + 'static,
{
    let context = (
        backend_handler,
        config.ldap_base_dn.clone(),
        config.ignored_user_attributes.clone(),
        config.ignored_group_attributes.clone(),
    );

    let context_for_tls = context.clone();

    let binder = move || {
        let context = context.clone();
        fn_service(move |stream: TcpStream| {
            let context = context.clone();
            async move {
                let (handler, base_dn, ignored_user_attributes, ignored_group_attributes) = context;
                handle_ldap_stream(
                    stream,
                    handler,
                    base_dn,
                    ignored_user_attributes,
                    ignored_group_attributes,
                )
                .await
            }
        })
        .map_err(|err: anyhow::Error| error!("[LDAP] Service Error: {:#}", err))
    };

    info!("Starting the LDAP server on port {}", config.ldap_port);
    let server_builder = server_builder
        .bind("ldap", ("0.0.0.0", config.ldap_port), binder)
        .with_context(|| format!("while binding to the port {}", config.ldap_port));
    if config.ldaps_options.enabled {
        let tls_context = (
            context_for_tls,
            get_tls_acceptor(config).context("while setting up the SSL certificate")?,
        );
        let tls_binder = move || {
            let tls_context = tls_context.clone();
            fn_service(move |stream: TcpStream| {
                let tls_context = tls_context.clone();
                async move {
                    let (
                        (handler, base_dn, ignored_user_attributes, ignored_group_attributes),
                        tls_acceptor,
                    ) = tls_context;
                    let tls_stream = tls_acceptor.accept(stream).await?;
                    handle_ldap_stream(
                        tls_stream,
                        handler,
                        base_dn,
                        ignored_user_attributes,
                        ignored_group_attributes,
                    )
                    .await
                }
            })
            .map_err(|err: anyhow::Error| error!("[LDAPS] Service Error: {:#}", err))
        };

        info!(
            "Starting the LDAPS server on port {}",
            config.ldaps_options.port
        );
        server_builder.and_then(|s| {
            s.bind("ldaps", ("0.0.0.0", config.ldaps_options.port), tls_binder)
                .with_context(|| format!("while binding to the port {}", config.ldaps_options.port))
        })
    } else {
        server_builder
    }
}
ldap: Add support for password modify extension This allows other systems (e.g. Authelia) to reset passwords for users. 2021-10-28 16:04:09 +00:00			`use crate::{`
			`domain::{`
server, ldap: Use group membership for admin status 2022-05-08 18:12:06 +00:00			`handler::{BackendHandler, LoginHandler},`
ldap: Add support for password modify extension This allows other systems (e.g. Authelia) to reset passwords for users. 2021-10-28 16:04:09 +00:00			`opaque_handler::OpaqueHandler,`
			`},`
			`infra::{configuration::Configuration, ldap_handler::LdapHandler},`
			`};`
WIP: sorry this does not compiles 2021-03-06 22:39:34 +00:00			`use actix_rt::net::TcpStream;`
Fix the pipeline_factory We can now bring up the two servers 2021-03-07 11:36:12 +00:00			`use actix_server::ServerBuilder;`
Replace the echo server with an HTTP server 2021-05-08 11:27:48 +00:00			`use actix_service::{fn_service, ServiceFactoryExt};`
server: Add support for PKCS1 keys Fixes #288 2022-09-30 11:27:21 +00:00			`use anyhow::{anyhow, Context, Result};`
server: Change attribute values to bytes 2022-08-07 15:43:46 +00:00			`use ldap3_proto::{proto::LdapMsg, LdapCodec};`
server: Add support for PKCS1 keys Fixes #288 2022-09-30 11:27:21 +00:00			`use rustls::PrivateKey;`
server: switch from OpenSSL to Rustls 2022-07-15 12:59:15 +00:00			`use tokio_rustls::TlsAcceptor as RustlsTlsAcceptor;`
Implement SQL connection 2021-03-07 15:13:50 +00:00			`use tokio_util::codec::{FramedRead, FramedWrite};`
server: Add tracing logging Fixes #17 2022-04-15 11:52:20 +00:00			`use tracing::{debug, error, info, instrument};`
WIP: sorry this does not compiles 2021-03-06 22:39:34 +00:00
server: Add tracing logging Fixes #17 2022-04-15 11:52:20 +00:00			`#[instrument(skip_all, level = "info", name = "LDAP request")]`
			`async fn handle_ldap_message<Backend, Writer>(`
Implement SQL connection 2021-03-07 15:13:50 +00:00			`msg: Result<LdapMsg, std::io::Error>,`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`resp: &mut Writer,`
Introduce BackendHandler trait and impl 2021-03-11 09:14:15 +00:00			`session: &mut LdapHandler<Backend>,`
Add a handler for OPAQUE messages 2021-06-16 20:04:11 +00:00			`) -> Result<bool>`
			`where`
ldap: Add support for password modify extension This allows other systems (e.g. Authelia) to reset passwords for users. 2021-10-28 16:04:09 +00:00			`Backend: BackendHandler + LoginHandler + OpaqueHandler,`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`Writer: futures_util::Sink<LdapMsg> + Unpin,`
			`<Writer as futures_util::Sink<LdapMsg>>::Error: std::error::Error + Send + Sync + 'static,`
Add a handler for OPAQUE messages 2021-06-16 20:04:11 +00:00			`{`
Implement SQL connection 2021-03-07 15:13:50 +00:00			`use futures_util::SinkExt;`
server: Add a debug log for LDAP messages 2021-11-03 08:52:51 +00:00			`let msg = msg.context("while receiving LDAP op")?;`
server: Add tracing logging Fixes #17 2022-04-15 11:52:20 +00:00			`debug!(?msg);`
ldap: Switch to using LdapOp instead of ServerOp This is in preparation of supporting the password change message, since this is from the Extended Operations that is not available in the simple ServerOp. 2021-10-24 09:03:09 +00:00			`match session.handle_ldap_message(msg.op).await {`
Implement SQL connection 2021-03-07 15:13:50 +00:00			`None => return Ok(false),`
			`Some(result) => {`
ldap: Improve debug messages 2021-11-07 13:57:34 +00:00			`if result.is_empty() {`
			`debug!("No response");`
			`}`
server: Add tracing logging Fixes #17 2022-04-15 11:52:20 +00:00			`for response in result.into_iter() {`
			`debug!(?response);`
server: Add a debug log for LDAP messages 2021-11-03 08:52:51 +00:00			`resp.send(LdapMsg {`
			`msgid: msg.msgid,`
server: Add tracing logging Fixes #17 2022-04-15 11:52:20 +00:00			`op: response,`
server: Add a debug log for LDAP messages 2021-11-03 08:52:51 +00:00			`ctrl: vec![],`
			`})`
			`.await`
			`.context("while sending a response: {:#}")?`
Implement SQL connection 2021-03-07 15:13:50 +00:00			`}`

server: improve error messages 2021-11-03 07:01:55 +00:00			`resp.flush()`
			`.await`
			`.context("while flushing responses: {:#}")?`
Implement SQL connection 2021-03-07 15:13:50 +00:00			`}`
			`}`
			`Ok(true)`
			`}`

server: Add tracing logging Fixes #17 2022-04-15 11:52:20 +00:00			`#[instrument(skip_all, level = "info", name = "LDAP session")]`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`async fn handle_ldap_stream<Stream, Backend>(`
			`stream: Stream,`
			`backend_handler: Backend,`
			`ldap_base_dn: String,`
ldap: add an option to silence unknown fields in the config 2022-05-30 17:51:14 +00:00			`ignored_user_attributes: Vec<String>,`
			`ignored_group_attributes: Vec<String>,`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`) -> Result<Stream>`
			`where`
			`Backend: BackendHandler + LoginHandler + OpaqueHandler + 'static,`
			`Stream: tokio::io::AsyncRead + tokio::io::AsyncWrite,`
			`{`
			`use tokio_stream::StreamExt;`
			`let (r, w) = tokio::io::split(stream);`
			`// Configure the codec etc.`
			`let mut requests = FramedRead::new(r, LdapCodec);`
			`let mut resp = FramedWrite::new(w, LdapCodec);`

ldap: add an option to silence unknown fields in the config 2022-05-30 17:51:14 +00:00			`let mut session = LdapHandler::new(`
			`backend_handler,`
			`ldap_base_dn,`
			`ignored_user_attributes,`
			`ignored_group_attributes,`
			`);`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00
			`while let Some(msg) = requests.next().await {`
server: Add tracing logging Fixes #17 2022-04-15 11:52:20 +00:00			`if !handle_ldap_message(msg, &mut resp, &mut session)`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`.await`
			`.context("while handling incoming messages")?`
			`{`
			`break;`
			`}`
			`}`
			`Ok(requests.into_inner().unsplit(resp.into_inner()))`
			`}`

server: Add support for PKCS1 keys Fixes #288 2022-09-30 11:27:21 +00:00			`fn read_private_key(key_file: &str) -> Result<PrivateKey> {`
			`use rustls_pemfile::{pkcs8_private_keys, rsa_private_keys};`
			`use std::{fs::File, io::BufReader};`
			`pkcs8_private_keys(&mut BufReader::new(File::open(key_file)?))`
			`.map_err(anyhow::Error::from)`
			`.and_then(\|keys\| {`
			`keys.into_iter()`
			`.next()`
			`.ok_or_else(\|\| anyhow!("No PKCS8 key"))`
			`})`
			`.or_else(\|_\| {`
			`rsa_private_keys(&mut BufReader::new(File::open(key_file)?))`
			`.map_err(anyhow::Error::from)`
			`.and_then(\|keys\| {`
			`keys.into_iter()`
			`.next()`
			`.ok_or_else(\|\| anyhow!("No PKCS1 key"))`
			`})`
			`})`
			`.with_context(\|\| {`
			`format!(`
			`"Cannot read either PKCS1 or PKCS8 private key from {}",`
			`key_file`
			`)`
			`})`
			`.map(rustls::PrivateKey)`
			`}`

server: switch from OpenSSL to Rustls 2022-07-15 12:59:15 +00:00			`fn get_tls_acceptor(config: &Configuration) -> Result<RustlsTlsAcceptor> {`
server: Add support for PKCS1 keys Fixes #288 2022-09-30 11:27:21 +00:00			`use rustls::{Certificate, ServerConfig};`
			`use rustls_pemfile::certs;`
server: switch from OpenSSL to Rustls 2022-07-15 12:59:15 +00:00			`use std::{fs::File, io::BufReader};`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`// Load TLS key and cert files`
server: switch from OpenSSL to Rustls 2022-07-15 12:59:15 +00:00			`let certs = certs(&mut BufReader::new(File::open(`
			`&config.ldaps_options.cert_file,`
			`)?))?`
			`.into_iter()`
			`.map(Certificate)`
			`.collect::<Vec<_>>();`
server: Add support for PKCS1 keys Fixes #288 2022-09-30 11:27:21 +00:00			`let private_key = read_private_key(&config.ldaps_options.key_file)?;`
server: switch from OpenSSL to Rustls 2022-07-15 12:59:15 +00:00			`let server_config = std::sync::Arc::new(`
			`ServerConfig::builder()`
			`.with_safe_defaults()`
			`.with_no_client_auth()`
			`.with_single_cert(certs, private_key)?,`
			`);`
			`Ok(server_config.into())`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`}`

Introduce BackendHandler trait and impl 2021-03-11 09:14:15 +00:00			`pub fn build_ldap_server<Backend>(`
Fix the pipeline_factory We can now bring up the two servers 2021-03-07 11:36:12 +00:00			`config: &Configuration,`
Introduce BackendHandler trait and impl 2021-03-11 09:14:15 +00:00			`backend_handler: Backend,`
Fix the pipeline_factory We can now bring up the two servers 2021-03-07 11:36:12 +00:00			`server_builder: ServerBuilder,`
Introduce BackendHandler trait and impl 2021-03-11 09:14:15 +00:00			`) -> Result<ServerBuilder>`
			`where`
ldap: Add support for password modify extension This allows other systems (e.g. Authelia) to reset passwords for users. 2021-10-28 16:04:09 +00:00			`Backend: BackendHandler + LoginHandler + OpaqueHandler + 'static,`
Introduce BackendHandler trait and impl 2021-03-11 09:14:15 +00:00			`{`
ldap: add an option to silence unknown fields in the config 2022-05-30 17:51:14 +00:00			`let context = (`
			`backend_handler,`
			`config.ldap_base_dn.clone(),`
			`config.ignored_user_attributes.clone(),`
			`config.ignored_group_attributes.clone(),`
			`);`
WIP: sorry this does not compiles 2021-03-06 22:39:34 +00:00
server: don't try to load the certificates if they're not needed 2022-05-07 12:46:45 +00:00			`let context_for_tls = context.clone();`
WIP: sorry this does not compiles 2021-03-06 22:39:34 +00:00
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`let binder = move \|\| {`
			`let context = context.clone();`
			`fn_service(move \|stream: TcpStream\| {`
			`let context = context.clone();`
			`async move {`
ldap: add an option to silence unknown fields in the config 2022-05-30 17:51:14 +00:00			`let (handler, base_dn, ignored_user_attributes, ignored_group_attributes) = context;`
			`handle_ldap_stream(`
			`stream,`
			`handler,`
			`base_dn,`
			`ignored_user_attributes,`
			`ignored_group_attributes,`
			`)`
			`.await`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`}`
			`})`
			`.map_err(\|err: anyhow::Error\| error!("[LDAP] Service Error: {:#}", err))`
			`};`
WIP: sorry this does not compiles 2021-03-06 22:39:34 +00:00
server: Add tracing logging Fixes #17 2022-04-15 11:52:20 +00:00			`info!("Starting the LDAP server on port {}", config.ldap_port);`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`let server_builder = server_builder`
			`.bind("ldap", ("0.0.0.0", config.ldap_port), binder)`
			`.with_context(\|\| format!("while binding to the port {}", config.ldap_port));`
			`if config.ldaps_options.enabled {`
server: don't try to load the certificates if they're not needed 2022-05-07 12:46:45 +00:00			`let tls_context = (`
			`context_for_tls,`
			`get_tls_acceptor(config).context("while setting up the SSL certificate")?,`
			`);`
			`let tls_binder = move \|\| {`
			`let tls_context = tls_context.clone();`
			`fn_service(move \|stream: TcpStream\| {`
			`let tls_context = tls_context.clone();`
			`async move {`
ldap: add an option to silence unknown fields in the config 2022-05-30 17:51:14 +00:00			`let (`
			`(handler, base_dn, ignored_user_attributes, ignored_group_attributes),`
			`tls_acceptor,`
			`) = tls_context;`
server: don't try to load the certificates if they're not needed 2022-05-07 12:46:45 +00:00			`let tls_stream = tls_acceptor.accept(stream).await?;`
ldap: add an option to silence unknown fields in the config 2022-05-30 17:51:14 +00:00			`handle_ldap_stream(`
			`tls_stream,`
			`handler,`
			`base_dn,`
			`ignored_user_attributes,`
			`ignored_group_attributes,`
			`)`
			`.await`
server: don't try to load the certificates if they're not needed 2022-05-07 12:46:45 +00:00			`}`
			`})`
			`.map_err(\|err: anyhow::Error\| error!("[LDAPS] Service Error: {:#}", err))`
			`};`

server: Add tracing logging Fixes #17 2022-04-15 11:52:20 +00:00			`info!(`
			`"Starting the LDAPS server on port {}",`
			`config.ldaps_options.port`
			`);`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`server_builder.and_then(\|s\| {`
			`s.bind("ldaps", ("0.0.0.0", config.ldaps_options.port), tls_binder)`
			`.with_context(\|\| format!("while binding to the port {}", config.ldaps_options.port))`
server: improve error messages 2021-11-03 07:01:55 +00:00			`})`
server: Implement LDAPS support 2022-05-05 14:12:10 +00:00			`} else {`
			`server_builder`
			`}`
WIP: sorry this does not compiles 2021-03-06 22:39:34 +00:00			`}`