outposts/ldap: add dockerfile

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-04-26 15:35:56 +02:00
parent b3c8ffb96c
commit 91ca90f700
7 changed files with 72 additions and 14 deletions

View file

@ -51,9 +51,9 @@ stages:
script: | script: |
docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s
workingDirectory: 'outpost/' workingDirectory: 'outpost/'
- stage: proxy_build_go - stage: build_go
jobs: jobs:
- job: build_go - job: proxy_build_go
pool: pool:
vmImage: 'ubuntu-latest' vmImage: 'ubuntu-latest'
steps: steps:
@ -70,9 +70,26 @@ stages:
command: 'build' command: 'build'
arguments: './cmd/proxy' arguments: './cmd/proxy'
workingDirectory: 'outpost/' workingDirectory: 'outpost/'
- stage: proxy_build_docker - job: ldap_build_go
pool:
vmImage: 'ubuntu-latest'
steps:
- task: GoTool@0
inputs:
version: '1.16.3'
- task: DownloadPipelineArtifact@2
inputs:
buildType: 'current'
artifactName: 'go_swagger_client'
path: "outpost/pkg/"
- task: Go@0
inputs:
command: 'build'
arguments: './cmd/ldap'
workingDirectory: 'outpost/'
- stage: build_docker
jobs: jobs:
- job: build - job: proxy_build_docker
pool: pool:
vmImage: 'ubuntu-latest' vmImage: 'ubuntu-latest'
steps: steps:
@ -97,3 +114,28 @@ stages:
Dockerfile: 'outpost/proxy.Dockerfile' Dockerfile: 'outpost/proxy.Dockerfile'
buildContext: 'outpost/' buildContext: 'outpost/'
tags: "gh-$(branchName)" tags: "gh-$(branchName)"
- job: ldap_build_docker
pool:
vmImage: 'ubuntu-latest'
steps:
- task: GoTool@0
inputs:
version: '1.16.3'
- task: DownloadPipelineArtifact@2
inputs:
buildType: 'current'
artifactName: 'go_swagger_client'
path: "outpost/pkg/"
- task: Bash@3
inputs:
targetType: 'inline'
script: |
python ./scripts/az_do_set_branch.py
- task: Docker@2
inputs:
containerRegistry: 'beryjuorg-harbor'
repository: 'authentik/outpost-ldap'
command: 'buildAndPush'
Dockerfile: 'outpost/ldap.Dockerfile'
buildContext: 'outpost/'
tags: "gh-$(branchName)"

13
outpost/ldap.Dockerfile Normal file
View file

@ -0,0 +1,13 @@
FROM golang:1.16.3 AS builder
WORKDIR /work
COPY . .
RUN go build -o /work/ldap ./cmd/ldap
FROM gcr.io/distroless/base-debian10:debug
COPY --from=builder /work/ldap /
ENTRYPOINT ["/ldap"]

View file

@ -28,7 +28,7 @@ func (ls *LDAPServer) Refresh() error {
appSlug: *provider.ApplicationSlug, appSlug: *provider.ApplicationSlug,
flowSlug: *provider.BindFlowSlug, flowSlug: *provider.BindFlowSlug,
s: ls, s: ls,
log: log.WithField("provider", provider.Name), log: log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
} }
} }
ls.providers = providers ls.providers = providers

View file

@ -6,15 +6,9 @@ import (
"github.com/nmcclain/ldap" "github.com/nmcclain/ldap"
) )
type UIDResponse struct {
UIDFIeld string `json:"uid_field"`
}
type PasswordResponse struct {
Password string `json:"password"`
}
func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) { func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
ls.log.WithField("dn", bindDN).Info("bind")
for _, instance := range ls.providers { for _, instance := range ls.providers {
username, err := instance.getUsername(bindDN) username, err := instance.getUsername(bindDN)
if err == nil { if err == nil {

View file

@ -16,6 +16,14 @@ import (
"goauthentik.io/outpost/pkg/client/flows" "goauthentik.io/outpost/pkg/client/flows"
) )
type UIDResponse struct {
UIDFIeld string `json:"uid_field"`
}
type PasswordResponse struct {
Password string `json:"password"`
}
func (pi *ProviderInstance) getUsername(dn string) (string, error) { func (pi *ProviderInstance) getUsername(dn string) (string, error) {
if !strings.HasSuffix(dn, pi.BaseDN) { if !strings.HasSuffix(dn, pi.BaseDN) {
return "", errors.New("invalid base DN") return "", errors.New("invalid base DN")
@ -59,7 +67,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
if err != nil { if err != nil {
if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied { if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
pi.log.WithField("dn", username).Info("Access denied for user") pi.log.WithField("dn", username).Info("Access denied for user")
return ldap.LDAPResultInvalidCredentials, nil return ldap.LDAPResultInsufficientAccessRights, nil
} }
pi.log.WithField("dn", username).WithError(err).Warning("failed to check access") pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
return ldap.LDAPResultOperationsError, nil return ldap.LDAPResultOperationsError, nil

View file

@ -35,7 +35,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
s.EnforceLDAP = true s.EnforceLDAP = true
ls := &LDAPServer{ ls := &LDAPServer{
s: s, s: s,
log: log.WithField("logger", "ldap-server"), log: log.WithField("logger", "authentik.outpost.ldap"),
ac: ac, ac: ac,
providers: []*ProviderInstance{}, providers: []*ProviderInstance{},
} }

View file

@ -9,6 +9,7 @@ import (
) )
func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) { func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
ls.log.WithField("dn", boundDN).Info("search")
bd, err := goldap.ParseDN(boundDN) bd, err := goldap.ParseDN(boundDN)
if err != nil { if err != nil {
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN") return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")