feat(ldap): add option to load ldap from file (#1778)
Signed-off-by: Laurentiu Niculae <[email protected]>
laurentiuNiculae authored Nov 15, 2023
1 parent b2a9239 commit 272eb7c
Showing 10 changed files with 668 additions and 41 deletions.
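--- a/examples/config-ldap-credentials.json
+++ b/examples/config-ldap-credentials.json
@@ -0,0 +1,4 @@
+{
+"bindDN":"cn=ldap-searcher,ou=Users,dc=example,dc=org",
+"bindPassword":"ldap-searcher-password"
+}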
3 changes: 1 addition & 2 deletions examples/config-ldap.json
Expand Up @@ -13,14 +13,13 @@
},
"auth": {
"ldap": {
"credentialsFile": "examples/config-ldap-credentials.json",
"address": "ldap.example.org",
"port": 389,
"startTLS": false,
"baseDN":"ou=Users,dc=example,dc=org",
"userAttribute": "uid",
"userGroupAttribute": "memberOf",
"bindDN":"cn=ldap-searcher,ou=Users,dc=example,dc=org",
"bindPassword":"ldap-searcher-password",
"skipVerify": true,
"subtreeSearch": true
},
4 changes: 2 additions & 2 deletions pkg/api/authn.go
Expand Up @@ -266,9 +266,9 @@ func (amw *AuthnMiddleware) tryAuthnHandlers(ctlr *Controller) mux.MiddlewareFun
UseSSL: !ldapConfig.Insecure,
SkipTLS: !ldapConfig.StartTLS,
Base: ldapConfig.BaseDN,
BindDN: ldapConfig.BindDN,
BindDN: ldapConfig.BindDN(),
BindPassword: ldapConfig.BindPassword(),
UserGroupAttribute: ldapConfig.UserGroupAttribute, // from config
BindPassword: ldapConfig.BindPassword,
UserFilter: fmt.Sprintf("(%s=%%s)", ldapConfig.UserAttribute),
InsecureSkipVerify: ldapConfig.SkipVerify,
ServerName: ldapConfig.Address,
34 changes: 30 additions & 4 deletions pkg/api/config/config.go
Expand Up @@ -121,21 +121,47 @@ type SchedulerConfig struct {
NumWorkers int
}

type LDAPCredentials struct {
BindDN string
BindPassword string
}

type LDAPConfig struct {
CredentialsFile string
Port int
Insecure bool
StartTLS bool // if !Insecure, then StartTLS or LDAPs
SkipVerify bool
SubtreeSearch bool
Address string
BindDN string
bindDN string `json:"-"`
bindPassword string `json:"-"`
UserGroupAttribute string
BindPassword string
BaseDN string
UserAttribute string
CACert string
}

func (ldapConf *LDAPConfig) BindDN() string {
return ldapConf.bindDN
}

func (ldapConf *LDAPConfig) SetBindDN(bindDN string) *LDAPConfig {
ldapConf.bindDN = bindDN

return ldapConf
}

func (ldapConf *LDAPConfig) BindPassword() string {
return ldapConf.bindPassword
}

func (ldapConf *LDAPConfig) SetBindPassword(bindPassword string) *LDAPConfig {
ldapConf.bindPassword = bindPassword

return ldapConf
}

type LogConfig struct {
Level string
Output string
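Review bot: `LDAPCredentials` and the four new accessor methods are exported without doc comments, and the `json:"-"` tags on `bindDN` and `bindPassword` are redundant because encoding/json never reads or writes unexported fields, so a reader may wrongly assume the tag is what keeps the password out of serialized config. Suggested header: `// LDAPCredentials holds the LDAP bind DN and password read from a credentials file (see LDAPConfig.CredentialsFile); they are kept out of LDAPConfig so the secret is not serialized with the rest of the config.` Removing the exported `BindDN`/`BindPassword` fields also means an existing config that still sets `bindDN`/`bindPassword` inline will be silently ignored unless the loader rejects unknown keys (the loader is not in this diff), leaving the searcher bind with empty credentials; a startup check that reports those keys as no longer supported would make the migration visible. If `DeepCopy`, used by `Sanitize` in the next hunk, round-trips through JSON, the unexported fields are not copied and `bindDN` is dropped from the sanitized config — worth confirming against `DeepCopy`'s implementation.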
Expand Down Expand Up @@ -266,14 +292,14 @@ func (c *Config) Sanitize() *Config {
panic(err)
}

if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.BindPassword != "" {
if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.bindPassword != "" {
sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{}

if err := DeepCopy(c.HTTP.Auth.LDAP, sanitizedConfig.HTTP.Auth.LDAP); err != nil {
panic(err)
}

sanitizedConfig.HTTP.Auth.LDAP.BindPassword = "******"
sanitizedConfig.HTTP.Auth.LDAP.bindPassword = "******"
}

return sanitizedConfig
4 changes: 2 additions & 2 deletions pkg/api/config/config_test.go
Expand Up @@ -69,11 +69,11 @@ func TestConfig(t *testing.T) {
Convey("Test DeepCopy() & Sanitize()", t, func() {
conf := config.New()
So(conf, ShouldNotBeNil)
authConfig := &config.AuthConfig{LDAP: &config.LDAPConfig{BindPassword: "oina"}}
authConfig := &config.AuthConfig{LDAP: (&config.LDAPConfig{}).SetBindPassword("oina")}
conf.HTTP.Auth = authConfig
So(func() { conf.Sanitize() }, ShouldNotPanic)
conf = conf.Sanitize()
So(conf.HTTP.Auth.LDAP.BindPassword, ShouldEqual, "******")
So(conf.HTTP.Auth.LDAP.BindPassword(), ShouldEqual, "******")

// negative
obj := make(chan int)
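Review bot: The updated assertion only checks that the password is masked; since `Sanitize` copies the LDAP config through `DeepCopy` (not shown here) and the bind fields are now unexported, the test does not prove that `bindDN` survives sanitization. Set both values and assert the DN is preserved: `LDAP: (&config.LDAPConfig{}).SetBindDN("cn=test").SetBindPassword("oina")` and `So(conf.HTTP.Auth.LDAP.BindDN(), ShouldEqual, "cn=test")`. The enclosing `TestConfig` function starts and ends outside the hunk.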