ldap_backend/src/methods/account_update.rs

use crate::State;
use ldap3::{exop::PasswordModify, LdapConn, Mod, Scope, SearchEntry};
use std::collections::HashSet;
use tide::{
    prelude::{json, Deserialize},
    Request,
};

#[derive(Debug, Deserialize)]
pub struct LdapUpdate {
    user: String,
    pass: String,
    field: String,
    value: String,
}

/// Handles updating a single field with the users own password
pub async fn post_update_ldap(mut req: Request<State>) -> tide::Result {
    let LdapUpdate {
        user,
        pass,
        field,
        value,
    } = req.body_json().await?;

    // check that any mail is not using @skynet.ie
    if field == "mail" && value.trim().ends_with("@skynet.ie") {
        return Ok(json!({"result": "error", "error": "skynet email not valid contact address"}).into());
    }

    let config = &req.state().config;

    // easier to give each request its own connection
    let mut ldap = LdapConn::new(&config.ldap_host)?;

    let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user);
    ldap.simple_bind(&dn, &pass)?.success()?;

    // always assume insecure
    let mut pw_keep_same = false;

    // get the users current password hash
    let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?;
    if !rs.is_empty() {
        let tmp = SearchEntry::construct(rs[0].clone());
        if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") {
            pw_keep_same = true;
        }
    }

    // check if the password field itself is being updated
    let pass_new = if &field != "userPassword" {
        // if password is not being updated then just update the required field
        let mods = vec![
            // the value we are updating
            Mod::Replace(field, HashSet::from([value])),
        ];

        ldap.modify(&dn, mods)?.success()?;

        // pass back the "old" and "new" passwords
        // using this means we can create teh vars without them needing to be mutable
        pass.clone()
    } else {
        // password is going to be updated, even if the old value is not starting with "{SSHA512}"
        pw_keep_same = false;
        value
    };

    // changing teh password because of an explicit request or upgrading teh security.
    if !pw_keep_same {
        // really easy to update password once ye know how
        let tmp = PasswordModify {
            // none as we are staying on the same connection
            user_id: None,
            old_pass: Some(&pass),
            new_pass: Some(&pass_new),
        };

        ldap.extended(tmp)?.success()?;
    };

    ldap.unbind()?;

    Ok(json!({"result": "success"}).into())
}
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`use crate::State;`
feat: simplified the signup 2023-07-30 02:50:13 +01:00			`use ldap3::{exop::PasswordModify, LdapConn, Mod, Scope, SearchEntry};`
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`use std::collections::HashSet;`
feat: simplified the signup 2023-07-30 02:50:13 +01:00			`use tide::{`
			`prelude::{json, Deserialize},`
			`Request,`
			`};`
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00
			`#[derive(Debug, Deserialize)]`
			`pub struct LdapUpdate {`
			`user: String,`
			`pass: String,`
			`field: String,`
			`value: String,`
			`}`
doc: added small bit of dsocumentaiton 2023-06-04 12:19:17 +01:00
			`/// Handles updating a single field with the users own password`
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`pub async fn post_update_ldap(mut req: Request<State>) -> tide::Result {`
			`let LdapUpdate {`
			`user,`
			`pass,`
			`field,`
			`value,`
			`} = req.body_json().await?;`

fix: disallow using skynet email as a contact address closes #1 2023-07-29 17:16:29 +01:00			`// check that any mail is not using @skynet.ie`
			`if field == "mail" && value.trim().ends_with("@skynet.ie") {`
			`return Ok(json!({"result": "error", "error": "skynet email not valid contact address"}).into());`
			`}`

feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`let config = &req.state().config;`

			`// easier to give each request its own connection`
			`let mut ldap = LdapConn::new(&config.ldap_host)?;`

			`let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user);`
			`ldap.simple_bind(&dn, &pass)?.success()?;`

			`// always assume insecure`
			`let mut pw_keep_same = false;`

			`// get the users current password hash`
			`let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?;`
			`if !rs.is_empty() {`
			`let tmp = SearchEntry::construct(rs[0].clone());`
			`if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") {`
			`pw_keep_same = true;`
			`}`
			`}`

			`// check if the password field itself is being updated`
feat: further reduction in complexity #5 2023-07-30 22:20:15 +01:00			`let pass_new = if &field != "userPassword" {`
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`// if password is not being updated then just update the required field`
feat: reduce complexity around skSecure #5 2023-07-30 21:39:32 +01:00			`let mods = vec![`
			`// the value we are updating`
feat:a dd field to make the password as secure 2023-07-16 23:14:21 +01:00			`Mod::Replace(field, HashSet::from([value])),`
			`];`
fmt: fmt and clippy 2023-07-17 00:14:48 +01:00
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`ldap.modify(&dn, mods)?.success()?;`

			`// pass back the "old" and "new" passwords`
feat: reduce complexity around skSecure #5 2023-07-30 21:39:32 +01:00			`// using this means we can create teh vars without them needing to be mutable`
feat: further reduction in complexity #5 2023-07-30 22:20:15 +01:00			`pass.clone()`
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`} else {`
			`// password is going to be updated, even if the old value is not starting with "{SSHA512}"`
			`pw_keep_same = false;`
feat: further reduction in complexity #5 2023-07-30 22:20:15 +01:00			`value`
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`};`

feat: reduce complexity around skSecure #5 2023-07-30 21:39:32 +01:00			`// changing teh password because of an explicit request or upgrading teh security.`
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`if !pw_keep_same {`
			`// really easy to update password once ye know how`
			`let tmp = PasswordModify {`
			`// none as we are staying on the same connection`
			`user_id: None,`
feat: further reduction in complexity #5 2023-07-30 22:20:15 +01:00			`old_pass: Some(&pass),`
feat: split up into seperate modules before it gets too tangled up 2023-06-04 12:17:16 +01:00			`new_pass: Some(&pass_new),`
			`};`

			`ldap.extended(tmp)?.success()?;`
			`};`

			`ldap.unbind()?;`

			`Ok(json!({"result": "success"}).into())`
			`}`