
Commit e53604d

zeripathsilverwind
authored andcommitted
Encrypt LDAP bind password in db with SECRET_KEY (go-gitea#15547)
* Encrypt LDAP bind password in db with SECRET_KEY. The LDAP source bind passwords are currently stored in plaintext in the db. This PR simply encrypts them with setting.SECRET_KEY. Fix go-gitea#15460 Signed-off-by: Andrew Thornton <art27@cantab.net> * remove ui warning regarding unencrypted password Co-authored-by: silverwind <me@silverwind.io>
1 parent 9457094 commit e53604d

6 files changed

+19
-6
lines changed


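--- a/docs/content/doc/features/authentication.en-us.md
+++ b/docs/content/doc/features/authentication.en-us.md
@@ -88,8 +88,8 @@ Adds the following fields:
 - Bind Password (optional)
 
 - The password for the Bind DN specified above, if any. _Note: The password
-is stored in plaintext at the server. As such, ensure that the Bind DN
-has as few privileges as possible._
+is stored encrypted with the SECRET_KEY on the server. It is still recommended
+to ensure that the Bind DN has as few privileges as possible._
 
 - User Search Base **(required)**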

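--- a/models/login_source.go
+++ b/models/login_source.go
@@ -18,6 +18,7 @@ import (
 	"code.gitea.io/gitea/modules/auth/oauth2"
 	"code.gitea.io/gitea/modules/auth/pam"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
@@ -77,11 +78,25 @@ type LDAPConfig struct {
 // FromDB fills up a LDAPConfig from serialized format.
 func (cfg *LDAPConfig) FromDB(bs []byte) error {
 	json := jsoniter.ConfigCompatibleWithStandardLibrary
-	return json.Unmarshal(bs, &cfg)
+	err := json.Unmarshal(bs, &cfg)
+	if err != nil {
+		return err
+	}
+	if cfg.BindPasswordEncrypt != "" {
+		cfg.BindPassword, err = secret.DecryptSecret(setting.SecretKey, cfg.BindPasswordEncrypt)
+		cfg.BindPasswordEncrypt = ""
+	}
+	return err
 }
 
 // ToDB exports a LDAPConfig to a serialized format.
 func (cfg *LDAPConfig) ToDB() ([]byte, error) {
+	var err error
+	cfg.BindPasswordEncrypt, err = secret.EncryptSecret(setting.SecretKey, cfg.BindPassword)
+	if err != nil {
+		return nil, err
+	}
+	cfg.BindPassword = ""
 	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	return json.Marshal(cfg)
 }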
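Review bot: `ToDB` clears `cfg.BindPassword` on the receiver as a side effect of serializing, so any caller that keeps using the same in-memory `LDAPConfig` after the save — for instance to perform the LDAP bind in the same request — sees an empty password until the row is reloaded through `FromDB`; serialize a copy and leave the receiver untouched. A second gap is that rows written before this commit keep their plaintext `BindPassword` in the database until an admin re-saves each source, because `FromDB` only decrypts when `BindPasswordEncrypt` is non-empty and no migration re-encrypts existing rows; that, and the fact that rotating `SECRET_KEY` makes every stored bind password undecryptable, deserve a sentence in the docs or the commit description. The `LDAPConfig` struct definition is outside this hunk, so the sketch below assumes it embeds `*ldap.Source` as the promoted `BindPassword` field suggests — adjust the copy if the layout differs.
```go
// ToDB exports a LDAPConfig to a serialized format.
// The receiver is not modified: the plaintext bind password stays
// available in memory and only the encrypted form is written out.
func (cfg *LDAPConfig) ToDB() ([]byte, error) {
	enc, err := secret.EncryptSecret(setting.SecretKey, cfg.BindPassword)
	if err != nil {
		return nil, err
	}
	toStore := *cfg.Source
	toStore.BindPasswordEncrypt = enc
	toStore.BindPassword = ""
	json := jsoniter.ConfigCompatibleWithStandardLibrary
	return json.Marshal(&toStore)
}
```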

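--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -35,6 +35,7 @@ type Source struct {
 	SecurityProtocol SecurityProtocol
 	SkipVerify bool
 	BindDN string // DN to bind with
+	BindPasswordEncrypt string // Encrypted Bind BN password
 	BindPassword string // Bind DN password
 	UserBase string // Base search path for users
 	UserDN string // Template for the DN of the user for simple auth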
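Review bot: The comment on the new `BindPasswordEncrypt` field has a typo (`Bind BN`) and does not say how the two password fields relate, which is the one thing a reader of this struct needs to know; suggest `BindPasswordEncrypt string // Bind DN password encrypted with SECRET_KEY; the form persisted to the DB` and, on the next line, `BindPassword string // Bind DN password in plaintext; runtime-only, cleared before serialization`. Nothing in this file enforces that contract — it lives in `LDAPConfig.ToDB`/`FromDB` in models — so a `json:"-"` tag on `BindPassword` would be the structural guarantee that plaintext never reaches the DB, but it would also stop legacy rows that still carry a plaintext `BindPassword` from being read and so needs a migration first. The `Source` struct continues past the end of this hunk.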

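--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2283,7 +2283,6 @@ auths.host = Host
 auths.port = Port
 auths.bind_dn = Bind DN
 auths.bind_password = Bind Password
-auths.bind_password_helper = Warning: This password is stored in plain text. Use a read-only account if possible.
 auths.user_base = User Search Base
 auths.user_dn = User DN
 auths.attribute_username = Username Attribute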

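--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -53,7 +53,6 @@
 <div class="field">
 <label for="bind_password">{{.i18n.Tr "admin.auths.bind_password"}}</label>
 <input id="bind_password" name="bind_password" type="password" value="{{$cfg.BindPassword}}">
-<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
 </div>
 {{end}}
 <div class="{{if .Source.IsLDAP}}required{{end}} field">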

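--- a/templates/admin/auth/source/ldap.tmpl
+++ b/templates/admin/auth/source/ldap.tmpl
@@ -28,7 +28,6 @@
 <div class="ldap field {{if not (eq .type 2)}}hide{{end}}">
 <label for="bind_password">{{.i18n.Tr "admin.auths.bind_password"}}</label>
 <input id="bind_password" name="bind_password" type="password" autocomplete="off" value="{{.bind_password}}">
-<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
 </div>
 <div class="binddnrequired {{if (eq .type 2)}}required{{end}} field">
 <label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>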
