From 26798cdf3ab2b5a404419d07095f040a88b89b71 Mon Sep 17 00:00:00 2001
From: Clement Michaud
Date: Sun, 8 Dec 2019 23:21:55 +0100
Subject: [PATCH] Add a check for enclosing parenthesis in LDAP users and groups filters.
---
 internal/configuration/validator/authentication.go | 9 +++++++++
 .../configuration/validator/authentication_test.go | 14 ++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/internal/configuration/validator/authentication.go b/internal/configuration/validator/authentication.go
index 8b8969e64..e3f1e5618 100644
--- a/internal/configuration/validator/authentication.go
+++ b/internal/configuration/validator/authentication.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "fmt"
 "net/url"
+ "strings"
 "github.com/clems4ever/authelia/internal/configuration/schema"
 )
@@ -66,10 +67,18 @@ func validateLdapAuthenticationBackend(configuration *schema.LDAPAuthenticationB
 configuration.UsersFilter = "(cn={0})"
 }
+ if !strings.HasPrefix(configuration.UsersFilter, "(") || !strings.HasSuffix(configuration.UsersFilter, ")") {
+ validator.Push(errors.New("The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"))
+ }
+
 if configuration.GroupsFilter == "" {
 configuration.GroupsFilter = "(member={dn})"
 }
+ if !strings.HasPrefix(configuration.GroupsFilter, "(") || !strings.HasSuffix(configuration.GroupsFilter, ")") {
+ validator.Push(errors.New("The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"))
+ }
+
 if configuration.GroupNameAttribute == "" {
 configuration.GroupNameAttribute = "cn"
 }
diff --git a/internal/configuration/validator/authentication_test.go b/internal/configuration/validator/authentication_test.go
index 0b9b40b65..c0a97e518 100644
--- a/internal/configuration/validator/authentication_test.go
+++ b/internal/configuration/validator/authentication_test.go
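Review bot: The groups-filter message at the second added `validator.Push` reuses the users-filter example (`cn={0} should be (cn={0})`) even though the default set a few lines above is `(member={dn})`; `errors.New("The groups filter should contain enclosing parenthesis. For instance member={dn} should be (member={dn})")` would show the operator the value they are actually editing. The prefix/suffix test is only a shape hint: a value such as `(cn={0})(objectClass=person)` or one with unbalanced inner parentheses still passes it, so a comment like `// Only the outer parentheses are checked here; the filter is not parsed.` above the first added `if` would stop later readers from taking this for filter validation. The same two-line check is duplicated for both filters and could be a small helper taking the filter and the field name. validateLdapAuthenticationBackend starts before this hunk and continues after it.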
@@ -120,6 +120,20 @@ func (suite *LdapAuthenticationBackendSuite) TestShouldSetDefaultMailAttribute()
 assert.Equal(suite.T(), "mail", suite.configuration.Ldap.MailAttribute)
 }
+func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenUsersFilterDoesNotContainEnclosingParenthesis() {
+ suite.configuration.Ldap.UsersFilter = "cn={0}"
+ ValidateAuthenticationBackend(&suite.configuration, suite.validator)
+ assert.Len(suite.T(), suite.validator.Errors(), 1)
+ assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")
+}
+
+func (suite *LdapAuthenticationBackendSuite) TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis() {
+ suite.configuration.Ldap.UsersFilter = "cn={0}"
+ ValidateAuthenticationBackend(&suite.configuration, suite.validator)
+ assert.Len(suite.T(), suite.validator.Errors(), 1)
+ assert.EqualError(suite.T(), suite.validator.Errors()[0], "The users filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})")
+}
+
 func (suite *LdapAuthenticationBackendSuite) TestShouldAdaptLDAPURL() {
 assert.Equal(suite.T(), "", validateLdapURL("127.0.0.1", suite.validator))
 require.Len(suite.T(), suite.validator.Errors(), 1)
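Review bot: TestShouldRaiseWhenGroupsFilterDoesNotContainEnclosingParenthesis is a copy of the users test and never touches the groups filter: it sets `suite.configuration.Ldap.UsersFilter = "cn={0}"` and expects the users message, so the new groups check in authentication.go has no coverage. It should set `suite.configuration.Ldap.GroupsFilter = "member={dn}"` and expect `"The groups filter should contain enclosing parenthesis. For instance cn={0} should be (cn={0})"`, the message as the patch currently words it. Both tests also assert `assert.Len(suite.T(), suite.validator.Errors(), 1)` and then index `Errors()[0]`, which presumably relies on the suite's default configuration passing every other validation; worth confirming so that an unrelated error does not surface here as a misleading mismatch.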