outposts/ldap: add dockerfile

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-04-26 15:35:56 +02:00 · 2021-04-26 15:35:56 +02:00 · 91ca90f700
parent b3c8ffb96c
commit 91ca90f700
7 changed files with 72 additions and 14 deletions
--- a/outpost/azure-pipelines.yml
+++ b/outpost/azure-pipelines.yml
@ -51,9 +51,9 @@ stages:
              script: |
                docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s
              workingDirectory: 'outpost/'
-  - stage: proxy_build_go
+  - stage: build_go
    jobs:
-      - job: build_go
+      - job: proxy_build_go
        pool:
          vmImage: 'ubuntu-latest'
        steps:
@ -70,9 +70,26 @@ stages:
              command: 'build'
              arguments: './cmd/proxy'
              workingDirectory: 'outpost/'
-  - stage: proxy_build_docker
+      - job: ldap_build_go
+        pool:
+          vmImage: 'ubuntu-latest'
+        steps:
+          - task: GoTool@0
+            inputs:
+              version: '1.16.3'
+          - task: DownloadPipelineArtifact@2
+            inputs:
+              buildType: 'current'
+              artifactName: 'go_swagger_client'
+              path: "outpost/pkg/"
+          - task: Go@0
+            inputs:
+              command: 'build'
+              arguments: './cmd/ldap'
+              workingDirectory: 'outpost/'
+  - stage: build_docker
    jobs:
-      - job: build
+      - job: proxy_build_docker
        pool:
          vmImage: 'ubuntu-latest'
        steps:
@ -97,3 +114,28 @@ stages:
              Dockerfile: 'outpost/proxy.Dockerfile'
              buildContext: 'outpost/'
              tags: "gh-$(branchName)"
+      - job: ldap_build_docker
+        pool:
+          vmImage: 'ubuntu-latest'
+        steps:
+          - task: GoTool@0
+            inputs:
+              version: '1.16.3'
+          - task: DownloadPipelineArtifact@2
+            inputs:
+              buildType: 'current'
+              artifactName: 'go_swagger_client'
+              path: "outpost/pkg/"
+          - task: Bash@3
+            inputs:
+              targetType: 'inline'
+              script: |
+                python ./scripts/az_do_set_branch.py
+          - task: Docker@2
+            inputs:
+              containerRegistry: 'beryjuorg-harbor'
+              repository: 'authentik/outpost-ldap'
+              command: 'buildAndPush'
+              Dockerfile: 'outpost/ldap.Dockerfile'
+              buildContext: 'outpost/'
+              tags: "gh-$(branchName)"
--- a/outpost/ldap.Dockerfile
+++ b/outpost/ldap.Dockerfile
@ -0,0 +1,13 @@
+FROM golang:1.16.3 AS builder
+
+WORKDIR /work
+
+COPY . .
+
+RUN go build -o /work/ldap ./cmd/ldap
+
+FROM gcr.io/distroless/base-debian10:debug
+
+COPY --from=builder /work/ldap /
+
+ENTRYPOINT ["/ldap"]
--- a/outpost/pkg/ldap/api.go
+++ b/outpost/pkg/ldap/api.go
@ -28,7 +28,7 @@ func (ls *LDAPServer) Refresh() error {
 			appSlug:  *provider.ApplicationSlug,
 			flowSlug: *provider.BindFlowSlug,
 			s:        ls,
-			log:      log.WithField("provider", provider.Name),
+			log:      log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
 		}
 	}
 	ls.providers = providers
--- a/outpost/pkg/ldap/bind.go
+++ b/outpost/pkg/ldap/bind.go
@ -6,15 +6,9 @@ import (
 	"github.com/nmcclain/ldap"
 )

-type UIDResponse struct {
-	UIDFIeld string `json:"uid_field"`
-}
-
-type PasswordResponse struct {
-	Password string `json:"password"`
-}

 func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
+	ls.log.WithField("dn", bindDN).Info("bind")
 	for _, instance := range ls.providers {
 		username, err := instance.getUsername(bindDN)
 		if err == nil {
--- a/outpost/pkg/ldap/instance_bind.go
+++ b/outpost/pkg/ldap/instance_bind.go
@ -16,6 +16,14 @@ import (
 	"goauthentik.io/outpost/pkg/client/flows"
 )

+type UIDResponse struct {
+	UIDFIeld string `json:"uid_field"`
+}
+
+type PasswordResponse struct {
+	Password string `json:"password"`
+}
+
 func (pi *ProviderInstance) getUsername(dn string) (string, error) {
 	if !strings.HasSuffix(dn, pi.BaseDN) {
 		return "", errors.New("invalid base DN")
@ -59,7 +67,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
 	if err != nil {
 		if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
 			pi.log.WithField("dn", username).Info("Access denied for user")
-			return ldap.LDAPResultInvalidCredentials, nil
+			return ldap.LDAPResultInsufficientAccessRights, nil
 		}
 		pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
--- a/outpost/pkg/ldap/ldap.go
+++ b/outpost/pkg/ldap/ldap.go
@ -35,7 +35,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
 	s.EnforceLDAP = true
 	ls := &LDAPServer{
 		s:         s,
-		log:       log.WithField("logger", "ldap-server"),
+		log:       log.WithField("logger", "authentik.outpost.ldap"),
 		ac:        ac,
 		providers: []*ProviderInstance{},
 	}
--- a/outpost/pkg/ldap/search.go
+++ b/outpost/pkg/ldap/search.go
@ -9,6 +9,7 @@ import (
 )

 func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
+	ls.log.WithField("dn", boundDN).Info("search")
 	bd, err := goldap.ParseDN(boundDN)
 	if err != nil {
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")