| package main |
| |
| import ( |
| "context" |
| "crypto/tls" |
| "fmt" |
| "regexp" |
| "strings" |
| |
| "github.com/golang/glog" |
| "google.golang.org/grpc/codes" |
| "google.golang.org/grpc/status" |
| ldap "gopkg.in/ldap.v3" |
| |
| pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto" |
| ) |
| |
| var ( |
| reUsername = regexp.MustCompile(`^[a-zA-Z0-9_\.]+$`) |
| ) |
| |
| func (p *prodvider) Authenticate(ctx context.Context, req *pb.AuthenticateRequest) (*pb.AuthenticateResponse, error) { |
| username := strings.TrimSpace(req.Username) |
| if username == "" || !reUsername.MatchString(username) { |
| return nil, status.Error(codes.InvalidArgument, "invalid username") |
| } |
| |
| password := req.Password |
| if password == "" { |
| return &pb.AuthenticateResponse{ |
| Result: pb.AuthenticateResponse_RESULT_INVALID_CREDENTIALS, |
| }, nil |
| } |
| |
| tlsConfig := &tls.Config{} |
| lconn, err := ldap.DialTLS("tcp", flagLDAPServer, tlsConfig) |
| if err != nil { |
| glog.Errorf("ldap.DialTLS: %v", err) |
| return nil, status.Error(codes.Unavailable, "could not context LDAP") |
| } |
| defer lconn.Close() |
| |
| dn := fmt.Sprintf(flagLDAPBindDN, username) |
| err = lconn.Bind(dn, password) |
| |
| if err != nil { |
| if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) { |
| return &pb.AuthenticateResponse{ |
| Result: pb.AuthenticateResponse_RESULT_INVALID_CREDENTIALS, |
| }, nil |
| } |
| |
| glog.Errorf("ldap.Bind: %v", err) |
| return nil, status.Error(codes.Unavailable, "could not query LDAP") |
| } |
| |
| groups, err := p.groupMemberships(lconn, username) |
| if err != nil { |
| return nil, err |
| } |
| |
| if !groups["kubernetes-users"] && !groups["staff"] { |
| return nil, status.Error(codes.PermissionDenied, "not part of staff or kubernetes-users") |
| } |
| |
| err = p.kubernetesSetupUser(ctx, username) |
| if err != nil { |
| glog.Errorf("kubernetesSetupUser(%v): %v", username, err) |
| return nil, status.Error(codes.Unavailable, "could not set up objects in Kubernetes") |
| } |
| |
| kubernetesKeys, err := p.kubernetesCreds(username) |
| if err != nil { |
| glog.Errorf("kubernetesCreds(%q): %v", username, err) |
| return nil, status.Error(codes.Unavailable, "could not generate k8s keys") |
| } |
| |
| hspkiKeys, err := p.hspkiCreds(ctx, username) |
| if err != nil { |
| glog.Errorf("hspkiCreds(%q): %v", username, err) |
| return nil, status.Error(codes.Unavailable, "could not generate hspki keys") |
| } |
| |
| return &pb.AuthenticateResponse{ |
| Result: pb.AuthenticateResponse_RESULT_AUTHENTICATED, |
| KubernetesKeys: kubernetesKeys, |
| HspkiKeys: hspkiKeys, |
| }, nil |
| } |
| |
| func (p *prodvider) groupMemberships(lconn *ldap.Conn, username string) (map[string]bool, error) { |
| searchRequest := ldap.NewSearchRequest( |
| flagLDAPGroupSearchBase, |
| ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, |
| fmt.Sprintf("(uniqueMember=%s)", fmt.Sprintf(flagLDAPBindDN, username)), |
| []string{"dn", "cn"}, |
| nil, |
| ) |
| |
| sr, err := lconn.Search(searchRequest) |
| if err != nil { |
| glog.Errorf("ldap.Search: %v", err) |
| return nil, status.Error(codes.Unavailable, "could not query LDAP for group") |
| } |
| |
| res := make(map[string]bool) |
| for _, entry := range sr.Entries { |
| cn := entry.GetAttributeValue("cn") |
| res[cn] = true |
| } |
| |
| return res, nil |
| } |