From a048ab6d47667f4b412792b39955c46adbcac48b Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Fri, 28 Oct 2022 20:21:43 +1100
Subject: [PATCH] fix(authentication): erroneously escaped group base dn (#4288)

The BaseDN for groups was escaped improperly and failed on any BaseDN with special characters. This fixes the issue.
---
 internal/authentication/ldap_user_provider.go | 31 ++++++++++++-------
 .../ldap_user_provider_startup.go | 2 +-
 .../authentication/ldap_user_provider_test.go | 4 +--
 3 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/internal/authentication/ldap_user_provider.go b/internal/authentication/ldap_user_provider.go
index a4c23a37a..65f635bf7 100644
--- a/internal/authentication/ldap_user_provider.go
+++ b/internal/authentication/ldap_user_provider.go
@@ -126,21 +126,24 @@ func (p *LDAPUserProvider) GetDetails(username string) (details *UserDetails, er
 }
 
 var (
- filter string
 request *ldap.SearchRequest
 result *ldap.SearchResult
 )
 
- if filter, err = p.resolveGroupsFilter(username, profile); err != nil {
- return nil, fmt.Errorf("unable to create group filter for user '%s'. Cause: %w", username, err)
- }
-
 // Search for the users groups.
 request = ldap.NewSearchRequest(
 p.groupsBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
- 0, 0, false, filter, p.groupsAttributes, nil,
+ 0, 0, false, p.resolveGroupsFilter(username, profile), p.groupsAttributes, nil,
 )
 
+ p.log.
+ WithField("base_dn", request.BaseDN).
+ WithField("filter", request.Filter).
+ WithField("attr", request.Attributes).
+ WithField("scope", request.Scope).
+ WithField("deref", request.DerefAliases).
+ Trace("Performing group search")
+
 if result, err = p.search(client, request); err != nil {
 return nil, fmt.Errorf("unable to retrieve groups of user '%s'. Cause: %w", username, err)
 }
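Review bot: The six-line `p.log.WithField(...)...Trace("Performing group search")` chain inserted before the `p.search` call is repeated verbatim in the `getUserProfile` hunk of the same file, differing only in the trace message, so the two sites will drift the first time someone adds or renames a field. A small method on `*LDAPUserProvider` that derives the fields from the `*ldap.SearchRequest` and takes the message as a parameter keeps one definition, with each call site reduced to `p.logSearch(request, "Performing group search")` and `p.logSearch(request, "Performing user search")`. The logged filter embeds the escaped username, so keeping these entries at Trace level, as the hunk does, is the right choice. GetDetails starts and ends outside the hunk.
```go
// logSearch traces the parameters of an LDAP search request before it is sent.
func (p *LDAPUserProvider) logSearch(request *ldap.SearchRequest, msg string) {
	p.log.
		WithField("base_dn", request.BaseDN).
		WithField("filter", request.Filter).
		WithField("attr", request.Attributes).
		WithField("scope", request.Scope).
		WithField("deref", request.DerefAliases).
		Trace(msg)
}

// … unchanged: GetDetails up to the request construction …
	p.logSearch(request, "Performing group search")
// … unchanged: p.search call and error handling …
```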
@@ -318,14 +321,20 @@ func (p *LDAPUserProvider) searchReferrals(request *ldap.SearchRequest, result *
 }
 
 func (p *LDAPUserProvider) getUserProfile(client LDAPClient, username string) (profile *ldapUserProfile, err error) {
- userFilter := p.resolveUsersFilter(username)
-
 // Search for the given username.
 request := ldap.NewSearchRequest(
 p.usersBaseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
- 1, 0, false, userFilter, p.usersAttributes, nil,
+ 1, 0, false, p.resolveUsersFilter(username), p.usersAttributes, nil,
 )
 
+ p.log.
+ WithField("base_dn", request.BaseDN).
+ WithField("filter", request.Filter).
+ WithField("attr", request.Attributes).
+ WithField("scope", request.Scope).
+ WithField("deref", request.DerefAliases).
+ Trace("Performing user search")
+
 var result *ldap.SearchResult
 
 if result, err = p.search(client, request); err != nil {
@@ -398,7 +407,7 @@ func (p *LDAPUserProvider) resolveUsersFilter(username string) (filter string) {
 return filter
 }
 
-func (p *LDAPUserProvider) resolveGroupsFilter(username string, profile *ldapUserProfile) (filter string, err error) { //nolint:unparam
+func (p *LDAPUserProvider) resolveGroupsFilter(username string, profile *ldapUserProfile) (filter string) {
 filter = p.config.GroupsFilter
 
 if p.groupsFilterReplacementInput {
@@ -418,7 +427,7 @@ func (p *LDAPUserProvider) resolveGroupsFilter(username string, profile *ldapUse
 
 p.log.Tracef("Computed groups filter is %s", filter)
 
- return filter, nil
+ return filter
 }
 
 func (p *LDAPUserProvider) modify(client LDAPClient, modifyRequest *ldap.ModifyRequest) (err error) {
diff --git a/internal/authentication/ldap_user_provider_startup.go b/internal/authentication/ldap_user_provider_startup.go
index 2956fd42e..a3a2e760a 100644
--- a/internal/authentication/ldap_user_provider_startup.go
+++ b/internal/authentication/ldap_user_provider_startup.go
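Review bot: The new `resolveGroupsFilter` signature in the `@@ -398,7 +407,7 @@` hunk has no doc comment, and now that the function can no longer fail a reader has nothing stating that the returned filter is already safe to hand to `ldap.NewSearchRequest`; the test in this commit shows the username placeholders are replaced with filter-escaped values, which is the contract worth writing down. A comment above the signature such as `// resolveGroupsFilter builds the group search filter for username from the configured GroupsFilter, replacing its placeholders with filter-escaped values so the result can be used directly in a search request.` would cover it; the `@@ -418,7 +427,7 @@` hunk is the matching return of the same function. The body of resolveGroupsFilter lies between the two hunks and is outside this view, so the exact set of placeholders is not visible here.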
@@ -130,7 +130,7 @@ func (p *LDAPUserProvider) parseDynamicGroupsConfiguration() {
 }
 
 if p.config.AdditionalGroupsDN != "" {
- p.groupsBaseDN = ldap.EscapeFilter(p.config.AdditionalGroupsDN + "," + p.config.BaseDN)
+ p.groupsBaseDN = p.config.AdditionalGroupsDN + "," + p.config.BaseDN
 } else {
 p.groupsBaseDN = p.config.BaseDN
 }
diff --git a/internal/authentication/ldap_user_provider_test.go b/internal/authentication/ldap_user_provider_test.go
index a74e24477..d28d05e9c 100644
--- a/internal/authentication/ldap_user_provider_test.go
+++ b/internal/authentication/ldap_user_provider_test.go
@@ -120,10 +120,10 @@ func TestEscapeSpecialCharsInGroupsFilter(t *testing.T) {
 Emails: []string{"john.doe@authelia.com"},
 }
 
- filter, _ := ldapClient.resolveGroupsFilter("john", &profile)
+ filter := ldapClient.resolveGroupsFilter("john", &profile)
 assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john))", filter)
 
- filter, _ = ldapClient.resolveGroupsFilter("john#=(abc,def)", &profile)
+ filter = ldapClient.resolveGroupsFilter("john#=(abc,def)", &profile)
 assert.Equal(t, "(|(member=cn=john \\28external\\29,dc=example,dc=com)(uid=john)(uid=john\\#\\=\\28abc\\,def\\29))", filter)
 
 }
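Review bot: Nothing on the new line `p.groupsBaseDN = p.config.AdditionalGroupsDN + "," + p.config.BaseDN` records why the `ldap.EscapeFilter` call was dropped, and the unescaped concatenation of two configuration strings is exactly the shape a later reader will be tempted to "fix" by re-adding it, reintroducing this bug. The reason belongs in a comment above the assignment: `// Both values are distinguished names, not filter values: RFC 4515 filter escaping corrupts a DN, and any RFC 4514 escaping of special characters inside an RDN must already be present in the configured strings.` This also documents that the provider trusts the administrator-supplied DN fragments as-is, which is presumably intended but is not stated anywhere in the hunk. parseDynamicGroupsConfiguration starts outside the hunk.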
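Review bot: The two updated assertions in TestEscapeSpecialCharsInGroupsFilter only track the signature change of `resolveGroupsFilter`; the behavioural fix in this commit, `groupsBaseDN` no longer being passed through `ldap.EscapeFilter`, has no test, so the original regression could silently return. A case alongside the startup-configuration tests that sets `AdditionalGroupsDN` to an RDN containing a DN-escaped special character and asserts the joined value is stored unchanged would cover it, for example (constructed values) configuring `AdditionalGroupsDN: "ou=groups\\, team"` with `BaseDN: "dc=example,dc=com"` and asserting `assert.Equal(t, "ou=groups\\, team,dc=example,dc=com", ldapClient.groupsBaseDN)` after the provider is started. The enclosing test function starts outside the hunk.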