add memberOf support for LDAP

Author: marle3003

providers/directory/config.go

@@ -8,6 +8,8 @@ import (
 	"net/url"
 	"path/filepath"
 	"strings"
+
+	log "github.com/sirupsen/logrus"
 )
 
 type Config struct {
@@ -34,7 +36,7 @@ type Info struct {
 }
 
 func (c *Config) Parse(config *dynamic.Config, reader dynamic.Reader) error {
-	c.Entries = &sortedmap.LinkedHashMap[string, Entry]{}
+	c.Entries = &sortedmap.LinkedHashMap[string, Entry]{KeyNormalizer: normalizeDN}
 	// copy from old format
 	for k, v := range c.oldEntries {
 		c.Entries.Set(k, v)
@@ -168,13 +170,52 @@ func (c *Config) Parse(config *dynamic.Config, reader dynamic.Reader) error {
 		}
 	}
 
+	c.rebuildMemberOf()
+
 	return nil
 }
 
 func (c *Config) getSizeLimit() int64 {
 	return c.SizeLimit
 }
 
+func (c *Config) rebuildMemberOf() {
+	// reset entries
+
+	groups := map[string][]string{}
+	for it := c.Entries.Iter(); it.Next(); {
+		groupName := it.Key()
+		for k, v := range it.Value().Attributes {
+			if k == "member" {
+				if _, ok := groups[k]; !ok {
+					groups[k] = []string{}
+				}
+				for _, member := range v {
+					groups[groupName] = append(groups[groupName], member)
+				}
+			}
+			if k == "memberOf" {
+				delete(it.Value().Attributes, "memberOf")
+			}
+		}
+	}
+
+	for group, members := range groups {
+		for _, member := range members {
+			e, ok := c.Entries.Get(member)
+			if !ok {
+				log.Warnf("LDAP: member %s for group %s not found", member, group)
+				continue
+			}
+			if e.Attributes == nil {
+				e.Attributes = map[string][]string{}
+			}
+			e.Attributes["memberOf"] = append(e.Attributes["memberOf"], group)
+			c.Entries.Set(member, e)
+		}
+	}
+}
+
 func (e *Entry) Parse(config *dynamic.Config, reader dynamic.Reader) error {
 	if aList, ok := e.Attributes["thumbnailphoto"]; ok {
 		for i, a := range aList {
@@ -208,13 +249,13 @@ func (e *Entry) Parse(config *dynamic.Config, reader dynamic.Reader) error {
 	return nil
 }
 
-func formatDN(dn string) string {
+func normalizeDN(dn string) string {
 	result := ""
 	for _, rdn := range strings.Split(dn, ",") {
 		if len(result) > 0 {
 			result += ","
 		}
-		result += strings.TrimSpace(rdn)
+		result += strings.TrimSpace(strings.ToLower(rdn))
 	}
 	return result
 }

providers/directory/config_ldif_test.go

@@ -2,11 +2,12 @@ package directory
 
 import (
 	"encoding/json"
-	"github.com/stretchr/testify/require"
 	"mokapi/config/dynamic"
 	"mokapi/config/dynamic/dynamictest"
 	"mokapi/try"
 	"testing"
+
+	"github.com/stretchr/testify/require"
 )
 
 func TestLdif_Parse(t *testing.T) {
@@ -23,7 +24,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 				}, ld.Records[0])
 			},
 		},
@@ -34,10 +35,10 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 2)
 				require.Equal(t, &AddRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 				}, ld.Records[0])
 				require.Equal(t, &AddRecord{
-					Dn: "ou=Sales,dc=mokapi,dc=io",
+					Dn: "ou=Sales, dc=mokapi, dc=io",
 				}, ld.Records[1])
 			},
 		},
@@ -48,10 +49,10 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 2)
 				require.Equal(t, &AddRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 				}, ld.Records[0])
 				require.Equal(t, &AddRecord{
-					Dn: "ou=Sales,dc=mokapi,dc=io",
+					Dn: "ou=Sales, dc=mokapi, dc=io",
 				}, ld.Records[1])
 			},
 		},
@@ -69,7 +70,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn:         "dc=mokapi,dc=io",
+					Dn:         "dc=mokapi, dc=io",
 					Attributes: map[string][]string{"description": {"foo bar"}},
 				}, ld.Records[0])
 			},
@@ -81,7 +82,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn:         "dc=mokapi,dc=io",
+					Dn:         "dc=mokapi, dc=io",
 					Attributes: map[string][]string{"attribute": {"foo"}},
 				}, ld.Records[0])
 			},
@@ -93,7 +94,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 				}, ld.Records[0])
 			},
 		},
@@ -104,7 +105,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn:         "dc=mokapi,dc=io",
+					Dn:         "dc=mokapi, dc=io",
 					Attributes: map[string][]string{"foo": {"bar"}},
 				}, ld.Records[0])
 			},
@@ -116,7 +117,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 				}, ld.Records[0])
 			},
 		},
@@ -127,7 +128,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn:         "dc=mokapi,dc=io",
+					Dn:         "dc=mokapi, dc=io",
 					Attributes: map[string][]string{"foo": {""}},
 				}, ld.Records[0])
 			},
@@ -139,7 +140,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 				}, ld.Records[0])
 			},
 		},
@@ -150,7 +151,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &DeleteRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 				}, ld.Records[0])
 			},
 		},
@@ -161,7 +162,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &ModifyRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 				}, ld.Records[0])
 			},
 		},
@@ -172,7 +173,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &ModifyRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 					Actions: []*ModifyAction{
 						{
 							Type:       "add",
@@ -190,7 +191,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &ModifyRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 					Actions: []*ModifyAction{
 						{
 							Type:       "replace",
@@ -208,7 +209,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &ModifyRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 					Actions: []*ModifyAction{
 						{
 							Type: "delete",
@@ -232,7 +233,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 					Attributes: map[string][]string{
 						"photo": {"1234"},
 					},
@@ -246,7 +247,7 @@ func TestLdif_Parse(t *testing.T) {
 				require.NoError(t, err)
 				require.Len(t, ld.Records, 1)
 				require.Equal(t, &AddRecord{
-					Dn: "dc=mokapi,dc=io",
+					Dn: "dc=mokapi, dc=io",
 					Attributes: map[string][]string{
 						"description": {"foobar"},
 					},
@@ -333,7 +334,7 @@ func TestConfig_LDIF(t *testing.T) {
 			test: func(t *testing.T, c *Config, err error) {
 				require.NoError(t, err)
 				require.Equal(t, 3, c.Entries.Len())
-				require.Len(t, c.Entries.Lookup("dc=mokapi,dc=io").Attributes, 0)
+				require.Len(t, c.Entries.Lookup("dc=mokapi, dc=io").Attributes, 0)
 			},
 		},
 		{

providers/directory/directory.go

@@ -161,6 +161,7 @@ func (d *Directory) serveModify(rw ldap.ResponseWriter, r *ldap.ModifyRequest, c
 		res = &ldap.ModifyResponse{ResultCode: ee.Code, MatchedDn: r.Dn, Message: err.Error()}
 	} else {
 		res = &ldap.ModifyResponse{ResultCode: ldap.Success, MatchedDn: r.Dn}
+		go d.config.rebuildMemberOf()
 	}
 
 	m, doMonitor := monitor.LdapFromContext(ctx)
@@ -211,6 +212,7 @@ func (d *Directory) serveAdd(rw ldap.ResponseWriter, r *ldap.AddRequest, ctx con
 		res = &ldap.AddResponse{ResultCode: ee.Code, Message: err.Error()}
 	} else {
 		res = &ldap.AddResponse{ResultCode: ldap.Success, MatchedDn: r.Dn}
+		go d.config.rebuildMemberOf()
 	}
 
 	m, doMonitor := monitor.LdapFromContext(ctx)
@@ -242,6 +244,7 @@ func (d *Directory) serveDelete(rw ldap.ResponseWriter, r *ldap.DeleteRequest, c
 		res = &ldap.DeleteResponse{ResultCode: ee.Code, MatchedDn: del.Dn, Message: err.Error()}
 	} else {
 		res = &ldap.DeleteResponse{ResultCode: ldap.Success, MatchedDn: del.Dn}
+		go d.config.rebuildMemberOf()
 	}
 
 	m, doMonitor := monitor.LdapFromContext(ctx)
@@ -276,6 +279,7 @@ func (d *Directory) serveModifyDn(rw ldap.ResponseWriter, r *ldap.ModifyDNReques
 		res = &ldap.ModifyDNResponse{ResultCode: ee.Code, MatchedDn: r.Dn, Message: err.Error()}
 	} else {
 		res = &ldap.ModifyDNResponse{ResultCode: ldap.Success, MatchedDn: r.Dn}
+		go d.config.rebuildMemberOf()
 	}
 
 	m, doMonitor := monitor.LdapFromContext(ctx)

providers/directory/ldif.go

@@ -83,7 +83,7 @@ func (l *Ldif) Parse(config *dynamic.Config, reader dynamic.Reader) error {
 
 		switch kv[0] {
 		case "dn":
-			dn = formatDN(val)
+			dn = val
 			rec = &AddRecord{Dn: dn}
 		case "changetype":
 			switch val {

providers/directory/search.go

@@ -250,6 +250,10 @@ func (p *parser) parseSet(filter string) ([]predicate, int, error) {
 }
 
 func (p *parser) predicate(op int, name, value, rule string) (predicate, error) {
+	if strings.ToLower(name) == "memberof" {
+		value = normalizeDN(value)
+	}
+
 	switch op {
 	case ldap.FilterEqualityMatch:
 		if strings.Contains(value, "*") {
@@ -333,7 +337,7 @@ func (p *parser) substring(name, value string) predicate {
 
 func (p *parser) equal(name, value string) (predicate, error) {
 	f := func(s string) bool {
-		return value == s
+		return strings.ToLower(value) == strings.ToLower(s)
 	}
 
 	if p.s != nil {

providers/directory/search_test.go

@@ -549,6 +549,63 @@ func TestSearch(t *testing.T) {
 				}))
 				res := rr.Message.(*ldap.SearchResponse)
 
+				require.Len(t, res.Results, 1)
+			},
+		},
+		{
+			name:  "memberOf",
+			input: `{ "files": [ "./users.ldif" ] }`,
+			reader: &dynamictest.Reader{Data: map[string]*dynamic.Config{
+				"file:/users.ldif": {Raw: []byte("dn: cn=user\n\ndn: cn=group\nmember: cn=user")},
+			}},
+			test: func(t *testing.T, h ldap.Handler, err error) {
+				require.NoError(t, err)
+
+				rr := ldaptest.NewRecorder()
+				h.ServeLDAP(rr, ldaptest.NewRequest(0, &ldap.SearchRequest{
+					Scope:  ldap.ScopeWholeSubtree,
+					Filter: "(memberOf=cn=group)",
+				}))
+				res := rr.Message.(*ldap.SearchResponse)
+
+				require.Len(t, res.Results, 1)
+			},
+		},
+		{
+			name:  "memberOf different cases",
+			input: `{ "files": [ "./users.ldif" ] }`,
+			reader: &dynamictest.Reader{Data: map[string]*dynamic.Config{
+				"file:/users.ldif": {Raw: []byte("dn: cn=uSEr\n\ndn: cn=group\nmember: cn=UseR")},
+			}},
+			test: func(t *testing.T, h ldap.Handler, err error) {
+				require.NoError(t, err)
+
+				rr := ldaptest.NewRecorder()
+				h.ServeLDAP(rr, ldaptest.NewRequest(0, &ldap.SearchRequest{
+					Scope:  ldap.ScopeWholeSubtree,
+					Filter: "(memberOf=cn=GRoup)",
+				}))
+				res := rr.Message.(*ldap.SearchResponse)
+
+				require.Len(t, res.Results, 1)
+			},
+		},
+		{
+			name:  "memberOf normalize DN",
+			input: `{ "files": [ "./users.ldif" ] }`,
+			reader: &dynamictest.Reader{Data: map[string]*dynamic.Config{
+				"file:/users.ldif": {Raw: []byte("dn: uid=ff, cn=user\n\ndn: uid=cc,cn=group\nmember: uid=ff,cn=user")},
+			}},
+			test: func(t *testing.T, h ldap.Handler, err error) {
+				require.NoError(t, err)
+
+				rr := ldaptest.NewRecorder()
+				h.ServeLDAP(rr, ldaptest.NewRequest(0, &ldap.SearchRequest{
+					Scope:  ldap.ScopeWholeSubtree,
+					Filter: "(memberOf=uid=cc, cn=group)",
+				}))
+				res := rr.Message.(*ldap.SearchResponse)
+
 				require.Len(t, res.Results, 1)
 			},
 		},