Compare commits

..

No commits in common. "593f64d38c329de42558c936d208cb022871e69c" and "cac8ac210cd7fe7c70e9c0ae024b5fa35e942a6c" have entirely different histories.

4 changed files with 235 additions and 2 deletions

View File

@ -2,7 +2,13 @@
let let
secrets = import ./secrets.nix; secrets = import ./secrets.nix;
image = "chocobozzz/peertube:production-bookworm"; ldap = pkgs.buildGoModule rec {
name = "ldap";
src = ./ldap;
vendorHash = "sha256-HlsVCWs7Q4kBAtRpt3U323tRmgWdQxZlpfMZ/cSlw4Q=";
};
image = "chocobozzz/peertube:production-bullseye";
s3cmd = pkgs.writeShellScript "s3cmd" '' s3cmd = pkgs.writeShellScript "s3cmd" ''
${pkgs.s3cmd}/bin/s3cmd \ ${pkgs.s3cmd}/bin/s3cmd \
@ -56,7 +62,24 @@ in {
services.openssh.enable = true; services.openssh.enable = true;
environment.systemPackages = with pkgs; [ vim htop git tmux jq ]; environment.systemPackages = with pkgs; [ vim htop git tmux ];
systemd.services."peertube-ldap" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment = {
AUTH_URL = secrets.peertube.auth.url;
AUTH_SECRET = secrets.peertube.auth.secret;
LDAP_USER = secrets.peertube.ldap.user;
LDAP_PASS = secrets.peertube.ldap.password;
};
serviceConfig = {
Restart = "always";
RestartSec = 30;
ExecStart = "${ldap}/bin/ldap";
User = "peertube";
};
};
services.caddy = { services.caddy = {
enable = true; enable = true;

16
ldap/go.mod Normal file
View File

@ -0,0 +1,16 @@
module code.dumpstack.io/infra/v.lor.sh/ldap
go 1.19
require (
github.com/jackc/pgx/v5 v5.2.0
github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
github.com/vjeantet/ldapserver v1.0.1
)
require (
github.com/jackc/pgpassfile v1.0.0 // indirect
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect
golang.org/x/text v0.3.8 // indirect
)

25
ldap/go.sum Normal file
View File

@ -0,0 +1,25 @@
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b h1:C8S2+VttkHFdOOCXJe+YGfa4vHYwlt4Zx+IVXQ97jYg=
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
github.com/jackc/pgx/v5 v5.2.0 h1:NdPpngX0Y6z6XDFKqmFQaE+bCtkqzvQIOt1wvBlAqs8=
github.com/jackc/pgx/v5 v5.2.0/go.mod h1:Ptn7zmohNsWEsdxRawMzk3gaKma2obW+NWTnKa0S4nk=
github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 h1:wIONC+HMNRqmWBjuMxhatuSzHaljStc4gjDeKycxy0A=
github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3/go.mod h1:37YR9jabpiIxsb8X9VCIx8qFOjTDIIrIHHODa8C4gz0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
github.com/vjeantet/ldapserver v1.0.1 h1:3z+TCXhwwDLJC3pZCNbuECPDqC2x1R7qQQbswB1Qwoc=
github.com/vjeantet/ldapserver v1.0.1/go.mod h1:YvUqhu5vYhmbcLReMLrm/Tq3S7Yj43kSVFvvol6Lh6k=
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM=
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

169
ldap/ldap.go Normal file
View File

@ -0,0 +1,169 @@
package main
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"net/http"
"os"
"os/signal"
"strings"
"syscall"
"github.com/jackc/pgx/v5"
"github.com/lor00x/goldap/message"
ldap "github.com/vjeantet/ldapserver"
)
func auth(username, email, password string) (ruser, remail string, err error) {
var payload struct {
Secret string
Username string
Email string
Password string
}
payload.Secret = os.Getenv("AUTH_SECRET")
payload.Username = username
payload.Email = email
payload.Password = password
raw, err := json.Marshal(payload)
if err != nil {
return
}
body := bytes.NewReader(raw)
req, err := http.NewRequest("POST", os.Getenv("AUTH_URL"), body)
if err != nil {
return
}
req.Header.Set("Content-Type", "application/json")
resp, err := http.DefaultClient.Do(req)
if err != nil {
return
}
defer resp.Body.Close()
var result struct {
Username string
Email string
Error string
}
err = json.NewDecoder(resp.Body).Decode(&result)
if err != nil {
return
}
if result.Error != "" {
err = errors.New(result.Error)
}
ruser = result.Username
remail = result.Email
return
}
func bind(w ldap.ResponseWriter, m *ldap.Message) {
r := m.GetBindRequest()
res := ldap.NewBindResponse(ldap.LDAPResultSuccess)
username := string(r.Name())
password := string(r.AuthenticationSimple())
if username == os.Getenv("LDAP_USER") {
if password == os.Getenv("LDAP_PASS") {
w.Write(res)
return
}
}
if username == "root" {
res.SetResultCode(ldap.LDAPResultInvalidCredentials)
res.SetDiagnosticMessage("root login is disabled")
w.Write(res)
return
}
_, _, err := auth(username, "", password)
if err == nil {
fmt.Println("bind:", username, "ok")
w.Write(res)
return
}
fmt.Println("bind:", username, "incorrect password")
res.SetResultCode(ldap.LDAPResultInvalidCredentials)
res.SetDiagnosticMessage("invalid credentials")
w.Write(res)
}
func updateEmail(username, email string) (err error) {
path := "dbname=" + os.Getenv("DATABASE")
conn, err := pgx.Connect(context.Background(), path)
if err != nil {
return
}
defer conn.Close(context.Background())
query := "update \"user\" set email=$1 where username=$2"
_, err = conn.Exec(context.Background(), query, email, username)
return
}
func search(w ldap.ResponseWriter, m *ldap.Message) {
r := m.GetSearchRequest()
res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
defer w.Write(res)
var username, email string
s := r.FilterString()
s = s[6 : len(s)-1]
if strings.Contains(s, "@") {
username, email, _ = auth("", s, "")
} else {
username, email, _ = auth(s, "", "")
}
if username == "" || email == "" {
fmt.Println("search:", s, "not found")
return
}
fmt.Println("search:", s, "found", username, email)
err := updateEmail(username, email)
if err != nil {
fmt.Println(err)
}
e := ldap.NewSearchResultEntry(username)
e.AddAttribute("uid", message.AttributeValue(username))
e.AddAttribute("mail", message.AttributeValue(email))
w.Write(e)
}
func main() {
ldap.Logger = ldap.DiscardingLogger
server := ldap.NewServer()
routes := ldap.NewRouteMux()
routes.Bind(bind)
routes.Search(search)
server.Handle(routes)
go server.ListenAndServe(":10389")
ch := make(chan os.Signal)
signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
<-ch
close(ch)
server.Stop()
}