git.squeep.com Git - akkoma/blob - lib/pleroma/web/auth/ldap_authenticator.ex

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Web.Auth.LDAPAuthenticator do
   6   alias Pleroma.User
   7
   8   require Logger
   9
  10   @behaviour Pleroma.Web.Auth.Authenticator
  11   @base Pleroma.Web.Auth.PleromaAuthenticator
  12
  13   @connection_timeout 10_000
  14   @search_timeout 10_000
  15
  16   defdelegate get_registration(conn), to: @base
  17   defdelegate create_from_registration(conn, registration), to: @base
  18   defdelegate handle_error(conn, error), to: @base
  19   defdelegate auth_template, to: @base
  20   defdelegate oauth_consumer_template, to: @base
  21
  22   def get_user(%Plug.Conn{} = conn) do
  23     if Pleroma.Config.get([:ldap, :enabled]) do
  24       {name, password} =
  25         case conn.params do
  26           %{"authorization" => %{"name" => name, "password" => password}} ->
  27             {name, password}
  28
  29           %{"grant_type" => "password", "username" => name, "password" => password} ->
  30             {name, password}
  31         end
  32
  33       case ldap_user(name, password) do
  34         %User{} = user ->
  35           {:ok, user}
  36
  37         {:error, {:ldap_connection_error, _}} ->
  38           # When LDAP is unavailable, try default authenticator
  39           @base.get_user(conn)
  40
  41         error ->
  42           error
  43       end
  44     else
  45       # Fall back to default authenticator
  46       @base.get_user(conn)
  47     end
  48   end
  49
  50   defp ldap_user(name, password) do
  51     ldap = Pleroma.Config.get(:ldap, [])
  52     host = Keyword.get(ldap, :host, "localhost")
  53     port = Keyword.get(ldap, :port, 389)
  54     ssl = Keyword.get(ldap, :ssl, false)
  55     sslopts = Keyword.get(ldap, :sslopts, [])
  56
  57     options =
  58       [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
  59         if sslopts != [], do: [{:sslopts, sslopts}], else: []
  60
  61     case :eldap.open([to_charlist(host)], options) do
  62       {:ok, connection} ->
  63         try do
  64           if Keyword.get(ldap, :tls, false) do
  65             :application.ensure_all_started(:ssl)
  66
  67             case :eldap.start_tls(
  68                    connection,
  69                    Keyword.get(ldap, :tlsopts, []),
  70                    @connection_timeout
  71                  ) do
  72               :ok ->
  73                 :ok
  74
  75               error ->
  76                 Logger.error("Could not start TLS: #{inspect(error)}")
  77             end
  78           end
  79
  80           bind_user(connection, ldap, name, password)
  81         after
  82           :eldap.close(connection)
  83         end
  84
  85       {:error, error} ->
  86         Logger.error("Could not open LDAP connection: #{inspect(error)}")
  87         {:error, {:ldap_connection_error, error}}
  88     end
  89   end
  90
  91   defp bind_user(connection, ldap, name, password) do
  92     uid = Keyword.get(ldap, :uid, "cn")
  93     base = Keyword.get(ldap, :base)
  94
  95     case :eldap.simple_bind(connection, "#{uid}=#{name},#{base}", password) do
  96       :ok ->
  97         case User.get_by_nickname_or_email(name) do
  98           %User{} = user ->
  99             user
 100
 101           _ ->
 102             register_user(connection, base, uid, name, password)
 103         end
 104
 105       error ->
 106         error
 107     end
 108   end
 109
 110   defp register_user(connection, base, uid, name, password) do
 111     case :eldap.search(connection, [
 112            {:base, to_charlist(base)},
 113            {:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))},
 114            {:scope, :eldap.wholeSubtree()},
 115            {:attributes, ['mail', 'email']},
 116            {:timeout, @search_timeout}
 117          ]) do
 118       {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} ->
 119         with {_, [mail]} <- List.keyfind(attributes, 'mail', 0) do
 120           params = %{
 121             email: :erlang.list_to_binary(mail),
 122             name: name,
 123             nickname: name,
 124             password: password,
 125             password_confirmation: password
 126           }
 127
 128           changeset = User.register_changeset(%User{}, params)
 129
 130           case User.register(changeset) do
 131             {:ok, user} -> user
 132             error -> error
 133           end
 134         else
 135           _ ->
 136             Logger.error("Could not find LDAP attribute mail: #{inspect(attributes)}")
 137             {:error, :ldap_registration_missing_attributes}
 138         end
 139
 140       error ->
 141         error
 142     end
 143   end
 144 end