authentik/outpost/pkg/ldap/instance_bind.go

package ldap

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"strings"
	"time"

	goldap "github.com/go-ldap/ldap/v3"
	httptransport "github.com/go-openapi/runtime/client"
	"github.com/nmcclain/ldap"
	"goauthentik.io/outpost/pkg/client/core"
	"goauthentik.io/outpost/pkg/client/flows"
	"goauthentik.io/outpost/pkg/models"
)

const ContextUserKey = "ak_user"

type UIDResponse struct {
	UIDFIeld string `json:"uid_field"`
}

type PasswordResponse struct {
	Password string `json:"password"`
}

func (pi *ProviderInstance) getUsername(dn string) (string, error) {
	if !strings.HasSuffix(strings.ToLower(dn), strings.ToLower(pi.BaseDN)) {
		return "", errors.New("invalid base DN")
	}
	dns, err := goldap.ParseDN(dn)
	if err != nil {
		return "", err
	}
	for _, part := range dns.RDNs {
		for _, attribute := range part.Attributes {
			if strings.ToLower(attribute.Type) == "cn" {
				return attribute.Value, nil
			}
		}
	}
	return "", errors.New("failed to find cn")
}

func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		pi.log.WithError(err).Warning("Failed to create cookiejar")
		return ldap.LDAPResultOperationsError, nil
	}
	host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
	if err != nil {
		pi.log.WithError(err).Warning("Failed to get remote IP")
		return ldap.LDAPResultOperationsError, nil
	}
	// Create new http client that also sets the correct ip
	client := &http.Client{
		Jar: jar,
		Transport: newTransport(map[string]string{
			"X-authentik-remote-ip": host,
		}),
	}
	params := url.Values{}
	params.Add("goauthentik.io/outpost/ldap", "true")
	passed, err := pi.solveFlowChallenge(username, bindPW, client, params.Encode(), 1)
	if err != nil {
		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to solve challenge")
		return ldap.LDAPResultOperationsError, nil
	}
	if !passed {
		return ldap.LDAPResultInvalidCredentials, nil
	}
	_, err = pi.s.ac.Client.Core.CoreApplicationsCheckAccess(&core.CoreApplicationsCheckAccessParams{
		Slug:       pi.appSlug,
		Context:    context.Background(),
		HTTPClient: client,
	}, httptransport.PassThroughAuth)
	if err != nil {
		if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
			pi.log.WithField("bindDN", bindDN).Info("Access denied for user")
			return ldap.LDAPResultInsufficientAccessRights, nil
		}
		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to check access")
		return ldap.LDAPResultOperationsError, nil
	}
	pi.log.WithField("bindDN", bindDN).Info("User has access")
	// Get user info to store in context
	userInfo, err := pi.s.ac.Client.Core.CoreUsersMe(&core.CoreUsersMeParams{
		Context:    context.Background(),
		HTTPClient: client,
	}, httptransport.PassThroughAuth)
	if err != nil {
		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to get user info")
		return ldap.LDAPResultOperationsError, nil
	}
	pi.boundUsersMutex.Lock()
	pi.boundUsers[bindDN] = UserFlags{
		UserInfo:  *userInfo.Payload.User,
		CanSearch: pi.SearchAccessCheck(userInfo.Payload.User),
	}
	defer pi.boundUsersMutex.Unlock()
	pi.delayDeleteUserInfo(username)
	return ldap.LDAPResultSuccess, nil
}

// SearchAccessCheck Check if the current user is allowed to search
func (pi *ProviderInstance) SearchAccessCheck(user *models.User) bool {
	for _, group := range user.Groups {
		for _, allowedGroup := range pi.searchAllowedGroups {
			pi.log.WithField("userGroup", group.Pk).WithField("allowedGroup", allowedGroup).Trace("Checking search access")
			if group.Pk.String() == allowedGroup.String() {
				pi.log.WithField("group", group.Name).Info("Allowed access to search")
				return true
			}
		}
	}
	return false
}
func (pi *ProviderInstance) delayDeleteUserInfo(dn string) {
	ticker := time.NewTicker(30 * time.Second)
	quit := make(chan struct{})
	go func() {
		for {
			select {
			case <-ticker.C:
				pi.boundUsersMutex.Lock()
				delete(pi.boundUsers, dn)
				pi.boundUsersMutex.Unlock()
				close(quit)
			case <-quit:
				ticker.Stop()
				return
			}
		}
	}()
}

func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client, urlParams string, depth int) (bool, error) {
	challenge, err := pi.s.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{
		FlowSlug:   pi.flowSlug,
		Query:      urlParams,
		Context:    context.Background(),
		HTTPClient: client,
	}, pi.s.ac.Auth)
	if err != nil {
		pi.log.WithError(err).Warning("Failed to get challenge")
		return false, err
	}
	pi.log.WithField("component", challenge.Payload.Component).WithField("type", *challenge.Payload.Type).Debug("Got challenge")
	responseParams := &flows.FlowsExecutorSolveParams{
		FlowSlug:   pi.flowSlug,
		Query:      urlParams,
		Context:    context.Background(),
		HTTPClient: client,
	}
	switch challenge.Payload.Component {
	case "ak-stage-identification":
		responseParams.Data = &UIDResponse{UIDFIeld: bindDN}
	case "ak-stage-password":
		responseParams.Data = &PasswordResponse{Password: password}
	case "ak-stage-access-denied":
		return false, errors.New("got ak-stage-access-denied")
	default:
		return false, fmt.Errorf("unsupported challenge type: %s", challenge.Payload.Component)
	}
	response, err := pi.s.ac.Client.Flows.FlowsExecutorSolve(responseParams, pi.s.ac.Auth)
	pi.log.WithField("component", response.Payload.Component).WithField("type", *response.Payload.Type).Debug("Got response")
	switch response.Payload.Component {
	case "ak-stage-access-denied":
		return false, errors.New("got ak-stage-access-denied")
	}
	if *response.Payload.Type == "redirect" {
		return true, nil
	}
	if err != nil {
		pi.log.WithError(err).Warning("Failed to submit challenge")
		return false, err
	}
	if len(response.Payload.ResponseErrors) > 0 {
		for key, errs := range response.Payload.ResponseErrors {
			for _, err := range errs {
				pi.log.WithField("key", key).WithField("code", *err.Code).Debug(*err.String)
				return false, nil
			}
		}
	}
	if depth >= 10 {
		return false, errors.New("exceeded stage recursion depth")
	}
	return pi.solveFlowChallenge(bindDN, password, client, urlParams, depth+1)
}
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`package ldap`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
			`"net"`
			`"net/http"`
			`"net/http/cookiejar"`
outposts/ldap: fix concurrency issues Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 18:59:31 +00:00			`"net/url"`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`"strings"`
outposts/ldap: save user DN to determine who can search Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 19:49:15 +00:00			`"time"`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00
			`goldap "github.com/go-ldap/ldap/v3"`
			`httptransport "github.com/go-openapi/runtime/client"`
outposts/ldap: save user DN to determine who can search Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 19:49:15 +00:00			`"github.com/nmcclain/ldap"`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`"goauthentik.io/outpost/pkg/client/core"`
			`"goauthentik.io/outpost/pkg/client/flows"`
outpost/ldap: check access based on Group Membership Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 22:03:19 +00:00			`"goauthentik.io/outpost/pkg/models"`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`)`

outposts/ldap: use forked version of ldap library Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-29 18:26:14 +00:00			`const ContextUserKey = "ak_user"`

outposts/ldap: add dockerfile Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 13:35:56 +00:00			`type UIDResponse struct {`
			UIDFIeld string `json:"uid_field"`
			`}`

			`type PasswordResponse struct {`
			Password string `json:"password"`
			`}`

outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`func (pi *ProviderInstance) getUsername(dn string) (string, error) {`
outpost/ldap: make users and groups OU instead of CN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-07 09:46:26 +00:00			`if !strings.HasSuffix(strings.ToLower(dn), strings.ToLower(pi.BaseDN)) {`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`return "", errors.New("invalid base DN")`
			`}`
			`dns, err := goldap.ParseDN(dn)`
			`if err != nil {`
			`return "", err`
			`}`
			`for _, part := range dns.RDNs {`
			`for _, attribute := range part.Attributes {`
outpost/ldap: make users and groups OU instead of CN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-07 09:46:26 +00:00			`if strings.ToLower(attribute.Type) == "cn" {`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`return attribute.Value, nil`
			`}`
			`}`
			`}`
outpost/ldap: make users and groups OU instead of CN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-07 09:46:26 +00:00			`return "", errors.New("failed to find cn")`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`}`

outposts/ldap: fix user info caching, fix mixed case DN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #864 2021-05-12 16:49:15 +00:00			`func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`jar, err := cookiejar.New(nil)`
			`if err != nil {`
			`pi.log.WithError(err).Warning("Failed to create cookiejar")`
			`return ldap.LDAPResultOperationsError, nil`
			`}`
outposts/ldap: fix concurrency issues Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 18:59:31 +00:00			`host, _, err := net.SplitHostPort(conn.RemoteAddr().String())`
			`if err != nil {`
			`pi.log.WithError(err).Warning("Failed to get remote IP")`
			`return ldap.LDAPResultOperationsError, nil`
			`}`
			`// Create new http client that also sets the correct ip`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`client := &http.Client{`
			`Jar: jar,`
outposts/ldap: fix concurrency issues Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 18:59:31 +00:00			`Transport: newTransport(map[string]string{`
			`"X-authentik-remote-ip": host,`
			`}),`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`}`
outposts/ldap: fix concurrency issues Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 18:59:31 +00:00			`params := url.Values{}`
			`params.Add("goauthentik.io/outpost/ldap", "true")`
outposts/ldap: add infinite loop prevention Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-12 16:31:44 +00:00			`passed, err := pi.solveFlowChallenge(username, bindPW, client, params.Encode(), 1)`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`if err != nil {`
outposts/ldap: fix user info caching, fix mixed case DN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #864 2021-05-12 16:49:15 +00:00			`pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to solve challenge")`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`return ldap.LDAPResultOperationsError, nil`
			`}`
			`if !passed {`
			`return ldap.LDAPResultInvalidCredentials, nil`
			`}`
			`_, err = pi.s.ac.Client.Core.CoreApplicationsCheckAccess(&core.CoreApplicationsCheckAccessParams{`
			`Slug: pi.appSlug,`
			`Context: context.Background(),`
			`HTTPClient: client,`
			`}, httptransport.PassThroughAuth)`
			`if err != nil {`
			`if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {`
outposts/ldap: fix user info caching, fix mixed case DN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #864 2021-05-12 16:49:15 +00:00			`pi.log.WithField("bindDN", bindDN).Info("Access denied for user")`
outposts/ldap: add dockerfile Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 13:35:56 +00:00			`return ldap.LDAPResultInsufficientAccessRights, nil`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`}`
outposts/ldap: fix user info caching, fix mixed case DN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #864 2021-05-12 16:49:15 +00:00			`pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to check access")`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`return ldap.LDAPResultOperationsError, nil`
			`}`
outposts/ldap: fix user info caching, fix mixed case DN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #864 2021-05-12 16:49:15 +00:00			`pi.log.WithField("bindDN", bindDN).Info("User has access")`
outposts/ldap: use forked version of ldap library Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-29 18:26:14 +00:00			`// Get user info to store in context`
			`userInfo, err := pi.s.ac.Client.Core.CoreUsersMe(&core.CoreUsersMeParams{`
outposts/ldap: save user DN to determine who can search Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 19:49:15 +00:00			`Context: context.Background(),`
outposts/ldap: use forked version of ldap library Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-29 18:26:14 +00:00			`HTTPClient: client,`
			`}, httptransport.PassThroughAuth)`
			`if err != nil {`
outposts/ldap: fix user info caching, fix mixed case DN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #864 2021-05-12 16:49:15 +00:00			`pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to get user info")`
outposts/ldap: use forked version of ldap library Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-29 18:26:14 +00:00			`return ldap.LDAPResultOperationsError, nil`
			`}`
outposts/ldap: save user DN to determine who can search Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 19:49:15 +00:00			`pi.boundUsersMutex.Lock()`
outposts/ldap: fix user info caching, fix mixed case DN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #864 2021-05-12 16:49:15 +00:00			`pi.boundUsers[bindDN] = UserFlags{`
			`UserInfo: *userInfo.Payload.User,`
outpost/ldap: check access based on Group Membership Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 22:03:19 +00:00			`CanSearch: pi.SearchAccessCheck(userInfo.Payload.User),`
outposts/ldap: save user DN to determine who can search Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 19:49:15 +00:00			`}`
outposts/ldap: fix concurrency issues Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 18:59:31 +00:00			`defer pi.boundUsersMutex.Unlock()`
outposts/ldap: save user DN to determine who can search Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 19:49:15 +00:00			`pi.delayDeleteUserInfo(username)`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`return ldap.LDAPResultSuccess, nil`
			`}`

outpost/ldap: check access based on Group Membership Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 22:03:19 +00:00			`// SearchAccessCheck Check if the current user is allowed to search`
			`func (pi ProviderInstance) SearchAccessCheck(user models.User) bool {`
			`for _, group := range user.Groups {`
			`for _, allowedGroup := range pi.searchAllowedGroups {`
outposts/ldap: fix user info caching, fix mixed case DN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #864 2021-05-12 16:49:15 +00:00			`pi.log.WithField("userGroup", group.Pk).WithField("allowedGroup", allowedGroup).Trace("Checking search access")`
			`if group.Pk.String() == allowedGroup.String() {`
outpost/ldap: check access based on Group Membership Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 22:03:19 +00:00			`pi.log.WithField("group", group.Name).Info("Allowed access to search")`
			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`
outposts/ldap: save user DN to determine who can search Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-04 19:49:15 +00:00			`func (pi *ProviderInstance) delayDeleteUserInfo(dn string) {`
			`ticker := time.NewTicker(30 * time.Second)`
			`quit := make(chan struct{})`
			`go func() {`
			`for {`
			`select {`
			`case <-ticker.C:`
			`pi.boundUsersMutex.Lock()`
			`delete(pi.boundUsers, dn)`
			`pi.boundUsersMutex.Unlock()`
			`close(quit)`
			`case <-quit:`
			`ticker.Stop()`
			`return`
			`}`
			`}`
			`}()`
			`}`

outposts/ldap: add infinite loop prevention Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-12 16:31:44 +00:00			`func (pi ProviderInstance) solveFlowChallenge(bindDN string, password string, client http.Client, urlParams string, depth int) (bool, error) {`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`challenge, err := pi.s.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{`
			`FlowSlug: pi.flowSlug,`
outposts/ldap: fix concurrency issues Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 18:59:31 +00:00			`Query: urlParams,`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`Context: context.Background(),`
			`HTTPClient: client,`
outposts/ldap: fix concurrency issues Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 18:59:31 +00:00			`}, pi.s.ac.Auth)`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`if err != nil {`
			`pi.log.WithError(err).Warning("Failed to get challenge")`
			`return false, err`
			`}`
			`pi.log.WithField("component", challenge.Payload.Component).WithField("type", *challenge.Payload.Type).Debug("Got challenge")`
			`responseParams := &flows.FlowsExecutorSolveParams{`
			`FlowSlug: pi.flowSlug,`
outposts/ldap: fix concurrency issues Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 18:59:31 +00:00			`Query: urlParams,`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`Context: context.Background(),`
			`HTTPClient: client,`
			`}`
			`switch challenge.Payload.Component {`
			`case "ak-stage-identification":`
			`responseParams.Data = &UIDResponse{UIDFIeld: bindDN}`
			`case "ak-stage-password":`
			`responseParams.Data = &PasswordResponse{Password: password}`
outpost/ldap: make users and groups OU instead of CN Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-07 09:46:26 +00:00			`case "ak-stage-access-denied":`
			`return false, errors.New("got ak-stage-access-denied")`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`default:`
			`return false, fmt.Errorf("unsupported challenge type: %s", challenge.Payload.Component)`
			`}`
outposts/ldap: fix concurrency issues Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-08 18:59:31 +00:00			`response, err := pi.s.ac.Client.Flows.FlowsExecutorSolve(responseParams, pi.s.ac.Auth)`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`pi.log.WithField("component", response.Payload.Component).WithField("type", *response.Payload.Type).Debug("Got response")`
outposts/ldap: add infinite loop prevention Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-12 16:31:44 +00:00			`switch response.Payload.Component {`
			`case "ak-stage-access-denied":`
			`return false, errors.New("got ak-stage-access-denied")`
			`}`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`if *response.Payload.Type == "redirect" {`
			`return true, nil`
			`}`
			`if err != nil {`
			`pi.log.WithError(err).Warning("Failed to submit challenge")`
			`return false, err`
			`}`
			`if len(response.Payload.ResponseErrors) > 0 {`
			`for key, errs := range response.Payload.ResponseErrors {`
			`for _, err := range errs {`
			`pi.log.WithField("key", key).WithField("code", err.Code).Debug(err.String)`
			`return false, nil`
			`}`
			`}`
			`}`
outposts/ldap: add infinite loop prevention Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-05-12 16:31:44 +00:00			`if depth >= 10 {`
			`return false, errors.New("exceeded stage recursion depth")`
			`}`
			`return pi.solveFlowChallenge(bindDN, password, client, urlParams, depth+1)`
outposts/ldap: add ability to use multiple providers on the same outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-26 09:53:06 +00:00			`}`