Introduce support for 3rd-party auth (OAuth2 & LDAP)

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

lib/service/auth/authenticator.ex

@@ -0,0 +1,93 @@
+defmodule Mobilizon.Service.Auth.Authenticator do
+  @moduledoc """
+  Module to handle authentification (currently through database or LDAP)
+  """
+  alias Mobilizon.Users
+  alias Mobilizon.Users.User
+  alias Mobilizon.Web.Auth.Guardian
+
+  @type tokens :: %{
+          required(:access_token) => String.t(),
+          required(:refresh_token) => String.t()
+        }
+
+  @type tokens_with_user :: %{
+          required(:access_token) => String.t(),
+          required(:refresh_token) => String.t(),
+          required(:user) => User.t()
+        }
+
+  def implementation do
+    Mobilizon.Config.get(
+      Mobilizon.Service.Auth.Authenticator,
+      Mobilizon.Service.Auth.MobilizonAuthenticator
+    )
+  end
+
+  @callback login(String.t(), String.t()) :: {:ok, User.t()} | {:error, any()}
+  @spec login(String.t(), String.t()) :: {:ok, User.t()} | {:error, any()}
+  def login(email, password), do: implementation().login(email, password)
+
+  @callback can_change_email?(User.t()) :: boolean
+  def can_change_email?(%User{} = user), do: implementation().can_change_email?(user)
+
+  @callback can_change_password?(User.t()) :: boolean
+  def can_change_password?(%User{} = user), do: implementation().can_change_password?(user)
+
+  @spec has_password?(User.t()) :: boolean()
+  def has_password?(%User{provider: provider}), do: is_nil(provider) or provider == "ldap"
+
+  @spec can_reset_password?(User.t()) :: boolean()
+  def can_reset_password?(%User{} = user), do: has_password?(user) && can_change_password?(user)
+
+  @spec authenticate(String.t(), String.t()) :: {:ok, tokens_with_user()}
+  def authenticate(email, password) do
+    with {:ok, %User{} = user} <- login(email, password),
+         {:ok, %{access_token: access_token, refresh_token: refresh_token}} <-
+           generate_tokens(user) do
+      {:ok, %{access_token: access_token, refresh_token: refresh_token, user: user}}
+    end
+  end
+
+  @doc """
+  Generates access token and refresh token for an user.
+  """
+  @spec generate_tokens(User.t()) :: {:ok, tokens}
+  def generate_tokens(user) do
+    with {:ok, access_token} <- generate_access_token(user),
+         {:ok, refresh_token} <- generate_refresh_token(user) do
+      {:ok, %{access_token: access_token, refresh_token: refresh_token}}
+    end
+  end
+
+  @doc """
+  Generates access token for an user.
+  """
+  @spec generate_access_token(User.t()) :: {:ok, String.t()}
+  def generate_access_token(user) do
+    with {:ok, access_token, _claims} <-
+           Guardian.encode_and_sign(user, %{}, token_type: "access") do
+      {:ok, access_token}
+    end
+  end
+
+  @doc """
+  Generates refresh token for an user.
+  """
+  @spec generate_refresh_token(User.t()) :: {:ok, String.t()}
+  def generate_refresh_token(user) do
+    with {:ok, refresh_token, _claims} <-
+           Guardian.encode_and_sign(user, %{}, token_type: "refresh") do
+      {:ok, refresh_token}
+    end
+  end
+
+  @spec fetch_user(String.t()) :: User.t() | {:error, :user_not_found}
+  def fetch_user(nil), do: {:error, :user_not_found}
+
+  def fetch_user(email) when not is_nil(email) do
+    with {:ok, %User{} = user} <- Users.get_user_by_email(email, true) do
+      user
+    end
+  end
+end

lib/service/auth/ldap_authenticator.ex

@@ -0,0 +1,180 @@
+# Portions of this file are derived from Pleroma:
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Mobilizon.Service.Auth.LDAPAuthenticator do
+  @moduledoc """
+  Authenticate Mobilizon users through LDAP accounts
+  """
+  alias Mobilizon.Service.Auth.{Authenticator, MobilizonAuthenticator}
+  alias Mobilizon.Users
+  alias Mobilizon.Users.User
+
+  require Logger
+
+  import Authenticator,
+    only: [fetch_user: 1]
+
+  @behaviour Authenticator
+  @base MobilizonAuthenticator
+
+  @connection_timeout 10_000
+  @search_timeout 10_000
+
+  def login(email, password) do
+    with {:ldap, true} <- {:ldap, Mobilizon.Config.get([:ldap, :enabled])},
+         %User{} = user <- ldap_user(email, password) do
+      {:ok, user}
+    else
+      {:error, {:ldap_connection_error, _}} ->
+        # When LDAP is unavailable, try default authenticator
+        @base.login(email, password)
+
+      {:ldap, _} ->
+        @base.login(email, password)
+
+      error ->
+        error
+    end
+  end
+
+  def can_change_email?(%User{provider: provider}), do: provider != "ldap"
+
+  def can_change_password?(%User{provider: provider}), do: provider != "ldap"
+
+  defp ldap_user(email, password) do
+    ldap = Mobilizon.Config.get(:ldap, [])
+    host = Keyword.get(ldap, :host, "localhost")
+    port = Keyword.get(ldap, :port, 389)
+    ssl = Keyword.get(ldap, :ssl, false)
+    sslopts = Keyword.get(ldap, :sslopts, [])
+
+    options =
+      [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
+        if sslopts != [], do: [{:sslopts, sslopts}], else: []
+
+    case :eldap.open([to_charlist(host)], options) do
+      {:ok, connection} ->
+        try do
+          ensure_eventual_tls(connection, ldap)
+
+          base = Keyword.get(ldap, :base)
+          uid_field = Keyword.get(ldap, :uid, "cn")
+
+          # We first need to find the LDAP UID/CN for this specif email
+          with uid when is_binary(uid) <- search_user(connection, ldap, base, uid_field, email),
+               # Then we can verify the user's password
+               :ok <- bind_user(connection, base, uid_field, uid, password) do
+            case fetch_user(email) do
+              %User{} = user ->
+                user
+
+              _ ->
+                register_user(email)
+            end
+          else
+            {:error, error} ->
+              {:error, error}
+
+            error ->
+              {:error, error}
+          end
+        after
+          :eldap.close(connection)
+        end
+
+      {:error, error} ->
+        Logger.error("Could not open LDAP connection: #{inspect(error)}")
+        {:error, {:ldap_connection_error, error}}
+    end
+  end
+
+  @spec bind_user(any(), String.t(), String.t(), String.t(), String.t()) ::
+          User.t() | any()
+  defp bind_user(connection, base, uid, field, password) do
+    bind = "#{uid}=#{field},#{base}"
+    Logger.debug("Binding to LDAP with \"#{bind}\"")
+    :eldap.simple_bind(connection, bind, password)
+  end
+
+  @spec search_user(any(), Keyword.t(), String.t(), String.t(), String.t()) ::
+          String.t() | {:error, :ldap_registration_missing_attributes} | any()
+  defp search_user(connection, ldap, base, uid, email) do
+    # We may need to bind before performing the search
+    res =
+      if Keyword.get(ldap, :require_bind_for_search, true) do
+        admin_field = Keyword.get(ldap, :bind_uid)
+        admin_password = Keyword.get(ldap, :bind_password)
+        bind_user(connection, base, uid, admin_field, admin_password)
+      else
+        :ok
+      end
+
+    if res == :ok do
+      do_search_user(connection, base, uid, email)
+    else
+      res
+    end
+  end
+
+  # Search an user by uid to find their CN
+  @spec do_search_user(any(), String.t(), String.t(), String.t()) ::
+          String.t() | {:error, :ldap_registration_missing_attributes} | any()
+  defp do_search_user(connection, base, uid, email) do
+    with {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} <-
+           :eldap.search(connection, [
+             {:base, to_charlist(base)},
+             {:filter, :eldap.equalityMatch(to_charlist("mail"), to_charlist(email))},
+             {:scope, :eldap.wholeSubtree()},
+             {:attributes, [to_charlist(uid)]},
+             {:timeout, @search_timeout}
+           ]),
+         {:uid, {_, [uid]}} <- {:uid, List.keyfind(attributes, to_charlist(uid), 0)} do
+      :erlang.list_to_binary(uid)
+    else
+      {:ok, {:eldap_search_result, [], []}} ->
+        Logger.info("Unable to find user with email #{email}")
+        {:error, :ldap_search_email_not_found}
+
+      {:cn, err} ->
+        Logger.error("Could not find LDAP attribute CN: #{inspect(err)}")
+        {:error, :ldap_searcy_missing_attributes}
+
+      error ->
+        error
+    end
+  end
+
+  @spec register_user(String.t()) :: User.t() | any()
+  defp register_user(email) do
+    case Users.create_external(email, "ldap") do
+      {:ok, %User{} = user} ->
+        user
+
+      error ->
+        error
+    end
+  end
+
+  @spec ensure_eventual_tls(any(), Keyword.t()) :: :ok
+  defp ensure_eventual_tls(connection, ldap) do
+    if Keyword.get(ldap, :tls, false) do
+      :application.ensure_all_started(:ssl)
+
+      case :eldap.start_tls(
+             connection,
+             Keyword.get(ldap, :tlsopts, []),
+             @connection_timeout
+           ) do
+        :ok ->
+          :ok
+
+        error ->
+          Logger.error("Could not start TLS: #{inspect(error)}")
+      end
+    end
+
+    :ok
+  end
+end

lib/service/auth/mobilizon_authenticator.ex

@@ -0,0 +1,39 @@
+defmodule Mobilizon.Service.Auth.MobilizonAuthenticator do
+  @moduledoc """
+  Authenticate Mobilizon users through database accounts
+  """
+  alias Mobilizon.Users.User
+
+  alias Mobilizon.Service.Auth.Authenticator
+
+  import Authenticator,
+    only: [fetch_user: 1]
+
+  @behaviour Authenticator
+
+  def login(email, password) do
+    require Logger
+
+    with {:user, %User{password_hash: password_hash, provider: nil} = user}
+         when not is_nil(password_hash) <-
+           {:user, fetch_user(email)},
+         {:acceptable_password, true} <-
+           {:acceptable_password, not (is_nil(password) || password == "")},
+         {:checkpw, true} <- {:checkpw, Argon2.verify_pass(password, password_hash)} do
+      {:ok, user}
+    else
+      {:user, {:error, :user_not_found}} ->
+        {:error, :user_not_found}
+
+      {:acceptable_password, false} ->
+        {:error, :bad_password}
+
+      {:checkpw, false} ->
+        {:error, :bad_password}
+    end
+  end
+
+  def can_change_email?(%User{provider: provider}), do: is_nil(provider)
+
+  def can_change_password?(%User{provider: provider}), do: is_nil(provider)
+end