From 88a672fe88deae53d5459d651859be65555e6af2 Mon Sep 17 00:00:00 2001 From: link0ff Date: Sun, 3 Mar 2019 21:20:36 +0200 Subject: [PATCH] Move LDAP code to LDAPAuthenticator. Use Authenticator for token_exchange with grant_type as well --- docs/config.md | 5 +++ .../auth/ldap_authenticator.ex} | 42 +++++++++++++++++-- lib/pleroma/web/auth/pleroma_authenticator.ex | 9 +++- lib/pleroma/web/oauth/oauth_controller.ex | 31 ++------------ 4 files changed, 55 insertions(+), 32 deletions(-) rename lib/pleroma/{ldap.ex => web/auth/ldap_authenticator.ex} (68%) diff --git a/docs/config.md b/docs/config.md index d7349d54f..8d6770959 100644 --- a/docs/config.md +++ b/docs/config.md @@ -336,3 +336,8 @@ config :auto_linker, * `sslopts`: additional SSL options * `base`: LDAP base, e.g. "dc=example,dc=com" * `uid`: attribute type to authenticate the user, e.g. when "cn", the filter will be "cn=username,base" + +## Pleroma.Web.Auth.Authenticator + +* `Pleroma.Web.Auth.PleromaAuthenticator`: default database authenticator +* `Pleroma.Web.Auth.LDAPAuthenticator`: LDAP authentication diff --git a/lib/pleroma/ldap.ex b/lib/pleroma/web/auth/ldap_authenticator.ex similarity index 68% rename from lib/pleroma/ldap.ex rename to lib/pleroma/web/auth/ldap_authenticator.ex index 282d8e553..56f2f5aed 100644 --- a/lib/pleroma/ldap.ex +++ b/lib/pleroma/web/auth/ldap_authenticator.ex @@ -2,15 +2,51 @@ # Copyright © 2017-2019 Pleroma Authors # SPDX-License-Identifier: AGPL-3.0-only -defmodule Pleroma.LDAP do +defmodule Pleroma.Web.Auth.LDAPAuthenticator do alias Pleroma.User require Logger + @behaviour Pleroma.Web.Auth.Authenticator + @connection_timeout 10_000 @search_timeout 10_000 - def get_user(name, password) do + def get_user(%Plug.Conn{} = conn) do + if Pleroma.Config.get([:ldap, :enabled]) do + {name, password} = + case conn.params do + %{"authorization" => %{"name" => name, "password" => password}} -> + {name, password} + + %{"grant_type" => "password", "username" => name, "password" => password} -> + {name, password} + end + + case ldap_user(name, password) do + %User{} = user -> + {:ok, user} + + {:error, {:ldap_connection_error, _}} -> + # When LDAP is unavailable, try default authenticator + Pleroma.Web.Auth.PleromaAuthenticator.get_user(conn) + + error -> + error + end + else + # Fall back to default authenticator + Pleroma.Web.Auth.PleromaAuthenticator.get_user(conn) + end + end + + def handle_error(%Plug.Conn{} = _conn, error) do + error + end + + def auth_template, do: nil + + defp ldap_user(name, password) do ldap = Pleroma.Config.get(:ldap, []) host = Keyword.get(ldap, :host, "localhost") port = Keyword.get(ldap, :port, 389) @@ -50,7 +86,7 @@ defmodule Pleroma.LDAP do end end - def register_user(connection, base, uid, name, password) do + defp register_user(connection, base, uid, name, password) do case :eldap.search(connection, [ {:base, to_charlist(base)}, {:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))}, diff --git a/lib/pleroma/web/auth/pleroma_authenticator.ex b/lib/pleroma/web/auth/pleroma_authenticator.ex index 3cc19af01..360772895 100644 --- a/lib/pleroma/web/auth/pleroma_authenticator.ex +++ b/lib/pleroma/web/auth/pleroma_authenticator.ex @@ -9,7 +9,14 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do @behaviour Pleroma.Web.Auth.Authenticator def get_user(%Plug.Conn{} = conn) do - %{"authorization" => %{"name" => name, "password" => password}} = conn.params + {name, password} = + case conn.params do + %{"authorization" => %{"name" => name, "password" => password}} -> + {name, password} + + %{"grant_type" => "password", "username" => name, "password" => password} -> + {name, password} + end with {_, %User{} = user} <- {:user, User.get_by_nickname_or_email(name)}, {_, true} <- {:checkpw, Pbkdf2.checkpw(password, user.password_hash)} do diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex index c2b6dd477..7d5a5b9c5 100644 --- a/lib/pleroma/web/oauth/oauth_controller.ex +++ b/lib/pleroma/web/oauth/oauth_controller.ex @@ -11,7 +11,6 @@ defmodule Pleroma.Web.OAuth.OAuthController do alias Pleroma.Web.OAuth.App alias Pleroma.Repo alias Pleroma.User - alias Comeonin.Pbkdf2 import Pleroma.Web.ControllerHelper, only: [oauth_scopes: 2] @@ -126,10 +125,10 @@ defmodule Pleroma.Web.OAuth.OAuthController do def token_exchange( conn, - %{"grant_type" => "password", "username" => name, "password" => password} = params + %{"grant_type" => "password"} = params ) do - with %App{} = app <- get_app_from_request(conn, params), - %User{} = user <- get_user(name, password), + with {_, {:ok, %User{} = user}} <- {:get_user, Authenticator.get_user(conn)}, + %App{} = app <- get_app_from_request(conn, params), {:auth_active, true} <- {:auth_active, User.auth_active?(user)}, scopes <- oauth_scopes(params, app.scopes), [] <- scopes -- app.scopes, @@ -213,28 +212,4 @@ defmodule Pleroma.Web.OAuth.OAuthController do nil end end - - defp get_user(name, password) do - if Pleroma.Config.get([:ldap, :enabled]) do - case Pleroma.LDAP.get_user(name, password) do - %User{} = user -> - user - - {:error, {:ldap_connection_error, _}} -> - # When LDAP is unavailable, try default login - with %User{} = user <- User.get_by_nickname_or_email(name), - true <- Pbkdf2.checkpw(password, user.password_hash) do - user - end - - error -> - error - end - else - with %User{} = user <- User.get_by_nickname_or_email(name), - true <- Pbkdf2.checkpw(password, user.password_hash) do - user - end - end - end end