add support of group/groupOfNames/groupOfUniqueNames (#6 )

added ldap tls connection support (#5 )
identp: fix retrieving the roles claim
2019-11-01 16:24:24 +03:00 · 2019-11-01 15:47:58 +03:00 · 2019-08-06 14:19:02 +03:00 · 2019-07-26 20:20:19 +03:00 · 2019-07-26 19:21:04 +03:00
6 changed files with 126 additions and 87 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -17,7 +17,7 @@ cache:
    - "$GOPATH/pkg/mod"
    - "$GOPATH/bin"

-install: "(cd $HOME && go get -v github.com/golangci/golangci-lint/cmd/golangci-lint@v1.16.0)"
+install: curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.16.0

 script:
  - go test -v -coverprofile=coverage.txt ./...
--- a/README.md
+++ b/README.md
@ -98,6 +98,15 @@ of the user role's claim `https://github.com/i-core/werther/claims/roles`.
 ```

 To customize the roles claim's name you should set a value of the environment variable `WERTHER_LDAP_ROLE_CLAIM`.
+Also you should map the custom name of the roles' claim to a roles's scope using the environment variable
+`WERTHER_IDENTP_CLAIM_SCOPES` (the name must be [URL encoded][uri-spec-encoding]):
+
+```bash
+env WERTHER_LDAP_ROLE_CLAIM=https://my-company.com/claims/roles                                                                                     \
+    WERTHER_IDENTP_CLAIM_SCOPES=name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fmy-company.com%2Fclaims%2Froles:roles \
+    werther
+```
+
 For more details about claims naming see [OpenID Connect Core 1.0][oidc-spec-additional-claims].

 **NB** There are cases when we need to create several roles with the same name in LDAP.
@ -233,6 +242,11 @@ For a full example of a login page's template see [source code](internal/web/tem
                    condition: none
            depends_on:
                - hydra
+            healthcheck:
+                test: ["CMD", "curl", "-f", "http://hydra:4445"]
+                interval: 10s
+                timeout: 10s
+                retries: 10
        hydra:
            image: oryd/hydra:v1.0.0-rc.12
            environment:
@ -290,7 +304,7 @@ For a full example of a login page's template see [source code](internal/web/tem

 3. Run the command:
    ```bash
-    docker stack deploy docker-compose.yml auth
+    docker stack deploy -c docker-compose.yml auth
    ```

 4. Open the browser with http://localhost:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678.
@ -348,3 +362,5 @@ The code in this project is licensed under [MIT license][license].
 [oidc-spec-session]: https://openid.net/specs/openid-connect-session-1_0.html
 [oidc-spec-front-channel-logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
 [oidc-spec-back-channel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
+
+[uri-spec-encoding]: https://tools.ietf.org/html/rfc3986#section-2
--- a/cmd/werther/main.go
+++ b/cmd/werther/main.go
@ -11,6 +11,7 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"

 	"github.com/i-core/rlog"
@ -58,6 +59,10 @@ func main() {
 		fmt.Fprintf(os.Stderr, "Invalid configuration: %s\n", err)
 		os.Exit(1)
 	}
+	if _, ok := cnf.Identp.ClaimScopes[url.QueryEscape(cnf.LDAP.RoleClaim)]; !ok {
+		fmt.Fprintf(os.Stderr, "Roles claim %q has no mapping to an OpenID Connect scope\n", cnf.LDAP.RoleClaim)
+		os.Exit(1)
+	}

 	logFunc := zap.NewProduction
 	if cnf.DevMode {
--- a/go.mod
+++ b/go.mod
@ -19,3 +19,5 @@ require (
 	gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225 // indirect
 	gopkg.in/ldap.v2 v2.5.1
 )
+
+go 1.13
--- a/internal/identp/identp.go
+++ b/internal/identp/identp.go
@ -29,7 +29,7 @@ const loginTmplName = "login.tmpl"
 type Config struct {
 	HydraURL    string            `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
 	SessionTTL  time.Duration     `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
-	ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,http%3A%2F%2Ffithub.com%2Fi-core.ru%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
+	ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
 }

 // UserManager is an interface that is used for authentication and providing user's claims.
--- a/internal/ldapclient/ldapclient.go
+++ b/internal/ldapclient/ldapclient.go
@ -9,6 +9,7 @@ package ldapclient

 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net"
@ -57,6 +58,7 @@ type Config struct {
 	RoleClaim  string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
 	CacheSize  int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
 	CacheTTL   time.Duration     `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
+	IsTLS      bool              `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
 }

 // Client is a LDAP client (compatible with Active Directory).
@ -70,7 +72,7 @@ type Client struct {
 func New(cnf Config) *Client {
 	return &Client{
 		Config:    cnf,
-		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN},
+		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, IsTLS: cnf.IsTLS},
 		cache:     freecache.NewCache(cnf.CacheSize * 1024),
 	}
 }
@ -296,6 +298,7 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
 type ldapConnector struct {
 	BaseDN     string
 	RoleBaseDN string
+	IsTLS      bool
 }

 func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
@ -304,7 +307,17 @@ func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error)
 	if err != nil {
 		return nil, err
 	}
-	ldapcn := ldap.NewConn(tcpcn, false)
+
+	if c.IsTLS {
+		tlscn, err := tls.DialWithDialer(&d, "tcp", addr, nil)
+		if err != nil {
+			return nil, err
+		}
+		tcpcn = tlscn
+	}
+
+	ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
+
 	ldapcn.Start()
 	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
 }
@ -331,7 +344,10 @@ func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interf
 }

 func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
-	query := fmt.Sprintf("(&(objectClass=group)(member=%s))", user)
+	query := fmt.Sprintf("(|"+
+		"(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))"+
+		"(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s))"+
+		")", user)
 	return c.searchEntries(c.RoleBaseDN, query, attrs)
 }
Author	SHA1	Message	Date
Nikolay Stupak	949b123e92	add support of group/groupOfNames/groupOfUniqueNames (#6 )	2019-11-01 16:24:24 +03:00
Kirill Freiman	d8c1f4795d	added ldap tls connection support (#5 )	2019-11-01 15:47:58 +03:00
Nikolay Stupak	b9a1c627a5	identp: fix retrieving the roles claim	2019-08-06 14:19:02 +03:00
dre2004	ee865701c8	Readme alterations YAML needed additional indenting for it to work with docker compose, also the "-c" flag is required.	2019-07-26 20:20:19 +03:00
Nikolay Stupak	6d7dee6175	build: fix loading golangci-lint	2019-07-26 19:21:04 +03:00