open-vault/builtin/credential/ldap/backend.go

206 lines
5.5 KiB
Go
Raw Normal View History

package ldap
import (
"context"
2015-05-08 07:28:26 +00:00
"fmt"
"strings"
2016-05-31 23:42:54 +00:00
"github.com/hashicorp/vault/helper/ldaputil"
2015-07-27 18:24:12 +00:00
"github.com/hashicorp/vault/helper/mfa"
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
b := Backend()
if err := b.Setup(ctx, conf); err != nil {
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
return nil, err
}
return b, nil
}
func Backend() *backend {
var b backend
b.Backend = &framework.Backend{
Help: backendHelp,
PathsSpecial: &logical.Paths{
2016-05-31 23:42:54 +00:00
Root: mfa.MFARootPaths(),
Unauthenticated: []string{
"login/*",
},
SealWrapStorage: []string{
"config",
},
},
Paths: append([]*framework.Path{
pathConfig(&b),
pathGroups(&b),
pathGroupsList(&b),
pathUsers(&b),
pathUsersList(&b),
2015-07-27 18:24:12 +00:00
},
mfa.MFAPaths(b.Backend, pathLogin(&b))...,
),
AuthRenew: b.pathLoginRenew,
BackendType: logical.TypeCredential,
}
return &b
}
type backend struct {
*framework.Backend
}
func (b *backend) Login(ctx context.Context, req *logical.Request, username string, password string) ([]string, *logical.Response, []string, error) {
2015-05-08 07:28:26 +00:00
cfg, err := b.Config(ctx, req)
2015-05-08 07:28:26 +00:00
if err != nil {
return nil, nil, nil, err
2015-05-08 07:28:26 +00:00
}
if cfg == nil {
return nil, logical.ErrorResponse("ldap backend not configured"), nil, nil
2015-05-08 07:28:26 +00:00
}
ldapClient := ldaputil.Client{
Logger: b.Logger(),
LDAP: ldaputil.NewLDAP(),
}
c, err := ldapClient.DialLDAP(cfg)
2015-05-08 07:28:26 +00:00
if err != nil {
return nil, logical.ErrorResponse(err.Error()), nil, nil
2015-05-08 07:28:26 +00:00
}
if c == nil {
return nil, logical.ErrorResponse("invalid connection returned from LDAP dial"), nil, nil
}
// Clean connection
defer c.Close()
userBindDN, err := ldapClient.GetUserBindDN(cfg, c, username)
if err != nil {
return nil, logical.ErrorResponse(err.Error()), nil, nil
}
2016-08-19 20:45:17 +00:00
if b.Logger().IsDebug() {
b.Logger().Debug("user binddn fetched", "username", username, "binddn", userBindDN)
2016-08-19 20:45:17 +00:00
}
if cfg.DenyNullBind && len(password) == 0 {
return nil, logical.ErrorResponse("password cannot be of zero length when passwordless binds are being denied"), nil, nil
}
// Try to bind as the login user. This is where the actual authentication takes place.
if len(password) > 0 {
err = c.Bind(userBindDN, password)
} else {
err = c.UnauthenticatedBind(userBindDN)
}
if err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("LDAP bind failed: %v", err)), nil, nil
}
// We re-bind to the BindDN if it's defined because we assume
// the BindDN should be the one to search, not the user logging in.
if cfg.BindDN != "" && cfg.BindPassword != "" {
if err := c.Bind(cfg.BindDN, cfg.BindPassword); err != nil {
return nil, logical.ErrorResponse(fmt.Sprintf("Encountered an error while attempting to re-bind with the BindDN User: %s", err.Error())), nil, nil
}
if b.Logger().IsDebug() {
b.Logger().Debug("re-bound to original binddn")
}
}
userDN, err := ldapClient.GetUserDN(cfg, c, userBindDN)
if err != nil {
return nil, logical.ErrorResponse(err.Error()), nil, nil
}
ldapGroups, err := ldapClient.GetLdapGroups(cfg, c, userDN, username)
if err != nil {
return nil, logical.ErrorResponse(err.Error()), nil, nil
}
2016-08-19 20:45:17 +00:00
if b.Logger().IsDebug() {
b.Logger().Debug("groups fetched from server", "num_server_groups", len(ldapGroups), "server_groups", ldapGroups)
2016-08-19 20:45:17 +00:00
}
ldapResponse := &logical.Response{
Data: map[string]interface{}{},
}
if len(ldapGroups) == 0 {
errString := fmt.Sprintf(
"no LDAP groups found in groupDN '%s'; only policies from locally-defined groups available",
cfg.GroupDN)
ldapResponse.AddWarning(errString)
}
var allGroups []string
canonicalUsername := username
cs := *cfg.CaseSensitiveNames
if !cs {
canonicalUsername = strings.ToLower(username)
}
// Import the custom added groups from ldap backend
user, err := b.User(ctx, req.Storage, canonicalUsername)
if err == nil && user != nil && user.Groups != nil {
2016-08-19 20:45:17 +00:00
if b.Logger().IsDebug() {
b.Logger().Debug("adding local groups", "num_local_groups", len(user.Groups), "local_groups", user.Groups)
2016-08-19 20:45:17 +00:00
}
allGroups = append(allGroups, user.Groups...)
}
// Merge local and LDAP groups
allGroups = append(allGroups, ldapGroups...)
canonicalGroups := allGroups
// If not case sensitive, lowercase all
if !cs {
canonicalGroups = make([]string, len(allGroups))
for i, v := range allGroups {
canonicalGroups[i] = strings.ToLower(v)
}
}
// Retrieve policies
var policies []string
for _, groupName := range canonicalGroups {
group, err := b.Group(ctx, req.Storage, groupName)
if err == nil && group != nil {
policies = append(policies, group.Policies...)
}
}
if user != nil && user.Policies != nil {
policies = append(policies, user.Policies...)
}
// Policies from each group may overlap
policies = strutil.RemoveDuplicates(policies, true)
if len(policies) == 0 {
errStr := "user is not a member of any authorized group"
if len(ldapResponse.Warnings) > 0 {
errStr = fmt.Sprintf("%s; additionally, %s", errStr, ldapResponse.Warnings[0])
}
ldapResponse.Data["error"] = errStr
return nil, ldapResponse, nil, nil
}
return policies, ldapResponse, allGroups, nil
}
const backendHelp = `
The "ldap" credential provider allows authentication querying
a LDAP server, checking username and password, and associating groups
to set of policies.
Configuration of the server is done through the "config" and "groups"
endpoints by a user with root access. Authentication is then done
2018-03-20 18:54:10 +00:00
by supplying the two fields for "login".
`