syncthing/lib/api/api_auth.go

// Copyright (C) 2014 The Syncthing Authors.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
// You can obtain one at https://mozilla.org/MPL/2.0/.

package api

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"

	ldap "github.com/go-ldap/ldap/v3"
	"github.com/syncthing/syncthing/lib/config"
	"github.com/syncthing/syncthing/lib/events"
	"github.com/syncthing/syncthing/lib/rand"
	"github.com/syncthing/syncthing/lib/sync"
)

var (
	sessions    = make(map[string]bool)
	sessionsMut = sync.NewMutex()
)

func emitLoginAttempt(success bool, username, address string, evLogger events.Logger) {
	evLogger.Log(events.LoginAttempt, map[string]interface{}{
		"success":       success,
		"username":      username,
		"remoteAddress": address,
	})
	if !success {
		l.Infof("Wrong credentials supplied during API authorization from %s", address)
	}
}

func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration, next http.Handler, evLogger events.Logger) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if guiCfg.IsValidAPIKey(r.Header.Get("X-API-Key")) {
			next.ServeHTTP(w, r)
			return
		}

		// Exception for REST calls that don't require authentication.
		if strings.HasPrefix(r.URL.Path, "/rest/noauth") {
			next.ServeHTTP(w, r)
			return
		}

		cookie, err := r.Cookie(cookieName)
		if err == nil && cookie != nil {
			sessionsMut.Lock()
			_, ok := sessions[cookie.Value]
			sessionsMut.Unlock()
			if ok {
				next.ServeHTTP(w, r)
				return
			}
		}

		l.Debugln("Sessionless HTTP request with authentication; this is expensive.")

		error := func() {
			time.Sleep(time.Duration(rand.Intn(100)+100) * time.Millisecond)
			w.Header().Set("WWW-Authenticate", "Basic realm=\"Authorization Required\"")
			http.Error(w, "Not Authorized", http.StatusUnauthorized)
		}

		username, password, ok := r.BasicAuth()
		if !ok {
			error()
			return
		}

		authOk := auth(username, password, guiCfg, ldapCfg)
		if !authOk {
			usernameIso := string(iso88591ToUTF8([]byte(username)))
			passwordIso := string(iso88591ToUTF8([]byte(password)))
			authOk = auth(usernameIso, passwordIso, guiCfg, ldapCfg)
			if authOk {
				username = usernameIso
			}
		}

		if !authOk {
			emitLoginAttempt(false, username, r.RemoteAddr, evLogger)
			error()
			return
		}

		sessionid := rand.String(32)
		sessionsMut.Lock()
		sessions[sessionid] = true
		sessionsMut.Unlock()

		// Best effort detection of whether the connection is HTTPS --
		// either directly to us, or as used by the client towards a reverse
		// proxy who sends us headers.
		connectionIsHTTPS := r.TLS != nil ||
			strings.ToLower(r.Header.Get("x-forwarded-proto")) == "https" ||
			strings.Contains(strings.ToLower(r.Header.Get("forwarded")), "proto=https")
		// If the connection is HTTPS, or *should* be HTTPS, set the Secure
		// bit in cookies.
		useSecureCookie := connectionIsHTTPS || guiCfg.UseTLS()

		http.SetCookie(w, &http.Cookie{
			Name:   cookieName,
			Value:  sessionid,
			MaxAge: 0,
			Secure: useSecureCookie,
		})

		emitLoginAttempt(true, username, r.RemoteAddr, evLogger)
		next.ServeHTTP(w, r)
	})
}

func auth(username string, password string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration) bool {
	if guiCfg.AuthMode == config.AuthModeLDAP {
		return authLDAP(username, password, ldapCfg)
	} else {
		return authStatic(username, password, guiCfg)
	}
}

func authStatic(username string, password string, guiCfg config.GUIConfiguration) bool {
	return guiCfg.CompareHashedPassword(password) == nil && username == guiCfg.User
}

func authLDAP(username string, password string, cfg config.LDAPConfiguration) bool {
	address := cfg.Address
	hostname, _, err := net.SplitHostPort(address)
	if err != nil {
		hostname = address
	}
	var connection *ldap.Conn
	if cfg.Transport == config.LDAPTransportTLS {
		connection, err = ldap.DialTLS("tcp", address, &tls.Config{
			ServerName:         hostname,
			InsecureSkipVerify: cfg.InsecureSkipVerify,
		})
	} else {
		connection, err = ldap.Dial("tcp", address)
	}

	if err != nil {
		l.Warnln("LDAP Dial:", err)
		return false
	}

	if cfg.Transport == config.LDAPTransportStartTLS {
		err = connection.StartTLS(&tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify})
		if err != nil {
			l.Warnln("LDAP Start TLS:", err)
			return false
		}
	}

	defer connection.Close()

	err = connection.Bind(fmt.Sprintf(cfg.BindDN, username), password)
	if err != nil {
		l.Warnln("LDAP Bind:", err)
		return false
	}

	if cfg.SearchFilter == "" && cfg.SearchBaseDN == "" {
		// We're done here.
		return true
	}

	if cfg.SearchFilter == "" || cfg.SearchBaseDN == "" {
		l.Warnln("LDAP configuration: both searchFilter and searchBaseDN must be set, or neither.")
		return false
	}

	// If a search filter and search base is set we do an LDAP search for
	// the user. If this matches precisely one user then we are good to go.
	// The search filter uses the same %s interpolation as the bind DN.

	searchString := fmt.Sprintf(cfg.SearchFilter, username)
	const sizeLimit = 2  // we search for up to two users -- we only want to match one, so getting any number >1 is a failure.
	const timeLimit = 60 // Search for up to a minute...
	searchReq := ldap.NewSearchRequest(cfg.SearchBaseDN, ldap.ScopeWholeSubtree, ldap.DerefFindingBaseObj, sizeLimit, timeLimit, false, searchString, nil, nil)

	res, err := connection.Search(searchReq)
	if err != nil {
		l.Warnln("LDAP Search:", err)
		return false
	}
	if len(res.Entries) != 1 {
		l.Infof("Wrong number of LDAP search results, %d != 1", len(res.Entries))
		return false
	}

	return true
}

// Convert an ISO-8859-1 encoded byte string to UTF-8. Works by the
// principle that ISO-8859-1 bytes are equivalent to unicode code points,
// that a rune slice is a list of code points, and that stringifying a slice
// of runes generates UTF-8 in Go.
func iso88591ToUTF8(s []byte) []byte {
	runes := make([]rune, len(s))
	for i := range s {
		runes[i] = rune(s[i])
	}
	return []byte(string(runes))
}
Use more inclusive copyright header 2014-11-16 20:13:20 +00:00			`// Copyright (C) 2014 The Syncthing Authors.`
Relicense to GPL 2014-09-29 19:43:32 +00:00			`//`
MPLv2 2015-03-07 20:36:35 +00:00			`// This Source Code Form is subject to the terms of the Mozilla Public`
			`// License, v. 2.0. If a copy of the MPL was not distributed with this file,`
all: Update license url to https (ref #3976) 2017-02-09 06:52:18 +00:00			`// You can obtain one at https://mozilla.org/MPL/2.0/.`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00
cmd/syncthing, lib/api: Separate api/gui into own package (ref #4085) (#5529) * cmd/syncthing, lib/gui: Separate gui into own package (ref #4085) * fix tests * Don't use main as interface name (make old go happy) * gui->api * don't leak state via locations and use in-tree config * let api (un-)subscribe to config * interface naming and exporting * lib/ur * fix tests and lib/foldersummary * shorter URVersion and ur debug fix * review * model.JsonCompletion(FolderCompletion) -> FolderCompletion.Map() * rename debug facility https -> api * folder summaries in model * disassociate unrelated constants * fix merge fail * missing id assignement 2019-03-26 19:53:58 +00:00			`package api`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00
			`import (`
cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`"crypto/tls"`
			`"fmt"`
lib/api: Set ServerName on LDAPS connections (fixes #6450) (#6451) tls.Dial needs it for certificate verification. 2020-03-24 11:56:43 +00:00			`"net"`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`"net/http"`
			`"strings"`
			`"time"`

lib/api: Update ldap package (fixes #6479) (#6481) 2020-03-31 07:56:04 +00:00			`ldap "github.com/go-ldap/ldap/v3"`
mv internal lib 2015-08-06 09:29:25 +00:00			`"github.com/syncthing/syncthing/lib/config"`
Audit logins with new LoginAttempt event (fixes #2377) 2015-11-08 20:05:36 +00:00			`"github.com/syncthing/syncthing/lib/events"`
lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 07:02:56 +00:00			`"github.com/syncthing/syncthing/lib/rand"`
mv internal lib 2015-08-06 09:29:25 +00:00			`"github.com/syncthing/syncthing/lib/sync"`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`)`

			`var (`
Run vet and lint. Make us lint clean. 2015-04-28 20:32:10 +00:00			`sessions = make(map[string]bool)`
			`sessionsMut = sync.NewMutex()`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`)`

lib/api: Log the remote address on login attempts (#7560) This enables usage of the audit log to e.g. automatically block remote addresses from connecting after repeated login failures. 2021-04-13 08:14:44 +00:00			`func emitLoginAttempt(success bool, username, address string, evLogger events.Logger) {`
all: Remove global events.Default (ref #4085) (#5886) 2019-08-15 14:29:37 +00:00			`evLogger.Log(events.LoginAttempt, map[string]interface{}{`
lib/api: Log the remote address on login attempts (#7560) This enables usage of the audit log to e.g. automatically block remote addresses from connecting after repeated login failures. 2021-04-13 08:14:44 +00:00			`"success": success,`
			`"username": username,`
			`"remoteAddress": address,`
Audit logins with new LoginAttempt event (fixes #2377) 2015-11-08 20:05:36 +00:00			`})`
api: Log API authorization failures. (#7575) 2021-04-15 05:33:02 +00:00			`if !success {`
			`l.Infof("Wrong credentials supplied during API authorization from %s", address)`
			`}`
Audit logins with new LoginAttempt event (fixes #2377) 2015-11-08 20:05:36 +00:00			`}`

all: Remove global events.Default (ref #4085) (#5886) 2019-08-15 14:29:37 +00:00			`func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration, next http.Handler, evLogger events.Logger) http.Handler {`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`if guiCfg.IsValidAPIKey(r.Header.Get("X-API-Key")) {`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`next.ServeHTTP(w, r)`
			`return`
			`}`

lib/api: Add /rest/noauth/health health-check (fixes #8430) (#8585) 2022-10-06 19:28:49 +00:00			`// Exception for REST calls that don't require authentication.`
			`if strings.HasPrefix(r.URL.Path, "/rest/noauth") {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`

Use different session cookies per device 2015-06-22 15:57:08 +00:00			`cookie, err := r.Cookie(cookieName)`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`if err == nil && cookie != nil {`
			`sessionsMut.Lock()`
			`_, ok := sessions[cookie.Value]`
			`sessionsMut.Unlock()`
			`if ok {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`}`

cmd/syncthing, lib/api: Separate api/gui into own package (ref #4085) (#5529) * cmd/syncthing, lib/gui: Separate gui into own package (ref #4085) * fix tests * Don't use main as interface name (make old go happy) * gui->api * don't leak state via locations and use in-tree config * let api (un-)subscribe to config * interface naming and exporting * lib/ur * fix tests and lib/foldersummary * shorter URVersion and ur debug fix * review * model.JsonCompletion(FolderCompletion) -> FolderCompletion.Map() * rename debug facility https -> api * folder summaries in model * disassociate unrelated constants * fix merge fail * missing id assignement 2019-03-26 19:53:58 +00:00			`l.Debugln("Sessionless HTTP request with authentication; this is expensive.")`
Reminder in debug output to explain high CPU usage 2015-04-20 05:29:38 +00:00
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`error := func() {`
			`time.Sleep(time.Duration(rand.Intn(100)+100) * time.Millisecond)`
			`w.Header().Set("WWW-Authenticate", "Basic realm=\"Authorization Required\"")`
			`http.Error(w, "Not Authorized", http.StatusUnauthorized)`
			`}`

lib/api: http.Request.BasicAuth instead of custom code (#8039) 2021-11-06 11:38:08 +00:00			`username, password, ok := r.BasicAuth()`
			`if !ok {`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`error()`
			`return`
			`}`

all: Fix some linter errors (#5499) I'm working through linter complaints, these are some fixes. Broad categories: 1) Ignore errors where we can ignore errors: add "_ = ..." construct. you can argue that this is annoying noise, but apart from silencing the linter it does serve the purpose of highlighting that an error is being ignored. I think this is OK, because the linter highlighted some error cases I wasn't aware of (starting CPU profiles, for example). 2) Untyped constants where we though we had set the type. 3) A real bug where we ineffectually assigned to a shadowed err. 4) Some dead code removed. There'll be more of these, because not all packages are fixed, but the diff was already large enough. 2019-02-02 09:11:42 +00:00			`authOk := auth(username, password, guiCfg, ldapCfg)`
cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`if !authOk {`
			`usernameIso := string(iso88591ToUTF8([]byte(username)))`
			`passwordIso := string(iso88591ToUTF8([]byte(password)))`
			`authOk = auth(usernameIso, passwordIso, guiCfg, ldapCfg)`
			`if authOk {`
			`username = usernameIso`
			`}`
cmd/syncthing: Accept ISO-8859-1 and UTF-8 in HTTP BasicAuth header (fixes #2779) GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/2989 2016-04-18 20:24:38 +00:00			`}`

cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`if !authOk {`
lib/api: Log the remote address on login attempts (#7560) This enables usage of the audit log to e.g. automatically block remote addresses from connecting after repeated login failures. 2021-04-13 08:14:44 +00:00			`emitLoginAttempt(false, username, r.RemoteAddr, evLogger)`
cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`error()`
			`return`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`}`

lib/rand: Break out random functions into separate package The intention for this package is to provide a combination of the security of crypto/rand and the convenience of math/rand. It should be the first choice of random data unless ultimate performance is required and the usage is provably irrelevant from a security standpoint. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3186 2016-05-26 07:02:56 +00:00			`sessionid := rand.String(32)`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`sessionsMut.Lock()`
			`sessions[sessionid] = true`
			`sessionsMut.Unlock()`
lib/api: Set "Secure" on session cookies served over HTTPS (ref #7399) (#7907) So that it does not unnecessarily leak over clear text connections. 2021-08-27 15:56:54 +00:00
			`// Best effort detection of whether the connection is HTTPS --`
			`// either directly to us, or as used by the client towards a reverse`
			`// proxy who sends us headers.`
			`connectionIsHTTPS := r.TLS != nil \|\|`
			`strings.ToLower(r.Header.Get("x-forwarded-proto")) == "https" \|\|`
			`strings.Contains(strings.ToLower(r.Header.Get("forwarded")), "proto=https")`
			`// If the connection is HTTPS, or should be HTTPS, set the Secure`
			`// bit in cookies.`
			`useSecureCookie := connectionIsHTTPS \|\| guiCfg.UseTLS()`

Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`http.SetCookie(w, &http.Cookie{`
Use different session cookies per device 2015-06-22 15:57:08 +00:00			`Name: cookieName,`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`Value: sessionid,`
			`MaxAge: 0,`
lib/api: Set "Secure" on session cookies served over HTTPS (ref #7399) (#7907) So that it does not unnecessarily leak over clear text connections. 2021-08-27 15:56:54 +00:00			`Secure: useSecureCookie,`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`})`

lib/api: Log the remote address on login attempts (#7560) This enables usage of the audit log to e.g. automatically block remote addresses from connecting after repeated login failures. 2021-04-13 08:14:44 +00:00			`emitLoginAttempt(true, username, r.RemoteAddr, evLogger)`
Add session support (fixes #611) 2014-09-01 20:51:44 +00:00			`next.ServeHTTP(w, r)`
			`})`
			`}`
cmd/syncthing: Accept ISO-8859-1 and UTF-8 in HTTP BasicAuth header (fixes #2779) GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/2989 2016-04-18 20:24:38 +00:00
cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`func auth(username string, password string, guiCfg config.GUIConfiguration, ldapCfg config.LDAPConfiguration) bool {`
			`if guiCfg.AuthMode == config.AuthModeLDAP {`
			`return authLDAP(username, password, ldapCfg)`
			`} else {`
lib/config: Move the bcrypt password hashing to GUIConfiguration (#8028) What hash is used to store the password should ideally be an implementation detail, so that every user of the GUIConfiguration object automatically agrees on how to handle it. That is currently distribututed over the confighandler.go and api_auth.go files, plus tests. Add the SetHasedPassword() / CompareHashedPassword() API to keep the hashing method encapsulated. Add a separate test for it and adjust other users and tests. Remove all deprecated imports of the bcrypt package. 2021-11-08 12:32:04 +00:00			`return authStatic(username, password, guiCfg)`
cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`}`
			`}`

lib/config: Move the bcrypt password hashing to GUIConfiguration (#8028) What hash is used to store the password should ideally be an implementation detail, so that every user of the GUIConfiguration object automatically agrees on how to handle it. That is currently distribututed over the confighandler.go and api_auth.go files, plus tests. Add the SetHasedPassword() / CompareHashedPassword() API to keep the hashing method encapsulated. Add a separate test for it and adjust other users and tests. Remove all deprecated imports of the bcrypt package. 2021-11-08 12:32:04 +00:00			`func authStatic(username string, password string, guiCfg config.GUIConfiguration) bool {`
			`return guiCfg.CompareHashedPassword(password) == nil && username == guiCfg.User`
cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`}`

			`func authLDAP(username string, password string, cfg config.LDAPConfiguration) bool {`
			`address := cfg.Address`
lib/api: Set ServerName on LDAPS connections (fixes #6450) (#6451) tls.Dial needs it for certificate verification. 2020-03-24 11:56:43 +00:00			`hostname, _, err := net.SplitHostPort(address)`
			`if err != nil {`
			`hostname = address`
			`}`
cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`var connection *ldap.Conn`
			`if cfg.Transport == config.LDAPTransportTLS {`
lib/api: Set ServerName on LDAPS connections (fixes #6450) (#6451) tls.Dial needs it for certificate verification. 2020-03-24 11:56:43 +00:00			`connection, err = ldap.DialTLS("tcp", address, &tls.Config{`
			`ServerName: hostname,`
			`InsecureSkipVerify: cfg.InsecureSkipVerify,`
			`})`
cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`} else {`
			`connection, err = ldap.Dial("tcp", address)`
			`}`

			`if err != nil {`
			`l.Warnln("LDAP Dial:", err)`
			`return false`
			`}`

			`if cfg.Transport == config.LDAPTransportStartTLS {`
			`err = connection.StartTLS(&tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify})`
			`if err != nil {`
			`l.Warnln("LDAP Start TLS:", err)`
			`return false`
			`}`
			`}`

			`defer connection.Close()`

			`err = connection.Bind(fmt.Sprintf(cfg.BindDN, username), password)`
			`if err != nil {`
			`l.Warnln("LDAP Bind:", err)`
			`return false`
			`}`

lib/api: Add LDAP search filters (fixes #5376) (#6488) This adds the functionality to run a user search with a filter for LDAP authentication. The search is done after successful bind, as the binding user. The typical use case is to limit authentication to users who are member of a group or under a certain OU. For example, to only match users in the "Syncthing" group in otherwise default Active Directory set up for example.com: <searchBaseDN>CN=Users,DC=example,DC=com</searchBaseDN> <searchFilter>(&(sAMAccountName=%s)(memberOf=CN=Syncthing,CN=Users,DC=example,DC=com))</searchFilter> The search filter is an "and" of two criteria (with the ampersand being XML quoted), - "(sAMAccountName=%s)" matches the user logging in - "(memberOf=CN=Syncthing,CN=Users,DC=example,DC=com)" matches members of the group in question. Authentication will only proceed if the search filter matches precisely one user. 2020-04-04 09:33:43 +00:00			`if cfg.SearchFilter == "" && cfg.SearchBaseDN == "" {`
			`// We're done here.`
			`return true`
			`}`

			`if cfg.SearchFilter == "" \|\| cfg.SearchBaseDN == "" {`
			`l.Warnln("LDAP configuration: both searchFilter and searchBaseDN must be set, or neither.")`
			`return false`
			`}`

			`// If a search filter and search base is set we do an LDAP search for`
			`// the user. If this matches precisely one user then we are good to go.`
			`// The search filter uses the same %s interpolation as the bind DN.`

			`searchString := fmt.Sprintf(cfg.SearchFilter, username)`
			`const sizeLimit = 2 // we search for up to two users -- we only want to match one, so getting any number >1 is a failure.`
			`const timeLimit = 60 // Search for up to a minute...`
			`searchReq := ldap.NewSearchRequest(cfg.SearchBaseDN, ldap.ScopeWholeSubtree, ldap.DerefFindingBaseObj, sizeLimit, timeLimit, false, searchString, nil, nil)`

			`res, err := connection.Search(searchReq)`
			`if err != nil {`
			`l.Warnln("LDAP Search:", err)`
			`return false`
			`}`
			`if len(res.Entries) != 1 {`
			`l.Infof("Wrong number of LDAP search results, %d != 1", len(res.Entries))`
			`return false`
			`}`

cmd/syncthing: Add LDAP authentication for GUI (fixes #5163) (#5169) 2018-09-11 21:25:24 +00:00			`return true`
			`}`

cmd/syncthing: Accept ISO-8859-1 and UTF-8 in HTTP BasicAuth header (fixes #2779) GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/2989 2016-04-18 20:24:38 +00:00			`// Convert an ISO-8859-1 encoded byte string to UTF-8. Works by the`
			`// principle that ISO-8859-1 bytes are equivalent to unicode code points,`
			`// that a rune slice is a list of code points, and that stringifying a slice`
			`// of runes generates UTF-8 in Go.`
			`func iso88591ToUTF8(s []byte) []byte {`
			`runes := make([]rune, len(s))`
			`for i := range s {`
			`runes[i] = rune(s[i])`
			`}`
			`return []byte(string(runes))`
			`}`