Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 71a21c769369d013972d8dd0a71b83bee3e6848e / . / cluster / prodvider / service.go
blob: 5635ac22748891aa15d1d404bbb3aaf2e556cbd7 [file] [log] [blame]
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]1package main
2
3import (
4 "context"
5 "crypto/tls"
6 "fmt"
7 "regexp"
8 "strings"
9
10 "github.com/golang/glog"
11 "google.golang.org/grpc/codes"
12 "google.golang.org/grpc/status"
13 ldap "gopkg.in/ldap.v3"
14
15 pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
16)
17
18var (
19 reUsername = regexp.MustCompile(`^[a-zA-Z0-9_\.]+$`)
20)
21
22func (p *prodvider) Authenticate(ctx context.Context, req *pb.AuthenticateRequest) (*pb.AuthenticateResponse, error) {
23 username := strings.TrimSpace(req.Username)
24 if username == "" || !reUsername.MatchString(username) {
25 return nil, status.Error(codes.InvalidArgument, "invalid username")
26 }
27
28 password := req.Password
29 if password == "" {
30 return &pb.AuthenticateResponse{
31 Result: pb.AuthenticateResponse_RESULT_INVALID_CREDENTIALS,
32 }, nil
33 }
34
35 tlsConfig := &tls.Config{}
36 lconn, err := ldap.DialTLS("tcp", flagLDAPServer, tlsConfig)
37 if err != nil {
38 glog.Errorf("ldap.DialTLS: %v", err)
39 return nil, status.Error(codes.Unavailable, "could not context LDAP")
40 }
41
42 dn := fmt.Sprintf(flagLDAPBindDN, username)
43 err = lconn.Bind(dn, password)
44
45 if err != nil {
46 if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) {
47 return &pb.AuthenticateResponse{
48 Result: pb.AuthenticateResponse_RESULT_INVALID_CREDENTIALS,
49 }, nil
50 }
51
52 glog.Errorf("ldap.Bind: %v", err)
53 return nil, status.Error(codes.Unavailable, "could not query LDAP")
54 }
55
56 groups, err := p.groupMemberships(lconn, username)
57 if err != nil {
58 return nil, err
59 }
60
61 if !groups["kubernetes-users"] && !groups["staff"] {
62 return nil, status.Error(codes.PermissionDenied, "not part of staff or kubernetes-users")
63 }
64
65 err = p.kubernetesSetupUser(username)
66 if err != nil {
67 glog.Errorf("kubernetesSetupUser(%v): %v", username, err)
68 return nil, status.Error(codes.Unavailable, "could not set up objects in Kubernetes")
69 }
70
71 keys, err := p.kubernetesCreds(username)
72 if err != nil {
73 glog.Errorf("kubernetesCreds(%q): %v", username, err)
74 return nil, status.Error(codes.Unavailable, "could not generate k8s keys")
75 }
76 return &pb.AuthenticateResponse{
77 Result: pb.AuthenticateResponse_RESULT_AUTHENTICATED,
78 KubernetesKeys: keys,
79 }, nil
80}
81
82func (p *prodvider) groupMemberships(lconn *ldap.Conn, username string) (map[string]bool, error) {
83 searchRequest := ldap.NewSearchRequest(
84 flagLDAPGroupSearchBase,
85 ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
86 fmt.Sprintf("(uniqueMember=%s)", fmt.Sprintf(flagLDAPBindDN, username)),
87 []string{"dn", "cn"},
88 nil,
89 )
90
91 sr, err := lconn.Search(searchRequest)
92 if err != nil {
93 glog.Errorf("ldap.Search: %v", err)
94 return nil, status.Error(codes.Unavailable, "could not query LDAP for group")
95 }
96
97 res := make(map[string]bool)
98 for _, entry := range sr.Entries {
99 cn := entry.GetAttributeValue("cn")
100 res[cn] = true
101 }
102
103 return res, nil
104}