debianize-mobilizon/lib/service/auth/ldap_authenticator.ex

# Portions of this file are derived from Pleroma:
# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Mobilizon.Service.Auth.LDAPAuthenticator do
  @moduledoc """
  Authenticate Mobilizon users through LDAP accounts
  """
  alias Mobilizon.Service.Auth.{Authenticator, MobilizonAuthenticator}
  alias Mobilizon.Users
  alias Mobilizon.Users.User

  require Logger

  import Authenticator,
    only: [fetch_user: 1]

  @behaviour Authenticator
  @base MobilizonAuthenticator

  @connection_timeout 10_000
  @search_timeout 10_000

  def login(email, password) do
    with {:ldap, true} <- {:ldap, Mobilizon.Config.get([:ldap, :enabled])},
         %User{} = user <- ldap_user(email, password) do
      {:ok, user}
    else
      {:error, {:ldap_connection_error, _}} ->
        # When LDAP is unavailable, try default authenticator
        @base.login(email, password)

      {:ldap, _} ->
        @base.login(email, password)

      error ->
        error
    end
  end

  def can_change_email?(%User{provider: provider}), do: provider != "ldap"

  def can_change_password?(%User{provider: provider}), do: provider != "ldap"

  defp ldap_user(email, password) do
    ldap = Mobilizon.Config.get(:ldap, [])
    host = Keyword.get(ldap, :host, "localhost")
    port = Keyword.get(ldap, :port, 389)
    ssl = Keyword.get(ldap, :ssl, false)
    sslopts = Keyword.get(ldap, :sslopts, [])

    options =
      [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
        if sslopts != [], do: [{:sslopts, sslopts}], else: []

    case :eldap.open([to_charlist(host)], options) do
      {:ok, connection} ->
        try do
          ensure_eventual_tls(connection, ldap)

          base = Keyword.get(ldap, :base)
          uid_field = Keyword.get(ldap, :uid, "cn")

          # We first need to find the LDAP UID/CN for this specif email
          with uid when is_binary(uid) <- search_user(connection, ldap, base, uid_field, email),
               # Then we can verify the user's password
               :ok <- bind_user(connection, base, uid_field, uid, password) do
            case fetch_user(email) do
              %User{} = user ->
                user

              _ ->
                register_user(email)
            end
          else
            {:error, error} ->
              {:error, error}

            error ->
              {:error, error}
          end
        after
          :eldap.close(connection)
        end

      {:error, error} ->
        Logger.error("Could not open LDAP connection: #{inspect(error)}")
        {:error, {:ldap_connection_error, error}}
    end
  end

  @spec bind_user(any(), String.t(), String.t(), String.t(), String.t()) ::
          User.t() | any()
  defp bind_user(connection, base, uid, field, password) do
    bind = "#{uid}=#{field},#{base}"
    Logger.debug("Binding to LDAP with \"#{bind}\"")
    :eldap.simple_bind(connection, bind, password)
  end

  @spec search_user(any(), Keyword.t(), String.t(), String.t(), String.t()) ::
          String.t() | {:error, :ldap_registration_missing_attributes} | any()
  defp search_user(connection, ldap, base, uid, email) do
    # We may need to bind before performing the search
    res =
      if Keyword.get(ldap, :require_bind_for_search, true) do
        admin_field = Keyword.get(ldap, :bind_uid)
        admin_password = Keyword.get(ldap, :bind_password)
        bind_user(connection, base, uid, admin_field, admin_password)
      else
        :ok
      end

    if res == :ok do
      do_search_user(connection, base, uid, email)
    else
      res
    end
  end

  # Search an user by uid to find their CN
  @spec do_search_user(any(), String.t(), String.t(), String.t()) ::
          String.t() | {:error, :ldap_registration_missing_attributes} | any()
  defp do_search_user(connection, base, uid, email) do
    with {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} <-
           :eldap.search(connection, [
             {:base, to_charlist(base)},
             {:filter, :eldap.equalityMatch(to_charlist("mail"), to_charlist(email))},
             {:scope, :eldap.wholeSubtree()},
             {:attributes, [to_charlist(uid)]},
             {:timeout, @search_timeout}
           ]),
         {:uid, {_, [uid]}} <- {:uid, List.keyfind(attributes, to_charlist(uid), 0)} do
      :erlang.list_to_binary(uid)
    else
      {:ok, {:eldap_search_result, [], []}} ->
        Logger.info("Unable to find user with email #{email}")
        {:error, :ldap_search_email_not_found}

      {:cn, err} ->
        Logger.error("Could not find LDAP attribute CN: #{inspect(err)}")
        {:error, :ldap_searcy_missing_attributes}

      error ->
        error
    end
  end

  @spec register_user(String.t()) :: User.t() | any()
  defp register_user(email) do
    case Users.create_external(email, "ldap") do
      {:ok, %User{} = user} ->
        user

      error ->
        error
    end
  end

  @spec ensure_eventual_tls(any(), Keyword.t()) :: :ok
  defp ensure_eventual_tls(connection, ldap) do
    if Keyword.get(ldap, :tls, false) do
      :application.ensure_all_started(:ssl)

      case :eldap.start_tls(
             connection,
             Keyword.get(ldap, :tlsopts, []),
             @connection_timeout
           ) do
        :ok ->
          :ok

        error ->
          Logger.error("Could not start TLS: #{inspect(error)}")
      end
    end

    :ok
  end
end
Introduce support for 3rd-party auth (OAuth2 & LDAP) Signed-off-by: Thomas Citharel <tcit@tcit.fr> 2020-06-27 19:12:45 +02:00			`# Portions of this file are derived from Pleroma:`
			`# Pleroma: A lightweight social networking server`
			`# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>`
			`# SPDX-License-Identifier: AGPL-3.0-only`

			`defmodule Mobilizon.Service.Auth.LDAPAuthenticator do`
			`@moduledoc """`
			`Authenticate Mobilizon users through LDAP accounts`
			`"""`
			`alias Mobilizon.Service.Auth.{Authenticator, MobilizonAuthenticator}`
			`alias Mobilizon.Users`
			`alias Mobilizon.Users.User`

			`require Logger`

			`import Authenticator,`
			`only: [fetch_user: 1]`

			`@behaviour Authenticator`
			`@base MobilizonAuthenticator`

			`@connection_timeout 10_000`
			`@search_timeout 10_000`

			`def login(email, password) do`
			`with {:ldap, true} <- {:ldap, Mobilizon.Config.get([:ldap, :enabled])},`
			`%User{} = user <- ldap_user(email, password) do`
			`{:ok, user}`
			`else`
			`{:error, {:ldap_connection_error, _}} ->`
			`# When LDAP is unavailable, try default authenticator`
			`@base.login(email, password)`

			`{:ldap, _} ->`
			`@base.login(email, password)`

			`error ->`
			`error`
			`end`
			`end`

			`def can_change_email?(%User{provider: provider}), do: provider != "ldap"`

			`def can_change_password?(%User{provider: provider}), do: provider != "ldap"`

			`defp ldap_user(email, password) do`
			`ldap = Mobilizon.Config.get(:ldap, [])`
			`host = Keyword.get(ldap, :host, "localhost")`
			`port = Keyword.get(ldap, :port, 389)`
			`ssl = Keyword.get(ldap, :ssl, false)`
			`sslopts = Keyword.get(ldap, :sslopts, [])`

			`options =`
			`[{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++`
			`if sslopts != [], do: [{:sslopts, sslopts}], else: []`

			`case :eldap.open([to_charlist(host)], options) do`
			`{:ok, connection} ->`
			`try do`
			`ensure_eventual_tls(connection, ldap)`

			`base = Keyword.get(ldap, :base)`
			`uid_field = Keyword.get(ldap, :uid, "cn")`

			`# We first need to find the LDAP UID/CN for this specif email`
			`with uid when is_binary(uid) <- search_user(connection, ldap, base, uid_field, email),`
			`# Then we can verify the user's password`
			`:ok <- bind_user(connection, base, uid_field, uid, password) do`
			`case fetch_user(email) do`
			`%User{} = user ->`
			`user`

			`_ ->`
			`register_user(email)`
			`end`
			`else`
			`{:error, error} ->`
			`{:error, error}`

			`error ->`
			`{:error, error}`
			`end`
			`after`
			`:eldap.close(connection)`
			`end`

			`{:error, error} ->`
			`Logger.error("Could not open LDAP connection: #{inspect(error)}")`
			`{:error, {:ldap_connection_error, error}}`
			`end`
			`end`

			`@spec bind_user(any(), String.t(), String.t(), String.t(), String.t()) ::`
			`User.t() \| any()`
			`defp bind_user(connection, base, uid, field, password) do`
			`bind = "#{uid}=#{field},#{base}"`
			`Logger.debug("Binding to LDAP with \"#{bind}\"")`
			`:eldap.simple_bind(connection, bind, password)`
			`end`

			`@spec search_user(any(), Keyword.t(), String.t(), String.t(), String.t()) ::`
			`String.t() \| {:error, :ldap_registration_missing_attributes} \| any()`
			`defp search_user(connection, ldap, base, uid, email) do`
			`# We may need to bind before performing the search`
			`res =`
			`if Keyword.get(ldap, :require_bind_for_search, true) do`
			`admin_field = Keyword.get(ldap, :bind_uid)`
			`admin_password = Keyword.get(ldap, :bind_password)`
			`bind_user(connection, base, uid, admin_field, admin_password)`
			`else`
			`:ok`
			`end`

			`if res == :ok do`
			`do_search_user(connection, base, uid, email)`
			`else`
			`res`
			`end`
			`end`

			`# Search an user by uid to find their CN`
			`@spec do_search_user(any(), String.t(), String.t(), String.t()) ::`
			`String.t() \| {:error, :ldap_registration_missing_attributes} \| any()`
			`defp do_search_user(connection, base, uid, email) do`
			`with {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} <-`
			`:eldap.search(connection, [`
			`{:base, to_charlist(base)},`
			`{:filter, :eldap.equalityMatch(to_charlist("mail"), to_charlist(email))},`
			`{:scope, :eldap.wholeSubtree()},`
			`{:attributes, [to_charlist(uid)]},`
			`{:timeout, @search_timeout}`
			`]),`
			`{:uid, {_, [uid]}} <- {:uid, List.keyfind(attributes, to_charlist(uid), 0)} do`
			`:erlang.list_to_binary(uid)`
			`else`
			`{:ok, {:eldap_search_result, [], []}} ->`
			`Logger.info("Unable to find user with email #{email}")`
			`{:error, :ldap_search_email_not_found}`

			`{:cn, err} ->`
			`Logger.error("Could not find LDAP attribute CN: #{inspect(err)}")`
			`{:error, :ldap_searcy_missing_attributes}`

			`error ->`
			`error`
			`end`
			`end`

			`@spec register_user(String.t()) :: User.t() \| any()`
			`defp register_user(email) do`
			`case Users.create_external(email, "ldap") do`
			`{:ok, %User{} = user} ->`
			`user`

			`error ->`
			`error`
			`end`
			`end`

			`@spec ensure_eventual_tls(any(), Keyword.t()) :: :ok`
			`defp ensure_eventual_tls(connection, ldap) do`
			`if Keyword.get(ldap, :tls, false) do`
			`:application.ensure_all_started(:ssl)`

			`case :eldap.start_tls(`
			`connection,`
			`Keyword.get(ldap, :tlsopts, []),`
			`@connection_timeout`
			`) do`
			`:ok ->`
			`:ok`

			`error ->`
			`Logger.error("Could not start TLS: #{inspect(error)}")`
			`end`
			`end`

			`:ok`
			`end`
			`end`