2015-07-15 10:08:23 +02:00
|
|
|
package login
|
2015-07-10 11:10:48 +02:00
|
|
|
|
|
|
|
|
import (
|
2015-07-16 11:57:59 +02:00
|
|
|
"crypto/tls"
|
2015-07-13 14:23:59 +02:00
|
|
|
"errors"
|
2015-07-10 11:10:48 +02:00
|
|
|
"fmt"
|
2015-07-14 17:35:11 +02:00
|
|
|
"strings"
|
2015-07-10 11:10:48 +02:00
|
|
|
|
2015-07-15 10:08:23 +02:00
|
|
|
"github.com/davecgh/go-spew/spew"
|
2015-07-10 11:10:48 +02:00
|
|
|
"github.com/go-ldap/ldap"
|
2015-07-13 16:45:47 +02:00
|
|
|
"github.com/grafana/grafana/pkg/bus"
|
2015-07-10 11:10:48 +02:00
|
|
|
"github.com/grafana/grafana/pkg/log"
|
2015-07-13 16:45:47 +02:00
|
|
|
m "github.com/grafana/grafana/pkg/models"
|
2015-07-10 11:10:48 +02:00
|
|
|
)
|
|
|
|
|
|
2015-07-13 14:23:59 +02:00
|
|
|
type ldapAuther struct {
|
2015-07-14 10:20:21 +02:00
|
|
|
server *LdapServerConf
|
2015-07-13 14:23:59 +02:00
|
|
|
conn *ldap.Conn
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-14 10:20:21 +02:00
|
|
|
func NewLdapAuthenticator(server *LdapServerConf) *ldapAuther {
|
|
|
|
|
return &ldapAuther{server: server}
|
2015-07-13 14:23:59 +02:00
|
|
|
}
|
2015-07-10 11:10:48 +02:00
|
|
|
|
2015-07-13 14:23:59 +02:00
|
|
|
func (a *ldapAuther) Dial() error {
|
2015-07-15 10:08:23 +02:00
|
|
|
address := fmt.Sprintf("%s:%d", a.server.Host, a.server.Port)
|
2015-07-13 14:23:59 +02:00
|
|
|
var err error
|
|
|
|
|
if a.server.UseSSL {
|
2015-07-16 11:57:59 +02:00
|
|
|
tlsCfg := &tls.Config{
|
|
|
|
|
InsecureSkipVerify: a.server.SkipVerifySSL,
|
|
|
|
|
ServerName: a.server.CertServerName,
|
|
|
|
|
}
|
|
|
|
|
a.conn, err = ldap.DialTLS("tcp", address, tlsCfg)
|
2015-07-13 14:23:59 +02:00
|
|
|
} else {
|
|
|
|
|
a.conn, err = ldap.Dial("tcp", address)
|
|
|
|
|
}
|
2015-07-10 11:10:48 +02:00
|
|
|
|
2015-07-13 14:23:59 +02:00
|
|
|
return err
|
|
|
|
|
}
|
2015-07-10 11:10:48 +02:00
|
|
|
|
2015-07-15 10:08:23 +02:00
|
|
|
func (a *ldapAuther) login(query *LoginUserQuery) error {
|
2015-07-13 14:23:59 +02:00
|
|
|
if err := a.Dial(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
defer a.conn.Close()
|
|
|
|
|
|
2015-07-13 15:37:11 +02:00
|
|
|
// perform initial authentication
|
|
|
|
|
if err := a.initialBind(query.Username, query.Password); err != nil {
|
2015-07-10 11:10:48 +02:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-13 15:37:11 +02:00
|
|
|
// find user entry & attributes
|
2015-07-13 16:45:47 +02:00
|
|
|
if ldapUser, err := a.searchForUser(query.Username); err != nil {
|
2015-07-10 15:29:34 +02:00
|
|
|
return err
|
2015-07-13 15:37:11 +02:00
|
|
|
} else {
|
2015-07-15 10:08:23 +02:00
|
|
|
if ldapCfg.VerboseLogging {
|
|
|
|
|
log.Info("Ldap User Info: %s", spew.Sdump(ldapUser))
|
|
|
|
|
}
|
2015-07-13 16:45:47 +02:00
|
|
|
|
2015-07-14 17:35:11 +02:00
|
|
|
// check if a second user bind is needed
|
|
|
|
|
if a.server.BindPassword != "" {
|
|
|
|
|
if err := a.secondBind(ldapUser, query.Password); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-13 16:45:47 +02:00
|
|
|
if grafanaUser, err := a.getGrafanaUserFor(ldapUser); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
} else {
|
2015-07-14 14:29:07 +02:00
|
|
|
// sync org roles
|
|
|
|
|
if err := a.syncOrgRoles(grafanaUser, ldapUser); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2015-07-13 16:45:47 +02:00
|
|
|
query.User = grafanaUser
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ldapAuther) getGrafanaUserFor(ldapUser *ldapUserInfo) (*m.User, error) {
|
2015-07-14 10:20:21 +02:00
|
|
|
// validate that the user has access
|
2015-07-14 15:46:11 +02:00
|
|
|
// if there are no ldap group mappings access is true
|
|
|
|
|
// otherwise a single group must match
|
|
|
|
|
access := len(a.server.LdapGroups) == 0
|
2015-07-14 10:20:21 +02:00
|
|
|
for _, ldapGroup := range a.server.LdapGroups {
|
|
|
|
|
if ldapUser.isMemberOf(ldapGroup.GroupDN) {
|
|
|
|
|
access = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !access {
|
|
|
|
|
log.Info("Ldap Auth: user %s does not belong in any of the specified ldap groups", ldapUser.Username)
|
|
|
|
|
return nil, ErrInvalidCredentials
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-13 16:45:47 +02:00
|
|
|
// get user from grafana db
|
|
|
|
|
userQuery := m.GetUserByLoginQuery{LoginOrEmail: ldapUser.Username}
|
|
|
|
|
if err := bus.Dispatch(&userQuery); err != nil {
|
|
|
|
|
if err == m.ErrUserNotFound {
|
|
|
|
|
return a.createGrafanaUser(ldapUser)
|
2015-07-14 10:20:21 +02:00
|
|
|
} else {
|
|
|
|
|
return nil, err
|
2015-07-13 16:45:47 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return userQuery.Result, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *ldapAuther) createGrafanaUser(ldapUser *ldapUserInfo) (*m.User, error) {
|
|
|
|
|
cmd := m.CreateUserCommand{
|
|
|
|
|
Login: ldapUser.Username,
|
|
|
|
|
Email: ldapUser.Email,
|
|
|
|
|
Name: fmt.Sprintf("%s %s", ldapUser.FirstName, ldapUser.LastName),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := bus.Dispatch(&cmd); err != nil {
|
|
|
|
|
return nil, err
|
2015-07-10 15:29:34 +02:00
|
|
|
}
|
|
|
|
|
|
2015-07-13 16:45:47 +02:00
|
|
|
return &cmd.Result, nil
|
2015-07-13 15:37:11 +02:00
|
|
|
}
|
|
|
|
|
|
2015-07-14 14:29:07 +02:00
|
|
|
func (a *ldapAuther) syncOrgRoles(user *m.User, ldapUser *ldapUserInfo) error {
|
2015-07-14 15:46:11 +02:00
|
|
|
if len(a.server.LdapGroups) == 0 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
orgsQuery := m.GetUserOrgListQuery{UserId: user.Id}
|
|
|
|
|
if err := bus.Dispatch(&orgsQuery); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// remove or update org roles
|
|
|
|
|
for _, org := range orgsQuery.Result {
|
|
|
|
|
for _, group := range a.server.LdapGroups {
|
2015-07-14 16:42:55 +02:00
|
|
|
if org.OrgId != group.OrgId {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ldapUser.isMemberOf(group.GroupDN) {
|
2015-07-14 15:46:11 +02:00
|
|
|
if org.Role != group.OrgRole {
|
|
|
|
|
// update role
|
2015-07-14 16:42:55 +02:00
|
|
|
cmd := m.UpdateOrgUserCommand{OrgId: org.OrgId, UserId: user.Id, Role: group.OrgRole}
|
|
|
|
|
if err := bus.Dispatch(&cmd); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2015-07-14 15:46:11 +02:00
|
|
|
}
|
2015-07-15 10:08:23 +02:00
|
|
|
// ignore subsequent ldap group mapping matches
|
|
|
|
|
break
|
2015-07-14 15:46:11 +02:00
|
|
|
} else {
|
|
|
|
|
// remove role
|
2015-07-14 16:42:55 +02:00
|
|
|
cmd := m.RemoveOrgUserCommand{OrgId: org.OrgId, UserId: user.Id}
|
|
|
|
|
if err := bus.Dispatch(&cmd); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2015-07-14 15:46:11 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-14 16:42:55 +02:00
|
|
|
// add missing org roles
|
2015-07-14 15:46:11 +02:00
|
|
|
for _, group := range a.server.LdapGroups {
|
|
|
|
|
if !ldapUser.isMemberOf(group.GroupDN) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
match := false
|
|
|
|
|
for _, org := range orgsQuery.Result {
|
|
|
|
|
if group.OrgId == org.OrgId {
|
|
|
|
|
match = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !match {
|
|
|
|
|
// add role
|
|
|
|
|
cmd := m.AddOrgUserCommand{UserId: user.Id, Role: group.OrgRole, OrgId: group.OrgId}
|
|
|
|
|
if err := bus.Dispatch(&cmd); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-14 14:29:07 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-14 17:35:11 +02:00
|
|
|
func (a *ldapAuther) secondBind(ldapUser *ldapUserInfo, userPassword string) error {
|
|
|
|
|
if err := a.conn.Bind(ldapUser.DN, userPassword); err != nil {
|
|
|
|
|
if ldapErr, ok := err.(*ldap.Error); ok {
|
|
|
|
|
if ldapErr.ResultCode == 49 {
|
|
|
|
|
return ErrInvalidCredentials
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-13 15:37:11 +02:00
|
|
|
func (a *ldapAuther) initialBind(username, userPassword string) error {
|
|
|
|
|
if a.server.BindPassword != "" {
|
|
|
|
|
userPassword = a.server.BindPassword
|
2015-07-13 14:23:59 +02:00
|
|
|
}
|
2015-07-10 15:29:34 +02:00
|
|
|
|
2015-07-14 17:35:11 +02:00
|
|
|
bindPath := a.server.BindDN
|
|
|
|
|
if strings.Contains(bindPath, "%s") {
|
|
|
|
|
bindPath = fmt.Sprintf(a.server.BindDN, username)
|
|
|
|
|
}
|
2015-07-13 15:37:11 +02:00
|
|
|
|
|
|
|
|
if err := a.conn.Bind(bindPath, userPassword); err != nil {
|
|
|
|
|
if ldapErr, ok := err.(*ldap.Error); ok {
|
|
|
|
|
if ldapErr.ResultCode == 49 {
|
|
|
|
|
return ErrInvalidCredentials
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return err
|
2015-07-10 15:29:34 +02:00
|
|
|
}
|
|
|
|
|
|
2015-07-13 15:37:11 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
2015-07-13 14:23:59 +02:00
|
|
|
|
2015-07-13 15:37:11 +02:00
|
|
|
func (a *ldapAuther) searchForUser(username string) (*ldapUserInfo, error) {
|
|
|
|
|
var searchResult *ldap.SearchResult
|
|
|
|
|
var err error
|
2015-07-13 14:23:59 +02:00
|
|
|
|
2015-07-13 15:37:11 +02:00
|
|
|
for _, searchBase := range a.server.SearchBaseDNs {
|
|
|
|
|
searchReq := ldap.SearchRequest{
|
|
|
|
|
BaseDN: searchBase,
|
|
|
|
|
Scope: ldap.ScopeWholeSubtree,
|
|
|
|
|
DerefAliases: ldap.NeverDerefAliases,
|
|
|
|
|
Attributes: []string{
|
2015-07-15 10:08:23 +02:00
|
|
|
a.server.Attr.Username,
|
|
|
|
|
a.server.Attr.Surname,
|
|
|
|
|
a.server.Attr.Email,
|
|
|
|
|
a.server.Attr.Name,
|
|
|
|
|
a.server.Attr.MemberOf,
|
2015-07-13 15:37:11 +02:00
|
|
|
},
|
|
|
|
|
Filter: fmt.Sprintf(a.server.SearchFilter, username),
|
|
|
|
|
}
|
2015-07-10 11:10:48 +02:00
|
|
|
|
2015-07-13 15:37:11 +02:00
|
|
|
searchResult, err = a.conn.Search(&searchReq)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(searchResult.Entries) > 0 {
|
|
|
|
|
break
|
2015-07-10 11:10:48 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-13 15:37:11 +02:00
|
|
|
if len(searchResult.Entries) == 0 {
|
2015-07-15 10:08:23 +02:00
|
|
|
return nil, ErrInvalidCredentials
|
2015-07-13 15:37:11 +02:00
|
|
|
}
|
2015-07-10 11:10:48 +02:00
|
|
|
|
2015-07-13 15:37:11 +02:00
|
|
|
if len(searchResult.Entries) > 1 {
|
2015-07-15 10:08:23 +02:00
|
|
|
return nil, errors.New("Ldap search matched more than one entry, please review your filter setting")
|
2015-07-13 15:37:11 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &ldapUserInfo{
|
2015-07-14 17:35:11 +02:00
|
|
|
DN: searchResult.Entries[0].DN,
|
2015-07-15 10:08:23 +02:00
|
|
|
LastName: getLdapAttr(a.server.Attr.Surname, searchResult),
|
|
|
|
|
FirstName: getLdapAttr(a.server.Attr.Name, searchResult),
|
|
|
|
|
Username: getLdapAttr(a.server.Attr.Username, searchResult),
|
|
|
|
|
Email: getLdapAttr(a.server.Attr.Email, searchResult),
|
|
|
|
|
MemberOf: getLdapAttrArray(a.server.Attr.MemberOf, searchResult),
|
2015-07-13 15:37:11 +02:00
|
|
|
}, nil
|
2015-07-10 11:10:48 +02:00
|
|
|
}
|
2015-07-10 15:29:34 +02:00
|
|
|
|
2015-07-13 14:23:59 +02:00
|
|
|
func getLdapAttr(name string, result *ldap.SearchResult) string {
|
|
|
|
|
for _, attr := range result.Entries[0].Attributes {
|
|
|
|
|
if attr.Name == name {
|
|
|
|
|
if len(attr.Values) > 0 {
|
|
|
|
|
return attr.Values[0]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getLdapAttrArray(name string, result *ldap.SearchResult) []string {
|
|
|
|
|
for _, attr := range result.Entries[0].Attributes {
|
|
|
|
|
if attr.Name == name {
|
|
|
|
|
return attr.Values
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return []string{}
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-10 15:29:34 +02:00
|
|
|
func createUserFromLdapInfo() error {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
