use crate::{ domain::{ handler::{ BackendHandler, BindRequest, Group, GroupDetails, GroupRequestFilter, LoginHandler, User, UserId, UserRequestFilter, Uuid, }, opaque_handler::OpaqueHandler, }, infra::auth_service::Permission, }; use anyhow::{bail, Context, Result}; use itertools::Itertools; use ldap3_server::proto::{ LdapBindCred, LdapBindRequest, LdapBindResponse, LdapExtendedRequest, LdapExtendedResponse, LdapFilter, LdapOp, LdapPartialAttribute, LdapPasswordModifyRequest, LdapResult, LdapResultCode, LdapSearchRequest, LdapSearchResultEntry, LdapSearchScope, }; use tracing::{debug, instrument, warn}; #[derive(Debug, PartialEq, Eq, Clone)] struct LdapDn(String); fn make_dn_pair(mut iter: I) -> Result<(String, String)> where I: Iterator, { let pair = ( iter.next() .ok_or_else(|| anyhow::Error::msg("Empty DN element"))?, iter.next() .ok_or_else(|| anyhow::Error::msg("Missing DN value"))?, ); if let Some(e) = iter.next() { bail!( r#"Too many elements in distinguished name: "{:?}", "{:?}", "{:?}""#, pair.0, pair.1, e ) } Ok(pair) } fn parse_distinguished_name(dn: &str) -> Result> { assert!(dn == dn.to_ascii_lowercase()); dn.split(',') .map(|s| make_dn_pair(s.split('=').map(str::trim).map(String::from))) .collect() } #[derive(Debug)] enum SearchScope { Global, Users, Groups, User(LdapFilter), Group(LdapFilter), Unknown, Invalid, } fn get_search_scope(base_dn: &[(String, String)], dn_parts: &[(String, String)]) -> SearchScope { let base_dn_len = base_dn.len(); if !is_subtree(dn_parts, base_dn) { SearchScope::Invalid } else if dn_parts.len() == base_dn_len { SearchScope::Global } else if dn_parts.len() == base_dn_len + 1 && dn_parts[0] == ("ou".to_string(), "people".to_string()) { SearchScope::Users } else if dn_parts.len() == base_dn_len + 1 && dn_parts[0] == ("ou".to_string(), "groups".to_string()) { SearchScope::Groups } else if dn_parts.len() == base_dn_len + 2 && dn_parts[1] == ("ou".to_string(), "people".to_string()) { SearchScope::User(LdapFilter::Equality( dn_parts[0].0.clone(), dn_parts[0].1.clone(), )) } else if dn_parts.len() == base_dn_len + 2 && dn_parts[1] == ("ou".to_string(), "groups".to_string()) { SearchScope::Group(LdapFilter::Equality( dn_parts[0].0.clone(), dn_parts[0].1.clone(), )) } else { SearchScope::Unknown } } fn get_group_id_from_distinguished_name( dn: &str, base_tree: &[(String, String)], base_dn_str: &str, ) -> Result { let parts = parse_distinguished_name(dn).context("while parsing a group ID")?; if !is_subtree(&parts, base_tree) { bail!("Not a subtree of the base tree"); } if parts.len() == base_tree.len() + 2 { if parts[1].0 != "ou" || parts[1].1 != "groups" || parts[0].0 != "cn" { bail!( r#"Unexpected group DN format. Got "{}", expected: "cn=groupname,ou=groups,{}""#, dn, base_dn_str ); } Ok(parts[0].1.to_string()) } else { bail!( r#"Unexpected group DN format. Got "{}", expected: "cn=groupname,ou=groups,{}""#, dn, base_dn_str ); } } fn get_user_id_from_distinguished_name( dn: &str, base_tree: &[(String, String)], base_dn_str: &str, ) -> Result { let parts = parse_distinguished_name(dn).context("while parsing a user ID")?; if !is_subtree(&parts, base_tree) { bail!("Not a subtree of the base tree"); } if parts.len() == base_tree.len() + 2 { if parts[1].0 != "ou" || parts[1].1 != "people" || (parts[0].0 != "cn" && parts[0].0 != "uid") { bail!( r#"Unexpected user DN format. Got "{}", expected: "uid=username,ou=people,{}""#, dn, base_dn_str ); } Ok(UserId::new(&parts[0].1)) } else { bail!( r#"Unexpected user DN format. Got "{}", expected: "uid=username,ou=people,{}""#, dn, base_dn_str ); } } fn get_user_attribute( user: &User, attribute: &str, dn: &str, base_dn_str: &str, groups: Option<&[GroupDetails]>, ignored_user_attributes: &[String], ) -> Result>> { let attribute = attribute.to_ascii_lowercase(); Ok(Some(match attribute.as_str() { "objectclass" => vec![ "inetOrgPerson".to_string(), "posixAccount".to_string(), "mailAccount".to_string(), "person".to_string(), ], "dn" | "distinguishedname" => vec![dn.to_string()], "uid" => vec![user.user_id.to_string()], "entryuuid" => vec![user.uuid.to_string()], "mail" => vec![user.email.clone()], "givenname" => vec![user.first_name.clone()], "sn" => vec![user.last_name.clone()], "memberof" => groups .into_iter() .flatten() .map(|id_and_name| { format!( "uid={},ou=groups,{}", &id_and_name.display_name, base_dn_str ) }) .collect(), "cn" | "displayname" => vec![user.display_name.clone()], "createtimestamp" | "modifytimestamp" => vec![user.creation_date.to_rfc3339()], "1.1" => return Ok(None), // We ignore the operational attribute wildcard. "+" => return Ok(None), "*" => { bail!( "Matched {}, * should have been expanded into attribute list and * removed", attribute ) } _ => { if !ignored_user_attributes.contains(&attribute) { warn!( r#"Ignoring unrecognized group attribute: {}\n\ To disable this warning, add it to "ignored_user_attributes" in the config."#, attribute ); } return Ok(None); } })) } #[instrument(skip_all, level = "debug")] fn expand_attribute_wildcards<'a>( ldap_attributes: &'a [String], all_attribute_keys: &'a [&'static str], ) -> Vec<&'a str> { let mut attributes_out = ldap_attributes .iter() .map(String::as_str) .collect::>(); if attributes_out.iter().any(|&x| x == "*") || attributes_out.is_empty() { // Remove occurrences of '*' attributes_out.retain(|&x| x != "*"); // Splice in all non-operational attributes attributes_out.extend(all_attribute_keys.iter()); } // Deduplicate, preserving order let resolved_attributes = attributes_out .into_iter() .unique_by(|a| a.to_ascii_lowercase()) .collect_vec(); debug!(?ldap_attributes, ?resolved_attributes); resolved_attributes } const ALL_USER_ATTRIBUTE_KEYS: &[&str] = &[ "objectclass", "dn", "uid", "mail", "givenname", "sn", "cn", "createtimestamp", ]; fn make_ldap_search_user_result_entry( user: User, base_dn_str: &str, attributes: &[&str], groups: Option<&[GroupDetails]>, ignored_user_attributes: &[String], ) -> Result { let dn = format!("uid={},ou=people,{}", user.user_id.as_str(), base_dn_str); Ok(LdapSearchResultEntry { dn: dn.clone(), attributes: attributes .iter() .filter_map(|a| { let values = match get_user_attribute( &user, a, &dn, base_dn_str, groups, ignored_user_attributes, ) { Err(e) => return Some(Err(e)), Ok(v) => v, }?; Some(Ok(LdapPartialAttribute { atype: a.to_string(), vals: values, })) }) .collect::>>()?, }) } fn get_group_attribute( group: &Group, base_dn_str: &str, attribute: &str, user_filter: &Option<&UserId>, ignored_group_attributes: &[String], ) -> Result>> { let attribute = attribute.to_ascii_lowercase(); Ok(Some(match attribute.as_str() { "objectclass" => vec!["groupOfUniqueNames".to_string()], "dn" | "distinguishedname" => vec![format!( "cn={},ou=groups,{}", group.display_name, base_dn_str )], "cn" | "uid" => vec![group.display_name.clone()], "entryuuid" => vec![group.uuid.to_string()], "member" | "uniquemember" => group .users .iter() .filter(|u| user_filter.map(|f| *u == f).unwrap_or(true)) .map(|u| format!("uid={},ou=people,{}", u, base_dn_str)) .collect(), "1.1" => return Ok(None), // We ignore the operational attribute wildcard "+" => return Ok(None), "*" => { bail!( "Matched {}, * should have been expanded into attribute list and * removed", attribute ) } _ => { if !ignored_group_attributes.contains(&attribute) { warn!( r#"Ignoring unrecognized group attribute: {}\n\ To disable this warning, add it to "ignored_group_attributes" in the config."#, attribute ); } return Ok(None); } })) } const ALL_GROUP_ATTRIBUTE_KEYS: &[&str] = &["objectclass", "dn", "uid", "cn", "member", "uniquemember"]; fn make_ldap_search_group_result_entry( group: Group, base_dn_str: &str, attributes: &[String], user_filter: &Option<&UserId>, ignored_group_attributes: &[String], ) -> Result { let expanded_attributes = expand_attribute_wildcards(attributes, ALL_GROUP_ATTRIBUTE_KEYS); Ok(LdapSearchResultEntry { dn: format!("cn={},ou=groups,{}", group.display_name, base_dn_str), attributes: expanded_attributes .iter() .filter_map(|a| { let values = match get_group_attribute( &group, base_dn_str, a, user_filter, ignored_group_attributes, ) { Err(e) => return Some(Err(e)), Ok(v) => v, }?; Some(Ok(LdapPartialAttribute { atype: a.to_string(), vals: values, })) }) .collect::>>()?, }) } fn is_subtree(subtree: &[(String, String)], base_tree: &[(String, String)]) -> bool { for (k, v) in subtree { assert!(k == &k.to_ascii_lowercase()); assert!(v == &v.to_ascii_lowercase()); } for (k, v) in base_tree { assert!(k == &k.to_ascii_lowercase()); assert!(v == &v.to_ascii_lowercase()); } if subtree.len() < base_tree.len() { return false; } let size_diff = subtree.len() - base_tree.len(); for i in 0..base_tree.len() { if subtree[size_diff + i] != base_tree[i] { return false; } } true } fn map_field(field: &str) -> Result<&'static str> { assert!(field == field.to_ascii_lowercase()); Ok(match field { "uid" => "user_id", "mail" => "email", "cn" | "displayname" => "display_name", "givenname" => "first_name", "sn" => "last_name", "avatar" => "avatar", "creationdate" | "createtimestamp" | "modifytimestamp" => "creation_date", "entryuuid" => "uuid", _ => bail!("Unknown field: {}", field), }) } fn make_search_success() -> LdapOp { make_search_error(LdapResultCode::Success, "".to_string()) } fn make_search_error(code: LdapResultCode, message: String) -> LdapOp { LdapOp::SearchResultDone(LdapResult { code, matcheddn: "".to_string(), message, referral: vec![], }) } fn make_extended_response(code: LdapResultCode, message: String) -> LdapOp { LdapOp::ExtendedResponse(LdapExtendedResponse { res: LdapResult { code, matcheddn: "".to_string(), message, referral: vec![], }, name: None, value: None, }) } fn root_dse_response(base_dn: &str) -> LdapOp { LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "".to_string(), attributes: vec![ LdapPartialAttribute { atype: "objectClass".to_string(), vals: vec!["top".to_string()], }, LdapPartialAttribute { atype: "vendorName".to_string(), vals: vec!["LLDAP".to_string()], }, LdapPartialAttribute { atype: "vendorVersion".to_string(), vals: vec!["lldap_0.2.0".to_string()], }, LdapPartialAttribute { atype: "supportedLDAPVersion".to_string(), vals: vec!["3".to_string()], }, LdapPartialAttribute { atype: "supportedExtension".to_string(), vals: vec!["1.3.6.1.4.1.4203.1.11.1".to_string()], }, LdapPartialAttribute { atype: "defaultnamingcontext".to_string(), vals: vec![base_dn.to_string()], }, ], }) } pub struct LdapHandler { user_info: Option<(UserId, Permission)>, backend_handler: Backend, pub base_dn: Vec<(String, String)>, base_dn_str: String, ignored_user_attributes: Vec, ignored_group_attributes: Vec, } impl LdapHandler { pub fn new( backend_handler: Backend, mut ldap_base_dn: String, ignored_user_attributes: Vec, ignored_group_attributes: Vec, ) -> Self { ldap_base_dn.make_ascii_lowercase(); Self { user_info: None, backend_handler, base_dn: parse_distinguished_name(&ldap_base_dn).unwrap_or_else(|_| { panic!( "Invalid value for ldap_base_dn in configuration: {}", ldap_base_dn ) }), base_dn_str: ldap_base_dn, ignored_user_attributes, ignored_group_attributes, } } #[instrument(skip_all, level = "debug")] pub async fn do_bind(&mut self, request: &LdapBindRequest) -> (LdapResultCode, String) { debug!("DN: {}", &request.dn); let user_id = match get_user_id_from_distinguished_name( &request.dn.to_ascii_lowercase(), &self.base_dn, &self.base_dn_str, ) { Ok(s) => s, Err(e) => return (LdapResultCode::NamingViolation, e.to_string()), }; let LdapBindCred::Simple(password) = &request.cred; match self .backend_handler .bind(BindRequest { name: user_id.clone(), password: password.clone(), }) .await { Ok(()) => { let user_groups = self.backend_handler.get_user_groups(&user_id).await; let is_in_group = |name| { user_groups .as_ref() .map(|groups| groups.iter().any(|g| g.display_name == name)) .unwrap_or(false) }; self.user_info = Some(( user_id, if is_in_group("lldap_admin") { Permission::Admin } else if is_in_group("lldap_readonly") { Permission::Readonly } else { Permission::Regular }, )); debug!("Success!"); (LdapResultCode::Success, "".to_string()) } Err(_) => (LdapResultCode::InvalidCredentials, "".to_string()), } } async fn change_password(&mut self, user: &UserId, password: &str) -> Result<()> { use lldap_auth::*; let mut rng = rand::rngs::OsRng; let registration_start_request = opaque::client::registration::start_registration(password, &mut rng)?; let req = registration::ClientRegistrationStartRequest { username: user.to_string(), registration_start_request: registration_start_request.message, }; let registration_start_response = self.backend_handler.registration_start(req).await?; let registration_finish = opaque::client::registration::finish_registration( registration_start_request.state, registration_start_response.registration_response, &mut rng, )?; let req = registration::ClientRegistrationFinishRequest { server_data: registration_start_response.server_data, registration_upload: registration_finish.message, }; self.backend_handler.registration_finish(req).await?; Ok(()) } async fn do_password_modification( &mut self, request: &LdapPasswordModifyRequest, ) -> Vec { let (user_id, permission) = match &self.user_info { Some(info) => info, _ => { return vec![make_search_error( LdapResultCode::InsufficentAccessRights, "No user currently bound".to_string(), )]; } }; match (&request.user_identity, &request.new_password) { (Some(user), Some(password)) => { match get_user_id_from_distinguished_name(user, &self.base_dn, &self.base_dn_str) { Ok(uid) => { let user_is_admin = match self.backend_handler.get_user_groups(&uid).await { Ok(groups) => groups.iter().any(|g| g.display_name == "lldap_admin"), Err(e) => { return vec![make_extended_response( LdapResultCode::OperationsError, format!( "Internal error while requesting user's groups: {:#?}", e ), )] } }; if !(*permission == Permission::Admin || user_id == &uid || (*permission == Permission::Readonly && !user_is_admin)) { return vec![make_extended_response( LdapResultCode::InsufficentAccessRights, format!( r#"User `{}` cannot modify the password of user `{}`"#, &user_id, &uid ), )]; } if let Err(e) = self.change_password(&uid, password).await { vec![make_extended_response( LdapResultCode::Other, format!("Error while changing the password: {:#?}", e), )] } else { vec![make_extended_response( LdapResultCode::Success, "".to_string(), )] } } Err(e) => vec![make_extended_response( LdapResultCode::InvalidDNSyntax, format!("Invalid username: {:#?}", e), )], } } _ => vec![make_extended_response( LdapResultCode::ConstraintViolation, "Missing either user_id or password".to_string(), )], } } async fn do_extended_request(&mut self, request: &LdapExtendedRequest) -> Vec { match LdapPasswordModifyRequest::try_from(request) { Ok(password_request) => self.do_password_modification(&password_request).await, Err(_) => vec![make_extended_response( LdapResultCode::UnwillingToPerform, format!("Unsupported extended operation: {}", &request.name), )], } } pub async fn do_search_or_dse(&mut self, request: &LdapSearchRequest) -> Vec { let user_filter = match self.user_info.clone() { Some((_, Permission::Admin)) | Some((_, Permission::Readonly)) => None, Some((user_id, Permission::Regular)) => Some(user_id), None => { return vec![make_search_error( LdapResultCode::InsufficentAccessRights, "No user currently bound".to_string(), )]; } }; if request.base.is_empty() && request.scope == LdapSearchScope::Base && request.filter == LdapFilter::Present("objectClass".to_string()) { debug!("rootDSE request"); return vec![root_dse_response(&self.base_dn_str), make_search_success()]; } self.do_search(request, user_filter).await } #[instrument(skip_all, level = "debug")] pub async fn do_search( &mut self, request: &LdapSearchRequest, user_filter: Option, ) -> Vec { let user_filter = user_filter.as_ref(); let dn_parts = match parse_distinguished_name(&request.base.to_ascii_lowercase()) { Ok(dn) => dn, Err(_) => { return vec![make_search_error( LdapResultCode::OperationsError, format!(r#"Could not parse base DN: "{}""#, request.base), )] } }; let scope = get_search_scope(&self.base_dn, &dn_parts); debug!(?request.base, ?scope); let get_user_list = || async { self.get_user_list(&request.filter, &request.attrs, &request.base, &user_filter) .await }; let get_group_list = || async { self.get_groups_list(&request.filter, &request.attrs, &request.base, &user_filter) .await }; let mut results = match scope { SearchScope::Global => { let mut results = Vec::new(); results.extend(get_user_list().await); results.extend(get_group_list().await); results } SearchScope::Users => get_user_list().await, SearchScope::Groups => get_group_list().await, SearchScope::User(filter) => { let filter = LdapFilter::And(vec![request.filter.clone(), filter]); self.get_user_list(&filter, &request.attrs, &request.base, &user_filter) .await } SearchScope::Group(filter) => { let filter = LdapFilter::And(vec![request.filter.clone(), filter]); self.get_groups_list(&filter, &request.attrs, &request.base, &user_filter) .await } SearchScope::Unknown => { warn!( r#"The requested search tree "{}" matches neither the user subtree "ou=people,{}" nor the group subtree "ou=groups,{}""#, &request.base, &self.base_dn_str, &self.base_dn_str ); Vec::new() } SearchScope::Invalid => { // Search path is not in our tree, just return an empty success. warn!( "The specified search tree {:?} is not under the common subtree {:?}", &dn_parts, &self.base_dn ); Vec::new() } }; if results.is_empty() || matches!(results[results.len() - 1], LdapOp::SearchResultEntry(_)) { results.push(make_search_success()); } results } #[instrument(skip_all, level = "debug")] async fn get_user_list( &self, ldap_filter: &LdapFilter, attributes: &[String], base: &str, user_filter: &Option<&UserId>, ) -> Vec { debug!(?ldap_filter); let filters = match self.convert_user_filter(ldap_filter) { Ok(f) => f, Err(e) => { return vec![make_search_error( LdapResultCode::UnwillingToPerform, format!("Unsupported user filter: {:#}", e), )] } }; let parsed_filters = match user_filter { None => filters, Some(u) => { UserRequestFilter::And(vec![filters, UserRequestFilter::UserId((*u).clone())]) } }; debug!(?parsed_filters); let expanded_attributes = expand_attribute_wildcards(attributes, ALL_USER_ATTRIBUTE_KEYS); let need_groups = expanded_attributes .iter() .any(|s| s.to_ascii_lowercase() == "memberof"); let users = match self .backend_handler .list_users(Some(parsed_filters), need_groups) .await { Ok(users) => users, Err(e) => { return vec![make_search_error( LdapResultCode::Other, format!(r#"Error while searching user "{}": {:#}"#, base, e), )] } }; users .into_iter() .map(|u| { make_ldap_search_user_result_entry( u.user, &self.base_dn_str, &expanded_attributes, u.groups.as_deref(), &self.ignored_user_attributes, ) }) .map(|entry| Ok(LdapOp::SearchResultEntry(entry?))) .collect::>>() .unwrap_or_else(|e| { vec![make_search_error( LdapResultCode::NoSuchAttribute, e.to_string(), )] }) } #[instrument(skip_all, level = "debug")] async fn get_groups_list( &self, ldap_filter: &LdapFilter, attributes: &[String], base: &str, user_filter: &Option<&UserId>, ) -> Vec { debug!(?ldap_filter); let filter = match self.convert_group_filter(ldap_filter) { Ok(f) => f, Err(e) => { return vec![make_search_error( LdapResultCode::UnwillingToPerform, format!("Unsupported group filter: {:#}", e), )] } }; let parsed_filters = match user_filter { None => filter, Some(u) => { GroupRequestFilter::And(vec![filter, GroupRequestFilter::Member((*u).clone())]) } }; debug!(?parsed_filters); let groups = match self.backend_handler.list_groups(Some(parsed_filters)).await { Ok(groups) => groups, Err(e) => { return vec![make_search_error( LdapResultCode::Other, format!(r#"Error while listing groups "{}": {:#}"#, base, e), )] } }; groups .into_iter() .map(|u| { make_ldap_search_group_result_entry( u, &self.base_dn_str, attributes, user_filter, &self.ignored_group_attributes, ) }) .map(|entry| Ok(LdapOp::SearchResultEntry(entry?))) .collect::>>() .unwrap_or_else(|e| { vec![make_search_error( LdapResultCode::NoSuchAttribute, e.to_string(), )] }) } pub async fn handle_ldap_message(&mut self, ldap_op: LdapOp) -> Option> { Some(match ldap_op { LdapOp::BindRequest(request) => { let (code, message) = self.do_bind(&request).await; vec![LdapOp::BindResponse(LdapBindResponse { res: LdapResult { code, matcheddn: "".to_string(), message, referral: vec![], }, saslcreds: None, })] } LdapOp::SearchRequest(request) => self.do_search_or_dse(&request).await, LdapOp::UnbindRequest => { self.user_info = None; // No need to notify on unbind (per rfc4511) return None; } LdapOp::ExtendedRequest(request) => self.do_extended_request(&request).await, op => vec![make_extended_response( LdapResultCode::UnwillingToPerform, format!("Unsupported operation: {:#?}", op), )], }) } fn convert_group_filter(&self, filter: &LdapFilter) -> Result { match filter { LdapFilter::Equality(field, value) => { let field = &field.to_ascii_lowercase(); let value = &value.to_ascii_lowercase(); match field.as_str() { "member" | "uniquemember" => { let user_name = get_user_id_from_distinguished_name( value, &self.base_dn, &self.base_dn_str, )?; Ok(GroupRequestFilter::Member(user_name)) } "objectclass" => { if value == "groupofuniquenames" || value == "groupofnames" { Ok(GroupRequestFilter::And(vec![])) } else { Ok(GroupRequestFilter::Not(Box::new(GroupRequestFilter::And( vec![], )))) } } _ => { match map_field(field) { Ok("display_name") | Ok("user_id") => { return Ok(GroupRequestFilter::DisplayName(value.clone())); } Ok("uuid") => { return Ok(GroupRequestFilter::Uuid(Uuid::try_from( value.as_str(), )?)); } _ => (), }; if !self.ignored_group_attributes.contains(field) { warn!( r#"Ignoring unknown group attribute "{:?}" in filter.\n\ To disable this warning, add it to "ignored_group_attributes" in the config."#, field ); } Ok(GroupRequestFilter::Not(Box::new(GroupRequestFilter::And( vec![], )))) } } } LdapFilter::And(filters) => Ok(GroupRequestFilter::And( filters .iter() .map(|f| self.convert_group_filter(f)) .collect::>()?, )), LdapFilter::Or(filters) => Ok(GroupRequestFilter::Or( filters .iter() .map(|f| self.convert_group_filter(f)) .collect::>()?, )), LdapFilter::Not(filter) => Ok(GroupRequestFilter::Not(Box::new( self.convert_group_filter(filter)?, ))), LdapFilter::Present(field) => { if ALL_GROUP_ATTRIBUTE_KEYS.contains(&field.to_ascii_lowercase().as_str()) { Ok(GroupRequestFilter::And(vec![])) } else { Ok(GroupRequestFilter::Not(Box::new(GroupRequestFilter::And( vec![], )))) } } _ => bail!("Unsupported group filter: {:?}", filter), } } fn convert_user_filter(&self, filter: &LdapFilter) -> Result { match filter { LdapFilter::And(filters) => Ok(UserRequestFilter::And( filters .iter() .map(|f| self.convert_user_filter(f)) .collect::>()?, )), LdapFilter::Or(filters) => Ok(UserRequestFilter::Or( filters .iter() .map(|f| self.convert_user_filter(f)) .collect::>()?, )), LdapFilter::Not(filter) => Ok(UserRequestFilter::Not(Box::new( self.convert_user_filter(filter)?, ))), LdapFilter::Equality(field, value) => { let field = &field.to_ascii_lowercase(); match field.as_str() { "memberof" => { let group_name = get_group_id_from_distinguished_name( &value.to_ascii_lowercase(), &self.base_dn, &self.base_dn_str, )?; Ok(UserRequestFilter::MemberOf(group_name)) } "objectclass" => { if value == "person" || value == "inetOrgPerson" || value == "posixAccount" || value == "mailAccount" { Ok(UserRequestFilter::And(vec![])) } else { Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And( vec![], )))) } } _ => match map_field(field) { Ok(field) => { if field == "user_id" { Ok(UserRequestFilter::UserId(UserId::new(value))) } else { Ok(UserRequestFilter::Equality( field.to_string(), value.clone(), )) } } Err(_) => { if !self.ignored_user_attributes.contains(field) { warn!( r#"Ignoring unknown user attribute "{}" in filter.\n\ To disable this warning, add it to "ignored_user_attributes" in the config"#, field ); } Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And( vec![], )))) } }, } } LdapFilter::Present(field) => { let field = &field.to_ascii_lowercase(); // Check that it's a field we support. if field == "objectclass" || map_field(field).is_ok() { Ok(UserRequestFilter::And(vec![])) } else { Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And( vec![], )))) } } _ => bail!("Unsupported user filter: {:?}", filter), } } } #[cfg(test)] mod tests { use super::*; use crate::{ domain::{error::Result, handler::*, opaque_handler::*}, uuid, }; use async_trait::async_trait; use chrono::TimeZone; use ldap3_server::proto::{LdapDerefAliases, LdapSearchScope}; use mockall::predicate::eq; use std::collections::HashSet; use tokio; mockall::mock! { pub TestBackendHandler{} impl Clone for TestBackendHandler { fn clone(&self) -> Self; } #[async_trait] impl LoginHandler for TestBackendHandler { async fn bind(&self, request: BindRequest) -> Result<()>; } #[async_trait] impl BackendHandler for TestBackendHandler { async fn list_users(&self, filters: Option, get_groups: bool) -> Result>; async fn list_groups(&self, filters: Option) -> Result>; async fn get_user_details(&self, user_id: &UserId) -> Result; async fn get_group_details(&self, group_id: GroupId) -> Result; async fn get_user_groups(&self, user: &UserId) -> Result>; async fn create_user(&self, request: CreateUserRequest) -> Result<()>; async fn update_user(&self, request: UpdateUserRequest) -> Result<()>; async fn update_group(&self, request: UpdateGroupRequest) -> Result<()>; async fn delete_user(&self, user_id: &UserId) -> Result<()>; async fn create_group(&self, group_name: &str) -> Result; async fn delete_group(&self, group_id: GroupId) -> Result<()>; async fn add_user_to_group(&self, user_id: &UserId, group_id: GroupId) -> Result<()>; async fn remove_user_from_group(&self, user_id: &UserId, group_id: GroupId) -> Result<()>; } #[async_trait] impl OpaqueHandler for TestBackendHandler { async fn login_start( &self, request: login::ClientLoginStartRequest ) -> Result; async fn login_finish(&self, request: login::ClientLoginFinishRequest) -> Result; async fn registration_start( &self, request: registration::ClientRegistrationStartRequest ) -> Result; async fn registration_finish( &self, request: registration::ClientRegistrationFinishRequest ) -> Result<()>; } } fn make_search_request>( base: &str, filter: LdapFilter, attrs: Vec, ) -> LdapSearchRequest { LdapSearchRequest { base: base.to_string(), scope: LdapSearchScope::Base, aliases: LdapDerefAliases::Never, sizelimit: 0, timelimit: 0, typesonly: false, filter, attrs: attrs.into_iter().map(Into::into).collect(), } } fn make_user_search_request>( filter: LdapFilter, attrs: Vec, ) -> LdapSearchRequest { make_search_request::("ou=people,Dc=example,dc=com", filter, attrs) } async fn setup_bound_handler_with_group( mut mock: MockTestBackendHandler, group: &str, ) -> LdapHandler { mock.expect_bind() .with(eq(BindRequest { name: UserId::new("test"), password: "pass".to_string(), })) .return_once(|_| Ok(())); let group = group.to_string(); mock.expect_get_user_groups() .with(eq(UserId::new("test"))) .return_once(|_| { let mut set = HashSet::new(); set.insert(GroupDetails { group_id: GroupId(42), display_name: group, creation_date: chrono::Utc.timestamp(42, 42), uuid: uuid!("a1a2a3a4b1b2c1c2d1d2d3d4d5d6d7d8"), }); Ok(set) }); let mut ldap_handler = LdapHandler::new(mock, "dc=Example,dc=com".to_string(), vec![], vec![]); let request = LdapBindRequest { dn: "uid=test,ou=people,dc=example,dc=coM".to_string(), cred: LdapBindCred::Simple("pass".to_string()), }; assert_eq!( ldap_handler.do_bind(&request).await.0, LdapResultCode::Success ); ldap_handler } async fn setup_bound_readonly_handler( mock: MockTestBackendHandler, ) -> LdapHandler { setup_bound_handler_with_group(mock, "lldap_readonly").await } async fn setup_bound_admin_handler( mock: MockTestBackendHandler, ) -> LdapHandler { setup_bound_handler_with_group(mock, "lldap_admin").await } #[tokio::test] async fn test_bind() { let mut mock = MockTestBackendHandler::new(); mock.expect_bind() .with(eq(crate::domain::handler::BindRequest { name: UserId::new("bob"), password: "pass".to_string(), })) .times(1) .return_once(|_| Ok(())); mock.expect_get_user_groups() .with(eq(UserId::new("bob"))) .return_once(|_| Ok(HashSet::new())); let mut ldap_handler = LdapHandler::new(mock, "dc=eXample,dc=com".to_string(), vec![], vec![]); let request = LdapOp::BindRequest(LdapBindRequest { dn: "uid=bob,ou=people,dc=example,dc=com".to_string(), cred: LdapBindCred::Simple("pass".to_string()), }); assert_eq!( ldap_handler.handle_ldap_message(request).await, Some(vec![LdapOp::BindResponse(LdapBindResponse { res: LdapResult { code: LdapResultCode::Success, matcheddn: "".to_string(), message: "".to_string(), referral: vec![], }, saslcreds: None, })]), ); } #[tokio::test] async fn test_admin_bind() { let mut mock = MockTestBackendHandler::new(); mock.expect_bind() .with(eq(crate::domain::handler::BindRequest { name: UserId::new("test"), password: "pass".to_string(), })) .times(1) .return_once(|_| Ok(())); mock.expect_get_user_groups() .with(eq(UserId::new("test"))) .return_once(|_| { let mut set = HashSet::new(); set.insert(GroupDetails { group_id: GroupId(42), display_name: "lldap_admin".to_string(), creation_date: chrono::Utc.timestamp(42, 42), uuid: uuid!("a1a2a3a4b1b2c1c2d1d2d3d4d5d6d7d8"), }); Ok(set) }); let mut ldap_handler = LdapHandler::new(mock, "dc=example,dc=com".to_string(), vec![], vec![]); let request = LdapBindRequest { dn: "uid=test,ou=people,dc=example,dc=com".to_string(), cred: LdapBindCred::Simple("pass".to_string()), }; assert_eq!( ldap_handler.do_bind(&request).await.0, LdapResultCode::Success ); } #[tokio::test] async fn test_search_regular_user() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_users() .with( eq(Some(UserRequestFilter::And(vec![ UserRequestFilter::And(vec![]), UserRequestFilter::UserId(UserId::new("test")), ]))), eq(false), ) .times(1) .return_once(|_, _| { Ok(vec![UserAndGroups { user: User { user_id: UserId::new("test"), ..Default::default() }, groups: None, }]) }); let mut ldap_handler = setup_bound_handler_with_group(mock, "regular").await; let request = make_user_search_request::(LdapFilter::And(vec![]), vec!["1.1".to_string()]); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![ LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "uid=test,ou=people,dc=example,dc=com".to_string(), attributes: vec![], }), make_search_success() ], ); } #[tokio::test] async fn test_search_readonly_user() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_users() .with(eq(Some(UserRequestFilter::And(vec![]))), eq(false)) .times(1) .return_once(|_, _| Ok(vec![])); let mut ldap_handler = setup_bound_readonly_handler(mock).await; let request = make_user_search_request::(LdapFilter::And(vec![]), vec!["1.1".to_string()]); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_success()], ); } #[tokio::test] async fn test_search_member_of() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_users() .with(eq(Some(UserRequestFilter::And(vec![]))), eq(true)) .times(1) .return_once(|_, _| { Ok(vec![UserAndGroups { user: User { user_id: UserId::new("bob"), ..Default::default() }, groups: Some(vec![GroupDetails { group_id: GroupId(42), display_name: "rockstars".to_string(), creation_date: chrono::Utc.timestamp(42, 42), uuid: uuid!("a1a2a3a4b1b2c1c2d1d2d3d4d5d6d7d8"), }]), }]) }); let mut ldap_handler = setup_bound_readonly_handler(mock).await; let request = make_user_search_request::( LdapFilter::And(vec![]), vec!["memberOf".to_string()], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![ LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "uid=bob,ou=people,dc=example,dc=com".to_string(), attributes: vec![LdapPartialAttribute { atype: "memberOf".to_string(), vals: vec!["uid=rockstars,ou=groups,dc=example,dc=com".to_string()] }], }), make_search_success(), ], ); } #[tokio::test] async fn test_search_user_as_scope() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_users() .with( eq(Some(UserRequestFilter::And(vec![ UserRequestFilter::And(vec![]), UserRequestFilter::UserId(UserId::new("bob")), ]))), eq(false), ) .times(1) .return_once(|_, _| Ok(vec![])); let mut ldap_handler = setup_bound_readonly_handler(mock).await; let request = LdapSearchRequest { base: "uid=bob,ou=people,Dc=example,dc=com".to_string(), scope: LdapSearchScope::Base, aliases: LdapDerefAliases::Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: LdapFilter::And(vec![]), attrs: vec!["1.1".to_string()], }; assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_success()], ); } #[tokio::test] async fn test_bind_invalid_dn() { let mock = MockTestBackendHandler::new(); let mut ldap_handler = LdapHandler::new(mock, "dc=example,dc=com".to_string(), vec![], vec![]); let request = LdapBindRequest { dn: "cn=bob,dc=example,dc=com".to_string(), cred: LdapBindCred::Simple("pass".to_string()), }; assert_eq!( ldap_handler.do_bind(&request).await.0, LdapResultCode::NamingViolation, ); let request = LdapBindRequest { dn: "uid=bob,dc=example,dc=com".to_string(), cred: LdapBindCred::Simple("pass".to_string()), }; assert_eq!( ldap_handler.do_bind(&request).await.0, LdapResultCode::NamingViolation, ); let request = LdapBindRequest { dn: "uid=bob,ou=groups,dc=example,dc=com".to_string(), cred: LdapBindCred::Simple("pass".to_string()), }; assert_eq!( ldap_handler.do_bind(&request).await.0, LdapResultCode::NamingViolation, ); let request = LdapBindRequest { dn: "uid=bob,ou=people,dc=example,dc=fr".to_string(), cred: LdapBindCred::Simple("pass".to_string()), }; assert_eq!( ldap_handler.do_bind(&request).await.0, LdapResultCode::NamingViolation, ); let request = LdapBindRequest { dn: "uid=bob=test,ou=people,dc=example,dc=com".to_string(), cred: LdapBindCred::Simple("pass".to_string()), }; assert_eq!( ldap_handler.do_bind(&request).await.0, LdapResultCode::NamingViolation, ); } #[test] fn test_is_subtree() { let subtree1 = &[ ("ou".to_string(), "people".to_string()), ("dc".to_string(), "example".to_string()), ("dc".to_string(), "com".to_string()), ]; let root = &[ ("dc".to_string(), "example".to_string()), ("dc".to_string(), "com".to_string()), ]; assert!(is_subtree(subtree1, root)); assert!(!is_subtree(&[], root)); } #[test] fn test_parse_distinguished_name() { let parsed_dn = &[ ("ou".to_string(), "people".to_string()), ("dc".to_string(), "example".to_string()), ("dc".to_string(), "com".to_string()), ]; assert_eq!( parse_distinguished_name("ou=people,dc=example,dc=com").expect("parsing failed"), parsed_dn ); assert_eq!( parse_distinguished_name(" ou = people , dc = example , dc = com ") .expect("parsing failed"), parsed_dn ); } #[tokio::test] async fn test_search_users() { use chrono::prelude::*; let mut mock = MockTestBackendHandler::new(); mock.expect_list_users().times(1).return_once(|_, _| { Ok(vec![ UserAndGroups { user: User { user_id: UserId::new("bob_1"), email: "bob@bobmail.bob".to_string(), display_name: "Bôb Böbberson".to_string(), first_name: "Bôb".to_string(), last_name: "Böbberson".to_string(), uuid: uuid!("698e1d5f-7a40-3151-8745-b9b8a37839da"), ..Default::default() }, groups: None, }, UserAndGroups { user: User { user_id: UserId::new("jim"), email: "jim@cricket.jim".to_string(), display_name: "Jimminy Cricket".to_string(), first_name: "Jim".to_string(), last_name: "Cricket".to_string(), uuid: uuid!("04ac75e0-2900-3e21-926c-2f732c26b3fc"), creation_date: Utc.ymd(2014, 7, 8).and_hms(9, 10, 11), }, groups: None, }, ]) }); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = make_user_search_request( LdapFilter::And(vec![]), vec![ "objectClass", "dn", "uid", "mail", "givenName", "sn", "cn", "createTimestamp", "entryUuid", ], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![ LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "uid=bob_1,ou=people,dc=example,dc=com".to_string(), attributes: vec![ LdapPartialAttribute { atype: "objectClass".to_string(), vals: vec![ "inetOrgPerson".to_string(), "posixAccount".to_string(), "mailAccount".to_string(), "person".to_string() ] }, LdapPartialAttribute { atype: "dn".to_string(), vals: vec!["uid=bob_1,ou=people,dc=example,dc=com".to_string()] }, LdapPartialAttribute { atype: "uid".to_string(), vals: vec!["bob_1".to_string()] }, LdapPartialAttribute { atype: "mail".to_string(), vals: vec!["bob@bobmail.bob".to_string()] }, LdapPartialAttribute { atype: "givenName".to_string(), vals: vec!["Bôb".to_string()] }, LdapPartialAttribute { atype: "sn".to_string(), vals: vec!["Böbberson".to_string()] }, LdapPartialAttribute { atype: "cn".to_string(), vals: vec!["Bôb Böbberson".to_string()] }, LdapPartialAttribute { atype: "createTimestamp".to_string(), vals: vec!["1970-01-01T00:00:00+00:00".to_string()] }, LdapPartialAttribute { atype: "entryUuid".to_string(), vals: vec!["698e1d5f-7a40-3151-8745-b9b8a37839da".to_string()] }, ], }), LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "uid=jim,ou=people,dc=example,dc=com".to_string(), attributes: vec![ LdapPartialAttribute { atype: "objectClass".to_string(), vals: vec![ "inetOrgPerson".to_string(), "posixAccount".to_string(), "mailAccount".to_string(), "person".to_string() ] }, LdapPartialAttribute { atype: "dn".to_string(), vals: vec!["uid=jim,ou=people,dc=example,dc=com".to_string()] }, LdapPartialAttribute { atype: "uid".to_string(), vals: vec!["jim".to_string()] }, LdapPartialAttribute { atype: "mail".to_string(), vals: vec!["jim@cricket.jim".to_string()] }, LdapPartialAttribute { atype: "givenName".to_string(), vals: vec!["Jim".to_string()] }, LdapPartialAttribute { atype: "sn".to_string(), vals: vec!["Cricket".to_string()] }, LdapPartialAttribute { atype: "cn".to_string(), vals: vec!["Jimminy Cricket".to_string()] }, LdapPartialAttribute { atype: "createTimestamp".to_string(), vals: vec!["2014-07-08T09:10:11+00:00".to_string()] }, LdapPartialAttribute { atype: "entryUuid".to_string(), vals: vec!["04ac75e0-2900-3e21-926c-2f732c26b3fc".to_string()] }, ], }), make_search_success(), ] ); } #[tokio::test] async fn test_search_groups() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_groups() .with(eq(Some(GroupRequestFilter::And(vec![])))) .times(1) .return_once(|_| { Ok(vec![ Group { id: GroupId(1), display_name: "group_1".to_string(), creation_date: chrono::Utc.timestamp(42, 42), users: vec![UserId::new("bob"), UserId::new("john")], uuid: uuid!("04ac75e0-2900-3e21-926c-2f732c26b3fc"), }, Group { id: GroupId(3), display_name: "BestGroup".to_string(), creation_date: chrono::Utc.timestamp(42, 42), users: vec![UserId::new("john")], uuid: uuid!("04ac75e0-2900-3e21-926c-2f732c26b3fc"), }, ]) }); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = make_search_request( "ou=groups,dc=example,dc=cOm", LdapFilter::And(vec![]), vec!["objectClass", "dn", "cn", "uniqueMember", "entryUuid"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![ LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "cn=group_1,ou=groups,dc=example,dc=com".to_string(), attributes: vec![ LdapPartialAttribute { atype: "objectClass".to_string(), vals: vec!["groupOfUniqueNames".to_string(),] }, LdapPartialAttribute { atype: "dn".to_string(), vals: vec!["cn=group_1,ou=groups,dc=example,dc=com".to_string()] }, LdapPartialAttribute { atype: "cn".to_string(), vals: vec!["group_1".to_string()] }, LdapPartialAttribute { atype: "uniqueMember".to_string(), vals: vec![ "uid=bob,ou=people,dc=example,dc=com".to_string(), "uid=john,ou=people,dc=example,dc=com".to_string(), ] }, LdapPartialAttribute { atype: "entryUuid".to_string(), vals: vec!["04ac75e0-2900-3e21-926c-2f732c26b3fc".to_string()], }, ], }), LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "cn=BestGroup,ou=groups,dc=example,dc=com".to_string(), attributes: vec![ LdapPartialAttribute { atype: "objectClass".to_string(), vals: vec!["groupOfUniqueNames".to_string(),] }, LdapPartialAttribute { atype: "dn".to_string(), vals: vec!["cn=BestGroup,ou=groups,dc=example,dc=com".to_string()] }, LdapPartialAttribute { atype: "cn".to_string(), vals: vec!["BestGroup".to_string()] }, LdapPartialAttribute { atype: "uniqueMember".to_string(), vals: vec!["uid=john,ou=people,dc=example,dc=com".to_string()] }, LdapPartialAttribute { atype: "entryUuid".to_string(), vals: vec!["04ac75e0-2900-3e21-926c-2f732c26b3fc".to_string()], }, ], }), make_search_success(), ] ); } #[tokio::test] async fn test_search_groups_filter() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_groups() .with(eq(Some(GroupRequestFilter::And(vec![ GroupRequestFilter::DisplayName("group_1".to_string()), GroupRequestFilter::Member(UserId::new("bob")), GroupRequestFilter::And(vec![]), GroupRequestFilter::And(vec![]), GroupRequestFilter::And(vec![]), GroupRequestFilter::And(vec![]), GroupRequestFilter::Not(Box::new(GroupRequestFilter::Not(Box::new( GroupRequestFilter::And(vec![]), )))), GroupRequestFilter::Not(Box::new(GroupRequestFilter::And(vec![]))), ])))) .times(1) .return_once(|_| { Ok(vec![Group { display_name: "group_1".to_string(), id: GroupId(1), creation_date: chrono::Utc.timestamp(42, 42), users: vec![], uuid: uuid!("04ac75e0-2900-3e21-926c-2f732c26b3fc"), }]) }); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = make_search_request( "ou=groups,dc=example,dc=com", LdapFilter::And(vec![ LdapFilter::Equality("cN".to_string(), "Group_1".to_string()), LdapFilter::Equality( "uniqueMember".to_string(), "uid=bob,ou=peopLe,Dc=eXample,dc=com".to_string(), ), LdapFilter::Equality("obJEctclass".to_string(), "groupOfUniqueNames".to_string()), LdapFilter::Equality("objectclass".to_string(), "groupOfNames".to_string()), LdapFilter::Present("objectclass".to_string()), LdapFilter::Present("dn".to_string()), LdapFilter::Not(Box::new(LdapFilter::Present( "random_attribUte".to_string(), ))), LdapFilter::Equality("unknown_attribute".to_string(), "randomValue".to_string()), ]), vec!["1.1"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![ LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "cn=group_1,ou=groups,dc=example,dc=com".to_string(), attributes: vec![], }), make_search_success(), ] ); } #[tokio::test] async fn test_search_groups_filter_2() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_groups() .with(eq(Some(GroupRequestFilter::Or(vec![ GroupRequestFilter::Not(Box::new(GroupRequestFilter::DisplayName( "group_2".to_string(), ))), ])))) .times(1) .return_once(|_| { Ok(vec![Group { display_name: "group_1".to_string(), id: GroupId(1), creation_date: chrono::Utc.timestamp(42, 42), users: vec![], uuid: uuid!("04ac75e0-2900-3e21-926c-2f732c26b3fc"), }]) }); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = make_search_request( "ou=groups,dc=example,dc=com", LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality( "displayname".to_string(), "group_2".to_string(), )))]), vec!["cn"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![ LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "cn=group_1,ou=groups,dc=example,dc=com".to_string(), attributes: vec![LdapPartialAttribute { atype: "cn".to_string(), vals: vec!["group_1".to_string()] },], }), make_search_success(), ] ); } #[tokio::test] async fn test_search_group_as_scope() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_groups() .with(eq(Some(GroupRequestFilter::And(vec![ GroupRequestFilter::And(vec![]), GroupRequestFilter::DisplayName("rockstars".to_string()), ])))) .times(1) .return_once(|_| Ok(vec![])); let mut ldap_handler = setup_bound_readonly_handler(mock).await; let request = LdapSearchRequest { base: "uid=rockstars,ou=groups,Dc=example,dc=com".to_string(), scope: LdapSearchScope::Base, aliases: LdapDerefAliases::Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: LdapFilter::And(vec![]), attrs: vec!["1.1".to_string()], }; assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_success()], ); } #[tokio::test] async fn test_search_groups_error() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_groups() .with(eq(Some(GroupRequestFilter::Or(vec![ GroupRequestFilter::Not(Box::new(GroupRequestFilter::DisplayName( "group_2".to_string(), ))), ])))) .times(1) .return_once(|_| { Err(crate::domain::error::DomainError::InternalError( "Error getting groups".to_string(), )) }); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = make_search_request( "ou=groups,dc=example,dc=com", LdapFilter::Or(vec![LdapFilter::Not(Box::new(LdapFilter::Equality( "displayname".to_string(), "group_2".to_string(), )))]), vec!["cn"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_error( LdapResultCode::Other, r#"Error while listing groups "ou=groups,dc=example,dc=com": Internal error: `Error getting groups`"#.to_string() )] ); } #[tokio::test] async fn test_search_groups_filter_error() { let mut ldap_handler = setup_bound_admin_handler(MockTestBackendHandler::new()).await; let request = make_search_request( "ou=groups,dc=example,dc=com", LdapFilter::And(vec![LdapFilter::Substring( "whatever".to_string(), ldap3_server::proto::LdapSubstringFilter::default(), )]), vec!["cn"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_error( LdapResultCode::UnwillingToPerform, r#"Unsupported group filter: Unsupported group filter: Substring("whatever", LdapSubstringFilter { initial: None, any: [], final_: None })"# .to_string() )] ); } #[tokio::test] async fn test_search_filters() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_users() .with( eq(Some(UserRequestFilter::And(vec![UserRequestFilter::Or( vec![ UserRequestFilter::Not(Box::new(UserRequestFilter::UserId(UserId::new( "bob", )))), UserRequestFilter::And(vec![]), UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))), UserRequestFilter::And(vec![]), UserRequestFilter::And(vec![]), UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))), UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))), ], )]))), eq(false), ) .times(1) .return_once(|_, _| Ok(vec![])); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = make_user_search_request( LdapFilter::And(vec![LdapFilter::Or(vec![ LdapFilter::Not(Box::new(LdapFilter::Equality( "uid".to_string(), "bob".to_string(), ))), LdapFilter::Equality("objectclass".to_string(), "person".to_string()), LdapFilter::Equality("objectclass".to_string(), "other".to_string()), LdapFilter::Present("objectClass".to_string()), LdapFilter::Present("uid".to_string()), LdapFilter::Present("unknown".to_string()), LdapFilter::Equality("unknown_attribute".to_string(), "randomValue".to_string()), ])]), vec!["objectClass"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_success()] ); } #[tokio::test] async fn test_search_member_of_filter() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_users() .with( eq(Some(UserRequestFilter::MemberOf("group_1".to_string()))), eq(false), ) .times(1) .return_once(|_, _| Ok(vec![])); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = make_user_search_request( LdapFilter::Equality( "memberOf".to_string(), "cn=group_1, ou=groups, dc=example,dc=com".to_string(), ), vec!["objectClass"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_success()] ); let request = make_user_search_request( LdapFilter::Equality("memberOf".to_string(), "group_1".to_string()), vec!["objectClass"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_error( LdapResultCode::UnwillingToPerform, "Unsupported user filter: while parsing a group ID: Missing DN value".to_string() )] ); let request = make_user_search_request( LdapFilter::Equality( "memberOf".to_string(), "cn=mygroup,dc=example,dc=com".to_string(), ), vec!["objectClass"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_error( LdapResultCode::UnwillingToPerform, "Unsupported user filter: Unexpected group DN format. Got \"cn=mygroup,dc=example,dc=com\", expected: \"cn=groupname,ou=groups,dc=example,dc=com\"".to_string() )] ); } #[tokio::test] async fn test_search_filters_lowercase() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_users() .with( eq(Some(UserRequestFilter::And(vec![UserRequestFilter::Or( vec![UserRequestFilter::Not(Box::new( UserRequestFilter::Equality("first_name".to_string(), "bob".to_string()), ))], )]))), eq(false), ) .times(1) .return_once(|_, _| { Ok(vec![UserAndGroups { user: User { user_id: UserId::new("bob_1"), ..Default::default() }, groups: None, }]) }); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = make_user_search_request( LdapFilter::And(vec![LdapFilter::Or(vec![LdapFilter::Not(Box::new( LdapFilter::Equality("givenname".to_string(), "bob".to_string()), ))])]), vec!["objectclass"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![ LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "uid=bob_1,ou=people,dc=example,dc=com".to_string(), attributes: vec![LdapPartialAttribute { atype: "objectclass".to_string(), vals: vec![ "inetOrgPerson".to_string(), "posixAccount".to_string(), "mailAccount".to_string(), "person".to_string() ] },] }), make_search_success() ] ); } #[tokio::test] async fn test_search_both() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_users().times(1).return_once(|_, _| { Ok(vec![UserAndGroups { user: User { user_id: UserId::new("bob_1"), email: "bob@bobmail.bob".to_string(), display_name: "Bôb Böbberson".to_string(), first_name: "Bôb".to_string(), last_name: "Böbberson".to_string(), ..Default::default() }, groups: None, }]) }); mock.expect_list_groups() .with(eq(Some(GroupRequestFilter::And(vec![])))) .times(1) .return_once(|_| { Ok(vec![Group { id: GroupId(1), display_name: "group_1".to_string(), creation_date: chrono::Utc.timestamp(42, 42), users: vec![UserId::new("bob"), UserId::new("john")], uuid: uuid!("04ac75e0-2900-3e21-926c-2f732c26b3fc"), }]) }); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = make_search_request( "dc=example,dc=com", LdapFilter::And(vec![]), vec!["objectClass", "dn", "cn"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![ LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "uid=bob_1,ou=people,dc=example,dc=com".to_string(), attributes: vec![ LdapPartialAttribute { atype: "objectClass".to_string(), vals: vec![ "inetOrgPerson".to_string(), "posixAccount".to_string(), "mailAccount".to_string(), "person".to_string() ] }, LdapPartialAttribute { atype: "dn".to_string(), vals: vec!["uid=bob_1,ou=people,dc=example,dc=com".to_string()] }, LdapPartialAttribute { atype: "cn".to_string(), vals: vec!["Bôb Böbberson".to_string()] }, ], }), LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "cn=group_1,ou=groups,dc=example,dc=com".to_string(), attributes: vec![ LdapPartialAttribute { atype: "objectClass".to_string(), vals: vec!["groupOfUniqueNames".to_string(),] }, LdapPartialAttribute { atype: "dn".to_string(), vals: vec!["cn=group_1,ou=groups,dc=example,dc=com".to_string()] }, LdapPartialAttribute { atype: "cn".to_string(), vals: vec!["group_1".to_string()] }, ], }), make_search_success(), ] ); } #[tokio::test] async fn test_search_wildcards() { let mut mock = MockTestBackendHandler::new(); mock.expect_list_users().returning(|_, _| { Ok(vec![UserAndGroups { user: User { user_id: UserId::new("bob_1"), email: "bob@bobmail.bob".to_string(), display_name: "Bôb Böbberson".to_string(), first_name: "Bôb".to_string(), last_name: "Böbberson".to_string(), ..Default::default() }, groups: None, }]) }); mock.expect_list_groups() .with(eq(Some(GroupRequestFilter::And(vec![])))) .returning(|_| { Ok(vec![Group { id: GroupId(1), display_name: "group_1".to_string(), creation_date: chrono::Utc.timestamp(42, 42), users: vec![UserId::new("bob"), UserId::new("john")], uuid: uuid!("04ac75e0-2900-3e21-926c-2f732c26b3fc"), }]) }); let mut ldap_handler = setup_bound_admin_handler(mock).await; // Test simple wildcard let request = make_search_request("dc=example,dc=com", LdapFilter::And(vec![]), vec!["*", "+"]); // all: "objectclass", "dn", "uid", "mail", "givenname", "sn", "cn" // Operational: "createtimestamp" let expected_result = vec![ LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "uid=bob_1,ou=people,dc=example,dc=com".to_string(), attributes: vec![ LdapPartialAttribute { atype: "objectclass".to_string(), vals: vec![ "inetOrgPerson".to_string(), "posixAccount".to_string(), "mailAccount".to_string(), "person".to_string(), ], }, LdapPartialAttribute { atype: "dn".to_string(), vals: vec!["uid=bob_1,ou=people,dc=example,dc=com".to_string()], }, LdapPartialAttribute { atype: "uid".to_string(), vals: vec!["bob_1".to_string()], }, LdapPartialAttribute { atype: "mail".to_string(), vals: vec!["bob@bobmail.bob".to_string()], }, LdapPartialAttribute { atype: "givenname".to_string(), vals: vec!["Bôb".to_string()], }, LdapPartialAttribute { atype: "sn".to_string(), vals: vec!["Böbberson".to_string()], }, LdapPartialAttribute { atype: "cn".to_string(), vals: vec!["Bôb Böbberson".to_string()], }, LdapPartialAttribute { atype: "createtimestamp".to_string(), vals: vec![chrono::Utc.timestamp(0, 0).to_rfc3339()], }, ], }), // "objectclass", "dn", "uid", "cn", "member", "uniquemember" LdapOp::SearchResultEntry(LdapSearchResultEntry { dn: "cn=group_1,ou=groups,dc=example,dc=com".to_string(), attributes: vec![ LdapPartialAttribute { atype: "objectclass".to_string(), vals: vec!["groupOfUniqueNames".to_string()], }, LdapPartialAttribute { atype: "dn".to_string(), vals: vec!["cn=group_1,ou=groups,dc=example,dc=com".to_string()], }, // UID LdapPartialAttribute { atype: "uid".to_string(), vals: vec!["group_1".to_string()], }, LdapPartialAttribute { atype: "cn".to_string(), vals: vec!["group_1".to_string()], }, //member / uniquemember : "uid={},ou=people,{}" LdapPartialAttribute { atype: "member".to_string(), vals: vec![ "uid=bob,ou=people,dc=example,dc=com".to_string(), "uid=john,ou=people,dc=example,dc=com".to_string(), ], }, LdapPartialAttribute { atype: "uniquemember".to_string(), vals: vec![ "uid=bob,ou=people,dc=example,dc=com".to_string(), "uid=john,ou=people,dc=example,dc=com".to_string(), ], }, ], }), make_search_success(), ]; assert_eq!( ldap_handler.do_search_or_dse(&request).await, expected_result ); let request2 = make_search_request( "dc=example,dc=com", LdapFilter::And(vec![]), vec!["objectclass", "obJEctclaSS", "dn", "*", "*"], ); assert_eq!( ldap_handler.do_search_or_dse(&request2).await, expected_result ); let request3 = make_search_request( "dc=example,dc=com", LdapFilter::And(vec![]), vec!["*", "+", "+"], ); assert_eq!( ldap_handler.do_search_or_dse(&request3).await, expected_result ); let request4 = make_search_request("dc=example,dc=com", LdapFilter::And(vec![]), vec![""; 0]); assert_eq!( ldap_handler.do_search_or_dse(&request4).await, expected_result ); let request5 = make_search_request( "dc=example,dc=com", LdapFilter::And(vec![]), vec!["objectclass", "dn", "uid", "*"], ); assert_eq!( ldap_handler.do_search_or_dse(&request5).await, expected_result ); } #[tokio::test] async fn test_search_wrong_base() { let mut ldap_handler = setup_bound_admin_handler(MockTestBackendHandler::new()).await; let request = make_search_request( "ou=users,dc=example,dc=com", LdapFilter::And(vec![]), vec!["objectClass"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_success()] ); } #[tokio::test] async fn test_search_unsupported_filters() { let mut ldap_handler = setup_bound_admin_handler(MockTestBackendHandler::new()).await; let request = make_user_search_request( LdapFilter::Substring( "uid".to_string(), ldap3_server::proto::LdapSubstringFilter::default(), ), vec!["objectClass"], ); assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![make_search_error( LdapResultCode::UnwillingToPerform, "Unsupported user filter: Unsupported user filter: Substring(\"uid\", LdapSubstringFilter { initial: None, any: [], final_: None })".to_string() )] ); } #[tokio::test] async fn test_password_change() { let mut mock = MockTestBackendHandler::new(); mock.expect_get_user_groups() .with(eq(UserId::new("bob"))) .returning(|_| Ok(HashSet::new())); use lldap_auth::*; let mut rng = rand::rngs::OsRng; let registration_start_request = opaque::client::registration::start_registration("password", &mut rng).unwrap(); let request = registration::ClientRegistrationStartRequest { username: "bob".to_string(), registration_start_request: registration_start_request.message, }; let start_response = opaque::server::registration::start_registration( &opaque::server::ServerSetup::new(&mut rng), request.registration_start_request, &request.username, ) .unwrap(); mock.expect_registration_start().times(1).return_once(|_| { Ok(registration::ServerRegistrationStartResponse { server_data: "".to_string(), registration_response: start_response.message, }) }); mock.expect_registration_finish() .times(1) .return_once(|_| Ok(())); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = LdapOp::ExtendedRequest( LdapPasswordModifyRequest { user_identity: Some("uid=bob,ou=people,dc=example,dc=com".to_string()), old_password: None, new_password: Some("password".to_string()), } .into(), ); assert_eq!( ldap_handler.handle_ldap_message(request).await, Some(vec![make_extended_response( LdapResultCode::Success, "".to_string(), )]) ); } #[tokio::test] async fn test_password_change_readonly() { let mut mock = MockTestBackendHandler::new(); mock.expect_get_user_groups() .with(eq(UserId::new("bob"))) .returning(|_| Ok(HashSet::new())); use lldap_auth::*; let mut rng = rand::rngs::OsRng; let registration_start_request = opaque::client::registration::start_registration("password", &mut rng).unwrap(); let request = registration::ClientRegistrationStartRequest { username: "bob".to_string(), registration_start_request: registration_start_request.message, }; let start_response = opaque::server::registration::start_registration( &opaque::server::ServerSetup::new(&mut rng), request.registration_start_request, &request.username, ) .unwrap(); mock.expect_registration_start().times(1).return_once(|_| { Ok(registration::ServerRegistrationStartResponse { server_data: "".to_string(), registration_response: start_response.message, }) }); mock.expect_registration_finish() .times(1) .return_once(|_| Ok(())); let mut ldap_handler = setup_bound_readonly_handler(mock).await; let request = LdapOp::ExtendedRequest( LdapPasswordModifyRequest { user_identity: Some("uid=bob,ou=people,dc=example,dc=com".to_string()), old_password: None, new_password: Some("password".to_string()), } .into(), ); assert_eq!( ldap_handler.handle_ldap_message(request).await, Some(vec![make_extended_response( LdapResultCode::Success, "".to_string(), )]) ); } #[tokio::test] async fn test_password_change_errors() { let mut mock = MockTestBackendHandler::new(); mock.expect_get_user_groups() .with(eq(UserId::new("bob"))) .returning(|_| Ok(HashSet::new())); let mut ldap_handler = setup_bound_admin_handler(mock).await; let request = LdapOp::ExtendedRequest( LdapPasswordModifyRequest { user_identity: None, old_password: None, new_password: None, } .into(), ); assert_eq!( ldap_handler.handle_ldap_message(request).await, Some(vec![make_extended_response( LdapResultCode::ConstraintViolation, "Missing either user_id or password".to_string(), )]) ); let request = LdapOp::ExtendedRequest( LdapPasswordModifyRequest { user_identity: Some("uid=bob,ou=groups,ou=people,dc=example,dc=com".to_string()), old_password: None, new_password: Some("password".to_string()), } .into(), ); assert_eq!( ldap_handler.handle_ldap_message(request).await, Some(vec![make_extended_response( LdapResultCode::InvalidDNSyntax, r#"Invalid username: "Unexpected user DN format. Got \"uid=bob,ou=groups,ou=people,dc=example,dc=com\", expected: \"uid=username,ou=people,dc=example,dc=com\"""#.to_string(), )]) ); let request = LdapOp::ExtendedRequest(LdapExtendedRequest { name: "test".to_string(), value: None, }); assert_eq!( ldap_handler.handle_ldap_message(request).await, Some(vec![make_extended_response( LdapResultCode::UnwillingToPerform, "Unsupported extended operation: test".to_string(), )]) ); } #[tokio::test] async fn test_password_change_unauthorized_readonly() { let mut mock = MockTestBackendHandler::new(); let mut groups = HashSet::new(); groups.insert(GroupDetails { group_id: GroupId(0), display_name: "lldap_admin".to_string(), creation_date: chrono::Utc.timestamp(42, 42), uuid: uuid!("a1a2a3a4b1b2c1c2d1d2d3d4d5d6d7d8"), }); mock.expect_get_user_groups() .with(eq(UserId::new("bob"))) .times(1) .return_once(|_| Ok(groups)); let mut ldap_handler = setup_bound_readonly_handler(mock).await; let request = LdapOp::ExtendedRequest( LdapPasswordModifyRequest { user_identity: Some("uid=bob,ou=people,dc=example,dc=com".to_string()), old_password: Some("pass".to_string()), new_password: Some("password".to_string()), } .into(), ); assert_eq!( ldap_handler.handle_ldap_message(request).await, Some(vec![make_extended_response( LdapResultCode::InsufficentAccessRights, "User `test` cannot modify the password of user `bob`".to_string(), )]) ); } #[tokio::test] async fn test_search_root_dse() { let mut ldap_handler = setup_bound_admin_handler(MockTestBackendHandler::new()).await; let request = LdapSearchRequest { base: "".to_string(), scope: LdapSearchScope::Base, aliases: LdapDerefAliases::Never, sizelimit: 0, timelimit: 0, typesonly: false, filter: LdapFilter::Present("objectClass".to_string()), attrs: vec!["supportedExtension".to_string()], }; assert_eq!( ldap_handler.do_search_or_dse(&request).await, vec![ root_dse_response("dc=example,dc=com"), make_search_success() ] ); } }