node-radius-server/src/auth/GoogleLDAPAuth.ts

import { Client, createClient } from 'ldapjs';
import debug from 'debug';
import * as tls from 'tls';
import { IAuthentication } from '../types/Authentication';

const usernameFields = ['posixUid', 'mail'];

const log = debug('radius:auth:google-ldap');
// TLS:
// https://github.com/ldapjs/node-ldapjs/issues/307

interface IGoogleLDAPAuthOptions {
	/** base DN
	 *  e.g. 'dc=hokify,dc=com', */
	base: string;
	/** tls options
	 * e.g. {
			key: fs.readFileSync('ldap.gsuite.hokify.com.40567.key'),
			cert: fs.readFileSync('ldap.gsuite.hokify.com.40567.crt')
		} */
	tlsOptions: tls.TlsOptions;
}

export class GoogleLDAPAuth implements IAuthentication {
	private ldap: Client;

	private lastDNsFetch: Date;

	private allValidDNsCache: { [key: string]: string };

	private base: string;

	constructor(config: IGoogleLDAPAuthOptions) {
		this.base = config.base;

		this.ldap = createClient({
			url: 'ldaps://ldap.google.com:636',
			tlsOptions: {
				...config.tlsOptions,
				servername: 'ldap.google.com'
			}
		}).on('error', error => {
			console.error('Error in ldap', error);
		});

		this.fetchDNs();
	}

	private async fetchDNs() {
		const dns: { [key: string]: string } = {};

		await new Promise((resolve, reject) => {
			this.ldap.search(
				this.base,
				{
					scope: 'sub'
				},
				(err, res) => {
					if (err) {
						reject(err);
						return;
					}

					res.on('searchEntry', function(entry) {
						// log('entry: ' + JSON.stringify(entry.object));
						usernameFields.forEach(field => {
							const index = entry.object[field] as string;
							dns[index] = entry.object.dn;
						});
					});

					res.on('searchReference', function(referral) {
						log(`referral: ${referral.uris.join()}`);
					});

					res.on('error', function(ldapErr) {
						console.error(`error: ${ldapErr.message}`);
						reject();
					});

					res.on('end', result => {
						log(`ldap status: ${result?.status}`);

						// replace with new dns
						this.allValidDNsCache = dns;
						// log('allValidDNsCache', this.allValidDNsCache);
						resolve();
					});
				}
			);
		});
		this.lastDNsFetch = new Date();
	}

	async authenticate(username: string, password: string, count = 0, forceFetching = false) {
		const cacheValidTime = new Date();
		cacheValidTime.setHours(cacheValidTime.getHours() - 12);

		let dnsFetched = false;

		if (!this.lastDNsFetch || this.lastDNsFetch < cacheValidTime || forceFetching) {
			log('fetching dns');
			await this.fetchDNs();
			dnsFetched = true;
		}

		if (count > 5) {
			throw new Error('Failed to authenticate with LDAP!');
		}
		// const dn = ;
		const dn = this.allValidDNsCache[username];
		if (!dn) {
			if (!dnsFetched && !forceFetching) {
				return this.authenticate(username, password, count, true);
			}
			console.error(`invalid username, not found in DN: ${username}`, this.allValidDNsCache);
			return false;
		}

		const authResult: boolean = await new Promise((resolve, reject) => {
			this.ldap.bind(dn, password, (err, res) => {
				if (err) {
					if (err && (err as any).stack && (err as any).stack.includes(`ldap.google.com closed`)) {
						count++;
						// wait 1 second to give the ldap error handler time to reconnect
						setTimeout(() => resolve(this.authenticate(dn, password)), 2000);
						return;
					}

					resolve(false);
					// console.error('ldap error', err);
					// reject(err);
				}
				if (res) resolve(res);
				else reject();
			});
		});

		return !!authResult;
	}
}
refactor: major code cleanups :-) first working version 4 years ago			`import { Client, createClient } from 'ldapjs';`
feat: add debug pkg to reduce output 4 years ago			`import debug from 'debug';`
feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			`import * as tls from 'tls';`
fix: a lot of bug fixes, first running version for windows and android :) code is super ugly right now.. please don't judge 4 years ago			`import { IAuthentication } from '../types/Authentication';`
initial commit 4 years ago
			`const usernameFields = ['posixUid', 'mail'];`

feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			`const log = debug('radius:auth:google-ldap');`
initial commit 4 years ago			`// TLS:`
			`// https://github.com/ldapjs/node-ldapjs/issues/307`

feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			`interface IGoogleLDAPAuthOptions {`
			`/** base DN`
			`* e.g. 'dc=hokify,dc=com', */`
			`base: string;`
			`/** tls options`
			`* e.g. {`
			`key: fs.readFileSync('ldap.gsuite.hokify.com.40567.key'),`
			`cert: fs.readFileSync('ldap.gsuite.hokify.com.40567.crt')`
			`} */`
			`tlsOptions: tls.TlsOptions;`
			`}`

fix: a lot of bug fixes, first running version for windows and android :) code is super ugly right now.. please don't judge 4 years ago			`export class GoogleLDAPAuth implements IAuthentication {`
feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			`private ldap: Client;`

			`private lastDNsFetch: Date;`
initial commit 4 years ago
feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			`private allValidDNsCache: { [key: string]: string };`
initial commit 4 years ago
feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			`private base: string;`
initial commit 4 years ago
feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			`constructor(config: IGoogleLDAPAuthOptions) {`
			`this.base = config.base;`
initial commit 4 years ago
feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			`this.ldap = createClient({`
			`url: 'ldaps://ldap.google.com:636',`
			`tlsOptions: {`
			`...config.tlsOptions,`
			`servername: 'ldap.google.com'`
			`}`
			`}).on('error', error => {`
initial commit 4 years ago			`console.error('Error in ldap', error);`
			`});`

			`this.fetchDNs();`
			`}`

fix: a lot of bug fixes, first running version for windows and android :) code is super ugly right now.. please don't judge 4 years ago			`private async fetchDNs() {`
initial commit 4 years ago			`const dns: { [key: string]: string } = {};`

			`await new Promise((resolve, reject) => {`
			`this.ldap.search(`
			`this.base,`
			`{`
			`scope: 'sub'`
			`},`
			`(err, res) => {`
			`if (err) {`
			`reject(err);`
			`return;`
			`}`

			`res.on('searchEntry', function(entry) {`
feat: add debug pkg to reduce output 4 years ago			`// log('entry: ' + JSON.stringify(entry.object));`
initial commit 4 years ago			`usernameFields.forEach(field => {`
			`const index = entry.object[field] as string;`
			`dns[index] = entry.object.dn;`
			`});`
			`});`

			`res.on('searchReference', function(referral) {`
feat: add debug pkg to reduce output 4 years ago			log(`referral: ${referral.uris.join()}`);
initial commit 4 years ago			`});`

			`res.on('error', function(ldapErr) {`
			console.error(`error: ${ldapErr.message}`);
			`reject();`
			`});`

			`res.on('end', result => {`
feat: add debug pkg to reduce output 4 years ago			log(`ldap status: ${result?.status}`);
initial commit 4 years ago
			`// replace with new dns`
			`this.allValidDNsCache = dns;`
feat: add debug pkg to reduce output 4 years ago			`// log('allValidDNsCache', this.allValidDNsCache);`
initial commit 4 years ago			`resolve();`
			`});`
			`}`
			`);`
			`});`
			`this.lastDNsFetch = new Date();`
			`}`

			`async authenticate(username: string, password: string, count = 0, forceFetching = false) {`
			`const cacheValidTime = new Date();`
			`cacheValidTime.setHours(cacheValidTime.getHours() - 12);`

			`let dnsFetched = false;`

			`if (!this.lastDNsFetch \|\| this.lastDNsFetch < cacheValidTime \|\| forceFetching) {`
feat: add debug pkg to reduce output 4 years ago			`log('fetching dns');`
initial commit 4 years ago			`await this.fetchDNs();`
			`dnsFetched = true;`
			`}`

			`if (count > 5) {`
			`throw new Error('Failed to authenticate with LDAP!');`
			`}`
			`// const dn = ;`
			`const dn = this.allValidDNsCache[username];`
			`if (!dn) {`
			`if (!dnsFetched && !forceFetching) {`
			`return this.authenticate(username, password, count, true);`
			`}`
feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			console.error(`invalid username, not found in DN: ${username}`, this.allValidDNsCache);
fix: ldap auth failed auth and added test scripts 4 years ago			`return false;`
initial commit 4 years ago			`}`

fix: ldap auth failed auth and added test scripts 4 years ago			`const authResult: boolean = await new Promise((resolve, reject) => {`
initial commit 4 years ago			`this.ldap.bind(dn, password, (err, res) => {`
			`if (err) {`
feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			if (err && (err as any).stack && (err as any).stack.includes(`ldap.google.com closed`)) {
initial commit 4 years ago			`count++;`
			`// wait 1 second to give the ldap error handler time to reconnect`
			`setTimeout(() => resolve(this.authenticate(dn, password)), 2000);`
			`return;`
			`}`
fix: ldap auth failed auth and added test scripts 4 years ago
			`resolve(false);`
			`// console.error('ldap error', err);`
			`// reject(err);`
initial commit 4 years ago			`}`
			`if (res) resolve(res);`
			`else reject();`
			`});`
			`});`

feat: add more auth providers and cleanup google auth it's no longer needed to use stunnel ;-) 4 years ago			`return !!authResult;`
initial commit 4 years ago			`}`
			`}`