Diffstat (limited to 'auth_ldap.go')
-rw-r--r-- | auth_ldap.go | 84 |
1 files changed, 52 insertions, 32 deletions
diff --git a/auth_ldap.go b/auth_ldap.go
index bf2a9fb..26d3565 100644
--- a/auth_ldap.go
+++ b/auth_ldap.go
@@ -18,41 +18,17 @@ type LdapPreAuth struct {
 func (l LdapPreAuth) WithCreds(username, password string) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var e *LdapWrongPasswordError
-		// 1. Connect to the server
-		conn, err := ldapConnect(l.WithConfig)
-		if err != nil {
-			l.OnFailure.WithError(err).ServeHTTP(w, r)
-			return
-		}
-		defer conn.Close()
-
-		// 2. Authenticate with provided credentials
-		// @FIXME we should better check the error, it could also be due to an LDAP error
-		err = conn.auth(username, password)
-		if err != nil {
+		access_key, secret_key, err := LdapGetS3(l.WithConfig, username, password)
+
+		if err == nil {
+			l.OnCreds.WithCreds(access_key, secret_key).ServeHTTP(w, r)
+		} else if errors.As(err, &e) {
 			l.OnWrongPassword.WithError(err).ServeHTTP(w, r)
-			return
-		}
-
-		// 3. Fetch user's profile
-		profile, err := conn.profile()
-		if err != nil {
-			l.OnFailure.WithError(err).ServeHTTP(w, r)
-			return
-		}
-
-		// 4. Basic checks upon users' attributes
-		access_key := profile.GetAttributeValue("garage_s3_access_key")
-		secret_key := profile.GetAttributeValue("garage_s3_secret_key")
-		if access_key == "" || secret_key == "" {
-			err = errors.New(fmt.Sprintf("Either access key or secret key is missing in LDAP for %s", conn.userDn))
-			l.OnFailure.WithError(err).ServeHTTP(w, r)
-			return
+		} else {
+			l.OnFailure.WithError(e).ServeHTTP(w, r)
 		}
-
-		// 5. Send fetched credentials to the next middleware
-		l.OnCreds.WithCreds(access_key, secret_key).ServeHTTP(w, r)
 	})
 }
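Review bot: The final `else` branch passes `e` rather than `err` to `l.OnFailure.WithError(e)`; that branch is reached exactly when `errors.As(err, &e)` did not match, so `e` is still a nil `*LdapWrongPasswordError` and the failure handler receives an error interface holding a typed nil, which dereferences nil as soon as `Error()` is called on it. Every non-password failure (connection refused, profile lookup, missing S3 keys) now goes down this path, so the handler would panic on exactly the outage and misconfiguration cases it is meant to report. The fix is `l.OnFailure.WithError(err).ServeHTTP(w, r)`. It is also worth noting in a comment that `OnWrongPassword` is selected purely by the error type, so whatever `LdapGetS3` wraps as `LdapWrongPasswordError` (currently any bind error) is reported to the client as bad credentials.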
@@ -66,6 +42,50 @@ type ldapConnector struct {
 	userDn string
 }
+type LdapError struct {
+	Username string
+	Err error
+}
+func (e *LdapError) Error() string { return "ldap error for "+e.Username+": "+e.Err.Error() }
+type LdapWrongPasswordError struct { LdapError }
+
+func LdapGetS3(c *Config, username, password string) (access_key, secret_key string, werr error) {
+	// 1. Connect to the server
+	conn, err := ldapConnect(c)
+	if err != nil {
+		werr = &LdapError { username, err }
+		return
+	}
+	defer conn.Close()
+
+	// 2. Authenticate with provided credentials
+	// @FIXME we should better check the error, it could also be due to an LDAP error
+	err = conn.auth(username, password)
+	if err != nil {
+		werr = &LdapWrongPasswordError { LdapError { username, err } }
+		return
+	}
+
+	// 3. Fetch user's profile
+	profile, err := conn.profile()
+	if err != nil {
+		werr = &LdapError { username, err }
+		return
+	}
+
+	// 4. Basic checks upon users' attributes
+	access_key = profile.GetAttributeValue("garage_s3_access_key")
+	secret_key = profile.GetAttributeValue("garage_s3_secret_key")
+	if access_key == "" || secret_key == "" {
+		err = errors.New(fmt.Sprintf("Either access key or secret key is missing in LDAP for %s", conn.userDn))
+		werr = &LdapError { username, err }
+		return
+	}
+
+	// 5. Send fetched credentials to the next middleware
+	return
+}
+
 func ldapConnect(c *Config) (ldapConnector, error) {
 	ldapSock, err := ldap.Dial("tcp", c.LdapServer)
 	if err != nil {
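Review bot: `LdapError` stores the underlying error in `Err` but defines no `Unwrap`, so callers using `errors.Is`/`errors.As` on what `LdapGetS3` returns cannot reach the go-ldap error underneath — which is exactly what the retained `@FIXME` at step 2 would need in order to stop classifying every bind failure (including a server-side LDAP error) as a wrong password; add `func (e *LdapError) Unwrap() error { return e.Err }`. In step 4, when only one of the two attributes is missing the other is still returned in the named result alongside a non-nil `werr`; resetting both to `""` before `return` keeps a key from leaking out of an error path. The `// 5. Send fetched credentials to the next middleware` comment is now stale for a plain `return` and should read `// 5. Both keys present; return them to the caller`. `LdapGetS3`, `LdapError` and `LdapWrongPasswordError` are exported and need doc comments stating that `LdapWrongPasswordError` is the only variant a handler should report to the client as a credential problem.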