* [gentoo-commits] repo/gentoo:master commit in: sys-auth/docker_auth/files/
@ 2016-12-25 13:08 Manuel Rüger
0 siblings, 0 replies; 4+ messages in thread
From: Manuel Rüger @ 2016-12-25 13:08 UTC (permalink / raw
To: gentoo-commits
commit: c15c135426948c0d79253539682fcc49de2853a2
Author: Manuel Rüger <mrueg <AT> gentoo <DOT> org>
AuthorDate: Sun Dec 25 13:08:14 2016 +0000
Commit: Manuel Rüger <mrueg <AT> gentoo <DOT> org>
CommitDate: Sun Dec 25 13:08:14 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c15c1354
sys-auth/docker_auth: Fix comment
Package-Manager: portage-2.3.3
sys-auth/docker_auth/files/docker_auth.confd | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-auth/docker_auth/files/docker_auth.confd b/sys-auth/docker_auth/files/docker_auth.confd
index 0a3a03d..9185f37 100644
--- a/sys-auth/docker_auth/files/docker_auth.confd
+++ b/sys-auth/docker_auth/files/docker_auth.confd
@@ -1,2 +1,2 @@
-# arguments for docker-registry
+# arguments for docker auth
command_args="/etc/docker_auth/config.yml"
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: sys-auth/docker_auth/files/
@ 2017-12-06 13:25 Michael Palimaka
0 siblings, 0 replies; 4+ messages in thread
From: Michael Palimaka @ 2017-12-06 13:25 UTC (permalink / raw
To: gentoo-commits
commit: 8f32aaece51aeeb7adaa038196d0c7870c0803f4
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Sat Dec 2 17:00:47 2017 +0000
Commit: Michael Palimaka <kensington <AT> gentoo <DOT> org>
CommitDate: Wed Dec 6 13:25:05 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f32aaec
sys-auth/docker_auth: remove unused patch
Closes: https://github.com/gentoo/gentoo/pull/6403
.../files/docker_auth-ldap-group-support.patch | 363 ---------------------
1 file changed, 363 deletions(-)
diff --git a/sys-auth/docker_auth/files/docker_auth-ldap-group-support.patch b/sys-auth/docker_auth/files/docker_auth-ldap-group-support.patch
deleted file mode 100644
index 69858872f49..00000000000
--- a/sys-auth/docker_auth/files/docker_auth-ldap-group-support.patch
+++ /dev/null
@@ -1,363 +0,0 @@
-From 4a33badac6b74617dfe3797a716a6907cf018b27 Mon Sep 17 00:00:00 2001
-From: Kevin <kcd83@users.noreply.github.com>
-Date: Mon, 27 Feb 2017 19:09:52 +1300
-Subject: [PATCH 1/3] Initial proof of concept mapping memberOf CN to the label
- groups #63
-
----
- auth_server/authn/ldap_auth.go | 73 ++++++++++++++++++++++++++++++++++--------
- 1 file changed, 60 insertions(+), 13 deletions(-)
-
-diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
-index f8fc08f..42f5ad0 100644
---- a/auth_server/authn/ldap_auth.go
-+++ b/auth_server/authn/ldap_auth.go
-@@ -17,7 +17,6 @@
- package authn
-
- import (
-- "bytes"
- "crypto/tls"
- "fmt"
- "io/ioutil"
-@@ -71,10 +70,20 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
- account = la.escapeAccountInput(account)
-
- filter := la.getFilter(account)
-- accountEntryDN, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &[]string{})
-+
-+ // dnAndGroupAttr := []string{"DN"} // example of no groups mapping attribute
-+ groupAttribute := "memberOf"
-+ dnAndGroupAttr := []string{"DN", groupAttribute}
-+
-+ entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &dnAndGroupAttr)
- if uSearchErr != nil {
- return false, nil, uSearchErr
- }
-+ if len(entryAttrMap) < 1 || entryAttrMap["DN"] == nil || len(entryAttrMap["DN"]) != 1 {
-+ return false, nil, NoMatch // User does not exist
-+ }
-+
-+ accountEntryDN := entryAttrMap["DN"][0]
- if accountEntryDN == "" {
- return false, nil, NoMatch // User does not exist
- }
-@@ -93,6 +102,20 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
- return false, nil, bindErr
- }
-
-+ // Extract group names from the attribute values
-+ if entryAttrMap[groupAttribute] != nil {
-+ rawGroups := entryAttrMap[groupAttribute]
-+ labels := make(map[string][]string)
-+ var groups []string
-+ for _, value := range rawGroups {
-+ cn := la.getCNFromDN(value)
-+ groups = append(groups, cn)
-+ }
-+ labels["groups"] = groups
-+
-+ return true, labels, nil
-+ }
-+
- return true, nil, nil
- }
-
-@@ -170,9 +193,9 @@ func (la *LDAPAuth) getFilter(account string) string {
-
- //ldap search and return required attributes' value from searched entries
- //default return entry's DN value if you leave attrs array empty
--func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (string, error) {
-+func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (map[string][]string, error) {
- if l == nil {
-- return "", fmt.Errorf("No ldap connection!")
-+ return nil, fmt.Errorf("No ldap connection!")
- }
- glog.V(2).Infof("Searching...basedDN:%s, filter:%s", *baseDN, *filter)
- searchRequest := ldap.NewSearchRequest(
-@@ -183,30 +206,54 @@ func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, att
- nil)
- sr, err := l.Search(searchRequest)
- if err != nil {
-- return "", err
-+ return nil, err
- }
-
- if len(sr.Entries) == 0 {
-- return "", nil // User does not exist
-+ return nil, nil // User does not exist
- } else if len(sr.Entries) > 1 {
-- return "", fmt.Errorf("Too many entries returned.")
-+ return nil, fmt.Errorf("Too many entries returned.")
- }
-
-- var buffer bytes.Buffer
-+ result := make(map[string][]string)
- for _, entry := range sr.Entries {
-+
- if len(*attrs) == 0 {
- glog.V(2).Infof("Entry DN = %s", entry.DN)
-- buffer.WriteString(entry.DN)
-+ result["DN"] = []string{entry.DN}
- } else {
- for _, attr := range *attrs {
-- values := strings.Join(entry.GetAttributeValues(attr), " ")
-- glog.V(2).Infof("Entry %s = %s", attr, values)
-- buffer.WriteString(values)
-+ var values []string
-+ if attr == "DN" {
-+ // DN is excluded from attributes
-+ values = []string{entry.DN}
-+ } else {
-+ values = entry.GetAttributeValues(attr)
-+ }
-+ valuesString := strings.Join(values, "\n")
-+ glog.V(2).Infof("Entry %s = %s", attr, valuesString)
-+ result[attr] = values
-+ }
-+ }
-+ }
-+
-+ return result, nil
-+}
-+
-+func (la *LDAPAuth) getCNFromDN(dn string) string {
-+ parsedDN, err := ldap.ParseDN(dn)
-+ if err != nil || len(parsedDN.RDNs) > 0 {
-+ for _, rdn := range parsedDN.RDNs {
-+ for _, rdnAttr := range rdn.Attributes {
-+ if rdnAttr.Type == "CN" {
-+ return rdnAttr.Value
-+ }
- }
- }
- }
-
-- return buffer.String(), nil
-+ // else try using raw DN
-+ return dn
- }
-
- func (la *LDAPAuth) Stop() {
-
-From ddde2fa779e746d7e74cd972a4c6795c72f17ee6 Mon Sep 17 00:00:00 2001
-From: Kevin <kcd83@users.noreply.github.com>
-Date: Tue, 28 Feb 2017 18:09:55 +1300
-Subject: [PATCH 2/3] Apply attribute mapping from configuration
-
----
- auth_server/authn/ldap_auth.go | 125 ++++++++++++++++++++++++-----------------
- 1 file changed, 74 insertions(+), 51 deletions(-)
-
-diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
-index 42f5ad0..6f733a2 100644
---- a/auth_server/authn/ldap_auth.go
-+++ b/auth_server/authn/ldap_auth.go
-@@ -26,16 +26,22 @@ import (
- "github.com/golang/glog"
- )
-
-+type LabelMap struct {
-+ Attribute string `yaml:"attribute,omitempty"`
-+ ParseCN bool `yaml:"parse_cn,omitempty"`
-+}
-+
- type LDAPAuthConfig struct {
-- Addr string `yaml:"addr,omitempty"`
-- TLS string `yaml:"tls,omitempty"`
-- InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"`
-- Base string `yaml:"base,omitempty"`
-- Filter string `yaml:"filter,omitempty"`
-- BindDN string `yaml:"bind_dn,omitempty"`
-- BindPasswordFile string `yaml:"bind_password_file,omitempty"`
-- GroupBaseDN string `yaml:"group_base_dn,omitempty"`
-- GroupFilter string `yaml:"group_filter,omitempty"`
-+ Addr string `yaml:"addr,omitempty"`
-+ TLS string `yaml:"tls,omitempty"`
-+ InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"`
-+ Base string `yaml:"base,omitempty"`
-+ Filter string `yaml:"filter,omitempty"`
-+ BindDN string `yaml:"bind_dn,omitempty"`
-+ BindPasswordFile string `yaml:"bind_password_file,omitempty"`
-+ LabelMaps map[string]LabelMap `yaml:"labels,omitempty"`
-+ GroupBaseDN string `yaml:"group_base_dn,omitempty"`
-+ GroupFilter string `yaml:"group_filter,omitempty"`
- }
-
- type LDAPAuth struct {
-@@ -71,22 +77,19 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
-
- filter := la.getFilter(account)
-
-- // dnAndGroupAttr := []string{"DN"} // example of no groups mapping attribute
-- groupAttribute := "memberOf"
-- dnAndGroupAttr := []string{"DN", groupAttribute}
-+ labelAttributes, labelsConfigErr := la.getLabelAttributes()
-+ if labelsConfigErr != nil {
-+ return false, nil, labelsConfigErr
-+ }
-
-- entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &dnAndGroupAttr)
-+ accountEntryDN, entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &labelAttributes)
- if uSearchErr != nil {
- return false, nil, uSearchErr
- }
-- if len(entryAttrMap) < 1 || entryAttrMap["DN"] == nil || len(entryAttrMap["DN"]) != 1 {
-- return false, nil, NoMatch // User does not exist
-- }
--
-- accountEntryDN := entryAttrMap["DN"][0]
- if accountEntryDN == "" {
- return false, nil, NoMatch // User does not exist
- }
-+
- // Bind as the user to verify their password
- if len(accountEntryDN) > 0 {
- err := l.Bind(accountEntryDN, string(password))
-@@ -102,21 +105,13 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
- return false, nil, bindErr
- }
-
-- // Extract group names from the attribute values
-- if entryAttrMap[groupAttribute] != nil {
-- rawGroups := entryAttrMap[groupAttribute]
-- labels := make(map[string][]string)
-- var groups []string
-- for _, value := range rawGroups {
-- cn := la.getCNFromDN(value)
-- groups = append(groups, cn)
-- }
-- labels["groups"] = groups
--
-- return true, labels, nil
-+ // Extract labels from the attribute values
-+ labels, labelsExtractErr := la.getLabelsFromMap(entryAttrMap)
-+ if labelsExtractErr != nil {
-+ return false, nil, labelsExtractErr
- }
-
-- return true, nil, nil
-+ return true, labels, nil
- }
-
- func (la *LDAPAuth) bindReadOnlyUser(l *ldap.Conn) error {
-@@ -193,9 +188,9 @@ func (la *LDAPAuth) getFilter(account string) string {
-
- //ldap search and return required attributes' value from searched entries
- //default return entry's DN value if you leave attrs array empty
--func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (map[string][]string, error) {
-+func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (string, map[string][]string, error) {
- if l == nil {
-- return nil, fmt.Errorf("No ldap connection!")
-+ return "", nil, fmt.Errorf("No ldap connection!")
- }
- glog.V(2).Infof("Searching...basedDN:%s, filter:%s", *baseDN, *filter)
- searchRequest := ldap.NewSearchRequest(
-@@ -206,38 +201,66 @@ func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, att
- nil)
- sr, err := l.Search(searchRequest)
- if err != nil {
-- return nil, err
-+ return "", nil, err
- }
-
- if len(sr.Entries) == 0 {
-- return nil, nil // User does not exist
-+ return "", nil, nil // User does not exist
- } else if len(sr.Entries) > 1 {
-- return nil, fmt.Errorf("Too many entries returned.")
-+ return "", nil, fmt.Errorf("Too many entries returned.")
- }
-
-- result := make(map[string][]string)
-+ attributes := make(map[string][]string)
-+ var entryDn string
- for _, entry := range sr.Entries {
--
-+ entryDn = entry.DN
- if len(*attrs) == 0 {
-- glog.V(2).Infof("Entry DN = %s", entry.DN)
-- result["DN"] = []string{entry.DN}
-+ glog.V(2).Infof("Entry DN = %s", entryDn)
- } else {
- for _, attr := range *attrs {
-- var values []string
-- if attr == "DN" {
-- // DN is excluded from attributes
-- values = []string{entry.DN}
-- } else {
-- values = entry.GetAttributeValues(attr)
-- }
-- valuesString := strings.Join(values, "\n")
-- glog.V(2).Infof("Entry %s = %s", attr, valuesString)
-- result[attr] = values
-+ values := entry.GetAttributeValues(attr)
-+ glog.V(2).Infof("Entry %s = %s", attr, strings.Join(values, "\n"))
-+ attributes[attr] = values
- }
- }
- }
-
-- return result, nil
-+ return entryDn, attributes, nil
-+}
-+
-+func (la *LDAPAuth) getLabelAttributes() ([]string, error) {
-+ labelAttributes := make([]string, len(la.config.LabelMaps))
-+ i := 0
-+ for key, mapping := range la.config.LabelMaps {
-+ if mapping.Attribute == "" {
-+ return nil, fmt.Errorf("Label %s is missing 'attribute' to map from", key)
-+ }
-+ labelAttributes[i] = mapping.Attribute
-+ i++
-+ }
-+ return labelAttributes, nil
-+}
-+
-+func (la *LDAPAuth) getLabelsFromMap(attrMap map[string][]string) (map[string][]string, error) {
-+ labels := make(map[string][]string)
-+ for key, mapping := range la.config.LabelMaps {
-+ if mapping.Attribute == "" {
-+ return nil, fmt.Errorf("Label %s is missing 'attribute' to map from", key)
-+ }
-+
-+ mappingValues := attrMap[mapping.Attribute]
-+ if mappingValues != nil {
-+ if mapping.ParseCN {
-+ // shorten attribute to its common name
-+ for i, value := range mappingValues {
-+ cn := la.getCNFromDN(value)
-+ mappingValues[i] = cn
-+ }
-+ }
-+ labels[key] = mappingValues
-+ }
-+ }
-+ return labels, nil
- }
-
- func (la *LDAPAuth) getCNFromDN(dn string) string {
-
-From cd37001980267a99a9faa19f1927891af63acb90 Mon Sep 17 00:00:00 2001
-From: Kevin <kcd83@users.noreply.github.com>
-Date: Tue, 28 Feb 2017 18:27:16 +1300
-Subject: [PATCH 3/3] Remove unused configuration fields, never implemented?
-
----
- auth_server/authn/ldap_auth.go | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
-index 6f733a2..9c8bcb8 100644
---- a/auth_server/authn/ldap_auth.go
-+++ b/auth_server/authn/ldap_auth.go
-@@ -40,8 +40,6 @@ type LDAPAuthConfig struct {
- BindDN string `yaml:"bind_dn,omitempty"`
- BindPasswordFile string `yaml:"bind_password_file,omitempty"`
- LabelMaps map[string]LabelMap `yaml:"labels,omitempty"`
-- GroupBaseDN string `yaml:"group_base_dn,omitempty"`
-- GroupFilter string `yaml:"group_filter,omitempty"`
- }
-
- type LDAPAuth struct {
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: sys-auth/docker_auth/files/
@ 2018-07-11 11:32 Tony Vroon
0 siblings, 0 replies; 4+ messages in thread
From: Tony Vroon @ 2018-07-11 11:32 UTC (permalink / raw
To: gentoo-commits
commit: 7e1fd280c0c89470fbcbc2c82756cfeb9132ba9a
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Sun Jul 8 08:56:52 2018 +0000
Commit: Tony Vroon <chainsaw <AT> gentoo <DOT> org>
CommitDate: Wed Jul 11 11:32:37 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e1fd280
sys-auth/docker_auth: remove unused patches
Closes: https://github.com/gentoo/gentoo/pull/9124
.../files/docker_auth-ldap-cacert.patch | 67 ----
.../files/docker_auth-ldap-group-support-1.patch | 394 ---------------------
2 files changed, 461 deletions(-)
diff --git a/sys-auth/docker_auth/files/docker_auth-ldap-cacert.patch b/sys-auth/docker_auth/files/docker_auth-ldap-cacert.patch
deleted file mode 100644
index e43e9e6ca88..00000000000
--- a/sys-auth/docker_auth/files/docker_auth-ldap-cacert.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 5505de31a91aea88e0cf623ec8edfd928b5432a7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Manuel=20R=C3=BCger?= <mrueg@gentoo.org>
-Date: Mon, 18 Sep 2017 14:02:38 +0200
-Subject: [PATCH] Set custom CA certificate for ldap cert verification
-
-Code taken from: https://github.com/hashicorp/go-rootcerts/blob/master/rootcerts.go
-Original author: Paul Hinze <phinze@phinze.com>
----
- auth_server/authn/ldap_auth.go | 17 ++++++++++++++++-
- examples/reference.yml | 2 ++
- 2 files changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
-index 3bdf7c3..a3425ed 100644
---- a/auth_server/authn/ldap_auth.go
-+++ b/auth_server/authn/ldap_auth.go
-@@ -19,6 +19,7 @@ package authn
- import (
- "bytes"
- "crypto/tls"
-+ "crypto/x509"
- "fmt"
- "io/ioutil"
- "strings"
-@@ -31,6 +32,7 @@ type LDAPAuthConfig struct {
- Addr string `yaml:"addr,omitempty"`
- TLS string `yaml:"tls,omitempty"`
- InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"`
-+ CACertificate string `yaml:"ca_certificate,omitempty"`
- Base string `yaml:"base,omitempty"`
- Filter string `yaml:"filter,omitempty"`
- BindDN string `yaml:"bind_dn,omitempty"`
-@@ -140,7 +142,20 @@ func (la *LDAPAuth) ldapConnection() (*ldap.Conn, error) {
- tlsConfig := &tls.Config{InsecureSkipVerify: true}
- if !la.config.InsecureTLSSkipVerify {
- addr := strings.Split(la.config.Addr, ":")
-- tlsConfig = &tls.Config{InsecureSkipVerify: false, ServerName: addr[0]}
-+ if la.config.CACertificate != "" {
-+ pool := x509.NewCertPool()
-+ pem, err := ioutil.ReadFile(la.config.CACertificate)
-+ if err != nil {
-+ return nil, fmt.Errorf("Error loading CA File: %s", err)
-+ }
-+ ok := pool.AppendCertsFromPEM(pem)
-+ if !ok {
-+ return nil, fmt.Errorf("Error loading CA File: Couldn't parse PEM in: %s", la.config.CACertificate)
-+ }
-+ tlsConfig = &tls.Config{InsecureSkipVerify: false, ServerName: addr[0], RootCAs: pool}
-+ } else {
-+ tlsConfig = &tls.Config{InsecureSkipVerify: false, ServerName: addr[0]}
-+ }
- }
-
- if la.config.TLS == "" || la.config.TLS == "none" || la.config.TLS == "starttls" {
-diff --git a/examples/reference.yml b/examples/reference.yml
-index 3090978..769cc91 100644
---- a/examples/reference.yml
-+++ b/examples/reference.yml
-@@ -131,6 +131,8 @@ ldap_auth:
- tls: always
- # set to true to allow insecure tls
- insecure_tls_skip_verify: false
-+ # set this to specify the ca certificate path
-+ ca_cert:
- # In case bind DN and password is required for querying user information,
- # specify them here. Plain text password is read from the file.
- bind_dn:
diff --git a/sys-auth/docker_auth/files/docker_auth-ldap-group-support-1.patch b/sys-auth/docker_auth/files/docker_auth-ldap-group-support-1.patch
deleted file mode 100644
index f9e98f410c8..00000000000
--- a/sys-auth/docker_auth/files/docker_auth-ldap-group-support-1.patch
+++ /dev/null
@@ -1,394 +0,0 @@
-From 4a33badac6b74617dfe3797a716a6907cf018b27 Mon Sep 17 00:00:00 2001
-From: Kevin <kcd83@users.noreply.github.com>
-Date: Mon, 27 Feb 2017 19:09:52 +1300
-Subject: [PATCH 1/4] Initial proof of concept mapping memberOf CN to the label
- groups #63
-
----
- auth_server/authn/ldap_auth.go | 73 ++++++++++++++++++++++++++++++++++--------
- 1 file changed, 60 insertions(+), 13 deletions(-)
-
-diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
-index f8fc08f..42f5ad0 100644
---- a/auth_server/authn/ldap_auth.go
-+++ b/auth_server/authn/ldap_auth.go
-@@ -17,7 +17,6 @@
- package authn
-
- import (
-- "bytes"
- "crypto/tls"
- "fmt"
- "io/ioutil"
-@@ -71,10 +70,20 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
- account = la.escapeAccountInput(account)
-
- filter := la.getFilter(account)
-- accountEntryDN, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &[]string{})
-+
-+ // dnAndGroupAttr := []string{"DN"} // example of no groups mapping attribute
-+ groupAttribute := "memberOf"
-+ dnAndGroupAttr := []string{"DN", groupAttribute}
-+
-+ entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &dnAndGroupAttr)
- if uSearchErr != nil {
- return false, nil, uSearchErr
- }
-+ if len(entryAttrMap) < 1 || entryAttrMap["DN"] == nil || len(entryAttrMap["DN"]) != 1 {
-+ return false, nil, NoMatch // User does not exist
-+ }
-+
-+ accountEntryDN := entryAttrMap["DN"][0]
- if accountEntryDN == "" {
- return false, nil, NoMatch // User does not exist
- }
-@@ -93,6 +102,20 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
- return false, nil, bindErr
- }
-
-+ // Extract group names from the attribute values
-+ if entryAttrMap[groupAttribute] != nil {
-+ rawGroups := entryAttrMap[groupAttribute]
-+ labels := make(map[string][]string)
-+ var groups []string
-+ for _, value := range rawGroups {
-+ cn := la.getCNFromDN(value)
-+ groups = append(groups, cn)
-+ }
-+ labels["groups"] = groups
-+
-+ return true, labels, nil
-+ }
-+
- return true, nil, nil
- }
-
-@@ -170,9 +193,9 @@ func (la *LDAPAuth) getFilter(account string) string {
-
- //ldap search and return required attributes' value from searched entries
- //default return entry's DN value if you leave attrs array empty
--func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (string, error) {
-+func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (map[string][]string, error) {
- if l == nil {
-- return "", fmt.Errorf("No ldap connection!")
-+ return nil, fmt.Errorf("No ldap connection!")
- }
- glog.V(2).Infof("Searching...basedDN:%s, filter:%s", *baseDN, *filter)
- searchRequest := ldap.NewSearchRequest(
-@@ -183,30 +206,54 @@ func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, att
- nil)
- sr, err := l.Search(searchRequest)
- if err != nil {
-- return "", err
-+ return nil, err
- }
-
- if len(sr.Entries) == 0 {
-- return "", nil // User does not exist
-+ return nil, nil // User does not exist
- } else if len(sr.Entries) > 1 {
-- return "", fmt.Errorf("Too many entries returned.")
-+ return nil, fmt.Errorf("Too many entries returned.")
- }
-
-- var buffer bytes.Buffer
-+ result := make(map[string][]string)
- for _, entry := range sr.Entries {
-+
- if len(*attrs) == 0 {
- glog.V(2).Infof("Entry DN = %s", entry.DN)
-- buffer.WriteString(entry.DN)
-+ result["DN"] = []string{entry.DN}
- } else {
- for _, attr := range *attrs {
-- values := strings.Join(entry.GetAttributeValues(attr), " ")
-- glog.V(2).Infof("Entry %s = %s", attr, values)
-- buffer.WriteString(values)
-+ var values []string
-+ if attr == "DN" {
-+ // DN is excluded from attributes
-+ values = []string{entry.DN}
-+ } else {
-+ values = entry.GetAttributeValues(attr)
-+ }
-+ valuesString := strings.Join(values, "\n")
-+ glog.V(2).Infof("Entry %s = %s", attr, valuesString)
-+ result[attr] = values
-+ }
-+ }
-+ }
-+
-+ return result, nil
-+}
-+
-+func (la *LDAPAuth) getCNFromDN(dn string) string {
-+ parsedDN, err := ldap.ParseDN(dn)
-+ if err != nil || len(parsedDN.RDNs) > 0 {
-+ for _, rdn := range parsedDN.RDNs {
-+ for _, rdnAttr := range rdn.Attributes {
-+ if rdnAttr.Type == "CN" {
-+ return rdnAttr.Value
-+ }
- }
- }
- }
-
-- return buffer.String(), nil
-+ // else try using raw DN
-+ return dn
- }
-
- func (la *LDAPAuth) Stop() {
-
-From ddde2fa779e746d7e74cd972a4c6795c72f17ee6 Mon Sep 17 00:00:00 2001
-From: Kevin <kcd83@users.noreply.github.com>
-Date: Tue, 28 Feb 2017 18:09:55 +1300
-Subject: [PATCH 2/4] Apply attribute mapping from configuration
-
----
- auth_server/authn/ldap_auth.go | 125 ++++++++++++++++++++++++-----------------
- 1 file changed, 74 insertions(+), 51 deletions(-)
-
-diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
-index 42f5ad0..6f733a2 100644
---- a/auth_server/authn/ldap_auth.go
-+++ b/auth_server/authn/ldap_auth.go
-@@ -26,16 +26,22 @@ import (
- "github.com/golang/glog"
- )
-
-+type LabelMap struct {
-+ Attribute string `yaml:"attribute,omitempty"`
-+ ParseCN bool `yaml:"parse_cn,omitempty"`
-+}
-+
- type LDAPAuthConfig struct {
-- Addr string `yaml:"addr,omitempty"`
-- TLS string `yaml:"tls,omitempty"`
-- InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"`
-- Base string `yaml:"base,omitempty"`
-- Filter string `yaml:"filter,omitempty"`
-- BindDN string `yaml:"bind_dn,omitempty"`
-- BindPasswordFile string `yaml:"bind_password_file,omitempty"`
-- GroupBaseDN string `yaml:"group_base_dn,omitempty"`
-- GroupFilter string `yaml:"group_filter,omitempty"`
-+ Addr string `yaml:"addr,omitempty"`
-+ TLS string `yaml:"tls,omitempty"`
-+ InsecureTLSSkipVerify bool `yaml:"insecure_tls_skip_verify,omitempty"`
-+ Base string `yaml:"base,omitempty"`
-+ Filter string `yaml:"filter,omitempty"`
-+ BindDN string `yaml:"bind_dn,omitempty"`
-+ BindPasswordFile string `yaml:"bind_password_file,omitempty"`
-+ LabelMaps map[string]LabelMap `yaml:"labels,omitempty"`
-+ GroupBaseDN string `yaml:"group_base_dn,omitempty"`
-+ GroupFilter string `yaml:"group_filter,omitempty"`
- }
-
- type LDAPAuth struct {
-@@ -71,22 +77,19 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
-
- filter := la.getFilter(account)
-
-- // dnAndGroupAttr := []string{"DN"} // example of no groups mapping attribute
-- groupAttribute := "memberOf"
-- dnAndGroupAttr := []string{"DN", groupAttribute}
-+ labelAttributes, labelsConfigErr := la.getLabelAttributes()
-+ if labelsConfigErr != nil {
-+ return false, nil, labelsConfigErr
-+ }
-
-- entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &dnAndGroupAttr)
-+ accountEntryDN, entryAttrMap, uSearchErr := la.ldapSearch(l, &la.config.Base, &filter, &labelAttributes)
- if uSearchErr != nil {
- return false, nil, uSearchErr
- }
-- if len(entryAttrMap) < 1 || entryAttrMap["DN"] == nil || len(entryAttrMap["DN"]) != 1 {
-- return false, nil, NoMatch // User does not exist
-- }
--
-- accountEntryDN := entryAttrMap["DN"][0]
- if accountEntryDN == "" {
- return false, nil, NoMatch // User does not exist
- }
-+
- // Bind as the user to verify their password
- if len(accountEntryDN) > 0 {
- err := l.Bind(accountEntryDN, string(password))
-@@ -102,21 +105,13 @@ func (la *LDAPAuth) Authenticate(account string, password PasswordString) (bool,
- return false, nil, bindErr
- }
-
-- // Extract group names from the attribute values
-- if entryAttrMap[groupAttribute] != nil {
-- rawGroups := entryAttrMap[groupAttribute]
-- labels := make(map[string][]string)
-- var groups []string
-- for _, value := range rawGroups {
-- cn := la.getCNFromDN(value)
-- groups = append(groups, cn)
-- }
-- labels["groups"] = groups
--
-- return true, labels, nil
-+ // Extract labels from the attribute values
-+ labels, labelsExtractErr := la.getLabelsFromMap(entryAttrMap)
-+ if labelsExtractErr != nil {
-+ return false, nil, labelsExtractErr
- }
-
-- return true, nil, nil
-+ return true, labels, nil
- }
-
- func (la *LDAPAuth) bindReadOnlyUser(l *ldap.Conn) error {
-@@ -193,9 +188,9 @@ func (la *LDAPAuth) getFilter(account string) string {
-
- //ldap search and return required attributes' value from searched entries
- //default return entry's DN value if you leave attrs array empty
--func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (map[string][]string, error) {
-+func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, attrs *[]string) (string, map[string][]string, error) {
- if l == nil {
-- return nil, fmt.Errorf("No ldap connection!")
-+ return "", nil, fmt.Errorf("No ldap connection!")
- }
- glog.V(2).Infof("Searching...basedDN:%s, filter:%s", *baseDN, *filter)
- searchRequest := ldap.NewSearchRequest(
-@@ -206,38 +201,66 @@ func (la *LDAPAuth) ldapSearch(l *ldap.Conn, baseDN *string, filter *string, att
- nil)
- sr, err := l.Search(searchRequest)
- if err != nil {
-- return nil, err
-+ return "", nil, err
- }
-
- if len(sr.Entries) == 0 {
-- return nil, nil // User does not exist
-+ return "", nil, nil // User does not exist
- } else if len(sr.Entries) > 1 {
-- return nil, fmt.Errorf("Too many entries returned.")
-+ return "", nil, fmt.Errorf("Too many entries returned.")
- }
-
-- result := make(map[string][]string)
-+ attributes := make(map[string][]string)
-+ var entryDn string
- for _, entry := range sr.Entries {
--
-+ entryDn = entry.DN
- if len(*attrs) == 0 {
-- glog.V(2).Infof("Entry DN = %s", entry.DN)
-- result["DN"] = []string{entry.DN}
-+ glog.V(2).Infof("Entry DN = %s", entryDn)
- } else {
- for _, attr := range *attrs {
-- var values []string
-- if attr == "DN" {
-- // DN is excluded from attributes
-- values = []string{entry.DN}
-- } else {
-- values = entry.GetAttributeValues(attr)
-- }
-- valuesString := strings.Join(values, "\n")
-- glog.V(2).Infof("Entry %s = %s", attr, valuesString)
-- result[attr] = values
-+ values := entry.GetAttributeValues(attr)
-+ glog.V(2).Infof("Entry %s = %s", attr, strings.Join(values, "\n"))
-+ attributes[attr] = values
- }
- }
- }
-
-- return result, nil
-+ return entryDn, attributes, nil
-+}
-+
-+func (la *LDAPAuth) getLabelAttributes() ([]string, error) {
-+ labelAttributes := make([]string, len(la.config.LabelMaps))
-+ i := 0
-+ for key, mapping := range la.config.LabelMaps {
-+ if mapping.Attribute == "" {
-+ return nil, fmt.Errorf("Label %s is missing 'attribute' to map from", key)
-+ }
-+ labelAttributes[i] = mapping.Attribute
-+ i++
-+ }
-+ return labelAttributes, nil
-+}
-+
-+func (la *LDAPAuth) getLabelsFromMap(attrMap map[string][]string) (map[string][]string, error) {
-+ labels := make(map[string][]string)
-+ for key, mapping := range la.config.LabelMaps {
-+ if mapping.Attribute == "" {
-+ return nil, fmt.Errorf("Label %s is missing 'attribute' to map from", key)
-+ }
-+
-+ mappingValues := attrMap[mapping.Attribute]
-+ if mappingValues != nil {
-+ if mapping.ParseCN {
-+ // shorten attribute to its common name
-+ for i, value := range mappingValues {
-+ cn := la.getCNFromDN(value)
-+ mappingValues[i] = cn
-+ }
-+ }
-+ labels[key] = mappingValues
-+ }
-+ }
-+ return labels, nil
- }
-
- func (la *LDAPAuth) getCNFromDN(dn string) string {
-
-From cd37001980267a99a9faa19f1927891af63acb90 Mon Sep 17 00:00:00 2001
-From: Kevin <kcd83@users.noreply.github.com>
-Date: Tue, 28 Feb 2017 18:27:16 +1300
-Subject: [PATCH 3/4] Remove unused configuration fields, never implemented?
-
----
- auth_server/authn/ldap_auth.go | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/auth_server/authn/ldap_auth.go b/auth_server/authn/ldap_auth.go
-index 6f733a2..9c8bcb8 100644
---- a/auth_server/authn/ldap_auth.go
-+++ b/auth_server/authn/ldap_auth.go
-@@ -40,8 +40,6 @@ type LDAPAuthConfig struct {
- BindDN string `yaml:"bind_dn,omitempty"`
- BindPasswordFile string `yaml:"bind_password_file,omitempty"`
- LabelMaps map[string]LabelMap `yaml:"labels,omitempty"`
-- GroupBaseDN string `yaml:"group_base_dn,omitempty"`
-- GroupFilter string `yaml:"group_filter,omitempty"`
- }
-
- type LDAPAuth struct {
-
-From 2fd43be4e5c2cfe177d9e1d36bcd1b29f4d6f262 Mon Sep 17 00:00:00 2001
-From: Kevin <kcd83@users.noreply.github.com>
-Date: Fri, 1 Sep 2017 22:50:19 +1200
-Subject: [PATCH 4/4] Add LDAP label map examples to the reference config
-
----
- examples/reference.yml | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/examples/reference.yml b/examples/reference.yml
-index b8bb08c..40c5762 100644
---- a/examples/reference.yml
-+++ b/examples/reference.yml
-@@ -134,6 +134,16 @@ ldap_auth:
- # User query settings. ${account} is expanded from auth request
- base: o=example.com
- filter: (&(uid=${account})(objectClass=person))
-+ # Labels can be mapped from LDAP attributes
-+ labels:
-+ # Add the user's title to a label called title
-+ title:
-+ attribute: title
-+ # Add the user's memberOf values to a label called groups
-+ groups:
-+ attribute: memberOf
-+ # Special handling to simplify the values to just the common name
-+ parse_cn: true
-
- mongo_auth:
- # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: sys-auth/docker_auth/files/
@ 2019-10-07 22:06 Zac Medico
0 siblings, 0 replies; 4+ messages in thread
From: Zac Medico @ 2019-10-07 22:06 UTC (permalink / raw
To: gentoo-commits
commit: aabc390f019a496de056014f5d51d20b9a05ba53
Author: Zac Medico <zmedico <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 7 22:05:01 2019 +0000
Commit: Zac Medico <zmedico <AT> gentoo <DOT> org>
CommitDate: Mon Oct 7 22:06:01 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aabc390f
sys-auth/docker_auth: sync confd command_args with init script
Package-Manager: Portage-2.3.76, Repoman-2.3.17
Signed-off-by: Zac Medico <zmedico <AT> gentoo.org>
sys-auth/docker_auth/files/docker_auth.confd | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-auth/docker_auth/files/docker_auth.confd b/sys-auth/docker_auth/files/docker_auth.confd
index 9185f376b0d..096572cd845 100644
--- a/sys-auth/docker_auth/files/docker_auth.confd
+++ b/sys-auth/docker_auth/files/docker_auth.confd
@@ -1,2 +1,2 @@
# arguments for docker auth
-command_args="/etc/docker_auth/config.yml"
+command_args="--log_dir /var/log/${RC_SVCNAME} /etc/docker_auth/config.yml"
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-10-07 22:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-10-07 22:06 [gentoo-commits] repo/gentoo:master commit in: sys-auth/docker_auth/files/ Zac Medico
-- strict thread matches above, loose matches on Subject: below --
2018-07-11 11:32 Tony Vroon
2017-12-06 13:25 Michael Palimaka
2016-12-25 13:08 Manuel Rüger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox