outposts/ldap: add dockerfile

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-04-26 15:35:56 +02:00 · 2021-04-26 15:35:56 +02:00 · 91ca90f700
parent b3c8ffb96c
commit 91ca90f700
7 changed files with 72 additions and 14 deletions
--- a/outpost/azure-pipelines.yml
+++ b/outpost/azure-pipelines.yml
@ -51,9 +51,9 @@ stages:
              script: |
                docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s
              workingDirectory: 'outpost/'
-  - stage: proxy_build_go
+  - stage: build_go
    jobs:
-      - job: build_go
+      - job: proxy_build_go
        pool:
          vmImage: 'ubuntu-latest'
        steps:
@ -70,9 +70,26 @@ stages:
              command: 'build'
              arguments: './cmd/proxy'
              workingDirectory: 'outpost/'
-  - stage: proxy_build_docker
+      - job: ldap_build_go
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: GoTool@0
            inputs:
              version: '1.16.3'
          - task: DownloadPipelineArtifact@2
            inputs:
              buildType: 'current'
              artifactName: 'go_swagger_client'
              path: "outpost/pkg/"
          - task: Go@0
            inputs:
              command: 'build'
              arguments: './cmd/ldap'
              workingDirectory: 'outpost/'
  - stage: build_docker
    jobs:
-      - job: build
+      - job: proxy_build_docker
        pool:
          vmImage: 'ubuntu-latest'
        steps:
@ -97,3 +114,28 @@ stages:
              Dockerfile: 'outpost/proxy.Dockerfile'
              buildContext: 'outpost/'
              tags: "gh-$(branchName)"
      - job: ldap_build_docker
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: GoTool@0
            inputs:
              version: '1.16.3'
          - task: DownloadPipelineArtifact@2
            inputs:
              buildType: 'current'
              artifactName: 'go_swagger_client'
              path: "outpost/pkg/"
          - task: Bash@3
            inputs:
              targetType: 'inline'
              script: |
                python ./scripts/az_do_set_branch.py
          - task: Docker@2
            inputs:
              containerRegistry: 'beryjuorg-harbor'
              repository: 'authentik/outpost-ldap'
              command: 'buildAndPush'
              Dockerfile: 'outpost/ldap.Dockerfile'
              buildContext: 'outpost/'
              tags: "gh-$(branchName)"
--- a/outpost/ldap.Dockerfile
+++ b/outpost/ldap.Dockerfile
@ -0,0 +1,13 @@
 FROM golang:1.16.3 AS builder
 WORKDIR /work
 COPY . .
 RUN go build -o /work/ldap ./cmd/ldap
 FROM gcr.io/distroless/base-debian10:debug
 COPY --from=builder /work/ldap /
 ENTRYPOINT ["/ldap"]
--- a/outpost/pkg/ldap/api.go
+++ b/outpost/pkg/ldap/api.go
@ -28,7 +28,7 @@ func (ls *LDAPServer) Refresh() error {
 			appSlug:  *provider.ApplicationSlug,
 			flowSlug: *provider.BindFlowSlug,
 			s:        ls,
-			log:      log.WithField("provider", provider.Name),
+			log:      log.WithField("logger", "authentik.outpost.ldap").WithField("provider", provider.Name),
 		}
 	}
 	ls.providers = providers
--- a/outpost/pkg/ldap/bind.go
+++ b/outpost/pkg/ldap/bind.go
@ -6,15 +6,9 @@ import (
 	"github.com/nmcclain/ldap"
 )
 type UIDResponse struct {
 	UIDFIeld string `json:"uid_field"`
 }
 type PasswordResponse struct {
 	Password string `json:"password"`
 }
 func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
 	ls.log.WithField("dn", bindDN).Info("bind")
 	for _, instance := range ls.providers {
 		username, err := instance.getUsername(bindDN)
 		if err == nil {
--- a/outpost/pkg/ldap/instance_bind.go
+++ b/outpost/pkg/ldap/instance_bind.go
@ -16,6 +16,14 @@ import (
 	"goauthentik.io/outpost/pkg/client/flows"
 )
 type UIDResponse struct {
 	UIDFIeld string `json:"uid_field"`
 }
 type PasswordResponse struct {
 	Password string `json:"password"`
 }
 func (pi *ProviderInstance) getUsername(dn string) (string, error) {
 	if !strings.HasSuffix(dn, pi.BaseDN) {
 		return "", errors.New("invalid base DN")
@ -59,7 +67,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
 	if err != nil {
 		if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
 			pi.log.WithField("dn", username).Info("Access denied for user")
-			return ldap.LDAPResultInvalidCredentials, nil
+			return ldap.LDAPResultInsufficientAccessRights, nil
 		}
 		pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
--- a/outpost/pkg/ldap/ldap.go
+++ b/outpost/pkg/ldap/ldap.go
@ -35,7 +35,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
 	s.EnforceLDAP = true
 	ls := &LDAPServer{
 		s:         s,
-		log:       log.WithField("logger", "ldap-server"),
+		log:       log.WithField("logger", "authentik.outpost.ldap"),
 		ac:        ac,
 		providers: []*ProviderInstance{},
 	}
--- a/outpost/pkg/ldap/search.go
+++ b/outpost/pkg/ldap/search.go
@ -9,6 +9,7 @@ import (
 )
 func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
 	ls.log.WithField("dn", boundDN).Info("search")
 	bd, err := goldap.ParseDN(boundDN)
 	if err != nil {
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")