ldap_backend/src/main.rs

use ldap3::{LdapConn, Mod, Scope, SearchEntry};

use ldap3::exop::{PasswordModify, PasswordModifyResp};
use std::collections::HashSet;

// for teh webserver
use dotenv::dotenv;
use skynet_ldap_server::db_init;
use sqlx::{Pool, Sqlite};
use std::env;
use tide::prelude::{json, Deserialize};
use tide::Request;

#[derive(Clone)]
struct State {
    db: Pool<Sqlite>,
    config: Config,
}

#[async_std::main]
async fn main() -> tide::Result<()> {
    let config = get_config();
    let db = db_init(&config.database).await?;

    let host_port = config.host_port.clone();

    tide::log::start();

    let state = State {
        db,
        config,
    };

    let mut app = tide::with_state(state);

    app.at("/ldap/update").post(post_update_ldap);

    app.listen(host_port).await?;
    Ok(())
}

#[derive(Debug, Clone)]
struct Config {
    ldap_host: String,
    database: String,
    host_port: String,
}
fn get_config() -> Config {
    dotenv().ok();

    // reasonable defaults
    let mut config = Config {
        ldap_host: "".to_string(),
        database: "database.db".to_string(),
        host_port: "127.0.0.1:8087".to_string(),
    };

    if let Ok(x) = env::var("LDAP_HOST") {
        config.ldap_host = x.trim().to_string();
    }
    if let Ok(x) = env::var("DATABASE") {
        config.database = x.trim().to_string();
    }
    if let Ok(x) = env::var("HOST_PORT") {
        config.host_port = x.trim().to_string();
    }

    config
}

#[derive(Debug, Deserialize)]
struct LdapUpdate {
    user: String,
    pass: String,
    field: String,
    value: String,
}
async fn post_update_ldap(mut req: Request<State>) -> tide::Result {
    let LdapUpdate {
        user,
        pass,
        field,
        value,
    } = req.body_json().await?;

    let config = &req.state().config;

    // easier to give each request its own connection
    let mut ldap = LdapConn::new(&config.ldap_host)?;

    let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user);
    ldap.simple_bind(&dn, &pass)?.success()?;

    // always assume insecure
    let mut pw_keep_same = false;

    // get the users current password hash
    let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?;
    if !rs.is_empty() {
        let tmp = SearchEntry::construct(rs[0].clone());
        if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") {
            pw_keep_same = true;
        }
    }

    // check if the password field itself is being updated
    let (pass_old, pass_new) = if &field != "userPassword" {
        // if password is not being updated then just update the required field
        let mods = vec![
            Mod::Replace(field, HashSet::from([value]))
        ];
        ldap.modify(&dn, mods)?.success()?;
        
        
        // pass back the "old" and "new" passwords 
        (pass.clone(), pass.clone())
    } else {
        // password is going to be updated, even if the old value is not starting with "{SSHA512}"
        
        pw_keep_same = false;
        (pass.clone(), value.clone())
    };

    if !pw_keep_same {
        // really easy to update password once ye know how
        
        let tmp = PasswordModify{
            // none as we are staying on the same connection
            user_id: None,
            
            old_pass: Some(&pass_old),
            new_pass: Some(&pass_new),
        };

        ldap.extended(tmp)?.success()?;
    };

    ldap.unbind()?;

    Ok(json!({"result": "success"}).into())
}


/* Create new account
   

   1. Check if ID is available
   2. Ask user to fill in:
     * uid
     * First Name
     * Surname Name
     * Wolves email
   3. Email + link is sent to wolves email 
     * only if its paid up and it hasn't been used before
   4. Ldap entry created
   5. Email with initial pw is sent to user
   6. Account added to skynet-users (they are paid up)

 */

/* Join existing account to wolves
    related to above

 */

/* Password reset via email

 */

/* script to pull in all active members from wolves
    update the groups
    check if there are any pending signups

 */
fmt: fmt and clippy 2023-05-25 23:51:36 +00:00			`use ldap3::{LdapConn, Mod, Scope, SearchEntry};`
feat: can fix up the hash if required 2023-05-25 21:02:42 +00:00
feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`use ldap3::exop::{PasswordModify, PasswordModifyResp};`
			`use std::collections::HashSet;`
feat: can fix up the hash if required 2023-05-25 21:02:42 +00:00
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00			`// for teh webserver`
fmt: fmt and clippy 2023-05-25 23:51:36 +00:00			`use dotenv::dotenv;`
			`use skynet_ldap_server::db_init;`
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00			`use sqlx::{Pool, Sqlite};`
			`use std::env;`
fmt: fmt and clippy 2023-05-25 23:58:18 +00:00			`use tide::prelude::{json, Deserialize};`
			`use tide::Request;`
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00
			`#[derive(Clone)]`
			`struct State {`
			`db: Pool<Sqlite>,`
			`config: Config,`
			`}`

			`#[async_std::main]`
			`async fn main() -> tide::Result<()> {`
			`let config = get_config();`
			`let db = db_init(&config.database).await?;`

			`let host_port = config.host_port.clone();`

			`tide::log::start();`

			`let state = State {`
			`db,`
			`config,`
			`};`

			`let mut app = tide::with_state(state);`

feat: the post request works 2023-05-25 23:38:50 +00:00			`app.at("/ldap/update").post(post_update_ldap);`
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00
			`app.listen(host_port).await?;`
			`Ok(())`
			`}`

			`#[derive(Debug, Clone)]`
			`struct Config {`
			`ldap_host: String,`
			`database: String,`
			`host_port: String,`
			`}`
			`fn get_config() -> Config {`
			`dotenv().ok();`

			`// reasonable defaults`
			`let mut config = Config {`
			`ldap_host: "".to_string(),`
			`database: "database.db".to_string(),`
			`host_port: "127.0.0.1:8087".to_string(),`
			`};`

			`if let Ok(x) = env::var("LDAP_HOST") {`
feat: the post request works 2023-05-25 23:38:50 +00:00			`config.ldap_host = x.trim().to_string();`
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00			`}`
			`if let Ok(x) = env::var("DATABASE") {`
			`config.database = x.trim().to_string();`
			`}`
			`if let Ok(x) = env::var("HOST_PORT") {`
			`config.host_port = x.trim().to_string();`
			`}`

			`config`
			`}`

feat: the post request works 2023-05-25 23:38:50 +00:00			`#[derive(Debug, Deserialize)]`
			`struct LdapUpdate {`
			`user: String,`
			`pass: String,`
			`field: String,`
fmt: fmt and clippy 2023-05-25 23:51:36 +00:00			`value: String,`
feat: the post request works 2023-05-25 23:38:50 +00:00			`}`
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00			`async fn post_update_ldap(mut req: Request<State>) -> tide::Result {`
fmt: fmt and clippy 2023-05-25 23:51:36 +00:00			`let LdapUpdate {`
			`user,`
			`pass,`
			`field,`
			`value,`
			`} = req.body_json().await?;`
feat: the post request works 2023-05-25 23:38:50 +00:00
			`let config = &req.state().config;`
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00
feat: the post request works 2023-05-25 23:38:50 +00:00			`// easier to give each request its own connection`
			`let mut ldap = LdapConn::new(&config.ldap_host)?;`
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00
feat: can fix up the hash if required 2023-05-25 21:02:42 +00:00			`let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user);`
feat: the post request works 2023-05-25 23:38:50 +00:00			`ldap.simple_bind(&dn, &pass)?.success()?;`
feat: can fix up the hash if required 2023-05-25 21:02:42 +00:00
			`// always assume insecure`
feat: able to deal with password changes now 2023-05-25 23:45:07 +00:00			`let mut pw_keep_same = false;`
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00
feat: can fix up the hash if required 2023-05-25 21:02:42 +00:00			`// get the users current password hash`
fmt: fmt and clippy 2023-05-25 23:51:36 +00:00			`let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?;`
feat: can fix up the hash if required 2023-05-25 21:02:42 +00:00			`if !rs.is_empty() {`
			`let tmp = SearchEntry::construct(rs[0].clone());`
feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") {`
feat: able to deal with password changes now 2023-05-25 23:45:07 +00:00			`pw_keep_same = true;`
feat: can fix up the hash if required 2023-05-25 21:02:42 +00:00			`}`
			`}`
fmt: fmt and clippy 2023-05-25 23:51:36 +00:00
feat: able to deal with password changes now 2023-05-25 23:45:07 +00:00			`// check if the password field itself is being updated`
feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`let (pass_old, pass_new) = if &field != "userPassword" {`
			`// if password is not being updated then just update the required field`
			`let mods = vec![`
			`Mod::Replace(field, HashSet::from([value]))`
			`];`
			`ldap.modify(&dn, mods)?.success()?;`


			`// pass back the "old" and "new" passwords`
			`(pass.clone(), pass.clone())`
feat: able to deal with password changes now 2023-05-25 23:45:07 +00:00			`} else {`
feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`// password is going to be updated, even if the old value is not starting with "{SSHA512}"`

feat: able to deal with password changes now 2023-05-25 23:45:07 +00:00			`pw_keep_same = false;`
feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`(pass.clone(), value.clone())`
feat: able to deal with password changes now 2023-05-25 23:45:07 +00:00			`};`
fmt: fmt and clippy 2023-05-25 23:51:36 +00:00
feat: able to deal with password changes now 2023-05-25 23:45:07 +00:00			`if !pw_keep_same {`
feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`// really easy to update password once ye know how`

			`let tmp = PasswordModify{`
			`// none as we are staying on the same connection`
			`user_id: None,`

			`old_pass: Some(&pass_old),`
			`new_pass: Some(&pass_new),`
			`};`
feat: can fix up the hash if required 2023-05-25 21:02:42 +00:00
feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`ldap.extended(tmp)?.success()?;`
feat: can fix up the hash if required 2023-05-25 21:02:42 +00:00			`};`
feat: the post request works 2023-05-25 23:38:50 +00:00
feat: basic setup[ of the webserver 2023-05-25 23:02:12 +00:00			`ldap.unbind()?;`
fmt: fmt and clippy 2023-05-25 23:58:18 +00:00
			`Ok(json!({"result": "success"}).into())`
initial commit 2023-05-25 16:01:50 +00:00			`}`
todo: added notes on what to do next 2023-05-26 00:23:45 +00:00

feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`/* Create new account`
todo: added notes on what to do next 2023-05-26 00:23:45 +00:00

			`1. Check if ID is available`
			`2. Ask user to fill in:`
			`* uid`
			`* First Name`
			`* Surname Name`
			`* Wolves email`
			`3. Email + link is sent to wolves email`
			`* only if its paid up and it hasn't been used before`
			`4. Ldap entry created`
			`5. Email with initial pw is sent to user`
			`6. Account added to skynet-users (they are paid up)`

			`*/`

feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`/* Join existing account to wolves`
todo: added notes on what to do next 2023-05-26 00:23:45 +00:00			`related to above`

			`*/`

feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`/* Password reset via email`
todo: added notes on what to do next 2023-05-26 00:23:45 +00:00
			`*/`

feat: turns out there is an extended ldap3 operation called password modify 2023-05-26 09:37:50 +00:00			`/* script to pull in all active members from wolves`
todo: added notes on what to do next 2023-05-26 00:23:45 +00:00			`update the groups`
			`check if there are any pending signups`

			`*/`