feat: add LDAP support for dynamic secrets

backend/package.json

@@ -71,6 +71,7 @@
     "@types/jsrp": "^0.2.6",
     "@types/libsodium-wrappers": "^0.7.13",
     "@types/lodash.isequal": "^4.5.8",
+    "@types/mustache": "^4.2.5",
     "@types/node": "^20.9.5",
     "@types/nodemailer": "^6.4.14",
     "@types/passport-github": "^1.1.12",
@@ -158,10 +159,12 @@
     "jwks-rsa": "^3.1.0",
     "knex": "^3.0.1",
     "ldapjs": "^3.0.7",
+    "ldif": "^0.5.1",
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
     "mongodb": "^6.8.1",
     "ms": "^2.1.3",
+    "mustache": "^4.2.0",
     "mysql2": "^3.9.8",
     "nanoid": "^3.3.4",
     "nodemailer": "^6.9.9",

backend/src/ee/services/dynamic-secret/providers/index.ts

@@ -3,6 +3,7 @@ import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
+import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
 import { MongoDBProvider } from "./mongo-db";
@@ -20,5 +21,6 @@ export const buildDynamicSecretProviders = () => ({
   [DynamicSecretProviders.MongoDB]: MongoDBProvider(),
   [DynamicSecretProviders.ElasticSearch]: ElasticSearchProvider(),
   [DynamicSecretProviders.RabbitMq]: RabbitMqProvider(),
-  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider()
+  [DynamicSecretProviders.AzureEntraID]: AzureEntraIDProvider(),
+  [DynamicSecretProviders.Ldap]: LdapProvider()
 });

backend/src/ee/services/dynamic-secret/providers/ldap.ts

@@ -0,0 +1,213 @@
+/* eslint-disable */
+
+import ldapjs from "ldapjs";
+import { render } from "mustache";
+import { customAlphabet } from "nanoid";
+import { z } from "zod";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { LdapSchema, TDynamicProviderFns } from "./models";
+import { BadRequestError } from "@app/lib/errors";
+const ldif = require("ldif");
+
+const generatePassword = () => {
+  const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~!*$#";
+  return customAlphabet(charset, 64)();
+};
+
+const encodePassword = (password?: string) => {
+  const quotedPassword = `"${password}"`;
+  const utf16lePassword = Buffer.from(quotedPassword, "utf16le");
+  const base64Password = utf16lePassword.toString("base64");
+  return base64Password;
+}
+
+const generateUsername = () => {
+  return alphaNumericNanoId(20);
+};
+
+const generateLDIF = ({
+  username,
+  password,
+  ldifTemplate
+}: {
+  username: string;
+  password?: string;
+  ldifTemplate: string;
+}): string => {
+
+  const data = {
+    Username: username,
+    Password: password,
+    EncodedPassword: encodePassword(password)
+  };
+
+  const ldif = render(ldifTemplate, data);
+
+  return ldif;
+};
+
+export const LdapProvider = (): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await LdapSchema.parseAsync(inputs);
+    return providerInputs;
+  };
+
+  const getClient = async (providerInputs: z.infer<typeof LdapSchema>): Promise<ldapjs.Client> => {
+    return new Promise((resolve, reject) => {
+      const client = ldapjs.createClient({
+        url: providerInputs.url,
+        tlsOptions: {
+          ca: providerInputs.ca ? providerInputs.ca : null,
+          rejectUnauthorized: !!providerInputs.ca
+        },
+        reconnect: true,
+        bindDN: providerInputs.binddn,
+        bindCredentials: providerInputs.bindpass,
+      });
+
+      client.on("error", (err) => {
+        client.unbind();
+        reject(new BadRequestError({ message: err.message }));
+      });
+
+      client.bind(providerInputs.binddn, providerInputs.bindpass, (err) => {
+        if (err) {
+          client.unbind();
+          reject(new BadRequestError({ message: err.message }));
+        } else {
+          resolve(client);
+        }
+      });
+    });
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+    return client.connected;
+  };
+
+  const executeLdif = async (client: ldapjs.Client, ldif_file: string) => {
+    let parsedEntries;
+    try {
+      parsedEntries = ldif.parse(ldif_file).entries as any[];
+    } catch (err) {
+      throw new BadRequestError({ message: "Invalid LDIF format, refer to the documentation at Dynamic secrets > LDAP > LDIF Entries." });
+    }
+
+    const dnArray: string[] = [];
+
+    for (const entry of parsedEntries) {
+      const { dn } = entry;
+      let response_dn: string;
+
+      if (entry.type === "add") {
+        const attributes: any = {};
+
+        entry.changes.forEach((change: any) => {
+          const attrName = change.attribute.attribute;
+          const attrValue = change.value.value;
+
+          attributes[attrName] = Array.isArray(attrValue) ? attrValue : [attrValue];
+        });
+
+        response_dn = await new Promise((resolve, reject) => {
+          client.add(dn, attributes, (err) => {
+            if (err) {
+              reject(new BadRequestError({ message: err.message }));
+            } else {
+              resolve(dn);
+            }
+          });
+        });
+      } else if (entry.type === "modify") {
+        const changes: any = [];
+
+        entry.changes.forEach((change: any) => {
+          changes.push(
+            new ldapjs.Change({
+              operation: change.operation || "replace",
+              modification: {
+                type: change.attribute.attribute,
+                values: change.values.map((value: any) => value.value)
+              }
+            })
+          );
+        });
+
+        response_dn = await new Promise((resolve, reject) => {
+          client.modify(dn, changes, (err) => {
+            if (err) {
+              reject(new BadRequestError({ message: err.message }));
+            } else {
+              resolve(dn);
+            }
+          });
+        });
+      } else if (entry.type === "delete") {
+        response_dn = await new Promise((resolve, reject) => {
+          client.del(dn, (err) => {
+            if (err) {
+              reject(new BadRequestError({ message: err.message }));
+            } else {
+              resolve(dn);
+            }
+          });
+        });
+      } else {
+        client.unbind();
+        throw new BadRequestError({ message: `Unsupported operation type ${entry.type}` });
+      }
+
+      dnArray.push(response_dn);
+    }
+    client.unbind();
+    return dnArray;
+  };
+
+  const create = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const client = await getClient(providerInputs);
+
+    const username = generateUsername();
+    const password = generatePassword();
+    const ldif = generateLDIF({ username, password, ldifTemplate: providerInputs.creationLdif });
+
+    try {
+      const dnArray = await executeLdif(client, ldif);
+
+      return { entityId: username, data: { DN_ARRAY: dnArray, USERNAME: username, PASSWORD: password } };
+    } catch (err) {
+      if (providerInputs.rollbackLdif) {
+        const rollbackLdif = generateLDIF({ username, password, ldifTemplate: providerInputs.rollbackLdif });
+        await executeLdif(client, rollbackLdif);
+      }
+      throw new BadRequestError({ message: (err as Error).message });
+    }
+  };
+
+  const revoke = async (inputs: unknown, entityId: string) => {
+    const providerInputs = await validateProviderInputs(inputs);
+    const connection = await getClient(providerInputs);
+    const revocationLdif = generateLDIF({ username: entityId, ldifTemplate: providerInputs.revocationLdif });
+
+    await executeLdif(connection, revocationLdif);
+
+    return { entityId };
+  };
+
+  const renew = async (inputs: unknown, entityId: string) => {
+    // Do nothing
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};

backend/src/ee/services/dynamic-secret/providers/models.ts

@@ -174,6 +174,17 @@ export const AzureEntraIDSchema = z.object({
   clientSecret: z.string().trim().min(1)
 });
 
+export const LdapSchema = z.object({
+  url: z.string().trim().min(1),
+  binddn: z.string().trim().min(1),
+  bindpass: z.string().trim().min(1),
+  ca: z.string().optional(),
+
+  creationLdif: z.string().min(1),
+  revocationLdif: z.string().min(1),
+  rollbackLdif: z.string().optional()
+});
+
 export enum DynamicSecretProviders {
   SqlDatabase = "sql-database",
   Cassandra = "cassandra",
@@ -184,7 +195,8 @@ export enum DynamicSecretProviders {
   ElasticSearch = "elastic-search",
   MongoDB = "mongo-db",
   RabbitMq = "rabbit-mq",
-  AzureEntraID = "azure-entra-id"
+  AzureEntraID = "azure-entra-id",
+  Ldap = "ldap"
 }
 
 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -197,7 +209,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
   z.object({ type: z.literal(DynamicSecretProviders.ElasticSearch), inputs: DynamicSecretElasticSearchSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.MongoDB), inputs: DynamicSecretMongoDBSchema }),
   z.object({ type: z.literal(DynamicSecretProviders.RabbitMq), inputs: DynamicSecretRabbitMqSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema })
 ]);
 
 export type TDynamicProviderFns = {