Diffstat (limited to 'auth_ldap.go')
-rw-r--r--auth_ldap.go84
1 files changed, 52 insertions, 32 deletions
diff --git a/auth_ldap.go b/auth_ldap.go
index bf2a9fb..26d3565 100644
--- a/auth_ldap.go
+++ b/auth_ldap.go
@@ -18,41 +18,17 @@ type LdapPreAuth struct {
func (l LdapPreAuth) WithCreds(username, password string) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ var e *LdapWrongPasswordError
- // 1. Connect to the server
- conn, err := ldapConnect(l.WithConfig)
- if err != nil {
- l.OnFailure.WithError(err).ServeHTTP(w, r)
- return
- }
- defer conn.Close()
-
- // 2. Authenticate with provided credentials
- // @FIXME we should better check the error, it could also be due to an LDAP error
- err = conn.auth(username, password)
- if err != nil {
+ access_key, secret_key, err := LdapGetS3(l.WithConfig, username, password)
+
+ if err == nil {
+ l.OnCreds.WithCreds(access_key, secret_key).ServeHTTP(w, r)
+ } else if errors.As(err, &e) {
l.OnWrongPassword.WithError(err).ServeHTTP(w, r)
- return
- }
-
- // 3. Fetch user's profile
- profile, err := conn.profile()
- if err != nil {
- l.OnFailure.WithError(err).ServeHTTP(w, r)
- return
- }
-
- // 4. Basic checks upon users' attributes
- access_key := profile.GetAttributeValue("garage_s3_access_key")
- secret_key := profile.GetAttributeValue("garage_s3_secret_key")
- if access_key == "" || secret_key == "" {
- err = errors.New(fmt.Sprintf("Either access key or secret key is missing in LDAP for %s", conn.userDn))
- l.OnFailure.WithError(err).ServeHTTP(w, r)
- return
+ } else {
+ l.OnFailure.WithError(e).ServeHTTP(w, r)
}
-
- // 5. Send fetched credentials to the next middleware
- l.OnCreds.WithCreds(access_key, secret_key).ServeHTTP(w, r)
})
}
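Review bot: The else branch at the end of the handler passes `e` rather than `err` to the failure handler, and `e` is only set when `errors.As` succeeds, so every non-password failure (connect error, profile lookup error, missing S3 attributes) hands OnFailure a nil `*LdapWrongPasswordError`; stored in the error interface it is non-nil, and the first `Error()` call dereferences `e.Username` and panics, so the real cause is lost and the request aborts instead of being reported. The line should read `l.OnFailure.WithError(err).ServeHTTP(w, r)`. It would also be worth a comment above the `errors.As` check noting that, per the FIXME in LdapGetS3, a bind failure caused by an LDAP outage is still reported on the wrong-password path, e.g. `// NOTE: conn.auth errors are all mapped to LdapWrongPasswordError, including transport errors`.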
@@ -66,6 +42,50 @@ type ldapConnector struct {
userDn string
}
+type LdapError struct {
+ Username string
+ Err error
+}
+func (e *LdapError) Error() string { return "ldap error for "+e.Username+": "+e.Err.Error() }
+type LdapWrongPasswordError struct { LdapError }
+
+func LdapGetS3(c *Config, username, password string) (access_key, secret_key string, werr error) {
+ // 1. Connect to the server
+ conn, err := ldapConnect(c)
+ if err != nil {
+ werr = &LdapError { username, err }
+ return
+ }
+ defer conn.Close()
+
+ // 2. Authenticate with provided credentials
+ // @FIXME we should better check the error, it could also be due to an LDAP error
+ err = conn.auth(username, password)
+ if err != nil {
+ werr = &LdapWrongPasswordError { LdapError { username, err } }
+ return
+ }
+
+ // 3. Fetch user's profile
+ profile, err := conn.profile()
+ if err != nil {
+ werr = &LdapError { username, err }
+ return
+ }
+
+ // 4. Basic checks upon users' attributes
+ access_key = profile.GetAttributeValue("garage_s3_access_key")
+ secret_key = profile.GetAttributeValue("garage_s3_secret_key")
+ if access_key == "" || secret_key == "" {
+ err = errors.New(fmt.Sprintf("Either access key or secret key is missing in LDAP for %s", conn.userDn))
+ werr = &LdapError { username, err }
+ return
+ }
+
+ // 5. Send fetched credentials to the next middleware
+ return
+}
+
func ldapConnect(c *Config) (ldapConnector, error) {
ldapSock, err := ldap.Dial("tcp", c.LdapServer)
if err != nil {