diff options
Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/docker_auth/files/docker_auth-ldap-cacert.patch | 67 | ||||
-rw-r--r-- | sys-auth/docker_auth/files/docker_auth-ldap-group-support-1.patch | 394 |
2 files changed, 0 insertions, 461 deletions
diff --git a/sys-auth/docker_auth/files/docker_auth-ldap-cacert.patch b/sys-auth/docker_auth/files/docker_auth-ldap-cacert.patch deleted file mode 100644 index e43e9e6ca889..000000000000 --- a/sys-auth/docker_auth/files/docker_auth-ldap-cacert.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 5505de31a91aea88e0cf623ec8edfd928b5432a7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Manuel=20R=C3=BCger?= <mrueg@gentoo.org> -Date: Mon, 18 Sep 2017 14:02:38 +0200 -Subject: [PATCH] Set custom CA certificate for ldap cert verification - -Code taken from: https://github.com/hashicorp/go-rootcerts/blob/master/rootcerts.go -Original author: Paul Hinze <phinze@phinze.com> ---- - auth_server/authn/ldap_auth.go | 17 ++++++++++++++++- - examples/reference.yml | 2 ++ - 2 files changed, 18 insertions(+), 1 deletion(-) - -diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go -index 3bdf7c3..a3425ed 100644 ---- a/auth_server/authn/ldap_auth.go -+++ b/auth_server/authn/ldap_auth.go -@@ -19,6 +19,7 @@ package authn - import ( - "bytes" - "crypto/tls" -+ "crypto/x509" - "fmt" - "io/ioutil" - "strings" -@@ -31,6 +32,7 @@ type LDAPAuthConfig struct { - Addr string `yaml:"addr,omitempty"` - TLS string `yaml:"tls,omitempty"` - InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"` -+ CACertificate string `yaml:"ca_certificate,omitempty"` - Base string `yaml:"base,omitempty"` - Filter string `yaml:"filter,omitempty"` - BindDN string `yaml:"bind_dn,omitempty"` -@@ -140,7 +142,20 @@ func (la *LDAPAuth) ldapConnection() (*ldap.Conn, error) { - tlsConfig := &tls.Config{InsecureSkipVerify: true} - if !la.config.InsecureTLSSkipVerify { - addr := strings.Split(la.config.Addr, ":") -- tlsConfig = &tls.Config{InsecureSkipVerify: false, ServerName: addr[0]} -+ if la.config.CACertificate != "" { -+ pool := x509.NewCertPool() -+ pem, err := ioutil.ReadFile(la.config.CACertificate) -+ if err != nil { -+ return nil, fmt.Errorf("Error loading CA File: %s", err) -+ } -+ ok := pool.AppendCertsFromPEM(pem) -+ if !ok { -+ return nil, fmt.Errorf("Error loading CA File: Couldn't parse PEM in: %s", la.config.CACertificate) -+ } -+ tlsConfig = &tls.Config{InsecureSkipVerify: false, ServerName: addr[0], RootCAs: pool} -+ } else { -+ tlsConfig = &tls.Config{InsecureSkipVerify: false, ServerName: addr[0]} -+ } - } - - if la.config.TLS == "" || la.config.TLS == "none" || la.config.TLS == "starttls" { -diff --git a/examples/reference.yml b/examples/reference.yml -index 3090978..769cc91 100644 ---- a/examples/reference.yml -+++ b/examples/reference.yml -@@ -131,6 +131,8 @@ ldap_auth: - tls: always - # set to true to allow insecure tls - insecure_tls_skip_verify: false -+ # set this to specify the ca certificate path -+ ca_cert: - # In case bind DN and password is required for querying user information, - # specify them here. Plain text password is read from the file. - bind_dn: diff --git a/sys-auth/docker_auth/files/docker_auth-ldap-group-support-1.patch b/sys-auth/docker_auth/files/docker_auth-ldap-group-support-1.patch deleted file mode 100644 index f9e98f410c8a..000000000000 --- a/sys-auth/docker_auth/files/docker_auth-ldap-group-support-1.patch +++ /dev/null @@ -1,394 +0,0 @@ -From 4a33badac6b74617dfe3797a716a6907cf018b27 Mon Sep 17 00:00:00 2001 -From: Kevin <kcd83@users.noreply.github.com> -Date: Mon, 27 Feb 2017 19:09:52 +1300 -Subject: [PATCH 1/4] Initial proof of concept mapping memberOf CN to the label - groups #63 - ---- - auth_server/authn/ldap_auth.go | 73 ++++++++++++++++++++++++++++++++++-------- - 1 file changed, 60 insertions(+), 13 deletions(-) - -diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go -index f8fc08f..42f5ad0 100644 ---- a/auth_server/authn/ldap_auth.go -+++ b/auth_server/authn/ldap_auth.go -@@ -17,7 +17,6 @@ - package authn - - import ( -- "bytes" - "crypto/tls" - "fmt" - "io/ioutil" -@@ -71,10 +70,20 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool, - account = la.escapeAccountInput(account) - - filter := la.getFilter(account) -- accountEntryDN, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &[]string{}) -+ -+ // dnAndGroupAttr := []string{"DN"} // example of no groups mapping attribute -+ groupAttribute := "memberOf" -+ dnAndGroupAttr := []string{"DN", groupAttribute} -+ -+ entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &dnAndGroupAttr) - if uSearchErr != nil { - return false, nil, uSearchErr - } -+ if len(entryAttrMap) < 1 || entryAttrMap["DN"] == nil || len(entryAttrMap["DN"]) != 1 { -+ return false, nil, NoMatch // User does not exist -+ } -+ -+ accountEntryDN := entryAttrMap["DN"][0] - if accountEntryDN == "" { - return false, nil, NoMatch // User does not exist - } -@@ -93,6 +102,20 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool, - return false, nil, bindErr - } - -+ // Extract group names from the attribute values -+ if entryAttrMap[groupAttribute] != nil { -+ rawGroups := entryAttrMap[groupAttribute] -+ labels := make(map[string][]string) -+ var groups []string -+ for _, value := range rawGroups { -+ cn := la.getCNFromDN(value) -+ groups = append(groups, cn) -+ } -+ labels["groups"] = groups -+ -+ return true, labels, nil -+ } -+ - return true, nil, nil - } - -@@ -170,9 +193,9 @@ func (la *LDAPAuth) getFilter(account string) string { - - //ldap search and return required attributes' value from searched entries - //default return entry's DN value if you leave attrs array empty --func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (string, error) { -+func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (map[string][]string, error) { - if l == nil { -- return "", fmt.Errorf("No ldap connection!") -+ return nil, fmt.Errorf("No ldap connection!") - } - glog.V(2).Infof("Searching...basedDN:%s, filter:%s", *baseDN, *filter) - searchRequest := ldap.NewSearchRequest( -@@ -183,30 +206,54 @@ func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, att - nil) - sr, err := l.Search(searchRequest) - if err != nil { -- return "", err -+ return nil, err - } - - if len(sr.Entries) == 0 { -- return "", nil // User does not exist -+ return nil, nil // User does not exist - } else if len(sr.Entries) > 1 { -- return "", fmt.Errorf("Too many entries returned.") -+ return nil, fmt.Errorf("Too many entries returned.") - } - -- var buffer bytes.Buffer -+ result := make(map[string][]string) - for _, entry := range sr.Entries { -+ - if len(*attrs) == 0 { - glog.V(2).Infof("Entry DN = %s", entry.DN) -- buffer.WriteString(entry.DN) -+ result["DN"] = []string{entry.DN} - } else { - for _, attr := range *attrs { -- values := strings.Join(entry.GetAttributeValues(attr), " ") -- glog.V(2).Infof("Entry %s = %s", attr, values) -- buffer.WriteString(values) -+ var values []string -+ if attr == "DN" { -+ // DN is excluded from attributes -+ values = []string{entry.DN} -+ } else { -+ values = entry.GetAttributeValues(attr) -+ } -+ valuesString := strings.Join(values, "\n") -+ glog.V(2).Infof("Entry %s = %s", attr, valuesString) -+ result[attr] = values -+ } -+ } -+ } -+ -+ return result, nil -+} -+ -+func (la *LDAPAuth) getCNFromDN(dn string) string { -+ parsedDN, err := ldap.ParseDN(dn) -+ if err != nil || len(parsedDN.RDNs) > 0 { -+ for _, rdn := range parsedDN.RDNs { -+ for _, rdnAttr := range rdn.Attributes { -+ if rdnAttr.Type == "CN" { -+ return rdnAttr.Value -+ } - } - } - } - -- return buffer.String(), nil -+ // else try using raw DN -+ return dn - } - - func (la *LDAPAuth) Stop() { - -From ddde2fa779e746d7e74cd972a4c6795c72f17ee6 Mon Sep 17 00:00:00 2001 -From: Kevin <kcd83@users.noreply.github.com> -Date: Tue, 28 Feb 2017 18:09:55 +1300 -Subject: [PATCH 2/4] Apply attribute mapping from configuration - ---- - auth_server/authn/ldap_auth.go | 125 ++++++++++++++++++++++++----------------- - 1 file changed, 74 insertions(+), 51 deletions(-) - -diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go -index 42f5ad0..6f733a2 100644 ---- a/auth_server/authn/ldap_auth.go -+++ b/auth_server/authn/ldap_auth.go -@@ -26,16 +26,22 @@ import ( - "github.com/golang/glog" - ) - -+type LabelMap struct { -+ Attribute string `yaml:"attribute,omitempty"` -+ ParseCN bool `yaml:"parse_cn,omitempty"` -+} -+ - type LDAPAuthConfig struct { -- Addr string `yaml:"addr,omitempty"` -- TLS string `yaml:"tls,omitempty"` -- InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"` -- Base string `yaml:"base,omitempty"` -- Filter string `yaml:"filter,omitempty"` -- BindDN string `yaml:"bind_dn,omitempty"` -- BindPasswordFile string `yaml:"bind_password_file,omitempty"` -- GroupBaseDN string `yaml:"group_base_dn,omitempty"` -- GroupFilter string `yaml:"group_filter,omitempty"` -+ Addr string `yaml:"addr,omitempty"` -+ TLS string `yaml:"tls,omitempty"` -+ InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"` -+ Base string `yaml:"base,omitempty"` -+ Filter string `yaml:"filter,omitempty"` -+ BindDN string `yaml:"bind_dn,omitempty"` -+ BindPasswordFile string `yaml:"bind_password_file,omitempty"` -+ LabelMaps map[string]LabelMap `yaml:"labels,omitempty"` -+ GroupBaseDN string `yaml:"group_base_dn,omitempty"` -+ GroupFilter string `yaml:"group_filter,omitempty"` - } - - type LDAPAuth struct { -@@ -71,22 +77,19 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool, - - filter := la.getFilter(account) - -- // dnAndGroupAttr := []string{"DN"} // example of no groups mapping attribute -- groupAttribute := "memberOf" -- dnAndGroupAttr := []string{"DN", groupAttribute} -+ labelAttributes, labelsConfigErr := la.getLabelAttributes() -+ if labelsConfigErr != nil { -+ return false, nil, labelsConfigErr -+ } - -- entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &dnAndGroupAttr) -+ accountEntryDN, entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &labelAttributes) - if uSearchErr != nil { - return false, nil, uSearchErr - } -- if len(entryAttrMap) < 1 || entryAttrMap["DN"] == nil || len(entryAttrMap["DN"]) != 1 { -- return false, nil, NoMatch // User does not exist -- } -- -- accountEntryDN := entryAttrMap["DN"][0] - if accountEntryDN == "" { - return false, nil, NoMatch // User does not exist - } -+ - // Bind as the user to verify their password - if len(accountEntryDN) > 0 { - err := l.Bind(accountEntryDN, string(password)) -@@ -102,21 +105,13 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool, - return false, nil, bindErr - } - -- // Extract group names from the attribute values -- if entryAttrMap[groupAttribute] != nil { -- rawGroups := entryAttrMap[groupAttribute] -- labels := make(map[string][]string) -- var groups []string -- for _, value := range rawGroups { -- cn := la.getCNFromDN(value) -- groups = append(groups, cn) -- } -- labels["groups"] = groups -- -- return true, labels, nil -+ // Extract labels from the attribute values -+ labels, labelsExtractErr := la.getLabelsFromMap(entryAttrMap) -+ if labelsExtractErr != nil { -+ return false, nil, labelsExtractErr - } - -- return true, nil, nil -+ return true, labels, nil - } - - func (la *LDAPAuth) bindReadOnlyUser(l *ldap.Conn) error { -@@ -193,9 +188,9 @@ func (la *LDAPAuth) getFilter(account string) string { - - //ldap search and return required attributes' value from searched entries - //default return entry's DN value if you leave attrs array empty --func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (map[string][]string, error) { -+func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (string, map[string][]string, error) { - if l == nil { -- return nil, fmt.Errorf("No ldap connection!") -+ return "", nil, fmt.Errorf("No ldap connection!") - } - glog.V(2).Infof("Searching...basedDN:%s, filter:%s", *baseDN, *filter) - searchRequest := ldap.NewSearchRequest( -@@ -206,38 +201,66 @@ func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, att - nil) - sr, err := l.Search(searchRequest) - if err != nil { -- return nil, err -+ return "", nil, err - } - - if len(sr.Entries) == 0 { -- return nil, nil // User does not exist -+ return "", nil, nil // User does not exist - } else if len(sr.Entries) > 1 { -- return nil, fmt.Errorf("Too many entries returned.") -+ return "", nil, fmt.Errorf("Too many entries returned.") - } - -- result := make(map[string][]string) -+ attributes := make(map[string][]string) -+ var entryDn string - for _, entry := range sr.Entries { -- -+ entryDn = entry.DN - if len(*attrs) == 0 { -- glog.V(2).Infof("Entry DN = %s", entry.DN) -- result["DN"] = []string{entry.DN} -+ glog.V(2).Infof("Entry DN = %s", entryDn) - } else { - for _, attr := range *attrs { -- var values []string -- if attr == "DN" { -- // DN is excluded from attributes -- values = []string{entry.DN} -- } else { -- values = entry.GetAttributeValues(attr) -- } -- valuesString := strings.Join(values, "\n") -- glog.V(2).Infof("Entry %s = %s", attr, valuesString) -- result[attr] = values -+ values := entry.GetAttributeValues(attr) -+ glog.V(2).Infof("Entry %s = %s", attr, strings.Join(values, "\n")) -+ attributes[attr] = values - } - } - } - -- return result, nil -+ return entryDn, attributes, nil -+} -+ -+func (la *LDAPAuth) getLabelAttributes() ([]string, error) { -+ labelAttributes := make([]string, len(la.config.LabelMaps)) -+ i := 0 -+ for key, mapping := range la.config.LabelMaps { -+ if mapping.Attribute == "" { -+ return nil, fmt.Errorf("Label %s is missing 'attribute' to map from", key) -+ } -+ labelAttributes[i] = mapping.Attribute -+ i++ -+ } -+ return labelAttributes, nil -+} -+ -+func (la *LDAPAuth) getLabelsFromMap(attrMap map[string][]string) (map[string][]string, error) { -+ labels := make(map[string][]string) -+ for key, mapping := range la.config.LabelMaps { -+ if mapping.Attribute == "" { -+ return nil, fmt.Errorf("Label %s is missing 'attribute' to map from", key) -+ } -+ -+ mappingValues := attrMap[mapping.Attribute] -+ if mappingValues != nil { -+ if mapping.ParseCN { -+ // shorten attribute to its common name -+ for i, value := range mappingValues { -+ cn := la.getCNFromDN(value) -+ mappingValues[i] = cn -+ } -+ } -+ labels[key] = mappingValues -+ } -+ } -+ return labels, nil - } - - func (la *LDAPAuth) getCNFromDN(dn string) string { - -From cd37001980267a99a9faa19f1927891af63acb90 Mon Sep 17 00:00:00 2001 -From: Kevin <kcd83@users.noreply.github.com> -Date: Tue, 28 Feb 2017 18:27:16 +1300 -Subject: [PATCH 3/4] Remove unused configuration fields, never implemented? - ---- - auth_server/authn/ldap_auth.go | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go -index 6f733a2..9c8bcb8 100644 ---- a/auth_server/authn/ldap_auth.go -+++ b/auth_server/authn/ldap_auth.go -@@ -40,8 +40,6 @@ type LDAPAuthConfig struct { - BindDN string `yaml:"bind_dn,omitempty"` - BindPasswordFile string `yaml:"bind_password_file,omitempty"` - LabelMaps map[string]LabelMap `yaml:"labels,omitempty"` -- GroupBaseDN string `yaml:"group_base_dn,omitempty"` -- GroupFilter string `yaml:"group_filter,omitempty"` - } - - type LDAPAuth struct { - -From 2fd43be4e5c2cfe177d9e1d36bcd1b29f4d6f262 Mon Sep 17 00:00:00 2001 -From: Kevin <kcd83@users.noreply.github.com> -Date: Fri, 1 Sep 2017 22:50:19 +1200 -Subject: [PATCH 4/4] Add LDAP label map examples to the reference config - ---- - examples/reference.yml | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/examples/reference.yml b/examples/reference.yml -index b8bb08c..40c5762 100644 ---- a/examples/reference.yml -+++ b/examples/reference.yml -@@ -134,6 +134,16 @@ ldap_auth: - # User query settings. ${account} is expanded from auth request - base: o=example.com - filter: (&(uid=${account})(objectClass=person)) -+ # Labels can be mapped from LDAP attributes -+ labels: -+ # Add the user's title to a label called title -+ title: -+ attribute: title -+ # Add the user's memberOf values to a label called groups -+ groups: -+ attribute: memberOf -+ # Special handling to simplify the values to just the common name -+ parse_cn: true - - mongo_auth: - # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo |