after doing further research, I think you're only supposed to pass th…

…e ca certs and not any of the rest. also simplified the sslconfig function to hopefully appease sonarqube Signed-off-by: Amndeep Singh Mann <[email protected]>
mitre · Oct 26, 2023 · e9765d7 · e9765d7
1 parent 985478f
commit e9765d7
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 46 deletions.
diff --git a/apps/backend/.env-example b/apps/backend/.env-example
@@ -57,8 +57,6 @@ LDAP_NAMEFIELD="<The field that contains the user's full name (defaults to name)
 LDAP_MAILFIELD="<The field that contains the user's email (defaults to mail)>"
 LDAP_SSL=<Whether or not to use SSL certificate authentication (if nothing is provided, defaults to false)>
 LDAP_SSL_INSECURE=<Whether or not to ignore SSL issues (security risk if enabled, if nothing is provided, defaults to false)>
-LDAP_SSL_KEY=<Full path to SSL key OR the key itself (no default, must be set if using SSL)>
-LDAP_SSL_CERT=<Full path to SSL certificate OR the certificate itself (no default, must be set if using SSL)>
 LDAP_SSL_CA=<Full path to SSL certificate authority OR the certificate authority itself (no default, must be set if using SSL)>
 
 ## OAuth Client IDs and Secrets, If a variable does not have client id values assigned then the feature is disabled.

diff --git a/apps/backend/src/authn/ldap.strategy.ts b/apps/backend/src/authn/ldap.strategy.ts
@@ -17,53 +17,21 @@ export class LDAPStrategy extends PassportStrategy(Strategy, 'ldap') {
       return false;
     }
 
-    let sslKey, sslCert, sslCA;
-
-    if (typeof configService.get('LDAP_SSL_KEY') === 'string') {
-      if (configService.get('LDAP_SSL_KEY')?.indexOf('-BEGIN') !== -1) {
-        sslKey = configService.get('LDAP_SSL_KEY');
-      } else {
-        // Verify file exists
-        if (fs.statSync(configService.get('LDAP_SSL_KEY')!).isFile()) {
-          sslKey = fs.readFileSync(configService.get('LDAP_SSL_KEY')!);
-        } else {
-          throw new Error('SSL Key file does not exist');
-        }
-      }
-    }
-
-    if (typeof configService.get('LDAP_SSL_CERT') === 'string') {
-      if (configService.get('LDAP_SSL_CERT')?.indexOf('-BEGIN') !== -1) {
-        sslCert = configService.get('LDAP_SSL_CERT');
-      } else {
-        // Verify file exists
-        if (fs.statSync(configService.get('LDAP_SSL_CERT')!).isFile()) {
-          sslCert = fs.readFileSync(configService.get('LDAP_SSL_CERT')!);
-        } else {
-          throw new Error('SSL Cert file does not exist');
-        }
-      }
-    }
-
-    if (typeof configService.get('LDAP_SSL_CA') === 'string') {
-      if (configService.get('LDAP_SSL_CA')?.indexOf('-BEGIN') !== -1) {
-        sslCA = configService.get('LDAP_SSL_CA');
-      } else {
-        // Verify file exists
-        if (fs.statSync(configService.get('LDAP_SSL_CA')!).isFile()) {
-          sslCA = fs.readFileSync(configService.get('LDAP_SSL_CA')!);
-        } else {
-          throw new Error('SSL CA file does not exist');
-        }
-      }
+    let sslCA: string | Buffer | undefined = configService.get('LDAP_SSL_CA');
+    if (
+      sslCA &&
+      sslCA.indexOf('-BEGIN') === -1 &&
+      fs.statSync(sslCA).isFile()
+    ) {
+      sslCA = fs.readFileSync(sslCA);
+    } else {
+      throw new Error('SSL CA file does not exist');
     }
 
     return {
       rejectUnauthorized:
         configService.get('LDAP_SSL_INSECURE') &&
         configService.get('LDAP_SSL_INSECURE')?.toLowerCase() !== 'true',
-      key: sslKey,
-      cert: sslCert,
       ca: sslCA
     };
   }
@@ -90,9 +58,7 @@ export class LDAPStrategy extends PassportStrategy(Strategy, 'ldap') {
           ...(sslConfig && {
             tlsOptions: {
               rejectUnauthorized: sslConfig.rejectUnauthorized,
-              ca: sslConfig.ca,
-              cert: sslConfig.cert,
-              key: sslConfig.key
+              ca: sslConfig.ca
             }
           })
         }