internal: fix nil pointer dereference in ldap outpost

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-05-21 15:48:50 +02:00
parent ebb44c992b
commit 5c91658484
6 changed files with 16 additions and 13 deletions

View file

@ -48,8 +48,8 @@ func (sb *SessionBinder) Bind(username string, req *bind.Request) (ldap.LDAPResu
result, err := sb.DirectBinder.Bind(username, req) result, err := sb.DirectBinder.Bind(username, req)
// Only cache the result if there's been an error // Only cache the result if there's been an error
if err == nil { if err == nil {
flags, ok := sb.si.GetFlags(req.BindDN) flags := sb.si.GetFlags(req.BindDN)
if !ok { if flags == nil {
sb.log.Error("user flags not set after bind") sb.log.Error("user flags not set after bind")
return result, err return result, err
} }

View file

@ -38,7 +38,7 @@ type ProviderInstance struct {
outpostPk int32 outpostPk int32
searchAllowedGroups []*strfmt.UUID searchAllowedGroups []*strfmt.UUID
boundUsersMutex sync.RWMutex boundUsersMutex sync.RWMutex
boundUsers map[string]flags.UserFlags boundUsers map[string]*flags.UserFlags
uidStartNumber int32 uidStartNumber int32
gidStartNumber int32 gidStartNumber int32
@ -68,16 +68,19 @@ func (pi *ProviderInstance) GetOutpostName() string {
return pi.outpostName return pi.outpostName
} }
func (pi *ProviderInstance) GetFlags(dn string) (flags.UserFlags, bool) { func (pi *ProviderInstance) GetFlags(dn string) *flags.UserFlags {
pi.boundUsersMutex.RLock() pi.boundUsersMutex.RLock()
defer pi.boundUsersMutex.RUnlock()
flags, ok := pi.boundUsers[dn] flags, ok := pi.boundUsers[dn]
pi.boundUsersMutex.RUnlock() if !ok {
return flags, ok return nil
}
return flags
} }
func (pi *ProviderInstance) SetFlags(dn string, flag flags.UserFlags) { func (pi *ProviderInstance) SetFlags(dn string, flag flags.UserFlags) {
pi.boundUsersMutex.Lock() pi.boundUsersMutex.Lock()
pi.boundUsers[dn] = flag pi.boundUsers[dn] = &flag
pi.boundUsersMutex.Unlock() pi.boundUsersMutex.Unlock()
} }

View file

@ -44,7 +44,7 @@ func (ls *LDAPServer) Refresh() error {
// Get existing instance so we can transfer boundUsers // Get existing instance so we can transfer boundUsers
existing := ls.getCurrentProvider(provider.Pk) existing := ls.getCurrentProvider(provider.Pk)
users := make(map[string]flags.UserFlags) users := make(map[string]*flags.UserFlags)
if existing != nil { if existing != nil {
existing.boundUsersMutex.RLock() existing.boundUsersMutex.RLock()
users = existing.boundUsers users = existing.boundUsers

View file

@ -70,8 +70,8 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN()) return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN())
} }
flags, ok := ds.si.GetFlags(req.BindDN) flags := ds.si.GetFlags(req.BindDN)
if !ok { if flags == nil {
req.Log().Debug("User info not cached") req.Log().Debug("User info not cached")
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"outpost_name": ds.si.GetOutpostName(), "outpost_name": ds.si.GetOutpostName(),

View file

@ -73,8 +73,8 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN()) return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN())
} }
flags, ok := ms.si.GetFlags(req.BindDN) flags := ms.si.GetFlags(req.BindDN)
if !ok { if flags == nil {
req.Log().Debug("User info not cached") req.Log().Debug("User info not cached")
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"outpost_name": ms.si.GetOutpostName(), "outpost_name": ms.si.GetOutpostName(),

View file

@ -31,7 +31,7 @@ type LDAPServerInstance interface {
UsersForGroup(api.Group) []string UsersForGroup(api.Group) []string
GetFlags(dn string) (flags.UserFlags, bool) GetFlags(dn string) *flags.UserFlags
SetFlags(dn string, flags flags.UserFlags) SetFlags(dn string, flags flags.UserFlags)
GetBaseEntry() *ldap.Entry GetBaseEntry() *ldap.Entry