github.com/pf-qiu/concourse/v6@v6.7.3-0.20201207032516-1f455d73275f/skymarshal/skycmd/ldap_flags.go (about) 1 package skycmd 2 3 import ( 4 "encoding/json" 5 "errors" 6 7 "github.com/concourse/dex/connector/ldap" 8 "github.com/concourse/flag" 9 multierror "github.com/hashicorp/go-multierror" 10 ) 11 12 func init() { 13 RegisterConnector(&Connector{ 14 id: "ldap", 15 config: &LDAPFlags{}, 16 teamConfig: &LDAPTeamFlags{}, 17 }) 18 } 19 20 type LDAPFlags struct { 21 DisplayName string `long:"display-name" description:"The auth provider name displayed to users on the login page"` 22 Host string `long:"host" description:"(Required) The host and optional port of the LDAP server. If port isn't supplied, it will be guessed based on the TLS configuration. 389 or 636."` 23 BindDN string `long:"bind-dn" description:"(Required) Bind DN for searching LDAP users and groups. Typically this is a read-only user."` 24 BindPW string `long:"bind-pw" description:"(Required) Bind Password for the user specified by 'bind-dn'"` 25 InsecureNoSSL bool `long:"insecure-no-ssl" description:"Required if LDAP host does not use TLS."` 26 InsecureSkipVerify bool `long:"insecure-skip-verify" description:"Skip certificate verification"` 27 StartTLS bool `long:"start-tls" description:"Start on insecure port, then negotiate TLS"` 28 CACert flag.File `long:"ca-cert" description:"CA certificate"` 29 30 UserSearch struct { 31 BaseDN string `long:"user-search-base-dn" description:"BaseDN to start the search from. For example 'cn=users,dc=example,dc=com'"` 32 Filter string `long:"user-search-filter" description:"Optional filter to apply when searching the directory. For example '(objectClass=person)'"` 33 Username string `long:"user-search-username" description:"Attribute to match against the inputted username. This will be translated and combined with the other filter as '(<attr>=<username>)'."` 34 Scope string `long:"user-search-scope" description:"Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'."` 35 IDAttr string `long:"user-search-id-attr" description:"A mapping of attributes on the user entry to claims. Defaults to 'uid'."` 36 EmailAttr string `long:"user-search-email-attr" description:"A mapping of attributes on the user entry to claims. Defaults to 'mail'."` 37 NameAttr string `long:"user-search-name-attr" description:"A mapping of attributes on the user entry to claims."` 38 } 39 40 GroupSearch struct { 41 BaseDN string `long:"group-search-base-dn" description:"BaseDN to start the search from. For example 'cn=groups,dc=example,dc=com'"` 42 Filter string `long:"group-search-filter" description:"Optional filter to apply when searching the directory. For example '(objectClass=posixGroup)'"` 43 Scope string `long:"group-search-scope" description:"Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'."` 44 UserAttr string `long:"group-search-user-attr" description:"Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is: (<groupAttr>=<userAttr value>)"` 45 GroupAttr string `long:"group-search-group-attr" description:"Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is: (<groupAttr>=<userAttr value>)"` 46 NameAttr string `long:"group-search-name-attr" description:"The attribute of the group that represents its name."` 47 } 48 } 49 50 func (flag *LDAPFlags) Name() string { 51 if flag.DisplayName != "" { 52 return flag.DisplayName 53 } 54 return "LDAP" 55 } 56 57 func (flag *LDAPFlags) Validate() error { 58 var errs *multierror.Error 59 60 if flag.Host == "" { 61 errs = multierror.Append(errs, errors.New("Missing host")) 62 } 63 64 if flag.BindDN == "" { 65 errs = multierror.Append(errs, errors.New("Missing bind-dn")) 66 } 67 68 if flag.BindPW == "" { 69 errs = multierror.Append(errs, errors.New("Missing bind-pw")) 70 } 71 72 return errs.ErrorOrNil() 73 } 74 75 func (flag *LDAPFlags) Serialize(redirectURI string) ([]byte, error) { 76 if err := flag.Validate(); err != nil { 77 return nil, err 78 } 79 80 ldapConfig := ldap.Config{ 81 Host: flag.Host, 82 BindDN: flag.BindDN, 83 BindPW: flag.BindPW, 84 InsecureNoSSL: flag.InsecureNoSSL, 85 InsecureSkipVerify: flag.InsecureSkipVerify, 86 StartTLS: flag.StartTLS, 87 RootCA: flag.CACert.Path(), 88 } 89 90 ldapConfig.UserSearch.BaseDN = flag.UserSearch.BaseDN 91 ldapConfig.UserSearch.Filter = flag.UserSearch.Filter 92 ldapConfig.UserSearch.Username = flag.UserSearch.Username 93 ldapConfig.UserSearch.Scope = flag.UserSearch.Scope 94 ldapConfig.UserSearch.IDAttr = flag.UserSearch.IDAttr 95 ldapConfig.UserSearch.EmailAttr = flag.UserSearch.EmailAttr 96 ldapConfig.UserSearch.NameAttr = flag.UserSearch.NameAttr 97 98 ldapConfig.GroupSearch.BaseDN = flag.GroupSearch.BaseDN 99 ldapConfig.GroupSearch.Filter = flag.GroupSearch.Filter 100 ldapConfig.GroupSearch.Scope = flag.GroupSearch.Scope 101 ldapConfig.GroupSearch.UserAttr = flag.GroupSearch.UserAttr 102 ldapConfig.GroupSearch.GroupAttr = flag.GroupSearch.GroupAttr 103 ldapConfig.GroupSearch.NameAttr = flag.GroupSearch.NameAttr 104 105 return json.Marshal(ldapConfig) 106 } 107 108 type LDAPTeamFlags struct { 109 Users []string `json:"users" long:"user" description:"A whitelisted LDAP user" value-name:"USERNAME"` 110 Groups []string `json:"groups" long:"group" description:"A whitelisted LDAP group" value-name:"GROUP_NAME"` 111 } 112 113 func (flag *LDAPTeamFlags) GetUsers() []string { 114 return flag.Users 115 } 116 117 func (flag *LDAPTeamFlags) GetGroups() []string { 118 return flag.Groups 119 }