1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
16 "git.arvados.org/arvados.git/lib/controller/rpc"
17 "git.arvados.org/arvados.git/sdk/go/arvados"
18 "git.arvados.org/arvados.git/sdk/go/ctxlog"
19 "git.arvados.org/arvados.git/sdk/go/httpserver"
20 "github.com/go-ldap/ldap"
23 type ldapLoginController struct {
24 Cluster *arvados.Cluster
25 RailsProxy *railsProxy
28 func (ctrl *ldapLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
29 return noopLogout(ctrl.Cluster, opts)
32 func (ctrl *ldapLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
33 return arvados.LoginResponse{}, errors.New("interactive login is not available")
36 func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
37 log := ctxlog.FromContext(ctx)
38 conf := ctrl.Cluster.Login.LDAP
39 errFailed := httpserver.ErrorWithStatus(fmt.Errorf("LDAP: Authentication failure (with username %q and password)", opts.Username), http.StatusUnauthorized)
41 if opts.Password == "" {
42 log.WithField("username", opts.Username).Error("refusing to authenticate with empty password")
43 return arvados.APIClientAuthorization{}, errFailed
46 log = log.WithField("URL", conf.URL.String())
47 l, err := ldap.DialURL(conf.URL.String())
49 log.WithError(err).Error("ldap connection failed")
50 return arvados.APIClientAuthorization{}, err
55 var tlsconfig tls.Config
57 tlsconfig.InsecureSkipVerify = true
59 if host, _, err := net.SplitHostPort(conf.URL.Host); err != nil {
60 // Assume SplitHostPort error means
61 // port was not specified
62 tlsconfig.ServerName = conf.URL.Host
64 tlsconfig.ServerName = host
67 err = l.StartTLS(&tlsconfig)
69 log.WithError(err).Error("ldap starttls failed")
70 return arvados.APIClientAuthorization{}, err
74 username := opts.Username
75 if at := strings.Index(username, "@"); at >= 0 {
76 if conf.StripDomain == "*" || strings.ToLower(conf.StripDomain) == strings.ToLower(username[at+1:]) {
77 username = username[:at]
80 if conf.AppendDomain != "" && !strings.Contains(username, "@") {
81 username = username + "@" + conf.AppendDomain
84 if conf.SearchBindUser != "" {
85 err = l.Bind(conf.SearchBindUser, conf.SearchBindPassword)
87 log.WithError(err).WithField("user", conf.SearchBindUser).Error("ldap authentication failed")
88 return arvados.APIClientAuthorization{}, err
92 if conf.SearchAttribute == "" {
93 return arvados.APIClientAuthorization{}, errors.New("config error: must provide SearchAttribute")
96 search := fmt.Sprintf("(&%s(%s=%s))", conf.SearchFilters, ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
97 log = log.WithField("search", search)
98 req := ldap.NewSearchRequest(
100 ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 1, 0, false,
102 []string{"DN", "givenName", "SN", conf.EmailAttribute, conf.UsernameAttribute},
104 resp, err := l.Search(req)
105 if ldap.IsErrorWithCode(err, ldap.LDAPResultNoResultsReturned) ||
106 ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) ||
107 (err == nil && len(resp.Entries) == 0) {
108 log.WithError(err).Debug("ldap lookup returned no results")
109 return arvados.APIClientAuthorization{}, errFailed
110 } else if err != nil {
111 log.WithError(err).Error("ldap lookup failed")
112 return arvados.APIClientAuthorization{}, err
114 userdn := resp.Entries[0].DN
116 log.Warn("refusing to authenticate with empty dn")
117 return arvados.APIClientAuthorization{}, errFailed
119 log = log.WithField("DN", userdn)
121 attrs := map[string]string{}
122 for _, attr := range resp.Entries[0].Attributes {
123 if attr == nil || len(attr.Values) == 0 {
126 attrs[strings.ToLower(attr.Name)] = attr.Values[0]
128 log.WithField("attrs", attrs).Debug("ldap search succeeded")
130 // Now that we have the DN, try authenticating.
131 err = l.Bind(userdn, opts.Password)
133 log.WithError(err).Warn("ldap user authentication failed")
134 return arvados.APIClientAuthorization{}, errFailed
136 log.Debug("ldap authentication succeeded")
138 email := attrs[strings.ToLower(conf.EmailAttribute)]
140 log.Errorf("ldap returned no email address in %q attribute", conf.EmailAttribute)
141 return arvados.APIClientAuthorization{}, errors.New("authentication succeeded but ldap returned no email address")
144 return createAPIClientAuthorization(ctx, ctrl.RailsProxy, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
146 FirstName: attrs["givenname"],
147 LastName: attrs["sn"],
148 Username: attrs[strings.ToLower(conf.UsernameAttribute)],