// +build ldap,!libc !cgo,!libc freebsd,!libc
package main
import (
"os"
"regexp"
"gopkg.in/ldap.v2"
)
const (
	// LDAP attributes read from a netgroup entry: the (host,user,domain)
	// triples it holds directly, and the names of netgroups nested in it.
	netgrMember = "nisNetgroupTriple"
	netgrChild = "memberNisNetgroup"
	// One field of a triple. It may be empty (treated as a wildcard by
	// matchHosts), "-" (treated as "no host"), or an alphanumeric name that
	// may contain '-' and '.' in its interior only. [[:alnum:]] is ASCII-only
	// in Go's regexp, so non-ASCII names do not parse and are skipped.
	tripleElem = `(|\-|[[:alnum:]](?:[[:alnum:]\-\.]*?[[:alnum:]])?)`
	// A whole triple "(host,user,domain)", anchored at both ends.
	// Submatch 1 is the host field, submatch 2 the user, submatch 3 the domain.
	netgrTriple = `^\(` + tripleElem + `,` + tripleElem + `,` + tripleElem + `\)$`
)
var (
	// Compiled once at package init; used by matchHosts on every triple.
	ngMemberRegex = regexp.MustCompile(netgrTriple)
)
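// inNetGroups reports whether one of the host's names (h.names) is the host
// field of a nisNetgroupTriple in any of the given netgroups, or in a
// netgroup nested under them via memberNisNetgroup. Netgroups are searched
// breadth-first from the base DN config.GetLdapNetGrs(); filterLoops decides
// which nested names are queued.
//
// A failed LDAP search is fatal (exit status 20) instead of being reported
// as "not a member", so a directory outage is never mistaken for a policy
// decision. Netgroup names are escaped before being spliced into the LDAP
// filter: nested names come back from the directory itself, and an
// unescaped '*', '(' or ')' in one would alter the search rather than look
// up that exact cn.
func (h Host) inNetGroups(netgroups []string) bool {
	debugLog("Search host in netgroups")
	for _, netgroup := range netgroups {
		debugLog("Netgroup: \t%s", netgroup)
	}
	// Work queue of netgroups still to search. Copied so that appending
	// nested names never writes into the caller's backing array.
	queue := append([]string(nil), netgroups...)
	// Names already queued or searched; handed to filterLoops so the same
	// netgroup is not queued again (cycle or shared child).
	looptest := make(map[string]bool, len(queue))
	for _, grp := range queue {
		looptest[grp] = true
	}
	for len(queue) > 0 {
		var netgr string
		netgr, queue = queue[0], queue[1:]
		looptest[netgr] = true
		netGroupReq := ldap.NewSearchRequest(
			config.GetLdapNetGrs(),
			ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
			// Escape per RFC 4515 so the name is matched literally.
			strCat("(cn=", ldap.EscapeFilter(netgr), ")"),
			[]string{netgrMember, netgrChild},
			nil,
		)
		sr, err := ldconn.Search(netGroupReq)
		if err != nil {
			// Fail closed: no answer is better than a wrong one.
			logger.Error(err.Error())
			os.Exit(20)
		}
		for _, entry := range sr.Entries {
			if matchHosts(netgr, entry.GetAttributeValues(netgrMember), h.names) {
				return true
			}
			newchildren := filterLoops(netgr, entry.GetAttributeValues(netgrChild), looptest)
			queue = append(queue, newchildren...)
		}
	}
	return false
}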
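// filterLoops returns the names in children that are not yet present in
// looptest, and records each returned name in looptest so that it can never
// be queued a second time. A name already in looptest is dropped with a
// warning: it is either a cycle in the netgroup graph (netgr refers back to
// one of its ancestors) or a netgroup reachable through more than one parent.
//
// The previous test was inverted (it dropped names NOT yet seen and requeued
// names already seen), so nested netgroups were never searched and a cyclic
// netgroup made the caller loop forever against the LDAP server. Marking at
// queue time rather than at search time also stops a child shared by two
// parents from being searched twice.
//
// looptest must be non-nil: writing to a nil map panics.
func filterLoops(netgr string, children []string, looptest map[string]bool) (res []string) {
	for _, child := range children {
		if looptest[child] {
			logger.Warn("Detected loop on netgroup %s", netgr)
			continue
		}
		looptest[child] = true
		res = append(res, child)
	}
	return
}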
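// matchHosts reports whether any name in hosts equals the host field of one
// of the nisNetgroupTriple values in triples. netgr is the netgroup the
// triples came from and is used only for logging.
//
// A triple that does not parse as "(host,user,domain)" per ngMemberRegex is
// skipped with a warning. Two host values never match, by design: "-" (no
// host) and "" (wildcard). Refusing the wildcard is fail-closed — under NIS
// semantics an empty host field would match every host, which is too broad
// for an access decision. Comparison is exact and case-sensitive; a
// netgroup entry whose case differs from the name in hosts does not match
// (NOTE(review): confirm callers normalise case, or accept the stricter
// behaviour).
//
// Change from the previous version: the "-" and "" checks depend only on
// the triple, so they are evaluated once per triple instead of once per
// host. That removes the duplicated warnings (and the lost warning when
// hosts is empty) without changing the result.
func matchHosts(netgr string, triples []string, hosts []string) bool {
	for _, triple := range triples {
		matches := ngMemberRegex.FindStringSubmatch(triple)
		if len(matches) == 0 {
			logger.Warn("Invalid %s triple in netgroup %s", triple, netgr)
			continue
		}
		// Submatch 1 is the host field of the triple.
		switch tripleHost := matches[1]; tripleHost {
		case "-":
			logger.Warn("Undefined host in triple %s of netgroup %s", triple, netgr)
		case "":
			logger.Warn("Wildcard host in triple %s of netgroup %s", triple, netgr)
		default:
			for _, host := range hosts {
				if tripleHost == host {
					logger.Info("Found host %s in netgroup %s", host, netgr)
					return true
				}
			}
			logger.Debug("No host in netgroup %s", netgr)
		}
	}
	return false
}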