outposts/ldap: improve logging, add request ID

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

internal/outpost/ldap/instance_bind.go

@@ -3,12 +3,12 @@ package ldap
 import (
 	"context"
 	"errors"
-	"net"
 	"strings"
 	"time"
 
 	goldap "github.com/go-ldap/ldap/v3"
 	"github.com/nmcclain/ldap"
+	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api"
 	"goauthentik.io/internal/outpost"
 )
@@ -33,60 +33,68 @@ func (pi *ProviderInstance) getUsername(dn string) (string, error) {
 	return "", errors.New("failed to find cn")
 }
 
-func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
-	fe := outpost.NewFlowExecutor(pi.flowSlug, pi.s.ac.Client.GetConfig())
-	fe.DelegateClientIP(conn.RemoteAddr())
+func (pi *ProviderInstance) Bind(username string, req BindRequest) (ldap.LDAPResultCode, error) {
+	fe := outpost.NewFlowExecutor(pi.flowSlug, pi.s.ac.Client.GetConfig(), log.Fields{
+		"bindDN":    req.BindDN,
+		"client":    req.conn.RemoteAddr().String(),
+		"requestId": req.id,
+	})
+	fe.DelegateClientIP(req.conn.RemoteAddr())
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")
 
 	fe.Answers[outpost.StageIdentification] = username
-	fe.Answers[outpost.StagePassword] = bindPW
+	fe.Answers[outpost.StagePassword] = req.BindPW
 
 	passed, err := fe.Execute()
 	if !passed {
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
 	if err != nil {
-		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to execute flow")
+		req.log.WithError(err).Warning("failed to execute flow")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	access, err := fe.CheckApplicationAccess(pi.appSlug)
 	if !access {
-		pi.log.WithField("bindDN", bindDN).Info("Access denied for user")
+		req.log.Info("Access denied for user")
 		return ldap.LDAPResultInsufficientAccessRights, nil
 	}
 	if err != nil {
-		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to check access")
+		req.log.WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
 	}
-	pi.log.WithField("bindDN", bindDN).Info("User has access")
+	req.log.Info("User has access")
 	// Get user info to store in context
 	userInfo, _, err := fe.ApiClient().CoreApi.CoreUsersMeRetrieve(context.Background()).Execute()
 	if err != nil {
-		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to get user info")
+		req.log.WithError(err).Warning("failed to get user info")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	pi.boundUsersMutex.Lock()
-	pi.boundUsers[bindDN] = UserFlags{
+	cs := pi.SearchAccessCheck(userInfo.User)
+	pi.boundUsers[req.BindDN] = UserFlags{
 		UserInfo:  userInfo.User,
-		CanSearch: pi.SearchAccessCheck(userInfo.User),
+		CanSearch: cs != nil,
 	}
+	if pi.boundUsers[req.BindDN].CanSearch {
+		req.log.WithField("group", cs).Info("Allowed access to search")
+	}
+
 	defer pi.boundUsersMutex.Unlock()
 	pi.delayDeleteUserInfo(username)
 	return ldap.LDAPResultSuccess, nil
 }
 
 // SearchAccessCheck Check if the current user is allowed to search
-func (pi *ProviderInstance) SearchAccessCheck(user api.User) bool {
+func (pi *ProviderInstance) SearchAccessCheck(user api.User) *string {
 	for _, group := range user.Groups {
 		for _, allowedGroup := range pi.searchAllowedGroups {
 			pi.log.WithField("userGroup", group.Pk).WithField("allowedGroup", allowedGroup).Trace("Checking search access")
 			if group.Pk == allowedGroup.String() {
-				pi.log.WithField("group", group.Name).Info("Allowed access to search")
-				return true
+				return &group.Name
 			}
 		}
 	}
-	return false
+	return nil
 }
 
 func (pi *ProviderInstance) delayDeleteUserInfo(dn string) {