outposts: don't authenticate as service user for flows to set remote-ip

set outpost token as additional header and check that token (user) if they can override remote-ip Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-07-19 13:17:13 +02:00
parent 673da2a96e
commit a2c587be43
5 changed files with 49 additions and 15 deletions
--- a/internal/outpost/ldap/instance_bind.go
+++ b/internal/outpost/ldap/instance_bind.go
@ -34,14 +34,8 @@ func (pi *ProviderInstance) getUsername(dn string) (string, error) {
 }

 func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
-	host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
-	if err != nil {
-		pi.log.WithError(err).Warning("Failed to get remote IP")
-		return ldap.LDAPResultOperationsError, nil
-	}
-
 	fe := outpost.NewFlowExecutor(pi.flowSlug, pi.s.ac.Client.GetConfig())
-	fe.ApiClient().GetConfig().AddDefaultHeader("X-authentik-remote-ip", host)
+	fe.DelegateClientIP(conn.RemoteAddr())
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")

 	fe.Answers[outpost.StageIdentification] = username