outpost: migrate to openapitools/openapi-generator-cli

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

outpost/pkg/ldap/instance_bind.go

@@ -12,23 +12,14 @@ import (
 	"time"
 
 	goldap "github.com/go-ldap/ldap/v3"
-	httptransport "github.com/go-openapi/runtime/client"
 	"github.com/nmcclain/ldap"
-	"goauthentik.io/outpost/pkg/client/core"
-	"goauthentik.io/outpost/pkg/client/flows"
-	"goauthentik.io/outpost/pkg/models"
+	"goauthentik.io/outpost/api"
+	"goauthentik.io/outpost/pkg"
+	"goauthentik.io/outpost/pkg/ak"
 )
 
 const ContextUserKey = "ak_user"
 
-type UIDResponse struct {
-	UIDFIeld string `json:"uid_field"`
-}
-
-type PasswordResponse struct {
-	Password string `json:"password"`
-}
-
 func (pi *ProviderInstance) getUsername(dn string) (string, error) {
 	if !strings.HasSuffix(strings.ToLower(dn), strings.ToLower(pi.BaseDN)) {
 		return "", errors.New("invalid base DN")
@@ -58,16 +49,25 @@ func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn ne
 		pi.log.WithError(err).Warning("Failed to get remote IP")
 		return ldap.LDAPResultOperationsError, nil
 	}
+
 	// Create new http client that also sets the correct ip
-	client := &http.Client{
+	config := api.NewConfiguration()
+	// Carry over the bearer authentication, so that failed login attempts are attributed to the outpost
+	config.DefaultHeader = pi.s.ac.Client.GetConfig().DefaultHeader
+	config.Host = pi.s.ac.Client.GetConfig().Host
+	config.Scheme = pi.s.ac.Client.GetConfig().Scheme
+	config.HTTPClient = &http.Client{
 		Jar: jar,
-		Transport: newTransport(map[string]string{
+		Transport: newTransport(ak.SetUserAgent(ak.GetTLSTransport(), pkg.UserAgent()), map[string]string{
 			"X-authentik-remote-ip": host,
 		}),
 	}
+	// create the API client, with the transport
+	apiClient := api.NewAPIClient(config)
+
 	params := url.Values{}
 	params.Add("goauthentik.io/outpost/ldap", "true")
-	passed, err := pi.solveFlowChallenge(username, bindPW, client, params.Encode(), 1)
+	passed, err := pi.solveFlowChallenge(username, bindPW, apiClient, params.Encode(), 1)
 	if err != nil {
 		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to solve challenge")
 		return ldap.LDAPResultOperationsError, nil
@@ -75,33 +75,26 @@ func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn ne
 	if !passed {
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
-	_, err = pi.s.ac.Client.Core.CoreApplicationsCheckAccess(&core.CoreApplicationsCheckAccessParams{
-		Slug:       pi.appSlug,
-		Context:    context.Background(),
-		HTTPClient: client,
-	}, httptransport.PassThroughAuth)
+	r, err := pi.s.ac.Client.CoreApi.CoreApplicationsCheckAccessRetrieve(context.Background(), pi.appSlug).Execute()
+	if r.StatusCode == 403 {
+		pi.log.WithField("bindDN", bindDN).Info("Access denied for user")
+		return ldap.LDAPResultInsufficientAccessRights, nil
+	}
 	if err != nil {
-		if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
-			pi.log.WithField("bindDN", bindDN).Info("Access denied for user")
-			return ldap.LDAPResultInsufficientAccessRights, nil
-		}
 		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	pi.log.WithField("bindDN", bindDN).Info("User has access")
 	// Get user info to store in context
-	userInfo, err := pi.s.ac.Client.Core.CoreUsersMe(&core.CoreUsersMeParams{
-		Context:    context.Background(),
-		HTTPClient: client,
-	}, httptransport.PassThroughAuth)
+	userInfo, _, err := pi.s.ac.Client.CoreApi.CoreUsersMeRetrieve(context.Background()).Execute()
 	if err != nil {
 		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to get user info")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	pi.boundUsersMutex.Lock()
 	pi.boundUsers[bindDN] = UserFlags{
-		UserInfo:  *userInfo.Payload.User,
-		CanSearch: pi.SearchAccessCheck(userInfo.Payload.User),
+		UserInfo:  userInfo.User,
+		CanSearch: pi.SearchAccessCheck(userInfo.User),
 	}
 	defer pi.boundUsersMutex.Unlock()
 	pi.delayDeleteUserInfo(username)
@@ -109,11 +102,11 @@ func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn ne
 }
 
 // SearchAccessCheck Check if the current user is allowed to search
-func (pi *ProviderInstance) SearchAccessCheck(user *models.User) bool {
+func (pi *ProviderInstance) SearchAccessCheck(user api.User) bool {
 	for _, group := range user.Groups {
 		for _, allowedGroup := range pi.searchAllowedGroups {
 			pi.log.WithField("userGroup", group.Pk).WithField("allowedGroup", allowedGroup).Trace("Checking search access")
-			if group.Pk.String() == allowedGroup.String() {
+			if group.Pk == allowedGroup.String() {
 				pi.log.WithField("group", group.Name).Info("Allowed access to search")
 				return true
 			}
@@ -140,51 +133,48 @@ func (pi *ProviderInstance) delayDeleteUserInfo(dn string) {
 	}()
 }
 
-func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client, urlParams string, depth int) (bool, error) {
-	challenge, err := pi.s.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{
-		FlowSlug:   pi.flowSlug,
-		Query:      urlParams,
-		Context:    context.Background(),
-		HTTPClient: client,
-	}, pi.s.ac.Auth)
+func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *api.APIClient, urlParams string, depth int) (bool, error) {
+	req := client.FlowsApi.FlowsExecutorGet(context.Background(), pi.flowSlug)
+	req.Query(urlParams)
+	challenge, _, err := req.Execute()
 	if err != nil {
 		pi.log.WithError(err).Warning("Failed to get challenge")
 		return false, err
 	}
-	pi.log.WithField("component", challenge.Payload.Component).WithField("type", *challenge.Payload.Type).Debug("Got challenge")
-	responseParams := &flows.FlowsExecutorSolveParams{
-		FlowSlug:   pi.flowSlug,
-		Query:      urlParams,
-		Context:    context.Background(),
-		HTTPClient: client,
-	}
-	switch challenge.Payload.Component {
+	pi.log.WithField("component", challenge.Component).WithField("type", challenge.Type).Debug("Got challenge")
+	responseReq := client.FlowsApi.FlowsExecutorSolve(context.Background(), pi.flowSlug)
+	responseReq.Query(urlParams)
+	switch *challenge.Component {
 	case "ak-stage-identification":
-		responseParams.Data = &UIDResponse{UIDFIeld: bindDN}
+		responseReq.RequestBody(map[string]interface{}{
+			"uid_field": bindDN,
+		})
 	case "ak-stage-password":
-		responseParams.Data = &PasswordResponse{Password: password}
+		responseReq.RequestBody(map[string]interface{}{
+			"password": password,
+		})
 	case "ak-stage-access-denied":
 		return false, errors.New("got ak-stage-access-denied")
 	default:
-		return false, fmt.Errorf("unsupported challenge type: %s", challenge.Payload.Component)
+		return false, fmt.Errorf("unsupported challenge type: %s", *challenge.Component)
 	}
-	response, err := pi.s.ac.Client.Flows.FlowsExecutorSolve(responseParams, pi.s.ac.Auth)
-	pi.log.WithField("component", response.Payload.Component).WithField("type", *response.Payload.Type).Debug("Got response")
-	switch response.Payload.Component {
+	response, _, err := responseReq.Execute()
+	pi.log.WithField("component", response.Component).WithField("type", response.Type).Debug("Got response")
+	switch *response.Component {
 	case "ak-stage-access-denied":
 		return false, errors.New("got ak-stage-access-denied")
 	}
-	if *response.Payload.Type == "redirect" {
+	if response.Type == "redirect" {
 		return true, nil
 	}
 	if err != nil {
 		pi.log.WithError(err).Warning("Failed to submit challenge")
 		return false, err
 	}
-	if len(response.Payload.ResponseErrors) > 0 {
-		for key, errs := range response.Payload.ResponseErrors {
+	if len(*response.ResponseErrors) > 0 {
+		for key, errs := range *response.ResponseErrors {
 			for _, err := range errs {
-				pi.log.WithField("key", key).WithField("code", *err.Code).Debug(*err.String)
+				pi.log.WithField("key", key).WithField("code", err.Code).Debug(err.String)
 				return false, nil
 			}
 		}