From 6cdf696fc4eff1856e0180c463a1da3acbd010af Mon Sep 17 00:00:00 2001
From: Andrey Antukh
Date: Thu, 5 Jan 2023 13:46:19 +0100
Subject: [PATCH] :bug: Fix issues on ldap provider and rpc method

---
 backend/src/app/auth/ldap.clj         | 36 ++++++++++++++-------------
 backend/src/app/main.clj              |  5 ++--
 backend/src/app/rpc.clj               |  5 ++--
 backend/src/app/rpc/commands/ldap.clj | 16 ++++++------
 4 files changed, 34 insertions(+), 28 deletions(-)

diff --git a/backend/src/app/auth/ldap.clj b/backend/src/app/auth/ldap.clj
index 7e2c30ce9..5100abff9 100644
--- a/backend/src/app/auth/ldap.clj
+++ b/backend/src/app/auth/ldap.clj
@@ -41,15 +41,18 @@
   (reduce-kv clojure.string/replace s replacements))
 
 (defn- search-user
-  [{:keys [conn attrs base-dn] :as cfg} email]
-  (let [query (replace-several (:query cfg) ":username" email)
+  [{:keys [::conn base-dn] :as cfg} email]
+  (let [query (replace-several (:query cfg) ":username" email)
+        attrs [(:attrs-username cfg)
+               (:attrs-email cfg)
+               (:attrs-fullname cfg)]
         params {:filter query
                 :sizelimit 1
                 :attributes attrs}]
     (first (ldap/search conn base-dn params))))
 
 (defn- retrieve-user
-  [{:keys [conn] :as cfg} {:keys [email password]}]
+  [{:keys [::conn] :as cfg} {:keys [email password]}]
   (when-let [{:keys [dn] :as user} (search-user cfg email)]
     (when (ldap/bind? conn dn password)
       {:fullname (get user (-> cfg :attrs-fullname keyword))
@@ -66,7 +69,7 @@
 (defn authenticate
   [cfg params]
   (with-open [conn (connect cfg)]
-    (when-let [user (-> (assoc cfg :conn conn)
+    (when-let [user (-> (assoc cfg ::conn conn)
                         (retrieve-user params))]
       (when-not (s/valid? ::info-data user)
         (let [explain (s/explain-str ::info-data user)]
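Review bot: `search-user` still substitutes the caller-supplied `email` into the LDAP filter template with a plain string replace (`(replace-several (:query cfg) ":username" email)`), so filter metacharacters in the login value (`*`, `(`, `)`, `\`, NUL) change the meaning of the search instead of being matched literally; `:sizelimit 1` bounds the result set but not the filter. Escape the value per RFC 4515 before substitution — whatever spec validation `email` gets upstream is not visible in this patch, so the boundary here should not depend on it. A small helper (below) keeps the fix local to this namespace; `retrieve-user` needs no change because it binds with the `dn` the search returned.
```clojure
(defn- escape-filter-value
  "Escape the characters RFC 4515 reserves in filter assertion values;
  backslash goes first so the escapes it introduces are not re-escaped."
  [s]
  (-> s
      (clojure.string/replace "\\" "\\5c")
      (clojure.string/replace "*" "\\2a")
      (clojure.string/replace "(" "\\28")
      (clojure.string/replace ")" "\\29")
      (clojure.string/replace "\u0000" "\\00")))

(defn- search-user
  [{:keys [::conn base-dn] :as cfg} email]
  (let [query (replace-several (:query cfg) ":username" (escape-filter-value email))
        ;; … unchanged: attrs / params bindings and the ldap/search call …
```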
@@ -100,17 +103,6 @@
               :host (:host cfg) :port (:port cfg) :cause cause)
       nil))))
 
-(defn- prepare-attributes
-  [cfg]
-  (assoc cfg :attrs [(:attrs-username cfg)
-                     (:attrs-email cfg)
-                     (:attrs-fullname cfg)]))
-
-(defmethod ig/init-key ::provider
-  [_ cfg]
-  (when (:enabled? cfg)
-    (some-> cfg try-connectivity prepare-attributes)))
-
 (s/def ::enabled? ::us/boolean)
 (s/def ::host ::cf/ldap-host)
 (s/def ::port ::cf/ldap-port)
@@ -124,8 +116,7 @@
 (s/def ::attrs-fullname ::cf/ldap-attrs-fullname)
 (s/def ::attrs-username ::cf/ldap-attrs-username)
 
-(defmethod ig/pre-init-spec ::provider
-  [_]
+(s/def ::provider-params
   (s/keys :opt-un [::host ::port ::ssl ::tls ::enabled?
@@ -135,3 +126,14 @@
                    ::attrs-email
                    ::attrs-username
                    ::attrs-fullname]))
+(s/def ::provider
+  (s/nilable ::provider-params))
+
+(defmethod ig/pre-init-spec ::provider
+  [_]
+  (s/spec ::provider))
+
+(defmethod ig/init-key ::provider
+  [_ cfg]
+  (when (:enabled? cfg)
+    (try-connectivity cfg)))
diff --git a/backend/src/app/main.clj b/backend/src/app/main.clj
index 045846a18..78250dce0 100644
--- a/backend/src/app/main.clj
+++ b/backend/src/app/main.clj
@@ -6,6 +6,7 @@
 
 (ns app.main
   (:require
+   [app.auth.ldap :as-alias ldap]
    [app.auth.oidc :as-alias oidc]
    [app.auth.oidc.providers :as-alias oidc.providers]
    [app.common.logging :as l]
@@ -231,7 +232,7 @@
            :max-body-size (cf/get :http-server-max-body-size)
            :max-multipart-body-size (cf/get :http-server-max-multipart-body-size)}
 
-   :app.auth.ldap/provider
+   ::ldap/provider
    {:host (cf/get :ldap-host)
     :port (cf/get :ldap-port)
     :ssl (cf/get :ldap-ssl)
@@ -327,6 +328,7 @@
    ::db/pool (ig/ref ::db/pool)
    ::wrk/executor (ig/ref ::wrk/executor)
    ::props (ig/ref :app.setup/props)
+   ::ldap/provider (ig/ref ::ldap/provider)
    :pool (ig/ref ::db/pool)
    :session (ig/ref :app.http.session/manager)
    :sprops (ig/ref :app.setup/props)
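Review bot: `::provider-params` declares every configuration key `:opt-un`, and the new `ig/init-key ::provider` at the end of this file only runs `try-connectivity` when `:enabled?` is set, so an enabled provider with a missing `:base-dn`, `:query` or `:attrs-*` value passes `pre-init-spec` and is only discovered at login time, when `search-user` would apply `replace-several` to a nil query template and put `nil` entries in `:attributes`. With the `:attrs` precomputation moved out of the deleted `prepare-attributes` into `search-user`, there is no longer any init-time code that touches those keys at all. Consider a second `s/keys :req-un` spec for the enabled case and rejecting the config in `init-key` with `s/valid?`/`s/explain-str` before `try-connectivity`, mirroring the `::info-data` check `authenticate` already performs; the same observation applies to the `@@ -124,8 +116,7 @@` hunk where `::provider-params` is defined.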
@@ -335,7 +337,6 @@
    :msgbus (ig/ref :app.msgbus/msgbus)
    :public-uri (cf/get :public-uri)
    :redis (ig/ref ::rds/redis)
-   :ldap (ig/ref :app.auth.ldap/provider)
    :http-client (ig/ref ::http.client/client)
    :climit (ig/ref :app.rpc/climit)
    :rlimit (ig/ref :app.rpc/rlimit)
diff --git a/backend/src/app/rpc.clj b/backend/src/app/rpc.clj
index 38b80baac..6681c13b1 100644
--- a/backend/src/app/rpc.clj
+++ b/backend/src/app/rpc.clj
@@ -6,6 +6,7 @@
 
 (ns app.rpc
   (:require
+   [app.auth.ldap :as-alias ldap]
    [app.common.data :as d]
    [app.common.exceptions :as ex]
    [app.common.logging :as l]
@@ -319,6 +320,7 @@
   (s/keys :req [::audit/collector
                 ::http.client/client
                 ::db/pool
+                ::ldap/provider
                 ::wrk/executor]
           :req-un [::sto/storage
                    ::http.session/session
@@ -329,8 +331,7 @@
                    ::climit
                    ::wrk/executor
                    ::mtx/metrics
-                   ::db/pool
-                   ::ldap]))
+                   ::db/pool]))
 
 (defmethod ig/init-key ::methods
   [_ cfg]
diff --git a/backend/src/app/rpc/commands/ldap.clj b/backend/src/app/rpc/commands/ldap.clj
index 485194f6c..6283e1423 100644
--- a/backend/src/app/rpc/commands/ldap.clj
+++ b/backend/src/app/rpc/commands/ldap.clj
@@ -12,10 +12,13 @@
    [app.db :as db]
    [app.http.session :as session]
    [app.loggers.audit :as-alias audit]
+   [app.main :as-alias main]
+   [app.rpc :as-alias rpc]
    [app.rpc.commands.auth :as cmd.auth]
    [app.rpc.doc :as-alias doc]
    [app.rpc.helpers :as rph]
    [app.rpc.queries.profile :as profile]
+   [app.tokens :as tokens]
    [app.util.services :as sv]
    [clojure.spec.alpha :as s]))
 
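Review bot: `::ldap/provider` becomes a `:req` key of the `::methods` config, yet the provider's `init-key` yields nil whenever LDAP is disabled or its connectivity probe fails, so in the common deployment the key is present-but-nil; that only validates because `::provider` is declared `(s/nilable ::provider-params)`, and the coupling deserves a comment beside the key, e.g. `::ldap/provider ;; nil when LDAP is disabled or unreachable`. Separately, both this namespace and `app.main` refer to `app.auth.ldap` through `:as-alias`, which creates the alias without loading the namespace; nothing in the patch shows what loads it so that its `ig/init-key`/`ig/pre-init-spec` methods and the `::provider` spec are registered before the system starts — presumably integrant's namespace loading in `app.main`, but that is worth confirming rather than assuming. The `@@ -329,8 +331,7 @@` hunk only drops the old unqualified `::ldap` key and needs nothing further.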
@@ -34,15 +37,15 @@
 (sv/defmethod ::login-with-ldap
   "Performs the authentication using LDAP backend. Only works if LDAP is properly configured and enabled with `login-with-ldap` flag."
-  {:auth false
+  {::rpc/auth false
    ::doc/added "1.15"}
-  [{:keys [session tokens ldap] :as cfg} params]
-  (when-not ldap
+  [{:keys [::main/props ::ldap/provider session] :as cfg} params]
+  (when-not provider
     (ex/raise :type :restriction :code :ldap-not-initialized :hide "ldap auth provider is not initialized"))
-  (let [info (ldap/authenticate ldap params)]
+  (let [info (ldap/authenticate provider params)]
     (when-not info
       (ex/raise :type :validation :code :wrong-credentials))
@@ -58,12 +61,11 @@
       ;; user comes from team-invitation process; in this case,
       ;; regenerate token and send back to the user a new invitation
       ;; token (and mark current session as logged).
-      (let [claims (tokens :verify {:token token :iss :team-invitation})
+      (let [claims (tokens/verify props {:token token :iss :team-invitation})
             claims (assoc claims
                           :member-id (:id profile)
                           :member-email (:email profile))
-            token (tokens :generate claims)]
-
+            token (tokens/generate props claims)]
         (-> {:invitation-token token}
             (rph/with-transform (session/create-fn session (:id profile)))
             (rph/with-meta {::audit/props (:props profile)
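Review bot: The method metadata changes from `:auth false` to `::rpc/auth false`, and nothing in this patch shows the `app.rpc` side reading the namespaced key; if the dispatcher still consults the unqualified `:auth`, `login-with-ldap` would start demanding an authenticated session — the one thing a login endpoint cannot do — so confirm which key the wrapper checks before merging. The guard `(when-not provider ...)` raising `:ldap-not-initialized` with `:hide` is the right response to a nil provider (disabled or failed connectivity at init), but a comment such as `;; provider is nil when LDAP is disabled or its init-time connectivity check failed` would spare the next reader a trip to `app.auth.ldap`. `login-with-ldap`'s body continues past the end of this hunk.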