nathan/go-authcheck
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: nathan:dd15312a0d3b235ff77b3fee5f1ac42bd9ffc645
Branches Tags
nathan:main
..
compare: nathan:main
Branches Tags
nathan:main

27 Commits
dd15312a0d ... main

Author SHA1 Message Date
Nathan Coad
4bd71d8099 improve version string
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-26 08:43:03 +10:00
Nathan Coad
7acd2fac7a add version info in output
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 16:21:34 +10:00
Nathan Coad
0ddb0f356a remove unnecessary dependency
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 16:10:26 +10:00
Nathan Coad
8f01a39eda change group separation to semicolon
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 12:13:10 +10:00
Nathan Coad
174774795b fix error message too
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 12:05:29 +10:00
Nathan Coad
2e8335c97d authsuccess false when no groups
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
2023-07-24 12:04:55 +10:00
Nathan Coad
ba5e949a9e output groups in json
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 11:58:14 +10:00
Nathan Coad
de93fc3091 print groups
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 11:51:26 +10:00
Nathan Coad
d4811f5deb get memberOf
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone Build is passing
Details
2023-07-24 11:32:18 +10:00
Nathan Coad
0f2034cc87 try again
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 11:26:37 +10:00
Nathan Coad
01d1e4fd4b different debugging
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 11:13:13 +10:00
Nathan Coad
2521e2472a temporary extra logging
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 11:00:09 +10:00
Nathan Coad
46ca98a0ce improved error message
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 10:56:38 +10:00
Nathan Coad
0d911a715c change search filter
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 10:55:35 +10:00
Nathan Coad
00103bcb7e split sAMAccountName from UPN
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 10:50:02 +10:00
Nathan Coad
4ee3838c72 add feature to search for groups of user
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-24 10:41:04 +10:00
Nathan Coad
5dcf111d9d just output DN
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-21 13:35:05 +10:00
Nathan Coad
5b4179b221 output the result
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-21 13:26:05 +10:00
Nathan Coad
e2e5f320ae add output message
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-21 11:34:00 +10:00
Nathan Coad
955f07b4d7 test using base ldap package
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-21 11:28:27 +10:00
Nathan Coad
8e42f4bd77 update
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-20 09:18:33 +10:00
Nathan Coad
d0c3d4cdc5 don't use ioutil 2023-07-20 09:06:33 +10:00
Nathan Coad
23e3044f89 load cert from file rather than embed
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-20 09:05:48 +10:00
Nathan Coad
f987f4438a only output json
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-19 15:13:21 +10:00
Nathan Coad
5f6f116068 output result as json
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-19 15:08:19 +10:00
Nathan Coad
db0b104a58 bugfix
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-07-19 14:54:28 +10:00
Nathan Coad
062aebe299 add wsdc intermediate cert 2023-07-19 14:52:41 +10:00
4 changed files with 303 additions and 19 deletions
Expand all files Collapse all files

4
.gitignore vendored
View File

@@ -1 +1,3 @@
log.txt
log.txt
*.pem
authcheck

10
go.mod
View File

@@ -2,10 +2,10 @@ module go-authcheck
go 1.19
require github.com/korylprince/go-ad-auth/v3 v3.3.0
require (
github.com/go-asn1-ber/asn1-ber v1.4.1 // indirect
github.com/go-ldap/ldap/v3 v3.1.7 // indirect
golang.org/x/text v0.3.2 // indirect
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
github.com/go-ldap/ldap/v3 v3.4.5 // indirect
golang.org/x/crypto v0.7.0 // indirect
golang.org/x/text v0.8.0 // indirect
)

52
go.sum
View File

@@ -1,10 +1,62 @@
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
github.com/go-asn1-ber/asn1-ber v1.4.1 h1:qP/QDxOtmMoJVgXHCXNzDpA0+wkgYB2x5QoLMVOciyw=
github.com/go-asn1-ber/asn1-ber v1.4.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
github.com/go-ldap/ldap/v3 v3.1.7 h1:aHjuWTgZsnxjMgqzx0JHwNqz4jBYZTcNarbPFkW1Oww=
github.com/go-ldap/ldap/v3 v3.1.7/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
github.com/go-ldap/ldap/v3 v3.4.5 h1:ekEKmaDrpvR2yf5Nc/DClsGG9lAmdDixe44mLzlW5r8=
github.com/go-ldap/ldap/v3 v3.4.5/go.mod h1:bMGIq3AGbytbaMwf8wdv5Phdxz0FWHTIYMSzyrYgnQs=
github.com/korylprince/go-ad-auth/v3 v3.3.0 h1:iXuB+sCk4GniHnpUn0BAHH8rKeOLTKuYcBNvERa773Y=
github.com/korylprince/go-ad-auth/v3 v3.3.0/go.mod h1:19M0geaOeNN489k1MO6GCqOCgbruYRQkHRBfhhUZAoE=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

256
main.go
View File

@@ -1,38 +1,268 @@
package main
import (
"crypto/tls"
"crypto/x509"
"encoding/json"
"encoding/pem"
"flag"
"fmt"
"os"
"path/filepath"
"strings"
auth "github.com/korylprince/go-ad-auth/v3"
"github.com/go-ldap/ldap/v3"
)
type Output struct {
Server string
AuthSuccess bool
Error string
CertLoaded bool
Results string
Groups string
Version string
}
// For build numbers, from https://blog.kowalczyk.info/article/vEja/embedding-build-number-in-go-executable.html
var sha1ver string // sha1 revision used to build the program
var buildTime string // when the executable was built
func GetFilePath(path string) string {
// Check for empty filename
if len(path) == 0 {
return ""
}
// check if filename exists
if _, err := os.Stat(path); os.IsNotExist((err)) {
fmt.Printf("File '%s' not found, searching in same directory as binary\n", path)
// if not, check that it exists in the same directory as the currently executing binary
ex, err2 := os.Executable()
if err2 != nil {
//log.Printf("Error determining binary path : '%s'", err)
return ""
}
binaryPath := filepath.Dir(ex)
path = filepath.Join(binaryPath, path)
}
return path
}
func isFlagPassed(name string) bool {
found := false
flag.Visit(func(f *flag.Flag) {
if f.Name == name {
found = true
}
})
return found
}
// GetGroupsOfUser returns the group for a user.
// Taken from https://github.com/jtblin/go-ldap-client/issues/13#issuecomment-456090979
func GetGroupsOfUser(username string, baseDN string, conn *ldap.Conn) ([]string, error) {
var samAccountName string
var groups []string
if strings.Contains(username, "@") {
s := strings.Split(username, "@")
samAccountName = s[0]
} else if strings.Contains(username, "\\") {
s := strings.Split(username, "\\")
samAccountName = s[len(s)-1]
} else {
samAccountName = username
}
// Get the users DN
// Search for the given username
searchRequest := ldap.NewSearchRequest(
baseDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(CN=%s)", ldap.EscapeFilter(samAccountName)),
[]string{},
nil,
)
sr, err := conn.Search(searchRequest)
if err != nil {
return nil, err
}
if len(sr.Entries) != 1 {
return nil, fmt.Errorf("user '%s' does not exist", samAccountName)
} else {
// Get the groups of the first result
groups = sr.Entries[0].GetAttributeValues("memberOf")
/*
for _, entry := range sr.Entries {
entry.PrettyPrint(2)
}
*/
}
/*
userdn := sr.Entries[0].DN
fmt.Printf("userdn is '%s' from CN '%s'", userdn, samAccountName)
searchRequest = ldap.NewSearchRequest(
baseDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(memberUid=%s)", userdn),
[]string{}, // can it be something else than "cn"?
nil,
)
sr, err = conn.Search(searchRequest)
if err != nil {
return nil, err
}
for _, entry := range sr.Entries {
fmt.Println(entry.GetAttributeValue("cn"))
groups = append(groups, entry.GetAttributeValue("cn"))
}
*/
return groups, nil
}
// Some good ideas at https://gist.github.com/tboerger/4840e1b5464fc26fbb165b168be23345
func main() {
var output Output
// Process command line arguments
server := flag.String("server", "ldap.example.com", "LDAP server to bind to")
baseDN := flag.String("baseDN", "OU=Users,DC=example,DC=com", "Base DN to use when attempting to bind to AD")
username := flag.String("username", "user", "Username to use when attempting to bind to AD")
password := flag.String("password", "pass", "Password to use when attempting to bind to AD")
certFile := flag.String("cert-file", "rootca.pem", "Filename to load trusted certificate from")
flag.Parse()
config := &auth.Config{
Server: *server,
Port: 636,
BaseDN: *baseDN,
Security: auth.SecurityStartTLS,
output.Server = *server
output.Version = fmt.Sprintf("Built %s from %s", buildTime, sha1ver)
// Get a copy of the system defined CA's
system, err := x509.SystemCertPool()
if err != nil {
output.AuthSuccess = false
output.Error = "failed to access system CA list"
b, _ := json.Marshal(output)
fmt.Println(string(b))
return
}
status, err := auth.Authenticate(config, *username, *password)
// only try to load certificate from file if the command line argument was specified
if isFlagPassed("cert-file") {
// Try to read the file
cf, err := os.ReadFile(GetFilePath(*certFile))
if err != nil {
output.AuthSuccess = false
output.Error = err.Error()
b, _ := json.Marshal(output)
fmt.Println(string(b))
return
}
// Get the certificate from the file
cpb, _ := pem.Decode(cf)
crt, err := x509.ParseCertificate(cpb.Bytes)
//fmt.Printf("Loaded certificate with subject %s\n", crt.Subject)
if err != nil {
output.AuthSuccess = false
output.Error = err.Error()
b, _ := json.Marshal(output)
fmt.Println(string(b))
return
}
// Add custom certificate to the system cert pool
system.AddCert(crt)
/*
ok := system.AppendCertsFromPEM(crt)
if !ok {
output.AuthSuccess = false
output.Error = "failed to parse WSDC intermediate certificate"
b, _ := json.Marshal(output)
fmt.Println(string(b))
return
}
*/
output.CertLoaded = true
}
// Start trying to use ldap package
// Set up TLS to use our custom certificate authority passed in cli argument
tlsConfig := &tls.Config{
RootCAs: system,
}
// try connecting to AD via TLS and our custom certificate authority
ldaps, err := ldap.DialTLS("tcp", fmt.Sprintf("%s:636", *server), tlsConfig)
if err != nil {
//handle err
fmt.Println(err)
output.AuthSuccess = false
output.Error = fmt.Sprintf("Dial Error: %s", err)
b, _ := json.Marshal(output)
fmt.Println(string(b))
return
}
if !status {
//handle failed authentication
fmt.Println(err)
defer ldaps.Close()
// try to bind to AD
err = ldaps.Bind(*username, *password)
if err != nil {
output.AuthSuccess = false
output.Error = fmt.Sprintf("Bind Error: %s", err)
b, _ := json.Marshal(output)
fmt.Println(string(b))
return
}
fmt.Println("success")
searchReq := ldap.NewSearchRequest(
*baseDN,
ldap.ScopeBaseObject, // you can also use ldap.ScopeWholeSubtree
ldap.NeverDerefAliases,
0,
0,
false,
"(objectClass=*)",
[]string{},
nil,
)
result, err := ldaps.Search(searchReq)
if err != nil {
output.AuthSuccess = false
output.Error = fmt.Sprintf("Search Error: %s", err)
b, _ := json.Marshal(output)
fmt.Println(string(b))
return
}
if len(result.Entries) == 0 {
output.AuthSuccess = false
output.Error = "No search results"
b, _ := json.Marshal(output)
fmt.Println(string(b))
return
} else {
output.AuthSuccess = true
output.Results = fmt.Sprintf("Search result count: %d; %s", len(result.Entries), result.Entries[0].DN)
// Since we have a successful connection, try getting group membership
groups, err := GetGroupsOfUser(*username, *baseDN, ldaps)
if err != nil {
output.AuthSuccess = false
output.Results = fmt.Sprintf("Group search Error: %s", err)
} else {
output.Groups = strings.Join(groups[:], ";")
}
b, _ := json.Marshal(output)
fmt.Println(string(b))
return
}
}