2021-04-19 23:30:27 +01:00
|
|
|
package ldap
|
|
|
|
|
|
|
|
import (
|
2021-05-16 20:07:01 +01:00
|
|
|
"context"
|
2021-07-13 17:24:18 +01:00
|
|
|
"crypto/tls"
|
2021-04-26 10:53:06 +01:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
2021-05-08 19:59:31 +01:00
|
|
|
"net/http"
|
2021-04-26 10:53:06 +01:00
|
|
|
"strings"
|
2021-05-08 19:59:31 +01:00
|
|
|
"sync"
|
2021-04-26 10:53:06 +01:00
|
|
|
|
2021-05-04 23:03:19 +01:00
|
|
|
"github.com/go-openapi/strfmt"
|
2021-04-19 23:30:27 +01:00
|
|
|
log "github.com/sirupsen/logrus"
|
2021-07-13 17:24:18 +01:00
|
|
|
"goauthentik.io/outpost/pkg/ak"
|
2021-04-19 23:30:27 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
func (ls *LDAPServer) Refresh() error {
|
2021-05-16 20:35:23 +01:00
|
|
|
outposts, _, err := ls.ac.Client.OutpostsApi.OutpostsLdapList(context.Background()).Execute()
|
2021-04-26 10:53:06 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-05-16 20:07:01 +01:00
|
|
|
if len(outposts.Results) < 1 {
|
2021-04-26 10:53:06 +01:00
|
|
|
return errors.New("no ldap provider defined")
|
|
|
|
}
|
2021-05-16 20:07:01 +01:00
|
|
|
providers := make([]*ProviderInstance, len(outposts.Results))
|
|
|
|
for idx, provider := range outposts.Results {
|
|
|
|
userDN := strings.ToLower(fmt.Sprintf("ou=users,%s", *provider.BaseDn))
|
|
|
|
groupDN := strings.ToLower(fmt.Sprintf("ou=groups,%s", *provider.BaseDn))
|
2021-07-13 17:24:18 +01:00
|
|
|
logger := log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name)
|
2021-04-26 10:53:06 +01:00
|
|
|
providers[idx] = &ProviderInstance{
|
2021-05-16 20:07:01 +01:00
|
|
|
BaseDN: *provider.BaseDn,
|
2021-05-04 23:03:19 +01:00
|
|
|
GroupDN: groupDN,
|
|
|
|
UserDN: userDN,
|
2021-05-16 20:07:01 +01:00
|
|
|
appSlug: provider.ApplicationSlug,
|
|
|
|
flowSlug: provider.BindFlowSlug,
|
|
|
|
searchAllowedGroups: []*strfmt.UUID{(*strfmt.UUID)(provider.SearchGroup.Get())},
|
2021-05-08 19:59:31 +01:00
|
|
|
boundUsersMutex: sync.RWMutex{},
|
|
|
|
boundUsers: make(map[string]UserFlags),
|
2021-05-04 23:03:19 +01:00
|
|
|
s: ls,
|
2021-07-13 17:24:18 +01:00
|
|
|
log: logger,
|
|
|
|
tlsServerName: provider.TlsServerName,
|
|
|
|
}
|
|
|
|
if provider.Certificate.Get() != nil {
|
|
|
|
logger.WithField("provider", provider.Name).Debug("Enabling TLS")
|
|
|
|
cert, err := ak.ParseCertificate(*provider.Certificate.Get(), ls.ac.Client.CryptoApi)
|
|
|
|
if err != nil {
|
|
|
|
logger.WithField("provider", provider.Name).WithError(err).Warning("Failed to fetch certificate")
|
|
|
|
} else {
|
|
|
|
providers[idx].cert = cert
|
|
|
|
logger.WithField("provider", provider.Name).Debug("Loaded certificates")
|
|
|
|
}
|
2021-04-26 10:53:06 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
ls.providers = providers
|
|
|
|
ls.log.Info("Update providers")
|
2021-04-19 23:30:27 +01:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-06-06 22:07:13 +01:00
|
|
|
func (ls *LDAPServer) StartHTTPServer() error {
|
|
|
|
listen := "0.0.0.0:4180" // same port as proxy
|
|
|
|
m := http.NewServeMux()
|
|
|
|
m.HandleFunc("/akprox/ping", func(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
rw.WriteHeader(204)
|
|
|
|
})
|
|
|
|
ls.log.WithField("listen", listen).Info("Starting http server")
|
|
|
|
return http.ListenAndServe(listen, m)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ls *LDAPServer) StartLDAPServer() error {
|
2021-04-26 13:46:29 +01:00
|
|
|
listen := "0.0.0.0:3389"
|
2021-06-06 22:07:13 +01:00
|
|
|
ls.log.WithField("listen", listen).Info("Starting ldap server")
|
|
|
|
return ls.s.ListenAndServe(listen)
|
|
|
|
}
|
|
|
|
|
2021-07-13 17:24:18 +01:00
|
|
|
func (ls *LDAPServer) StartLDAPTLSServer() error {
|
|
|
|
listen := "0.0.0.0:6636"
|
|
|
|
tlsConfig := &tls.Config{
|
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
MaxVersion: tls.VersionTLS12,
|
|
|
|
GetCertificate: ls.getCertificates,
|
|
|
|
}
|
|
|
|
|
|
|
|
ln, err := tls.Listen("tcp", listen, tlsConfig)
|
|
|
|
if err != nil {
|
|
|
|
ls.log.Fatalf("FATAL: listen (%s) failed - %s", listen, err)
|
|
|
|
}
|
|
|
|
ls.log.WithField("listen", listen).Info("Starting ldap tls server")
|
|
|
|
err = ls.s.Serve(ln)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
ls.log.Printf("closing %s", ln.Addr())
|
|
|
|
return ls.s.ListenAndServe(listen)
|
|
|
|
}
|
|
|
|
|
2021-06-06 22:07:13 +01:00
|
|
|
func (ls *LDAPServer) Start() error {
|
|
|
|
wg := sync.WaitGroup{}
|
2021-07-13 17:24:18 +01:00
|
|
|
wg.Add(3)
|
2021-06-06 22:07:13 +01:00
|
|
|
go func() {
|
|
|
|
defer wg.Done()
|
|
|
|
err := ls.StartHTTPServer()
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
go func() {
|
|
|
|
defer wg.Done()
|
|
|
|
err := ls.StartLDAPServer()
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}()
|
2021-07-13 17:24:18 +01:00
|
|
|
go func() {
|
|
|
|
defer wg.Done()
|
|
|
|
err := ls.StartLDAPTLSServer()
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}()
|
2021-06-06 22:07:13 +01:00
|
|
|
wg.Wait()
|
2021-04-19 23:30:27 +01:00
|
|
|
return nil
|
|
|
|
}
|
2021-05-08 19:59:31 +01:00
|
|
|
|
|
|
|
type transport struct {
|
|
|
|
headers map[string]string
|
2021-05-16 20:07:01 +01:00
|
|
|
inner http.RoundTripper
|
2021-05-08 19:59:31 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (t *transport) RoundTrip(req *http.Request) (*http.Response, error) {
|
|
|
|
for key, value := range t.headers {
|
|
|
|
req.Header.Add(key, value)
|
|
|
|
}
|
2021-05-16 20:07:01 +01:00
|
|
|
return t.inner.RoundTrip(req)
|
2021-05-08 19:59:31 +01:00
|
|
|
}
|
2021-05-16 20:07:01 +01:00
|
|
|
func newTransport(inner http.RoundTripper, headers map[string]string) *transport {
|
|
|
|
return &transport{
|
|
|
|
inner: inner,
|
|
|
|
headers: headers,
|
|
|
|
}
|
2021-05-08 19:59:31 +01:00
|
|
|
}
|