From f2c9abdcea1829cb412dd83d86641abccfb869f4 Mon Sep 17 00:00:00 2001
From: Wei Zhang
Date: Mon, 30 Dec 2024 18:41:13 +0800
Subject: [PATCH] feat(ldap): support starttls and ldaps

Signed-off-by: Wei Zhang
---
 ee/tabby-webserver/src/ldap.rs | 32 ++++++++++++++++++++++----
 ee/tabby-webserver/src/service/auth.rs | 8 +++++--
 2 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/ee/tabby-webserver/src/ldap.rs b/ee/tabby-webserver/src/ldap.rs
index 6bccde03f3a3..b1ae6e75849c 100644
--- a/ee/tabby-webserver/src/ldap.rs
+++ b/ee/tabby-webserver/src/ldap.rs
@@ -1,7 +1,7 @@
 use anyhow::anyhow;
 use async_trait::async_trait;
-use ldap3::{drive, LdapConnAsync, Scope, SearchEntry};
-use tabby_schema::{CoreError, Result};
+use ldap3::{drive, LdapConnAsync, LdapConnSettings, Scope, SearchEntry};
+use tabby_schema::{email::Encryption, CoreError, Result};
 
 #[async_trait]
 pub trait LdapClient: Send + Sync {
@@ -9,8 +9,10 @@ pub trait LdapClient: Send + Sync {
 }
 
 pub fn new_ldap_client(
-    host: String,
+    host: &str,
     port: i64,
+    encryption: &str,
+    skip_verify_tls: bool,
     bind_dn: String,
     bind_password: String,
     base_dn: String,
@@ -18,14 +20,31 @@ pub fn new_ldap_client(
     email_attr: String,
     name_attr: String,
 ) -> impl LdapClient {
+    let mut settings = LdapConnSettings::new();
+    if encryption == "starttls" {
+        settings = settings.set_starttls(true);
+    };
+    if skip_verify_tls {
+        settings = settings.set_no_tls_verify(true);
+    };
+
+    let schema = if encryption == "ldaps" {
+        "ldaps"
+    } else {
+        "ldap"
+    };
+
     LdapClientImpl {
-        address: format!("ldap://{}:{}", host, port),
+        address: format!("{}://{}:{}", schema, host, port),
         bind_dn,
         bind_password,
         base_dn,
         user_filter,
+
         email_attr,
         name_attr,
+
+        settings,
     }
 }
 
@@ -38,6 +57,8 @@ pub struct LdapClientImpl {
     email_attr: String,
     name_attr: String,
+
+    settings: LdapConnSettings,
 }
 
 pub struct LdapUser {
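Review bot: In the `@@ -18,14 +20,31 @@` hunk, `encryption` is compared as a free string, so any value other than `"starttls"` or `"ldaps"` (a typo, a casing difference coming from the callers' `as_enum_str()`/`as_str()` helpers, or a future variant) silently yields a plaintext `ldap://` connection with no error. The new side already imports `tabby_schema::email::Encryption` in the first hunk, so `new_ldap_client` could take that enum and pick the scheme and the StartTLS flag with an exhaustive `match`, turning the fallback into a compile error instead of a silent downgrade; the `encryption: &str` parameter in the `@@ -9,8 +9,10 @@` hunk would change accordingly. Failing that, a comment on the `let schema` block such as `// any value other than "ldaps"/"starttls" means plaintext ldap://; callers must pass the exact enum string` would at least make the contract visible. Two style nits on the same hunk: the `};` closing each `if` block is a stray semicolon, and `schema` reads better as `scheme` since it names the URL scheme.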
@@ -48,7 +69,8 @@ pub struct LdapUser {
 #[async_trait]
 impl LdapClient for LdapClientImpl {
     async fn validate(&mut self, user: &str, password: &str) -> Result {
-        let (connection, mut client) = LdapConnAsync::new(&self.address).await?;
+        let (connection, mut client) =
+            LdapConnAsync::with_settings(self.settings.clone(), &self.address).await?;
         drive!(connection);
 
         // use bind_dn to search
diff --git a/ee/tabby-webserver/src/service/auth.rs b/ee/tabby-webserver/src/service/auth.rs
index b256c0034ab6..b49c7ead3be4 100644
--- a/ee/tabby-webserver/src/service/auth.rs
+++ b/ee/tabby-webserver/src/service/auth.rs
@@ -582,8 +582,10 @@ impl AuthenticationService for AuthenticationServiceImpl {
 
     async fn test_ldap_connection(&self, input: UpdateLdapCredentialInput) -> Result<()> {
         let mut client = ldap::new_ldap_client(
-            input.host,
+            input.host.as_ref(),
             input.port as i64,
+            input.encryption.as_enum_str(),
+            input.skip_tls_verify,
             input.bind_dn,
             input.bind_password,
             input.base_dn,
@@ -670,8 +672,10 @@ async fn ldap_login(
     let credential = credential.unwrap();
 
     let mut client = ldap::new_ldap_client(
-        credential.host,
+        credential.host.as_ref(),
         credential.port,
+        credential.encryption.as_str(),
+        credential.skip_tls_verify,
         credential.bind_dn,
         credential.bind_password,
         credential.base_dn,
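Review bot: The two call sites in the `@@ -582,8 +582,10 @@` and `@@ -670,8 +672,10 @@` hunks convert the encryption setting through different helpers, `input.encryption.as_enum_str()` and `credential.encryption.as_str()`, and both results feed the exact string comparison inside `ldap::new_ldap_client`; if the two helpers do not emit the identical lowercase literals (`"starttls"`, `"ldaps"`), one of the two paths will silently connect in plaintext. Their definitions are outside this diff, so this is worth confirming, or better, passing the typed value through so the comparison cannot drift between the test-connection path and the login path. Both `test_ldap_connection` and `ldap_login` continue outside their hunks.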