feat(ssl): adding support for ssl certificate ignore.

Merge pull request 'Délai de connexion au serveur LDAP configurable' (#2 ) from ldap-configurable-timeout into develop
Reviewed-on: #2
2023-12-06 11:47:07 +01:00 · 2023-12-06 11:45:30 +01:00 · 2023-12-06 11:43:58 +01:00
5 changed files with 54 additions and 30 deletions
--- a/cmd/werther/main.go
+++ b/cmd/werther/main.go
@ -14,6 +14,8 @@ import (
 	"net/url"
 	"os"

+	"crypto/tls"
+
 	"github.com/i-core/rlog"
 	"github.com/i-core/routegroup"
 	"github.com/i-core/werther/internal/identp"
@ -30,11 +32,12 @@ var version = ""

 // Config is a server's configuration.
 type Config struct {
-	DevMode bool   `envconfig:"dev_mode" default:"false" desc:"a development mode"`
-	Listen  string `default:":8080" desc:"a host and port to listen on (<host>:<port>)"`
-	Identp  identp.Config
-	LDAP    ldapclient.Config
-	Web     web.Config
+	DevMode              bool   `envconfig:"dev_mode" default:"false" desc:"Enable development mode"`
+	Listen               string `default:":8080" desc:"a host and port to listen on (<host>:<port>)"`
+	SkipSSLVerifications bool   `envconfig:"skip_ssl_verifications" default:"false" desc:"Disable all ssl verifications if true"`
+	Identp               identp.Config
+	LDAP                 ldapclient.Config
+	Web                  web.Config
 }

 func main() {
@ -80,6 +83,11 @@ func main() {
 		os.Exit(1)
 	}

+	if cnf.SkipSSLVerifications {
+		log.Warn("All ssl verifications are disabled !")
+		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
+
 	ldap := ldapclient.New(cnf.LDAP)

 	router := routegroup.NewRouter(nosurf.NewPure, rlog.NewMiddleware(log))
--- a/conf/hydra-werther.conf
+++ b/conf/hydra-werther.conf
@ -116,4 +116,10 @@ WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=myorg,dc=com
  # [description] a base path of web pages
  # [type]        String
  # [default]     /
+  # [required]
+
+#WERTHER_LDAP_CONNECTION_TIMEOUT=
+  # [description] LDAP server connection timeout
+  # [type]        Duration
+  # [default]     60s
  # [required]
--- a/internal/hydra/hydra.go
+++ b/internal/hydra/hydra.go
@ -26,6 +26,8 @@ var (
 	ErrChallengeNotFound = errors.New("challenge not found")
 	// ErrChallengeExpired is an error that happens when a challenge is already used.
 	ErrChallengeExpired = errors.New("challenge expired")
+	//ErrServiceUnavailable is an error that happens when the hydra admin service is not available
+	ErrServiceUnavailable = errors.New("Hydra service is Unavailable")
 )

 type reqType string
@ -52,6 +54,7 @@ func initiateRequest(typ reqType, hydraURL string, fakeTLSTermination bool, chal
 	if err != nil {
 		return nil, err
 	}
+
 	u, err := parseURL(hydraURL)
 	if err != nil {
 		return nil, err
@ -145,6 +148,8 @@ func checkResponse(resp *http.Response) error {
 		return ErrChallengeNotFound
 	case 409:
 		return ErrChallengeExpired
+	case 503:
+		return ErrServiceUnavailable
 	default:
 		var rs struct {
 			Message string `json:"error"`
--- a/internal/identp/identp.go
+++ b/internal/identp/identp.go
@ -11,6 +11,7 @@ package identp

 import (
 	"context"
+	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@ -127,7 +128,8 @@ func newLoginStartHandler(rproc oa2LoginReqProcessor, tmplRenderer TemplateRende
 				return
 			}
 			log.Infow("Failed to initiate an OAuth2 login request", zap.Error(err), "challenge", challenge)
-			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			errMsg := fmt.Sprintf("%s - %s - %s", http.StatusText(http.StatusInternalServerError), err, errors.Cause(err))
+			http.Error(w, errMsg, http.StatusInternalServerError)
 			return
 		}
 		log.Infow("A login request is initiated", "challenge", challenge, "username", ri.Subject)
--- a/internal/ldapclient/ldapclient.go
+++ b/internal/ldapclient/ldapclient.go
@ -48,19 +48,20 @@ type connector interface {

 // Config is a LDAP configuration.
 type Config struct {
-	Endpoints       []string          `envconfig:"endpoints" required:"true" desc:"a LDAP's server URLs as \"<address>:<port>\""`
-	BindDN          string            `envconfig:"binddn" desc:"a LDAP bind DN"`
-	BindPass        string            `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
-	BaseDN          string            `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
-	UserSearchQuery string            `envconfig:"user_search_query" desc:"the user search query" default:"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"`
-	AttrClaims      map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
-	RoleBaseDN      string            `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
-	RoleSearchQuery string            `envconfig:"role_search_query" desc:"the role search query" default:"(|(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s)))"`
-	RoleAttr        string            `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
-	RoleClaim       string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
-	CacheSize       int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
-	CacheTTL        time.Duration     `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
-	IsTLS           bool              `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
+	Endpoints         []string          `envconfig:"endpoints" required:"true" desc:"a LDAP's server URLs as \"<address>:<port>\""`
+	BindDN            string            `envconfig:"binddn" desc:"a LDAP bind DN"`
+	BindPass          string            `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
+	BaseDN            string            `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
+	UserSearchQuery   string            `envconfig:"user_search_query" desc:"the user search query" default:"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"`
+	AttrClaims        map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
+	RoleBaseDN        string            `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
+	RoleSearchQuery   string            `envconfig:"role_search_query" desc:"the role search query" default:"(|(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s)))"`
+	RoleAttr          string            `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
+	RoleClaim         string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
+	CacheSize         int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
+	CacheTTL          time.Duration     `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
+	IsTLS             bool              `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
+	ConnectionTimeout time.Duration     `envconfig:"connection_timeout" default:"60s" desc:"LDAP server connection timeout"`
 }

 // Client is a LDAP client (compatible with Active Directory).
@ -75,11 +76,12 @@ func New(cnf Config) *Client {
 	return &Client{
 		Config: cnf,
 		connector: &ldapConnector{
-			BaseDN:          cnf.BaseDN,
-			UserSearchQuery: cnf.UserSearchQuery,
-			RoleBaseDN:      cnf.RoleBaseDN,
-			IsTLS:           cnf.IsTLS,
-			RoleSearchQuery: cnf.RoleSearchQuery,
+			BaseDN:            cnf.BaseDN,
+			UserSearchQuery:   cnf.UserSearchQuery,
+			RoleBaseDN:        cnf.RoleBaseDN,
+			IsTLS:             cnf.IsTLS,
+			RoleSearchQuery:   cnf.RoleSearchQuery,
+			ConnectionTimeout: cnf.ConnectionTimeout,
 		},
 		cache: freecache.NewCache(cnf.CacheSize * 1024),
 	}
@ -291,15 +293,16 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
 }

 type ldapConnector struct {
-	BaseDN          string
-	RoleBaseDN      string
-	IsTLS           bool
-	UserSearchQuery string
-	RoleSearchQuery string
+	BaseDN            string
+	RoleBaseDN        string
+	IsTLS             bool
+	UserSearchQuery   string
+	RoleSearchQuery   string
+	ConnectionTimeout time.Duration
 }

 func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
-	d := net.Dialer{Timeout: ldap.DefaultTimeout}
+	d := net.Dialer{Timeout: c.ConnectionTimeout}
 	tcpcn, err := d.DialContext(ctx, "tcp", addr)
 	if err != nil {
 		return nil, err
Author	SHA1	Message	Date
Philippe Caseiro	e3dc22d9a0	feat(ssl): adding support for ssl certificate ignore. Cadoles/hydra-werther/pipeline/head This commit looks good Details	2023-12-06 11:47:07 +01:00
wpetit	592749eebf	Merge pull request 'Délai de connexion au serveur LDAP configurable' (#2 ) from ldap-configurable-timeout into develop Cadoles/hydra-werther/pipeline/head This commit looks good Details Reviewed-on: #2	2023-12-06 11:45:30 +01:00
wpetit	24b66a12ef	feat: add configurable ldap connection timeout Cadoles/hydra-werther/pipeline/head This commit looks good Details Cadoles/hydra-werther/pipeline/pr-develop This commit looks good Details	2023-12-06 11:43:58 +01:00