Added auth

djthorpe · djthorpe · commit dbecac0f04ea · 2025-05-06T09:29:01.000+02:00
diff --git a/cmd/server/main.go b/cmd/server/main.go
@@ -42,7 +42,10 @@ type CLI struct {
 		auth.AuthCommands
 	} `cmd:""`
 
-	LDAP struct{ ldap.ObjectCommands } `cmd:""`
+	LDAP struct {
+		ldap.ObjectCommands
+		ldap.AuthCommands
+	} `cmd:""`
 
 	VersionCommands
 }
diff --git a/pkg/ldap/client/auth.go b/pkg/ldap/client/auth.go
@@ -0,0 +1,46 @@
+package client
+
+import (
+	"context"
+	"net/http"
+
+	// Packages
+	client "github.com/mutablelogic/go-client"
+	schema "github.com/mutablelogic/go-server/pkg/ldap/schema"
+)
+
+///////////////////////////////////////////////////////////////////////////////
+// PUBLIC METHODS
+
+func (c *Client) Auth(ctx context.Context, dn, password string) (*schema.Object, error) {
+	req, err := client.NewJSONRequest(password)
+	if err != nil {
+		return nil, err
+	}
+
+	// Perform request
+	var response schema.Object
+	if err := c.DoWithContext(ctx, req, &response, client.OptPath("auth", dn)); err != nil {
+		return nil, err
+	}
+
+	// Return the responses
+	return &response, nil
+}
+
+func (c *Client) ChangePassword(ctx context.Context, dn, password string) (*schema.Object, error) {
+	req, err := client.NewJSONRequestEx(http.MethodPut, password, "")
+	if err != nil {
+		return nil, err
+	}
+
+	// Perform request
+	// TODO: Retrieve the new password from the response
+	var response schema.Object
+	if err := c.DoWithContext(ctx, req, &response, client.OptPath("auth", dn)); err != nil {
+		return nil, err
+	}
+
+	// Return the responses
+	return &response, nil
+}
diff --git a/pkg/ldap/cmd/auth.go b/pkg/ldap/cmd/auth.go
@@ -0,0 +1,56 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+
+	// Packages
+	server "github.com/mutablelogic/go-server"
+	client "github.com/mutablelogic/go-server/pkg/ldap/client"
+)
+
+///////////////////////////////////////////////////////////////////////////////
+// TYPES
+
+type AuthCommands struct {
+	Auth           AuthBindCommand           `cmd:"" group:"LDAP" help:"Authenticate user"`
+	ChangePassword AuthChangePasswordCommand `cmd:"" group:"LDAP" help:"Change password"`
+}
+
+type AuthBindCommand struct {
+	ObjectGetCommand
+	Password string `required:"" help:"Password"`
+}
+
+type AuthChangePasswordCommand struct {
+	AuthBindCommand
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// PUBLIC METHODS
+
+func (cmd AuthBindCommand) Run(ctx server.Cmd) error {
+	return run(ctx, func(ctx context.Context, provider *client.Client) error {
+		object, err := provider.Auth(ctx, cmd.DN, cmd.Password)
+		if err != nil {
+			return err
+		}
+
+		// Print object
+		fmt.Println(object)
+		return nil
+	})
+}
+
+func (cmd AuthChangePasswordCommand) Run(ctx server.Cmd) error {
+	return run(ctx, func(ctx context.Context, provider *client.Client) error {
+		object, err := provider.ChangePassword(ctx, cmd.DN, cmd.Password)
+		if err != nil {
+			return err
+		}
+
+		// Print object
+		fmt.Println(object)
+		return nil
+	})
+}
diff --git a/pkg/ldap/handler/auth.go b/pkg/ldap/handler/auth.go
@@ -0,0 +1,64 @@
+package handler
+
+import (
+	"net/http"
+
+	// Packages
+	httprequest "github.com/mutablelogic/go-server/pkg/httprequest"
+	httpresponse "github.com/mutablelogic/go-server/pkg/httpresponse"
+	ldap "github.com/mutablelogic/go-server/pkg/ldap"
+	schema "github.com/mutablelogic/go-server/pkg/ldap/schema"
+)
+
+///////////////////////////////////////////////////////////////////////////////
+// PRIVATE METHODS
+
+func authBind(w http.ResponseWriter, r *http.Request, manager *ldap.Manager, dn string) error {
+	// Get the password from the post body
+	var password string
+	if err := httprequest.Read(r, &password); err != nil {
+		return httpresponse.Error(w, err)
+	}
+
+	// Return error if the password is empty
+	if password == "" {
+		return httpresponse.Error(w, httpresponse.ErrBadRequest.With("missing password"))
+	}
+
+	// Bind the password
+	response, err := manager.Bind(r.Context(), dn, password)
+	if err != nil {
+		return httpresponse.Error(w, err)
+	}
+
+	// Return success
+	return httpresponse.JSON(w, http.StatusOK, httprequest.Indent(r), response)
+}
+
+func authChangePassword(w http.ResponseWriter, r *http.Request, manager *ldap.Manager, dn string) error {
+	// Get the new password from the post body
+	var password string
+	if err := httprequest.Read(r, &password); err != nil {
+		return httpresponse.Error(w, err)
+	}
+
+	// Change the password
+	var response struct {
+		*schema.Object
+		Password string `json:"password,omitempty"`
+	}
+
+	// Set the new password
+	response.Password = password
+
+	// Change the password
+	user, err := manager.ChangePassword(r.Context(), dn, "", &response.Password)
+	if err != nil {
+		return httpresponse.Error(w, err)
+	} else {
+		response.Object = user
+	}
+
+	// Return success
+	return httpresponse.JSON(w, http.StatusOK, httprequest.Indent(r), response)
+}
diff --git a/pkg/ldap/handler/handler.go b/pkg/ldap/handler/handler.go
@@ -17,6 +17,7 @@ import (
 
 func Register(ctx context.Context, router server.HTTPRouter, manager *ldap.Manager) {
 	registerObject(ctx, router, schema.APIPrefix, manager)
+	registerAuth(ctx, router, schema.APIPrefix, manager)
 }
 
 func registerObject(ctx context.Context, router server.HTTPRouter, prefix string, manager *ldap.Manager) {
@@ -54,3 +55,21 @@ func registerObject(ctx context.Context, router server.HTTPRouter, prefix string
 		}
 	})
 }
+
+func registerAuth(ctx context.Context, router server.HTTPRouter, prefix string, manager *ldap.Manager) {
+	router.HandleFunc(ctx, types.JoinPath(prefix, "auth/{dn...}"), func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+		httpresponse.Cors(w, r, router.Origin(), http.MethodPost, http.MethodPut)
+
+		switch r.Method {
+		case http.MethodOptions:
+			_ = httpresponse.Empty(w, http.StatusOK)
+		case http.MethodPost:
+			_ = authBind(w, r, manager, r.PathValue("dn"))
+		case http.MethodPut:
+			_ = authChangePassword(w, r, manager, r.PathValue("dn"))
+		default:
+			_ = httpresponse.Error(w, httpresponse.Err(http.StatusMethodNotAllowed), r.Method)
+		}
+	})
+}
diff --git a/pkg/ldap/manager.go b/pkg/ldap/manager.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"math/rand"
+	"net/http"
 	"net/url"
 	"strconv"
 	"sync"
@@ -348,7 +349,7 @@ func (manager *Manager) Get(ctx context.Context, dn string) (*schema.Object, err
 	}
 
 	// Make absolute DN
-	absdn, err := manager.absdn(dn, manager.dn)
+	absdn, err := manager.absdn(dn)
 	if err != nil {
 		return nil, err
 	}
@@ -385,7 +386,7 @@ func (manager *Manager) Create(ctx context.Context, dn string, attr url.Values)
 	}
 
 	// Make absolute DN
-	absdn, err := manager.absdn(dn, manager.dn)
+	absdn, err := manager.absdn(dn)
 	if err != nil {
 		return nil, err
 	}
@@ -418,7 +419,7 @@ func (manager *Manager) Delete(ctx context.Context, dn string) (*schema.Object,
 	}
 
 	// Make absolute DN
-	absdn, err := manager.absdn(dn, manager.dn)
+	absdn, err := manager.absdn(dn)
 	if err != nil {
 		return nil, err
 	}
@@ -450,19 +451,24 @@ func (manager *Manager) Bind(ctx context.Context, dn, password string) (*schema.
 	}
 
 	// Make absolute DN
-	absdn, err := manager.absdn(dn, manager.dn)
+	absdn, err := manager.absdn(dn)
 	if err != nil {
 		return nil, err
 	}
 
-	// Bind
-	if err := manager.conn.Bind(absdn.String(), password); err != nil {
-		return nil, ldaperr(err)
+	// Bind - which may result in invalid credentials
+	var errs error
+	if err := manager.conn.Bind(absdn.String(), password); ldapErrorCode(err) == ldap.LDAPResultInvalidCredentials {
+		errs = ldaperr(err)
+	} else if err != nil {
+		return nil, err
 	}
 
 	// Rebind with this user
 	if err := ldapBind(manager.conn, manager.User(), manager.pass); err != nil {
-		return nil, ldaperr(err)
+		return nil, errors.Join(errs, ldaperr(err))
+	} else if errs != nil {
+		return nil, errs
 	}
 
 	// Return the user
@@ -487,7 +493,7 @@ func (manager *Manager) ChangePassword(ctx context.Context, dn, old string, new
 	}
 
 	// Make absolute DN
-	absdn, err := manager.absdn(dn, manager.dn)
+	absdn, err := manager.absdn(dn)
 	if err != nil {
 		return nil, err
 	}
@@ -515,7 +521,7 @@ func (manager *Manager) Update(ctx context.Context, dn string, attr url.Values)
 	}
 
 	// Make absolute DN
-	absdn, err := manager.absdn(dn, manager.dn)
+	absdn, err := manager.absdn(dn)
 	if err != nil {
 		return nil, err
 	}
@@ -887,13 +893,15 @@ func ldaperr(err error) error {
 		return httpresponse.ErrNotFound.With(err.Error())
 	case ldap.LDAPResultConstraintViolation:
 		return httpresponse.ErrConflict.With(err.Error())
+	case ldap.LDAPResultUnwillingToPerform:
+		return httpresponse.Err(http.StatusServiceUnavailable).With(err.Error())
 	default:
 		return httpresponse.ErrInternalError.With(err)
 	}
 }
 
 // Make the DN absolute
-func (manager *Manager) absdn(dn string, base *schema.DN) (*schema.DN, error) {
+func (manager *Manager) absdn(dn string) (*schema.DN, error) {
 	rdn, err := schema.NewDN(dn)
 	if err != nil {
 		return nil, httpresponse.ErrBadRequest.Withf("Invalid DN: %v", err.Error())

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`"fmt"`
`8`	`8`	`"io"`
`9`	`9`	`"math/rand"`
	`10`	`+ "net/http"`
`10`	`11`	`"net/url"`
`11`	`12`	`"strconv"`
`12`	`13`	`"sync"`
`@@ -348,7 +349,7 @@ func (manager Manager) Get(ctx context.Context, dn string) (schema.Object, err`
`348`	`349`	`}`
`349`	`350`
`350`	`351`	`// Make absolute DN`
`351`		`- absdn, err := manager.absdn(dn, manager.dn)`
	`352`	`+ absdn, err := manager.absdn(dn)`
`352`	`353`	`if err != nil {`
`353`	`354`	`return nil, err`
`354`	`355`	`}`
`@@ -385,7 +386,7 @@ func (manager *Manager) Create(ctx context.Context, dn string, attr url.Values)`
`385`	`386`	`}`
`386`	`387`
`387`	`388`	`// Make absolute DN`
`388`		`- absdn, err := manager.absdn(dn, manager.dn)`
	`389`	`+ absdn, err := manager.absdn(dn)`
`389`	`390`	`if err != nil {`
`390`	`391`	`return nil, err`
`391`	`392`	`}`
`@@ -418,7 +419,7 @@ func (manager Manager) Delete(ctx context.Context, dn string) (schema.Object,`
`418`	`419`	`}`
`419`	`420`
`420`	`421`	`// Make absolute DN`
`421`		`- absdn, err := manager.absdn(dn, manager.dn)`
	`422`	`+ absdn, err := manager.absdn(dn)`
`422`	`423`	`if err != nil {`
`423`	`424`	`return nil, err`
`424`	`425`	`}`
`@@ -450,19 +451,24 @@ func (manager Manager) Bind(ctx context.Context, dn, password string) (schema.`
`450`	`451`	`}`
`451`	`452`
`452`	`453`	`// Make absolute DN`
`453`		`- absdn, err := manager.absdn(dn, manager.dn)`
	`454`	`+ absdn, err := manager.absdn(dn)`
`454`	`455`	`if err != nil {`
`455`	`456`	`return nil, err`
`456`	`457`	`}`
`457`	`458`
`458`		`- // Bind`
`459`		`- if err := manager.conn.Bind(absdn.String(), password); err != nil {`
`460`		`- return nil, ldaperr(err)`
	`459`	`+ // Bind - which may result in invalid credentials`
	`460`	`+ var errs error`
	`461`	`+ if err := manager.conn.Bind(absdn.String(), password); ldapErrorCode(err) == ldap.LDAPResultInvalidCredentials {`
	`462`	`+ errs = ldaperr(err)`
	`463`	`+ } else if err != nil {`
	`464`	`+ return nil, err`
`461`	`465`	`}`
`462`	`466`
`463`	`467`	`// Rebind with this user`
`464`	`468`	`if err := ldapBind(manager.conn, manager.User(), manager.pass); err != nil {`
`465`		`- return nil, ldaperr(err)`
	`469`	`+ return nil, errors.Join(errs, ldaperr(err))`
	`470`	`+ } else if errs != nil {`
	`471`	`+ return nil, errs`
`466`	`472`	`}`
`467`	`473`
`468`	`474`	`// Return the user`
`@@ -487,7 +493,7 @@ func (manager *Manager) ChangePassword(ctx context.Context, dn, old string, new`
`487`	`493`	`}`
`488`	`494`
`489`	`495`	`// Make absolute DN`
`490`		`- absdn, err := manager.absdn(dn, manager.dn)`
	`496`	`+ absdn, err := manager.absdn(dn)`
`491`	`497`	`if err != nil {`
`492`	`498`	`return nil, err`
`493`	`499`	`}`
`@@ -515,7 +521,7 @@ func (manager *Manager) Update(ctx context.Context, dn string, attr url.Values)`
`515`	`521`	`}`
`516`	`522`
`517`	`523`	`// Make absolute DN`
`518`		`- absdn, err := manager.absdn(dn, manager.dn)`
	`524`	`+ absdn, err := manager.absdn(dn)`
`519`	`525`	`if err != nil {`
`520`	`526`	`return nil, err`
`521`	`527`	`}`
`@@ -887,13 +893,15 @@ func ldaperr(err error) error {`
`887`	`893`	`return httpresponse.ErrNotFound.With(err.Error())`
`888`	`894`	`case ldap.LDAPResultConstraintViolation:`
`889`	`895`	`return httpresponse.ErrConflict.With(err.Error())`
	`896`	`+ case ldap.LDAPResultUnwillingToPerform:`
	`897`	`+ return httpresponse.Err(http.StatusServiceUnavailable).With(err.Error())`
`890`	`898`	`default:`
`891`	`899`	`return httpresponse.ErrInternalError.With(err)`
`892`	`900`	`}`
`893`	`901`	`}`
`894`	`902`
`895`	`903`	`// Make the DN absolute`
`896`		`-func (manager Manager) absdn(dn string, base schema.DN) (*schema.DN, error) {`
	`904`	`+func (manager Manager) absdn(dn string) (schema.DN, error) {`
`897`	`905`	`rdn, err := schema.NewDN(dn)`
`898`	`906`	`if err != nil {`
`899`	`907`	`return nil, httpresponse.ErrBadRequest.Withf("Invalid DN: %v", err.Error())`