Cadoles/hydra-werther
10
0
Fork 0
Code Issues Pull Requests Projects Releases 4 Wiki Activity

Compare commits

base: Cadoles:v1.0.0
Branches Tags
Cadoles:develop Cadoles:master Cadoles:staging Cadoles:dist/ubuntu/bionic/develop Cadoles:dist/ubuntu/bionic/staging
Cadoles:2025.2.17-stable.1544.8ded23c Cadoles:2025.2.17-testing.1544.8ded23c Cadoles:2025.2.17-develop.1544.8ded23c Cadoles:2023.12.6-stable.1421.15a4717 Cadoles:2023.12.6-testing.1421.15a4717 Cadoles:2023.12.6-develop.1421.15a4717 Cadoles:2023.12.6-develop.1447.7edc889 Cadoles:2023.12.6-develop.1347.7edc889 Cadoles:2023.12.6-jenkinsrelease.1334.b9bc218 Cadoles:2023.12.6-develop.1202.d74f812 Cadoles:pkg/staging/ubuntu-bionic/1.2.1-2 Cadoles:pkg/dev/ubuntu-bionic/1.2.1-4 Cadoles:pkg/dev/ubuntu-bionic/1.2.1-3 Cadoles:pkg/staging/ubuntu-bionic/1.2.1-1 Cadoles:pkg/dev/ubuntu-bionic/1.2.1-2 Cadoles:pkg/dev/ubuntu-bionic/1.2.1-0 Cadoles:pkg/staging/ubuntu-bionic/1.2.1-0 Cadoles:pkg/deb/ubuntu-bionic/1.2.1-0 Cadoles:v1.2.1 Cadoles:v1.2.0 Cadoles:v1.1.1 Cadoles:v1.1.0 Cadoles:v1.0.1 Cadoles:v1.0.0 Cadoles:1.2.1-2-7-gd74f812 Cadoles:1.2.1-2-6-g885d18e Cadoles:1.2.1-2-4-g592749e Cadoles:1.2.1-2-2-g194c186 Cadoles:1.2.1-2-1-gb940aae
..
compare: Cadoles:v1.1.1
Branches Tags
Cadoles:develop Cadoles:master Cadoles:staging Cadoles:dist/ubuntu/bionic/develop Cadoles:dist/ubuntu/bionic/staging
Cadoles:2025.2.17-stable.1544.8ded23c Cadoles:2025.2.17-testing.1544.8ded23c Cadoles:2025.2.17-develop.1544.8ded23c Cadoles:2023.12.6-stable.1421.15a4717 Cadoles:2023.12.6-testing.1421.15a4717 Cadoles:2023.12.6-develop.1421.15a4717 Cadoles:2023.12.6-develop.1447.7edc889 Cadoles:2023.12.6-develop.1347.7edc889 Cadoles:2023.12.6-jenkinsrelease.1334.b9bc218 Cadoles:2023.12.6-develop.1202.d74f812 Cadoles:pkg/staging/ubuntu-bionic/1.2.1-2 Cadoles:pkg/dev/ubuntu-bionic/1.2.1-4 Cadoles:pkg/dev/ubuntu-bionic/1.2.1-3 Cadoles:pkg/staging/ubuntu-bionic/1.2.1-1 Cadoles:pkg/dev/ubuntu-bionic/1.2.1-2 Cadoles:pkg/dev/ubuntu-bionic/1.2.1-0 Cadoles:pkg/staging/ubuntu-bionic/1.2.1-0 Cadoles:pkg/deb/ubuntu-bionic/1.2.1-0 Cadoles:v1.2.1 Cadoles:v1.2.0 Cadoles:v1.1.1 Cadoles:v1.1.0 Cadoles:v1.0.1 Cadoles:v1.0.0 Cadoles:1.2.1-2-7-gd74f812 Cadoles:1.2.1-2-6-g885d18e Cadoles:1.2.1-2-4-g592749e Cadoles:1.2.1-2-2-g194c186 Cadoles:1.2.1-2-1-gb940aae

7 Commits
v1.0.0 ... v1.1.1

Author SHA1 Message Date
Nikolay Stupak
9ffd6c0747 web: include UI fonts to the static 2019-11-28 16:25:51 +03:00
kf_dolgopolov
8381b9226e upgrade golang version at Dockerfile according to version from go.mod 2019-11-07 16:23:17 +03:00
Nikolay Stupak
949b123e92 add support of group/groupOfNames/groupOfUniqueNames (#6) 2019-11-01 16:24:24 +03:00
Kirill Freiman
d8c1f4795d added ldap tls connection support (#5) 2019-11-01 15:47:58 +03:00
Nikolay Stupak
b9a1c627a5 identp: fix retrieving the roles claim 2019-08-06 14:19:02 +03:00
dre2004
ee865701c8 Readme alterations 
YAML needed additional indenting for it to work with docker compose, also the "-c" flag is required.
 2019-07-26 20:20:19 +03:00
Nikolay Stupak
6d7dee6175 build: fix loading golangci-lint 2019-07-26 19:21:04 +03:00
12 changed files with 535 additions and 96 deletions
Expand all files Collapse all files

2
.travis.yml
View File

@ -17,7 +17,7 @@ cache:
- "$GOPATH/pkg/mod"
- "$GOPATH/bin"
install: "(cd $HOME && go get -v github.com/golangci/golangci-lint/cmd/golangci-lint@v1.16.0)"
install: curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.16.0
script:
- go test -v -coverprofile=coverage.txt ./...

2
Dockerfile
View File

@ -3,7 +3,7 @@
# This source code is licensed under the MIT license found in the
# LICENSE file in the root directory of this source tree.
FROM golang:1.12-alpine AS build
FROM golang:1.13-alpine AS build
ARG VERSION
ARG GOPROXY

180
README.md
View File

@ -98,6 +98,15 @@ of the user role's claim `https://github.com/i-core/werther/claims/roles`.
```
To customize the roles claim's name you should set a value of the environment variable `WERTHER_LDAP_ROLE_CLAIM`.
Also you should map the custom name of the roles' claim to a roles's scope using the environment variable
`WERTHER_IDENTP_CLAIM_SCOPES` (the name must be [URL encoded][uri-spec-encoding]):
```bash
env WERTHER_LDAP_ROLE_CLAIM=https://my-company.com/claims/roles \
WERTHER_IDENTP_CLAIM_SCOPES=name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fmy-company.com%2Fclaims%2Froles:roles \
werther
```
For more details about claims naming see [OpenID Connect Core 1.0][oidc-spec-additional-claims].
**NB** There are cases when we need to create several roles with the same name in LDAP.
@ -204,93 +213,98 @@ For a full example of a login page's template see [source code](internal/web/tem
```yaml
version: "3"
services:
hydra-client:
image: oryd/hydra:v1.0.0-rc.12
environment:
HYDRA_ADMIN_URL: http://hydra:4445
command:
- clients
- create
- --skip-tls-verify
- --id
- test-client
- --secret
- test-secret
- --response-types
- id_token,token,"id_token token"
- --grant-types
- implicit
- --scope
- openid,profile,email
- --callbacks
- http://localhost:3000
- --post-logout-callbacks
- http://localhost:3000/post-logout-callback
networks:
- hydra-net
deploy:
restart_policy:
condition: none
depends_on:
- hydra
hydra:
image: oryd/hydra:v1.0.0-rc.12
environment:
URLS_SELF_ISSUER: http://localhost:4444
URLS_SELF_PUBLIC: http://localhost:4444
URLS_LOGIN: http://localhost:8080/auth/login
URLS_CONSENT: http://localhost:8080/auth/consent
URLS_LOGOUT: http://localhost:8080/auth/logout
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
DSN: memory
command: serve all --dangerous-force-http
networks:
- hydra-net
ports:
- "4444:4444"
- "4445:4445"
deploy:
restart_policy:
condition: on-failure
depends_on:
- werther
werther:
image: icoreru/werther:v1.0.0
environment:
WERTHER_IDENTP_HYDRA_URL: http://hydra:4445
WERTHER_LDAP_ENDPOINTS: ldap:389
WERTHER_LDAP_BINDDN: cn=admin,dc=example,dc=com
WERTHER_LDAP_BINDPW: password
WERTHER_LDAP_BASEDN: "dc=example,dc=com"
WERTHER_LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
networks:
- hydra-net
ports:
- "8080:8080"
deploy:
restart_policy:
condition: on-failure
depends_on:
- ldap
ldap:
image: pgarrett/ldap-alpine
volumes:
- "./ldap.ldif:/ldif/ldap.ldif"
networks:
- hydra-net
ports:
- "389:389"
deploy:
restart_policy:
condition: on-failure
hydra-client:
image: oryd/hydra:v1.0.0-rc.12
environment:
HYDRA_ADMIN_URL: http://hydra:4445
command:
- clients
- create
- --skip-tls-verify
- --id
- test-client
- --secret
- test-secret
- --response-types
- id_token,token,"id_token token"
- --grant-types
- implicit
- --scope
- openid,profile,email
- --callbacks
- http://localhost:3000
- --post-logout-callbacks
- http://localhost:3000/post-logout-callback
networks:
- hydra-net
deploy:
restart_policy:
condition: none
depends_on:
- hydra
healthcheck:
test: ["CMD", "curl", "-f", "http://hydra:4445"]
interval: 10s
timeout: 10s
retries: 10
hydra:
image: oryd/hydra:v1.0.0-rc.12
environment:
URLS_SELF_ISSUER: http://localhost:4444
URLS_SELF_PUBLIC: http://localhost:4444
URLS_LOGIN: http://localhost:8080/auth/login
URLS_CONSENT: http://localhost:8080/auth/consent
URLS_LOGOUT: http://localhost:8080/auth/logout
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
DSN: memory
command: serve all --dangerous-force-http
networks:
- hydra-net
ports:
- "4444:4444"
- "4445:4445"
deploy:
restart_policy:
condition: on-failure
depends_on:
- werther
werther:
image: icoreru/werther:v1.0.0
environment:
WERTHER_IDENTP_HYDRA_URL: http://hydra:4445
WERTHER_LDAP_ENDPOINTS: ldap:389
WERTHER_LDAP_BINDDN: cn=admin,dc=example,dc=com
WERTHER_LDAP_BINDPW: password
WERTHER_LDAP_BASEDN: "dc=example,dc=com"
WERTHER_LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
networks:
- hydra-net
ports:
- "8080:8080"
deploy:
restart_policy:
condition: on-failure
depends_on:
- ldap
ldap:
image: pgarrett/ldap-alpine
volumes:
- "./ldap.ldif:/ldif/ldap.ldif"
networks:
- hydra-net
ports:
- "389:389"
deploy:
restart_policy:
condition: on-failure
networks:
hydra-net:
```
3. Run the command:
```bash
docker stack deploy docker-compose.yml auth
docker stack deploy -c docker-compose.yml auth
```
4. Open the browser with http://localhost:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678.
@ -347,4 +361,6 @@ The code in this project is licensed under [MIT license][license].
[oidc-spec-additional-claims]: https://openid.net/specs/openid-connect-core-1_0.html#AdditionalClaims
[oidc-spec-session]: https://openid.net/specs/openid-connect-session-1_0.html
[oidc-spec-front-channel-logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
[oidc-spec-back-channel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
[oidc-spec-back-channel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
[uri-spec-encoding]: https://tools.ietf.org/html/rfc3986#section-2

5
cmd/werther/main.go
View File

@ -11,6 +11,7 @@ import (
"flag"
"fmt"
"net/http"
"net/url"
"os"
"github.com/i-core/rlog"
@ -58,6 +59,10 @@ func main() {
fmt.Fprintf(os.Stderr, "Invalid configuration: %s\n", err)
os.Exit(1)
}
if _, ok := cnf.Identp.ClaimScopes[url.QueryEscape(cnf.LDAP.RoleClaim)]; !ok {
fmt.Fprintf(os.Stderr, "Roles claim %q has no mapping to an OpenID Connect scope\n", cnf.LDAP.RoleClaim)
os.Exit(1)
}
logFunc := zap.NewProduction
if cnf.DevMode {

2
go.mod
View File

@ -19,3 +19,5 @@ require (
gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225 // indirect
gopkg.in/ldap.v2 v2.5.1
)
go 1.13

2
internal/identp/identp.go
View File

@ -29,7 +29,7 @@ const loginTmplName = "login.tmpl"
type Config struct {
HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,http%3A%2F%2Ffithub.com%2Fi-core.ru%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
}
// UserManager is an interface that is used for authentication and providing user's claims.

22
internal/ldapclient/ldapclient.go
View File

@ -9,6 +9,7 @@ package ldapclient
import (
"context"
"crypto/tls"
"encoding/json"
"fmt"
"net"
@ -57,6 +58,7 @@ type Config struct {
RoleClaim string `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
CacheSize int `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
CacheTTL time.Duration `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
IsTLS bool `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
}
// Client is a LDAP client (compatible with Active Directory).
@ -70,7 +72,7 @@ type Client struct {
func New(cnf Config) *Client {
return &Client{
Config: cnf,
connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN},
connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, IsTLS: cnf.IsTLS},
cache: freecache.NewCache(cnf.CacheSize * 1024),
}
}
@ -296,6 +298,7 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
type ldapConnector struct {
BaseDN string
RoleBaseDN string
IsTLS bool
}
func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
@ -304,7 +307,17 @@ func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error)
if err != nil {
return nil, err
}
ldapcn := ldap.NewConn(tcpcn, false)
if c.IsTLS {
tlscn, err := tls.DialWithDialer(&d, "tcp", addr, nil)
if err != nil {
return nil, err
}
tcpcn = tlscn
}
ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
ldapcn.Start()
return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
}
@ -331,7 +344,10 @@ func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interf
}
func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
query := fmt.Sprintf("(&(objectClass=group)(member=%s))", user)
query := fmt.Sprintf("(|"+
"(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))"+
"(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s))"+
")", user)
return c.searchEntries(c.RoleBaseDN, query, attrs)
}

376
internal/web/templates.go
View File

File diff suppressed because one or more lines are too long

BIN
internal/web/templates/static/fonts/Roboto-Light.ttf Normal file
View File

Binary file not shown.

BIN
internal/web/templates/static/fonts/Roboto-Light.woff Normal file
View File

Binary file not shown.

BIN
internal/web/templates/static/fonts/Roboto-Light.woff2 Normal file
View File

Binary file not shown.

40
internal/web/templates/static/style.css
View File

@ -1,4 +1,40 @@
@import url(https://fonts.googleapis.com/css?family=Roboto:300);
/* cyrillic-ext */
@font-face {
font-family: 'Roboto';
font-style: normal;
font-weight: 400;
src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
}
/* cyrillic */
@font-face {
font-family: 'Roboto';
font-style: normal;
font-weight: 400;
src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
}
/* latin-ext */
@font-face {
font-family: 'Roboto';
font-style: normal;
font-weight: 400;
src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
}
/* latin */
@font-face {
font-family: 'Roboto';
font-style: normal;
font-weight: 400;
src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC,
U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
html {
box-sizing: border-box;
@ -88,7 +124,7 @@ html {
}
.form button:active {
background: #2384a3;
background: #2384a3;
}
.form .message {