superusers must not reset password by email

hacklabto · Dec 26, 2023 · 7c0d313 · 7c0d313
1 parent c97c89a
commit 7c0d313
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/internal/auth/ldap.go b/internal/auth/ldap.go
@@ -4,10 +4,13 @@ import (
 	"crypto/tls"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/go-ldap/ldap"
 )
 
+var invalidGroups = []string{"cn=operations", "cn=hacklab-sudoer", "cn=board", "ou=permissions"}
+
 func GetEmailFromUsername(bindDN, bindPassword, targetUsername string) (string, error) {
 	ldapURL := os.Getenv("LDAP_URL")
 	if ldapURL == "" {
@@ -30,7 +33,7 @@ func GetEmailFromUsername(bindDN, bindPassword, targetUsername string) (string,
 		"ou=people,dc=hacklab,dc=to",
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
 		fmt.Sprintf("(&(uid=%s))", targetUsername),
-		[]string{"mail"},
+		[]string{"mail", "memberOf"},
 		nil,
 	)
 
@@ -40,6 +43,14 @@ func GetEmailFromUsername(bindDN, bindPassword, targetUsername string) (string,
 	}
 
 	for _, entry := range res.Entries {
+		for _, val := range entry.GetAttributeValues("memberOf") {
+			for _, g := range invalidGroups {
+				if strings.Contains(val, g) {
+					return "", fmt.Errorf("user not allowed to reset password by email")
+				}
+			}
+		}
+		//lint:ignore SA4004 "only one entry should ever be found"
 		return entry.GetAttributeValue("mail"), nil
 	}