From 6181e586bfc8ba7417ae99b6df7aec467f847ae2 Mon Sep 17 00:00:00 2001 From: Philip Molares Date: Wed, 30 Mar 2022 23:55:09 +0200 Subject: [PATCH] fix: ldap auth config Signed-off-by: Philip Molares --- src/config/auth.config.ts | 65 ++++++++++++------- src/config/utils.ts | 12 ++-- .../frontend-config.service.spec.ts | 7 +- 3 files changed, 53 insertions(+), 31 deletions(-) diff --git a/src/config/auth.config.ts b/src/config/auth.config.ts index 9432eb432..cde622931 100644 --- a/src/config/auth.config.ts +++ b/src/config/auth.config.ts @@ -4,6 +4,7 @@ * SPDX-License-Identifier: AGPL-3.0-only */ import { registerAs } from '@nestjs/config'; +import * as fs from 'fs'; import * as Joi from 'joi'; import { GitlabScope, GitlabVersion } from './gitlab.enum'; @@ -14,6 +15,21 @@ import { toArrayConfig, } from './utils'; +export interface LDAPConfig { + identifier: string; + providerName: string; + url: string; + bindDn?: string; + bindCredentials?: string; + searchBase: string; + searchFilter: string; + searchAttributes: string[]; + userIdField: string; + displayNameField: string; + profilePictureField: string; + tlsCaCerts?: string[]; +} + export interface AuthConfig { session: { secret: string; @@ -55,19 +71,7 @@ export interface AuthConfig { version: GitlabVersion; }[]; // ToDo: tlsOptions exist in config.json.example. See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback - ldap: { - identifier: string; - providerName: string; - url: string; - bindDn: string; - bindCredentials: string; - searchBase: string; - searchFilter: string; - searchAttributes: string[]; - usernameField: string; - useridField: string; - tlsCa?: string[]; - }[]; + ldap: LDAPConfig[]; saml: { identifier: string; providerName: string; 
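Review bot: The new `LDAPConfig.tlsCaCerts` field holds certificate contents, not paths, which the name only half conveys and the matching environment variable `HD_AUTH_LDAP_<NAME>_TLS_CERT_PATHS` (introduced later in this patch) actively contradicts; a TSDoc line on the field would keep the next maintainer from passing paths through the config object. Something like `/** PEM contents of the CA certificates, read at startup from the files named in HD_AUTH_LDAP_<NAME>_TLS_CERT_PATHS. */` above `tlsCaCerts?: string[];`. The element type also deserves a second look: the loader added in this patch can yield `undefined` for a missing file, so `string[]` overstates what the array may hold unless the loader rejects missing files. `bindDn` and `bindCredentials` becoming optional lines up with the `.optional()` schema entries in the next hunk, so no objection there.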
@@ -181,13 +185,11 @@ const authSchema = Joi.object({ bindCredentials: Joi.string().optional(), searchBase: Joi.string(), searchFilter: Joi.string().default('(uid={{username}})').optional(), - searchAttributes: Joi.array() - .items(Joi.string()) - .default(['displayName', 'mail']) - .optional(), - usernameField: Joi.string().optional(), - useridField: Joi.string(), - tlsCa: Joi.array().items(Joi.string()).optional(), + searchAttributes: Joi.array().items(Joi.string()).optional(), + userIdField: Joi.string().default('uid').optional(), + displayNameField: Joi.string().default('displayName').optional(), + profilePictureField: Joi.string().default('jpegPhoto').optional(), + tlsCaCerts: Joi.array().items(Joi.string()).optional(), }).optional(), ) .optional(), @@ -267,6 +269,18 @@ export default registerAs('authConfig', () => { }); const ldaps = ldapNames.map((ldapName) => { + const caFiles = toArrayConfig( + process.env[`HD_AUTH_LDAP_${ldapName}_TLS_CERT_PATHS`], + ',', + ); + let tlsCaCerts = undefined; + if (caFiles) { + tlsCaCerts = caFiles.map((fileName) => { + if (fs.existsSync(fileName)) { + return fs.readFileSync(fileName, 'utf8'); + } + }); + } return { identifier: ldapName, providerName: process.env[`HD_AUTH_LDAP_${ldapName}_PROVIDER_NAME`], @@ -279,9 +293,12 @@ export default registerAs('authConfig', () => { process.env[`HD_AUTH_LDAP_${ldapName}_SEARCH_ATTRIBUTES`], ',', ), - usernameField: process.env[`HD_AUTH_LDAP_${ldapName}_USERNAME_FIELD`], - useridField: process.env[`HD_AUTH_LDAP_${ldapName}_USERID_FIELD`], - tlsCa: toArrayConfig(process.env[`HD_AUTH_LDAP_${ldapName}_TLS_CA`], ','), + userIdField: process.env[`HD_AUTH_LDAP_${ldapName}_USER_ID_FIELD`], + displayNameField: + process.env[`HD_AUTH_LDAP_${ldapName}_DISPLAY_NAME_FIELD`], + profilePictureField: + process.env[`HD_AUTH_LDAP_${ldapName}_PROFILE_PICTURE_FIELD`], + tlsCaCerts: tlsCaCerts, }; }); 
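Review bot: A CA certificate path that does not exist is silently dropped in the `caFiles.map` callback of the `ldaps` builder: when `fs.existsSync` is false the callback falls through to an implicit `undefined`, so a typo in `HD_AUTH_LDAP_<NAME>_TLS_CERT_PATHS` leaves the provider without its intended trust anchor, and what the LDAP client does with an `undefined` entry is not visible here. The schema in the first hunk declares `tlsCaCerts` as an array of strings, so if Joi's default non-sparse array rule applies the operator gets a validation error that points at the wrong cause, and otherwise the connection may proceed with a different trust store than configured. A missing or unreadable CA file is a deployment error and should fail startup with a message naming the file; reading directly inside a try/catch also removes the check-then-read window between `existsSync` and `readFileSync`. `let tlsCaCerts = undefined` can then become a typed `const` derived from `caFiles` (assuming `toArrayConfig` returns `string[] | undefined`, as the `if (caFiles)` guard suggests), as sketched below. The enclosing `registerAs` callback starts and ends outside the hunk.
```typescript
    const caFiles = toArrayConfig(
      process.env[`HD_AUTH_LDAP_${ldapName}_TLS_CERT_PATHS`],
      ',',
    );
    // A CA file that cannot be read is a deployment error: fail at startup
    // rather than continue with a silently reduced trust store.
    const tlsCaCerts: string[] | undefined = caFiles?.map((fileName) => {
      try {
        return fs.readFileSync(fileName, 'utf8');
      } catch (error: unknown) {
        const reason = error instanceof Error ? error.message : String(error);
        throw new Error(
          `HD_AUTH_LDAP_${ldapName}_TLS_CERT_PATHS: cannot read CA certificate '${fileName}': ${reason}`,
        );
      }
    });
    // … unchanged: returned provider object, including `tlsCaCerts: tlsCaCerts` …
```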
@@ -309,7 +326,7 @@ export default registerAs('authConfig', () => { attribute: { id: process.env[`HD_AUTH_SAML_${samlName}_ATTRIBUTE_ID`], username: process.env[`HD_AUTH_SAML_${samlName}_ATTRIBUTE_USERNAME`], - local: process.env[`HD_AUTH_SAML_${samlName}_ATTRIBUTE_USERNAME`], + local: process.env[`HD_AUTH_SAML_${samlName}_ATTRIBUTE_LOCAL`], }, }; }); diff --git a/src/config/utils.ts b/src/config/utils.ts index 9f1433a79..f068f3d1d 100644 --- a/src/config/utils.ts +++ b/src/config/utils.ts @@ -54,9 +54,13 @@ export function replaceAuthErrorsWithEnvironmentVariables( newMessage = newMessage.replace('.searchBase', '_SEARCH_BASE'); newMessage = newMessage.replace('.searchFilter', '_SEARCH_FILTER'); newMessage = newMessage.replace('.searchAttributes', '_SEARCH_ATTRIBUTES'); - newMessage = newMessage.replace('.usernameField', '_USERNAME_FIELD'); - newMessage = newMessage.replace('.useridField', '_USERID_FIELD'); - newMessage = newMessage.replace('.tlsCa', '_TLS_CA'); + newMessage = newMessage.replace('.userIdField', '_USER_ID_FIELD'); + newMessage = newMessage.replace('.displayNameField', '_DISPLAY_NAME_FIELD'); + newMessage = newMessage.replace( + '.profilePictureField', + '_PROFILE_PICTURE_FIELD', + ); + newMessage = newMessage.replace('.tlsCaCerts', '_TLS_CERT_PATHS'); newMessage = newMessage.replace('.idpSsoUrl', '_IDP_SSO_URL'); newMessage = newMessage.replace('.idpCert', '_IDP_CERT'); newMessage = newMessage.replace('.clientCert', '_CLIENT_CERT'); @@ -74,7 +78,7 @@ export function replaceAuthErrorsWithEnvironmentVariables( '.attribute.username', '_ATTRIBUTE_USERNAME', ); - newMessage = newMessage.replace('.attribute.email', '_ATTRIBUTE_USERNAME'); + newMessage = newMessage.replace('.attribute.local', '_ATTRIBUTE_LOCAL'); newMessage = newMessage.replace('.userProfileURL', '_USER_PROFILE_URL'); newMessage = newMessage.replace( '.userProfileIdAttr', 
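Review bot: The `local: process.env[...]_ATTRIBUTE_LOCAL` correction in the SAML builder is a behaviour change for existing deployments that the commit message (titled "fix: ldap auth config") does not mention: a deployment that only set `_ATTRIBUTE_USERNAME` previously got that value for `local` and will now get `undefined`. Worth a sentence in the description or changelog so operators know to set `HD_AUTH_SAML_<NAME>_ATTRIBUTE_LOCAL`; whether the schema requires that variable is not visible here. The enclosing `registerAs` callback starts and ends outside the hunk.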
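Review bot: The `'.tlsCaCerts'` to `'_TLS_CERT_PATHS'` mapping in `replaceAuthErrorsWithEnvironmentVariables` is the one entry in this table where the config key and the environment-variable suffix describe different things (certificate contents vs. file paths), and nothing says so; a one-line comment would stop someone from "correcting" it later, e.g. `// tlsCaCerts holds file contents loaded from the paths in *_TLS_CERT_PATHS`. Separately, `String.prototype.replace` with a string pattern rewrites only the first occurrence, which is pre-existing behaviour but worth keeping in mind if a validation message ever carries several paths. The function body starts and ends outside the hunk.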
diff --git a/src/frontend-config/frontend-config.service.spec.ts b/src/frontend-config/frontend-config.service.spec.ts index 87d5dc345..f73d35ec8 100644 --- a/src/frontend-config/frontend-config.service.spec.ts +++ b/src/frontend-config/frontend-config.service.spec.ts @@ -104,9 +104,10 @@ describe('FrontendConfigService', () => { searchBase: 'ldapTestSearchBase', searchFilter: 'ldapTestSearchFilter', searchAttributes: ['ldapTestSearchAttribute'], - usernameField: 'ldapTestUsername', - useridField: 'ldapTestUserId', - tlsCa: ['ldapTestTlsCa'], + userIdField: 'ldapTestUserId', + displayNameField: 'ldapTestDisplayName', + profilePictureField: 'ldapTestProfilePicture', + tlsCaCerts: ['ldapTestTlsCa'], }, ]; const saml: AuthConfig['saml'] = [