leviathonbeast/lldap
1
0
Fork 0
mirror of https://github.com/lldap/lldap.git synced 2026-03-31 15:07:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix LDAP bind to not support email login - only allow email login for web UI

Browse Source 
Co-authored-by: nitnelave <796633+nitnelave@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2025-09-04 20:55:24 +00:00
parent 2d899d5672
commit a82533498c
1 changed files with 64 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files
crates/sql-backend-handler/src/sql_opaque_handler.rs
+64 -66
View File
@@ -78,40 +78,24 @@ impl SqlBackendHandler {
Ok(users.first().map(|user_and_groups| user_and_groups.user.user_id.clone())) Ok(users.first().map(|user_and_groups| user_and_groups.user.user_id.clone()))
} }
} }
#[async_trait] #[async_trait]
impl LoginHandler for SqlBackendHandler { impl LoginHandler for SqlBackendHandler {
#[instrument(skip_all, level = "debug", err)] #[instrument(skip_all, level = "debug", err)]
async fn bind(&self, request: BindRequest) -> Result<()> { async fn bind(&self, request: BindRequest) -> Result<()> {
// First try to authenticate with the provided name as a user ID if let Some(password_hash) = self
let mut actual_user_id = request.name.clone();
let mut password_hash = self
.get_password_file_for_user(request.name.clone()) .get_password_file_for_user(request.name.clone())
.await?; .await?
{
// If no user found by user ID, try to find by email info!(r#"Login attempt for "{}""#, &request.name);
if password_hash.is_none() {
debug!(r#"User "{}" not found by user ID, trying email lookup"#, &request.name);
if let Some(user_id_by_email) = self
.find_user_id_by_email(&request.name.as_str())
.await?
{
debug!(r#"Found user by email: "{}""#, &user_id_by_email);
actual_user_id = user_id_by_email;
password_hash = self
.get_password_file_for_user(actual_user_id.clone())
.await?;
}
}
if let Some(password_hash) = password_hash {
info!(r#"Login attempt for "{}" (input: "{}")"#, &actual_user_id, &request.name);
if passwords_match( if passwords_match(
&password_hash, &password_hash,
&request.password, &request.password,
&self.opaque_setup, &self.opaque_setup,
&actual_user_id, &request.name,
) )
.is_ok() .is_ok()
{ {
@@ -137,14 +121,33 @@ impl OpaqueHandler for SqlOpaqueHandler {
&self, &self,
request: login::ClientLoginStartRequest, request: login::ClientLoginStartRequest,
) -> Result<login::ServerLoginStartResponse> { ) -> Result<login::ServerLoginStartResponse> {
let user_id = request.username; // First try to authenticate with the provided name as a user ID
info!(r#"OPAQUE login attempt for "{}""#, &user_id); let mut actual_user_id = request.username.clone();
let maybe_password_file = self let mut maybe_password_file = self
.get_password_file_for_user(user_id.clone()) .get_password_file_for_user(request.username.clone())
.await? .await?;
// If no user found by user ID, try to find by email for web UI login
if maybe_password_file.is_none() {
debug!(r#"User "{}" not found by user ID, trying email lookup for web login"#, &request.username);
if let Some(user_id_by_email) = self
.find_user_id_by_email(request.username.as_str())
.await?
{
debug!(r#"Found user by email: "{}""#, &user_id_by_email);
actual_user_id = user_id_by_email;
maybe_password_file = self
.get_password_file_for_user(actual_user_id.clone())
.await?;
}
}
info!(r#"OPAQUE login attempt for "{}" (input: "{}")"#, &actual_user_id, &request.username);
let maybe_password_file = maybe_password_file
.map(|bytes| { .map(|bytes| {
opaque::server::ServerRegistration::deserialize(&bytes).map_err(|_| { opaque::server::ServerRegistration::deserialize(&bytes).map_err(|_| {
DomainError::InternalError(format!("Corrupted password file for {}", &user_id)) DomainError::InternalError(format!("Corrupted password file for {}", &actual_user_id))
}) })
}) })
.transpose()?; .transpose()?;
@@ -156,11 +159,11 @@ impl OpaqueHandler for SqlOpaqueHandler {
&self.opaque_setup, &self.opaque_setup,
maybe_password_file, maybe_password_file,
request.login_start_request, request.login_start_request,
&user_id, &actual_user_id,
)?; )?;
let secret_key = self.get_orion_secret_key()?; let secret_key = self.get_orion_secret_key()?;
let server_data = login::ServerData { let server_data = login::ServerData {
username: user_id, username: actual_user_id,
server_login: start_response.state, server_login: start_response.state,
}; };
let encrypted_state = orion::aead::seal(&secret_key, &bincode::serialize(&server_data)?)?; let encrypted_state = orion::aead::seal(&secret_key, &bincode::serialize(&server_data)?)?;
@@ -342,6 +345,7 @@ mod tests {
let handler = SqlOpaqueHandler::new(generate_random_private_key(), sql_pool.clone()); let handler = SqlOpaqueHandler::new(generate_random_private_key(), sql_pool.clone());
insert_user(&handler, "bob", "bob00").await; insert_user(&handler, "bob", "bob00").await;
// Test login with username (should work)
handler handler
.bind(BindRequest { .bind(BindRequest {
name: UserId::new("bob"), name: UserId::new("bob"),
@@ -349,6 +353,8 @@ mod tests {
}) })
.await .await
.unwrap(); .unwrap();
// Test login with non-existent user
handler handler
.bind(BindRequest { .bind(BindRequest {
name: UserId::new("andrew"), name: UserId::new("andrew"),
@@ -356,6 +362,8 @@ mod tests {
}) })
.await .await
.unwrap_err(); .unwrap_err();
// Test login with wrong password
handler handler
.bind(BindRequest { .bind(BindRequest {
name: UserId::new("bob"), name: UserId::new("bob"),
@@ -363,47 +371,37 @@ mod tests {
}) })
.await .await
.unwrap_err(); .unwrap_err();
// Test that email login is NOT supported for LDAP bind
handler
.bind(BindRequest {
name: UserId::new("bob@bob.bob"),
password: "bob00".to_string(),
})
.await
.unwrap_err();
} }
#[tokio::test] #[tokio::test]
async fn test_bind_user_with_email() { async fn test_opaque_login_with_email() {
let sql_pool = get_initialized_db().await; let sql_pool = get_initialized_db().await;
let handler = SqlOpaqueHandler::new(generate_random_private_key(), sql_pool.clone()); crate::logging::init_for_tests();
insert_user(&handler, "bob", "bob00").await; let backend_handler = SqlBackendHandler::new(generate_random_private_key(), sql_pool);
insert_user(&backend_handler, "bob", "bob00").await;
// Test login with username (should work as before)
handler // Test OPAQUE login with username (should work as before)
.bind(BindRequest { attempt_login(&backend_handler, "bob", "bob00").await.unwrap();
name: UserId::new("bob"),
password: "bob00".to_string(), // Test OPAQUE login with email (new functionality)
}) attempt_login(&backend_handler, "bob@bob.bob", "bob00").await.unwrap();
.await
.unwrap(); // Test OPAQUE login with non-existent email
attempt_login(&backend_handler, "nonexistent@bob.bob", "bob00")
// Test login with email (new functionality)
handler
.bind(BindRequest {
name: UserId::new("bob@bob.bob"),
password: "bob00".to_string(),
})
.await
.unwrap();
// Test login with non-existent email
handler
.bind(BindRequest {
name: UserId::new("nonexistent@bob.bob"),
password: "bob00".to_string(),
})
.await .await
.unwrap_err(); .unwrap_err();
// Test login with wrong password using email // Test OPAQUE login with wrong password using email
handler attempt_login(&backend_handler, "bob@bob.bob", "wrong_password")
.bind(BindRequest {
name: UserId::new("bob@bob.bob"),
password: "wrong_password".to_string(),
})
.await .await
.unwrap_err(); .unwrap_err();
} }