✨ Add simple bind authentication (#9)

camh- · web-flow · commit 4a27bfdff92c · 2025-09-01T13:08:32.000+10:00
Handle simple bind requests of the server using the username and password fields. The username is the DN of an entry that must be of an appropriate `objectClass` for authentication and contain a `userPassword` attribute containing a value with a supported hash scheme. The password passed to the bind method is hashed according to the scheme and compared to the stored hash, and if it matches, the bind method returns success. Pull-request: #9
diff --git a/db.go b/db.go
@@ -1,14 +1,29 @@
 package main
 
 import (
+	"bytes"
+	"cmp"
+	"crypto/sha1" //nolint:gosec // may be weak, but we use it
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/base64"
 	"errors"
 	"fmt"
+	"hash"
 	"iter"
 	"slices"
 	"strconv"
 	"strings"
 )
 
+var (
+	ErrInvalidEntryForAuth  = errors.New("invalid entry for authentication")
+	ErrAuthenticationFailed = errors.New("authentication failed")
+	ErrMalformedBase64      = errors.New("hashtext base64 encoding malformed")
+	ErrHashtextTooShort     = errors.New("hashtext too short")
+	ErrMissingSalt          = errors.New("hashtext has missing salt")
+)
+
 // DB is an LDAP database, which is just a collection of entries and indicies
 // over that collection. The DIT is the hierarchy of entries based on each
 // entries DN.
@@ -54,6 +69,94 @@ func (e *Entry) GetAttr(attr string) (Attr, bool) {
 	return v, ok
 }
 
+// Authenticate checks that the LDAP Entry is valid for authentication and that
+// the entry has a password that matches the given password. If so nil is
+// returned. Otherwise an error is returned.
+//
+// The form of hashed password in an entry is described by "[RFC 2307, 5.3]
+// Interpreting user and group entries" with the supported schemes being SSHA
+// (salted SHA-1), SSHA256 (salted SHA-256) and SSHA512 (salted SHA-512). This
+// is how [OpenLDAP passwords] are done, so this does it the same. e.g.
+// "{SSHA}<base64-encoded-hash+salt>".
+//
+// [RFC 2307, 5.3]: https://datatracker.ietf.org/doc/html/rfc2307#section-5.3
+// [OpenLDAP passwords]: https://www.openldap.org/faq/data/cache/347.html
+func (e *Entry) Authenticate(password string) error {
+	if !e.isValidForAuthentication() {
+		return ErrInvalidEntryForAuth
+	}
+
+	// hashSchemes is a list of supported password hashing schemes
+	// with their functions for creating a hash.Hash for that scheme.
+	hashSchemes := map[string]func() hash.Hash{
+		"{SSHA}":    sha1.New,
+		"{SSHA256}": sha256.New,
+		"{SSHA512}": sha512.New,
+	}
+
+	var firstErr error
+	hashedPasswords, _ := e.GetAttr("userPassword")
+	for _, hashedPassword := range hashedPasswords.Vals {
+		scheme, hashtext, ok := splitScheme(hashedPassword)
+		if !ok || hashSchemes[scheme] == nil {
+			continue
+		}
+		ok, err := pwCheckSaltedHash(password, hashtext, hashSchemes[scheme])
+		if ok {
+			return nil
+		}
+		firstErr = cmp.Or(firstErr, err)
+	}
+
+	return cmp.Or(firstErr, ErrAuthenticationFailed)
+}
+
+func (e *Entry) isValidForAuthentication() bool {
+	// authClasses is a list of objectClasses for entries that are
+	// valid for authentication. If an entry does not have one of
+	// these objectClasses, an attempt to authenticate with its DN
+	// will fail.
+	authClasses := []string{"posixAccount", "posixGroup", "shadowAccount"}
+
+	entryClasses, _ := e.GetAttr("objectClass")
+	for _, authClass := range authClasses {
+		if entryClasses.HasValue(authClass) {
+			return true
+		}
+	}
+	return false
+}
+
+func splitScheme(hashedPassword string) (string, string, bool) {
+	idx := strings.IndexRune(hashedPassword, '}')
+	if idx == -1 || (len(hashedPassword) > 0 && hashedPassword[0] != '{') {
+		return "", "", false
+	}
+	return hashedPassword[:idx+1], hashedPassword[idx+1:], true
+}
+
+func pwCheckSaltedHash(password string, hashtext string, newHash func() hash.Hash) (bool, error) {
+	h := newHash()
+	hps, err := base64.StdEncoding.DecodeString(hashtext)
+	if err != nil {
+		return false, ErrMalformedBase64
+	}
+	if len(hps) < h.Size() {
+		return false, ErrHashtextTooShort
+	}
+	if len(hps) == h.Size() {
+		return false, ErrMissingSalt
+	}
+
+	expected := hps[:h.Size()]
+	salt := hps[h.Size():]
+
+	h.Write([]byte(password))
+	h.Write(salt)
+
+	return bytes.Equal(h.Sum(nil), expected), nil
+}
+
 // HasValue returns true if val is one of the values of the attribute. The
 // value is compared case-sensitively, regardless of what an LDAP schema
 // may say for that attribute.
diff --git a/db_test.go b/db_test.go
@@ -1,6 +1,12 @@
 package main
 
 import (
+	"crypto/sha1" //nolint:gosec // may be weak, but we use it
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/base64"
+	"hash"
+	"io"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -147,3 +153,142 @@ func Test_Entry_CaseInsensitiveAttrs(t *testing.T) {
 	require.Equal(t, "objectClass", a.Name)
 	require.Equal(t, emap["objectClass"], a.Vals[0])
 }
+
+func Test_Entry_Auth(t *testing.T) {
+	type testcase struct {
+		name         string
+		objectClass  string
+		scheme       string
+		userPassword string
+		expectErr    error
+	}
+
+	testfunc := func(t *testing.T, tt testcase) { //nolint:thelper // not a helper
+		password := "password"
+		entryMap := map[string]any{
+			"dn":          "uid=alice,dc=example,dc=com",
+			"objectClass": tt.objectClass,
+		}
+		var userPassword []any
+		if tt.userPassword != "" {
+			userPassword = append(userPassword, tt.userPassword)
+		}
+		if tt.scheme != "" {
+			hashedPassword := hashPassword(t, password, tt.scheme)
+			userPassword = append(userPassword, hashedPassword)
+		}
+		if userPassword != nil {
+			entryMap["userPassword"] = userPassword
+		}
+		e, err := NewEntryFromMap(entryMap)
+		require.NoError(t, err)
+		err = e.Authenticate(password)
+		if tt.expectErr != nil {
+			require.ErrorIs(t, err, tt.expectErr)
+		} else {
+			require.NoError(t, err)
+		}
+	}
+
+	testcases := []testcase{
+		{
+			name:        "Salted SHA-1",
+			objectClass: "posixAccount",
+			scheme:      "SSHA",
+		},
+		{
+			name:        "Salted SHA-256",
+			objectClass: "posixAccount",
+			scheme:      "SSHA256",
+		},
+		{
+			name:        "Salted SHA-512",
+			objectClass: "posixAccount",
+			scheme:      "SSHA512",
+		},
+		{
+			name:        "posixGroup entry",
+			objectClass: "posixGroup",
+			scheme:      "SSHA",
+		},
+		{
+			name:        "shadowAccount entry",
+			objectClass: "shadowAccount",
+			scheme:      "SSHA",
+		},
+		{
+			name:         "multiple schemes",
+			objectClass:  "posixAccount",
+			userPassword: "{UNKNOWN}R09BVCBpcyBteSBzaGVwaGFyZAo=",
+			scheme:       "SSHA",
+		},
+		{
+			name:        "invalid objectClass",
+			objectClass: "person",
+			expectErr:   ErrInvalidEntryForAuth,
+		},
+		{
+			name:         "unknown scheme in entry",
+			objectClass:  "posixAccount",
+			userPassword: "{UNKNOWN}R09BVCBpcyBteSBzaGVwaGFyZAo=",
+			expectErr:    ErrAuthenticationFailed,
+		},
+		{
+			name:         "missing scheme",
+			objectClass:  "posixAccount",
+			userPassword: "R09BVCBpcyBteSBzaGVwaGFyZAo=",
+			expectErr:    ErrAuthenticationFailed,
+		},
+		{
+			name:         "invalid scheme",
+			objectClass:  "posixAccount",
+			userPassword: "SSHA}R09BVCBpcyBteSBzaGVwaGFyZAo=",
+			expectErr:    ErrAuthenticationFailed,
+		},
+		{
+			name:         "malformed base64",
+			objectClass:  "posixAccount",
+			userPassword: "{SSHA}#$@!@#$",
+			expectErr:    ErrMalformedBase64,
+		},
+		{
+			name:        "short hash",
+			objectClass: "posixAccount",
+			// echo -n not-hashed | openssl base64
+			userPassword: "{SSHA}bm90LWhhc2hlZA==",
+			expectErr:    ErrHashtextTooShort,
+		},
+		{
+			name:        "missing salt",
+			objectClass: "posixAccount",
+			// echo -n password | openssl dgst -binary -sha1 | openssl base64
+			userPassword: "{SSHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
+			expectErr:    ErrMissingSalt,
+		},
+	}
+
+	for _, tt := range testcases {
+		t.Run(tt.name, func(t *testing.T) { testfunc(t, tt) })
+	}
+}
+
+func hashPassword(t *testing.T, password string, scheme string) string {
+	t.Helper()
+
+	newHash := map[string]func() hash.Hash{
+		"SSHA":    sha1.New,
+		"SSHA256": sha256.New,
+		"SSHA512": sha512.New,
+	}
+
+	require.Contains(t, newHash, scheme)
+
+	// Use a fixed salt in tests
+	salt := "0123456789ABCDEF"
+
+	h := newHash[scheme]()
+	io.WriteString(h, password) //nolint:errcheck,gosec // cannot error
+	io.WriteString(h, salt)     //nolint:errcheck,gosec // cannot error
+
+	return "{" + scheme + "}" + base64.StdEncoding.EncodeToString(append(h.Sum(nil), salt...))
+}
diff --git a/server.go b/server.go
@@ -44,6 +44,8 @@ func (s *Server) Run(listen string) error {
 }
 
 func (s *Server) handleBind(w *gldap.ResponseWriter, r *gldap.Request) {
+	// Set the default response to InvalidCredentials, so we only
+	// return success if explicitly overridden.
 	resp := r.NewBindResponse(gldap.WithResponseCode(gldap.ResultInvalidCredentials))
 	defer w.Write(resp) //nolint:errcheck // not much to do if it fails
 
@@ -53,14 +55,34 @@ func (s *Server) handleBind(w *gldap.ResponseWriter, r *gldap.Request) {
 		return
 	}
 
-	if m.UserName == "" && m.Password == "" {
+	switch {
+	case m.UserName == "" && m.Password == "":
 		slog.Info("anonymous bind")
-	} else if m.UserName != "" && m.Password != "" {
-		slog.Info("simple bind", "username", m.UserName, "password", m.Password)
-	} else {
-		slog.Error("invalid bind")
+	case m.UserName != "" && m.Password != "":
+		bindDN, err := NewDN(m.UserName)
+		if err != nil {
+			slog.Error("bind with invalid DN", "error", err.Error(), "username", m.UserName)
+			return
+		}
+		node := s.db.DIT.Find(bindDN)
+		if node == nil {
+			slog.Error("bind with unknown DN", "username", m.UserName)
+			return
+		}
+		err = node.Entry.Authenticate(string(m.Password))
+		if err != nil {
+			slog.Error("bind failed", "username", m.UserName, "error", err)
+			return
+		}
+		slog.Info("simple bind", "username", m.UserName)
+	case m.UserName == "":
+		slog.Error("invalid bind: missing username")
+		return
+	case m.Password == "":
+		slog.Error("invalid bind: missing password")
 		return
 	}
+	// Override InvalidCredentials set above.
 	resp.SetResultCode(gldap.ResultSuccess)
 }
 
