From 2c6a197cb383b4f04722ca8f0f7759c0327d9ea6 Mon Sep 17 00:00:00 2001
From: aizerin
Date: Fri, 28 Jan 2022 13:33:27 +0100
Subject: [PATCH] LDAP: add admin auth and search filter (#1403)

Co-authored-by: Roman Zabaluev
---
 docker/auth-ldap.yaml                               |  8 +++++++
 .../ui/config/auth/LdapSecurityConfig.java          | 23 +++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/docker/auth-ldap.yaml b/docker/auth-ldap.yaml
index 2a06d21272..7c25adce5d 100644
--- a/docker/auth-ldap.yaml
+++ b/docker/auth-ldap.yaml
@@ -29,6 +29,14 @@ services:
       AUTH_TYPE: "LDAP"
       SPRING_LDAP_URLS: "ldap://ldap:10389"
       SPRING_LDAP_DN_PATTERN: "cn={0},ou=people,dc=planetexpress,dc=com"
+# USER SEARCH FILTER INSTEAD OF DN
+# SPRING_LDAP_USERFILTER_SEARCHBASE: "dc=planetexpress,dc=com"
+# SPRING_LDAP_USERFILTER_SEARCHFILTER: "(&(uid={0})(objectClass=inetOrgPerson))"
+# LDAP ADMIN USER
+# SPRING_LDAP_ADMINUSER: "cn=admin,dc=planetexpress,dc=com"
+# SPRING_LDAP_ADMINPASSWORD: "GoodNewsEveryone"
+
+
 
   ldap:
     image: rroemhild/test-openldap:latest

diff --git a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java
index b0e7c9ca8d..ebd7e09c24 100644
--- a/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java
+++ b/kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/LdapSecurityConfig.java
@@ -16,6 +16,8 @@ import org.springframework.security.config.annotation.web.reactive.EnableWebFlux
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.ldap.authentication.BindAuthenticator;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
+import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+import org.springframework.security.ldap.search.LdapUserSearch;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 
 @Configuration
@@ -26,13 +28,28 @@ public class LdapSecurityConfig extends AbstractAuthSecurityConfig {
   @Value("${spring.ldap.urls}")
   private String ldapUrls;
 
-  @Value("${spring.ldap.dn.pattern}")
+  @Value("${spring.ldap.dn.pattern:#{null}}")
   private String ldapUserDnPattern;
 
+  @Value("${spring.ldap.adminUser:#{null}}")
+  private String adminUser;
+  @Value("${spring.ldap.adminPassword:#{null}}")
+  private String adminPassword;
+  @Value("${spring.ldap.userFilter.searchBase:#{null}}")
+  private String userFilterSearchBase;
+  @Value("${spring.ldap.userFilter.searchFilter:#{null}}")
+  private String userFilterSearchFilter;
   @Bean
   public ReactiveAuthenticationManager authenticationManager(BaseLdapPathContextSource contextSource) {
     BindAuthenticator ba = new BindAuthenticator(contextSource);
-    ba.setUserDnPatterns(new String[]{ldapUserDnPattern});
+    if (ldapUserDnPattern != null) {
+      ba.setUserDnPatterns(new String[]{ldapUserDnPattern});
+    }
+    if (userFilterSearchFilter != null) {
+      LdapUserSearch userSearch =
+          new FilterBasedLdapUserSearch(userFilterSearchBase, userFilterSearchFilter, contextSource);
+      ba.setUserSearch(userSearch);
+    }
 
     LdapAuthenticationProvider lap = new LdapAuthenticationProvider(ba);
 
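Review bot: `new FilterBasedLdapUserSearch(userFilterSearchBase, userFilterSearchFilter, contextSource)` is reached whenever only `spring.ldap.userFilter.searchFilter` is configured, but `userFilterSearchBase` then defaults to null, and as far as I recall that constructor rejects a null search base (an empty string is the documented "search from root" value), so the operator gets an assertion at context startup instead of a readable configuration error. The simplest fix is to default the base to the empty root in the annotation, `@Value("${spring.ldap.userFilter.searchBase:}")`, or to guard the property the same way the filter is guarded. A second gap in the same method: when neither `spring.ldap.dn.pattern` nor the search filter is set, `ba` is configured with nothing, and because it is not a managed bean its own afterPropertiesSet check for "DN pattern or user search" never runs, so every login would fail with a generic bad-credentials response rather than a startup error; a fail-fast such as `if (ldapUserDnPattern == null && userFilterSearchFilter == null) { throw new IllegalStateException("Either spring.ldap.dn.pattern or spring.ldap.userFilter.searchFilter must be set"); }` before building the authenticator would make the misconfiguration visible. The body of `authenticationManager` continues outside the hunk.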
@@ -45,6 +62,8 @@ public class LdapSecurityConfig extends AbstractAuthSecurityConfig {
   public BaseLdapPathContextSource contextSource() {
     LdapContextSource ctx = new LdapContextSource();
     ctx.setUrl(ldapUrls);
+    ctx.setUserDn(adminUser);
+    ctx.setPassword(adminPassword);
     ctx.afterPropertiesSet();
     return ctx;
   }
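Review bot: `ctx.setUserDn(adminUser); ctx.setPassword(adminPassword);` accepts the combination of a configured admin DN with an unset password, and as far as I recall the context source then binds with a blank password, which many directories treat as an unauthenticated (effectively anonymous) bind that succeeds; the user search would then silently run without the admin's privileges and users may be rejected or resolved inconsistently depending on the server's anonymous-read policy. Failing fast on the half-configured case makes this visible at startup: `if (adminUser != null && (adminPassword == null || adminPassword.isEmpty())) { throw new IllegalStateException("spring.ldap.adminPassword must be set when spring.ldap.adminUser is set"); }` before `ctx.afterPropertiesSet()`. With both properties unset the call sequence still falls back to an anonymous bind, which is the previous behaviour, so that path needs no change.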