From d92717a1c60e3125eeb5227f3659c24cce130f2f Mon Sep 17 00:00:00 2001
From: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Date: Fri, 28 Jun 2024 15:46:54 +0200
Subject: [PATCH] fix: encode ldap values to make valid UTF8 (#8210)

# Which Problems Are Solved

UUIDs stored in LDAP are Octet Strings and have to be parsed, so that they can be stored as IDs as they are not valid UTF8.

# How the Problems Are Solved

Try to parse the RawValue from LDAP as UUID, otherwise try to base64 decode and then parse as UUID, else use the data as string as before.

# Additional Changes

None

# Additional Context

Closes #7601
---
 internal/idp/providers/ldap/session.go | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/internal/idp/providers/ldap/session.go b/internal/idp/providers/ldap/session.go
index 13d2bb6793..c3ca5c6364 100644
--- a/internal/idp/providers/ldap/session.go
+++ b/internal/idp/providers/ldap/session.go
@@ -3,11 +3,13 @@ package ldap
 import (
 	"context"
 	"crypto/tls"
+	"encoding/base64"
 	"errors"
 	"net"
 	"net/url"
 	"strconv"
 	"time"
+	"unicode/utf8"
 
 	"github.com/go-ldap/ldap/v3"
 	"github.com/zitadel/logging"
@@ -262,12 +264,12 @@ func mapLDAPEntryToUser(
 	}
 
 	return NewUser(
-		user.GetAttributeValue(idAttribute),
-		user.GetAttributeValue(firstNameAttribute),
-		user.GetAttributeValue(lastNameAttribute),
-		user.GetAttributeValue(displayNameAttribute),
-		user.GetAttributeValue(nickNameAttribute),
-		user.GetAttributeValue(preferredUsernameAttribute),
+		getAttributeValue(user, idAttribute),
+		getAttributeValue(user, firstNameAttribute),
+		getAttributeValue(user, lastNameAttribute),
+		getAttributeValue(user, displayNameAttribute),
+		getAttributeValue(user, nickNameAttribute),
+		getAttributeValue(user, preferredUsernameAttribute),
 		domain.EmailAddress(user.GetAttributeValue(emailAttribute)),
 		emailVerified,
 		domain.PhoneNumber(user.GetAttributeValue(phoneAttribute)),
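Review bot: The email, phone (and, in the next hunk, profile) arguments of the `NewUser` call still read `user.GetAttributeValue` directly, so a non-UTF-8 value in those attributes is still passed through unchanged while the six arguments above them are now routed through the new helper. If that is intentional — a base64-encoded e-mail address or phone number would not be a usable value of `domain.EmailAddress`/`domain.PhoneNumber` — a short comment on the `domain.EmailAddress(...)` line such as `// typed attributes are not base64-encoded on invalid UTF-8; an unusable value is preferable to a wrong one` would stop a later reader from "completing" the change. mapLDAPEntryToUser begins and ends outside this hunk.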
@@ -277,3 +279,15 @@ func mapLDAPEntryToUser(
 		user.GetAttributeValue(profileAttribute),
 	), nil
 }
+
+func getAttributeValue(user *ldap.Entry, attribute string) string {
+	// return an empty string if no attribute is needed
+	if attribute == "" {
+		return ""
+	}
+	value := user.GetAttributeValue(attribute)
+	if utf8.ValidString(value) {
+		return value
+	}
+	return base64.StdEncoding.EncodeToString(user.GetRawAttributeValue(attribute))
+}
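Review bot: getAttributeValue has no doc comment, and the only comment it carries describes the empty-attribute short-circuit rather than what the function is for — returning the base64 (StdEncoding) form of the raw bytes whenever the attribute's first value is not valid UTF-8, which is the case for binary octet-string attributes. Because the result is used as the user's ID in mapLDAPEntryToUser, that encoding becomes part of the persisted identity and cannot be changed later without breaking existing links, so it deserves to be written down, e.g. `// getAttributeValue returns the first value of attribute ("" if attribute is empty). A value that is not valid UTF-8 (e.g. a binary GUID) is returned base64-encoded; this form is stored as the user ID, so the encoding must stay stable.` The commit message describes parsing the raw value as a UUID with a base64-decode fallback, which this code does not do; the message or the comment should be reconciled so the stored ID format is documented accurately. The valid-UTF-8 check is also only a heuristic: a binary value whose bytes happen to form valid UTF-8 (NUL and control bytes included) is returned verbatim, so the same attribute can be represented in two different ways across entries — acceptable for per-entry stability, but worth a sentence in the comment.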