providers/ldap: improve mapping of LDAP filters to authentik queries

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-12 18:30:52 +00:00 · 2022-12-12 18:30:52 +00:00 · 107f2745c8
parent 6f9002eb01
commit 107f2745c8
4 changed files with 55 additions and 60 deletions
--- a/internal/outpost/ldap/utils/utils.go
+++ b/internal/outpost/ldap/utils/utils.go
@ -9,7 +9,7 @@ import (
 	ldapConstants "goauthentik.io/internal/outpost/ldap/constants"
 )
-func ldapResolveTypeSingle(in interface{}) *string {
+func stringify(in interface{}) *string {
 	switch t := in.(type) {
 	case string:
 		return &t
@ -51,13 +51,13 @@ func AKAttrsToLDAP(attrs map[string]interface{}) []*ldap.EntryAttribute {
 		case []interface{}:
 			entry.Values = make([]string, len(t))
 			for idx, v := range t {
-				v := ldapResolveTypeSingle(v)
+				v := stringify(v)
 				if v != nil {
 					entry.Values[idx] = *v
 				}
 			}
 		default:
-			v := ldapResolveTypeSingle(t)
+			v := stringify(t)
 			if v != nil {
 				entry.Values = []string{*v}
 			}
--- a/internal/outpost/ldap/utils/utils_group.go
+++ b/internal/outpost/ldap/utils/utils_group.go
@ -40,18 +40,20 @@ func parseFilterForGroupSingle(req api.ApiCoreGroupsListRequest, f *ber.Packet)
 	if v == nil {
 		return req, false
 	}
-	// Switch on type of the value, then check the key
+	val := stringify(v)
-	switch vv := v.(type) {
+	if val == nil {
-	case string:
+		return req, false
 	}
 	// Check key
 	switch strings.ToLower(k.(string)) {
 	case "cn":
-			return req.Name(vv), false
+		return req.Name(*val), false
 	case "member":
 		fallthrough
 	case "memberOf":
-			userDN, err := goldap.ParseDN(vv)
+		userDN, err := goldap.ParseDN(*val)
 		if err != nil {
-				return req.MembersByUsername([]string{vv}), false
+			return req.MembersByUsername([]string{*val}), false
 		}
 		username := userDN.RDNs[0].Attributes[0].Value
 		// If the DN's first ou is virtual-groups, ignore this filter
@ -63,9 +65,5 @@ func parseFilterForGroupSingle(req api.ApiCoreGroupsListRequest, f *ber.Packet)
 		}
 		return req.MembersByUsername([]string{username}), false
 	}
 	//TODO: Support int
 	default:
 		return req, false
 	}
 	return req, false
 }
--- a/internal/outpost/ldap/utils/utils_test.go
+++ b/internal/outpost/ldap/utils/utils_test.go
@ -7,9 +7,9 @@ import (
 	"goauthentik.io/api/v3"
 )
-func Test_ldapResolveTypeSingle_nil(t *testing.T) {
+func Test_stringify_nil(t *testing.T) {
 	var ex *string
-	assert.Equal(t, ex, ldapResolveTypeSingle(nil))
+	assert.Equal(t, ex, stringify(nil))
 }
 func TestAKAttrsToLDAP_String(t *testing.T) {
--- a/internal/outpost/ldap/utils/utils_user.go
+++ b/internal/outpost/ldap/utils/utils_user.go
@ -38,23 +38,24 @@ func parseFilterForUserSingle(req api.ApiCoreUsersListRequest, f *ber.Packet) (a
 	if v == nil {
 		return req, false
 	}
-	// Switch on type of the value, then check the key
+	val := stringify(v)
-	switch vv := v.(type) {
+	if val == nil {
-	case string:
+		return req, false
 	}
 	switch k {
 	case "cn":
-			return req.Username(vv), false
+		return req.Username(*val), false
 	case "name":
 	case "displayName":
-			return req.Name(vv), false
+		return req.Name(*val), false
 	case "mail":
-			return req.Email(vv), false
+		return req.Email(*val), false
 	case "member":
 		fallthrough
 	case "memberOf":
-			groupDN, err := goldap.ParseDN(vv)
+		groupDN, err := goldap.ParseDN(*val)
 		if err != nil {
-				return req.GroupsByName([]string{vv}), false
+			return req.GroupsByName([]string{*val}), false
 		}
 		name := groupDN.RDNs[0].Attributes[0].Value
 		// If the DN's first ou is virtual-groups, ignore this filter
@ -66,9 +67,5 @@ func parseFilterForUserSingle(req api.ApiCoreUsersListRequest, f *ber.Packet) (a
 		}
 		return req.GroupsByName([]string{name}), false
 	}
 	//TODO: Support int
 	default:
 		return req, false
 	}
 	return req, false
 }