From 8a57545c306aa20742ce3daa8d3eedb481be3381 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Wed, 9 Feb 2022 11:54:41 +0100
Subject: [PATCH] Add "insecure" flag to graph LDAP backend

To allow skipping TLS Certificate verification in development environments.
---
 graph/pkg/config/config.go | 1 +
 graph/pkg/config/defaultconfig.go | 1 +
 graph/pkg/identity/ldap/reconnect.go | 37 +++++++++++++++++++---------
 graph/pkg/service/v0/service.go | 17 ++++++++++---
 4 files changed, 42 insertions(+), 14 deletions(-)

diff --git a/graph/pkg/config/config.go b/graph/pkg/config/config.go
index 0b010c4f94..88e4c11669 100644
--- a/graph/pkg/config/config.go
+++ b/graph/pkg/config/config.go
@@ -37,6 +37,7 @@ type Spaces struct {
 
 type LDAP struct {
 URI string `ocisConfig:"uri" env:"GRAPH_LDAP_URI"`
+ Insecure bool `ocisConfig:"insecure" env:"OCIS_INSECURE;GRAPH_LDAP_INSECURE"`
 BindDN string `ocisConfig:"bind_dn" env:"GRAPH_LDAP_BIND_DN"`
 BindPassword string `ocisConfig:"bind_password" env:"GRAPH_LDAP_BIND_PASSWORD"`
 UseServerUUID bool `ocisConfig:"use_server_uuid" env:"GRAPH_LDAP_SERVER_UUID"`
diff --git a/graph/pkg/config/defaultconfig.go b/graph/pkg/config/defaultconfig.go
index 8f09207a85..134f3419b6 100644
--- a/graph/pkg/config/defaultconfig.go
+++ b/graph/pkg/config/defaultconfig.go
@@ -30,6 +30,7 @@ func DefaultConfig() *Config {
 Backend: "cs3",
 LDAP: LDAP{
 URI: "ldap://localhost:9125",
+ Insecure: false,
 BindDN: "",
 BindPassword: "",
 UseServerUUID: false,
diff --git a/graph/pkg/identity/ldap/reconnect.go b/graph/pkg/identity/ldap/reconnect.go
index 8442bbd663..738aa28180 100644
--- a/graph/pkg/identity/ldap/reconnect.go
+++ b/graph/pkg/identity/ldap/reconnect.go
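Review bot: The new `Insecure` field in `LDAP` has no doc comment, and its env binding `OCIS_INSECURE;GRAPH_LDAP_INSECURE` means a setting that, by its name, looks instance-wide also disables certificate verification for this one LDAP connection — nothing at the declaration tells a reader that. A field comment would make the effect visible where the option is defined: `// Insecure disables TLS certificate verification for the LDAP connection (also set via OCIS_INSECURE); intended for development setups only.` The `LDAP` struct continues outside the hunk; the defaultconfig.go hunk only spells out the zero value and needs no note.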
@@ -31,14 +31,21 @@ type ConnWithReconnect struct {
 logger *log.Logger
 }
 
-func NewLDAPWithReconnect(logger *log.Logger, ldapURI, bindDN, bindPassword string) ConnWithReconnect {
+type Config struct {
+ URI string
+ BindDN string
+ BindPassword string
+ TLSConfig *tls.Config
+}
+
+func NewLDAPWithReconnect(logger *log.Logger, config Config) ConnWithReconnect {
 conn := ConnWithReconnect{
 conn: make(chan ldapConnection),
 reset: make(chan *ldap.Conn),
 retries: 1,
 logger: logger,
 }
- go conn.ldapAutoConnect(ldapURI, bindDN, bindPassword)
+ go conn.ldapAutoConnect(config)
 
 return conn
 }
@@ -172,8 +179,8 @@ func (c ConnWithReconnect) GetConnection() (*ldap.Conn, error) {
 return c.reconnect(conn.Conn)
 }
 
-func (c ConnWithReconnect) ldapAutoConnect(ldapURI, bindDN, bindPassword string) {
- l, err := c.ldapConnect(ldapURI, bindDN, bindPassword)
+func (c ConnWithReconnect) ldapAutoConnect(config Config) {
+ l, err := c.ldapConnect(config)
 if err != nil {
 c.logger.Error().Err(err).Msg("autoconnect could not get ldap Connection")
 }
@@ -190,7 +197,7 @@ func (c ConnWithReconnect) ldapAutoConnect(ldapURI, bindDN, bindPassword string)
 }
 if l == resConn || l == nil {
 c.logger.Debug().Msg("reconnecting to LDAP")
- l, err = c.ldapConnect(ldapURI, bindDN, bindPassword)
+ l, err = c.ldapConnect(config)
 } else {
 c.logger.Debug().Msg("already reconnected")
 }
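Review bot: The new exported `Config` type and its fields carry no doc comments, so a caller cannot tell from the declaration that a nil `TLSConfig` is accepted or what it means (in the `ldapConnect` hunk the nil case dials `config.URI` with no dial option, so the library's defaults apply). Suggest `// Config holds the parameters NewLDAPWithReconnect uses to establish and re-establish the LDAP connection.` on the type and `// TLSConfig, when non-nil, is passed to ldap.DialWithTLSConfig; nil dials with the library defaults.` on the field. The two later hunks in this file (`ldapAutoConnect`) are a mechanical parameter rename and need no note.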
@@ -199,16 +206,24 @@ func (c ConnWithReconnect) ldapAutoConnect(ldapURI, bindDN, bindPassword string)
 }
 }
 
-func (c ConnWithReconnect) ldapConnect(ldapURI, bindDN, bindPassword string) (*ldap.Conn, error) {
- c.logger.Debug().Msgf("Connecting to %s", ldapURI)
- l, err := ldap.DialURL(ldapURI)
+func (c ConnWithReconnect) ldapConnect(config Config) (*ldap.Conn, error) {
+ c.logger.Debug().Msgf("Connecting to %s", config.URI)
+
+ var err error
+ var l *ldap.Conn
+ if config.TLSConfig != nil {
+ l, err = ldap.DialURL(config.URI, ldap.DialWithTLSConfig(config.TLSConfig))
+ } else {
+ l, err = ldap.DialURL(config.URI)
+ }
+
 if err != nil {
 c.logger.Error().Err(err).Msg("could not get ldap Connection")
 } else {
 c.logger.Debug().Msg("LDAP Connected")
- if bindDN != "" {
- c.logger.Debug().Msgf("Binding as %s", bindDN)
- err = l.Bind(bindDN, bindPassword)
+ if config.BindDN != "" {
+ c.logger.Debug().Msgf("Binding as %s", config.BindDN)
+ err = l.Bind(config.BindDN, config.BindPassword)
 if err != nil {
 c.logger.Error().Err(err).Msg("Bind failed")
 l.Close()
diff --git a/graph/pkg/service/v0/service.go b/graph/pkg/service/v0/service.go
index 79859e070a..e832729a8c 100644
--- a/graph/pkg/service/v0/service.go
+++ b/graph/pkg/service/v0/service.go
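Review bot: The nil/non-nil branch on `config.TLSConfig` duplicates the `ldap.DialURL` call and the `var err`/`var l` predeclarations; an option slice keeps a single dial site: `var opts []ldap.DialOpt`, `if config.TLSConfig != nil { opts = append(opts, ldap.DialWithTLSConfig(config.TLSConfig)) }`, `l, err := ldap.DialURL(config.URI, opts...)`. Separately, as far as I recall `DialURL` only applies the TLS config to `ldaps://` URIs, so with the `ldap://` default from defaultconfig.go a non-nil `TLSConfig` has no effect at dial time unless a later StartTLS also receives it — a comment at the dial site stating which schemes the option covers would make the flag's scope clear. `ldapConnect`'s body continues outside the hunk.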
@@ -59,10 +59,21 @@ func NewService(opts ...Option) Service {
 }
 case "ldap":
 var err error
+
+ var tlsConf *tls.Config
+ if options.Config.Identity.LDAP.Insecure {
+ tlsConf = &tls.Config{
+ InsecureSkipVerify: true,
+ }
+ }
+
 conn := ldap.NewLDAPWithReconnect(&options.Logger,
- options.Config.Identity.LDAP.URI,
- options.Config.Identity.LDAP.BindDN,
- options.Config.Identity.LDAP.BindPassword,
+ ldap.Config{
+ URI: options.Config.Identity.LDAP.URI,
+ BindDN: options.Config.Identity.LDAP.BindDN,
+ BindPassword: options.Config.Identity.LDAP.BindPassword,
+ TLSConfig: tlsConf,
+ },
 )
 if backend, err = identity.NewLDAPBackend(conn, options.Config.Identity.LDAP, &options.Logger); err != nil {
 options.Logger.Error().Msgf("Error initializing LDAP Backend: '%s'", err)
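Review bot: When `Insecure` is set, the `tls.Config{InsecureSkipVerify: true}` is built silently; a service that starts with certificate verification disabled should say so at startup so an operator can spot the setting in the logs of a non-development deployment, e.g. inside the `if`: `options.Logger.Warn().Msg("LDAP TLS certificate verification is disabled (insecure=true)")` (assuming the logger exposes `Warn()` alongside the `Error()` used below). A short comment on the nil case would also help readers of this block: `// tlsConf stays nil when not insecure: ldap.DialURL then uses the library's default TLS settings`. `NewService` begins before this hunk and the `case "ldap":` block continues after it.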