mirror/lldap
1
0
Fork 0
mirror of https://github.com/nitnelave/lldap.git synced 2023-04-12 14:25:13 +00:00
Code Issues Projects Releases Wiki Activity

Merge branch 'main' into authentik

Browse Source
This commit is contained in:
arcoast 2023-02-13 20:24:34 +00:00 committed by GitHub
commit 1ccd6e3817
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 791 additions and 204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
Cargo.lock generated
View File

@ -2185,13 +2185,16 @@ dependencies = [
[[package]] [[package]]
name = "ldap3_proto" name = "ldap3_proto"
version = "0.2.3" version = "0.3.1"
source = "git+https://github.com/nitnelave/ldap3_server/?rev=7b50b2b82c383f5f70e02e11072bb916629ed2bc#7b50b2b82c383f5f70e02e11072bb916629ed2bc" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4162706b6f3b3d58f577990e22e9a0e03e2f9bedc2b8181d8abab2498da32003"
dependencies = [ dependencies = [
"bytes", "bytes",
"lber", "lber",
"peg",
"tokio-util 0.7.3", "tokio-util 0.7.3",
"tracing", "tracing",
"uuid 1.2.2",
] ]
[[package]] [[package]]
@ -2864,6 +2867,33 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "peg"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a07f2cafdc3babeebc087e499118343442b742cc7c31b4d054682cc598508554"
dependencies = [
"peg-macros",
"peg-runtime",
]
[[package]]
name = "peg-macros"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a90084dc05cf0428428e3d12399f39faad19b0909f64fb9170c9fdd6d9cd49b"
dependencies = [
"peg-runtime",
"proc-macro2",
"quote",
]
[[package]]
name = "peg-runtime"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9fa00462b37ead6d11a82c9d568b26682d78e0477dc02d1966c013af80969739"
[[package]] [[package]]
name = "pem-rfc7468" name = "pem-rfc7468"
version = "0.3.1" version = "0.3.1"

5
Cargo.toml
View File

@ -8,11 +8,6 @@ members = [
default-members = ["server"] default-members = ["server"]
# Remove once https://github.com/kanidm/ldap3_proto/pull/8 is merged.
[patch.crates-io.ldap3_proto]
git = 'https://github.com/nitnelave/ldap3_server/'
rev = '7b50b2b82c383f5f70e02e11072bb916629ed2bc'
[patch.crates-io.opaque-ke] [patch.crates-io.opaque-ke]
git = 'https://github.com/nitnelave/opaque-ke/' git = 'https://github.com/nitnelave/opaque-ke/'
branch = 'zeroize_1.5' branch = 'zeroize_1.5'

62
app/src/components/app.rs
View File

@ -13,10 +13,13 @@ use crate::{
user_details::UserDetails, user_details::UserDetails,
user_table::UserTable, user_table::UserTable,
}, },
infra::cookies::get_cookie, infra::{api::HostService, cookies::get_cookie},
};
use yew::{
prelude::*,
services::{fetch::FetchTask, ConsoleService},
}; };
use yew::prelude::*;
use yew::services::ConsoleService;
use yew_router::{ use yew_router::{
agent::{RouteAgentDispatcher, RouteRequest}, agent::{RouteAgentDispatcher, RouteRequest},
route::Route, route::Route,
@ -29,11 +32,14 @@ pub struct App {
user_info: Option<(String, bool)>, user_info: Option<(String, bool)>,
redirect_to: Option<AppRoute>, redirect_to: Option<AppRoute>,
route_dispatcher: RouteAgentDispatcher, route_dispatcher: RouteAgentDispatcher,
password_reset_enabled: bool,
task: Option<FetchTask>,
} }
pub enum Msg { pub enum Msg {
Login((String, bool)), Login((String, bool)),
Logout, Logout,
PasswordResetProbeFinished(anyhow::Result<bool>),
} }
impl Component for App { impl Component for App {
@ -58,7 +64,15 @@ impl Component for App {
}), }),
redirect_to: Self::get_redirect_route(), redirect_to: Self::get_redirect_route(),
route_dispatcher: RouteAgentDispatcher::new(), route_dispatcher: RouteAgentDispatcher::new(),
password_reset_enabled: false,
task: None,
}; };
app.task = Some(
HostService::probe_password_reset(
app.link.callback_once(Msg::PasswordResetProbeFinished),
)
.unwrap(),
);
app.apply_initial_redirections(); app.apply_initial_redirections();
app app
} }
@ -82,6 +96,16 @@ impl Component for App {
self.user_info = None; self.user_info = None;
self.redirect_to = None; self.redirect_to = None;
} }
Msg::PasswordResetProbeFinished(Ok(enabled)) => {
self.task = None;
self.password_reset_enabled = enabled;
}
Msg::PasswordResetProbeFinished(Err(err)) => {
self.task = None;
ConsoleService::error(&format!(
"Could not probe for password reset support: {err:#}"
));
}
} }
if self.user_info.is_none() { if self.user_info.is_none() {
self.route_dispatcher self.route_dispatcher
@ -97,6 +121,7 @@ impl Component for App {
fn view(&self) -> Html { fn view(&self) -> Html {
let link = self.link.clone(); let link = self.link.clone();
let is_admin = self.is_admin(); let is_admin = self.is_admin();
let password_reset_enabled = self.password_reset_enabled;
html! { html! {
<div> <div>
{self.view_banner()} {self.view_banner()}
@ -104,7 +129,7 @@ impl Component for App {
<div class="row justify-content-center" style="padding-bottom: 80px;"> <div class="row justify-content-center" style="padding-bottom: 80px;">
<div class="py-3" style="max-width: 1000px"> <div class="py-3" style="max-width: 1000px">
<Router<AppRoute> <Router<AppRoute>
render = Router::render(move |s| Self::dispatch_route(s, &link, is_admin)) render = Router::render(move |s| Self::dispatch_route(s, &link, is_admin, password_reset_enabled))
/> />
</div> </div>
</div> </div>
@ -135,6 +160,10 @@ impl App {
let route_service = RouteService::<()>::new(); let route_service = RouteService::<()>::new();
let current_route = route_service.get_path(); let current_route = route_service.get_path();
if current_route.contains("reset-password") { if current_route.contains("reset-password") {
if !self.password_reset_enabled {
self.route_dispatcher
.send(RouteRequest::ReplaceRoute(Route::from(AppRoute::Login)));
}
return; return;
} }
match &self.user_info { match &self.user_info {
@ -162,10 +191,15 @@ impl App {
} }
} }
fn dispatch_route(switch: AppRoute, link: &ComponentLink<Self>, is_admin: bool) -> Html { fn dispatch_route(
switch: AppRoute,
link: &ComponentLink<Self>,
is_admin: bool,
password_reset_enabled: bool,
) -> Html {
match switch { match switch {
AppRoute::Login => html! { AppRoute::Login => html! {
<LoginForm on_logged_in=link.callback(Msg::Login)/> <LoginForm on_logged_in=link.callback(Msg::Login) password_reset_enabled=password_reset_enabled/>
}, },
AppRoute::CreateUser => html! { AppRoute::CreateUser => html! {
<CreateUserForm/> <CreateUserForm/>
@ -200,11 +234,23 @@ impl App {
AppRoute::ChangePassword(username) => html! { AppRoute::ChangePassword(username) => html! {
<ChangePasswordForm username=username is_admin=is_admin /> <ChangePasswordForm username=username is_admin=is_admin />
}, },
AppRoute::StartResetPassword => html! { AppRoute::StartResetPassword => {
if password_reset_enabled {
html! {
<ResetPasswordStep1Form /> <ResetPasswordStep1Form />
}, }
} else {
App::dispatch_route(AppRoute::Login, link, is_admin, password_reset_enabled)
}
}
AppRoute::FinishResetPassword(token) => html! { AppRoute::FinishResetPassword(token) => html! {
if password_reset_enabled {
html! {
<ResetPasswordStep2Form token=token /> <ResetPasswordStep2Form token=token />
}
} else {
App::dispatch_route(AppRoute::Login, link, is_admin, password_reset_enabled)
}
}, },
} }
} }

8
app/src/components/login.rs
View File

@ -30,6 +30,7 @@ pub struct FormModel {
#[derive(Clone, PartialEq, Properties)] #[derive(Clone, PartialEq, Properties)]
pub struct Props { pub struct Props {
pub on_logged_in: Callback<(String, bool)>, pub on_logged_in: Callback<(String, bool)>,
pub password_reset_enabled: bool,
} }
pub enum Msg { pub enum Msg {
@ -147,6 +148,7 @@ impl Component for LoginForm {
fn view(&self) -> Html { fn view(&self) -> Html {
type Field = yew_form::Field<FormModel>; type Field = yew_form::Field<FormModel>;
let password_reset_enabled = self.common.password_reset_enabled;
if self.refreshing { if self.refreshing {
html! { html! {
<div> <div>
@ -198,12 +200,18 @@ impl Component for LoginForm {
<i class="bi-box-arrow-in-right me-2"/> <i class="bi-box-arrow-in-right me-2"/>
{"Login"} {"Login"}
</button> </button>
{ if password_reset_enabled {
html! {
<NavButton <NavButton
classes="btn-link btn" classes="btn-link btn"
disabled=self.common.is_task_running() disabled=self.common.is_task_running()
route=AppRoute::StartResetPassword> route=AppRoute::StartResetPassword>
{"Forgot your password?"} {"Forgot your password?"}
</NavButton> </NavButton>
}
} else {
html!{}
}}
</div> </div>
<div class="form-group"> <div class="form-group">
{ if let Some(e) = &self.common.error { { if let Some(e) = &self.common.error {

21
app/src/infra/api.rs
View File

@ -3,9 +3,11 @@ use anyhow::{anyhow, Context, Result};
use graphql_client::GraphQLQuery; use graphql_client::GraphQLQuery;
use lldap_auth::{login, registration, JWTClaims}; use lldap_auth::{login, registration, JWTClaims};
use yew::callback::Callback; use yew::{
use yew::format::Json; callback::Callback,
use yew::services::fetch::{Credentials, FetchOptions, FetchService, FetchTask, Request, Response}; format::Json,
services::fetch::{Credentials, FetchOptions, FetchService, FetchTask, Request, Response},
};
#[derive(Default)] #[derive(Default)]
pub struct HostService {} pub struct HostService {}
@ -286,4 +288,17 @@ impl HostService {
"Could not validate token", "Could not validate token",
) )
} }
pub fn probe_password_reset(callback: Callback<Result<bool>>) -> Result<FetchTask> {
let request = Request::get("/auth/reset/step1/lldap_unlikely_very_long_user_name")
.header("Content-Type", "application/json")
.body(yew::format::Nothing)?;
FetchService::fetch_with_options(
request,
get_default_options(),
create_handler(callback, move |status: http::StatusCode, _data: String| {
Ok(status != http::StatusCode::NOT_FOUND)
}),
)
}
} }

2
server/Cargo.toml
View File

@ -28,7 +28,7 @@ itertools = "0.10.1"
juniper = "0.15.10" juniper = "0.15.10"
juniper_actix = "0.4.0" juniper_actix = "0.4.0"
jwt = "0.13" jwt = "0.13"
ldap3_proto = "*" ldap3_proto = ">=0.3.1"
log = "*" log = "*"
orion = "0.16" orion = "0.16"
rustls = "0.20" rustls = "0.20"

34
server/src/domain/handler.rs
View File

@ -14,13 +14,46 @@ pub struct BindRequest {
pub password: String, pub password: String,
} }
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone)]
pub struct SubStringFilter {
pub initial: Option<String>,
pub any: Vec<String>,
pub final_: Option<String>,
}
impl SubStringFilter {
pub fn to_sql_filter(&self) -> String {
let mut filter = String::with_capacity(
self.initial.as_ref().map(String::len).unwrap_or_default()
+ 1
+ self.any.iter().map(String::len).sum::<usize>()
+ self.any.len()
+ self.final_.as_ref().map(String::len).unwrap_or_default(),
);
if let Some(f) = &self.initial {
filter.push_str(&f.to_ascii_lowercase());
}
filter.push('%');
for part in self.any.iter() {
filter.push_str(&part.to_ascii_lowercase());
filter.push('%');
}
if let Some(f) = &self.final_ {
filter.push_str(&f.to_ascii_lowercase());
}
filter
}
}
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone)] #[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone)]
pub enum UserRequestFilter { pub enum UserRequestFilter {
And(Vec<UserRequestFilter>), And(Vec<UserRequestFilter>),
Or(Vec<UserRequestFilter>), Or(Vec<UserRequestFilter>),
Not(Box<UserRequestFilter>), Not(Box<UserRequestFilter>),
UserId(UserId), UserId(UserId),
UserIdSubString(SubStringFilter),
Equality(UserColumn, String), Equality(UserColumn, String),
SubString(UserColumn, SubStringFilter),
// Check if a user belongs to a group identified by name. // Check if a user belongs to a group identified by name.
MemberOf(String), MemberOf(String),
// Same, by id. // Same, by id.
@ -43,6 +76,7 @@ pub enum GroupRequestFilter {
Or(Vec<GroupRequestFilter>), Or(Vec<GroupRequestFilter>),
Not(Box<GroupRequestFilter>), Not(Box<GroupRequestFilter>),
DisplayName(String), DisplayName(String),
DisplayNameSubString(SubStringFilter),
Uuid(Uuid), Uuid(Uuid),
GroupId(GroupId), GroupId(GroupId),
// Check if the group contains a user identified by uid. // Check if the group contains a user identified by uid.

48
server/src/domain/ldap/group.rs
View File

@ -17,7 +17,7 @@ use super::{
}, },
}; };
fn get_group_attribute( pub fn get_group_attribute(
group: &Group, group: &Group,
base_dn_str: &str, base_dn_str: &str,
attribute: &str, attribute: &str,
@ -29,8 +29,8 @@ fn get_group_attribute(
"objectclass" => vec![b"groupOfUniqueNames".to_vec()], "objectclass" => vec![b"groupOfUniqueNames".to_vec()],
// Always returned as part of the base response. // Always returned as part of the base response.
"dn" | "distinguishedname" => return None, "dn" | "distinguishedname" => return None,
"cn" | "uid" => vec![group.display_name.clone().into_bytes()], "cn" | "uid" | "id" => vec![group.display_name.clone().into_bytes()],
"entryuuid" => vec![group.uuid.to_string().into_bytes()], "entryuuid" | "uuid" => vec![group.uuid.to_string().into_bytes()],
"member" | "uniquemember" => group "member" | "uniquemember" => group
.users .users
.iter() .iter()
@ -73,6 +73,10 @@ const ALL_GROUP_ATTRIBUTE_KEYS: &[&str] = &[
"entryuuid", "entryuuid",
]; ];
fn expand_group_attribute_wildcards(attributes: &[String]) -> Vec<&str> {
expand_attribute_wildcards(attributes, ALL_GROUP_ATTRIBUTE_KEYS)
}
fn make_ldap_search_group_result_entry( fn make_ldap_search_group_result_entry(
group: Group, group: Group,
base_dn_str: &str, base_dn_str: &str,
@ -80,7 +84,7 @@ fn make_ldap_search_group_result_entry(
user_filter: &Option<&UserId>, user_filter: &Option<&UserId>,
ignored_group_attributes: &[String], ignored_group_attributes: &[String],
) -> LdapSearchResultEntry { ) -> LdapSearchResultEntry {
let expanded_attributes = expand_attribute_wildcards(attributes, ALL_GROUP_ATTRIBUTE_KEYS); let expanded_attributes = expand_group_attribute_wildcards(attributes);
LdapSearchResultEntry { LdapSearchResultEntry {
dn: format!("cn={},ou=groups,{}", group.display_name, base_dn_str), dn: format!("cn={},ou=groups,{}", group.display_name, base_dn_str),
@ -174,6 +178,21 @@ fn convert_group_filter(
|| map_group_field(field).is_some(), || map_group_field(field).is_some(),
)) ))
} }
LdapFilter::Substring(field, substring_filter) => {
let field = &field.to_ascii_lowercase();
match map_group_field(field.as_str()) {
Some(GroupColumn::DisplayName) => Ok(GroupRequestFilter::DisplayNameSubString(
substring_filter.clone().into(),
)),
_ => Err(LdapError {
code: LdapResultCode::UnwillingToPerform,
message: format!(
"Unsupported group attribute for substring filter: {:?}",
field
),
}),
}
}
_ => Err(LdapError { _ => Err(LdapError {
code: LdapResultCode::UnwillingToPerform, code: LdapResultCode::UnwillingToPerform,
message: format!("Unsupported group filter: {:?}", filter), message: format!("Unsupported group filter: {:?}", filter),
@ -185,11 +204,10 @@ fn convert_group_filter(
pub async fn get_groups_list<Backend: BackendHandler>( pub async fn get_groups_list<Backend: BackendHandler>(
ldap_info: &LdapInfo, ldap_info: &LdapInfo,
ldap_filter: &LdapFilter, ldap_filter: &LdapFilter,
attributes: &[String],
base: &str, base: &str,
user_filter: &Option<&UserId>, user_filter: &Option<&UserId>,
backend: &mut Backend, backend: &mut Backend,
) -> LdapResult<Vec<LdapOp>> { ) -> LdapResult<Vec<Group>> {
debug!(?ldap_filter); debug!(?ldap_filter);
let filter = convert_group_filter(ldap_info, ldap_filter)?; let filter = convert_group_filter(ldap_info, ldap_filter)?;
let parsed_filters = match user_filter { let parsed_filters = match user_filter {
@ -200,24 +218,28 @@ pub async fn get_groups_list<Backend: BackendHandler>(
} }
}; };
debug!(?parsed_filters); debug!(?parsed_filters);
let groups = backend backend
.list_groups(Some(parsed_filters)) .list_groups(Some(parsed_filters))
.await .await
.map_err(|e| LdapError { .map_err(|e| LdapError {
code: LdapResultCode::Other, code: LdapResultCode::Other,
message: format!(r#"Error while listing groups "{}": {:#}"#, base, e), message: format!(r#"Error while listing groups "{}": {:#}"#, base, e),
})?; })
}
Ok(groups pub fn convert_groups_to_ldap_op<'a>(
.into_iter() groups: Vec<Group>,
.map(|u| { attributes: &'a [String],
ldap_info: &'a LdapInfo,
user_filter: &'a Option<&'a UserId>,
) -> impl Iterator<Item = LdapOp> + 'a {
groups.into_iter().map(move |g| {
LdapOp::SearchResultEntry(make_ldap_search_group_result_entry( LdapOp::SearchResultEntry(make_ldap_search_group_result_entry(
u, g,
&ldap_info.base_dn_str, &ldap_info.base_dn_str,
attributes, attributes,
user_filter, user_filter,
&ldap_info.ignored_group_attributes, &ldap_info.ignored_group_attributes,
)) ))
}) })
.collect::<Vec<_>>())
} }

81
server/src/domain/ldap/user.rs
View File

@ -10,7 +10,7 @@ use crate::domain::{
error::LdapError, error::LdapError,
utils::{expand_attribute_wildcards, get_user_id_from_distinguished_name}, utils::{expand_attribute_wildcards, get_user_id_from_distinguished_name},
}, },
types::{GroupDetails, User, UserColumn, UserId}, types::{GroupDetails, User, UserAndGroups, UserColumn, UserId},
}; };
use super::{ use super::{
@ -18,7 +18,7 @@ use super::{
utils::{get_group_id_from_distinguished_name, map_user_field, LdapInfo}, utils::{get_group_id_from_distinguished_name, map_user_field, LdapInfo},
}; };
fn get_user_attribute( pub fn get_user_attribute(
user: &User, user: &User,
attribute: &str, attribute: &str,
base_dn_str: &str, base_dn_str: &str,
@ -35,12 +35,12 @@ fn get_user_attribute(
], ],
// dn is always returned as part of the base response. // dn is always returned as part of the base response.
"dn" | "distinguishedname" => return None, "dn" | "distinguishedname" => return None,
"uid" => vec![user.user_id.to_string().into_bytes()], "uid" | "user_id" | "id" => vec![user.user_id.to_string().into_bytes()],
"entryuuid" => vec![user.uuid.to_string().into_bytes()], "entryuuid" | "uuid" => vec![user.uuid.to_string().into_bytes()],
"mail" => vec![user.email.clone().into_bytes()], "mail" | "email" => vec![user.email.clone().into_bytes()],
"givenname" => vec![user.first_name.clone()?.into_bytes()], "givenname" | "first_name" | "firstname" => vec![user.first_name.clone()?.into_bytes()],
"sn" => vec![user.last_name.clone()?.into_bytes()], "sn" | "last_name" | "lastname" => vec![user.last_name.clone()?.into_bytes()],
"jpegphoto" => vec![user.avatar.clone()?.into_bytes()], "jpegphoto" | "avatar" => vec![user.avatar.clone()?.into_bytes()],
"memberof" => groups "memberof" => groups
.into_iter() .into_iter()
.flatten() .flatten()
@ -53,10 +53,12 @@ fn get_user_attribute(
}) })
.collect(), .collect(),
"cn" | "displayname" => vec![user.display_name.clone()?.into_bytes()], "cn" | "displayname" => vec![user.display_name.clone()?.into_bytes()],
"createtimestamp" | "modifytimestamp" => vec![chrono::Utc "creationdate" | "creation_date" | "createtimestamp" | "modifytimestamp" => {
vec![chrono::Utc
.from_utc_datetime(&user.creation_date) .from_utc_datetime(&user.creation_date)
.to_rfc3339() .to_rfc3339()
.into_bytes()], .into_bytes()]
}
"1.1" => return None, "1.1" => return None,
// We ignore the operational attribute wildcard. // We ignore the operational attribute wildcard.
"+" => return None, "+" => return None,
@ -99,15 +101,15 @@ const ALL_USER_ATTRIBUTE_KEYS: &[&str] = &[
fn make_ldap_search_user_result_entry( fn make_ldap_search_user_result_entry(
user: User, user: User,
base_dn_str: &str, base_dn_str: &str,
attributes: &[&str], attributes: &[String],
groups: Option<&[GroupDetails]>, groups: Option<&[GroupDetails]>,
ignored_user_attributes: &[String], ignored_user_attributes: &[String],
) -> LdapSearchResultEntry { ) -> LdapSearchResultEntry {
let expanded_attributes = expand_user_attribute_wildcards(attributes);
let dn = format!("uid={},ou=people,{}", user.user_id.as_str(), base_dn_str); let dn = format!("uid={},ou=people,{}", user.user_id.as_str(), base_dn_str);
LdapSearchResultEntry { LdapSearchResultEntry {
dn, dn,
attributes: attributes attributes: expanded_attributes
.iter() .iter()
.filter_map(|a| { .filter_map(|a| {
let values = let values =
@ -181,6 +183,28 @@ fn convert_user_filter(ldap_info: &LdapInfo, filter: &LdapFilter) -> LdapResult<
|| map_user_field(field).is_some(), || map_user_field(field).is_some(),
)) ))
} }
LdapFilter::Substring(field, substring_filter) => {
let field = &field.to_ascii_lowercase();
match map_user_field(field.as_str()) {
Some(UserColumn::UserId) => Ok(UserRequestFilter::UserIdSubString(
substring_filter.clone().into(),
)),
None
| Some(UserColumn::CreationDate)
| Some(UserColumn::Avatar)
| Some(UserColumn::Uuid) => Err(LdapError {
code: LdapResultCode::UnwillingToPerform,
message: format!(
"Unsupported user attribute for substring filter: {:?}",
field
),
}),
Some(field) => Ok(UserRequestFilter::SubString(
field,
substring_filter.clone().into(),
)),
}
}
_ => Err(LdapError { _ => Err(LdapError {
code: LdapResultCode::UnwillingToPerform, code: LdapResultCode::UnwillingToPerform,
message: format!("Unsupported user filter: {:?}", filter), message: format!("Unsupported user filter: {:?}", filter),
@ -188,15 +212,19 @@ fn convert_user_filter(ldap_info: &LdapInfo, filter: &LdapFilter) -> LdapResult<
} }
} }
fn expand_user_attribute_wildcards(attributes: &[String]) -> Vec<&str> {
expand_attribute_wildcards(attributes, ALL_USER_ATTRIBUTE_KEYS)
}
#[instrument(skip_all, level = "debug")] #[instrument(skip_all, level = "debug")]
pub async fn get_user_list<Backend: BackendHandler>( pub async fn get_user_list<Backend: BackendHandler>(
ldap_info: &LdapInfo, ldap_info: &LdapInfo,
ldap_filter: &LdapFilter, ldap_filter: &LdapFilter,
attributes: &[String], request_groups: bool,
base: &str, base: &str,
user_filter: &Option<&UserId>, user_filter: &Option<&UserId>,
backend: &mut Backend, backend: &mut Backend,
) -> LdapResult<Vec<LdapOp>> { ) -> LdapResult<Vec<UserAndGroups>> {
debug!(?ldap_filter); debug!(?ldap_filter);
let filters = convert_user_filter(ldap_info, ldap_filter)?; let filters = convert_user_filter(ldap_info, ldap_filter)?;
let parsed_filters = match user_filter { let parsed_filters = match user_filter {
@ -207,28 +235,27 @@ pub async fn get_user_list<Backend: BackendHandler>(
} }
}; };
debug!(?parsed_filters); debug!(?parsed_filters);
let expanded_attributes = expand_attribute_wildcards(attributes, ALL_USER_ATTRIBUTE_KEYS); backend
let need_groups = expanded_attributes .list_users(Some(parsed_filters), request_groups)
.iter()
.any(|s| s.to_ascii_lowercase() == "memberof");
let users = backend
.list_users(Some(parsed_filters), need_groups)
.await .await
.map_err(|e| LdapError { .map_err(|e| LdapError {
code: LdapResultCode::Other, code: LdapResultCode::Other,
message: format!(r#"Error while searching user "{}": {:#}"#, base, e), message: format!(r#"Error while searching user "{}": {:#}"#, base, e),
})?; })
}
Ok(users pub fn convert_users_to_ldap_op<'a>(
.into_iter() users: Vec<UserAndGroups>,
.map(|u| { attributes: &'a [String],
ldap_info: &'a LdapInfo,
) -> impl Iterator<Item = LdapOp> + 'a {
users.into_iter().map(move |u| {
LdapOp::SearchResultEntry(make_ldap_search_user_result_entry( LdapOp::SearchResultEntry(make_ldap_search_user_result_entry(
u.user, u.user,
&ldap_info.base_dn_str, &ldap_info.base_dn_str,
&expanded_attributes, attributes,
u.groups.as_deref(), u.groups.as_deref(),
&ldap_info.ignored_user_attributes, &ldap_info.ignored_user_attributes,
)) ))
}) })
.collect::<Vec<_>>())
} }

25
server/src/domain/ldap/utils.rs
View File

@ -1,12 +1,29 @@
use itertools::Itertools; use itertools::Itertools;
use ldap3_proto::LdapResultCode; use ldap3_proto::{proto::LdapSubstringFilter, LdapResultCode};
use tracing::{debug, instrument, warn}; use tracing::{debug, instrument, warn};
use crate::domain::{ use crate::domain::{
handler::SubStringFilter,
ldap::error::{LdapError, LdapResult}, ldap::error::{LdapError, LdapResult},
types::{GroupColumn, UserColumn, UserId}, types::{GroupColumn, UserColumn, UserId},
}; };
impl From<LdapSubstringFilter> for SubStringFilter {
fn from(
LdapSubstringFilter {
initial,
any,
final_,
}: LdapSubstringFilter,
) -> Self {
Self {
initial,
any,
final_,
}
}
}
fn make_dn_pair<I>(mut iter: I) -> LdapResult<(String, String)> fn make_dn_pair<I>(mut iter: I) -> LdapResult<(String, String)>
where where
I: Iterator<Item = String>, I: Iterator<Item = String>,
@ -141,9 +158,9 @@ pub fn map_user_field(field: &str) -> Option<UserColumn> {
"uid" | "user_id" | "id" => UserColumn::UserId, "uid" | "user_id" | "id" => UserColumn::UserId,
"mail" | "email" => UserColumn::Email, "mail" | "email" => UserColumn::Email,
"cn" | "displayname" | "display_name" => UserColumn::DisplayName, "cn" | "displayname" | "display_name" => UserColumn::DisplayName,
"givenname" | "first_name" => UserColumn::FirstName, "givenname" | "first_name" | "firstname" => UserColumn::FirstName,
"sn" | "last_name" => UserColumn::LastName, "sn" | "last_name" | "lastname" => UserColumn::LastName,
"avatar" => UserColumn::Avatar, "avatar" | "jpegphoto" => UserColumn::Avatar,
"creationdate" | "createtimestamp" | "modifytimestamp" | "creation_date" => { "creationdate" | "createtimestamp" | "modifytimestamp" | "creation_date" => {
UserColumn::CreationDate UserColumn::CreationDate
} }

29
server/src/domain/sql_group_backend_handler.rs
View File

@ -7,7 +7,7 @@ use crate::domain::{
}; };
use async_trait::async_trait; use async_trait::async_trait;
use sea_orm::{ use sea_orm::{
sea_query::{Cond, IntoCondition, SimpleExpr}, sea_query::{Alias, Cond, Expr, Func, IntoCondition, SimpleExpr},
ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, QueryFilter, QueryOrder, QuerySelect, ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, QueryFilter, QueryOrder, QuerySelect,
QueryTrait, QueryTrait,
}; };
@ -15,6 +15,7 @@ use tracing::{debug, instrument};
fn get_group_filter_expr(filter: GroupRequestFilter) -> Cond { fn get_group_filter_expr(filter: GroupRequestFilter) -> Cond {
use GroupRequestFilter::*; use GroupRequestFilter::*;
let group_table = Alias::new("groups");
match filter { match filter {
And(fs) => { And(fs) => {
if fs.is_empty() { if fs.is_empty() {
@ -46,6 +47,12 @@ fn get_group_filter_expr(filter: GroupRequestFilter) -> Cond {
.into_query(), .into_query(),
) )
.into_condition(), .into_condition(),
DisplayNameSubString(filter) => SimpleExpr::FunctionCall(Func::lower(Expr::col((
group_table,
GroupColumn::DisplayName,
))))
.like(filter.to_sql_filter())
.into_condition(),
} }
} }
@ -146,7 +153,7 @@ impl GroupBackendHandler for SqlBackendHandler {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
use crate::domain::{sql_backend_handler::tests::*, types::UserId}; use crate::domain::{handler::SubStringFilter, sql_backend_handler::tests::*, types::UserId};
async fn get_group_ids( async fn get_group_ids(
handler: &SqlBackendHandler, handler: &SqlBackendHandler,
@ -221,6 +228,24 @@ mod tests {
); );
} }
#[tokio::test]
async fn test_list_groups_substring_filter() {
let fixture = TestFixture::new().await;
assert_eq!(
get_group_ids(
&fixture.handler,
Some(GroupRequestFilter::DisplayNameSubString(SubStringFilter {
initial: Some("be".to_owned()),
any: vec!["sT".to_owned()],
final_: Some("P".to_owned()),
})),
)
.await,
// Best group
vec![fixture.groups[0]]
);
}
#[tokio::test] #[tokio::test]
async fn test_get_group_details() { async fn test_get_group_details() {
let fixture = TestFixture::new().await; let fixture = TestFixture::new().await;

35
server/src/domain/sql_user_backend_handler.rs
View File

@ -8,7 +8,7 @@ use super::{
use async_trait::async_trait; use async_trait::async_trait;
use sea_orm::{ use sea_orm::{
entity::IntoActiveValue, entity::IntoActiveValue,
sea_query::{Alias, Cond, Expr, IntoColumnRef, IntoCondition, SimpleExpr}, sea_query::{Alias, Cond, Expr, Func, IntoColumnRef, IntoCondition, SimpleExpr},
ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, ModelTrait, QueryFilter, QueryOrder, ActiveModelTrait, ActiveValue, ColumnTrait, EntityTrait, ModelTrait, QueryFilter, QueryOrder,
QuerySelect, QueryTrait, Set, QuerySelect, QueryTrait, Set,
}; };
@ -49,8 +49,15 @@ fn get_user_filter_expr(filter: UserRequestFilter) -> Cond {
MemberOfId(group_id) => Expr::col((group_table, GroupColumn::GroupId)) MemberOfId(group_id) => Expr::col((group_table, GroupColumn::GroupId))
.eq(group_id) .eq(group_id)
.into_condition(), .into_condition(),
UserIdSubString(filter) => UserColumn::UserId
.like(&filter.to_sql_filter())
.into_condition(),
SubString(col, filter) => SimpleExpr::FunctionCall(Func::lower(Expr::col(col)))
.like(filter.to_sql_filter())
.into_condition(),
} }
} }
fn to_value(opt_name: &Option<String>) -> ActiveValue<Option<String>> { fn to_value(opt_name: &Option<String>) -> ActiveValue<Option<String>> {
match opt_name { match opt_name {
None => ActiveValue::NotSet, None => ActiveValue::NotSet,
@ -236,6 +243,7 @@ impl UserBackendHandler for SqlBackendHandler {
mod tests { mod tests {
use super::*; use super::*;
use crate::domain::{ use crate::domain::{
handler::SubStringFilter,
sql_backend_handler::tests::*, sql_backend_handler::tests::*,
types::{JpegPhoto, UserColumn}, types::{JpegPhoto, UserColumn},
}; };
@ -286,6 +294,31 @@ mod tests {
assert_eq!(users, vec!["bob"]); assert_eq!(users, vec!["bob"]);
} }
#[tokio::test]
async fn test_list_users_substring_filter() {
let fixture = TestFixture::new().await;
let users = get_user_names(
&fixture.handler,
Some(UserRequestFilter::And(vec![
UserRequestFilter::UserIdSubString(SubStringFilter {
initial: Some("Pa".to_owned()),
any: vec!["rI".to_owned()],
final_: Some("K".to_owned()),
}),
UserRequestFilter::SubString(
UserColumn::FirstName,
SubStringFilter {
initial: None,
any: vec!["r".to_owned(), "t".to_owned()],
final_: None,
},
),
])),
)
.await;
assert_eq!(users, vec!["patrick"]);
}
#[tokio::test] #[tokio::test]
async fn test_list_users_false_filter() { async fn test_list_users_false_filter() {
let fixture = TestFixture::new().await; let fixture = TestFixture::new().await;

20
server/src/infra/auth_service.rs
View File

@ -677,7 +677,7 @@ pub(crate) fn check_if_token_is_valid<Backend>(
}) })
} }
pub fn configure_server<Backend>(cfg: &mut web::ServiceConfig) pub fn configure_server<Backend>(cfg: &mut web::ServiceConfig, enable_password_reset: bool)
where where
Backend: TcpBackendHandler + LoginHandler + OpaqueHandler + BackendHandler + 'static, Backend: TcpBackendHandler + LoginHandler + OpaqueHandler + BackendHandler + 'static,
{ {
@ -694,14 +694,6 @@ where
web::resource("/simple/login").route(web::post().to(simple_login_handler::<Backend>)), web::resource("/simple/login").route(web::post().to(simple_login_handler::<Backend>)),
) )
.service(web::resource("/refresh").route(web::get().to(get_refresh_handler::<Backend>))) .service(web::resource("/refresh").route(web::get().to(get_refresh_handler::<Backend>)))
.service(
web::resource("/reset/step1/{user_id}")
.route(web::get().to(get_password_reset_step1_handler::<Backend>)),
)
.service(
web::resource("/reset/step2/{token}")
.route(web::get().to(get_password_reset_step2_handler::<Backend>)),
)
.service(web::resource("/logout").route(web::get().to(get_logout_handler::<Backend>))) .service(web::resource("/logout").route(web::get().to(get_logout_handler::<Backend>)))
.service( .service(
web::scope("/opaque/register") web::scope("/opaque/register")
@ -715,4 +707,14 @@ where
.route(web::post().to(opaque_register_finish_handler::<Backend>)), .route(web::post().to(opaque_register_finish_handler::<Backend>)),
), ),
); );
if enable_password_reset {
cfg.service(
web::resource("/reset/step1/{user_id}")
.route(web::get().to(get_password_reset_step1_handler::<Backend>)),
)
.service(
web::resource("/reset/step2/{token}")
.route(web::get().to(get_password_reset_step2_handler::<Backend>)),
);
}
} }

537
server/src/infra/ldap_handler.rs
View File

@ -3,23 +3,23 @@ use crate::{
handler::{BackendHandler, BindRequest, CreateUserRequest, LoginHandler}, handler::{BackendHandler, BindRequest, CreateUserRequest, LoginHandler},
ldap::{ ldap::{
error::{LdapError, LdapResult}, error::{LdapError, LdapResult},
group::get_groups_list, group::{convert_groups_to_ldap_op, get_groups_list},
user::get_user_list, user::{convert_users_to_ldap_op, get_user_list},
utils::{ utils::{
get_user_id_from_distinguished_name, is_subtree, parse_distinguished_name, LdapInfo, get_user_id_from_distinguished_name, is_subtree, parse_distinguished_name, LdapInfo,
}, },
}, },
opaque_handler::OpaqueHandler, opaque_handler::OpaqueHandler,
types::{JpegPhoto, UserId}, types::{Group, JpegPhoto, UserAndGroups, UserId},
}, },
infra::auth_service::{Permission, ValidationResults}, infra::auth_service::{Permission, ValidationResults},
}; };
use anyhow::Result; use anyhow::Result;
use ldap3_proto::proto::{ use ldap3_proto::proto::{
LdapAddRequest, LdapBindCred, LdapBindRequest, LdapBindResponse, LdapExtendedRequest, LdapAddRequest, LdapBindCred, LdapBindRequest, LdapBindResponse, LdapCompareRequest,
LdapExtendedResponse, LdapFilter, LdapOp, LdapPartialAttribute, LdapPasswordModifyRequest, LdapDerefAliases, LdapExtendedRequest, LdapExtendedResponse, LdapFilter, LdapOp,
LdapResult as LdapResultOp, LdapResultCode, LdapSearchRequest, LdapSearchResultEntry, LdapPartialAttribute, LdapPasswordModifyRequest, LdapResult as LdapResultOp, LdapResultCode,
LdapSearchScope, LdapSearchRequest, LdapSearchResultEntry, LdapSearchScope,
}; };
use std::collections::HashMap; use std::collections::HashMap;
use tracing::{debug, instrument, warn}; use tracing::{debug, instrument, warn};
@ -71,6 +71,23 @@ fn get_search_scope(base_dn: &[(String, String)], dn_parts: &[(String, String)])
} }
} }
fn make_search_request<S: Into<String>>(
base: &str,
filter: LdapFilter,
attrs: Vec<S>,
) -> LdapSearchRequest {
LdapSearchRequest {
base: base.to_string(),
scope: LdapSearchScope::Base,
aliases: LdapDerefAliases::Never,
sizelimit: 0,
timelimit: 0,
typesonly: false,
filter,
attrs: attrs.into_iter().map(Into::into).collect(),
}
}
fn make_search_success() -> LdapOp { fn make_search_success() -> LdapOp {
make_search_error(LdapResultCode::Success, "".to_string()) make_search_error(LdapResultCode::Success, "".to_string())
} }
@ -334,6 +351,18 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
} }
} }
fn get_user_permission_filter(&self) -> LdapResult<Option<UserId>> {
let user_info = self.user_info.as_ref().ok_or_else(|| LdapError {
code: LdapResultCode::InsufficentAccessRights,
message: "No user currently bound".to_string(),
})?;
Ok(if user_info.is_admin_or_readonly() {
None
} else {
Some(user_info.user.clone())
})
}
pub async fn do_search_or_dse( pub async fn do_search_or_dse(
&mut self, &mut self,
request: &LdapSearchRequest, request: &LdapSearchRequest,
@ -349,30 +378,19 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
} }
} }
} }
let user_info = self.user_info.as_ref().ok_or_else(|| LdapError { self.do_search(request).await
code: LdapResultCode::InsufficentAccessRights,
message: "No user currently bound".to_string(),
})?;
let user_filter = if user_info.is_admin_or_readonly() {
None
} else {
Some(user_info.user.clone())
};
self.do_search(request, user_filter).await
} }
#[instrument(skip_all, level = "debug")] async fn do_search_internal(
pub async fn do_search(
&mut self, &mut self,
request: &LdapSearchRequest, request: &LdapSearchRequest,
user_filter: Option<UserId>, user_filter: &Option<&UserId>,
) -> LdapResult<Vec<LdapOp>> { ) -> LdapResult<(Option<Vec<UserAndGroups>>, Option<Vec<Group>>)> {
let user_filter = user_filter.as_ref();
let dn_parts = parse_distinguished_name(&request.base.to_ascii_lowercase())?; let dn_parts = parse_distinguished_name(&request.base.to_ascii_lowercase())?;
let scope = get_search_scope(&self.ldap_info.base_dn, &dn_parts); let scope = get_search_scope(&self.ldap_info.base_dn, &dn_parts);
debug!(?request.base, ?scope); debug!(?request.base, ?scope);
// Disambiguate the lifetimes. // Disambiguate the lifetimes.
fn cast<T, R, B: 'a, 'a>(x: T) -> T fn cast<'a, T, R, B: 'a>(x: T) -> T
where where
T: Fn(&'a mut B, &'a LdapFilter) -> R + 'a, T: Fn(&'a mut B, &'a LdapFilter) -> R + 'a,
{ {
@ -380,12 +398,16 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
} }
let get_user_list = cast(|backend_handler: &mut Backend, filter: &LdapFilter| async { let get_user_list = cast(|backend_handler: &mut Backend, filter: &LdapFilter| async {
let need_groups = request
.attrs
.iter()
.any(|s| s.to_ascii_lowercase() == "memberof");
get_user_list( get_user_list(
&self.ldap_info, &self.ldap_info,
filter, filter,
&request.attrs, need_groups,
&request.base, &request.base,
&user_filter, user_filter,
backend_handler, backend_handler,
) )
.await .await
@ -394,38 +416,45 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
get_groups_list( get_groups_list(
&self.ldap_info, &self.ldap_info,
filter, filter,
&request.attrs,
&request.base, &request.base,
&user_filter, user_filter,
backend_handler, backend_handler,
) )
.await .await
}); });
let mut results: Vec<_> = match scope { Ok(match scope {
SearchScope::Global => { SearchScope::Global => (
let mut results = Vec::new(); Some(get_user_list(&mut self.backend_handler, &request.filter).await?),
results.extend(get_user_list(&mut self.backend_handler, &request.filter).await?); Some(get_group_list(&mut self.backend_handler, &request.filter).await?),
results.extend(get_group_list(&mut self.backend_handler, &request.filter).await?); ),
results SearchScope::Users => (
} Some(get_user_list(&mut self.backend_handler, &request.filter).await?),
SearchScope::Users => get_user_list(&mut self.backend_handler, &request.filter).await?, None,
SearchScope::Groups => { ),
get_group_list(&mut self.backend_handler, &request.filter).await? SearchScope::Groups => (
} None,
Some(get_group_list(&mut self.backend_handler, &request.filter).await?),
),
SearchScope::User(filter) => { SearchScope::User(filter) => {
let filter = LdapFilter::And(vec![request.filter.clone(), filter]); let filter = LdapFilter::And(vec![request.filter.clone(), filter]);
get_user_list(&mut self.backend_handler, &filter).await? (
Some(get_user_list(&mut self.backend_handler, &filter).await?),
None,
)
} }
SearchScope::Group(filter) => { SearchScope::Group(filter) => {
let filter = LdapFilter::And(vec![request.filter.clone(), filter]); let filter = LdapFilter::And(vec![request.filter.clone(), filter]);
get_group_list(&mut self.backend_handler, &filter).await? (
None,
Some(get_group_list(&mut self.backend_handler, &filter).await?),
)
} }
SearchScope::Unknown => { SearchScope::Unknown => {
warn!( warn!(
r#"The requested search tree "{}" matches neither the user subtree "ou=people,{}" nor the group subtree "ou=groups,{}""#, r#"The requested search tree "{}" matches neither the user subtree "ou=people,{}" nor the group subtree "ou=groups,{}""#,
&request.base, &self.ldap_info.base_dn_str, &self.ldap_info.base_dn_str &request.base, &self.ldap_info.base_dn_str, &self.ldap_info.base_dn_str
); );
Vec::new() (None, None)
} }
SearchScope::Invalid => { SearchScope::Invalid => {
// Search path is not in our tree, just return an empty success. // Search path is not in our tree, just return an empty success.
@ -433,9 +462,33 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
"The specified search tree {:?} is not under the common subtree {:?}", "The specified search tree {:?} is not under the common subtree {:?}",
&dn_parts, &self.ldap_info.base_dn &dn_parts, &self.ldap_info.base_dn
); );
Vec::new() (None, None)
}
})
}
#[instrument(skip_all, level = "debug")]
pub async fn do_search(&mut self, request: &LdapSearchRequest) -> LdapResult<Vec<LdapOp>> {
let user_filter = self.get_user_permission_filter()?;
let user_filter = user_filter.as_ref();
let (users, groups) = self.do_search_internal(request, &user_filter).await?;
let mut results = Vec::new();
if let Some(users) = users {
results.extend(convert_users_to_ldap_op(
users,
&request.attrs,
&self.ldap_info,
));
}
if let Some(groups) = groups {
results.extend(convert_groups_to_ldap_op(
groups,
&request.attrs,
&self.ldap_info,
&user_filter,
));
} }
};
if results.is_empty() || matches!(results[results.len() - 1], LdapOp::SearchResultEntry(_)) if results.is_empty() || matches!(results[results.len() - 1], LdapOp::SearchResultEntry(_))
{ {
results.push(make_search_success()); results.push(make_search_success());
@ -527,6 +580,55 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
Ok(vec![make_add_error(LdapResultCode::Success, String::new())]) Ok(vec![make_add_error(LdapResultCode::Success, String::new())])
} }
pub async fn do_compare(&mut self, request: LdapCompareRequest) -> LdapResult<Vec<LdapOp>> {
let req = make_search_request::<String>(
&self.ldap_info.base_dn_str,
LdapFilter::Equality("dn".to_string(), request.dn.to_string()),
vec![request.atype.clone()],
);
let entries = self.do_search(&req).await?;
if entries.len() > 2 {
// SearchResultEntry + SearchResultDone
return Err(LdapError {
code: LdapResultCode::OperationsError,
message: "Too many search results".to_string(),
});
}
match entries.first() {
Some(LdapOp::SearchResultEntry(entry)) => {
let available = entry
.attributes
.iter()
.any(|attr| attr.atype == request.atype && attr.vals.contains(&request.val));
Ok(vec![LdapOp::CompareResult(LdapResultOp {
code: if available {
LdapResultCode::CompareTrue
} else {
LdapResultCode::CompareFalse
},
matcheddn: request.dn,
message: "".to_string(),
referral: vec![],
})])
}
Some(LdapOp::SearchResultDone(_)) => Ok(vec![LdapOp::CompareResult(LdapResultOp {
code: LdapResultCode::NoSuchObject,
matcheddn: self.ldap_info.base_dn_str.clone(),
message: "".to_string(),
referral: vec![],
})]),
None => Err(LdapError {
code: LdapResultCode::OperationsError,
message: "Search request returned nothing".to_string(),
}),
_ => Err(LdapError {
code: LdapResultCode::OperationsError,
message: "Unexpected results from search".to_string(),
}),
}
}
pub async fn handle_ldap_message(&mut self, ldap_op: LdapOp) -> Option<Vec<LdapOp>> { pub async fn handle_ldap_message(&mut self, ldap_op: LdapOp) -> Option<Vec<LdapOp>> {
Some(match ldap_op { Some(match ldap_op {
LdapOp::BindRequest(request) => { LdapOp::BindRequest(request) => {
@ -555,6 +657,10 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
.do_create_user(request) .do_create_user(request)
.await .await
.unwrap_or_else(|e: LdapError| vec![make_add_error(e.code, e.message)]), .unwrap_or_else(|e: LdapError| vec![make_add_error(e.code, e.message)]),
LdapOp::CompareRequest(request) => self
.do_compare(request)
.await
.unwrap_or_else(|e: LdapError| vec![make_search_error(e.code, e.message)]),
op => vec![make_extended_response( op => vec![make_extended_response(
LdapResultCode::UnwillingToPerform, LdapResultCode::UnwillingToPerform,
format!("Unsupported operation: {:#?}", op), format!("Unsupported operation: {:#?}", op),
@ -572,7 +678,7 @@ mod tests {
}; };
use async_trait::async_trait; use async_trait::async_trait;
use chrono::TimeZone; use chrono::TimeZone;
use ldap3_proto::proto::{LdapDerefAliases, LdapSearchScope}; use ldap3_proto::proto::{LdapDerefAliases, LdapSearchScope, LdapSubstringFilter};
use mockall::predicate::eq; use mockall::predicate::eq;
use std::collections::HashSet; use std::collections::HashSet;
use tokio; use tokio;
@ -625,23 +731,6 @@ mod tests {
} }
} }
fn make_search_request<S: Into<String>>(
base: &str,
filter: LdapFilter,
attrs: Vec<S>,
) -> LdapSearchRequest {
LdapSearchRequest {
base: base.to_string(),
scope: LdapSearchScope::Base,
aliases: LdapDerefAliases::Never,
sizelimit: 0,
timelimit: 0,
typesonly: false,
filter,
attrs: attrs.into_iter().map(Into::into).collect(),
}
}
fn make_user_search_request<S: Into<String>>( fn make_user_search_request<S: Into<String>>(
filter: LdapFilter, filter: LdapFilter,
attrs: Vec<S>, attrs: Vec<S>,
@ -649,6 +738,13 @@ mod tests {
make_search_request::<S>("ou=people,Dc=example,dc=com", filter, attrs) make_search_request::<S>("ou=people,Dc=example,dc=com", filter, attrs)
} }
fn make_group_search_request<S: Into<String>>(
filter: LdapFilter,
attrs: Vec<S>,
) -> LdapSearchRequest {
make_search_request::<S>("ou=groups,dc=example,dc=com", filter, attrs)
}
async fn setup_bound_handler_with_group( async fn setup_bound_handler_with_group(
mut mock: MockTestBackendHandler, mut mock: MockTestBackendHandler,
group: &str, group: &str,
@ -778,7 +874,7 @@ mod tests {
mock.expect_list_users() mock.expect_list_users()
.with( .with(
eq(Some(UserRequestFilter::And(vec![ eq(Some(UserRequestFilter::And(vec![
UserRequestFilter::from(true), true.into(),
UserRequestFilter::UserId(UserId::new("test")), UserRequestFilter::UserId(UserId::new("test")),
]))), ]))),
eq(false), eq(false),
@ -813,7 +909,7 @@ mod tests {
async fn test_search_readonly_user() { async fn test_search_readonly_user() {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
mock.expect_list_users() mock.expect_list_users()
.with(eq(Some(UserRequestFilter::from(true))), eq(false)) .with(eq(Some(true.into())), eq(false))
.times(1) .times(1)
.return_once(|_, _| Ok(vec![])); .return_once(|_, _| Ok(vec![]));
let mut ldap_handler = setup_bound_readonly_handler(mock).await; let mut ldap_handler = setup_bound_readonly_handler(mock).await;
@ -830,7 +926,7 @@ mod tests {
async fn test_search_member_of() { async fn test_search_member_of() {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
mock.expect_list_users() mock.expect_list_users()
.with(eq(Some(UserRequestFilter::from(true))), eq(true)) .with(eq(Some(true.into())), eq(true))
.times(1) .times(1)
.return_once(|_, _| { .return_once(|_, _| {
Ok(vec![UserAndGroups { Ok(vec![UserAndGroups {
@ -873,7 +969,7 @@ mod tests {
mock.expect_list_users() mock.expect_list_users()
.with( .with(
eq(Some(UserRequestFilter::And(vec![ eq(Some(UserRequestFilter::And(vec![
UserRequestFilter::from(true), true.into(),
UserRequestFilter::UserId(UserId::new("bob")), UserRequestFilter::UserId(UserId::new("bob")),
]))), ]))),
eq(false), eq(false),
@ -1131,7 +1227,7 @@ mod tests {
async fn test_search_groups() { async fn test_search_groups() {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
mock.expect_list_groups() mock.expect_list_groups()
.with(eq(Some(GroupRequestFilter::from(true)))) .with(eq(Some(true.into())))
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
Ok(vec![ Ok(vec![
@ -1152,8 +1248,7 @@ mod tests {
]) ])
}); });
let mut ldap_handler = setup_bound_admin_handler(mock).await; let mut ldap_handler = setup_bound_admin_handler(mock).await;
let request = make_search_request( let request = make_group_search_request(
"ou=groups,dc=example,dc=cOm",
LdapFilter::And(vec![]), LdapFilter::And(vec![]),
vec!["objectClass", "dn", "cn", "uniqueMember", "entryUuid"], vec!["objectClass", "dn", "cn", "uniqueMember", "entryUuid"],
); );
@ -1218,12 +1313,18 @@ mod tests {
GroupRequestFilter::DisplayName("group_1".to_string()), GroupRequestFilter::DisplayName("group_1".to_string()),
GroupRequestFilter::Member(UserId::new("bob")), GroupRequestFilter::Member(UserId::new("bob")),
GroupRequestFilter::DisplayName("rockstars".to_string()), GroupRequestFilter::DisplayName("rockstars".to_string()),
GroupRequestFilter::from(true), false.into(),
GroupRequestFilter::from(true), true.into(),
GroupRequestFilter::from(true), true.into(),
GroupRequestFilter::from(true), true.into(),
GroupRequestFilter::Not(Box::new(GroupRequestFilter::from(false))), true.into(),
GroupRequestFilter::from(false), GroupRequestFilter::Not(Box::new(false.into())),
false.into(),
GroupRequestFilter::DisplayNameSubString(SubStringFilter {
initial: Some("iNIt".to_owned()),
any: vec!["1".to_owned(), "2aA".to_owned()],
final_: Some("finAl".to_owned()),
}),
])))) ]))))
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
@ -1236,8 +1337,7 @@ mod tests {
}]) }])
}); });
let mut ldap_handler = setup_bound_admin_handler(mock).await; let mut ldap_handler = setup_bound_admin_handler(mock).await;
let request = make_search_request( let request = make_group_search_request(
"ou=groups,dc=example,dc=com",
LdapFilter::And(vec![ LdapFilter::And(vec![
LdapFilter::Equality("cN".to_string(), "Group_1".to_string()), LdapFilter::Equality("cN".to_string(), "Group_1".to_string()),
LdapFilter::Equality( LdapFilter::Equality(
@ -1248,6 +1348,10 @@ mod tests {
"dn".to_string(), "dn".to_string(),
"uid=rockstars,ou=groups,dc=example,dc=com".to_string(), "uid=rockstars,ou=groups,dc=example,dc=com".to_string(),
), ),
LdapFilter::Equality(
"dn".to_string(),
"uid=rockstars,ou=people,dc=example,dc=com".to_string(),
),
LdapFilter::Equality("obJEctclass".to_string(), "groupofUniqueNames".to_string()), LdapFilter::Equality("obJEctclass".to_string(), "groupofUniqueNames".to_string()),
LdapFilter::Equality("objectclass".to_string(), "groupOfNames".to_string()), LdapFilter::Equality("objectclass".to_string(), "groupOfNames".to_string()),
LdapFilter::Present("objectclass".to_string()), LdapFilter::Present("objectclass".to_string()),
@ -1256,6 +1360,14 @@ mod tests {
"random_attribUte".to_string(), "random_attribUte".to_string(),
))), ))),
LdapFilter::Equality("unknown_attribute".to_string(), "randomValue".to_string()), LdapFilter::Equality("unknown_attribute".to_string(), "randomValue".to_string()),
LdapFilter::Substring(
"cn".to_owned(),
LdapSubstringFilter {
initial: Some("iNIt".to_owned()),
any: vec!["1".to_owned(), "2aA".to_owned()],
final_: Some("finAl".to_owned()),
},
),
]), ]),
vec!["1.1"], vec!["1.1"],
); );
@ -1291,8 +1403,7 @@ mod tests {
}]) }])
}); });
let mut ldap_handler = setup_bound_admin_handler(mock).await; let mut ldap_handler = setup_bound_admin_handler(mock).await;
let request = make_search_request( let request = make_group_search_request(
"ou=groups,dc=example,dc=com",
LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality( LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality(
"displayname".to_string(), "displayname".to_string(),
"group_2".to_string(), "group_2".to_string(),
@ -1319,7 +1430,7 @@ mod tests {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
mock.expect_list_groups() mock.expect_list_groups()
.with(eq(Some(GroupRequestFilter::And(vec![ .with(eq(Some(GroupRequestFilter::And(vec![
GroupRequestFilter::from(true), true.into(),
GroupRequestFilter::DisplayName("rockstars".to_string()), GroupRequestFilter::DisplayName("rockstars".to_string()),
])))) ]))))
.times(1) .times(1)
@ -1342,6 +1453,22 @@ mod tests {
); );
} }
#[tokio::test]
async fn test_search_groups_unsupported_substring() {
let mut ldap_handler = setup_bound_admin_handler(MockTestBackendHandler::new()).await;
let request = make_group_search_request(
LdapFilter::Substring("member".to_owned(), LdapSubstringFilter::default()),
vec!["cn"],
);
assert_eq!(
ldap_handler.do_search_or_dse(&request).await,
Err(LdapError {
code: LdapResultCode::UnwillingToPerform,
message: r#"Unsupported group attribute for substring filter: "member""#.to_owned()
})
);
}
#[tokio::test] #[tokio::test]
async fn test_search_groups_error() { async fn test_search_groups_error() {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
@ -1358,8 +1485,7 @@ mod tests {
)) ))
}); });
let mut ldap_handler = setup_bound_admin_handler(mock).await; let mut ldap_handler = setup_bound_admin_handler(mock).await;
let request = make_search_request( let request = make_group_search_request(
"ou=groups,dc=example,dc=com",
LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality( LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality(
"displayname".to_string(), "displayname".to_string(),
"group_2".to_string(), "group_2".to_string(),
@ -1378,20 +1504,18 @@ mod tests {
#[tokio::test] #[tokio::test]
async fn test_search_groups_filter_error() { async fn test_search_groups_filter_error() {
let mut ldap_handler = setup_bound_admin_handler(MockTestBackendHandler::new()).await; let mut ldap_handler = setup_bound_admin_handler(MockTestBackendHandler::new()).await;
let request = make_search_request( let request = make_group_search_request(
"ou=groups,dc=example,dc=com", LdapFilter::And(vec![LdapFilter::Approx(
LdapFilter::And(vec![LdapFilter::Substring( "whatever".to_owned(),
"whatever".to_string(), "value".to_owned(),
ldap3_proto::proto::LdapSubstringFilter::default(),
)]), )]),
vec!["cn"], vec!["cn"],
); );
assert_eq!( assert_eq!(
ldap_handler.do_search_or_dse(&request).await, ldap_handler.do_search_or_dse(&request).await,
Err(LdapError{ Err(LdapError {
code: LdapResultCode::UnwillingToPerform, code: LdapResultCode::UnwillingToPerform,
message: r#"Unsupported group filter: Substring("whatever", LdapSubstringFilter { initial: None, any: [], final_: None })"# message: r#"Unsupported group filter: Approx("whatever", "value")"#.to_string()
.to_string()
}) })
); );
} }
@ -1407,12 +1531,26 @@ mod tests {
"bob", "bob",
)))), )))),
UserRequestFilter::UserId("bob_1".to_string().into()), UserRequestFilter::UserId("bob_1".to_string().into()),
UserRequestFilter::from(true), false.into(),
UserRequestFilter::from(false), true.into(),
UserRequestFilter::from(true), false.into(),
UserRequestFilter::from(true), true.into(),
UserRequestFilter::from(false), true.into(),
UserRequestFilter::from(false), false.into(),
false.into(),
UserRequestFilter::UserIdSubString(SubStringFilter {
initial: Some("iNIt".to_owned()),
any: vec!["1".to_owned(), "2aA".to_owned()],
final_: Some("finAl".to_owned()),
}),
UserRequestFilter::SubString(
UserColumn::FirstName,
SubStringFilter {
initial: Some("iNIt".to_owned()),
any: vec!["1".to_owned(), "2aA".to_owned()],
final_: Some("finAl".to_owned()),
},
),
], ],
)]))), )]))),
eq(false), eq(false),
@ -1430,12 +1568,32 @@ mod tests {
"dn".to_string(), "dn".to_string(),
"uid=bob_1,ou=people,dc=example,dc=com".to_string(), "uid=bob_1,ou=people,dc=example,dc=com".to_string(),
), ),
LdapFilter::Equality(
"dn".to_string(),
"uid=bob_1,ou=groups,dc=example,dc=com".to_string(),
),
LdapFilter::Equality("objectclass".to_string(), "persOn".to_string()), LdapFilter::Equality("objectclass".to_string(), "persOn".to_string()),
LdapFilter::Equality("objectclass".to_string(), "other".to_string()), LdapFilter::Equality("objectclass".to_string(), "other".to_string()),
LdapFilter::Present("objectClass".to_string()), LdapFilter::Present("objectClass".to_string()),
LdapFilter::Present("uid".to_string()), LdapFilter::Present("uid".to_string()),
LdapFilter::Present("unknown".to_string()), LdapFilter::Present("unknown".to_string()),
LdapFilter::Equality("unknown_attribute".to_string(), "randomValue".to_string()), LdapFilter::Equality("unknown_attribute".to_string(), "randomValue".to_string()),
LdapFilter::Substring(
"uid".to_owned(),
LdapSubstringFilter {
initial: Some("iNIt".to_owned()),
any: vec!["1".to_owned(), "2aA".to_owned()],
final_: Some("finAl".to_owned()),
},
),
LdapFilter::Substring(
"firstName".to_owned(),
LdapSubstringFilter {
initial: Some("iNIt".to_owned()),
any: vec!["1".to_owned(), "2aA".to_owned()],
final_: Some("finAl".to_owned()),
},
),
])]), ])]),
vec!["objectClass"], vec!["objectClass"],
); );
@ -1560,7 +1718,7 @@ mod tests {
}]) }])
}); });
mock.expect_list_groups() mock.expect_list_groups()
.with(eq(Some(GroupRequestFilter::from(true)))) .with(eq(Some(true.into())))
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
Ok(vec![Group { Ok(vec![Group {
@ -1635,7 +1793,7 @@ mod tests {
}]) }])
}); });
mock.expect_list_groups() mock.expect_list_groups()
.with(eq(Some(GroupRequestFilter::from(true)))) .with(eq(Some(true.into())))
.returning(|_| { .returning(|_| {
Ok(vec![Group { Ok(vec![Group {
id: GroupId(1), id: GroupId(1),
@ -1807,17 +1965,14 @@ mod tests {
async fn test_search_unsupported_filters() { async fn test_search_unsupported_filters() {
let mut ldap_handler = setup_bound_admin_handler(MockTestBackendHandler::new()).await; let mut ldap_handler = setup_bound_admin_handler(MockTestBackendHandler::new()).await;
let request = make_user_search_request( let request = make_user_search_request(
LdapFilter::Substring( LdapFilter::Approx("uid".to_owned(), "value".to_owned()),
"uid".to_string(),
ldap3_proto::proto::LdapSubstringFilter::default(),
),
vec!["objectClass"], vec!["objectClass"],
); );
assert_eq!( assert_eq!(
ldap_handler.do_search_or_dse(&request).await, ldap_handler.do_search_or_dse(&request).await,
Err(LdapError{ Err(LdapError {
code: LdapResultCode::UnwillingToPerform, code: LdapResultCode::UnwillingToPerform,
message: r#"Unsupported user filter: Substring("uid", LdapSubstringFilter { initial: None, any: [], final_: None })"#.to_string() message: r#"Unsupported user filter: Approx("uid", "value")"#.to_string()
}) })
); );
} }
@ -2091,7 +2246,7 @@ mod tests {
async fn test_search_filter_non_attribute() { async fn test_search_filter_non_attribute() {
let mut mock = MockTestBackendHandler::new(); let mut mock = MockTestBackendHandler::new();
mock.expect_list_users() mock.expect_list_users()
.with(eq(Some(UserRequestFilter::from(true))), eq(false)) .with(eq(Some(true.into())), eq(false))
.times(1) .times(1)
.return_once(|_, _| Ok(vec![])); .return_once(|_, _| Ok(vec![]));
let mut ldap_handler = setup_bound_admin_handler(mock).await; let mut ldap_handler = setup_bound_admin_handler(mock).await;
@ -2104,4 +2259,178 @@ mod tests {
Ok(vec![make_search_success()]) Ok(vec![make_search_success()])
); );
} }
#[tokio::test]
async fn test_compare_user() {
let mut mock = MockTestBackendHandler::new();
mock.expect_list_users().returning(|f, g| {
assert_eq!(f, Some(UserRequestFilter::UserId(UserId::new("bob"))));
assert!(!g);
Ok(vec![UserAndGroups {
user: User {
user_id: UserId::new("bob"),
email: "bob@bobmail.bob".to_string(),
..Default::default()
},
groups: None,
}])
});
mock.expect_list_groups().returning(|_| Ok(vec![]));
let mut ldap_handler = setup_bound_admin_handler(mock).await;
let dn = "uid=bob,ou=people,dc=example,dc=com";
let request = LdapCompareRequest {
dn: dn.to_string(),
atype: "uid".to_owned(),
val: b"bob".to_vec(),
};
assert_eq!(
ldap_handler.do_compare(request).await,
Ok(vec![LdapOp::CompareResult(LdapResultOp {
code: LdapResultCode::CompareTrue,
matcheddn: dn.to_string(),
message: "".to_string(),
referral: vec![],
})])
);
// Non-canonical attribute.
let request = LdapCompareRequest {
dn: dn.to_string(),
atype: "eMail".to_owned(),
val: b"bob@bobmail.bob".to_vec(),
};
assert_eq!(
ldap_handler.do_compare(request).await,
Ok(vec![LdapOp::CompareResult(LdapResultOp {
code: LdapResultCode::CompareTrue,
matcheddn: dn.to_string(),
message: "".to_string(),
referral: vec![],
})])
);
}
#[tokio::test]
async fn test_compare_group() {
let mut mock = MockTestBackendHandler::new();
mock.expect_list_users().returning(|_, _| Ok(vec![]));
mock.expect_list_groups().returning(|f| {
assert_eq!(f, Some(GroupRequestFilter::DisplayName("group".to_owned())));
Ok(vec![Group {
id: GroupId(1),
display_name: "group".to_string(),
creation_date: chrono::Utc.timestamp_opt(42, 42).unwrap().naive_utc(),
users: vec![UserId::new("bob")],
uuid: uuid!("04ac75e0-2900-3e21-926c-2f732c26b3fc"),
}])
});
let mut ldap_handler = setup_bound_admin_handler(mock).await;
let dn = "uid=group,ou=groups,dc=example,dc=com";
let request = LdapCompareRequest {
dn: dn.to_string(),
atype: "uid".to_owned(),
val: b"group".to_vec(),
};
assert_eq!(
ldap_handler.do_compare(request).await,
Ok(vec![LdapOp::CompareResult(LdapResultOp {
code: LdapResultCode::CompareTrue,
matcheddn: dn.to_string(),
message: "".to_string(),
referral: vec![],
})])
);
}
#[tokio::test]
async fn test_compare_not_found() {
let mut mock = MockTestBackendHandler::new();
mock.expect_list_users().returning(|f, g| {
assert_eq!(f, Some(UserRequestFilter::UserId(UserId::new("bob"))));
assert!(!g);
Ok(vec![])
});
mock.expect_list_groups().returning(|_| Ok(vec![]));
let mut ldap_handler = setup_bound_admin_handler(mock).await;
let dn = "uid=bob,ou=people,dc=example,dc=com";
let request = LdapCompareRequest {
dn: dn.to_string(),
atype: "uid".to_owned(),
val: b"bob".to_vec(),
};
assert_eq!(
ldap_handler.do_compare(request).await,
Ok(vec![LdapOp::CompareResult(LdapResultOp {
code: LdapResultCode::NoSuchObject,
matcheddn: "dc=example,dc=com".to_owned(),
message: "".to_string(),
referral: vec![],
})])
);
}
#[tokio::test]
async fn test_compare_no_match() {
let mut mock = MockTestBackendHandler::new();
mock.expect_list_users().returning(|f, g| {
assert_eq!(f, Some(UserRequestFilter::UserId(UserId::new("bob"))));
assert!(!g);
Ok(vec![UserAndGroups {
user: User {
user_id: UserId::new("bob"),
email: "bob@bobmail.bob".to_string(),
..Default::default()
},
groups: None,
}])
});
mock.expect_list_groups().returning(|_| Ok(vec![]));
let mut ldap_handler = setup_bound_admin_handler(mock).await;
let dn = "uid=bob,ou=people,dc=example,dc=com";
let request = LdapCompareRequest {
dn: dn.to_string(),
atype: "mail".to_owned(),
val: b"bob@bob".to_vec(),
};
assert_eq!(
ldap_handler.do_compare(request).await,
Ok(vec![LdapOp::CompareResult(LdapResultOp {
code: LdapResultCode::CompareFalse,
matcheddn: dn.to_string(),
message: "".to_string(),
referral: vec![],
})])
);
}
#[tokio::test]
async fn test_compare_group_member() {
let mut mock = MockTestBackendHandler::new();
mock.expect_list_users().returning(|_, _| Ok(vec![]));
mock.expect_list_groups().returning(|f| {
assert_eq!(f, Some(GroupRequestFilter::DisplayName("group".to_owned())));
Ok(vec![Group {
id: GroupId(1),
display_name: "group".to_string(),
creation_date: chrono::Utc.timestamp_opt(42, 42).unwrap().naive_utc(),
users: vec![UserId::new("bob")],
uuid: uuid!("04ac75e0-2900-3e21-926c-2f732c26b3fc"),
}])
});
let mut ldap_handler = setup_bound_admin_handler(mock).await;
let dn = "uid=group,ou=groups,dc=example,dc=com";
let request = LdapCompareRequest {
dn: dn.to_string(),
atype: "uniqueMember".to_owned(),
val: b"uid=bob,ou=people,dc=example,dc=com".to_vec(),
};
assert_eq!(
ldap_handler.do_compare(request).await,
Ok(vec![LdapOp::CompareResult(LdapResultOp {
code: LdapResultCode::CompareTrue,
matcheddn: dn.to_owned(),
message: "".to_string(),
referral: vec![],
})])
);
}
} }

6
server/src/infra/tcp_server.rs
View File

@ -73,6 +73,7 @@ fn http_config<Backend>(
) where ) where
Backend: TcpBackendHandler + BackendHandler + LoginHandler + OpaqueHandler + Sync + 'static, Backend: TcpBackendHandler + BackendHandler + LoginHandler + OpaqueHandler + Sync + 'static,
{ {
let enable_password_reset = mail_options.enable_password_reset;
cfg.app_data(web::Data::new(AppState::<Backend> { cfg.app_data(web::Data::new(AppState::<Backend> {
backend_handler, backend_handler,
jwt_key: Hmac::new_varkey(jwt_secret.unsecure().as_bytes()).unwrap(), jwt_key: Hmac::new_varkey(jwt_secret.unsecure().as_bytes()).unwrap(),
@ -81,7 +82,10 @@ fn http_config<Backend>(
mail_options, mail_options,
})) }))
.route("/health", web::get().to(|| HttpResponse::Ok().finish())) .route("/health", web::get().to(|| HttpResponse::Ok().finish()))
.service(web::scope("/auth").configure(auth_service::configure_server::<Backend>)) .service(
web::scope("/auth")
.configure(|cfg| auth_service::configure_server::<Backend>(cfg, enable_password_reset)),
)
// API endpoint. // API endpoint.
.service( .service(
web::scope("/api") web::scope("/api")