From b01d3819939304e01c7b0839d7672f5bf4fc5a47 Mon Sep 17 00:00:00 2001
From: Tuan Dang
Date: Wed, 24 Apr 2024 21:19:07 -0700
Subject: [PATCH] Refactor ldap filter validation
---
 backend/src/ee/routes/v1/ldap-router.ts | 21 +++++++------
 .../ldap-config/ldap-config-service.ts | 30 +------------------
 2 files changed, 13 insertions(+), 38 deletions(-)
diff --git a/backend/src/ee/routes/v1/ldap-router.ts b/backend/src/ee/routes/v1/ldap-router.ts
index 34db0fb7e1..6730e9101b 100644
--- a/backend/src/ee/routes/v1/ldap-router.ts
+++ b/backend/src/ee/routes/v1/ldap-router.ts
@@ -54,13 +54,18 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
 try {
 const ldapConfig = (req as unknown as FastifyRequest).ldapConfig as TLDAPConfig;
- const groupFilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))";
- const groupSearchFilter = (ldapConfig.groupSearchFilter || groupFilter)
- .replace(/{{\.Username}}/g, user.uid)
- .replace(/{{\.UserDN}}/g, user.dn);
+ let groups: { dn: string; cn: string }[] | undefined;
+ if (ldapConfig.groupSearchBase) {
+ const groupFilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))";
+ const groupSearchFilter = (ldapConfig.groupSearchFilter || groupFilter)
+ .replace(/{{\.Username}}/g, user.uid)
+ .replace(/{{\.UserDN}}/g, user.dn);
- if (!isValidLdapFilter(groupSearchFilter)) {
- throw new Error("Generated LDAP search filter is invalid.");
+ if (!isValidLdapFilter(groupSearchFilter)) {
+ throw new Error("Generated LDAP search filter is invalid.");
+ }
+
+ groups = await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase);
 }
 const { isUserCompleted, providerAuthToken } = await server.services.ldap.ldapLogin({
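Review bot: `user.uid` and `user.dn` go into the group search filter unescaped at the two `.replace(...)` calls inside the new `if (ldapConfig.groupSearchBase)` block, so a value containing `(`, `)`, `*` or `\` alters the filter's structure rather than being matched literally. `isValidLdapFilter` is not shown in this diff; if it checks syntax only, a well-formed but altered filter passes it and determines the `groups` handed to `ldapLogin`. Escaping both values per RFC 4515 and switching to a function replacer (a string replacement expands `$&`-style patterns) keeps them literal, as sketched below. With the create/update checks removed from ldap-config-service.ts in this same commit, this login-time check is the only remaining validation of `groupSearchFilter`, and no check of `searchFilter` appears in the visible hunks. The route handler begins and ends outside the hunk.

```typescript
// RFC 4515: escape \ * ( ) and NUL in any value substituted into a filter
const escapeFilterValue = (value: string) =>
  value.replace(/[\\*()\0]/g, (ch) => `\\${ch.charCodeAt(0).toString(16).padStart(2, "0")}`);

// … unchanged: groups declaration, groupSearchBase check, default groupFilter …
const groupSearchFilter = (ldapConfig.groupSearchFilter || groupFilter)
  .replace(/{{\.Username}}/g, () => escapeFilterValue(user.uid))
  .replace(/{{\.UserDN}}/g, () => escapeFilterValue(user.dn));
// … unchanged: isValidLdapFilter check, searchGroups call …
```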
@@ -70,9 +75,7 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
 firstName: user.givenName ?? user.cn ?? "",
 lastName: user.sn ?? "",
 emails: user.mail ? [user.mail] : [],
- groups: ldapConfig.groupSearchBase
- ? await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase)
- : undefined,
+ groups,
 relayState: ((req as unknown as FastifyRequest).body as { RelayState?: string }).RelayState,
 orgId: (req as unknown as FastifyRequest).ldapConfig.organization
 });
diff --git a/backend/src/ee/services/ldap-config/ldap-config-service.ts b/backend/src/ee/services/ldap-config/ldap-config-service.ts
index 6141044da5..85c5376845 100644
--- a/backend/src/ee/services/ldap-config/ldap-config-service.ts
+++ b/backend/src/ee/services/ldap-config/ldap-config-service.ts
@@ -40,7 +40,7 @@ import {
 TTestLdapConnectionDTO,
 TUpdateLdapCfgDTO
 } from "./ldap-config-types";
-import { isValidLdapFilter, testLDAPConfig } from "./ldap-fns";
+import { testLDAPConfig } from "./ldap-fns";
 import { TLdapGroupMapDALFactory } from "./ldap-group-map-dal";
 type TLdapConfigServiceFactoryDep = {
@@ -113,18 +113,6 @@ export const ldapConfigServiceFactory = ({
 "Failed to create LDAP configuration due to plan restriction. Upgrade plan to create LDAP configuration."
 });
- const isSearchFilterValid = isValidLdapFilter(searchFilter);
- if (!isSearchFilterValid)
- throw new BadRequestError({
- message: "Failed to create LDAP configuration due to invalid search filter."
- });
-
- const isGroupSearchFilterValid = isValidLdapFilter(groupSearchFilter);
- if (!isGroupSearchFilterValid)
- throw new BadRequestError({
- message: "Failed to create LDAP configuration due to invalid group search filter."
- });
-
 const orgBot = await orgBotDAL.transaction(async (tx) => {
 const doc = await orgBotDAL.findOne({ orgId }, tx);
 if (doc) return doc;
@@ -225,22 +213,6 @@ export const ldapConfigServiceFactory = ({
 "Failed to update LDAP configuration due to plan restriction. Upgrade plan to update LDAP configuration."
 });
- if (searchFilter) {
- const isSearchFilterValid = isValidLdapFilter(searchFilter);
- if (!isSearchFilterValid)
- throw new BadRequestError({
- message: "Failed to update LDAP configuration due to invalid search filter."
- });
- }
-
- if (groupSearchFilter) {
- const isGroupSearchFilterValid = isValidLdapFilter(groupSearchFilter);
- if (!isGroupSearchFilterValid)
- throw new BadRequestError({
- message: "Failed to update LDAP configuration due to invalid group search filter."
- });
- }
-
 const updateQuery: TLdapConfigsUpdate = {
 isActive,
 url,