Patch upstream to add anonymous ldap filter

2024-09-03 20:26:38 +02:00 · 2024-02-06 20:55:10 +01:00 · 2024-02-06 20:55:10 +01:00 · 29da503830
commit 29da503830
parent b2e2341ff1
2 changed files with 115 additions and 1 deletions
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -1,5 +1,5 @@

-
+python_version="$(python3 -V | cut -d' ' -f2 | cut -d. -f1-2)"
 main_domain=$(yunohost domain list --output-as json | jq -r .main)
 code_dir="/opt/yunohost/matrix-$app"
 base_api_url="/_matrix"
@ -58,6 +58,14 @@ install_sources() {
        deactivate
        set -$u_arg;
    fi
+
+    # Apply patch for LDAP auth if needed
+    env
+    if ! grep -F -q '# LDAP Filter anonymous user Applied' $code_dir/lib/python$python_version/site-packages/ldap_auth_provider.py; then
+        pushd $code_dir/lib/python$python_version/site-packages
+        patch < $YNH_APP_BASEDIR/sources/ldap_auth_filter_anonymous_user.patch
+        popd
+    fi
 }

 configure_synapse() {
--- a/sources/ldap_auth_filter_anonymous_user.patch
+++ b/sources/ldap_auth_filter_anonymous_user.patch
@ -0,0 +1,106 @@
+diff --git a/ldap_auth_provider.py b/ldap_auth_provider.py
+index 3646948..96296b6 100644
+--- a/ldap_auth_provider.py
+++ b/ldap_auth_provider.py
+@@ -373,9 +373,12 @@ class LdapAuthProvider:
+             ],
+         )
+ 
+        # LDAP Filter anonymous user Applied
+         ldap_config = _LdapConfig(
+             enabled=config.get("enabled", False),
+-            mode=LDAPMode.SIMPLE,
+            mode=LDAPMode.SEARCH
+            if config.get("mode", "simple") == "search"
+            else LDAPMode.SIMPLE,
+             uri=config["uri"],
+             start_tls=config.get("start_tls", False),
+             tls_options=config.get("tls_options"),
+@@ -403,6 +406,8 @@ class LdapAuthProvider:
+                 raise ValueError(
+                     "Either bind_password or bind_password_file must be set!"
+                 )
+
+        if ldap_config.mode == LDAPMode.SEARCH:
+             ldap_config.filter = config.get("filter", None)
+ 
+         # verify attribute lookup
+@@ -461,13 +466,16 @@ class LdapAuthProvider:
+         server = self._get_server(get_info=ldap3.DSA)
+ 
+         if self.ldap_bind_dn is None or self.ldap_bind_password is None:
+-            raise ValueError("Missing bind DN or bind password")
+-
+-        result, conn = await self._ldap_simple_bind(
+-            server=server,
+-            bind_dn=self.ldap_bind_dn,
+-            password=self.ldap_bind_password,
+-        )
+            result, conn = await self._ldap_simple_bind(
+                server=server,
+                auth_type=ldap3.ANONYMOUS,
+            )
+        else:
+            result, conn = await self._ldap_simple_bind(
+                server=server,
+                bind_dn=self.ldap_bind_dn,
+                password=self.ldap_bind_password,
+            )
+ 
+         if not result:
+             logger.warning("Unable to get root domain due to failed LDAP bind")
+@@ -503,7 +511,11 @@ class LdapAuthProvider:
+         return self.ldap_root_domain
+ 
+     async def _ldap_simple_bind(
+-        self, server: ldap3.ServerPool, bind_dn: str, password: str
+        self,
+        server: ldap3.ServerPool,
+        bind_dn: Optional[str] = None,
+        password: Optional[str] = None,
+        auth_type: str = ldap3.SIMPLE,
+     ) -> Tuple[bool, Optional[ldap3.Connection]]:
+         """Attempt a simple bind with the credentials given by the user against
+         the LDAP server.
+@@ -513,6 +525,8 @@ class LdapAuthProvider:
+         Returns False, None
+             if an error occured
+         """
+        if (bind_dn is None or password is None) and auth_type == ldap3.SIMPLE:
+            raise ValueError("Missing bind DN or bind password")
+ 
+         try:
+             # bind with the the local user's ldap credentials
+@@ -521,7 +535,7 @@ class LdapAuthProvider:
+                 server,
+                 bind_dn,
+                 password,
+-                authentication=ldap3.SIMPLE,
+                authentication=auth_type,
+                 read_only=True,
+             )
+             logger.debug("Established LDAP connection in simple bind mode: %s", conn)
+@@ -578,13 +592,16 @@ class LdapAuthProvider:
+ 
+         try:
+             if self.ldap_bind_dn is None or self.ldap_bind_password is None:
+-                raise ValueError("Missing bind DN or bind password")
+-
+-            result, conn = await self._ldap_simple_bind(
+-                server=server,
+-                bind_dn=self.ldap_bind_dn,
+-                password=self.ldap_bind_password,
+-            )
+                result, conn = await self._ldap_simple_bind(
+                    server=server,
+                    auth_type=ldap3.ANONYMOUS,
+                )
+            else:
+                result, conn = await self._ldap_simple_bind(
+                    server=server,
+                    bind_dn=self.ldap_bind_dn,
+                    password=self.ldap_bind_password,
+                )
+ 
+             if not result:
+                 return (False, None, None)