17119: make controller understand filter groups.
[arvados.git] / lib / controller / localdb / login_ldap.go
index 44e42ac4050e0bdb31035941916921bed8defa98..49f557ae5b9ce50a8f7c3ceb59cc0fb31b50e187 100644 (file)
@@ -21,8 +21,8 @@ import (
 )
 
 type ldapLoginController struct {
-       Cluster    *arvados.Cluster
-       RailsProxy *railsProxy
+       Cluster *arvados.Cluster
+       Parent  *Conn
 }
 
 func (ctrl *ldapLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
@@ -38,6 +38,9 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
        conf := ctrl.Cluster.Login.LDAP
        errFailed := httpserver.ErrorWithStatus(fmt.Errorf("LDAP: Authentication failure (with username %q and password)", opts.Username), http.StatusUnauthorized)
 
+       if conf.SearchAttribute == "" {
+               return arvados.APIClientAuthorization{}, errors.New("config error: SearchAttribute is blank")
+       }
        if opts.Password == "" {
                log.WithField("username", opts.Username).Error("refusing to authenticate with empty password")
                return arvados.APIClientAuthorization{}, errFailed
@@ -89,11 +92,10 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
                }
        }
 
-       if conf.SearchAttribute == "" {
-               return arvados.APIClientAuthorization{}, errors.New("config error: must provide SearchAttribute")
+       search := fmt.Sprintf("(%s=%s)", ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
+       if conf.SearchFilters != "" {
+               search = fmt.Sprintf("(&%s%s)", conf.SearchFilters, search)
        }
-
-       search := fmt.Sprintf("(&%s(%s=%s))", conf.SearchFilters, ldap.EscapeFilter(conf.SearchAttribute), ldap.EscapeFilter(username))
        log = log.WithField("search", search)
        req := ldap.NewSearchRequest(
                conf.SearchBase,
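Review bot: `conf.SearchFilters` is interpolated into the filter verbatim on the `search = fmt.Sprintf("(&%s%s)", ...)` line while the attribute name and the username both go through `ldap.EscapeFilter`; the asymmetry looks deliberate (an administrator-supplied filter fragment rather than request input), but nothing in the code says so, and the `(&%s%s)` form is only well-formed when the fragment is one or more complete parenthesized filter expressions. Add a comment above the `if conf.SearchFilters != ""` check: `// SearchFilters is admin-supplied LDAP filter syntax (one or more complete "(...)" expressions) and is intentionally not escaped; only the username is untrusted input.` Presumably a malformed fragment surfaces as a search error from the LDAP library rather than matching anything, but that is worth confirming with a config test. UserAuthenticate begins and ends outside this hunk.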
@@ -105,7 +107,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
        if ldap.IsErrorWithCode(err, ldap.LDAPResultNoResultsReturned) ||
                ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) ||
                (err == nil && len(resp.Entries) == 0) {
-               log.WithError(err).Debug("ldap lookup returned no results")
+               log.WithError(err).Info("ldap lookup returned no results")
                return arvados.APIClientAuthorization{}, errFailed
        } else if err != nil {
                log.WithError(err).Error("ldap lookup failed")
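Review bot: The level changes at `log.WithError(err).Info("ldap lookup returned no results")` here and `log.WithError(err).Info("ldap user authentication failed")` in the next hunk move the two per-request failure outcomes to Info, so a failed bind no longer appears at Warn; anyone alerting on Warn-level authentication failures silently loses that signal. If Info is the intended level for expected failures (unknown user, wrong password), a one-line comment at this first site would make the policy explicit, e.g. `// Expected per-request failures are logged at Info; Error is reserved for directory or config problems.` UserAuthenticate begins and ends outside this hunk.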
@@ -130,7 +132,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
        // Now that we have the DN, try authenticating.
        err = l.Bind(userdn, opts.Password)
        if err != nil {
-               log.WithError(err).Warn("ldap user authentication failed")
+               log.WithError(err).Info("ldap user authentication failed")
                return arvados.APIClientAuthorization{}, errFailed
        }
        log.Debug("ldap authentication succeeded")
@@ -141,7 +143,7 @@ func (ctrl *ldapLoginController) UserAuthenticate(ctx context.Context, opts arva
                return arvados.APIClientAuthorization{}, errors.New("authentication succeeded but ldap returned no email address")
        }
 
-       return createAPIClientAuthorization(ctx, ctrl.RailsProxy, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
+       return ctrl.Parent.CreateAPIClientAuthorization(ctx, ctrl.Cluster.SystemRootToken, rpc.UserSessionAuthInfo{
                Email:     email,
                FirstName: attrs["givenname"],
                LastName:  attrs["sn"],