From 807fd10d13a700c5d7507e2113748b95d6c7bf9e Mon Sep 17 00:00:00 2001
From: Luca Tagliavini
Date: Tue, 17 Jan 2023 14:21:57 +0100
Subject: [PATCH] server: Add support for DN filters
---
 server/src/domain/ldap/group.rs | 16 +++++++++++++++-
 server/src/domain/ldap/user.rs | 18 +++++++++++++++++-
 server/src/infra/ldap_handler.rs | 10 ++++++++++
 3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/server/src/domain/ldap/group.rs b/server/src/domain/ldap/group.rs
index 2ab5b64..2a4e37f 100644
--- a/server/src/domain/ldap/group.rs
+++ b/server/src/domain/ldap/group.rs
@@ -12,7 +12,8 @@ use crate::domain::{
 use super::{
 error::LdapResult,
 utils::{
- expand_attribute_wildcards, get_user_id_from_distinguished_name, map_group_field, LdapInfo,
+ expand_attribute_wildcards, get_group_id_from_distinguished_name,
+ get_user_id_from_distinguished_name, map_group_field, LdapInfo,
 },
 };
@@ -126,6 +127,19 @@ fn convert_group_filter(
 vec![],
 )))),
 },
+ "dn" => Ok(
+ match get_group_id_from_distinguished_name(
+ value.to_ascii_lowercase().as_str(),
+ &ldap_info.base_dn,
+ &ldap_info.base_dn_str,
+ ) {
+ Ok(value) => GroupRequestFilter::DisplayName(value),
+ Err(_) => {
+ warn!("Invalid dn filter on group: {}", value);
+ GroupRequestFilter::Not(Box::new(GroupRequestFilter::And(vec![])))
+ }
+ },
+ ),
 _ => match map_group_field(field) {
 Some(GroupColumn::DisplayName) => {
 Ok(GroupRequestFilter::DisplayName(value.to_string()))
diff --git a/server/src/domain/ldap/user.rs b/server/src/domain/ldap/user.rs
index 6903aa4..20b06c9 100644
--- a/server/src/domain/ldap/user.rs
+++ b/server/src/domain/ldap/user.rs
@@ -6,7 +6,10 @@ use tracing::{debug, info, instrument, warn};
 use crate::domain::{
 handler::{BackendHandler, UserRequestFilter},
- ldap::{error::LdapError, utils::expand_attribute_wildcards},
+ ldap::{
+ error::LdapError,
+ utils::{expand_attribute_wildcards, get_user_id_from_distinguished_name},
+ },
 types::{GroupDetails, User, UserColumn, UserId},
 };
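Review bot: `value.to_ascii_lowercase()` is applied to the whole DN before `get_group_id_from_distinguished_name` extracts the group name, so the resulting `GroupRequestFilter::DisplayName` is always lower-case; if the backend compares display names case-sensitively (not visible here), a `dn` filter for a group stored as `Rockstars` silently matches nothing, whereas the `displayName` equality arm just below passes `value.to_string()` through unchanged. Either fold case only for the base-DN comparison inside the helper, or add a mixed-case group DN to the ldap_handler.rs test so the intended behaviour is pinned. The literal `"dn"` arm here and in the user.rs `convert_user_filter` hunk also assumes `field` was lower-cased by the caller, since LDAP attribute names are case-insensitive; if it was not, a `DN=` filter falls through to `map_group_field`. Finally, the `warn!` in both hunks fires on any unparseable DN a client chooses to send, which is ordinary client input rather than a server fault, so `debug!` (already imported in user.rs) may be the more appropriate level. `convert_group_filter` starts and ends outside the hunk.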
@@ -147,6 +150,19 @@ fn convert_user_filter(ldap_info: &LdapInfo, filter: &LdapFilter) -> LdapResult<
 vec![],
 )))),
 },
+ "dn" => Ok(
+ match get_user_id_from_distinguished_name(
+ value.to_ascii_lowercase().as_str(),
+ &ldap_info.base_dn,
+ &ldap_info.base_dn_str,
+ ) {
+ Ok(value) => UserRequestFilter::UserId(value),
+ Err(_) => {
+ warn!("Invalid dn filter on user: {}", value);
+ UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![])))
+ }
+ },
+ ),
 _ => match map_user_field(field) {
 Some(UserColumn::UserId) => Ok(UserRequestFilter::UserId(UserId::new(value))),
 Some(field) => Ok(UserRequestFilter::Equality(field, value.clone())),
diff --git a/server/src/infra/ldap_handler.rs b/server/src/infra/ldap_handler.rs
index 8ae3e1c..6287573 100644
--- a/server/src/infra/ldap_handler.rs
+++ b/server/src/infra/ldap_handler.rs
@@ -1217,6 +1217,7 @@ mod tests {
 .with(eq(Some(GroupRequestFilter::And(vec![
 GroupRequestFilter::DisplayName("group_1".to_string()),
 GroupRequestFilter::Member(UserId::new("bob")),
+ GroupRequestFilter::DisplayName("rockstars".to_string()),
 GroupRequestFilter::And(vec![]),
 GroupRequestFilter::And(vec![]),
 GroupRequestFilter::And(vec![]),
@@ -1245,6 +1246,10 @@ mod tests {
 "uniqueMember".to_string(),
 "uid=bob,ou=peopLe,Dc=eXample,dc=com".to_string(),
 ),
+ LdapFilter::Equality(
+ "dn".to_string(),
+ "uid=rockstars,ou=groups,dc=example,dc=com".to_string(),
+ ),
 LdapFilter::Equality("obJEctclass".to_string(), "groupofUniqueNames".to_string()),
 LdapFilter::Equality("objectclass".to_string(), "groupOfNames".to_string()),
 LdapFilter::Present("objectclass".to_string()),
@@ -1403,6 +1408,7 @@ mod tests {
 UserRequestFilter::Not(Box::new(UserRequestFilter::UserId(UserId::new(
 "bob",
 )))),
+ UserRequestFilter::UserId("bob_1".to_string().into()),
 UserRequestFilter::And(vec![]),
 UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
 UserRequestFilter::And(vec![]),
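Review bot: The new `"dn"` arm is a line-for-line copy of the one added to `convert_group_filter` in group.rs, differing only in the helper called, the filter constructor and the log text, so the two fallback paths will drift apart the first time one of them changes; a small helper in `utils` that wraps the parse-or-match-nothing fallback and takes the constructor as a closure would keep them in step. Shadowing the `value` parameter with the parsed id in `Ok(value) => UserRequestFilter::UserId(value)` also reads confusingly next to the `Err` arm, which still refers to the outer `value`; `Ok(user_id) => UserRequestFilter::UserId(user_id),` makes the distinction visible. `convert_user_filter` starts before the hunk and continues past it.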
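Review bot: Both new `dn` filter cases (this hunk and the user one at `@@ -1422`) exercise only a well-formed, lower-case DN under the expected OU, so the `Err(_)` branch that maps an unparseable or out-of-tree DN to `Not(And(vec![]))` is not covered, and neither is the case folding of a mixed-case DN like the `uid=bob,ou=peopLe,Dc=eXample,dc=com` used for `uniqueMember` two lines above. One extra filter with a constructed DN outside the groups subtree, paired with a `GroupRequestFilter::Not(Box::new(GroupRequestFilter::And(vec![])))` expectation in the `@@ -1217` hunk, would pin the rejection path. The group DN here uses a `uid=` RDN; if the server itself emits group DNs with a `cn=` RDN (not visible in this diff), the test should use the form clients will actually see returned. The test function starts and ends outside the hunk.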
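Review bot: `UserRequestFilter::UserId("bob_1".to_string().into())` builds the id through `String` and `Into`, while the expectation two lines above uses `UserId::new("bob")`; `UserRequestFilter::UserId(UserId::new("bob_1")),` keeps the test consistent with its neighbours and avoids depending on a `From<String>` impl for `UserId`. The test function starts and ends outside the hunk.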
@@ -1422,6 +1428,10 @@ mod tests {
 "uid".to_string(),
 "bob".to_string(),
 ))),
+ LdapFilter::Equality(
+ "dn".to_string(),
+ "uid=bob_1,ou=people,dc=example,dc=com".to_string(),
+ ),
 LdapFilter::Equality("objectclass".to_string(), "persOn".to_string()),
 LdapFilter::Equality("objectclass".to_string(), "other".to_string()),
 LdapFilter::Present("objectClass".to_string()),