Skip to content

Commit

Permalink
fix: ldap filters (ajnart#2033)
Browse files Browse the repository at this point in the history
  • Loading branch information
@SeDemal
SeDemal authored May 7, 2024
1 parent 452304b commit f12dd52
Show file tree
Hide file tree
Showing 2 changed files with 52 additions and 13 deletions.
8 changes: 7 additions & 1 deletion src/env.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,9 +83,12 @@ const env = createEnv({
AUTH_LDAP_BASE: z.string(),
AUTH_LDAP_SEARCH_SCOPE: z.enum(['base', 'one', 'sub']).default('base'),
AUTH_LDAP_USERNAME_ATTRIBUTE: z.string().default('uid'),
AUTH_LDAP_USER_MAIL_ATTRIBUTE: z.string().default('mail'),
AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: z.string().optional(),
AUTH_LDAP_GROUP_CLASS: z.string().default('groupOfUniqueNames'),
AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: z.string().default('member'),
AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: z.string().default('dn'),
AUTH_LDAP_GROUP_FILTER_EXTRA_ARG: z.string().optional(),
AUTH_LDAP_ADMIN_GROUP: z.string().default('admin'),
AUTH_LDAP_OWNER_GROUP: z.string().default('admin'),
}
Expand All @@ -102,7 +105,7 @@ const env = createEnv({
AUTH_OIDC_OWNER_GROUP: z.string().default('admin'),
AUTH_OIDC_AUTO_LOGIN: zodParsedBoolean(),
AUTH_OIDC_SCOPE_OVERWRITE: z.string().default('openid email profile groups'),
AUTH_OIDC_TIMEOUT: numberSchema.default('3500'),
AUTH_OIDC_TIMEOUT: numberSchema.default(3500),
}
: {}),
},
Expand Down Expand Up @@ -149,9 +152,12 @@ const env = createEnv({
AUTH_LDAP_BASE: process.env.AUTH_LDAP_BASE,
AUTH_LDAP_SEARCH_SCOPE: process.env.AUTH_LDAP_SEARCH_SCOPE?.toLowerCase(),
AUTH_LDAP_USERNAME_ATTRIBUTE: process.env.AUTH_LDAP_USERNAME_ATTRIBUTE,
AUTH_LDAP_USER_MAIL_ATTRIBUTE: process.env.AUTH_LDAP_USER_MAIL_ATTRIBUTE,
AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG: process.env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG,
AUTH_LDAP_GROUP_CLASS: process.env.AUTH_LDAP_GROUP_CLASS,
AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE: process.env.AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE,
AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE: process.env.AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE,
AUTH_LDAP_GROUP_FILTER_EXTRA_ARG: process.env.AUTH_LDAP_GROUP_FILTER_EXTRA_ARG,
AUTH_LDAP_ADMIN_GROUP: process.env.AUTH_LDAP_ADMIN_GROUP,
AUTH_LDAP_OWNER_GROUP: process.env.AUTH_LDAP_OWNER_GROUP,
AUTH_OIDC_CLIENT_ID: process.env.AUTH_OIDC_CLIENT_ID,
Expand Down
57 changes: 45 additions & 12 deletions src/utils/auth/ldap.ts
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import Consola from 'consola';
import ldap from 'ldapjs';
import Credentials from 'next-auth/providers/credentials';
import { z } from 'zod';
import { env } from '~/env';
import { signInSchema } from '~/validations/user';

Expand Down Expand Up @@ -61,6 +62,15 @@ const ldapSearch = async <
reject('error: ' + err.message);
});
res.on('searchEntry', (entry) => {
let userDn;
try {
//dn is the only attribute returned with special characters formatted in UTF-8 (Bad for any letters with an accent)
//Regex replaces any backslash followed by 2 hex characters with a percentage unless said backslash is preceded by another backslash.
//That can then be processed by decodeURIComponent which will turn back characters to normal.
userDn = decodeURIComponent(
entry.pojo.objectName.replace(/(?<!\\)\\([0-9a-fA-F]{2})/g, '%$1')
)
} catch { reject(new Error ('Cannot resolve distinguishedName for the user')) }
results.push(
entry.pojo.attributes.reduce<Record<string, string | string[]>>(
(obj, attr) => {
Expand All @@ -70,7 +80,10 @@ const ldapSearch = async <
: attr.values[0];
return obj;
},
{ dn: entry.pojo.objectName }
{
// Assume userDn since there's a reject if not set
dn: userDn!,
}
) as SearchResult<Attributes, ArrayAttributes>
);
});
Expand All @@ -95,27 +108,47 @@ export default Credentials({
try {
const data = await signInSchema.parseAsync(credentials);

Consola.log(`user ${data.name} is trying to log in using LDAP. Signing in...`);
Consola.log(`user ${data.name} is trying to log in using LDAP. Connecting to LDAP server...`);
const client = await ldapLogin(env.AUTH_LDAP_BIND_DN, env.AUTH_LDAP_BIND_PASSWORD);

Consola.log(`Connection established. Searching User...`);
const ldapUser = (
await ldapSearch(client, env.AUTH_LDAP_BASE, {
filter: `(uid=${data.name})`,
filter: env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG
? `(&(${env.AUTH_LDAP_USERNAME_ATTRIBUTE}=${data.name})${env.AUTH_LDAP_USERNAME_FILTER_EXTRA_ARG})`
: `(${env.AUTH_LDAP_USERNAME_ATTRIBUTE}=${data.name})`,
scope: env.AUTH_LDAP_SEARCH_SCOPE,
// as const for inference
attributes: ['uid', 'mail'] as const,
attributes: [
env.AUTH_LDAP_USERNAME_ATTRIBUTE,
env.AUTH_LDAP_USER_MAIL_ATTRIBUTE,
] as const,
})
)[0];

if (!ldapUser) throw new Error('User not found in LDAP');

try {
z.string().email().parse(ldapUser[env.AUTH_LDAP_USER_MAIL_ATTRIBUTE]);
} catch {
throw new Error(
`User found but with invalid or non-existing Email. Not Supported: "${
ldapUser[env.AUTH_LDAP_USER_MAIL_ATTRIBUTE] ?? ' '
}"`
);
}

Consola.log(`User found. Logging in...`);
await ldapLogin(ldapUser.dn, data.password).then((client) => client.destroy());

Consola.log(`User logged in. Retrieving groups...`);
const userGroups = (
await ldapSearch(client, env.AUTH_LDAP_BASE, {
filter: `(&(objectclass=${env.AUTH_LDAP_GROUP_CLASS})(${
filter: `(&(objectClass=${env.AUTH_LDAP_GROUP_CLASS})(${
env.AUTH_LDAP_GROUP_MEMBER_ATTRIBUTE
}=${ldapUser[env.AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE as 'dn' | 'uid']}))`,
}=${ldapUser[env.AUTH_LDAP_GROUP_MEMBER_USER_ATTRIBUTE as 'dn' | 'uid']})${
env.AUTH_LDAP_GROUP_FILTER_EXTRA_ARG ?? ''
})`,
scope: env.AUTH_LDAP_SEARCH_SCOPE,
// as const for inference
attributes: 'cn',
Expand All @@ -126,15 +159,15 @@ export default Credentials({

Consola.log(`user ${data.name} successfully authorized`);

let user = await adapter.getUserByEmail!(ldapUser.mail);
const isAdmin = userGroups.includes(env.AUTH_LDAP_ADMIN_GROUP);
let user = await adapter.getUserByEmail!(ldapUser[env.AUTH_LDAP_USER_MAIL_ATTRIBUTE]);
const isOwner = userGroups.includes(env.AUTH_LDAP_OWNER_GROUP);
const isAdmin = isOwner || userGroups.includes(env.AUTH_LDAP_ADMIN_GROUP);

if (!user) {
// CreateUser will create settings in event
user = await adapter.createUser({
name: ldapUser.uid,
email: ldapUser.mail,
user = adapter.createUser({
name: ldapUser[env.AUTH_LDAP_USERNAME_ATTRIBUTE],
email: ldapUser[env.AUTH_LDAP_USER_MAIL_ATTRIBUTE],
emailVerified: new Date(), // assume ldap email is verified
isAdmin: isAdmin,
isOwner: isOwner,
Expand All @@ -153,7 +186,7 @@ export default Credentials({

return {
id: user?.id || ldapUser.dn,
name: user?.name || ldapUser.uid,
name: user?.name || ldapUser[env.AUTH_LDAP_USERNAME_ATTRIBUTE],
isAdmin: isAdmin,
isOwner: isOwner,
};
Expand Down

0 comments on commit f12dd52

Please sign in to comment.