model.go

package backend

import (
	"context"
	"fmt"
	"math/rand"
	"strconv"
	"strings"

	ldaputil "git.autistici.org/ai3/go-common/ldap"
	"github.com/tstranex/u2f"
	"gopkg.in/ldap.v2"

	as "git.autistici.org/ai3/accountserver"
)

const (
	// Names of some well-known LDAP attributes.
	totpSecretLDAPAttr        = "totpSecret"
	preferredLanguageLDAPAttr = "preferredLanguage"
	recoveryHintLDAPAttr      = "recoverQuestion"
	recoveryResponseLDAPAttr  = "recoverAnswer"
	aspLDAPAttr               = "appSpecificPassword"
	storagePublicKeyLDAPAttr  = "storagePublicKey"
	storagePrivateKeyLDAPAttr = "storageEncryptedSecretKey"
	passwordLDAPAttr          = "userPassword"
	u2fRegistrationsLDAPAttr  = "u2fRegistration"
	uidNumberLDAPAttr         = "uidNumber"
)

// backend is the interface to an LDAP-backed user database.
//
// We keep a set of LDAP queries for each resource type, each having a
// "resource" query to return a specific resource belonging to a user,
// and a "presence" query that checks for existence of a resource for
// all users.
type backend struct {
	conn                ldapConn
	baseDN              string
	userQuery           *queryTemplate
	userResourceQueries []*queryTemplate
	resources           *resourceRegistry

	// Range for new user IDs.
	minUID, maxUID int
}

const (
	defaultMinUID = 10000
	defaultMaxUID = 1000000
)

// backendTX holds the business logic (that runs within a single
// transaction).
type backendTX struct {
	*ldapTX
	backend *backend
}

const ldapPoolSize = 20

func (b *backend) NewTransaction() (as.TX, error) {
	return &backendTX{
		ldapTX:  newLDAPTX(b.conn),
		backend: b,
	}, nil
}

// NewLDAPBackend initializes an LDAPBackend object with the given LDAP
// connection pool.
func NewLDAPBackend(uri, bindDN, bindPw, base string) (as.Backend, error) {
	pool, err := ldaputil.NewConnectionPool(uri, bindDN, bindPw, ldapPoolSize)
	if err != nil {
		return nil, err
	}
	return newLDAPBackendWithConn(pool, base)
}

func newLDAPBackendWithConn(conn ldapConn, base string) (*backend, error) {
	rsrc := newResourceRegistry()
	rsrc.register(as.ResourceTypeEmail, &emailResourceHandler{baseDN: base})
	rsrc.register(as.ResourceTypeMailingList, &mailingListResourceHandler{baseDN: base})
	rsrc.register(as.ResourceTypeDAV, &webdavResourceHandler{baseDN: base})
	rsrc.register(as.ResourceTypeWebsite, &websiteResourceHandler{baseDN: base})
	rsrc.register(as.ResourceTypeDomain, &domainResourceHandler{baseDN: base})
	rsrc.register(as.ResourceTypeDatabase, &databaseResourceHandler{baseDN: base})

	return &backend{
		conn:   conn,
		baseDN: base,
		userQuery: &queryTemplate{
			Base:   joinDN("uid=${user}", "ou=People", base),
			Filter: "(objectClass=*)",
			Scope:  ldap.ScopeBaseObject,
		},
		userResourceQueries: []*queryTemplate{
			// Find all resources that are children of the main uid object.
			&queryTemplate{
				Base:  joinDN("uid=${user}", "ou=People", base),
				Scope: ldap.ScopeWholeSubtree,
			},
			// Find mailing lists, which are nested under a different root.
			&queryTemplate{
				Base:   joinDN("ou=Lists", base),
				Filter: "(&(objectClass=mailingList)(listOwner=${user}))",
				Scope:  ldap.ScopeSingleLevel,
			},
		},
		resources: rsrc,
		minUID:    defaultMinUID,
		maxUID:    defaultMaxUID,
	}, nil
}

func newUser(entry *ldap.Entry) (*as.RawUser, error) {
	// Note that some user-level attributes related to
	// authentication are stored on the uid= object, while others
	// are on the email= object. We set the latter in the GetUser
	// function later.
	//
	// The case of password recovery attributes is more complex:
	// the current schema has those on email=, but we'd like to
	// move them to uid=, so we currently have to support both
	// (but the uid= one takes precedence).
	uidNumber, _ := strconv.Atoi(entry.GetAttributeValue(uidNumberLDAPAttr)) // nolint
	user := &as.RawUser{
		User: as.User{
			Name:                entry.GetAttributeValue("uid"),
			Lang:                entry.GetAttributeValue(preferredLanguageLDAPAttr),
			UID:                 uidNumber,
			AccountRecoveryHint: entry.GetAttributeValue(recoveryHintLDAPAttr),
			U2FRegistrations:    decodeU2FRegistrations(entry.GetAttributeValues(u2fRegistrationsLDAPAttr)),
			HasOTP:              entry.GetAttributeValue(totpSecretLDAPAttr) != "",
		},
		// Remove the legacy LDAP {crypt} prefix on old passwords.
		Password:         strings.TrimPrefix(entry.GetAttributeValue(passwordLDAPAttr), "{crypt}"),
		RecoveryPassword: strings.TrimPrefix(entry.GetAttributeValue(recoveryResponseLDAPAttr), "{crypt}"),
	}

	// The user has 2FA enabled if it has a TOTP secret or U2F keys.
	user.Has2FA = (user.HasOTP || (len(user.U2FRegistrations) > 0))

	if user.Lang == "" {
		user.Lang = "en"
	}
	return user, nil
}

func userToLDAP(user *as.User) (attrs []ldap.PartialAttribute) {
	// Most attributes are read-only and have specialized methods to set them.
	attrs = append(attrs, []ldap.PartialAttribute{
		{Type: "objectClass", Vals: []string{"top", "person", "posixAccount", "shadowAccount", "organizationalPerson", "inetOrgPerson", "totpAccount"}},
		{Type: "uid", Vals: s2l(user.Name)},
		{Type: "cn", Vals: s2l(user.Name)},
		{Type: uidNumberLDAPAttr, Vals: s2l(strconv.Itoa(user.UID))},
		{Type: "givenName", Vals: []string{"Private"}},
		{Type: "sn", Vals: []string{"Private"}},
		{Type: "gecos", Vals: s2l(user.Name)},
		{Type: "loginShell", Vals: []string{"/bin/false"}},
		{Type: "homeDirectory", Vals: []string{"/var/empty"}},
		{Type: "shadowLastChange", Vals: []string{"12345"}},
		{Type: "shadowWarning", Vals: []string{"7"}},
		{Type: "shadowMax", Vals: []string{"99999"}},
		{Type: preferredLanguageLDAPAttr, Vals: s2l(user.Lang)},
		{Type: u2fRegistrationsLDAPAttr, Vals: encodeU2FRegistrations(user.U2FRegistrations)},
	}...)
	return
}

func decodeU2FRegistration(enc string) (*as.U2FRegistration, error) {
	var reg u2f.Registration
	if err := reg.UnmarshalBinary([]byte(enc)); err != nil {
		return nil, err
	}
	return &as.U2FRegistration{Registration: &reg}, nil
}

func encodeU2FRegistration(r *as.U2FRegistration) string {
	// MarshalBinary can't fail, ignore error.
	b, _ := r.MarshalBinary() // nolint
	return string(b)
}

func decodeU2FRegistrations(encRegs []string) []*as.U2FRegistration {
	var out []*as.U2FRegistration
	for _, enc := range encRegs {
		if r, err := decodeU2FRegistration(enc); err == nil {
			out = append(out, r)
		}
	}
	return out
}

func encodeU2FRegistrations(regs []*as.U2FRegistration) []string {
	var out []string
	for _, r := range regs {
		out = append(out, encodeU2FRegistration(r))
	}
	return out
}

func (tx *backendTX) getUserDN(user *as.User) string {
	return joinDN("uid="+user.Name, "ou=People", tx.backend.baseDN)
}

// CreateUser creates a new user.
func (tx *backendTX) CreateUser(ctx context.Context, user *as.User) error {
	dn := tx.getUserDN(user)

	tx.create(dn)
	for _, attr := range userToLDAP(user) {
		tx.setAttr(dn, attr.Type, attr.Vals...)
	}

	// Create all resources.
	for _, r := range user.Resources {
		if err := tx.CreateResource(ctx, r); err != nil {
			return err
		}
	}

	return nil
}

// UpdateUser updates values for the user only (not the resources).
func (tx *backendTX) UpdateUser(ctx context.Context, user *as.User) error {
	dn := tx.getUserDN(user)
	for _, attr := range userToLDAP(user) {
		tx.setAttr(dn, attr.Type, attr.Vals...)
	}
	return nil
}

// GetUser returns a user.
func (tx *backendTX) GetUser(ctx context.Context, username string) (*as.RawUser, error) {
	// First of all, find the main user object, and just that one.
	vars := map[string]string{"user": username}
	result, err := tx.search(ctx, tx.backend.userQuery.query(vars))
	if err != nil {
		if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
			return nil, nil
		}
		return nil, err
	}
	if len(result.Entries) == 0 {
		return nil, nil
	}

	user, err := newUser(result.Entries[0])
	if err != nil {
		return nil, err
	}

	// Now run the resource queries, and accumulate results on the User
	// object we just created.
	// TODO: parallelize.
	// TODO: add support for non-LDAP resource queries.
	for _, tpl := range tx.backend.userResourceQueries {
		result, err = tx.search(ctx, tpl.query(vars))
		if err != nil {
			continue
		}

		for _, entry := range result.Entries {
			// Some user-level attributes are actually stored on
			// the email object, which is desired in some cases,
			// but in others is a shortcoming of the legacy A/I
			// database model. Set them on the main User
			// object. For the latter, attributes on the main User
			// object take precedence.
			if isObjectClass(entry, "virtualMailUser") {
				if user.AccountRecoveryHint == "" {
					if s := entry.GetAttributeValue(recoveryHintLDAPAttr); s != "" {
						user.AccountRecoveryHint = s
					}
				}

				user.AppSpecificPasswords = getASPInfo(decodeAppSpecificPasswords(entry.GetAttributeValues(aspLDAPAttr)))
				user.Keys = decodeUserEncryptionKeys(
					entry.GetAttributeValues(storagePrivateKeyLDAPAttr))
				user.HasEncryptionKeys = (entry.GetAttributeValue(storagePublicKeyLDAPAttr) != "")
			}

			// Parse the resource and add it to the User.
			if r, err := tx.backend.resources.FromLDAP(entry); err == nil {
				user.Resources = append(user.Resources, r)
			}
		}
	}

	return user, nil
}

func (tx *backendTX) SetUserPassword(ctx context.Context, user *as.User, encryptedPassword string) (err error) {
	dn := tx.getUserDN(user)
	tx.setAttr(dn, passwordLDAPAttr, encryptedPassword)
	for _, r := range user.GetResourcesByType(as.ResourceTypeEmail) {
		dn, err = tx.backend.resources.GetDN(r.ID)
		if err != nil {
			return
		}
		tx.setAttr(dn, passwordLDAPAttr, encryptedPassword)
	}
	return
}

func (tx *backendTX) SetAccountRecoveryHint(ctx context.Context, user *as.User, hint, response string) error {
	// Write the password recovery attributes on the uid= object,
	// as per the new schema.
	dn := tx.getUserDN(user)
	tx.setAttr(dn, recoveryHintLDAPAttr, hint)
	tx.setAttr(dn, recoveryResponseLDAPAttr, response)
	return nil
}

func (tx *backendTX) DeleteAccountRecoveryHint(ctx context.Context, user *as.User) error {
	// Write the password recovery attributes on the uid= object,
	// as per the new schema.
	dn := tx.getUserDN(user)
	tx.setAttr(dn, recoveryHintLDAPAttr)
	tx.setAttr(dn, recoveryResponseLDAPAttr)
	return nil
}

func (tx *backendTX) SetUserEncryptionKeys(ctx context.Context, user *as.User, keys []*as.UserEncryptionKey) error {
	encKeys := encodeUserEncryptionKeys(keys)
	for _, r := range user.GetResourcesByType(as.ResourceTypeEmail) {
		dn, err := tx.backend.resources.GetDN(r.ID)
		if err != nil {
			return err
		}
		tx.setAttr(dn, storagePrivateKeyLDAPAttr, encKeys...)
	}
	return nil
}

func (tx *backendTX) SetUserEncryptionPublicKey(ctx context.Context, user *as.User, pub []byte) error {
	for _, r := range user.GetResourcesByType(as.ResourceTypeEmail) {
		dn, err := tx.backend.resources.GetDN(r.ID)
		if err != nil {
			return err
		}
		tx.setAttr(dn, storagePublicKeyLDAPAttr, string(pub))
	}
	return nil
}

func excludeASPFromList(asps []*appSpecificPassword, id string) []*appSpecificPassword {
	var out []*appSpecificPassword
	for _, asp := range asps {
		if asp.ID != id {
			out = append(out, asp)
		}
	}
	return out
}

func (tx *backendTX) setASPOnResource(ctx context.Context, r *as.Resource, info *as.AppSpecificPasswordInfo, encryptedPassword string) {
	dn, err := tx.backend.resources.GetDN(r.ID)
	if err != nil {
		return
	}

	// Obtain the full list of ASPs from the backend and replace/append the new one.
	asps := decodeAppSpecificPasswords(tx.readAttributeValues(ctx, dn, aspLDAPAttr))
	asps = append(excludeASPFromList(asps, info.ID), newAppSpecificPassword(*info, encryptedPassword))
	outASPs := encodeAppSpecificPasswords(asps)
	tx.setAttr(dn, aspLDAPAttr, outASPs...)
}

func (tx *backendTX) SetApplicationSpecificPassword(ctx context.Context, user *as.User, info *as.AppSpecificPasswordInfo, encryptedPassword string) error {
	for _, r := range user.GetResourcesByType(as.ResourceTypeEmail) {
		tx.setASPOnResource(ctx, r, info, encryptedPassword)
	}
	return nil
}

func (tx *backendTX) deleteASPOnResource(ctx context.Context, r *as.Resource, id string) {
	dn, err := tx.backend.resources.GetDN(r.ID)
	if err != nil {
		return
	}
	asps := decodeAppSpecificPasswords(tx.readAttributeValues(ctx, dn, aspLDAPAttr))
	asps = excludeASPFromList(asps, id)
	outASPs := encodeAppSpecificPasswords(asps)
	tx.setAttr(dn, aspLDAPAttr, outASPs...)
}

func (tx *backendTX) DeleteApplicationSpecificPassword(ctx context.Context, user *as.User, id string) error {
	for _, r := range user.GetResourcesByType(as.ResourceTypeEmail) {
		tx.deleteASPOnResource(ctx, r, id)
	}
	return nil
}

func (tx *backendTX) SetUserTOTPSecret(ctx context.Context, user *as.User, secret string) error {
	tx.setAttr(tx.getUserDN(user), totpSecretLDAPAttr, secret)
	return nil
}

func (tx *backendTX) DeleteUserTOTPSecret(ctx context.Context, user *as.User) error {
	tx.setAttr(tx.getUserDN(user), totpSecretLDAPAttr)
	return nil
}

func (tx *backendTX) SetResourcePassword(ctx context.Context, r *as.Resource, encryptedPassword string) error {
	dn, err := tx.backend.resources.GetDN(r.ID)
	if err != nil {
		return err
	}
	tx.setAttr(dn, passwordLDAPAttr, encryptedPassword)
	return nil
}

func (tx *backendTX) hasResource(ctx context.Context, resourceType, resourceName string) (bool, error) {
	tpl, err := tx.backend.resources.SearchQuery(resourceType)
	if err != nil {
		return false, err
	}

	// Make a quick LDAP search that only fetches the DN attribute.
	tpl.Attrs = []string{"dn"}
	result, err := tx.search(ctx, tpl.query(map[string]string{
		"resource": resourceName,
		"type":     resourceType,
	}))
	if err != nil {
		if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
			return false, nil
		}
		return false, err
	}
	if len(result.Entries) == 0 {
		return false, nil
	}
	return true, nil
}

// HasAnyResource returns true if any of the specified resources exists.
func (tx *backendTX) HasAnyResource(ctx context.Context, resourceIDs []as.FindResourceRequest) (bool, error) {
	for _, req := range resourceIDs {
		has, err := tx.hasResource(ctx, req.Type, req.Name)
		if err != nil || has {
			return has, err
		}
	}
	return false, nil
}

// GetResource returns a ResourceWrapper, as part of a read-modify-update transaction.
func (tx *backendTX) GetResource(ctx context.Context, rsrcID as.ResourceID) (*as.Resource, error) {
	// From the resource ID we can obtain the DN, and fetch it
	// straight from LDAP without even doing a real search.
	dn, err := tx.backend.resources.GetDN(rsrcID)
	if err != nil {
		return nil, err
	}

	// This is just a 'point' search.
	req := ldap.NewSearchRequest(
		dn,
		ldap.ScopeBaseObject,
		ldap.NeverDerefAliases,
		0,
		0,
		false,
		"(objectClass=*)",
		nil,
		nil,
	)

	result, err := tx.search(ctx, req)
	if err != nil {
		if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
			return nil, nil
		}
		return nil, err
	}

	// We know the resource type so we don't have to guess.
	return tx.backend.resources.FromLDAPWithType(rsrcID.Type(), result.Entries[0])
}

// CreateResource creates a new LDAP-backed resource object.
func (tx *backendTX) CreateResource(ctx context.Context, r *as.Resource) error {
	dn, err := tx.backend.resources.GetDN(r.ID)
	if err != nil {
		return err
	}

	tx.create(dn)
	for _, attr := range tx.backend.resources.ToLDAP(r) {
		tx.setAttr(dn, attr.Type, attr.Vals...)
	}

	return nil
}

// UpdateResource updates a LDAP-backed resource that was obtained by a previous GetResource call.
func (tx *backendTX) UpdateResource(ctx context.Context, r *as.Resource) error {
	dn, err := tx.backend.resources.GetDN(r.ID)
	if err != nil {
		return err
	}

	// We can simply dump all attribute/value pairs and let the
	// code in ldapTX do the work of finding the differences.
	for _, attr := range tx.backend.resources.ToLDAP(r) {
		tx.setAttr(dn, attr.Type, attr.Vals...)
	}

	return nil
}

// NextUID returns an available user ID (uidNumber). It does so
// without keeping state by just guessing random UIDs in the
// minUID-maxUID range, and checking if they are available (so it's
// best to keep the range largely underutilized).
func (tx *backendTX) NextUID(ctx context.Context) (uid int, err error) {
	// Won't actually run forever, at some point the context will expire.
	var ok bool
	for !ok && err == nil {
		uid = tx.backend.minUID + rand.Intn(tx.backend.maxUID-tx.backend.minUID)
		ok, err = tx.isUIDAvailable(ctx, uid)
	}
	return
}

func (tx *backendTX) isUIDAvailable(ctx context.Context, uid int) (bool, error) {
	// Try to make this query lightweight: ask for no attributes,
	// use a size limit of 1 and treat "Size Limit Exceeded"
	// errors as a successful result.
	result, err := tx.search(ctx, ldap.NewSearchRequest(
		tx.backend.baseDN,
		ldap.ScopeWholeSubtree,
		ldap.NeverDerefAliases,
		1, // just one result is enough
		0,
		false,
		fmt.Sprintf("(uidNumber=%d)", uid),
		[]string{"dn"},
		nil,
	))
	if err != nil {
		if ldap.IsErrorWithCode(err, ldap.LDAPResultSizeLimitExceeded) {
			return false, nil
		}
		return false, err
	}
	if len(result.Entries) > 0 {
		return false, nil
	}
	return true, nil
}