Update LDAP TLS SE with v2 service extension format (#33)

* Update LDAP TLS SE with v2 service extension format --------- Signed-off-by: Warren Fernandes <[email protected]>
strata-io · Nov 15, 2023 · 84f4e67 · 84f4e67
1 parent c2d47b2
commit 84f4e67
Show file tree

Hide file tree

Showing 4 changed files with 162 additions and 34 deletions.
diff --git a/ldap-tls/auth.go b/ldap-tls/auth.go
@@ -3,76 +3,114 @@ package main
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
 	"fmt"
 	"net/http"
 
-	"maverics/app"
-	"maverics/ldap"
-	"maverics/log"
-	"maverics/secret"
-	"maverics/session"
-)
-
-const (
-	idpName          = "ldap"
-	ldapURL          = "ldap://ldap.examples.com"
-	ldapServerName   = "ldap.examples.com"
-	ldapBaseDN       = "ou=People,dc=examples,dc=com"
-	ldapCASecretName = "ldapCA"
+	ldap3 "github.com/go-ldap/ldap/v3"
+	"github.com/strata-io/service-extension/orchestrator"
 )
 
 // IsAuthenticated determines if the user has been authenticated.
-func IsAuthenticated(ag *app.AppGateway, rw http.ResponseWriter, req *http.Request) bool {
-	log.Debug("se", "determining if user is authenticated")
+func IsAuthenticated(api orchestrator.Orchestrator, _ http.ResponseWriter, _ *http.Request) bool {
+	logger := api.Logger()
+	session, err := api.Session()
+	if err != nil {
+		logger.Error("se", "unable to retrieve session", "error", err.Error())
+		return false
+	}
+	metadata := api.Metadata()
+	idpName := metadata["idpName"].(string)
 
-	if session.GetString(req, fmt.Sprintf("%s.authenticated", idpName)) == "true" {
+	logger.Debug("se", "determining if user is authenticated")
+
+	isAuthenticated, err := session.GetString(fmt.Sprintf("%s.authenticated", idpName))
+	if err != nil {
+		logger.Error(
+			"se", fmt.Sprintf("unable to retrieve session value '%s.authenticated'", idpName),
+			"error", err.Error(),
+		)
+		return false
+	}
+	if isAuthenticated == "true" {
 		return true
 	}
 
 	return false
 }
 
 // Authenticate authenticates the user against the IDP.
-func Authenticate(ag *app.AppGateway, rw http.ResponseWriter, req *http.Request) error {
+func Authenticate(api orchestrator.Orchestrator, rw http.ResponseWriter, req *http.Request) {
+	logger := api.Logger()
+	session, err := api.Session()
+	if err != nil {
+		logger.Error("se", "unable to retrieve session", "error", err.Error())
+		http.Error(rw, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		return
+	}
+	secretProvider, err := api.SecretProvider()
+	if err != nil {
+		logger.Error("se", "unable to retrieve secret provider", "error", err.Error())
+		http.Error(rw, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		return
+	}
+	metadata := api.Metadata()
+	idpName := metadata["idpName"].(string)
+	ldapURL := metadata["ldapURL"].(string)
+	ldapServerName := metadata["ldapServerName"].(string)
+	ldapBaseDN := metadata["ldapBaseDN"].(string)
+	ldapCASecretName := metadata["ldapCASecretName"].(string)
+
 	username, password, ok := req.BasicAuth()
 	if !ok {
-		log.Error("se", "unable to read basic auth headers")
-		return errors.New("unable to read basic auth headers")
+		logger.Error("se", "unable to read basic auth headers")
+		http.Error(rw, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
 	}
 
-	log.Info(
+	logger.Info(
 		"se", "logging user in",
 		"req", req.URL.String(),
 		"username", username,
 	)
 	certPool, err := x509.SystemCertPool()
 	if err != nil {
-		return fmt.Errorf("unable to load system cert pool: %w", err)
+		logger.Error("se", "unable to load system cert pool", "error", err.Error())
+		http.Error(rw, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		return
 	}
-	ldapCACert := secret.GetString(ldapCASecretName)
+	ldapCACert := secretProvider.GetString(ldapCASecretName)
 	certPool.AppendCertsFromPEM([]byte(ldapCACert))
 	tlsCfg := &tls.Config{
 		ServerName: ldapServerName,
 		RootCAs:    certPool,
 	}
 
-	conn, err := ldap.DialURL(ldapURL, ldap.DialWithTLSConfig(tlsCfg))
+	conn, err := ldap3.DialURL(ldapURL, ldap3.DialWithTLSConfig(tlsCfg))
 	if err != nil {
-		return fmt.Errorf("unable to do ldap dial: %w", err)
+		logger.Error("se", "unable to do ldap dial", "error", err.Error())
+		http.Error(rw, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		return
 	}
 	defer conn.Close()
 
 	usernameKey := fmt.Sprintf("uid=%s,%s", username, ldapBaseDN)
 	err = conn.Bind(usernameKey, password)
 	if err != nil {
-		return fmt.Errorf("unable to do ldap bind: %w", err)
+		logger.Error("se", "unable to do ldap bind", "error", err.Error())
+		http.Error(rw, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		return
+	}
+
+	_ = session.SetString(fmt.Sprintf("%s.authenticated", idpName), "true")
+	_ = session.SetString(fmt.Sprintf("%s.cn", idpName), username)
+
+	err = session.Save()
+	if err != nil {
+		logger.Error("se", "unable to save session", "error", err.Error())
+		http.Error(rw, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		return
 	}
-	session.Set(req, fmt.Sprintf("%s.authenticated", idpName), "true")
-	session.Set(req, fmt.Sprintf("%s.cn", idpName), username)
-	log.Info("se", "user authenticated", "username", username)
-	return nil
 
-	log.Info("se", "successfully authenticated", "username", username)
-	return nil
+	logger.Info("se", "user successfully authenticated", "username", username)
+	return
 }
diff --git a/ldap-tls/go.mod b/ldap-tls/go.mod
@@ -0,0 +1,15 @@
+module github.com/strata-io/strata-service-extension-examples/ldap-tls
+
+go 1.20
+
+require (
+	github.com/go-ldap/ldap/v3 v3.4.6
+	github.com/strata-io/service-extension v0.4.0
+)
+
+require (
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
+	github.com/google/uuid v1.3.1 // indirect
+	golang.org/x/crypto v0.13.0 // indirect
+)
diff --git a/ldap-tls/go.sum b/ldap-tls/go.sum
@@ -0,0 +1,65 @@
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
+github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
+github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/strata-io/service-extension v0.4.0 h1:EBncLpV41HkUpVRStbF+F+YE89u6srqXjInqdZDMtuM=
+github.com/strata-io/service-extension v0.4.0/go.mod h1:AXZz5Rjl5A2KieMuDy9zwsUZlg7PtR1IBeHYuAijb/o=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/ldap-tls/maverics.yaml b/ldap-tls/maverics.yaml
@@ -15,9 +15,11 @@ http:
 logger:
   level: debug
 
-appgateways:
+apps:
   - name: exampleLDAPTLS
-    basePath: /
+    type: proxy
+    routePatterns:
+      - /
     # The 'upstream' used here is purely for demonstration and can be replaced with
     # any URL that is resolvable from the machine the Orchestrator is running on.
     upstream: https://cylog.org
@@ -33,8 +35,16 @@ appgateways:
           isAuthenticatedSE:
             funcName: IsAuthenticated
             file: /etc/maverics/extensions/auth.go
+            metadata:
+              idpName: "ldap"
           authenticateSE:
             funcName: Authenticate
             file: /etc/maverics/extensions/auth.go
+            metadata:
+              idpName: "ldap"
+              ldapURL: "ldap://ldap.examples.com"
+              ldapServerName: "ldap.examples.com"
+              ldapBaseDN: "ou=People,dc=examples,dc=com"
+              ldapCASecretName: "ldapCA"
         authorization:
           allowAll: true