open-vault/builtin/credential/ldap/path_config.go

package ldap

import (
	"fmt"
	"net"
	"net/url"
	"strings"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
	"github.com/vanackere/ldap"
)

func pathConfig(b *backend) *framework.Path {
	return &framework.Path{
		Pattern: `config`,
		Fields: map[string]*framework.FieldSchema{
			"url": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "ldap URL to connect to (default: ldap://127.0.0.1)",
			},
			"userdn": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)",
			},
			"groupdn": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "LDAP domain to use for groups (eg: ou=Groups,dc=example,dc=org)",
			},
			"userattr": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Attribute used for users (default: cn)",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.ReadOperation:  b.pathConfigRead,
			logical.WriteOperation: b.pathConfigWrite,
		},

		HelpSynopsis:    pathConfigHelpSyn,
		HelpDescription: pathConfigHelpDesc,
	}
}

func (b *backend) Config(req *logical.Request) (*ConfigEntry, error) {
	entry, err := req.Storage.Get("config")
	if err != nil {
		return nil, err
	}
	if entry == nil {
		return nil, nil
	}
	var result ConfigEntry
	result.SetDefaults()
	if err := entry.DecodeJSON(&result); err != nil {
		return nil, err
	}
	return &result, nil
}

func (b *backend) pathConfigRead(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {

	cfg, err := b.Config(req)
	if err != nil {
		return nil, err
	}
	if cfg == nil {
		return nil, nil
	}

	return &logical.Response{
		Data: map[string]interface{}{
			"url":      cfg.Url,
			"userdn":   cfg.UserDN,
			"groupdn":  cfg.GroupDN,
			"userattr": cfg.UserAttr,
		},
	}, nil
}

func (b *backend) pathConfigWrite(
	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {

	cfg := &ConfigEntry{}
	url := d.Get("url").(string)
	if url != "" {
		cfg.Url = strings.ToLower(url)
	}
	userattr := d.Get("userattr").(string)
	if userattr != "" {
		cfg.UserAttr = strings.ToLower(userattr)
	}
	userdn := d.Get("userdn").(string)
	if userdn != "" {
		cfg.UserDN = userdn
	}
	groupdn := d.Get("groupdn").(string)
	if groupdn != "" {
		cfg.GroupDN = groupdn
	}

	// Try to connect to the LDAP server, to validate the URL configuration
	// We can also check the URL at this stage, as anything else would probably
	// require authentication.
	conn, cerr := cfg.DialLDAP()
	if cerr != nil {
		return logical.ErrorResponse(cerr.Error()), nil
	}
	conn.Close()

	entry, err := logical.StorageEntryJSON("config", cfg)
	if err != nil {
		return nil, err
	}
	if err := req.Storage.Put(entry); err != nil {
		return nil, err
	}

	return nil, nil
}

type ConfigEntry struct {
	Url      string
	UserDN   string
	GroupDN  string
	UserAttr string
}

func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {

	u, err := url.Parse(c.Url)
	if err != nil {
		return nil, err
	}
	host, port, err := net.SplitHostPort(u.Host)
	if err != nil {
		host = u.Host
	}

	var conn *ldap.Conn
	switch u.Scheme {
	case "ldap":
		if port == "" {
			port = "389"
		}
		conn, err = ldap.Dial("tcp", host+":"+port)
	case "ldaps":
		if port == "" {
			port = "636"
		}
		conn, err = ldap.DialTLS("tcp", host+":"+port, nil)
	default:
		return nil, fmt.Errorf("invalid LDAP scheme")
	}
	if err != nil {
		return nil, fmt.Errorf("cannot connect to LDAP: %v", err)
	}

	return conn, nil
}

func (c *ConfigEntry) SetDefaults() {
	c.Url = "ldap://127.0.0.1"
	c.UserAttr = "cn"
}

const pathConfigHelpSyn = `
Configure the LDAP server to connect to.
`

const pathConfigHelpDesc = `
This endpoint allows you to configure the LDAP server to connect to, and give
basic information of the schema of that server.

The LDAP URL can use either the "ldap://" or "ldaps://" schema. In the former
case, an unencrypted connection will be done, with default port 389; in the latter
case, a SSL connection will be done, with default port 636.
`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`package ldap`

			`import (`
Attempt connection to LDAP server at login time. Also switch to a LDAP library fork which fixes a panic when shutting down a connection immediately. 2015-05-06 22:39:02 +00:00			`"fmt"`
			`"net"`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`"net/url"`
			`"strings"`

			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
Attempt connection to LDAP server at login time. Also switch to a LDAP library fork which fixes a panic when shutting down a connection immediately. 2015-05-06 22:39:02 +00:00			`"github.com/vanackere/ldap"`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`)`

			`func pathConfig(b backend) framework.Path {`
			`return &framework.Path{`
			Pattern: `config`,
			`Fields: map[string]*framework.FieldSchema{`
			`"url": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "ldap URL to connect to (default: ldap://127.0.0.1)",`
			`},`
auth/ldap: implement authorization via LDAP groups 2015-05-06 23:49:26 +00:00			`"userdn": &framework.FieldSchema{`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`Type: framework.TypeString,`
auth/ldap: implement authorization via LDAP groups 2015-05-06 23:49:26 +00:00			`Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)",`
			`},`
			`"groupdn": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "LDAP domain to use for groups (eg: ou=Groups,dc=example,dc=org)",`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`},`
			`"userattr": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Attribute used for users (default: cn)",`
			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
			`logical.ReadOperation: b.pathConfigRead,`
			`logical.WriteOperation: b.pathConfigWrite,`
			`},`

			`HelpSynopsis: pathConfigHelpSyn,`
			`HelpDescription: pathConfigHelpDesc,`
			`}`
			`}`

			`func (b backend) Config(req logical.Request) (*ConfigEntry, error) {`
			`entry, err := req.Storage.Get("config")`
			`if err != nil {`
			`return nil, err`
			`}`
			`if entry == nil {`
			`return nil, nil`
			`}`
			`var result ConfigEntry`
			`result.SetDefaults()`
			`if err := entry.DecodeJSON(&result); err != nil {`
			`return nil, err`
			`}`
			`return &result, nil`
			`}`

			`func (b *backend) pathConfigRead(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`

			`cfg, err := b.Config(req)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if cfg == nil {`
			`return nil, nil`
			`}`

			`return &logical.Response{`
			`Data: map[string]interface{}{`
			`"url": cfg.Url,`
auth/ldap: implement authorization via LDAP groups 2015-05-06 23:49:26 +00:00			`"userdn": cfg.UserDN,`
			`"groupdn": cfg.GroupDN,`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`"userattr": cfg.UserAttr,`
			`},`
			`}, nil`
			`}`

			`func (b *backend) pathConfigWrite(`
			`req logical.Request, d framework.FieldData) (*logical.Response, error) {`

			`cfg := &ConfigEntry{}`
			`url := d.Get("url").(string)`
			`if url != "" {`
			`cfg.Url = strings.ToLower(url)`
			`}`
			`userattr := d.Get("userattr").(string)`
auth/ldap: implement authorization via LDAP groups 2015-05-06 23:49:26 +00:00			`if userattr != "" {`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`cfg.UserAttr = strings.ToLower(userattr)`
			`}`
auth/ldap: implement authorization via LDAP groups 2015-05-06 23:49:26 +00:00			`userdn := d.Get("userdn").(string)`
			`if userdn != "" {`
			`cfg.UserDN = userdn`
			`}`
			`groupdn := d.Get("groupdn").(string)`
			`if groupdn != "" {`
			`cfg.GroupDN = groupdn`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`}`

Attempt connection to LDAP server at login time. Also switch to a LDAP library fork which fixes a panic when shutting down a connection immediately. 2015-05-06 22:39:02 +00:00			`// Try to connect to the LDAP server, to validate the URL configuration`
			`// We can also check the URL at this stage, as anything else would probably`
			`// require authentication.`
			`conn, cerr := cfg.DialLDAP()`
			`if cerr != nil {`
			`return logical.ErrorResponse(cerr.Error()), nil`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`}`
Attempt connection to LDAP server at login time. Also switch to a LDAP library fork which fixes a panic when shutting down a connection immediately. 2015-05-06 22:39:02 +00:00			`conn.Close()`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00
			`entry, err := logical.StorageEntryJSON("config", cfg)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if err := req.Storage.Put(entry); err != nil {`
			`return nil, err`
			`}`

			`return nil, nil`
			`}`

			`type ConfigEntry struct {`
			`Url string`
auth/ldap: implement authorization via LDAP groups 2015-05-06 23:49:26 +00:00			`UserDN string`
			`GroupDN string`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`UserAttr string`
			`}`

Attempt connection to LDAP server at login time. Also switch to a LDAP library fork which fixes a panic when shutting down a connection immediately. 2015-05-06 22:39:02 +00:00			`func (c ConfigEntry) DialLDAP() (ldap.Conn, error) {`

Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`u, err := url.Parse(c.Url)`
			`if err != nil {`
Attempt connection to LDAP server at login time. Also switch to a LDAP library fork which fixes a panic when shutting down a connection immediately. 2015-05-06 22:39:02 +00:00			`return nil, err`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`}`
Attempt connection to LDAP server at login time. Also switch to a LDAP library fork which fixes a panic when shutting down a connection immediately. 2015-05-06 22:39:02 +00:00			`host, port, err := net.SplitHostPort(u.Host)`
			`if err != nil {`
			`host = u.Host`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`}`
Attempt connection to LDAP server at login time. Also switch to a LDAP library fork which fixes a panic when shutting down a connection immediately. 2015-05-06 22:39:02 +00:00
			`var conn *ldap.Conn`
			`switch u.Scheme {`
			`case "ldap":`
			`if port == "" {`
			`port = "389"`
			`}`
			`conn, err = ldap.Dial("tcp", host+":"+port)`
			`case "ldaps":`
			`if port == "" {`
			`port = "636"`
			`}`
			`conn, err = ldap.DialTLS("tcp", host+":"+port, nil)`
			`default:`
			`return nil, fmt.Errorf("invalid LDAP scheme")`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`}`
Attempt connection to LDAP server at login time. Also switch to a LDAP library fork which fixes a panic when shutting down a connection immediately. 2015-05-06 22:39:02 +00:00			`if err != nil {`
			`return nil, fmt.Errorf("cannot connect to LDAP: %v", err)`
			`}`

			`return conn, nil`
Initial implementation of the LDAP credential backend 2015-05-06 01:54:27 +00:00			`}`

			`func (c *ConfigEntry) SetDefaults() {`
			`c.Url = "ldap://127.0.0.1"`
			`c.UserAttr = "cn"`
			`}`

			const pathConfigHelpSyn = `
			`Configure the LDAP server to connect to.`
			`

			const pathConfigHelpDesc = `
			`This endpoint allows you to configure the LDAP server to connect to, and give`
			`basic information of the schema of that server.`

			`The LDAP URL can use either the "ldap://" or "ldaps://" schema. In the former`
			`case, an unencrypted connection will be done, with default port 389; in the latter`
			`case, a SSL connection will be done, with default port 636.`
			`