pleroma/lib/pleroma/ldap.ex

defmodule Pleroma.LDAP do
  use GenServer

  require Logger

  alias Pleroma.Config
  alias Pleroma.User

  import Pleroma.Web.Auth.Helpers, only: [fetch_user: 1]

  @connection_timeout 2_000
  @search_timeout 2_000

  def start_link(_) do
    GenServer.start_link(__MODULE__, [], name: __MODULE__)
  end

  @impl true
  def init(state) do
    case {Config.get(Pleroma.Web.Auth.Authenticator), Config.get([:ldap, :enabled])} do
      {Pleroma.Web.Auth.LDAPAuthenticator, true} ->
        {:ok, state, {:continue, :connect}}

      {Pleroma.Web.Auth.LDAPAuthenticator, false} ->
        Logger.error(
          "LDAP Authenticator enabled but :pleroma, :ldap is not enabled. Auth will not work."
        )

        {:ok, state}

      {_, true} ->
        Logger.warning(
          ":pleroma, :ldap is enabled but Pleroma.Web.Authenticator is not set to the LDAPAuthenticator. LDAP will not be used."
        )

        {:ok, state}

      _ ->
        {:ok, state}
    end
  end

  @impl true
  def handle_continue(:connect, _state), do: do_handle_connect()

  @impl true
  def handle_info(:connect, _state), do: do_handle_connect()

  def handle_info({:bind_after_reconnect, name, password, from}, state) do
    result = bind_user(state[:handle], name, password)

    GenServer.reply(from, result)

    {:noreply, state}
  end

  defp do_handle_connect do
    state =
      case connect() do
        {:ok, handle} ->
          :eldap.controlling_process(handle, self())
          Process.link(handle)
          [handle: handle]

        _ ->
          Logger.error("Failed to connect to LDAP. Retrying in 5000ms")
          Process.send_after(self(), :connect, 5_000)
          []
      end

    {:noreply, state}
  end

  @impl true
  def handle_call({:bind_user, name, password}, from, state) do
    case bind_user(state[:handle], name, password) do
      :needs_reconnect ->
        Process.send(self(), {:bind_after_reconnect, name, password, from}, [])
        {:noreply, state, {:continue, :connect}}

      result ->
        {:reply, result, state, :hibernate}
    end
  end

  @impl true
  def terminate(_, state) do
    handle = Keyword.get(state, :handle)

    if not is_nil(handle) do
      :eldap.close(handle)
    end

    :ok
  end

  def bind_user(name, password) do
    GenServer.call(__MODULE__, {:bind_user, name, password})
  end

  defp connect do
    ldap = Config.get(:ldap, [])
    host = Keyword.get(ldap, :host, "localhost")
    port = Keyword.get(ldap, :port, 389)
    ssl = Keyword.get(ldap, :ssl, false)
    tls = Keyword.get(ldap, :tls, false)
    cacertfile = Keyword.get(ldap, :cacertfile) || CAStore.file_path()

    if ssl, do: Application.ensure_all_started(:ssl)

    default_secure_opts = [
      verify: :verify_peer,
      cacerts: decode_certfile(cacertfile),
      customize_hostname_check: [
        fqdn_fun: fn _ -> to_charlist(host) end
      ]
    ]

    sslopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :sslopts, []))
    tlsopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :tlsopts, []))

    default_options = [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}]

    # :sslopts can only be included in :eldap.open/2 when {ssl: true}
    # or the connection will fail
    options =
      if ssl do
        default_options ++ [{:sslopts, sslopts}]
      else
        default_options
      end

    case :eldap.open([to_charlist(host)], options) do
      {:ok, handle} ->
        try do
          cond do
            tls ->
              case :eldap.start_tls(
                     handle,
                     tlsopts,
                     @connection_timeout
                   ) do
                :ok ->
                  {:ok, handle}

                error ->
                  Logger.error("Could not start TLS: #{inspect(error)}")
                  :eldap.close(handle)
              end

            true ->
              {:ok, handle}
          end
        after
          :ok
        end

      {:error, error} ->
        Logger.error("Could not open LDAP connection: #{inspect(error)}")
        {:error, {:ldap_connection_error, error}}
    end
  end

  defp bind_user(handle, name, password) do
    uid = Config.get([:ldap, :uid], "cn")
    base = Config.get([:ldap, :base])

    case :eldap.simple_bind(handle, "#{uid}=#{name},#{base}", password) do
      :ok ->
        case fetch_user(name) do
          %User{} = user ->
            user

          _ ->
            register_user(handle, base, uid, name)
        end

      # eldap does not inform us of socket closure
      # until it is used
      {:error, {:gen_tcp_error, :closed}} ->
        :eldap.close(handle)
        :needs_reconnect

      {:error, error} = e ->
        Logger.error("Could not bind LDAP user #{name}: #{inspect(error)}")
        e
    end
  end

  defp register_user(handle, base, uid, name) do
    case :eldap.search(handle, [
           {:base, to_charlist(base)},
           {:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))},
           {:scope, :eldap.wholeSubtree()},
           {:timeout, @search_timeout}
         ]) do
      # The :eldap_search_result record structure changed in OTP 24.3 and added a controls field
      # https://github.com/erlang/otp/pull/5538
      {:ok, {:eldap_search_result, [{:eldap_entry, _object, attributes}], _referrals}} ->
        try_register(name, attributes)

      {:ok, {:eldap_search_result, [{:eldap_entry, _object, attributes}], _referrals, _controls}} ->
        try_register(name, attributes)

      error ->
        Logger.error("Couldn't register user because LDAP search failed: #{inspect(error)}")
        {:error, {:ldap_search_error, error}}
    end
  end

  defp try_register(name, attributes) do
    mail_attribute = Config.get([:ldap, :mail])

    params = %{
      name: name,
      nickname: name,
      password: nil
    }

    params =
      case List.keyfind(attributes, to_charlist(mail_attribute), 0) do
        {_, [mail]} -> Map.put_new(params, :email, :erlang.list_to_binary(mail))
        _ -> params
      end

    changeset = User.register_changeset_ldap(%User{}, params)

    case User.register(changeset) do
      {:ok, user} -> user
      error -> error
    end
  end

  defp decode_certfile(file) do
    with {:ok, data} <- File.read(file) do
      data
      |> :public_key.pem_decode()
      |> Enum.map(fn {_, b, _} -> b end)
    else
      _ ->
        Logger.error("Unable to read certfile: #{file}")
        []
    end
  end
end
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`defmodule Pleroma.LDAP do`
			`use GenServer`

			`require Logger`

			`alias Pleroma.Config`
			`alias Pleroma.User`

			`import Pleroma.Web.Auth.Helpers, only: [fetch_user: 1]`

Reduce LDAP timeouts 10 seconds is way too long for any login attempt or search result. LDAP should always be fast. 2024-09-17 10:43:21 -07:00			`@connection_timeout 2_000`
			`@search_timeout 2_000`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00
			`def start_link(_) do`
			`GenServer.start_link(__MODULE__, [], name: __MODULE__)`
			`end`

			`@impl true`
			`def init(state) do`
			`case {Config.get(Pleroma.Web.Auth.Authenticator), Config.get([:ldap, :enabled])} do`
			`{Pleroma.Web.Auth.LDAPAuthenticator, true} ->`
			`{:ok, state, {:continue, :connect}}`

			`{Pleroma.Web.Auth.LDAPAuthenticator, false} ->`
			`Logger.error(`
			`"LDAP Authenticator enabled but :pleroma, :ldap is not enabled. Auth will not work."`
			`)`

			`{:ok, state}`

			`{_, true} ->`
			`Logger.warning(`
			`":pleroma, :ldap is enabled but Pleroma.Web.Authenticator is not set to the LDAPAuthenticator. LDAP will not be used."`
			`)`

			`{:ok, state}`
Catchall for when LDAP is not enabled 2024-09-16 13:15:53 -07:00
			`_ ->`
			`{:ok, state}`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`end`
			`end`

			`@impl true`
			`def handle_continue(:connect, _state), do: do_handle_connect()`

			`@impl true`
			`def handle_info(:connect, _state), do: do_handle_connect()`

			`def handle_info({:bind_after_reconnect, name, password, from}, state) do`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`result = bind_user(state[:handle], name, password)`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00
			`GenServer.reply(from, result)`

			`{:noreply, state}`
			`end`

Credo 2024-09-16 10:14:19 -07:00			`defp do_handle_connect do`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`state =`
			`case connect() do`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`{:ok, handle} ->`
			`:eldap.controlling_process(handle, self())`
			`Process.link(handle)`
			`[handle: handle]`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00
			`_ ->`
			`Logger.error("Failed to connect to LDAP. Retrying in 5000ms")`
			`Process.send_after(self(), :connect, 5_000)`
			`[]`
			`end`

			`{:noreply, state}`
			`end`

			`@impl true`
			`def handle_call({:bind_user, name, password}, from, state) do`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`case bind_user(state[:handle], name, password) do`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`:needs_reconnect ->`
			`Process.send(self(), {:bind_after_reconnect, name, password, from}, [])`
			`{:noreply, state, {:continue, :connect}}`

			`result ->`
			`{:reply, result, state, :hibernate}`
			`end`
			`end`

			`@impl true`
			`def terminate(_, state) do`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`handle = Keyword.get(state, :handle)`
Only close connection if it is not nil 2024-09-17 10:14:09 -07:00
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`if not is_nil(handle) do`
			`:eldap.close(handle)`
Only close connection if it is not nil 2024-09-17 10:14:09 -07:00			`end`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00
			`:ok`
			`end`

LDAP: fix compile warning Sometimes the compile will emit the following warning, so we'll just avoid it by making it call a function in the LDAP module which will never have this problem. warning: :GenServer.call/2 is undefined (module :GenServer is not available or is yet to be defined) 2024-09-18 08:16:16 -07:00			`def bind_user(name, password) do`
			`GenServer.call(__MODULE__, {:bind_user, name, password})`
			`end`

Credo 2024-09-16 10:14:19 -07:00			`defp connect do`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`ldap = Config.get(:ldap, [])`
			`host = Keyword.get(ldap, :host, "localhost")`
			`port = Keyword.get(ldap, :port, 389)`
			`ssl = Keyword.get(ldap, :ssl, false)`
			`tls = Keyword.get(ldap, :tls, false)`
			`cacertfile = Keyword.get(ldap, :cacertfile) \|\| CAStore.file_path()`

Ensure :ssl is started before we attempt to make the LDAP connection 2024-09-17 10:07:26 -07:00			`if ssl, do: Application.ensure_all_started(:ssl)`

Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`default_secure_opts = [`
			`verify: :verify_peer,`
			`cacerts: decode_certfile(cacertfile),`
			`customize_hostname_check: [`
			`fqdn_fun: fn _ -> to_charlist(host) end`
			`]`
			`]`

			`sslopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :sslopts, []))`
			`tlsopts = Keyword.merge(default_secure_opts, Keyword.get(ldap, :tlsopts, []))`

			`default_options = [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}]`

			`# :sslopts can only be included in :eldap.open/2 when {ssl: true}`
			`# or the connection will fail`
			`options =`
			`if ssl do`
			`default_options ++ [{:sslopts, sslopts}]`
			`else`
			`default_options`
			`end`

			`case :eldap.open([to_charlist(host)], options) do`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`{:ok, handle} ->`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`try do`
			`cond do`
			`tls ->`
			`case :eldap.start_tls(`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`handle,`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`tlsopts,`
			`@connection_timeout`
			`) do`
			`:ok ->`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`{:ok, handle}`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00
			`error ->`
			`Logger.error("Could not start TLS: #{inspect(error)}")`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`:eldap.close(handle)`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`end`

			`true ->`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`{:ok, handle}`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`end`
			`after`
			`:ok`
			`end`

			`{:error, error} ->`
			`Logger.error("Could not open LDAP connection: #{inspect(error)}")`
			`{:error, {:ldap_connection_error, error}}`
			`end`
			`end`

Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`defp bind_user(handle, name, password) do`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`uid = Config.get([:ldap, :uid], "cn")`
			`base = Config.get([:ldap, :base])`

Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`case :eldap.simple_bind(handle, "#{uid}=#{name},#{base}", password) do`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`:ok ->`
			`case fetch_user(name) do`
			`%User{} = user ->`
			`user`

			`_ ->`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`register_user(handle, base, uid, name)`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`end`

			`# eldap does not inform us of socket closure`
			`# until it is used`
			`{:error, {:gen_tcp_error, :closed}} ->`
Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`:eldap.close(handle)`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`:needs_reconnect`

Improve matching on bind errors 2024-09-17 10:54:57 -07:00			`{:error, error} = e ->`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`Logger.error("Could not bind LDAP user #{name}: #{inspect(error)}")`
Improve matching on bind errors 2024-09-17 10:54:57 -07:00			`e`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`end`
			`end`

Change :connection to :handle to match upstream nomenclature 2024-09-17 10:46:56 -07:00			`defp register_user(handle, base, uid, name) do`
			`case :eldap.search(handle, [`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`{:base, to_charlist(base)},`
			`{:filter, :eldap.equalityMatch(to_charlist(uid), to_charlist(name))},`
			`{:scope, :eldap.wholeSubtree()},`
			`{:timeout, @search_timeout}`
			`]) do`
			`# The :eldap_search_result record structure changed in OTP 24.3 and added a controls field`
			`# https://github.com/erlang/otp/pull/5538`
			`{:ok, {:eldap_search_result, [{:eldap_entry, _object, attributes}], _referrals}} ->`
			`try_register(name, attributes)`

			`{:ok, {:eldap_search_result, [{:eldap_entry, _object, attributes}], _referrals, _controls}} ->`
			`try_register(name, attributes)`

			`error ->`
			`Logger.error("Couldn't register user because LDAP search failed: #{inspect(error)}")`
			`{:error, {:ldap_search_error, error}}`
			`end`
			`end`

			`defp try_register(name, attributes) do`
Make the email attribute configurable While here, fix the System.get_env usage to use the normal fallback value method and improve the UID label description 2024-09-17 10:36:46 -07:00			`mail_attribute = Config.get([:ldap, :mail])`

Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`params = %{`
			`name: name,`
			`nickname: name,`
			`password: nil`
			`}`

			`params =`
Make the email attribute configurable While here, fix the System.get_env usage to use the normal fallback value method and improve the UID label description 2024-09-17 10:36:46 -07:00			`case List.keyfind(attributes, to_charlist(mail_attribute), 0) do`
Pleroma.LDAP This adds a GenServer which will keep an LDAP connection open and auto reconnect on failure with a 5 second wait between retries. Another benefit is this prevents parsing the Root CAs for every login attempt as we only need to do it once per connection. 2024-09-15 21:26:57 -07:00			`{_, [mail]} -> Map.put_new(params, :email, :erlang.list_to_binary(mail))`
			`_ -> params`
			`end`

			`changeset = User.register_changeset_ldap(%User{}, params)`

			`case User.register(changeset) do`
			`{:ok, user} -> user`
			`error -> error`
			`end`
			`end`

			`defp decode_certfile(file) do`
			`with {:ok, data} <- File.read(file) do`
			`data`
			`\|> :public_key.pem_decode()`
			`\|> Enum.map(fn {_, b, _} -> b end)`
			`else`
			`_ ->`
			`Logger.error("Unable to read certfile: #{file}")`
			`[]`
			`end`
			`end`
			`end`