upstreamldap

package
v0.26.0
Published: Sep 19, 2023 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Overview

Package upstreamldap implements an abstraction of upstream LDAP IDP interactions.

Index

Constants

const (
	StartTLS = LDAPConnectionProtocol("StartTLS")
	TLS      = LDAPConnectionProtocol("TLS")
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Conn

type Conn interface {
	Bind(username, password string) error

	Search(searchRequest *ldap.SearchRequest) (*ldap.SearchResult, error)

	SearchWithPaging(searchRequest *ldap.SearchRequest, pagingSize uint32) (*ldap.SearchResult, error)

	Close() error
}

Conn abstracts the upstream LDAP communication protocol (mostly for testing).

type GroupSearchConfig

type GroupSearchConfig struct {
	// Base is the base DN to use for the group search in the upstream LDAP IDP. Empty means to skip group search
	// entirely, in which case authenticated users will not belong to any groups from the upstream LDAP IDP.
	Base string

	// Filter is the filter to use for the group search in the upstream LDAP IDP. Empty means to use `member={}`.
	Filter string

	// UserAttributeForFilter is the name of the user attribute whose value should be used to replace the placeholder
	// in the Filter. Empty means to use 'dn'.
	UserAttributeForFilter string

	// GroupNameAttribute is the attribute in the LDAP group entry from which the group name should be
	// retrieved. Empty means to use 'cn'.
	GroupNameAttribute string

	// SkipGroupRefresh skips the group refresh operation that occurs with each refresh
	// (every 5 minutes). This can be done if group search is very slow or resource intensive for the LDAP
	// server.
	SkipGroupRefresh bool
}

GroupSearchConfig contains information about how to search for group membership for users in the upstream LDAP IDP.
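The placeholder substitution described by Filter and UserAttributeForFilter is the point where a directory-controlled value is spliced into LDAP filter syntax, so the value must be escaped per RFC 4515 before it is substituted; otherwise a value such as `*)(cn=*` placed inside `(&(objectClass=posixGroup)(memberUid={}))` turns the filter into one that matches every group. The following is an added example and not code from the package: it mirrors only the three fields it needs, applies the documented defaults (`member={}` and `dn`), and on its own chooses to require exactly one value for a non-DN attribute and to add outer parentheses when the configured filter omits them. The hypothetical helper names GroupSearchFilter and escapeFilterValue are this example's, not the package's.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupSearchConfig mirrors the three documented fields that filter
// construction needs, so this example compiles without importing the package.
type GroupSearchConfig struct {
	Base                   string
	Filter                 string
	UserAttributeForFilter string
}

const (
	defaultGroupSearchFilter      = "member={}"
	defaultUserAttributeForFilter = "dn"
	placeholder                   = "{}"
)

// escapeFilterValue escapes an assertion value per RFC 4515 section 3:
// '(' ')' '*' '\' and NUL become \XX hex escapes. Bytes outside printable
// ASCII are escaped as well, which the RFC permits. Without this, a value
// containing ")(" is parsed as filter structure rather than as data.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '(' || c == ')' || c == '*' || c == '\\' || c < 0x20 || c > 0x7e {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// GroupSearchFilter builds the group search filter for one authenticated
// user. userDN is the DN of the user's entry and userAttrs are the attributes
// read from that entry. ok is false when group search is configured off
// (empty Base). Requiring exactly one value for a non-DN attribute is a
// design choice of this example, not something the package doc states.
func GroupSearchFilter(cfg GroupSearchConfig, userDN string, userAttrs map[string][]string) (filter string, ok bool, err error) {
	if cfg.Base == "" {
		return "", false, nil
	}
	filter = cfg.Filter
	if filter == "" {
		filter = defaultGroupSearchFilter
	}
	attr := cfg.UserAttributeForFilter
	if attr == "" {
		attr = defaultUserAttributeForFilter
	}
	var value string
	if strings.EqualFold(attr, "dn") {
		value = userDN
	} else {
		vals := userAttrs[attr]
		if len(vals) != 1 {
			return "", false, fmt.Errorf("user attribute %q has %d values, want exactly 1", attr, len(vals))
		}
		value = vals[0]
	}
	filter = strings.ReplaceAll(filter, placeholder, escapeFilterValue(value))
	// Accept both "memberUid={}" and "(memberUid={})" spellings by adding the
	// outer parentheses when the operator left them out (this example's choice).
	if !strings.HasPrefix(filter, "(") {
		filter = "(" + filter + ")"
	}
	return filter, true, nil
}

func main() {
	cfg := GroupSearchConfig{
		Base:                   "ou=groups,dc=example,dc=com",
		Filter:                 "(&(objectClass=posixGroup)(memberUid={}))",
		UserAttributeForFilter: "uid",
	}
	// Constructed uid value carrying filter metacharacters; escaped, it can
	// only ever match a group whose memberUid is literally "*)(cn=*".
	f, _, _ := GroupSearchFilter(cfg, "cn=mallory,ou=users,dc=example,dc=com",
		map[string][]string{"uid": {"*)(cn=*"}})
	fmt.Println(f)
}
```

The same escaping rule applies to any filter that is assembled from values the directory or the end user controls; the user search filter is no different in that respect.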

type LDAPConnectionProtocol

type LDAPConnectionProtocol string

type LDAPDialer

type LDAPDialer interface {
	Dial(ctx context.Context, addr endpointaddr.HostPort) (Conn, error)
}

LDAPDialer is a factory of Conn, and the resulting Conn can then be used to interact with an upstream LDAP IDP.

type LDAPDialerFunc

type LDAPDialerFunc func(ctx context.Context, addr endpointaddr.HostPort) (Conn, error)

LDAPDialerFunc makes it easy to use a func as an LDAPDialer.

func (LDAPDialerFunc) Dial

func (f LDAPDialerFunc) Dial(ctx context.Context, addr endpointaddr.HostPort) (Conn, error)

Dial calls f(ctx, addr), so a plain func satisfies the LDAPDialer interface.

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

func New

func New(config ProviderConfig) *Provider

New creates a Provider. The config is not a pointer to ensure that a copy of the config is created, making the resulting Provider use an effectively read-only configuration.

func (*Provider) AuthenticateUser

func (p *Provider) AuthenticateUser(ctx context.Context, username, password string, grantedScopes []string) (*authenticators.Response, bool, error)

AuthenticateUser authenticates an end user and returns their mapped username, groups, and UID. Implements authenticators.UserAuthenticator.

func (*Provider) DryRunAuthenticateUser

func (p *Provider) DryRunAuthenticateUser(ctx context.Context, username string, grantedScopes []string) (*authenticators.Response, bool, error)

DryRunAuthenticateUser provides a method for testing all of the Provider settings in a kind of dry run of authentication for a given end user's username. It runs the same logic as AuthenticateUser except it does not bind as that user, so it does not test their password. It returns the same values that a real call to AuthenticateUser with the correct password would return.

func (*Provider) GetConfig

func (p *Provider) GetConfig() ProviderConfig

GetConfig is a reader for the config. Returns a copy of the config to keep the underlying config read-only.

func (*Provider) GetName

func (p *Provider) GetName() string

GetName returns a name for this upstream provider.

func (*Provider) GetResourceUID added in v0.13.0

func (p *Provider) GetResourceUID() types.UID

func (*Provider) GetURL

func (p *Provider) GetURL() *url.URL

GetURL returns a URL which uniquely identifies this LDAP provider, e.g. "ldaps://host.example.com:1234?base=user-search-base". This URL is not used for connecting to the provider, but rather is used for creating a globally unique user identifier by being combined with the user's UID, since user UIDs are only unique within one provider.
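A UID from the directory is only meaningful inside its own provider, which is why the identifier URL is prefixed to it. The following added example, which is not code from the package, shows the construction: the base DN is placed in the query with url.Values so its commas and '=' are percent-encoded, and the UID is appended as raw bytes in base64url because attributes such as Active Directory's objectGUID are binary. The `&sub=` suffix, the base64url encoding and the names ProviderURL and GlobalSubject are this example's assumptions, not a description of how the package formats subjects.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
)

// ProviderURL builds the identifier described for GetURL: scheme ldaps, the
// configured host, and the user search base DN as the "base" query value.
// url.Values escapes the DN, so the commas and '=' inside it cannot be read
// as query structure.
func ProviderURL(host, userSearchBase string) string {
	u := url.URL{Scheme: "ldaps", Host: host}
	q := url.Values{}
	q.Set("base", userSearchBase)
	u.RawQuery = q.Encode()
	return u.String()
}

// GlobalSubject prefixes the per-provider UID with the provider URL so that
// the same UID value held by two different directories yields two distinct
// subjects. Appending "&sub=" with base64url is an assumption made for this
// example. The UID is treated as raw bytes because attributes such as
// Active Directory's objectGUID are binary, not printable text.
func GlobalSubject(providerURL string, uid []byte) string {
	return providerURL + "&sub=" + base64.RawURLEncoding.EncodeToString(uid)
}

func main() {
	a := ProviderURL("ldap-a.example.com:636", "ou=users,dc=a,dc=example")
	b := ProviderURL("ldap-b.example.com:636", "ou=users,dc=b,dc=example")
	// Constructed UID value that happens to exist in both directories.
	uid := []byte("1001")
	fmt.Println(GlobalSubject(a, uid))
	fmt.Println(GlobalSubject(b, uid))
}
```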

func (*Provider) PerformRefresh added in v0.13.0

func (p *Provider) PerformRefresh(ctx context.Context, storedRefreshAttributes upstreamprovider.RefreshAttributes, idpDisplayName string) ([]string, error)

func (*Provider) SearchForDefaultNamingContext added in v0.11.0

func (p *Provider) SearchForDefaultNamingContext(ctx context.Context) (string, error)

func (*Provider) TestConnection

func (p *Provider) TestConnection(ctx context.Context) error

TestConnection provides a method for testing the connection and bind settings. It performs a dial and a bind and returns any error encountered.

type ProviderConfig

type ProviderConfig struct {
	// Name is the unique name of this upstream LDAP IDP.
	Name string

	// ResourceUID is the Kubernetes resource UID of this identity provider.
	ResourceUID types.UID

	// Host is the hostname or "hostname:port" of the LDAP server. When the port is not specified,
	// the default LDAP port will be used.
	Host string

	// ConnectionProtocol determines how to establish the connection to the server. Either StartTLS or TLS.
	ConnectionProtocol LDAPConnectionProtocol

	// PEM-encoded CA cert bundle to trust when connecting to the LDAP server. Can be nil.
	CABundle []byte

	// BindUsername is the username to use when performing a bind with the upstream LDAP IDP.
	BindUsername string

	// BindPassword is the password to use when performing a bind with the upstream LDAP IDP.
	BindPassword string

	// UserSearch contains information about how to search for users in the upstream LDAP IDP.
	UserSearch UserSearchConfig

	// GroupSearch contains information about how to search for group membership in the upstream LDAP IDP.
	GroupSearch GroupSearchConfig

	// Dialer exists to enable testing. When nil, will use a default appropriate for production use.
	Dialer LDAPDialer

	// UIDAttributeParsingOverrides are mappings between an attribute name and a way to parse it as a UID when
	// it comes out of LDAP.
	UIDAttributeParsingOverrides map[string]func(*ldap.Entry) (string, error)

	// GroupAttributeParsingOverrides are mappings between an attribute name and a way to parse it as a group
	// name when it comes out of LDAP.
	GroupAttributeParsingOverrides map[string]func(*ldap.Entry) (string, error)

	// RefreshAttributeChecks are extra checks that attributes in a refresh response are as expected.
	RefreshAttributeChecks map[string]func(*ldap.Entry, upstreamprovider.RefreshAttributes) error
}

ProviderConfig includes all of the settings for connecting to the upstream LDAP IDP and for searching for users and groups in it. The Provider built from it (see New) exposes the methods for testing the connection and performing logins. The nested structs are not pointer fields to enable deep copy on function params and return values.
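Host, ConnectionProtocol and CABundle together decide what the dialer connects to and which certificates it will accept. The following added example, which is not the package's dialer, shows one careful way to turn those three fields into an endpoint and a tls.Config: the port default depends on the protocol (636 for TLS, 389 for StartTLS, the IANA assignments; the page itself only says "the default LDAP port"), ServerName is pinned to the configured host, TLS 1.2 is the floor, and a CABundle that contains no parsable certificate is an error rather than a silent fallback to the system trust store. The functions ResolveEndpoint, BuildTLSConfig and NewTestCABundle, and the self-signed CA the last one generates, are constructed for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strconv"
	"strings"
	"time"
)

// Mirrors the documented LDAPConnectionProtocol constants (no package import).
type LDAPConnectionProtocol string

const (
	StartTLS = LDAPConnectionProtocol("StartTLS")
	TLS      = LDAPConnectionProtocol("TLS")
)

// ResolveEndpoint splits a ProviderConfig.Host value into host and port. When
// no port is given it assumes the IANA defaults: 636 (ldaps) for TLS and 389
// (ldap, upgraded in-band) for StartTLS; that per-protocol choice is this
// example's assumption, the package doc only says "the default LDAP port".
func ResolveEndpoint(host string, proto LDAPConnectionProtocol) (string, string, error) {
	var defaultPort string
	switch proto {
	case TLS:
		defaultPort = "636"
	case StartTLS:
		defaultPort = "389"
	default:
		return "", "", fmt.Errorf("unsupported ConnectionProtocol %q", proto)
	}
	h, p, err := net.SplitHostPort(host)
	if err != nil {
		var ae *net.AddrError
		if host != "" && errors.As(err, &ae) && ae.Err == "missing port in address" {
			return strings.Trim(host, "[]"), defaultPort, nil // bare host or [IPv6]
		}
		return "", "", fmt.Errorf("invalid Host %q: %w", host, err)
	}
	if _, err := strconv.ParseUint(p, 10, 16); err != nil {
		return "", "", fmt.Errorf("invalid port in Host %q", host)
	}
	return h, p, nil
}

// BuildTLSConfig returns the tls.Config used for either protocol. ServerName
// pins certificate verification to the configured host, and a CABundle with no
// parsable certificate is rejected instead of silently degrading to the system
// trust store, which would let a wrong or missing CA go unnoticed.
func BuildTLSConfig(serverName string, caBundle []byte) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	if len(caBundle) == 0 {
		return cfg, nil // nil RootCAs: the system roots are used
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caBundle) {
		return nil, errors.New("CABundle contains no valid PEM-encoded certificate")
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// NewTestCABundle generates a throwaway self-signed CA as PEM. It is
// constructed for this example and stands in for an operator-supplied bundle.
func NewTestCABundle() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	h, p, _ := ResolveEndpoint("ldap.example.com", StartTLS)
	ca, _ := NewTestCABundle()
	cfg, err := BuildTLSConfig(h, ca)
	fmt.Println(net.JoinHostPort(h, p), err == nil && cfg.RootCAs != nil)
}
```

For StartTLS the same tls.Config is handed to the in-band upgrade after the plaintext connection to port 389 is opened; the bind with BindUsername and BindPassword must only ever happen after that upgrade has succeeded, never on the plaintext connection.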

type UserSearchConfig

type UserSearchConfig struct {
	// Base is the base DN to use for the user search in the upstream LDAP IDP.
	Base string

	// Filter is the filter to use for the user search in the upstream LDAP IDP.
	Filter string

	// UsernameAttribute is the attribute in the LDAP entry from which the username should be
	// retrieved.
	UsernameAttribute string

	// UIDAttribute is the attribute in the LDAP entry from which the user's unique ID should be
	// retrieved.
	UIDAttribute string
}

UserSearchConfig contains information about how to search for users in the upstream LDAP IDP.
