Compare commits
No commits in common. "593f64d38c329de42558c936d208cb022871e69c" and "cac8ac210cd7fe7c70e9c0ae024b5fa35e942a6c" have entirely different histories.
593f64d38c
...
cac8ac210c
@ -2,7 +2,13 @@
|
|||||||
let
|
let
|
||||||
secrets = import ./secrets.nix;
|
secrets = import ./secrets.nix;
|
||||||
|
|
||||||
image = "chocobozzz/peertube:production-bookworm";
|
ldap = pkgs.buildGoModule rec {
|
||||||
|
name = "ldap";
|
||||||
|
src = ./ldap;
|
||||||
|
vendorHash = "sha256-HlsVCWs7Q4kBAtRpt3U323tRmgWdQxZlpfMZ/cSlw4Q=";
|
||||||
|
};
|
||||||
|
|
||||||
|
image = "chocobozzz/peertube:production-bullseye";
|
||||||
|
|
||||||
s3cmd = pkgs.writeShellScript "s3cmd" ''
|
s3cmd = pkgs.writeShellScript "s3cmd" ''
|
||||||
${pkgs.s3cmd}/bin/s3cmd \
|
${pkgs.s3cmd}/bin/s3cmd \
|
||||||
@ -56,7 +62,24 @@ in {
|
|||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [ vim htop git tmux jq ];
|
environment.systemPackages = with pkgs; [ vim htop git tmux ];
|
||||||
|
|
||||||
|
systemd.services."peertube-ldap" = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network.target" ];
|
||||||
|
environment = {
|
||||||
|
AUTH_URL = secrets.peertube.auth.url;
|
||||||
|
AUTH_SECRET = secrets.peertube.auth.secret;
|
||||||
|
LDAP_USER = secrets.peertube.ldap.user;
|
||||||
|
LDAP_PASS = secrets.peertube.ldap.password;
|
||||||
|
};
|
||||||
|
serviceConfig = {
|
||||||
|
Restart = "always";
|
||||||
|
RestartSec = 30;
|
||||||
|
ExecStart = "${ldap}/bin/ldap";
|
||||||
|
User = "peertube";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
16
ldap/go.mod
Normal file
16
ldap/go.mod
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
module code.dumpstack.io/infra/v.lor.sh/ldap
|
||||||
|
|
||||||
|
go 1.19
|
||||||
|
|
||||||
|
require (
|
||||||
|
github.com/jackc/pgx/v5 v5.2.0
|
||||||
|
github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3
|
||||||
|
github.com/vjeantet/ldapserver v1.0.1
|
||||||
|
)
|
||||||
|
|
||||||
|
require (
|
||||||
|
github.com/jackc/pgpassfile v1.0.0 // indirect
|
||||||
|
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
|
||||||
|
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect
|
||||||
|
golang.org/x/text v0.3.8 // indirect
|
||||||
|
)
|
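Review bot: The whole LDAP protocol layer this service exposes to clients is pinned to `github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3` and `github.com/vjeantet/ldapserver v1.0.1`, and the pseudo-version date shows the BER/ASN.1 parsing side is a 2018 snapshot; since this sits on the authentication path and parses untrusted input, it is worth confirming both are still maintained and adding `govulncheck ./...` to the build. The `go 1.19` directive only sets the language level, so the actual toolchain and its security fixes come from whatever nixpkgs' `buildGoModule` provides — I can't see that pin from here.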
25
ldap/go.sum
Normal file
25
ldap/go.sum
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
|
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||||
|
github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
|
||||||
|
github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
|
||||||
|
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b h1:C8S2+VttkHFdOOCXJe+YGfa4vHYwlt4Zx+IVXQ97jYg=
|
||||||
|
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b/go.mod h1:vsD4gTJCa9TptPL8sPkXrLZ+hDuNrZCnj29CQpr4X1E=
|
||||||
|
github.com/jackc/pgx/v5 v5.2.0 h1:NdPpngX0Y6z6XDFKqmFQaE+bCtkqzvQIOt1wvBlAqs8=
|
||||||
|
github.com/jackc/pgx/v5 v5.2.0/go.mod h1:Ptn7zmohNsWEsdxRawMzk3gaKma2obW+NWTnKa0S4nk=
|
||||||
|
github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 h1:wIONC+HMNRqmWBjuMxhatuSzHaljStc4gjDeKycxy0A=
|
||||||
|
github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3/go.mod h1:37YR9jabpiIxsb8X9VCIx8qFOjTDIIrIHHODa8C4gz0=
|
||||||
|
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||||
|
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||||
|
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||||
|
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||||
|
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
|
||||||
|
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
|
||||||
|
github.com/vjeantet/ldapserver v1.0.1 h1:3z+TCXhwwDLJC3pZCNbuECPDqC2x1R7qQQbswB1Qwoc=
|
||||||
|
github.com/vjeantet/ldapserver v1.0.1/go.mod h1:YvUqhu5vYhmbcLReMLrm/Tq3S7Yj43kSVFvvol6Lh6k=
|
||||||
|
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM=
|
||||||
|
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
||||||
|
golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
|
||||||
|
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
|
||||||
|
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||||
|
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
|
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
169
ldap/ldap.go
Normal file
169
ldap/ldap.go
Normal file
@ -0,0 +1,169 @@
|
|||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"context"
|
||||||
|
"encoding/json"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"os"
|
||||||
|
"os/signal"
|
||||||
|
"strings"
|
||||||
|
"syscall"
|
||||||
|
|
||||||
|
"github.com/jackc/pgx/v5"
|
||||||
|
"github.com/lor00x/goldap/message"
|
||||||
|
ldap "github.com/vjeantet/ldapserver"
|
||||||
|
)
|
||||||
|
|
||||||
|
func auth(username, email, password string) (ruser, remail string, err error) {
|
||||||
|
var payload struct {
|
||||||
|
Secret string
|
||||||
|
Username string
|
||||||
|
Email string
|
||||||
|
Password string
|
||||||
|
}
|
||||||
|
|
||||||
|
payload.Secret = os.Getenv("AUTH_SECRET")
|
||||||
|
payload.Username = username
|
||||||
|
payload.Email = email
|
||||||
|
payload.Password = password
|
||||||
|
|
||||||
|
raw, err := json.Marshal(payload)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
body := bytes.NewReader(raw)
|
||||||
|
|
||||||
|
req, err := http.NewRequest("POST", os.Getenv("AUTH_URL"), body)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
req.Header.Set("Content-Type", "application/json")
|
||||||
|
|
||||||
|
resp, err := http.DefaultClient.Do(req)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
defer resp.Body.Close()
|
||||||
|
|
||||||
|
var result struct {
|
||||||
|
Username string
|
||||||
|
Email string
|
||||||
|
Error string
|
||||||
|
}
|
||||||
|
|
||||||
|
err = json.NewDecoder(resp.Body).Decode(&result)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if result.Error != "" {
|
||||||
|
err = errors.New(result.Error)
|
||||||
|
}
|
||||||
|
|
||||||
|
ruser = result.Username
|
||||||
|
remail = result.Email
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func bind(w ldap.ResponseWriter, m *ldap.Message) {
|
||||||
|
r := m.GetBindRequest()
|
||||||
|
res := ldap.NewBindResponse(ldap.LDAPResultSuccess)
|
||||||
|
|
||||||
|
username := string(r.Name())
|
||||||
|
password := string(r.AuthenticationSimple())
|
||||||
|
|
||||||
|
if username == os.Getenv("LDAP_USER") {
|
||||||
|
if password == os.Getenv("LDAP_PASS") {
|
||||||
|
w.Write(res)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if username == "root" {
|
||||||
|
res.SetResultCode(ldap.LDAPResultInvalidCredentials)
|
||||||
|
res.SetDiagnosticMessage("root login is disabled")
|
||||||
|
w.Write(res)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
_, _, err := auth(username, "", password)
|
||||||
|
if err == nil {
|
||||||
|
fmt.Println("bind:", username, "ok")
|
||||||
|
w.Write(res)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
fmt.Println("bind:", username, "incorrect password")
|
||||||
|
res.SetResultCode(ldap.LDAPResultInvalidCredentials)
|
||||||
|
res.SetDiagnosticMessage("invalid credentials")
|
||||||
|
w.Write(res)
|
||||||
|
}
|
||||||
|
|
||||||
|
func updateEmail(username, email string) (err error) {
|
||||||
|
path := "dbname=" + os.Getenv("DATABASE")
|
||||||
|
conn, err := pgx.Connect(context.Background(), path)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
defer conn.Close(context.Background())
|
||||||
|
|
||||||
|
query := "update \"user\" set email=$1 where username=$2"
|
||||||
|
_, err = conn.Exec(context.Background(), query, email, username)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func search(w ldap.ResponseWriter, m *ldap.Message) {
|
||||||
|
r := m.GetSearchRequest()
|
||||||
|
res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
|
||||||
|
defer w.Write(res)
|
||||||
|
|
||||||
|
var username, email string
|
||||||
|
|
||||||
|
s := r.FilterString()
|
||||||
|
s = s[6 : len(s)-1]
|
||||||
|
|
||||||
|
if strings.Contains(s, "@") {
|
||||||
|
username, email, _ = auth("", s, "")
|
||||||
|
} else {
|
||||||
|
username, email, _ = auth(s, "", "")
|
||||||
|
}
|
||||||
|
|
||||||
|
if username == "" || email == "" {
|
||||||
|
fmt.Println("search:", s, "not found")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
fmt.Println("search:", s, "found", username, email)
|
||||||
|
|
||||||
|
err := updateEmail(username, email)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Println(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
e := ldap.NewSearchResultEntry(username)
|
||||||
|
e.AddAttribute("uid", message.AttributeValue(username))
|
||||||
|
e.AddAttribute("mail", message.AttributeValue(email))
|
||||||
|
w.Write(e)
|
||||||
|
}
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
ldap.Logger = ldap.DiscardingLogger
|
||||||
|
|
||||||
|
server := ldap.NewServer()
|
||||||
|
|
||||||
|
routes := ldap.NewRouteMux()
|
||||||
|
routes.Bind(bind)
|
||||||
|
routes.Search(search)
|
||||||
|
server.Handle(routes)
|
||||||
|
|
||||||
|
go server.ListenAndServe(":10389")
|
||||||
|
|
||||||
|
ch := make(chan os.Signal)
|
||||||
|
signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
|
||||||
|
<-ch
|
||||||
|
close(ch)
|
||||||
|
|
||||||
|
server.Stop()
|
||||||
|
}
|
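Review bot: In `bind`, a simple bind with a non-empty name and an empty password is forwarded as `auth(username, "", "")`, which is byte-for-byte the call `search` uses as a password-less lookup, so if the AUTH_URL backend answers that lookup without an `Error` field (as `search` relies on it doing) the bind succeeds for any existing account; RFC 4513 §5.1.2 defines name+empty-password as an unauthenticated bind, and it should be rejected locally before `auth()` is called. The service-account check compares LDAP_USER/LDAP_PASS with `==`, which is not constant-time and, if either variable is unset, matches an empty name or password. In `search`, `s[6 : len(s)-1]` panics on any filter shorter than 7 bytes and silently assumes a 6-byte `(attr=` prefix, and the handler never checks that the connection has bound, so anyone who can reach `:10389` (no TLS is configured here) can enumerate usernames/emails and trigger `updateEmail`'s database write from a read operation; the bind-state check depends on what `ldapserver` exposes, which I can't confirm from this file. Separately, the systemd unit in this compare exports AUTH_URL/AUTH_SECRET/LDAP_USER/LDAP_PASS but not DATABASE, so `updateEmail` builds `dbname=` with an empty name unless that is set elsewhere. The fence shows the bind guard and the search length check; `crypto/subtle` needs adding to the imports.
```go
func bind(w ldap.ResponseWriter, m *ldap.Message) {
	r := m.GetBindRequest()
	res := ldap.NewBindResponse(ldap.LDAPResultSuccess)

	username := string(r.Name())
	password := string(r.AuthenticationSimple())

	// RFC 4513 §5.1.2: name + empty password is an unauthenticated bind.
	// Reject it here; auth() treats an empty password as a lookup, not a login.
	if password == "" {
		res.SetResultCode(ldap.LDAPResultInvalidCredentials)
		res.SetDiagnosticMessage("invalid credentials")
		w.Write(res)
		return
	}

	// Service account: constant-time compare, and never match unset secrets.
	svcUser, svcPass := os.Getenv("LDAP_USER"), os.Getenv("LDAP_PASS")
	if svcUser != "" && svcPass != "" &&
		subtle.ConstantTimeCompare([]byte(username), []byte(svcUser)) == 1 &&
		subtle.ConstantTimeCompare([]byte(password), []byte(svcPass)) == 1 {
		w.Write(res)
		return
	}
	// … unchanged: root check, auth() call, failure response …
}

// … unchanged: updateEmail …

func search(w ldap.ResponseWriter, m *ldap.Message) {
	r := m.GetSearchRequest()
	res := ldap.NewSearchResultDoneResponse(ldap.LDAPResultSuccess)
	defer w.Write(res)

	// The slice below assumes a "(attr=value)" filter with a 6-byte prefix;
	// a shorter filter from an untrusted client would otherwise panic here.
	s := r.FilterString()
	if len(s) < 7 {
		fmt.Println("search: malformed filter", s)
		return
	}
	s = s[6 : len(s)-1]
	// … unchanged: lookup, updateEmail, result entry …
}
```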