From 6ece6e5be9bb51136becc56567f2f3ea10140469 Mon Sep 17 00:00:00 2001
From: Christoph Haas
Date: Mon, 22 Mar 2021 22:52:08 +0100
Subject: [PATCH] make ldap cert check configurable, fix CodeQL warnings

---
 internal/authentication/providers/ldap/provider.go | 2 +-
 internal/ldap/config.go | 11 ++++++-----
 internal/ldap/ldap.go | 4 ++--
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/internal/authentication/providers/ldap/provider.go b/internal/authentication/providers/ldap/provider.go
index f113696..412e807 100644
--- a/internal/authentication/providers/ldap/provider.go
+++ b/internal/authentication/providers/ldap/provider.go
@@ -182,7 +182,7 @@ func (provider Provider) open() (*ldap.Conn, error) {
 
 	if provider.config.StartTLS {
 		// Reconnect with TLS
-		err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		err = conn.StartTLS(&tls.Config{InsecureSkipVerify: !provider.config.CertValidation})
 		if err != nil {
 			return nil, err
 		}
diff --git a/internal/ldap/config.go b/internal/ldap/config.go
index 22caa9f..4988ab0 100644
--- a/internal/ldap/config.go
+++ b/internal/ldap/config.go
@@ -8,11 +8,12 @@ const (
 )
 
 type Config struct {
-	URL string `yaml:"url" envconfig:"LDAP_URL"`
-	StartTLS bool `yaml:"startTLS" envconfig:"LDAP_STARTTLS"`
-	BaseDN string `yaml:"dn" envconfig:"LDAP_BASEDN"`
-	BindUser string `yaml:"user" envconfig:"LDAP_USER"`
-	BindPass string `yaml:"pass" envconfig:"LDAP_PASSWORD"`
+	URL string `yaml:"url" envconfig:"LDAP_URL"`
+	StartTLS bool `yaml:"startTLS" envconfig:"LDAP_STARTTLS"`
+	CertValidation bool `yaml:"certcheck" envconfig:"LDAP_CERT_VALIDATION"`
+	BaseDN string `yaml:"dn" envconfig:"LDAP_BASEDN"`
+	BindUser string `yaml:"user" envconfig:"LDAP_USER"`
+	BindPass string `yaml:"pass" envconfig:"LDAP_PASSWORD"`
 	Type Type `yaml:"typ" envconfig:"LDAP_TYPE"` // AD for active directory, OpenLDAP for OpenLDAP
 	UserClass string `yaml:"userClass" envconfig:"LDAP_USER_CLASS"`
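Review bot: The new `CertValidation` flag is a plain bool whose zero value is false, so any deployment that does not set it explicitly keeps `InsecureSkipVerify: true` on the StartTLS upgrade, exactly the behaviour the commit is trying to make opt-in; the `Open` hunk in internal/ldap/ldap.go has the same default. A safer shape is to make the zero value the verifying one, e.g. an inverted field `SkipCertValidation bool` used as `InsecureSkipVerify: provider.config.SkipCertValidation`, or to default `CertValidation` to true where the config is loaded. Also worth confirming: with verification enabled, `crypto/tls` needs `ServerName` set on the config (or the LDAP library filling it from the URL host) before the handshake will succeed, so enabling the check may fail every connection until that is handled. The body of open() continues outside the hunk.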
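Review bot: The new `CertValidation` field carries no doc comment, and its three spellings disagree (`CertValidation`, `certcheck`, `LDAP_CERT_VALIDATION`), which makes it easy to set a mis-named key and silently keep verification off. Add a comment above the field such as `// CertValidation verifies the LDAP server certificate during StartTLS; when false the certificate is not checked (InsecureSkipVerify). Zero value is false.`, and consider a yaml key that matches the env name, e.g. `yaml:"certValidation"`, keeping `certcheck` only if shipped configs already rely on it. The Config struct continues outside the hunk.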
diff --git a/internal/ldap/ldap.go b/internal/ldap/ldap.go
index 04a8d06..75ce72b 100644
--- a/internal/ldap/ldap.go
+++ b/internal/ldap/ldap.go
@@ -23,7 +23,7 @@ func Open(cfg *Config) (*ldap.Conn, error) {
 
 	if cfg.StartTLS {
 		// Reconnect with TLS
-		err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		err = conn.StartTLS(&tls.Config{InsecureSkipVerify: !cfg.CertValidation})
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to star TLS on connection")
 		}
@@ -92,7 +92,7 @@ func IsActiveDirectoryUserDisabled(userAccountControl string) bool {
 		return false
 	}
 
-	uacInt, err := strconv.Atoi(userAccountControl)
+	uacInt, err := strconv.ParseInt(userAccountControl, 10, 32)
 	if err != nil {
 		return true
 	}
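Review bot: `strconv.ParseInt(userAccountControl, 10, 32)` still accepts a leading minus sign and bounds the value as a signed 32-bit integer, whereas userAccountControl in Active Directory is an unsigned 32-bit flag word; `strconv.ParseUint(userAccountControl, 10, 32)` expresses the intended range and rejects negative input outright. The bit test on `uacInt` lies outside the hunk, so its operand type would have to follow (presumably a uint64 then). The `return true` on parse failure treats an unreadable value as disabled, which is the safe direction, and a one-line comment, `// unparsable UAC: treat the account as disabled`, would keep a later cleanup from flipping it.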