remove ldap plugin
This commit is contained in:
parent
cac8ac210c
commit
a7b30695da
@ -2,11 +2,6 @@
|
|||||||
let
|
let
|
||||||
secrets = import ./secrets.nix;
|
secrets = import ./secrets.nix;
|
||||||
|
|
||||||
ldap = pkgs.buildGoModule rec {
|
|
||||||
name = "ldap";
|
|
||||||
src = ./ldap;
|
|
||||||
vendorHash = "sha256-HlsVCWs7Q4kBAtRpt3U323tRmgWdQxZlpfMZ/cSlw4Q=";
|
|
||||||
};
|
|
||||||
|
|
||||||
image = "chocobozzz/peertube:production-bullseye";
|
image = "chocobozzz/peertube:production-bullseye";
|
||||||
|
|
||||||
@ -64,22 +59,6 @@ in {
|
|||||||
|
|
||||||
environment.systemPackages = with pkgs; [ vim htop git tmux ];
|
environment.systemPackages = with pkgs; [ vim htop git tmux ];
|
||||||
|
|
||||||
systemd.services."peertube-ldap" = {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "network.target" ];
|
|
||||||
environment = {
|
|
||||||
AUTH_URL = secrets.peertube.auth.url;
|
|
||||||
AUTH_SECRET = secrets.peertube.auth.secret;
|
|
||||||
LDAP_USER = secrets.peertube.ldap.user;
|
|
||||||
LDAP_PASS = secrets.peertube.ldap.password;
|
|
||||||
};
|
|
||||||
serviceConfig = {
|
|
||||||
Restart = "always";
|
|
||||||
RestartSec = 30;
|
|
||||||
ExecStart = "${ldap}/bin/ldap";
|
|
||||||
User = "peertube";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
16
ldap/go.mod
16
ldap/go.mod
@ -1,16 +0,0 @@
|
|||||||
module code.dumpstack.io/infra/v.lor.sh/ldap
|
|
||||||
|
|
||||||
go 1.19
|
|
||||||
|
|
||||||
require (
|
|
||||||
github.com/jackc/pgx/v5 v5.2.0
|
|
||||||
github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
|
|
||||||
github.com/vjeantet/ldapserver v1.0.1
|
|
||||||
)
|
|
||||||
|
|
||||||
require (
|
|
||||||
github.com/jackc/pgpassfile v1.0.0 // indirect
|
|
||||||
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
|
|
||||||
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect
|
|
||||||
golang.org/x/text v0.3.8 // indirect
|
|
||||||
)
|
|
25
ldap/go.sum
25
ldap/go.sum
@ -1,25 +0,0 @@
|
|||||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
|
||||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
|
||||||
github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
|
|
||||||
github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
|
|
||||||
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b h1:C8S2+VttkHFdOOCXJe+YGfa4vHYwlt4Zx+IVXQ97jYg=
|
|
||||||
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
|
|
||||||
github.com/jackc/pgx/v5 v5.2.0 h1:NdPpngX0Y6z6XDFKqmFQaE+bCtkqzvQIOt1wvBlAqs8=
|
|
||||||
github.com/jackc/pgx/v5 v5.2.0/go.mod h1:Ptn7zmohNsWEsdxRawMzk3gaKma2obW+NWTnKa0S4nk=
|
|
||||||
github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 h1:wIONC+HMNRqmWBjuMxhatuSzHaljStc4gjDeKycxy0A=
|
|
||||||
github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3/go.mod h1:37YR9jabpiIxsb8X9VCIx8qFOjTDIIrIHHODa8C4gz0=
|
|
||||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
|
||||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
|
||||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
|
||||||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
|
||||||
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
|
|
||||||
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
|
|
||||||
github.com/vjeantet/ldapserver v1.0.1 h1:3z+TCXhwwDLJC3pZCNbuECPDqC2x1R7qQQbswB1Qwoc=
|
|
||||||
github.com/vjeantet/ldapserver v1.0.1/go.mod h1:YvUqhu5vYhmbcLReMLrm/Tq3S7Yj43kSVFvvol6Lh6k=
|
|
||||||
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM=
|
|
||||||
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
|
||||||
golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
|
|
||||||
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
|
|
||||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
|
||||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
|
||||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
|
169
ldap/ldap.go
169
ldap/ldap.go
@ -1,169 +0,0 @@
|
|||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"bytes"
|
|
||||||
"context"
|
|
||||||
"encoding/json"
|
|
||||||
"errors"
|
|
||||||
"fmt"
|
|
||||||
"net/http"
|
|
||||||
"os"
|
|
||||||
"os/signal"
|
|
||||||
"strings"
|
|
||||||
"syscall"
|
|
||||||
|
|
||||||
"github.com/jackc/pgx/v5"
|
|
||||||
"github.com/lor00x/goldap/message"
|
|
||||||
ldap "github.com/vjeantet/ldapserver"
|
|
||||||
)
|
|
||||||
|
|
||||||
func auth(username, email, password string) (ruser, remail string, err error) {
|
|
||||||
var payload struct {
|
|
||||||
Secret string
|
|
||||||
Username string
|
|
||||||
Email string
|
|
||||||
Password string
|
|
||||||
}
|
|
||||||
|
|
||||||
payload.Secret = os.Getenv("AUTH_SECRET")
|
|
||||||
payload.Username = username
|
|
||||||
payload.Email = email
|
|
||||||
payload.Password = password
|
|
||||||
|
|
||||||
raw, err := json.Marshal(payload)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
body := bytes.NewReader(raw)
|
|
||||||
|
|
||||||
req, err := http.NewRequest("POST", os.Getenv("AUTH_URL"), body)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
req.Header.Set("Content-Type", "application/json")
|
|
||||||
|
|
||||||
resp, err := http.DefaultClient.Do(req)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
defer resp.Body.Close()
|
|
||||||
|
|
||||||
var result struct {
|
|
||||||
Username string
|
|
||||||
Email string
|
|
||||||
Error string
|
|
||||||
}
|
|
||||||
|
|
||||||
err = json.NewDecoder(resp.Body).Decode(&result)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if result.Error != "" {
|
|
||||||
err = errors.New(result.Error)
|
|
||||||
}
|
|
||||||
|
|
||||||
ruser = result.Username
|
|
||||||
remail = result.Email
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func bind(w ldap.ResponseWriter, m *ldap.Message) {
|
|
||||||
r := m.GetBindRequest()
|
|
||||||
res := ldap.NewBindResponse(ldap.LDAPResultSuccess)
|
|
||||||
|
|
||||||
username := string(r.Name())
|
|
||||||
password := string(r.AuthenticationSimple())
|
|
||||||
|
|
||||||
if username == os.Getenv("LDAP_USER") {
|
|
||||||
if password == os.Getenv("LDAP_PASS") {
|
|
||||||
w.Write(res)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if username == "root" {
|
|
||||||
res.SetResultCode(ldap.LDAPResultInvalidCredentials)
|
|
||||||
res.SetDiagnosticMessage("root login is disabled")
|
|
||||||
w.Write(res)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
_, _, err := auth(username, "", password)
|
|
||||||
if err == nil {
|
|
||||||
fmt.Println("bind:", username, "ok")
|
|
||||||
w.Write(res)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
fmt.Println("bind:", username, "incorrect password")
|
|
||||||
res.SetResultCode(ldap.LDAPResultInvalidCredentials)
|
|
||||||
res.SetDiagnosticMessage("invalid credentials")
|
|
||||||
w.Write(res)
|
|
||||||
}
|
|
||||||
|
|
||||||
func updateEmail(username, email string) (err error) {
|
|
||||||
path := "dbname=" + os.Getenv("DATABASE")
|
|
||||||
conn, err := pgx.Connect(context.Background(), path)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
defer conn.Close(context.Background())
|
|
||||||
|
|
||||||
query := "update \"user\" set email=$1 where username=$2"
|
|
||||||
_, err = conn.Exec(context.Background(), query, email, username)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
func search(w ldap.ResponseWriter, m *ldap.Message) {
|
|
||||||
r := m.GetSearchRequest()
|
|
||||||
res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
|
|
||||||
defer w.Write(res)
|
|
||||||
|
|
||||||
var username, email string
|
|
||||||
|
|
||||||
s := r.FilterString()
|
|
||||||
s = s[6 : len(s)-1]
|
|
||||||
|
|
||||||
if strings.Contains(s, "@") {
|
|
||||||
username, email, _ = auth("", s, "")
|
|
||||||
} else {
|
|
||||||
username, email, _ = auth(s, "", "")
|
|
||||||
}
|
|
||||||
|
|
||||||
if username == "" || email == "" {
|
|
||||||
fmt.Println("search:", s, "not found")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
fmt.Println("search:", s, "found", username, email)
|
|
||||||
|
|
||||||
err := updateEmail(username, email)
|
|
||||||
if err != nil {
|
|
||||||
fmt.Println(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
e := ldap.NewSearchResultEntry(username)
|
|
||||||
e.AddAttribute("uid", message.AttributeValue(username))
|
|
||||||
e.AddAttribute("mail", message.AttributeValue(email))
|
|
||||||
w.Write(e)
|
|
||||||
}
|
|
||||||
|
|
||||||
func main() {
|
|
||||||
ldap.Logger = ldap.DiscardingLogger
|
|
||||||
|
|
||||||
server := ldap.NewServer()
|
|
||||||
|
|
||||||
routes := ldap.NewRouteMux()
|
|
||||||
routes.Bind(bind)
|
|
||||||
routes.Search(search)
|
|
||||||
server.Handle(routes)
|
|
||||||
|
|
||||||
go server.ListenAndServe(":10389")
|
|
||||||
|
|
||||||
ch := make(chan os.Signal)
|
|
||||||
signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
|
|
||||||
<-ch
|
|
||||||
close(ch)
|
|
||||||
|
|
||||||
server.Stop()
|
|
||||||
}
|
|
Loading…
Reference in New Issue
Block a user