feat: retrieve and store groups from ldap provider

internal/service/auth_service.go

@@ -70,7 +70,7 @@ func (auth *AuthService) SearchUser(username string) config.UserSearch {
 	}
 
 	if auth.ldap != nil {
-		userDN, err := auth.ldap.Search(username)
+		userDN, err := auth.ldap.GetUserDN(username)
 
 		if err != nil {
 			log.Warn().Err(err).Str("username", username).Msg("Failed to search for user in LDAP")
@@ -131,6 +131,19 @@ func (auth *AuthService) GetLocalUser(username string) config.User {
 	return config.User{}
 }
 
+func (auth *AuthService) GetLdapUser(userDN string) (config.LdapUser, error) {
+	groups, err := auth.ldap.GetUserGroups(userDN)
+
+	if err != nil {
+		return config.LdapUser{}, err
+	}
+
+	return config.LdapUser{
+		DN:     userDN,
+		Groups: groups,
+	}, nil
+}
+
 func (auth *AuthService) CheckPassword(user config.User, password string) bool {
 	return bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) == nil
 }
@@ -217,6 +230,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *repository.Se
 		CreatedAt:   time.Now().Unix(),
 		OAuthName:   data.OAuthName,
 		OAuthSub:    data.OAuthSub,
+		LdapGroups:  data.LdapGroups,
 	}
 
 	_, err = auth.queries.CreateSession(c, session)
@@ -270,6 +284,7 @@ func (auth *AuthService) RefreshSessionCookie(c *gin.Context) error {
 		OAuthName:   session.OAuthName,
 		OAuthSub:    session.OAuthSub,
 		UUID:        session.UUID,
+		LdapGroups:  session.LdapGroups,
 	})
 
 	if err != nil {
@@ -346,6 +361,7 @@ func (auth *AuthService) GetSessionCookie(c *gin.Context) (repository.Session, e
 		OAuthGroups: session.OAuthGroups,
 		OAuthName:   session.OAuthName,
 		OAuthSub:    session.OAuthSub,
+		LdapGroups:  session.LdapGroups,
 	}, nil
 }
 

internal/service/ldap_service.go

@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"slices"
+	"strings"
 	"sync"
 	"time"
 
@@ -117,7 +118,7 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 	return ldap.conn, nil
 }
 
-func (ldap *LdapService) Search(username string) (string, error) {
+func (ldap *LdapService) GetUserDN(username string) (string, error) {
 	// Escape the username to prevent LDAP injection
 	escapedUsername := ldapgo.EscapeFilter(username)
 	filter := fmt.Sprintf(ldap.config.SearchFilter, escapedUsername)
@@ -146,7 +147,7 @@ func (ldap *LdapService) Search(username string) (string, error) {
 	return userDN, nil
 }
 
-func (ldap *LdapService) GetUserGroups(username string) ([]string, error) {
+func (ldap *LdapService) GetUserGroups(userDN string) ([]string, error) {
 	searchRequest := ldapgo.NewSearchRequest(
 		ldap.config.BaseDN,
 		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
@@ -163,13 +164,24 @@ func (ldap *LdapService) GetUserGroups(username string) ([]string, error) {
 		return []string{}, err
 	}
 
-	groups := []string{}
+	groupDNs := []string{}
 
 	for _, entry := range searchResult.Entries {
 		memberAttributes := entry.GetAttributeValues("uniquemember")
 		// no need to escape username here, if it's malicious it won't match anything
-		if slices.Contains(memberAttributes, fmt.Sprintf(ldap.config.SearchFilter, username)) {
-			groups = append(groups, entry.DN)
+		if slices.Contains(memberAttributes, userDN) {
+			groupDNs = append(groupDNs, entry.DN)
+		}
+	}
+
+	// Should work for most ldap providers?
+	groups := []string{}
+
+	for _, groupDN := range groupDNs {
+		groupDN = strings.TrimPrefix(groupDN, "cn=")
+		parts := strings.SplitN(groupDN, ",", 2)
+		if len(parts) > 0 {
+			groups = append(groups, parts[0])
 		}
 	}