server: Add support for DN filters

Luca Tagliavini 2023-01-17 14:21:57 +01:00 committed by GitHub
parent f979e16b95
commit 807fd10d13
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 42 additions and 2 deletions


@ -12,7 +12,8 @@ use crate::domain::{
use super::{ use super::{
error::LdapResult, error::LdapResult,
utils::{ utils::{
expand_attribute_wildcards, get_user_id_from_distinguished_name, map_group_field, LdapInfo, expand_attribute_wildcards, get_group_id_from_distinguished_name,
get_user_id_from_distinguished_name, map_group_field, LdapInfo,
}, },
}; };
@ -126,6 +127,19 @@ fn convert_group_filter(
vec![], vec![],
)))), )))),
}, },
"dn" => Ok(
match get_group_id_from_distinguished_name(
value.to_ascii_lowercase().as_str(),
&ldap_info.base_dn,
&ldap_info.base_dn_str,
) {
Ok(value) => GroupRequestFilter::DisplayName(value),
Err(_) => {
warn!("Invalid dn filter on group: {}", value);
GroupRequestFilter::Not(Box::new(GroupRequestFilter::And(vec![])))
}
},
),
_ => match map_group_field(field) { _ => match map_group_field(field) {
Some(GroupColumn::DisplayName) => { Some(GroupColumn::DisplayName) => {
Ok(GroupRequestFilter::DisplayName(value.to_string())) Ok(GroupRequestFilter::DisplayName(value.to_string()))
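Review bot: The `Err(_)` arm of the new `"dn"` case discards the parse error and writes the client-supplied filter value to the log with `{}`, so the log line neither says why the DN was rejected nor escapes control characters the client may have put in it. Formatting the value with `{:?}` and keeping the error would cover both, e.g. `Err(e) => { warn!("Invalid dn filter on group: {:?}: {:?}", value, e);` (this assumes the helper's error type implements `Debug`, which the hunk does not show). The matching `"dn"` arm added to `convert_user_filter` has the same line. The fallback `Not(Box::new(And(vec![])))` appears to be a match-nothing filter, which keeps a rejected DN fail-closed; a one-line comment such as `// Not(And([])) matches nothing` would make that intent explicit. `convert_group_filter` starts and ends outside the hunk.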


@ -6,7 +6,10 @@ use tracing::{debug, info, instrument, warn};
use crate::domain::{ use crate::domain::{
handler::{BackendHandler, UserRequestFilter}, handler::{BackendHandler, UserRequestFilter},
ldap::{error::LdapError, utils::expand_attribute_wildcards}, ldap::{
error::LdapError,
utils::{expand_attribute_wildcards, get_user_id_from_distinguished_name},
},
types::{GroupDetails, User, UserColumn, UserId}, types::{GroupDetails, User, UserColumn, UserId},
}; };
@ -147,6 +150,19 @@ fn convert_user_filter(ldap_info: &LdapInfo, filter: &LdapFilter) -> LdapResult<
vec![], vec![],
)))), )))),
}, },
"dn" => Ok(
match get_user_id_from_distinguished_name(
value.to_ascii_lowercase().as_str(),
&ldap_info.base_dn,
&ldap_info.base_dn_str,
) {
Ok(value) => UserRequestFilter::UserId(value),
Err(_) => {
warn!("Invalid dn filter on user: {}", value);
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![])))
}
},
),
_ => match map_user_field(field) { _ => match map_user_field(field) {
Some(UserColumn::UserId) => Ok(UserRequestFilter::UserId(UserId::new(value))), Some(UserColumn::UserId) => Ok(UserRequestFilter::UserId(UserId::new(value))),
Some(field) => Ok(UserRequestFilter::Equality(field, value.clone())), Some(field) => Ok(UserRequestFilter::Equality(field, value.clone())),
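Review bot: `value.to_ascii_lowercase()` folds the whole DN, including the `uid` value, before it is parsed, so the `UserId` built in the `Ok` arm comes from a lowercased string while the default arm just below passes `value` to `UserId::new` unchanged. If `UserId` does not normalise case itself (not visible in this hunk), a DN filter and a plain `uid` filter for the same mixed-case user would produce different `UserRequestFilter::UserId` values. Either state the assumption in a comment, e.g. `// the whole DN is folded to lowercase; assumes user ids compare case-insensitively`, or lowercase only for the base-DN comparison inside the helper. The `Ok(value)` binding also shadows the outer `value` that the `Err` arm logs; a distinct name such as `Ok(user_id)` would read more clearly. `convert_user_filter` continues outside the hunk.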


@ -1217,6 +1217,7 @@ mod tests {
.with(eq(Some(GroupRequestFilter::And(vec![ .with(eq(Some(GroupRequestFilter::And(vec![
GroupRequestFilter::DisplayName("group_1".to_string()), GroupRequestFilter::DisplayName("group_1".to_string()),
GroupRequestFilter::Member(UserId::new("bob")), GroupRequestFilter::Member(UserId::new("bob")),
GroupRequestFilter::DisplayName("rockstars".to_string()),
GroupRequestFilter::And(vec![]), GroupRequestFilter::And(vec![]),
GroupRequestFilter::And(vec![]), GroupRequestFilter::And(vec![]),
GroupRequestFilter::And(vec![]), GroupRequestFilter::And(vec![]),
@ -1245,6 +1246,10 @@ mod tests {
"uniqueMember".to_string(), "uniqueMember".to_string(),
"uid=bob,ou=peopLe,Dc=eXample,dc=com".to_string(), "uid=bob,ou=peopLe,Dc=eXample,dc=com".to_string(),
), ),
LdapFilter::Equality(
"dn".to_string(),
"uid=rockstars,ou=groups,dc=example,dc=com".to_string(),
),
LdapFilter::Equality("obJEctclass".to_string(), "groupofUniqueNames".to_string()), LdapFilter::Equality("obJEctclass".to_string(), "groupofUniqueNames".to_string()),
LdapFilter::Equality("objectclass".to_string(), "groupOfNames".to_string()), LdapFilter::Equality("objectclass".to_string(), "groupOfNames".to_string()),
LdapFilter::Present("objectclass".to_string()), LdapFilter::Present("objectclass".to_string()),
@ -1403,6 +1408,7 @@ mod tests {
UserRequestFilter::Not(Box::new(UserRequestFilter::UserId(UserId::new( UserRequestFilter::Not(Box::new(UserRequestFilter::UserId(UserId::new(
"bob", "bob",
)))), )))),
UserRequestFilter::UserId("bob_1".to_string().into()),
UserRequestFilter::And(vec![]), UserRequestFilter::And(vec![]),
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))), UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
UserRequestFilter::And(vec![]), UserRequestFilter::And(vec![]),
@ -1422,6 +1428,10 @@ mod tests {
"uid".to_string(), "uid".to_string(),
"bob".to_string(), "bob".to_string(),
))), ))),
LdapFilter::Equality(
"dn".to_string(),
"uid=bob_1,ou=people,dc=example,dc=com".to_string(),
),
LdapFilter::Equality("objectclass".to_string(), "persOn".to_string()), LdapFilter::Equality("objectclass".to_string(), "persOn".to_string()),
LdapFilter::Equality("objectclass".to_string(), "other".to_string()), LdapFilter::Equality("objectclass".to_string(), "other".to_string()),
LdapFilter::Present("objectClass".to_string()), LdapFilter::Present("objectClass".to_string()),
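Review bot: The added cases exercise only well-formed, all-lowercase DNs, so neither the `Err(_)` fallback nor the case folding in the new `"dn"` arms is pinned by a test. I would add one `LdapFilter::Equality` on `"dn"` whose DN lies outside the configured base and assert that it maps to `Not(Box::new(And(vec![])))`, so a rejected DN can never silently widen the search. I would also add one with a mixed-case name to fix the expected `DisplayName` / `UserId`. A constructed value for the first case: `"uid=bob_1,ou=people,dc=other,dc=com"`. The enclosing test functions start and end outside these hunks.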