Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encrypt LDAP bind password in db with SECRET_KEY #15547

Merged
merged 9 commits into from
May 20, 2021
Merged

Encrypt LDAP bind password in db with SECRET_KEY #15547

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
a5f7e4c
Encrypt LDAP bind password in db with SECRET_KEY
zeripath Apr 19, 2021
8a5a948
Merge branch 'main' into fix-15460-encrypt-ldap-bind-password-in-db
zeripath May 16, 2021
07ef6f5
Merge branch 'main' into fix-15460-encrypt-ldap-bind-password-in-db
zeripath May 18, 2021
bd1c33c
update documentation
zeripath May 18, 2021
a1484ba
update doc
zeripath May 18, 2021
74386d9
Merge branch 'main' into fix-15460-encrypt-ldap-bind-password-in-db
zeripath May 19, 2021
987f192
remove ui warning regarding unencrypted password
silverwind May 19, 2021
39fc0eb
Merge branch 'main' into fix-15460-encrypt-ldap-bind-password-in-db
zeripath May 19, 2021
9049bcb
Merge branch 'main' into fix-15460-encrypt-ldap-bind-password-in-db
lunny May 20, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/content/doc/features/authentication.en-us.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,8 +88,8 @@ Adds the following fields:
- Bind Password (optional)

- The password for the Bind DN specified above, if any. _Note: The password
is stored in plaintext at the server. As such, ensure that the Bind DN
has as few privileges as possible._
is stored in encrypted with the SECRET_KEY on the server. It is still recommended
zeripath marked this conversation as resolved.
Show resolved Hide resolved
to ensure that the Bind DN has as few privileges as possible._

- User Search Base **(required)**

Expand Down
17 changes: 16 additions & 1 deletion models/login_source.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
"code.gitea.io/gitea/modules/auth/oauth2"
"code.gitea.io/gitea/modules/auth/pam"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/secret"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/util"
Expand Down Expand Up @@ -77,11 +78,25 @@ type LDAPConfig struct {
// FromDB fills up a LDAPConfig from serialized format.
func (cfg *LDAPConfig) FromDB(bs []byte) error {
json := jsoniter.ConfigCompatibleWithStandardLibrary
return json.Unmarshal(bs, &cfg)
err := json.Unmarshal(bs, &cfg)
if err != nil {
return err
}
if cfg.BindPasswordEncrypt != "" {
cfg.BindPassword, err = secret.DecryptSecret(setting.SecretKey, cfg.BindPasswordEncrypt)
cfg.BindPasswordEncrypt = ""
}
return err
}

// ToDB exports a LDAPConfig to a serialized format.
func (cfg *LDAPConfig) ToDB() ([]byte, error) {
var err error
cfg.BindPasswordEncrypt, err = secret.EncryptSecret(setting.SecretKey, cfg.BindPassword)
if err != nil {
return nil, err
}
cfg.BindPassword = ""
json := jsoniter.ConfigCompatibleWithStandardLibrary
return json.Marshal(cfg)
}
Expand Down
1 change: 1 addition & 0 deletions modules/auth/ldap/ldap.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ type Source struct {
SecurityProtocol SecurityProtocol
SkipVerify bool
BindDN string // DN to bind with
BindPasswordEncrypt string // Encrypted Bind BN password
BindPassword string // Bind DN password
UserBase string // Base search path for users
UserDN string // Template for the DN of the user for simple auth
Expand Down