outposts: Refactor session end signal and add LDAP support (#14539)
* outpost: promote session end signal to non-provider specific Signed-off-by: Jens Langhammer <jens@goauthentik.io> * implement server-side logout in ldap Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix previous import Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use better retry logic Signed-off-by: Jens Langhammer <jens@goauthentik.io> * log Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make more generic if we switch from ws to something else Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make it possible to e2e test WS Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix ldap session id Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ok I actually need to go to bed this took me an hour to fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * format; add ldap test Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix leftover state Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove thread Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use ws base for radius Signed-off-by: Jens Langhammer <jens@goauthentik.io> * separate test utils Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rename Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix missing super calls Signed-off-by: Jens Langhammer <jens@goauthentik.io> * websocket tests with browser 🎉 Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add proxy test for sign out Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix install_id issue with channels tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix proxy basic auth test Signed-off-by: Jens Langhammer <jens@goauthentik.io> * big code dedupe Signed-off-by: Jens Langhammer <jens@goauthentik.io> * allow passing go build args Signed-off-by: Jens Langhammer <jens@goauthentik.io> * improve waiting for outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rewrite ldap tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ok actually fix the tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * undo a couple things that need more time to cook Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove unused lockfile-lint dependency since we use a shell script and SFE does not have a lockfile Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix session id for ldap Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix missing createTimestamp and modifyTimestamp ldap attributes closes #10474 Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L.
@ -18,21 +18,26 @@ import (
|
||||
)
|
||||
|
||||
type LDAPServer struct {
|
||||
s *ldap.Server
|
||||
log *log.Entry
|
||||
ac *ak.APIController
|
||||
cs *ak.CryptoStore
|
||||
defaultCert *tls.Certificate
|
||||
providers []*ProviderInstance
|
||||
s *ldap.Server
|
||||
log *log.Entry
|
||||
ac *ak.APIController
|
||||
cs *ak.CryptoStore
|
||||
defaultCert *tls.Certificate
|
||||
providers []*ProviderInstance
|
||||
connections map[string]net.Conn
|
||||
connectionsSync sync.Mutex
|
||||
}
|
||||
|
||||
func NewServer(ac *ak.APIController) ak.Outpost {
|
||||
ls := &LDAPServer{
|
||||
log: log.WithField("logger", "authentik.outpost.ldap"),
|
||||
ac: ac,
|
||||
cs: ak.NewCryptoStore(ac.Client.CryptoApi),
|
||||
providers: []*ProviderInstance{},
|
||||
log: log.WithField("logger", "authentik.outpost.ldap"),
|
||||
ac: ac,
|
||||
cs: ak.NewCryptoStore(ac.Client.CryptoApi),
|
||||
providers: []*ProviderInstance{},
|
||||
connections: map[string]net.Conn{},
|
||||
connectionsSync: sync.Mutex{},
|
||||
}
|
||||
ac.AddEventHandler(ls.handleWSSessionEnd)
|
||||
s := ldap.NewServer()
|
||||
s.EnforceLDAP = true
|
||||
|
||||
@ -50,6 +55,7 @@ func NewServer(ac *ak.APIController) ak.Outpost {
|
||||
s.BindFunc("", ls)
|
||||
s.UnbindFunc("", ls)
|
||||
s.SearchFunc("", ls)
|
||||
s.CloseFunc("", ls)
|
||||
return ls
|
||||
}
|
||||
|
||||
@ -117,3 +123,23 @@ func (ls *LDAPServer) TimerFlowCacheExpiry(ctx context.Context) {
|
||||
p.binder.TimerFlowCacheExpiry(ctx)
|
||||
}
|
||||
}
|
||||
|
||||
func (ls *LDAPServer) handleWSSessionEnd(ctx context.Context, msg ak.Event) error {
|
||||
if msg.Instruction != ak.EventKindSessionEnd {
|
||||
return nil
|
||||
}
|
||||
mmsg := ak.EventArgsSessionEnd{}
|
||||
err := msg.ArgsAs(&mmsg)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ls.connectionsSync.Lock()
|
||||
defer ls.connectionsSync.Unlock()
|
||||
ls.log.Info("Disconnecting session due to session end event")
|
||||
conn, ok := ls.connections[mmsg.SessionID]
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
delete(ls.connections, mmsg.SessionID)
|
||||
return conn.Close()
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user