internal: fix nil pointer dereference in ldap outpost
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
ebb44c992b
commit
5c91658484
|
@ -48,8 +48,8 @@ func (sb *SessionBinder) Bind(username string, req *bind.Request) (ldap.LDAPResu
|
||||||
result, err := sb.DirectBinder.Bind(username, req)
|
result, err := sb.DirectBinder.Bind(username, req)
|
||||||
// Only cache the result if there's been an error
|
// Only cache the result if there's been an error
|
||||||
if err == nil {
|
if err == nil {
|
||||||
flags, ok := sb.si.GetFlags(req.BindDN)
|
flags := sb.si.GetFlags(req.BindDN)
|
||||||
if !ok {
|
if flags == nil {
|
||||||
sb.log.Error("user flags not set after bind")
|
sb.log.Error("user flags not set after bind")
|
||||||
return result, err
|
return result, err
|
||||||
}
|
}
|
||||||
|
|
|
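Review bot: The comment above `if err == nil` says the result is cached only "if there's been an error", which is the opposite of what the condition does, and in a bind cache that distinction decides whether failed or successful authentications are remembered. Reword it to match the code, for example `// Only cache the result if the bind succeeded`. In the `flags == nil` branch the successful result is returned unchanged after the error log, so the client sees a successful bind for a DN that the search hunks in this commit then reject as "User info not cached"; a short comment stating that this is intended would help. Since `flags` is now a pointer to the stored entry, whatever Bind writes to it after this check (its body continues outside the hunk) appears to happen outside `boundUsersMutex` and should be checked.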
@ -38,7 +38,7 @@ type ProviderInstance struct {
|
||||||
outpostPk int32
|
outpostPk int32
|
||||||
searchAllowedGroups []*strfmt.UUID
|
searchAllowedGroups []*strfmt.UUID
|
||||||
boundUsersMutex sync.RWMutex
|
boundUsersMutex sync.RWMutex
|
||||||
boundUsers map[string]flags.UserFlags
|
boundUsers map[string]*flags.UserFlags
|
||||||
|
|
||||||
uidStartNumber int32
|
uidStartNumber int32
|
||||||
gidStartNumber int32
|
gidStartNumber int32
|
||||||
|
@ -68,16 +68,19 @@ func (pi *ProviderInstance) GetOutpostName() string {
|
||||||
return pi.outpostName
|
return pi.outpostName
|
||||||
}
|
}
|
||||||
|
|
||||||
func (pi *ProviderInstance) GetFlags(dn string) (flags.UserFlags, bool) {
|
func (pi *ProviderInstance) GetFlags(dn string) *flags.UserFlags {
|
||||||
pi.boundUsersMutex.RLock()
|
pi.boundUsersMutex.RLock()
|
||||||
|
defer pi.boundUsersMutex.RUnlock()
|
||||||
flags, ok := pi.boundUsers[dn]
|
flags, ok := pi.boundUsers[dn]
|
||||||
pi.boundUsersMutex.RUnlock()
|
if !ok {
|
||||||
return flags, ok
|
return nil
|
||||||
|
}
|
||||||
|
return flags
|
||||||
}
|
}
|
||||||
|
|
||||||
func (pi *ProviderInstance) SetFlags(dn string, flag flags.UserFlags) {
|
func (pi *ProviderInstance) SetFlags(dn string, flag flags.UserFlags) {
|
||||||
pi.boundUsersMutex.Lock()
|
pi.boundUsersMutex.Lock()
|
||||||
pi.boundUsers[dn] = flag
|
pi.boundUsers[dn] = &flag
|
||||||
pi.boundUsersMutex.Unlock()
|
pi.boundUsersMutex.Unlock()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
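Review bot: `GetFlags` now returns the pointer stored in `boundUsers`, so the read lock covers only the map lookup and not the `UserFlags` value it points to; a caller that writes through the result would race with readers on other connections. Either return a copy or document the contract on the method, for example `// GetFlags returns the flags cached for dn, or nil if none are stored. The result aliases the cached entry and must be treated as read-only; use SetFlags to replace it.` Two smaller points in the same function: the local `flags` shadows the imported `flags` package used in the signature, and the `if !ok` branch is redundant because a missing key in a pointer-valued map already yields nil, so `return pi.boundUsers[dn]` is enough. `SetFlags` still unlocks manually while `GetFlags` now uses `defer`; using `defer pi.boundUsersMutex.Unlock()` there would keep the two consistent.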
@ -44,7 +44,7 @@ func (ls *LDAPServer) Refresh() error {
|
||||||
|
|
||||||
// Get existing instance so we can transfer boundUsers
|
// Get existing instance so we can transfer boundUsers
|
||||||
existing := ls.getCurrentProvider(provider.Pk)
|
existing := ls.getCurrentProvider(provider.Pk)
|
||||||
users := make(map[string]flags.UserFlags)
|
users := make(map[string]*flags.UserFlags)
|
||||||
if existing != nil {
|
if existing != nil {
|
||||||
existing.boundUsersMutex.RLock()
|
existing.boundUsersMutex.RLock()
|
||||||
users = existing.boundUsers
|
users = existing.boundUsers
|
||||||
|
|
|
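Review bot: `users = existing.boundUsers` gives the new instance the same map object the old one still holds, yet the struct hunk in this commit shows each `ProviderInstance` with its own `boundUsersMutex`, so after the read lock taken here is released the two instances would guard one map with two different locks. If the old instance can still serve a bind or search while the swap happens (not visible in this hunk), that is an unsynchronised map access, which the Go runtime can turn into a fatal error for the whole outpost. Copying while the lock is held avoids it: `users = maps.Clone(existing.boundUsers)` (Go 1.21+, or an explicit copy loop). The copy is shallow, so the `*flags.UserFlags` values stay shared and must be treated as read-only. Refresh starts and ends outside the hunk.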
@ -70,8 +70,8 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN())
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN())
|
||||||
}
|
}
|
||||||
|
|
||||||
flags, ok := ds.si.GetFlags(req.BindDN)
|
flags := ds.si.GetFlags(req.BindDN)
|
||||||
if !ok {
|
if flags == nil {
|
||||||
req.Log().Debug("User info not cached")
|
req.Log().Debug("User info not cached")
|
||||||
metrics.RequestsRejected.With(prometheus.Labels{
|
metrics.RequestsRejected.With(prometheus.Labels{
|
||||||
"outpost_name": ds.si.GetOutpostName(),
|
"outpost_name": ds.si.GetOutpostName(),
|
||||||
|
|
|
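Review bot: The error built just above the changed lines formats `req.BindDN` with `%s`, and that value presumably comes from the client's bind request, so any control characters in it reach whatever records this error unless the logger escapes them. Quoting keeps the entry unambiguous and makes an empty DN visible: `fmt.Errorf("Search Error: BindDN %q not in our BaseDN %q", req.BindDN, ds.si.GetBaseDN())`. The same line appears in the `MemorySearcher.Search` hunk. In both hunks the rejection for a DN with no cached flags is logged only at Debug level next to the `RequestsRejected` counter, so at default log levels the rejected DN is probably not recorded; consider whether that is enough for investigating rejected searches. Search starts and ends outside the hunk.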
@ -73,8 +73,8 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
|
||||||
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN())
|
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN())
|
||||||
}
|
}
|
||||||
|
|
||||||
flags, ok := ms.si.GetFlags(req.BindDN)
|
flags := ms.si.GetFlags(req.BindDN)
|
||||||
if !ok {
|
if flags == nil {
|
||||||
req.Log().Debug("User info not cached")
|
req.Log().Debug("User info not cached")
|
||||||
metrics.RequestsRejected.With(prometheus.Labels{
|
metrics.RequestsRejected.With(prometheus.Labels{
|
||||||
"outpost_name": ms.si.GetOutpostName(),
|
"outpost_name": ms.si.GetOutpostName(),
|
||||||
|
|
|
@ -31,7 +31,7 @@ type LDAPServerInstance interface {
|
||||||
|
|
||||||
UsersForGroup(api.Group) []string
|
UsersForGroup(api.Group) []string
|
||||||
|
|
||||||
GetFlags(dn string) (flags.UserFlags, bool)
|
GetFlags(dn string) *flags.UserFlags
|
||||||
SetFlags(dn string, flags flags.UserFlags)
|
SetFlags(dn string, flags flags.UserFlags)
|
||||||
|
|
||||||
GetBaseEntry() *ldap.Entry
|
GetBaseEntry() *ldap.Entry
|
||||||
|
|
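Review bot: `GetFlags` in the interface has no comment stating its new contract: with the `bool` result gone, a nil return is the only signal that `dn` has no cached flags, and a caller that forgets the check gets the kind of nil dereference this commit sets out to fix. Add a comment above the method such as `// GetFlags returns the flags cached for dn, or nil if there are none; callers must check for nil before use.` It is also worth noting there that `GetFlags` returns a pointer while `SetFlags` takes a value, so the asymmetry reads as deliberate.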