From ff57d31fdbf69c07f99380089cdf3658a285bdb8 Mon Sep 17 00:00:00 2001
From: Warren Fernandes <warren@strata.io>
Date: Wed, 15 Nov 2023 10:43:26 -0700
Subject: [PATCH] Update LDAP Search SE with updated service extension format
 (#32)

Signed-off-by: Warren Fernandes <warren@strata.io>
---
 ldap-search/go.mod        | 15 +++++++
 ldap-search/go.sum        | 65 +++++++++++++++++++++++++++++
 ldap-search/loadAttrs.go  | 87 +++++++++++++++++++++------------------
 ldap-search/maverics.yaml | 14 +++++--
 4 files changed, 139 insertions(+), 42 deletions(-)
 create mode 100644 ldap-search/go.mod
 create mode 100644 ldap-search/go.sum

diff --git a/ldap-search/go.mod b/ldap-search/go.mod
new file mode 100644
index 0000000..992da6b
--- /dev/null
+++ b/ldap-search/go.mod
@@ -0,0 +1,15 @@
+module github.com/strata-io/strata-service-extension-examples/ldap-search
+
+go 1.20
+
+require (
+	github.com/go-ldap/ldap/v3 v3.4.6
+	github.com/strata-io/service-extension v0.4.0
+)
+
+require (
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
+	github.com/google/uuid v1.3.1 // indirect
+	golang.org/x/crypto v0.13.0 // indirect
+)
diff --git a/ldap-search/go.sum b/ldap-search/go.sum
new file mode 100644
index 0000000..33aebc7
--- /dev/null
+++ b/ldap-search/go.sum
@@ -0,0 +1,65 @@
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
+github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
+github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
+github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/strata-io/service-extension v0.4.0 h1:EBncLpV41HkUpVRStbF+F+YE89u6srqXjInqdZDMtuM=
+github.com/strata-io/service-extension v0.4.0/go.mod h1:AXZz5Rjl5A2KieMuDy9zwsUZlg7PtR1IBeHYuAijb/o=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/ldap-search/loadAttrs.go b/ldap-search/loadAttrs.go
index ee79ef0..9f0883a 100644
--- a/ldap-search/loadAttrs.go
+++ b/ldap-search/loadAttrs.go
@@ -8,36 +8,41 @@ import (
 	"net/http"
 	"strings"
 
-	"maverics/app"
-	"maverics/ldap"
-	"maverics/log"
-	"maverics/secret"
-	"maverics/session"
-)
-
-const (
-	// TODO: Adjust these values based on your LDAP configuration.
-	ldapServerName = "ldap.examples.com"
-	ldapBaseDN     = "dc=examples,dc=com"
-	ldapFilterFmt  = "(&(uniquemember=uid=%s,ou=People,dc=examples,dc=com))"
-
-	delimiter = ","
+	ldap3 "github.com/go-ldap/ldap/v3"
+	"github.com/strata-io/service-extension/orchestrator"
+	"github.com/strata-io/service-extension/secret"
 )
 
 // LoadAttrs loads attributes from LDAP and then stores them on the session for later
 // use.
-func LoadAttrs(_ *app.AppGateway, _ http.ResponseWriter, req *http.Request) error {
-	log.Debug("se", "loading attributes from LDAP")
+func LoadAttrs(api orchestrator.Orchestrator, _ http.ResponseWriter, _ *http.Request) error {
+	logger := api.Logger()
+	session, err := api.Session()
+	if err != nil {
+		return fmt.Errorf("unable to retrieve session: %w", err)
+	}
+	secretProvider, err := api.SecretProvider()
+	if err != nil {
+		return fmt.Errorf("unable to get secret provider: %w", err)
+	}
+
+	metadata := api.Metadata()
+	ldapServerName := metadata["ldapServerName"].(string)
+	ldapBaseDN := metadata["ldapBaseDN"].(string)
+	ldapFilterFmt := metadata["ldapFilterFmt"].(string)
+	delimiter := metadata["delimiter"].(string)
 
-	uid := session.GetString(req, "azure.email")
-	if uid == "" {
-		return fmt.Errorf("unable to get uid from session")
+	logger.Info("se", "loading attributes from LDAP")
+
+	uid, err := session.GetString("azure.email")
+	if err != nil {
+		return fmt.Errorf("failed to find user email required for LDAP query: %w", err)
 	}
+
 	filter := fmt.Sprintf(ldapFilterFmt, uid)
-	groupsMap, err := getGroups(ldapBaseDN, filter)
+	groupsMap, err := getGroups(ldapServerName, ldapBaseDN, filter, secretProvider)
 	if err != nil {
-		log.Error("se", "unable to get groups", "error", err.Error())
-		return err
+		return fmt.Errorf("unable to get groups: %w", err)
 	}
 
 	groups := make([]string, 0, len(groupsMap))
@@ -46,28 +51,34 @@ func LoadAttrs(_ *app.AppGateway, _ http.ResponseWriter, req *http.Request) erro
 	}
 
 	list := strings.Join(groups, delimiter)
-	log.Debug(
+	logger.Debug(
 		"se", "setting groups attribute on session",
 		"se.groups", list,
 	)
 
-	session.Set(req, "se.groups", list)
+	err = session.SetString("se.groups", list)
+	if err != nil {
+		return fmt.Errorf("unable to set 'se.groups' in session: %w", err)
+	}
+	err = session.Save()
+	if err != nil {
+		return fmt.Errorf("unable to save session: %w", err)
+	}
 
 	return nil
 }
 
 // getGroups will search the LDAP ldapBaseDN using the provided filter and return a
 // list of unique groups.
-func getGroups(baseDN, filter string) (map[string]struct{}, error) {
-	ldapURL := fmt.Sprintf("ldap://%s", ldapServerName)
-	log.Info("se", "dialing to ldap over tcp", "url", ldapURL)
-	conn, err := ldap.DialURL(ldapURL)
+func getGroups(serverName, baseDN, filter string, secretP secret.Provider) (map[string]struct{}, error) {
+	ldapURL := fmt.Sprintf("ldap://%s", serverName)
+	conn, err := ldap3.DialURL(ldapURL)
 	if err != nil {
-		return nil, fmt.Errorf("unable to dial ldap: %w", err)
+		return nil, fmt.Errorf("unable to dial ldap3: %w", err)
 	}
 	defer conn.Close()
 
-	caCert := secret.GetString("ldapCACert")
+	caCert := secretP.GetString("ldapCACert")
 	certPool, err := x509.SystemCertPool()
 	if err != nil {
 		return nil, fmt.Errorf("unable to get system cert pool: %w", err)
@@ -78,36 +89,34 @@ func getGroups(baseDN, filter string) (map[string]struct{}, error) {
 	}
 	err = conn.StartTLS(&tls.Config{
 		RootCAs:    certPool,
-		ServerName: ldapServerName,
+		ServerName: serverName,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("unable to start tls: %w", err)
 	}
 
-	serviceAccountUsername := secret.GetString("serviceAccountUsername")
-	serviceAccountPassword := secret.GetString("serviceAccountPassword")
+	serviceAccountUsername := secretP.GetString("serviceAccountUsername")
+	serviceAccountPassword := secretP.GetString("serviceAccountPassword")
 	err = conn.Bind(serviceAccountUsername, serviceAccountPassword)
 	if err != nil {
-		return nil, fmt.Errorf("unable to bind ldap: %w", err)
+		return nil, fmt.Errorf("unable to bind ldap3: %w", err)
 	}
 
-	searchReq := ldap.NewSearchRequest(
+	searchReq := ldap3.NewSearchRequest(
 		baseDN, // The base dn to search
-		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		ldap3.ScopeWholeSubtree, ldap3.NeverDerefAliases, 0, 0, false,
 		filter,         // The filter to apply
 		[]string{"cn"}, // A list attributes to retrieve
 		nil,
 	)
 	searchResult, err := conn.Search(searchReq)
 	if err != nil {
-		return nil, fmt.Errorf("unable to search ldap: %w", err)
+		return nil, fmt.Errorf("unable to search ldap3: %w", err)
 	}
 
 	groups := make(map[string]struct{})
 	for _, entry := range searchResult.Entries {
 		groups[entry.GetAttributeValue("cn")] = struct{}{}
-
-		fmt.Printf("%s: %v\n", entry.DN, entry.GetAttributeValue("cn"))
 	}
 
 	return groups, nil
diff --git a/ldap-search/maverics.yaml b/ldap-search/maverics.yaml
index 7d85897..cae38bb 100644
--- a/ldap-search/maverics.yaml
+++ b/ldap-search/maverics.yaml
@@ -15,20 +15,28 @@ http:
 logger:
   level: debug
 
-appgateways:
+apps:
   - name: exampleLDAPSearchLoadAttrs
-    basePath: /
+    type: proxy
+    routePatterns:
+      - /
     # The 'upstream' used here is purely for demonstration and can be replaced with
     # any URL that is resolvable from the machine the Orchestrator is running on.
     upstream: https://cylog.org
     headers:
-      EXAMPLE-GROUPS: se.groups
+      - name: EXAMPLE-GROUPS
+        value: "{{ se.groups }}"
 
     loadAttrsSE:
       # It is assumed the loadAttrs.go Service Extension file resides in the
       # '/etc/maverics/extensions' directory. To change that, update the 'file' field below.
       funcName: LoadAttrs
       file: /etc/maverics/extensions/loadAttrs.go
+      metadata:
+        ldapServerName: "ldap3.examples.com"
+        ldapBaseDN: "dc=examples,dc=com"
+        ldapFilterFmt: "(&(uniquemember=uid=%s,ou=People,dc=examples,dc=com))"
+        delimiter: ","
 
     policies:
       - location: ~ \.(jpg|png|ico|svg|ttf|js|css|gif)$