F #4924: user regex for LDAP auth (#71)

2025-03-28 14:50:08 +03:00 · 2020-07-02 18:53:43 +02:00 · 2020-07-02 18:53:43 +02:00 · ed36cf6f5d
commit ed36cf6f5d
parent b531366cde
2 changed files with 64 additions and 24 deletions
--- a/src/authm_mad/remotes/ldap/authenticate
+++ b/src/authm_mad/remotes/ldap/authenticate
@ -63,32 +63,11 @@ end

 options=YAML.load(File.read(ETC_LOCATION+'/auth/ldap_auth.conf'))

-order=options[:order]
+order = get_server_order(options, user)

-if !order
-    STDERR.puts ":order value not found, the configuration file could be malformed"
-    order=options.keys
-elsif order.class != Array
-    STDERR.puts ":order value malformed, must be an Array"
-    exit(-1)
-end
-
-order.each do |name|
-    if name.is_a? Array
-        servers = name
-    elsif name.is_a? Hash
-        if name.keys.size == 1
-            servers = [name.values].flatten
-        else
-            STDERR.puts ":order contains invalid group configuration: #{name}"
-            exit(-1)
-        end
-    else
-        servers = [name]
-    end
-
-    STDERR.puts "Using group of servers: #{servers.join(', ')}" if servers.length>1
+STDERR.puts "Using group of servers: #{servers.join(', ')}" if order.length>1

+order.each do |servers|
    servers.each do |server_name|
        STDERR.puts "Trying LDAP server #{server_name} "

--- a/src/authm_mad/remotes/ldap/ldap_auth.rb
+++ b/src/authm_mad/remotes/ldap/ldap_auth.rb
@ -222,3 +222,64 @@ class OpenNebula::LdapAuth
        groups.compact.uniq
    end
 end
+
+
+# ---------------------------------------------------------------------------- #
+# Helper functions to parse ldap_auth.conf server entries
+# ---------------------------------------------------------------------------- #
+def to_array(name)
+    if name.is_a? Array
+        name
+    elsif name.is_a? Hash
+        if name.keys.size == 1
+            [name.values].flatten
+        else
+            STDERR.puts "invalid group configuration: #{name}"
+            exit(-1)
+        end
+    else
+        [name]
+    end
+end
+
+def get_server_order(opts, user)
+    order = []
+
+    if opts[:order] && opts[:match_user_regex]
+        STDERR.puts ":order and :match_user_regex are mutually exclusive"
+        exit(-1)
+    end
+
+    if opts[:order]
+        if opts[:order].class != Array
+            STDERR.puts ":order value malformed, must be an Array"
+            exit(-1)
+        end
+
+        opts[:order].each do |name|
+            order << to_array(name)
+        end
+
+    elsif opts[:match_user_regex]
+        if opts[:match_user_regex].class != Hash || opts[:match_user_regex].empty?
+            STDERR.puts ":match_user_regex value malformed, must be an Hash"
+            exit(-1)
+        end
+
+        opts[:match_user_regex].each do |regex, server|
+            if user =~ /#{regex}/i
+                order << to_array(server)
+            end
+        end
+
+        if order.empty?
+            STDERR.puts "User #{user} does not mach any regex"
+        end
+
+    else
+        STDERR.puts "missing either :order or :match_user_regex in configuration"
+        exit(-1)
+    end
+
+    return order
+end