habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

LDAP Provider: TLS support (#1137)

Browse Source
This commit is contained in:
Jens L
2021-07-13 18:24:18 +02:00
committed by GitHub
parent cd0a6f2d7c
commit 7dfc621ae4
18 changed files with 387 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
outpost/pkg/ak/cert.go
View File

@ -37,7 +37,7 @@ func GenerateSelfSignedCert() (tls.Certificate, error) {
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"authentik"},
CommonName: "authentik Proxy default certificate",
CommonName: "authentik Outpost default certificate",
},
NotBefore: notBefore,
NotAfter: notAfter,

21
outpost/pkg/ak/global.go
View File

@ -1,6 +1,8 @@
package ak
import (
"context"
"crypto/tls"
"net/http"
"os"
"strings"
@ -9,6 +11,7 @@ import (
"github.com/getsentry/sentry-go"
httptransport "github.com/go-openapi/runtime/client"
log "github.com/sirupsen/logrus"
"goauthentik.io/outpost/api"
"goauthentik.io/outpost/pkg"
)
@ -66,3 +69,21 @@ func GetTLSTransport() http.RoundTripper {
}
return tlsTransport
}
// ParseCertificate Load certificate from Keyepair UUID and parse it into a go Certificate
func ParseCertificate(kpUuid string, cryptoApi *api.CryptoApiService) (*tls.Certificate, error) {
cert, _, err := cryptoApi.CryptoCertificatekeypairsViewCertificateRetrieve(context.Background(), kpUuid).Execute()
if err != nil {
return nil, err
}
key, _, err := cryptoApi.CryptoCertificatekeypairsViewPrivateKeyRetrieve(context.Background(), kpUuid).Execute()
if err != nil {
return nil, err
}
x509cert, err := tls.X509KeyPair([]byte(cert.Data), []byte(key.Data))
if err != nil {
return nil, err
}
return &x509cert, nil
}

46
outpost/pkg/ldap/api.go
View File

@ -2,6 +2,7 @@ package ldap
import (
"context"
"crypto/tls"
"errors"
"fmt"
"net/http"
@ -10,6 +11,7 @@ import (
"github.com/go-openapi/strfmt"
log "github.com/sirupsen/logrus"
"goauthentik.io/outpost/pkg/ak"
)
func (ls *LDAPServer) Refresh() error {
@ -24,6 +26,7 @@ func (ls *LDAPServer) Refresh() error {
for idx, provider := range outposts.Results {
userDN := strings.ToLower(fmt.Sprintf("ou=users,%s", *provider.BaseDn))
groupDN := strings.ToLower(fmt.Sprintf("ou=groups,%s", *provider.BaseDn))
logger := log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name)
providers[idx] = &ProviderInstance{
BaseDN: *provider.BaseDn,
GroupDN: groupDN,
@ -34,7 +37,18 @@ func (ls *LDAPServer) Refresh() error {
boundUsersMutex: sync.RWMutex{},
boundUsers: make(map[string]UserFlags),
s: ls,
log: log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
log: logger,
tlsServerName: provider.TlsServerName,
}
if provider.Certificate.Get() != nil {
logger.WithField("provider", provider.Name).Debug("Enabling TLS")
cert, err := ak.ParseCertificate(*provider.Certificate.Get(), ls.ac.Client.CryptoApi)
if err != nil {
logger.WithField("provider", provider.Name).WithError(err).Warning("Failed to fetch certificate")
} else {
providers[idx].cert = cert
logger.WithField("provider", provider.Name).Debug("Loaded certificates")
}
}
}
ls.providers = providers
@ -58,9 +72,30 @@ func (ls *LDAPServer) StartLDAPServer() error {
return ls.s.ListenAndServe(listen)
}
func (ls *LDAPServer) StartLDAPTLSServer() error {
listen := "0.0.0.0:6636"
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12,
GetCertificate: ls.getCertificates,
}
ln, err := tls.Listen("tcp", listen, tlsConfig)
if err != nil {
ls.log.Fatalf("FATAL: listen (%s) failed - %s", listen, err)
}
ls.log.WithField("listen", listen).Info("Starting ldap tls server")
err = ls.s.Serve(ln)
if err != nil {
return err
}
ls.log.Printf("closing %s", ln.Addr())
return ls.s.ListenAndServe(listen)
}
func (ls *LDAPServer) Start() error {
wg := sync.WaitGroup{}
wg.Add(2)
wg.Add(3)
go func() {
defer wg.Done()
err := ls.StartHTTPServer()
@ -75,6 +110,13 @@ func (ls *LDAPServer) Start() error {
panic(err)
}
}()
go func() {
defer wg.Done()
err := ls.StartLDAPTLSServer()
if err != nil {
panic(err)
}
}()
wg.Wait()
return nil
}

23
outpost/pkg/ldap/api_tls.go Normal file
View File

@ -0,0 +1,23 @@
package ldap
import "crypto/tls"
func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
if len(ls.providers) == 1 {
if ls.providers[0].cert != nil {
ls.log.WithField("server-name", info.ServerName).Debug("We only have a single provider, using their cert")
return ls.providers[0].cert, nil
}
}
for _, provider := range ls.providers {
if provider.tlsServerName == &info.ServerName {
if provider.cert == nil {
ls.log.WithField("server-name", info.ServerName).Debug("Handler does not have a certificate")
return ls.defaultCert, nil
}
return provider.cert, nil
}
}
ls.log.WithField("server-name", info.ServerName).Debug("Fallback to default cert")
return ls.defaultCert, nil
}

5
outpost/pkg/ldap/instance_search.go
View File

@ -109,7 +109,7 @@ func (pi *ProviderInstance) UserEntry(u api.User) *ldap.Entry {
attrs = append(attrs, AKAttrsToLDAP(u.Attributes)...)
dn := fmt.Sprintf("cn=%s,%s", u.Username, pi.UserDN)
dn := pi.GetUserDN(u.Username)
return &ldap.Entry{DN: dn, Attributes: attrs}
}
@ -129,6 +129,9 @@ func (pi *ProviderInstance) GroupEntry(g api.Group) *ldap.Entry {
Values: []string{GroupObjectClass, "goauthentik.io/ldap/group"},
},
}
attrs = append(attrs, &ldap.EntryAttribute{Name: "member", Values: pi.UsersForGroup(g)})
attrs = append(attrs, &ldap.EntryAttribute{Name: "goauthentik.io/ldap/superuser", Values: []string{BoolToString(*g.IsSuperuser)}})
attrs = append(attrs, AKAttrsToLDAP(g.Attributes)...)
dn := pi.GetGroupDN(g)

19
outpost/pkg/ldap/ldap.go
View File

@ -1,6 +1,7 @@
package ldap
import (
"crypto/tls"
"sync"
"github.com/go-openapi/strfmt"
@ -25,6 +26,9 @@ type ProviderInstance struct {
s *LDAPServer
log *log.Entry
tlsServerName *string
cert *tls.Certificate
searchAllowedGroups []*strfmt.UUID
boundUsersMutex sync.RWMutex
boundUsers map[string]UserFlags
@ -36,11 +40,11 @@ type UserFlags struct {
}
type LDAPServer struct {
s *ldap.Server
log *log.Entry
ac *ak.APIController
providers []*ProviderInstance
s *ldap.Server
log *log.Entry
ac *ak.APIController
defaultCert *tls.Certificate
providers []*ProviderInstance
}
func NewServer(ac *ak.APIController) *LDAPServer {
@ -52,6 +56,11 @@ func NewServer(ac *ak.APIController) *LDAPServer {
ac: ac,
providers: []*ProviderInstance{},
}
defaultCert, err := ak.GenerateSelfSignedCert()
if err != nil {
log.Warning(err)
}
ls.defaultCert = &defaultCert
s.BindFunc("", ls)
s.SearchFunc("", ls)
return ls

49
outpost/pkg/ldap/utils.go
View File

@ -2,8 +2,10 @@ package ldap
import (
"fmt"
"reflect"
"github.com/nmcclain/ldap"
log "github.com/sirupsen/logrus"
"goauthentik.io/outpost/api"
)
@ -14,6 +16,24 @@ func BoolToString(in bool) string {
return "false"
}
func ldapResolveTypeSingle(in interface{}) *string {
switch t := in.(type) {
case string:
return &t
case *string:
return t
case bool:
s := BoolToString(t)
return &s
case *bool:
s := BoolToString(*t)
return &s
default:
log.WithField("type", reflect.TypeOf(in).String()).Warning("Type can't be mapped to LDAP yet")
return nil
}
}
func AKAttrsToLDAP(attrs interface{}) []*ldap.EntryAttribute {
attrList := []*ldap.EntryAttribute{}
a := attrs.(*map[string]interface{})
@ -22,10 +42,19 @@ func AKAttrsToLDAP(attrs interface{}) []*ldap.EntryAttribute {
switch t := attrValue.(type) {
case []string:
entry.Values = t
case string:
entry.Values = []string{t}
case bool:
entry.Values = []string{BoolToString(t)}
case *[]string:
entry.Values = *t
case []interface{}:
entry.Values = make([]string, len(t))
for idx, v := range t {
v := ldapResolveTypeSingle(v)
entry.Values[idx] = *v
}
default:
v := ldapResolveTypeSingle(t)
if v != nil {
entry.Values = []string{*v}
}
}
attrList = append(attrList, entry)
}
@ -40,6 +69,18 @@ func (pi *ProviderInstance) GroupsForUser(user api.User) []string {
return groups
}
func (pi *ProviderInstance) UsersForGroup(group api.Group) []string {
users := make([]string, len(group.UsersObj))
for i, user := range group.UsersObj {
users[i] = pi.GetUserDN(user.Username)
}
return users
}
func (pi *ProviderInstance) GetUserDN(user string) string {
return fmt.Sprintf("cn=%s,%s", user, pi.UserDN)
}
func (pi *ProviderInstance) GetGroupDN(group api.Group) string {
return fmt.Sprintf("cn=%s,%s", group.Name, pi.GroupDN)
}

17
outpost/pkg/proxy/api_bundle.go
View File

@ -1,7 +1,6 @@
package proxy
import (
"context"
"crypto/tls"
"net"
"net/http"
@ -16,6 +15,7 @@ import (
"github.com/oauth2-proxy/oauth2-proxy/pkg/validation"
log "github.com/sirupsen/logrus"
"goauthentik.io/outpost/api"
"goauthentik.io/outpost/pkg/ak"
)
type providerBundle struct {
@ -90,23 +90,12 @@ func (pb *providerBundle) prepareOpts(provider api.ProxyOutpostConfig) *options.
if provider.Certificate.Get() != nil {
pb.log.WithField("provider", provider.Name).Debug("Enabling TLS")
cert, _, err := pb.s.ak.Client.CryptoApi.CryptoCertificatekeypairsViewCertificateRetrieve(context.Background(), *provider.Certificate.Get()).Execute()
cert, err := ak.ParseCertificate(*provider.Certificate.Get(), pb.s.ak.Client.CryptoApi)
if err != nil {
pb.log.WithField("provider", provider.Name).WithError(err).Warning("Failed to fetch certificate")
return providerOpts
}
key, _, err := pb.s.ak.Client.CryptoApi.CryptoCertificatekeypairsViewPrivateKeyRetrieve(context.Background(), *provider.Certificate.Get()).Execute()
if err != nil {
pb.log.WithField("provider", provider.Name).WithError(err).Warning("Failed to fetch private key")
return providerOpts
}
x509cert, err := tls.X509KeyPair([]byte(cert.Data), []byte(key.Data))
if err != nil {
pb.log.WithField("provider", provider.Name).WithError(err).Warning("Failed to parse certificate")
return providerOpts
}
pb.cert = &x509cert
pb.cert = cert
pb.log.WithField("provider", provider.Name).Debug("Loaded certificates")
}
return providerOpts