blob: 160f260852d071d5e76a652b38f74a8f48a047de [file] [log] [blame]
package main
import (
"context"
"crypto/tls"
"fmt"
"regexp"
"strings"
"github.com/golang/glog"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
ldap "gopkg.in/ldap.v3"
pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
)
var (
reUsername = regexp.MustCompile(`^[a-zA-Z0-9_\.]+$`)
)
func (p *prodvider) Authenticate(ctx context.Context, req *pb.AuthenticateRequest) (*pb.AuthenticateResponse, error) {
username := strings.TrimSpace(req.Username)
if username == "" || !reUsername.MatchString(username) {
return nil, status.Error(codes.InvalidArgument, "invalid username")
}
password := req.Password
if password == "" {
return &pb.AuthenticateResponse{
Result: pb.AuthenticateResponse_RESULT_INVALID_CREDENTIALS,
}, nil
}
tlsConfig := &tls.Config{}
lconn, err := ldap.DialTLS("tcp", flagLDAPServer, tlsConfig)
if err != nil {
glog.Errorf("ldap.DialTLS: %v", err)
return nil, status.Error(codes.Unavailable, "could not context LDAP")
}
defer lconn.Close()
dn := fmt.Sprintf(flagLDAPBindDN, username)
err = lconn.Bind(dn, password)
if err != nil {
if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) {
return &pb.AuthenticateResponse{
Result: pb.AuthenticateResponse_RESULT_INVALID_CREDENTIALS,
}, nil
}
glog.Errorf("ldap.Bind: %v", err)
return nil, status.Error(codes.Unavailable, "could not query LDAP")
}
groups, err := p.groupMemberships(lconn, username)
if err != nil {
return nil, err
}
if !groups["kubernetes-users"] && !groups["staff"] {
return nil, status.Error(codes.PermissionDenied, "not part of staff or kubernetes-users")
}
err = p.kubernetesSetupUser(ctx, username)
if err != nil {
glog.Errorf("kubernetesSetupUser(%v): %v", username, err)
return nil, status.Error(codes.Unavailable, "could not set up objects in Kubernetes")
}
kubernetesKeys, err := p.kubernetesCreds(username)
if err != nil {
glog.Errorf("kubernetesCreds(%q): %v", username, err)
return nil, status.Error(codes.Unavailable, "could not generate k8s keys")
}
hspkiKeys, err := p.hspkiCreds(ctx, username)
if err != nil {
glog.Errorf("hspkiCreds(%q): %v", username, err)
return nil, status.Error(codes.Unavailable, "could not generate hspki keys")
}
return &pb.AuthenticateResponse{
Result: pb.AuthenticateResponse_RESULT_AUTHENTICATED,
KubernetesKeys: kubernetesKeys,
HspkiKeys: hspkiKeys,
}, nil
}
func (p *prodvider) groupMemberships(lconn *ldap.Conn, username string) (map[string]bool, error) {
searchRequest := ldap.NewSearchRequest(
flagLDAPGroupSearchBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(uniqueMember=%s)", fmt.Sprintf(flagLDAPBindDN, username)),
[]string{"dn", "cn"},
nil,
)
sr, err := lconn.Search(searchRequest)
if err != nil {
glog.Errorf("ldap.Search: %v", err)
return nil, status.Error(codes.Unavailable, "could not query LDAP for group")
}
res := make(map[string]bool)
for _, entry := range sr.Entries {
cn := entry.GetAttributeValue("cn")
res[cn] = true
}
return res, nil
}