Compare commits

...

3 Commits

Author SHA1 Message Date
Philippe Caseiro e3dc22d9a0 feat(ssl): adding support for ssl certificate ignore.
Cadoles/hydra-werther/pipeline/head This commit looks good Details
2023-12-06 11:47:07 +01:00
wpetit 592749eebf Merge pull request 'Délai de connexion au serveur LDAP configurable' (#2) from ldap-configurable-timeout into develop
Cadoles/hydra-werther/pipeline/head This commit looks good Details
Reviewed-on: #2
2023-12-06 11:45:30 +01:00
wpetit 24b66a12ef feat: add configurable ldap connection timeout
Cadoles/hydra-werther/pipeline/head This commit looks good Details
Cadoles/hydra-werther/pipeline/pr-develop This commit looks good Details
2023-12-06 11:43:58 +01:00
5 changed files with 54 additions and 30 deletions

View File

@ -14,6 +14,8 @@ import (
"net/url" "net/url"
"os" "os"
"crypto/tls"
"github.com/i-core/rlog" "github.com/i-core/rlog"
"github.com/i-core/routegroup" "github.com/i-core/routegroup"
"github.com/i-core/werther/internal/identp" "github.com/i-core/werther/internal/identp"
@ -30,8 +32,9 @@ var version = ""
// Config is a server's configuration. // Config is a server's configuration.
type Config struct { type Config struct {
DevMode bool `envconfig:"dev_mode" default:"false" desc:"a development mode"` DevMode bool `envconfig:"dev_mode" default:"false" desc:"Enable development mode"`
Listen string `default:":8080" desc:"a host and port to listen on (<host>:<port>)"` Listen string `default:":8080" desc:"a host and port to listen on (<host>:<port>)"`
SkipSSLVerifications bool `envconfig:"skip_ssl_verifications" default:"false" desc:"Disable all ssl verifications if true"`
Identp identp.Config Identp identp.Config
LDAP ldapclient.Config LDAP ldapclient.Config
Web web.Config Web web.Config
@ -80,6 +83,11 @@ func main() {
os.Exit(1) os.Exit(1)
} }
if cnf.SkipSSLVerifications {
log.Warn("All ssl verifications are disabled !")
http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
}
ldap := ldapclient.New(cnf.LDAP) ldap := ldapclient.New(cnf.LDAP)
router := routegroup.NewRouter(nosurf.NewPure, rlog.NewMiddleware(log)) router := routegroup.NewRouter(nosurf.NewPure, rlog.NewMiddleware(log))

View File

@ -117,3 +117,9 @@ WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=myorg,dc=com
# [type] String # [type] String
# [default] / # [default] /
# [required] # [required]
#WERTHER_LDAP_CONNECTION_TIMEOUT=
# [description] LDAP server connection timeout
# [type] Duration
# [default] 60s
# [required]

View File

@ -26,6 +26,8 @@ var (
ErrChallengeNotFound = errors.New("challenge not found") ErrChallengeNotFound = errors.New("challenge not found")
// ErrChallengeExpired is an error that happens when a challenge is already used. // ErrChallengeExpired is an error that happens when a challenge is already used.
ErrChallengeExpired = errors.New("challenge expired") ErrChallengeExpired = errors.New("challenge expired")
//ErrServiceUnavailable is an error that happens when the hydra admin service is not available
ErrServiceUnavailable = errors.New("Hydra service is Unavailable")
) )
type reqType string type reqType string
@ -52,6 +54,7 @@ func initiateRequest(typ reqType, hydraURL string, fakeTLSTermination bool, chal
if err != nil { if err != nil {
return nil, err return nil, err
} }
u, err := parseURL(hydraURL) u, err := parseURL(hydraURL)
if err != nil { if err != nil {
return nil, err return nil, err
@ -145,6 +148,8 @@ func checkResponse(resp *http.Response) error {
return ErrChallengeNotFound return ErrChallengeNotFound
case 409: case 409:
return ErrChallengeExpired return ErrChallengeExpired
case 503:
return ErrServiceUnavailable
default: default:
var rs struct { var rs struct {
Message string `json:"error"` Message string `json:"error"`

View File

@ -11,6 +11,7 @@ package identp
import ( import (
"context" "context"
"fmt"
"net/http" "net/http"
"net/url" "net/url"
"strings" "strings"
@ -127,7 +128,8 @@ func newLoginStartHandler(rproc oa2LoginReqProcessor, tmplRenderer TemplateRende
return return
} }
log.Infow("Failed to initiate an OAuth2 login request", zap.Error(err), "challenge", challenge) log.Infow("Failed to initiate an OAuth2 login request", zap.Error(err), "challenge", challenge)
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) errMsg := fmt.Sprintf("%s - %s - %s", http.StatusText(http.StatusInternalServerError), err, errors.Cause(err))
http.Error(w, errMsg, http.StatusInternalServerError)
return return
} }
log.Infow("A login request is initiated", "challenge", challenge, "username", ri.Subject) log.Infow("A login request is initiated", "challenge", challenge, "username", ri.Subject)

View File

@ -61,6 +61,7 @@ type Config struct {
CacheSize int `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"` CacheSize int `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
CacheTTL time.Duration `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"` CacheTTL time.Duration `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
IsTLS bool `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"` IsTLS bool `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
ConnectionTimeout time.Duration `envconfig:"connection_timeout" default:"60s" desc:"LDAP server connection timeout"`
} }
// Client is a LDAP client (compatible with Active Directory). // Client is a LDAP client (compatible with Active Directory).
@ -80,6 +81,7 @@ func New(cnf Config) *Client {
RoleBaseDN: cnf.RoleBaseDN, RoleBaseDN: cnf.RoleBaseDN,
IsTLS: cnf.IsTLS, IsTLS: cnf.IsTLS,
RoleSearchQuery: cnf.RoleSearchQuery, RoleSearchQuery: cnf.RoleSearchQuery,
ConnectionTimeout: cnf.ConnectionTimeout,
}, },
cache: freecache.NewCache(cnf.CacheSize * 1024), cache: freecache.NewCache(cnf.CacheSize * 1024),
} }
@ -296,10 +298,11 @@ type ldapConnector struct {
IsTLS bool IsTLS bool
UserSearchQuery string UserSearchQuery string
RoleSearchQuery string RoleSearchQuery string
ConnectionTimeout time.Duration
} }
func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) { func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
d := net.Dialer{Timeout: ldap.DefaultTimeout} d := net.Dialer{Timeout: c.ConnectionTimeout}
tcpcn, err := d.DialContext(ctx, "tcp", addr) tcpcn, err := d.DialContext(ctx, "tcp", addr)
if err != nil { if err != nil {
return nil, err return nil, err