ldapclient: allow search queries customisation in configuration

internal/ldapclient/ldapclient.go

@@ -52,8 +52,10 @@ type Config struct {
 	BindDN          string            `envconfig:"binddn" desc:"a LDAP bind DN"`
 	BindPass        string            `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
 	BaseDN          string            `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
+	UserSearchQuery string            `envconfig:"user_search_query" desc:"the user search query" default:"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"`
 	AttrClaims      map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
 	RoleBaseDN      string            `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
+	RoleSearchQuery string            `envconfig:"role_search_query" desc:"the role search query" default:"(|(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s)))"`
 	RoleAttr        string            `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
 	RoleClaim       string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
 	CacheSize       int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
@@ -72,7 +74,13 @@ type Client struct {
 func New(cnf Config) *Client {
 	return &Client{
 		Config: cnf,
-		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, IsTLS: cnf.IsTLS},
+		connector: &ldapConnector{
+			BaseDN:          cnf.BaseDN,
+			UserSearchQuery: cnf.UserSearchQuery,
+			RoleBaseDN:      cnf.RoleBaseDN,
+			IsTLS:           cnf.IsTLS,
+			RoleSearchQuery: cnf.RoleSearchQuery,
+		},
 		cache: freecache.NewCache(cnf.CacheSize * 1024),
 	}
 }
@@ -299,6 +307,8 @@ type ldapConnector struct {
 	BaseDN          string
 	RoleBaseDN      string
 	IsTLS           bool
+	UserSearchQuery string
+	RoleSearchQuery string
 }
 
 func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
@@ -319,13 +329,21 @@ func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error)
 	ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
 
 	ldapcn.Start()
-	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
+	return &ldapConn{
+		Conn:            ldapcn,
+		BaseDN:          c.BaseDN,
+		UserSearchQuery: c.UserSearchQuery,
+		RoleBaseDN:      c.RoleBaseDN,
+		RoleSearchQuery: c.RoleSearchQuery,
+	}, nil
 }
 
 type ldapConn struct {
 	*ldap.Conn
 	BaseDN          string
 	RoleBaseDN      string
+	UserSearchQuery string
+	RoleSearchQuery string
 }
 
 func (c *ldapConn) Bind(bindDN, password string) error {
@@ -337,17 +355,12 @@ func (c *ldapConn) Bind(bindDN, password string) error {
 }
 
 func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interface{}, error) {
-	query := fmt.Sprintf(
+	query := fmt.Sprintf(c.UserSearchQuery, user)
-		"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+
-			"(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user)
 	return c.searchEntries(c.BaseDN, query, attrs)
 }
 
 func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
-	query := fmt.Sprintf("(|"+
+	query := fmt.Sprintf(c.RoleSearchQuery, user)
-		"(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))"+
-		"(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s))"+
-		")", user)
 	return c.searchEntries(c.RoleBaseDN, query, attrs)
 }