feat(ldap): support webdav, ftp and sftp login (#1746)

* feat(ldap): support webdav, ftp and sftp login

* fix: apply suggestions of Copilot

* feat(ldap) support ftp, sftp and webdav auto-register

Author: KirCute

internal/bootstrap/data/setting.go

@@ -208,6 +208,7 @@ func InitialSettings() []model.SettingItem {
 		// ldap settings
 		{Key: conf.LdapLoginEnabled, Value: "false", Type: conf.TypeBool, Group: model.LDAP, Flag: model.PUBLIC},
 		{Key: conf.LdapServer, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
+		{Key: conf.LdapSkipTlsVerify, Value: "false", Type: conf.TypeBool, Group: model.LDAP, Flag: model.PRIVATE},
 		{Key: conf.LdapManagerDN, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
 		{Key: conf.LdapManagerPassword, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},
 		{Key: conf.LdapUserSearchBase, Value: "", Type: conf.TypeString, Group: model.LDAP, Flag: model.PRIVATE},

internal/conf/const.go

@@ -115,6 +115,7 @@ const (
 	// ldap
 	LdapLoginEnabled      = "ldap_login_enabled"
 	LdapServer            = "ldap_server"
+	LdapSkipTlsVerify     = "ldap_skip_tls_verify"
 	LdapManagerDN         = "ldap_manager_dn"
 	LdapManagerPassword   = "ldap_manager_password"
 	LdapUserSearchBase    = "ldap_user_search_base"

internal/model/user.go

@@ -59,6 +59,7 @@ type User struct {
 	OtpSecret  string `json:"-"`
 	SsoID      string `json:"sso_id"` // unique by sso platform
 	Authn      string `gorm:"type:text" json:"-"`
+	AllowLdap  bool   `json:"allow_ldap" gorm:"default:true"`
 }
 
 func (u *User) IsGuest() bool {
@@ -90,64 +91,124 @@ func (u *User) SetPassword(pwd string) *User {
 	return u
 }
 
+func CanSeeHides(permission int32) bool {
+	return permission&1 == 1
+}
+
 func (u *User) CanSeeHides() bool {
-	return u.Permission&1 == 1
+	return CanSeeHides(u.Permission)
+}
+
+func CanAccessWithoutPassword(permission int32) bool {
+	return (permission>>1)&1 == 1
 }
 
 func (u *User) CanAccessWithoutPassword() bool {
-	return (u.Permission>>1)&1 == 1
+	return CanAccessWithoutPassword(u.Permission)
+}
+
+func CanAddOfflineDownloadTasks(permission int32) bool {
+	return (permission>>2)&1 == 1
 }
 
 func (u *User) CanAddOfflineDownloadTasks() bool {
-	return (u.Permission>>2)&1 == 1
+	return CanAddOfflineDownloadTasks(u.Permission)
+}
+
+func CanWrite(permission int32) bool {
+	return (permission>>3)&1 == 1
 }
 
 func (u *User) CanWrite() bool {
-	return (u.Permission>>3)&1 == 1
+	return CanWrite(u.Permission)
+}
+
+func CanRename(permission int32) bool {
+	return (permission>>4)&1 == 1
 }
 
 func (u *User) CanRename() bool {
-	return (u.Permission>>4)&1 == 1
+	return CanRename(u.Permission)
+}
+
+func CanMove(permission int32) bool {
+	return (permission>>5)&1 == 1
 }
 
 func (u *User) CanMove() bool {
-	return (u.Permission>>5)&1 == 1
+	return CanMove(u.Permission)
+}
+
+func CanCopy(permission int32) bool {
+	return (permission>>6)&1 == 1
 }
 
 func (u *User) CanCopy() bool {
-	return (u.Permission>>6)&1 == 1
+	return CanCopy(u.Permission)
+}
+
+func CanRemove(permission int32) bool {
+	return (permission>>7)&1 == 1
 }
 
 func (u *User) CanRemove() bool {
-	return (u.Permission>>7)&1 == 1
+	return CanRemove(u.Permission)
+}
+
+func CanWebdavRead(permission int32) bool {
+	return (permission>>8)&1 == 1
 }
 
 func (u *User) CanWebdavRead() bool {
-	return (u.Permission>>8)&1 == 1
+	return CanWebdavRead(u.Permission)
+}
+
+func CanWebdavManage(permission int32) bool {
+	return (permission>>9)&1 == 1
 }
 
 func (u *User) CanWebdavManage() bool {
-	return (u.Permission>>9)&1 == 1
+	return CanWebdavManage(u.Permission)
+}
+
+func CanFTPAccess(permission int32) bool {
+	return (permission>>10)&1 == 1
 }
 
 func (u *User) CanFTPAccess() bool {
-	return (u.Permission>>10)&1 == 1
+	return CanFTPAccess(u.Permission)
+}
+
+func CanFTPManage(permission int32) bool {
+	return (permission>>11)&1 == 1
 }
 
 func (u *User) CanFTPManage() bool {
-	return (u.Permission>>11)&1 == 1
+	return CanFTPManage(u.Permission)
+}
+
+func CanReadArchives(permission int32) bool {
+	return (permission>>12)&1 == 1
 }
 
 func (u *User) CanReadArchives() bool {
-	return (u.Permission>>12)&1 == 1
+	return CanReadArchives(u.Permission)
+}
+
+func CanDecompress(permission int32) bool {
+	return (permission>>13)&1 == 1
 }
 
 func (u *User) CanDecompress() bool {
-	return (u.Permission>>13)&1 == 1
+	return CanDecompress(u.Permission)
+}
+
+func CanShare(permission int32) bool {
+	return (permission>>14)&1 == 1
 }
 
 func (u *User) CanShare() bool {
-	return (u.Permission>>14)&1 == 1
+	return CanShare(u.Permission)
 }
 
 func (u *User) JoinPath(reqPath string) (string, error) {

server/common/ldap.go

@@ -0,0 +1,107 @@
+package common
+
+import (
+	"crypto/tls"
+	"fmt"
+	"strings"
+
+	"github.com/OpenListTeam/OpenList/v4/internal/conf"
+	"github.com/OpenListTeam/OpenList/v4/internal/model"
+	"github.com/OpenListTeam/OpenList/v4/internal/op"
+	"github.com/OpenListTeam/OpenList/v4/internal/setting"
+	"github.com/OpenListTeam/OpenList/v4/pkg/utils"
+	"github.com/OpenListTeam/OpenList/v4/pkg/utils/random"
+	"github.com/pkg/errors"
+	log "github.com/sirupsen/logrus"
+	"gopkg.in/ldap.v3"
+)
+
+var ErrFailedLdapAuth = errors.New("failed to auth")
+
+func HandleLdapLogin(username, password string) error {
+	// Auth start
+	ldapServer := setting.GetStr(conf.LdapServer)
+	skipTlsVerify := setting.GetBool(conf.LdapSkipTlsVerify)
+	ldapManagerDN := setting.GetStr(conf.LdapManagerDN)
+	ldapManagerPassword := setting.GetStr(conf.LdapManagerPassword)
+	ldapUserSearchBase := setting.GetStr(conf.LdapUserSearchBase)
+	ldapUserSearchFilter := setting.GetStr(conf.LdapUserSearchFilter) // (uid=%s)
+
+	// Connect to LdapServer
+	l, err := dial(ldapServer, skipTlsVerify)
+	if err != nil {
+		return errors.WithMessagef(err, "failed to connect to LDAP")
+	}
+	defer l.Close()
+
+	// First bind with a read only user
+	if ldapManagerDN != "" && ldapManagerPassword != "" {
+		err = l.Bind(ldapManagerDN, ldapManagerPassword)
+		if err != nil {
+			return errors.WithMessagef(err, "failed to bind to LDAP")
+		}
+	}
+
+	// Search for the given username
+	searchRequest := ldap.NewSearchRequest(
+		ldapUserSearchBase,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf(ldapUserSearchFilter, ldap.EscapeFilter(username)),
+		[]string{"dn"},
+		nil,
+	)
+	sr, err := l.Search(searchRequest)
+	if err != nil {
+		return errors.WithMessagef(err, "failed login ldap: LDAP search failed")
+	}
+	if len(sr.Entries) != 1 {
+		return errors.New("failed login ldap: user does not exist or too many entries returned")
+	}
+	userDN := sr.Entries[0].DN
+
+	// Bind as the user to verify their password
+	err = l.Bind(userDN, password)
+	if err != nil {
+		return errors.WithMessagef(ErrFailedLdapAuth, "%v", err)
+	}
+	log.Infof("LDAP auth successful for %s", username)
+	// Auth finished
+	return nil
+}
+
+func LdapRegister(username string) (*model.User, error) {
+	if username == "" {
+		return nil, errors.New("cannot get username from ldap provider")
+	}
+	user := &model.User{
+		Username:   username,
+		Password:   "",
+		Authn:      "[]",
+		Permission: int32(setting.GetInt(conf.LdapDefaultPermission, 0)),
+		BasePath:   setting.GetStr(conf.LdapDefaultDir),
+		Role:       0,
+		Disabled:   false,
+		AllowLdap:  true,
+	}
+	user.SetPassword(random.String(16))
+	if err := op.CreateUser(user); err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+func dial(ldapServer string, skipTlsVerify ...bool) (*ldap.Conn, error) {
+	tlsEnabled := false
+	if strings.HasPrefix(ldapServer, "ldaps://") {
+		tlsEnabled = true
+		ldapServer = strings.TrimPrefix(ldapServer, "ldaps://")
+	} else if strings.HasPrefix(ldapServer, "ldap://") {
+		ldapServer = strings.TrimPrefix(ldapServer, "ldap://")
+	}
+
+	if tlsEnabled {
+		return ldap.DialTLS("tcp", ldapServer, &tls.Config{InsecureSkipVerify: utils.IsBool(skipTlsVerify...)})
+	} else {
+		return ldap.Dial("tcp", ldapServer)
+	}
+}

server/ftp.go

@@ -19,6 +19,7 @@ import (
 	"github.com/OpenListTeam/OpenList/v4/internal/op"
 	"github.com/OpenListTeam/OpenList/v4/internal/setting"
 	"github.com/OpenListTeam/OpenList/v4/pkg/utils"
+	"github.com/OpenListTeam/OpenList/v4/server/common"
 	"github.com/OpenListTeam/OpenList/v4/server/ftp"
 	ftpserver "github.com/fclairamb/ftpserverlib"
 )
@@ -112,6 +113,12 @@ func (d *FtpMainDriver) ClientDisconnected(cc ftpserver.ClientContext) {
 }
 
 func (d *FtpMainDriver) AuthUser(cc ftpserver.ClientContext, user, pass string) (ftpserver.ClientDriver, error) {
+	ip := cc.RemoteAddr().String()
+	count, ok := model.LoginCache.Get(ip)
+	if ok && count >= model.DefaultMaxAuthRetries {
+		model.LoginCache.Expire(ip, model.DefaultLockDuration)
+		return nil, errors.New("Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.")
+	}
 	var userObj *model.User
 	var err error
 	if user == "anonymous" || user == "guest" {
@@ -121,17 +128,24 @@ func (d *FtpMainDriver) AuthUser(cc ftpserver.ClientContext, user, pass string)
 		}
 	} else {
 		userObj, err = op.GetUserByName(user)
-		if err != nil {
-			return nil, err
+		if err == nil {
+			err = userObj.ValidateRawPassword(pass)
+			if err != nil && setting.GetBool(conf.LdapLoginEnabled) && userObj.AllowLdap {
+				err = common.HandleLdapLogin(user, pass)
+			}
+		} else if setting.GetBool(conf.LdapLoginEnabled) && model.CanFTPAccess(int32(setting.GetInt(conf.LdapDefaultPermission, 0))) {
+			userObj, err = tryLdapLoginAndRegister(user, pass)
 		}
-		passHash := model.StaticHash(pass)
-		if err = userObj.ValidatePwdStaticHash(passHash); err != nil {
+		if err != nil {
+			model.LoginCache.Set(ip, count+1)
 			return nil, err
 		}
 	}
 	if userObj.Disabled || !userObj.CanFTPAccess() {
+		model.LoginCache.Set(ip, count+1)
 		return nil, errors.New("user is not allowed to access via FTP")
 	}
+	model.LoginCache.Del(ip)
 
 	ctx := context.Background()
 	ctx = context.WithValue(ctx, conf.UserKey, userObj)
@@ -140,7 +154,7 @@ func (d *FtpMainDriver) AuthUser(cc ftpserver.ClientContext, user, pass string)
 	} else {
 		ctx = context.WithValue(ctx, conf.MetaPassKey, "")
 	}
-	ctx = context.WithValue(ctx, conf.ClientIPKey, cc.RemoteAddr().String())
+	ctx = context.WithValue(ctx, conf.ClientIPKey, ip)
 	ctx = context.WithValue(ctx, conf.ProxyHeaderKey, d.proxyHeader)
 	return ftp.NewAferoAdapter(ctx), nil
 }