bugfix ldap

This commit is contained in:
Nathan Coad
2026-04-21 13:03:08 +10:00
parent 4b1b985862
commit d2a7145a4c
2 changed files with 62 additions and 3 deletions
+24 -3
@@ -109,11 +109,13 @@ func (a *LDAPAuthenticator) AuthenticateAndFetchGroups(ctx context.Context, user
} }
if whoami, err := conn.WhoAmI(nil); err != nil { if whoami, err := conn.WhoAmI(nil); err != nil {
identity.Diagnostics = append(identity.Diagnostics, fmt.Sprintf("whoami_failed:%v", err)) identity.Diagnostics = append(identity.Diagnostics, fmt.Sprintf("whoami_failed:%v", err))
} else if boundDN := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(whoami.AuthzID), "dn:")); boundDN != "" { } else if boundDN := parseWhoAmIDN(whoami.AuthzID); boundDN != "" {
identity.UserDN = boundDN identity.UserDN = boundDN
identity.Diagnostics = append(identity.Diagnostics, "whoami_dn_resolved") identity.Diagnostics = append(identity.Diagnostics, "whoami_dn_resolved")
} else { } else if strings.TrimSpace(whoami.AuthzID) == "" {
identity.Diagnostics = append(identity.Diagnostics, "whoami_dn_empty") identity.Diagnostics = append(identity.Diagnostics, "whoami_dn_empty")
} else {
identity.Diagnostics = append(identity.Diagnostics, "whoami_non_dn_authzid")
} }
entry, lookupStrategy, err := a.lookupUserEntry(conn, username, identity.UserDN) entry, lookupStrategy, err := a.lookupUserEntry(conn, username, identity.UserDN)
@@ -281,7 +283,10 @@ func (a *LDAPAuthenticator) buildTLSConfig() (*tls.Config, error) {
} }
func (a *LDAPAuthenticator) lookupUserEntry(conn *ldap.Conn, username string, userDNHint string) (*ldap.Entry, string, error) { func (a *LDAPAuthenticator) lookupUserEntry(conn *ldap.Conn, username string, userDNHint string) (*ldap.Entry, string, error) {
dnCandidates := compactTrimmedStrings([]string{userDNHint}) dnCandidates := make([]string, 0, 2)
if looksLikeDN(userDNHint) {
dnCandidates = append(dnCandidates, strings.TrimSpace(userDNHint))
}
if looksLikeDN(username) { if looksLikeDN(username) {
dnCandidates = append(dnCandidates, strings.TrimSpace(username)) dnCandidates = append(dnCandidates, strings.TrimSpace(username))
} }
@@ -378,6 +383,22 @@ func looksLikeDN(value string) bool {
return strings.Contains(value, "=") && strings.Contains(value, ",") return strings.Contains(value, "=") && strings.Contains(value, ",")
} }
func parseWhoAmIDN(authzID string) string {
authzID = strings.TrimSpace(authzID)
if authzID == "" {
return ""
}
lower := strings.ToLower(authzID)
if strings.HasPrefix(lower, "dn:") {
authzID = strings.TrimSpace(authzID[3:])
}
if !looksLikeDN(authzID) {
return ""
}
return authzID
}
func principalCandidates(username string) []string { func principalCandidates(username string) []string {
username = strings.TrimSpace(username) username = strings.TrimSpace(username)
if username == "" { if username == "" {
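Review bot: The new parseWhoAmIDN helper strips only a `dn:` prefix and then trusts the looksLikeDN heuristic, so a `u:`-form authorization identity whose value happens to contain both `=` and `,` would be returned as a DN and land in identity.UserDN; the "non dn authzid" case in the tests passes only because its value lacks those characters. Rejecting the other RFC 4532 form explicitly before the heuristic closes that gap: `if strings.HasPrefix(lower, "u:") { return "" }` placed right after `lower` is computed. A doc comment would also help, e.g. `// parseWhoAmIDN returns the DN carried by a WhoAmI authzId ("dn:" prefix, case-insensitive, or a bare DN-shaped value); "u:" identities and anything not DN-shaped yield "".` In the first hunk the `whoami_non_dn_authzid` diagnostic records nothing about what the server returned, so recording just the form prefix (for instance `whoami_non_dn_authzid:u`, a constructed example) would aid troubleshooting without echoing the whole identity. AuthenticateAndFetchGroups and lookupUserEntry both extend outside their hunks.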
+38
@@ -86,3 +86,41 @@ func TestBuildGroupMembershipFilter(t *testing.T) {
t.Fatalf("unexpected group filter:\n got: %s\nwant: %s", filter, expected) t.Fatalf("unexpected group filter:\n got: %s\nwant: %s", filter, expected)
} }
} }
func TestParseWhoAmIDN(t *testing.T) {
tests := []struct {
name string
authzID string
wantDN string
}{
{
name: "dn prefix",
authzID: "dn:CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
wantDN: "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
},
{
name: "dn prefix upper",
authzID: "DN:CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
wantDN: "CN=User,OU=Users,DC=corpau,DC=wbcau,DC=westpac,DC=com,DC=au",
},
{
name: "non dn authzid",
authzID: "u:L075239@corpau.wbcau.westpac.com.au",
wantDN: "",
},
{
name: "plain non dn",
authzID: "L075239@corpau.wbcau.westpac.com.au",
wantDN: "",
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
got := parseWhoAmIDN(tc.authzID)
if got != tc.wantDN {
t.Fatalf("unexpected whoami dn parse: got=%q want=%q", got, tc.wantDN)
}
})
}
}
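Review bot: TestParseWhoAmIDN covers only well-formed `dn:` values and two non-DN identities, so the branches of parseWhoAmIDN that return "" for an empty or whitespace-only authzId and for a `dn:` prefix followed by a non-DN remainder (`dn:` alone, or `dn:user@example.com`) are untested. Constructed cases such as `{name: "blank", authzID: "  ", wantDN: ""}` and `{name: "dn prefix non dn", authzID: "dn:user@example.com", wantDN: ""}` would pin that behaviour, and one with surrounding whitespace around a valid DN would confirm the trimming. The fixtures also appear to embed a real-looking corporate directory suffix and user identifier; constructed values like `dn:CN=User,OU=Users,DC=example,DC=com` keep the test data free of identifying details.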