Update module github.com/go-ldap/ldap/v3 to v3.4.0

go.mod

@@ -6,7 +6,7 @@ require (
 	git.autistici.org/ai3/go-common v0.0.0-20210308183328-6c663e9176af
 	git.autistici.org/id/go-sso v0.0.0-20210308195111-62a3d97a1dda
 	github.com/coreos/go-systemd/v22 v22.2.0
-	github.com/go-ldap/ldap/v3 v3.2.4
+	github.com/go-ldap/ldap/v3 v3.4.0
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/lib/pq v1.10.0
 	github.com/mattn/go-sqlite3 v1.14.6

go.sum

@@ -168,6 +168,8 @@ github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
 github.com/go-ldap/ldap/v3 v3.2.4 h1:PFavAq2xTgzo/loE8qNXcQaofAaqIpI4WgaLdv+1l3E=
 github.com/go-ldap/ldap/v3 v3.2.4/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
+github.com/go-ldap/ldap/v3 v3.4.0 h1:wCttA0dcqAOygfOabqYhQPXKGG9ws8az3FBM8+GAhDs=
+github.com/go-ldap/ldap/v3 v3.4.0/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=

vendor/github.com/go-ldap/ldap/v3/bind.go

@@ -486,7 +486,7 @@ func (l *Conn) NTLMChallengeBind(ntlmBindRequest *NTLMBindRequest) (*NTLMBindRes
 			child := packet.Children[1].Children[1]
 			ntlmsspChallenge = child.ByteValue
 			// Check to make sure we got the right message. It will always start with NTLMSSP
-			if !bytes.Equal(ntlmsspChallenge[:7], []byte("NTLMSSP")) {
+			if len(ntlmsspChallenge) < 7 || !bytes.Equal(ntlmsspChallenge[:7], []byte("NTLMSSP")) {
 				return result, GetLDAPError(packet)
 			}
 			l.Debug.Printf("%d: found ntlmssp challenge", msgCtx.id)

vendor/github.com/go-ldap/ldap/v3/client.go

@@ -10,6 +10,7 @@ type Client interface {
 	Start()
 	StartTLS(*tls.Config) error
 	Close()
+	IsClosing() bool
 	SetTimeout(time.Duration)
 
 	Bind(username, password string) error
@@ -21,6 +22,7 @@ type Client interface {
 	Del(*DelRequest) error
 	Modify(*ModifyRequest) error
 	ModifyDN(*ModifyDNRequest) error
+	ModifyWithResult(*ModifyRequest) (*ModifyResult, error)
 
 	Compare(dn, attribute, value string) (bool, error)
 	PasswordModify(*PasswordModifyRequest) (*PasswordModifyResult, error)

vendor/github.com/go-ldap/ldap/v3/conn.go

 package ldap
 
 import (
+	"bufio"
 	"crypto/tls"
 	"errors"
 	"fmt"
@@ -506,7 +507,7 @@ func (l *Conn) processMessages() {
 				// All reads will return immediately
 				if msgCtx, ok := l.messageContexts[message.MessageID]; ok {
 					l.Debug.Printf("Receiving message timeout for %d", message.MessageID)
-					msgCtx.sendResponse(&PacketResponse{message.Packet, errors.New("ldap: connection timed out")})
+					msgCtx.sendResponse(&PacketResponse{message.Packet, NewError(ErrorNetwork, errors.New("ldap: connection timed out"))})
 					delete(l.messageContexts, message.MessageID)
 					close(msgCtx.responses)
 				}
@@ -532,12 +533,13 @@ func (l *Conn) reader() {
 		}
 	}()
 
+	bufConn := bufio.NewReader(l.conn)
 	for {
 		if cleanstop {
 			l.Debug.Printf("reader clean stopping (without closing the connection)")
 			return
 		}
-		packet, err := ber.ReadPacket(l.conn)
+		packet, err := ber.ReadPacket(bufConn)
 		if err != nil {
 			// A read error is expected here if we are closing the connection...
 			if !l.IsClosing() {

vendor/github.com/go-ldap/ldap/v3/control.go

@@ -18,20 +18,25 @@ const (
 	ControlTypeVChuPasswordWarning = "2.16.840.1.113730.3.4.5"
 	// ControlTypeManageDsaIT - https://tools.ietf.org/html/rfc3296
 	ControlTypeManageDsaIT = "2.16.840.1.113730.3.4.2"
+	// ControlTypeWhoAmI - https://tools.ietf.org/html/rfc4532
+	ControlTypeWhoAmI = "1.3.6.1.4.1.4203.1.11.3"
 
 	// ControlTypeMicrosoftNotification - https://msdn.microsoft.com/en-us/library/aa366983(v=vs.85).aspx
 	ControlTypeMicrosoftNotification = "1.2.840.113556.1.4.528"
 	// ControlTypeMicrosoftShowDeleted - https://msdn.microsoft.com/en-us/library/aa366989(v=vs.85).aspx
 	ControlTypeMicrosoftShowDeleted = "1.2.840.113556.1.4.417"
+	// ControlTypeMicrosoftServerLinkTTL - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f4f523a8-abc0-4b3a-a471-6b2fef135481?redirectedfrom=MSDN
+	ControlTypeMicrosoftServerLinkTTL = "1.2.840.113556.1.4.2309"
 )
 
 // ControlTypeMap maps controls to text descriptions
 var ControlTypeMap = map[string]string{
-	ControlTypePaging:                "Paging",
-	ControlTypeBeheraPasswordPolicy:  "Password Policy - Behera Draft",
-	ControlTypeManageDsaIT:           "Manage DSA IT",
-	ControlTypeMicrosoftNotification: "Change Notification - Microsoft",
-	ControlTypeMicrosoftShowDeleted:  "Show Deleted Objects - Microsoft",
+	ControlTypePaging:                 "Paging",
+	ControlTypeBeheraPasswordPolicy:   "Password Policy - Behera Draft",
+	ControlTypeManageDsaIT:            "Manage DSA IT",
+	ControlTypeMicrosoftNotification:  "Change Notification - Microsoft",
+	ControlTypeMicrosoftShowDeleted:   "Show Deleted Objects - Microsoft",
+	ControlTypeMicrosoftServerLinkTTL: "Return TTL-DNs for link values with associated expiry times - Microsoft",
 }
 
 // Control defines an interface controls provide to encode and describe themselves
@@ -305,6 +310,35 @@ func NewControlMicrosoftShowDeleted() *ControlMicrosoftShowDeleted {
 	return &ControlMicrosoftShowDeleted{}
 }
 
+// ControlMicrosoftServerLinkTTL implements the control described in https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f4f523a8-abc0-4b3a-a471-6b2fef135481?redirectedfrom=MSDN
+type ControlMicrosoftServerLinkTTL struct{}
+
+// GetControlType returns the OID
+func (c *ControlMicrosoftServerLinkTTL) GetControlType() string {
+	return ControlTypeMicrosoftServerLinkTTL
+}
+
+// Encode returns the ber packet representation
+func (c *ControlMicrosoftServerLinkTTL) Encode() *ber.Packet {
+	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Control")
+	packet.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, ControlTypeMicrosoftServerLinkTTL, "Control Type ("+ControlTypeMap[ControlTypeMicrosoftServerLinkTTL]+")"))
+
+	return packet
+}
+
+// String returns a human-readable description
+func (c *ControlMicrosoftServerLinkTTL) String() string {
+	return fmt.Sprintf(
+		"Control Type: %s (%q)",
+		ControlTypeMap[ControlTypeMicrosoftServerLinkTTL],
+		ControlTypeMicrosoftServerLinkTTL)
+}
+
+// NewControlMicrosoftServerLinkTTL returns a ControlMicrosoftServerLinkTTL control
+func NewControlMicrosoftServerLinkTTL() *ControlMicrosoftServerLinkTTL {
+	return &ControlMicrosoftServerLinkTTL{}
+}
+
 // FindControl returns the first control of the given type in the list, or nil
 func FindControl(controls []Control, controlType string) Control {
 	for _, c := range controls {
@@ -449,6 +483,8 @@ func DecodeControl(packet *ber.Packet) (Control, error) {
 		return NewControlMicrosoftNotification(), nil
 	case ControlTypeMicrosoftShowDeleted:
 		return NewControlMicrosoftShowDeleted(), nil
+	case ControlTypeMicrosoftServerLinkTTL:
+		return NewControlMicrosoftServerLinkTTL(), nil
 	default:
 		c := new(ControlString)
 		c.ControlType = ControlType

vendor/github.com/go-ldap/ldap/v3/dn.go

@@ -205,3 +205,66 @@ func (r *RelativeDN) hasAllAttributes(attrs []*AttributeTypeAndValue) bool {
 func (a *AttributeTypeAndValue) Equal(other *AttributeTypeAndValue) bool {
 	return strings.EqualFold(a.Type, other.Type) && a.Value == other.Value
 }
+
+// Equal returns true if the DNs are equal as defined by rfc4517 4.2.15 (distinguishedNameMatch).
+// Returns true if they have the same number of relative distinguished names
+// and corresponding relative distinguished names (by position) are the same.
+// Case of the attribute type and value is not significant
+func (d *DN) EqualFold(other *DN) bool {
+	if len(d.RDNs) != len(other.RDNs) {
+		return false
+	}
+	for i := range d.RDNs {
+		if !d.RDNs[i].EqualFold(other.RDNs[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+// AncestorOfFold returns true if the other DN consists of at least one RDN followed by all the RDNs of the current DN.
+// Case of the attribute type and value is not significant
+func (d *DN) AncestorOfFold(other *DN) bool {
+	if len(d.RDNs) >= len(other.RDNs) {
+		return false
+	}
+	// Take the last `len(d.RDNs)` RDNs from the other DN to compare against
+	otherRDNs := other.RDNs[len(other.RDNs)-len(d.RDNs):]
+	for i := range d.RDNs {
+		if !d.RDNs[i].EqualFold(otherRDNs[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+// Equal returns true if the RelativeDNs are equal as defined by rfc4517 4.2.15 (distinguishedNameMatch).
+// Case of the attribute type is not significant
+func (r *RelativeDN) EqualFold(other *RelativeDN) bool {
+	if len(r.Attributes) != len(other.Attributes) {
+		return false
+	}
+	return r.hasAllAttributesFold(other.Attributes) && other.hasAllAttributesFold(r.Attributes)
+}
+
+func (r *RelativeDN) hasAllAttributesFold(attrs []*AttributeTypeAndValue) bool {
+	for _, attr := range attrs {
+		found := false
+		for _, myattr := range r.Attributes {
+			if myattr.EqualFold(attr) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+	return true
+}
+
+// EqualFold returns true if the AttributeTypeAndValue is equivalent to the specified AttributeTypeAndValue
+// Case of the attribute type and value is not significant
+func (a *AttributeTypeAndValue) EqualFold(other *AttributeTypeAndValue) bool {
+	return strings.EqualFold(a.Type, other.Type) && strings.EqualFold(a.Value, other.Value)
+}

vendor/github.com/go-ldap/ldap/v3/moddn.go

@@ -12,6 +12,8 @@ type ModifyDNRequest struct {
 	NewRDN       string
 	DeleteOldRDN bool
 	NewSuperior  string
+	// Controls hold optional controls to send with the request
+	Controls []Control
 }
 
 // NewModifyDNRequest creates a new request which can be passed to ModifyDN().
@@ -35,21 +37,39 @@ func NewModifyDNRequest(dn string, rdn string, delOld bool, newSup string) *Modi
 	}
 }
 
+// NewModifyDNWithControlsRequest creates a new request which can be passed to ModifyDN()
+// and also allows setting LDAP request controls.
+//
+// Refer NewModifyDNRequest for other parameters
+func NewModifyDNWithControlsRequest(dn string, rdn string, delOld bool,
+	newSup string, controls []Control) *ModifyDNRequest {
+	return &ModifyDNRequest{
+		DN:           dn,
+		NewRDN:       rdn,
+		DeleteOldRDN: delOld,
+		NewSuperior:  newSup,
+		Controls:     controls,
+	}
+}
+
 func (req *ModifyDNRequest) appendTo(envelope *ber.Packet) error {
 	pkt := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationModifyDNRequest, nil, "Modify DN Request")
 	pkt.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, req.DN, "DN"))
 	pkt.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, req.NewRDN, "New RDN"))
 	if req.DeleteOldRDN {
 		buf := []byte{0xff}
-		pkt.AppendChild(ber.NewString(ber.ClassUniversal,ber.TypePrimitive,ber.TagBoolean, string(buf),"Delete old RDN"))
-	}else{
+		pkt.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagBoolean, string(buf), "Delete old RDN"))
+	} else {
 		pkt.AppendChild(ber.NewBoolean(ber.ClassUniversal, ber.TypePrimitive, ber.TagBoolean, req.DeleteOldRDN, "Delete old RDN"))
-	}  
+	}
 	if req.NewSuperior != "" {
 		pkt.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, req.NewSuperior, "New Superior"))
 	}
 
 	envelope.AppendChild(pkt)
+	if len(req.Controls) > 0 {
+		envelope.AppendChild(encodeControls(req.Controls))
+	}
 
 	return nil
 }

vendor/github.com/go-ldap/ldap/v3/modify.go

 package ldap
 
 import (
+	"errors"
 	"log"
 
 	ber "github.com/go-asn1-ber/asn1-ber"
@@ -130,3 +131,47 @@ func (l *Conn) Modify(modifyRequest *ModifyRequest) error {
 	}
 	return nil
 }
+
+// ModifyResult holds the server's response to a modify request
+type ModifyResult struct {
+	// Controls are the returned controls
+	Controls []Control
+}
+
+// ModifyWithResult performs the ModifyRequest and returns the result
+func (l *Conn) ModifyWithResult(modifyRequest *ModifyRequest) (*ModifyResult, error) {
+	msgCtx, err := l.doRequest(modifyRequest)
+	if err != nil {
+		return nil, err
+	}
+	defer l.finishMessage(msgCtx)
+
+	result := &ModifyResult{
+		Controls: make([]Control, 0),
+	}
+
+	l.Debug.Printf("%d: waiting for response", msgCtx.id)
+	packet, err := l.readPacket(msgCtx)
+	if err != nil {
+		return nil, err
+	}
+
+	switch packet.Children[1].Tag {
+	case ApplicationModifyResponse:
+		err := GetLDAPError(packet)
+		if err != nil {
+			return nil, err
+		}
+		if len(packet.Children) == 3 {
+			for _, child := range packet.Children[2].Children {
+				decodedChild, err := DecodeControl(child)
+				if err != nil {
+					return nil, errors.New("failed to decode child control: " + err.Error())
+				}
+				result.Controls = append(result.Controls, decodedChild)
+			}
+		}
+	}
+	l.Debug.Printf("%d: returning", msgCtx.id)
+	return result, nil
+}

vendor/github.com/go-ldap/ldap/v3/request.go

@@ -9,6 +9,7 @@ import (
 var (
 	errRespChanClosed = errors.New("ldap: response channel closed")
 	errCouldNotRetMsg = errors.New("ldap: could not retrieve message")
+	ErrNilConnection  = errors.New("ldap: conn is nil, expected net.Conn")
 )
 
 type request interface {
@@ -22,6 +23,10 @@ func (f requestFunc) appendTo(p *ber.Packet) error {
 }
 
 func (l *Conn) doRequest(req request) (*messageContext, error) {
+	if l == nil || l.conn == nil {
+		return nil, ErrNilConnection
+	}
+
 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
 	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
 	if err := req.appendTo(packet); err != nil {

vendor/github.com/go-ldap/ldap/v3/search.go

@@ -376,16 +376,9 @@ func (l *Conn) Search(searchRequest *SearchRequest) (*SearchResult, error) {
 
 		switch packet.Children[1].Tag {
 		case 4:
-			entry := new(Entry)
-			entry.DN = packet.Children[1].Children[0].Value.(string)
-			for _, child := range packet.Children[1].Children[1].Children {
-				attr := new(EntryAttribute)
-				attr.Name = child.Children[0].Value.(string)
-				for _, value := range child.Children[1].Children {
-					attr.Values = append(attr.Values, value.Value.(string))
-					attr.ByteValues = append(attr.ByteValues, value.ByteValue)
-				}
-				entry.Attributes = append(entry.Attributes, attr)
+			entry := &Entry{
+				DN:         packet.Children[1].Children[0].Value.(string),
+				Attributes: unpackAttributes(packet.Children[1].Children[1].Children),
 			}
 			result.Entries = append(result.Entries, entry)
 		case 5:
@@ -408,3 +401,27 @@ func (l *Conn) Search(searchRequest *SearchRequest) (*SearchResult, error) {
 		}
 	}
 }
+
+// unpackAttributes will extract all given LDAP attributes and it's values
+// from the ber.Packet
+func unpackAttributes(children []*ber.Packet) []*EntryAttribute {
+	entries := make([]*EntryAttribute, len(children))
+	for i, child := range children {
+		length := len(child.Children[1].Children)
+		entry := &EntryAttribute{
+			Name: child.Children[0].Value.(string),
+			// pre-allocate the slice since we can determine
+			// the number of attributes at this point
+			Values:     make([]string, length),
+			ByteValues: make([][]byte, length),
+		}
+
+		for i, value := range child.Children[1].Children {
+			entry.ByteValues[i] = value.ByteValue
+			entry.Values[i] = value.Value.(string)
+		}
+		entries[i] = entry
+	}
+
+	return entries
+}

vendor/github.com/go-ldap/ldap/v3/unbind.go

+package ldap
+
+import (
+	"errors"
+
+	ber "github.com/go-asn1-ber/asn1-ber"
+)
+
+var ErrConnUnbound = NewError(ErrorNetwork, errors.New("ldap: connection is closed"))
+
+type unbindRequest struct{}
+
+func (unbindRequest) appendTo(envelope *ber.Packet) error {
+	envelope.AppendChild(ber.Encode(ber.ClassApplication, ber.TypePrimitive, ApplicationUnbindRequest, nil, ApplicationMap[ApplicationUnbindRequest]))
+	return nil
+}
+
+// Unbind will perform an unbind request. The Unbind operation
+// should be thought of as the "quit" operation.
+// See https://datatracker.ietf.org/doc/html/rfc4511#section-4.3
+func (l *Conn) Unbind() error {
+	if l.IsClosing() {
+		return ErrConnUnbound
+	}
+
+	_, err := l.doRequest(unbindRequest{})
+	if err != nil {
+		return err
+	}
+
+	// Sending an unbindRequest will make the connection unusable.
+	// Pending requests will fail with:
+	// LDAP Result Code 200 "Network Error": ldap: response channel closed
+	l.Close()
+
+	return nil
+}

vendor/github.com/go-ldap/ldap/v3/whoami.go

+package ldap
+
+// This file contains the "Who Am I?" extended operation as specified in rfc 4532
+//
+// https://tools.ietf.org/html/rfc4532
+
+import (
+	"errors"
+	"fmt"
+
+	ber "github.com/go-asn1-ber/asn1-ber"
+)
+
+type whoAmIRequest bool
+
+// WhoAmIResult is returned by the WhoAmI() call
+type WhoAmIResult struct {
+	AuthzID string
+}
+
+func (r whoAmIRequest) encode() (*ber.Packet, error) {
+	request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationExtendedRequest, nil, "Who Am I? Extended Operation")
+	request.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, ControlTypeWhoAmI, "Extended Request Name: Who Am I? OID"))
+	return request, nil
+}
+
+// WhoAmI returns the authzId the server thinks we are, you may pass controls
+// like a Proxied Authorization control
+func (l *Conn) WhoAmI(controls []Control) (*WhoAmIResult, error) {
+	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
+	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
+	req := whoAmIRequest(true)
+	encodedWhoAmIRequest, err := req.encode()
+	if err != nil {
+		return nil, err
+	}
+	packet.AppendChild(encodedWhoAmIRequest)
+
+	if len(controls) != 0 {
+		packet.AppendChild(encodeControls(controls))
+	}
+
+	l.Debug.PrintPacket(packet)
+
+	msgCtx, err := l.sendMessage(packet)
+	if err != nil {
+		return nil, err
+	}
+	defer l.finishMessage(msgCtx)
+
+	result := &WhoAmIResult{}
+
+	l.Debug.Printf("%d: waiting for response", msgCtx.id)
+	packetResponse, ok := <-msgCtx.responses
+	if !ok {
+		return nil, NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
+	}
+	packet, err = packetResponse.ReadPacket()
+	l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
+	if err != nil {
+		return nil, err
+	}
+
+	if packet == nil {
+		return nil, NewError(ErrorNetwork, errors.New("ldap: could not retrieve message"))
+	}
+
+	if l.Debug {
+		if err := addLDAPDescriptions(packet); err != nil {
+			return nil, err
+		}
+		ber.PrintPacket(packet)
+	}
+
+	if packet.Children[1].Tag == ApplicationExtendedResponse {
+		if err := GetLDAPError(packet); err != nil {
+			return nil, err
+		}
+	} else {
+		return nil, NewError(ErrorUnexpectedResponse, fmt.Errorf("Unexpected Response: %d", packet.Children[1].Tag))
+	}
+
+	extendedResponse := packet.Children[1]
+	for _, child := range extendedResponse.Children {
+		if child.Tag == 11 {
+			result.AuthzID = ber.DecodeString(child.Data.Bytes())
+		}
+	}
+
+	return result, nil
+}

vendor/modules.txt

@@ -29,7 +29,7 @@ github.com/coreos/go-systemd/v22/daemon
 github.com/felixge/httpsnoop
 # github.com/go-asn1-ber/asn1-ber v1.5.3
 github.com/go-asn1-ber/asn1-ber
-# github.com/go-ldap/ldap/v3 v3.2.4
+# github.com/go-ldap/ldap/v3 v3.4.0
 ## explicit
 github.com/go-ldap/ldap/v3
 # github.com/go-sql-driver/mysql v1.5.0