Description
should first do #4610
Until now, when the browser extension looked up a public key on https://flowcrypt.com/attester/pub/user@example.test, the server would:
- check if there is a public key in its internal database; if yes, return it
- check if there is a public key in LDAP at ldap://keys.[domain]; if yes, save & return it
- check WKD at the recipient domain; if yes, save & return it
We are now updating the attester to pull public keys purely from its own database and ignore other sources. The browser extension already knows how to pull from WKD, and now we'll also teach it how to pull from LDAP. Since the browser cannot make arbitrary TCP connections, there is now a proxy for this: https://flowcrypt.com/attester/ldap-relay?server=keys.example.test&search=user@example.test . When a key is found, it returns status 200 and the armored key as text; otherwise it returns 404. The format is the same as https://flowcrypt.com/attester/pub/user@example.test, except that this ldap-relay endpoint can return more than one public key, concatenated with \n.
Steps, approximately:
- add a public method similar to `doLookup`, maybe called `doLookupLdap` (the public method will also later be needed for #4609, stop using initialLegacySubmit)

  The method accepts an email and an optional server. When the server is not provided, it derives it as follows: assuming I'm looking up user@example.test, the server is keys.example.test. There is similar code in the WKD and FES API code to extract the domain.

  Since more than one armored block can be returned, you need to parse them apart with `MsgBlockParser.detectBlocks` if you get a status 200, then filter the public keys from the parsed blocks, and return the result as an array.
- in `Attester.lookupEmail`, after checking that lookup is enabled, instead of calling `await this.doLookup(email)` please call the following:

  ```ts
  const results = await Promise.all([
    this.doLookup(email), // get from flowcrypt.com public keyserver database
    this.doLookupLdap(email), // get from recipient-specific LDAP server, if any, relayed through flowcrypt.com
    this.doLookupLdap(email, 'keyserver.pgp.com'), // get from keyserver.pgp.com, relayed through flowcrypt.com
  ])
  ```

  Then please choose and return only one set of results, with the following priority, starting from highest:
- if at least one public key was returned from customer-specific LDAP, return an array of these public keys and nothing else
- else, if flowcrypt.com public keyserver returned any public key, return only array of these
- else, return array of keys returned from keyserver.pgp.com (or empty array)
And return that from lookupEmail like before.
For tests, you can add attester mock endpoints to write tests ensuring that the priority is followed and that LDAP searches are also disabled when other attester searches are disabled.
Also test that it can parse and recognize more than one public key (e.g. respond with two public keys for one of the looked-up addresses, and then check that both were imported in settings).
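The following is an added stand-alone sketch of the procedure above and of the mock endpoints suggested for tests; it is example code written for this page, not FlowCrypt's own implementation. The relay URL shape, the 200/404 contract, the default `keys.<domain>` derivation and the priority rules are taken from the issue text. Everything else is assumed for the example: the `Fetcher` type replaces the extension's real HTTP client, `splitPublicKeyBlocks` is a minimal stand-in for `MsgBlockParser.detectBlocks` plus the public-key filter, `mockFetcher` and `fakeArmoredKey` produce constructed responses (the armor bodies are not real keys), and `lookupEnabled` stands for whatever setting gates attester lookups.

```typescript
// Added example, not FlowCrypt code. Assumed: Fetcher, splitPublicKeyBlocks (stand-in for
// MsgBlockParser.detectBlocks), mockFetcher, fakeArmoredKey and the lookupEnabled flag.
type Fetcher = (url: string) => Promise<{ status: number; text: string }>;

const ATTESTER = 'https://flowcrypt.com/attester';

// Default LDAP server from the issue: user@example.test -> keys.example.test.
function deriveLdapServer(email: string): string {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) {
    throw new Error(`not an email address: ${email}`);
  }
  return `keys.${email.slice(at + 1).toLowerCase()}`;
}

function ldapRelayUrl(email: string, server: string): string {
  const u = new URL(`${ATTESTER}/ldap-relay`);
  u.searchParams.set('server', server);
  u.searchParams.set('search', email);
  return u.toString();
}

// Stand-in for MsgBlockParser.detectBlocks followed by the "public keys only" filter: the relay
// concatenates several armored keys with '\n', so cut on the armor headers and drop any block
// that is not a public key (a stray message or signature block, for instance).
const PUB_BLOCK = /-----BEGIN PGP PUBLIC KEY BLOCK-----[\s\S]*?-----END PGP PUBLIC KEY BLOCK-----/g;
function splitPublicKeyBlocks(text: string): string[] {
  return (text.match(PUB_BLOCK) ?? []).map((b) => b.trim());
}

async function fetchKeys(fetcher: Fetcher, url: string): Promise<string[]> {
  const res = await fetcher(url);
  if (res.status === 404) return []; // this source has no key for the address
  if (res.status !== 200) throw new Error(`${url} returned HTTP ${res.status}`);
  return splitPublicKeyBlocks(res.text);
}

// The existing flowcrypt.com database lookup (doLookup).
function doLookup(fetcher: Fetcher, email: string): Promise<string[]> {
  return fetchKeys(fetcher, `${ATTESTER}/pub/${encodeURIComponent(email)}`);
}

// The new LDAP lookup relayed through flowcrypt.com (doLookupLdap); server is optional.
function doLookupLdap(fetcher: Fetcher, email: string, server?: string): Promise<string[]> {
  return fetchKeys(fetcher, ldapRelayUrl(email, server ?? deriveLdapServer(email)));
}

// Priority from the issue: recipient LDAP > flowcrypt.com database > keyserver.pgp.com.
function choosePriority(ldap: string[], attester: string[], pgpCom: string[]): string[] {
  if (ldap.length > 0) return ldap;
  if (attester.length > 0) return attester;
  return pgpCom;
}

async function lookupEmail(fetcher: Fetcher, email: string, lookupEnabled = true): Promise<string[]> {
  if (!lookupEnabled) return []; // disabling attester lookups must also disable the LDAP relay
  const [attester, ldap, pgpCom] = await Promise.all([
    doLookup(fetcher, email),
    doLookupLdap(fetcher, email),
    doLookupLdap(fetcher, email, 'keyserver.pgp.com'),
  ]);
  return choosePriority(ldap, attester, pgpCom);
}

// --- constructed mock of the two attester endpoints, the kind of thing the tests would use ---
function fakeArmoredKey(label: string): string {
  return [
    '-----BEGIN PGP PUBLIC KEY BLOCK-----',
    `Comment: constructed sample key "${label}", not a real key`,
    '',
    'bm90IGEgcmVhbCBrZXk=',
    '-----END PGP PUBLIC KEY BLOCK-----',
  ].join('\n');
}

// Table ids: "pub:<email>" for the database endpoint, "ldap:<server>:<email>" for the relay.
function mockFetcher(table: Record<string, string[]>): Fetcher {
  return async (url) => {
    const u = new URL(url);
    let id: string;
    if (u.pathname.startsWith('/attester/pub/')) {
      id = `pub:${decodeURIComponent(u.pathname.slice('/attester/pub/'.length))}`;
    } else if (u.pathname === '/attester/ldap-relay') {
      id = `ldap:${u.searchParams.get('server')}:${u.searchParams.get('search')}`;
    } else {
      return { status: 404, text: '' };
    }
    const keys = table[id];
    return keys ? { status: 200, text: keys.join('\n') } : { status: 404, text: '' };
  };
}

// Constructed scenario: user@ has keys everywhere (LDAP wins, two keys), second@ has no recipient
// LDAP key (database wins), third@ only exists on keyserver.pgp.com.
const demoFetcher = mockFetcher({
  'pub:user@example.test': [fakeArmoredKey('attester user')],
  'ldap:keys.example.test:user@example.test': [fakeArmoredKey('ldap user 1'), fakeArmoredKey('ldap user 2')],
  'ldap:keyserver.pgp.com:user@example.test': [fakeArmoredKey('pgp.com user')],
  'pub:second@example.test': [fakeArmoredKey('attester second')],
  'ldap:keyserver.pgp.com:second@example.test': [fakeArmoredKey('pgp.com second')],
  'ldap:keyserver.pgp.com:third@example.test': [fakeArmoredKey('pgp.com third')],
});
```

Note that `lookupEmail(demoFetcher, 'user@example.test')` resolves to the two LDAP keys and nothing else, which is exactly the multi-key import case the tests should cover, while `'third@example.test'` falls through to keyserver.pgp.com. Treating any non-200, non-404 status as an error rather than an empty result keeps a relay outage from silently demoting a recipient's LDAP key to a lower-priority source.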