git.squeep.com Git - akkoma/blob - lib/pleroma/web/auth/ldap_authenticator.ex

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Web.Auth.LDAPAuthenticator do
   6   alias Pleroma.User
   7
   8   require Logger
   9
  10   @behaviour Pleroma.Web.Auth.Authenticator
  11   @base Pleroma.Web.Auth.PleromaAuthenticator
  12
  13   @connection_timeout 10_000
  14   @search_timeout 10_000
  15
  16   defdelegate get_registration(conn, params), to: @base
  17
  18   defdelegate create_from_registration(conn, params, registration), to: @base
  19
  20   def get_user(%Plug.Conn{} = conn, params) do
  21     if Pleroma.Config.get([:ldap, :enabled]) do
  22       {name, password} =
  23         case params do
  24           %{"authorization" => %{"name" => name, "password" => password}} ->
  25             {name, password}
  26
  27           %{"grant_type" => "password", "username" => name, "password" => password} ->
  28             {name, password}
  29         end
  30
  31       case ldap_user(name, password) do
  32         %User{} = user ->
  33           {:ok, user}
  34
  35         {:error, {:ldap_connection_error, _}} ->
  36           # When LDAP is unavailable, try default authenticator
  37           @base.get_user(conn, params)
  38
  39         error ->
  40           error
  41       end
  42     else
  43       # Fall back to default authenticator
  44       @base.get_user(conn, params)
  45     end
  46   end
  47
  48   def handle_error(%Plug.Conn{} = _conn, error) do
  49     error
  50   end
  51
  52   def auth_template, do: nil
  53
  54   def oauth_consumer_template, do: nil
  55
  56   defp ldap_user(name, password) do
  57     ldap = Pleroma.Config.get(:ldap, [])
  58     host = Keyword.get(ldap, :host, "localhost")
  59     port = Keyword.get(ldap, :port, 389)
  60     ssl = Keyword.get(ldap, :ssl, false)
  61     sslopts = Keyword.get(ldap, :sslopts, [])
  62
  63     options =
  64       [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
  65         if sslopts != [], do: [{:sslopts, sslopts}], else: []
  66
  67     case :eldap.open([to_charlist(host)], options) do
  68       {:ok, connection} ->
  69         try do
  70           if Keyword.get(ldap, :tls, false) do
  71             :application.ensure_all_started(:ssl)
  72
  73             case :eldap.start_tls(
  74                    connection,
  75                    Keyword.get(ldap, :tlsopts, []),
  76                    @connection_timeout
  77                  ) do
  78               :ok ->
  79                 :ok
  80
  81               error ->
  82                 Logger.error("Could not start TLS: #{inspect(error)}")
  83             end
  84           end
  85
  86           bind_user(connection, ldap, name, password)
  87         after
  88           :eldap.close(connection)
  89         end
  90
  91       {:error, error} ->
  92         Logger.error("Could not open LDAP connection: #{inspect(error)}")
  93         {:error, {:ldap_connection_error, error}}
  94     end
  95   end
  96
  97   defp bind_user(connection, ldap, name, password) do
  98     uid = Keyword.get(ldap, :uid, "cn")
  99     base = Keyword.get(ldap, :base)
 100
 101     case :eldap.simple_bind(connection, "#{uid}=#{name},#{base}", password) do
 102       :ok ->
 103         case User.get_by_nickname_or_email(name) do
 104           %User{} = user ->
 105             user
 106
 107           _ ->
 108             register_user(connection, base, uid, name, password)
 109         end
 110
 111       error ->
 112         error
 113     end
 114   end
 115
 116   defp register_user(connection, base, uid, name, password) do
 117     case :eldap.search(connection, [
 118            {:base, to_charlist(base)},
 119            {:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))},
 120            {:scope, :eldap.wholeSubtree()},
 121            {:attributes, ['mail', 'email']},
 122            {:timeout, @search_timeout}
 123          ]) do
 124       {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} ->
 125         with {_, [mail]} <- List.keyfind(attributes, 'mail', 0) do
 126           params = %{
 127             email: :erlang.list_to_binary(mail),
 128             name: name,
 129             nickname: name,
 130             password: password,
 131             password_confirmation: password
 132           }
 133
 134           changeset = User.register_changeset(%User{}, params)
 135
 136           case User.register(changeset) do
 137             {:ok, user} -> user
 138             error -> error
 139           end
 140         else
 141           _ ->
 142             Logger.error("Could not find LDAP attribute mail: #{inspect(attributes)}")
 143             {:error, :ldap_registration_missing_attributes}
 144         end
 145
 146       error ->
 147         error
 148     end
 149   end
 150 end