Optional and Configurable LDAP User/Session Management Support and Reworked Pluggable Auth Driver Interface (#9750)

* Initial commit of LDAP Auth driver support with toml config docs and parser driver, pluggable auth interface defined and localauth (default) moved to scoped module
* 'orm sessions.UserManager' to 'um sessions.UserManager'
* Add missing checks for the UserApiTokenEnabled config field for token related calls, rename ServerTls to ServerTLS
* Update docs toml LDAP section to clarify how the fields are used and specify LDAP terminology
* Clarify LDAP 'cn' in toml docs for LDAP
* Fix WebServer TOML and config definitions, split types for WebServerLDAPSecrets to follow the config and secret toml convention, improved error handling on startup for missing WebServer and LDAP fields
* Error application startup if authentication method is not one of the valid options, instead of defaulting to local
* Don't export unneeded ldapGroupMembersListToUser in ldap module
* Bugfixes for LDAP find user when no results for passed email, address the two ways local CLI can attempt auth using local client for LDAP implementation of createSession, moved ErrNotSupported up to authentication types level so router can expose to API response when type message
* Rework LDAP function to check if list of provided query emails possess the 'active' attribute/group in a single query. Now returns list of bools one to one for the passed in emails array and correctly handles the case for querying more than one email at a time, changing function return signature from just error
* Update LDAP field naming for Cn, Dn to Go convention CN, DN in toml and types, tidy go mod, fix path imports for test files, fix toml comments
* Post merge toml module rename LDAP model fixes
  Populate test config and test secrets toml file with new LDAP config fields, use secrets parse type for LDAPSecrets interface
* Update top level application struct to accommodate new sibling AuthProvider field to preserve always available local admin auth
  This commit splits the newly added UserManager interface (now renamed) into two interfaces where the existing local user ORM auth provider covers the implementation for the required always available Admin commands. These are used when configuring the node initially (creating the admin user) or assuming the admin role from the command line, which should work locally as well regardless of the configured Authentication Provider. Renamed new UserManager interface to AuthenticationProvider, which no longer has the boilerplate Admin prefix functions.
* Update all err comparison checks for ErrNotSupported to errors.Is
* go generate mocks
* Tidy unnecessary string cast, bump ldap library to latest and use v3, test forward compatibility, mod tidy
* Clean up auth provider config switch statement
* Update checked in test txtar output
* Update gql test and mocks with new authprovider mock, updated in mock struct. Add missing TestPassword call
* Update remaining test config toml files with new WebServer LDAP fields, populated where test case makes sense, add toml config validation checks on parse for LDAP fields non empty, update LDAP Server field to Models Secret URL, add parsing test for secrets
* Update LDAP module with missing API token implementation - creation, use, and deletion
  Bugfixes and logic improvements for LDAP session reaper/upstream sync. Reaper now correctly syncs roles and users from upstream via sleeper task tied to LDAP auth actions. User sessions and API tokens are correctly removed when the expire TTL is met, the local LDAP sessions and API tokens role is updated and synced with the state of the upstream LDAP server as part of the logic of this sleeper task, and if a user is no longer present in any of the defined groups they are automatically removed from the LDAP sessions and API tokens tables (checked on cadence of sleeper task Work call)
  Update LDAP webconfigToken duration to match wrapped models.Duration type
  Add const for LDAPUniqueMemberAttribute/uniqueMember in ldapauth module
  Add info logger connection attempt message in case of hang on node startup
  Fix expired LDAP api tokens purge issue
  Nicer error for session missing / expired on attempt of session token use (remove error within stdout)
* Add missing support for local CLI user and auth when using LDAP Authentication module
  Fixed edge cases for FindUser, check local users table as well, local user API Token creation and support
  Add localauth_user flag for ldap specific tables to support node usage by the initial required local admin user, add logic in CreateSession
* Update config UpstreamSyncInterval and UpstreamSyncRateLimit functionality for LDAP Sync daemon
  Implement .Work call on timer for LDAP sync in the background, independent of Auth related calls. The implementation of SleeperTask calls Work when hooked into Auth events, being called on login or logout. Now if UpstreamSyncInterval is defined as non 0, a background timer call will call the sync function, respecting the new UpstreamSyncRateLimit field
* LDAP Fix for checks of optional isactive property on group query, find user functionality, and admin functions
  Bug fix for ldap driver not supporting local admin users case of change password and list users, FindUser functionality can now return matches of local admin users
  List Users now includes local users and works as expected for upstream LDAP users who have any of the defined groups required for node access.
  Bugfix for group search query in both the sync and ldap providers modules. Factored out group query functionality for both call sites
  Set Password support for only local admin users as functionality is still supported and required when using LDAP auth, upstream user modification remains unsupported
  Bugfix for shell local initialization not using local admin auth ORM, causing issue with initial assume user step in ListUsers
* bump migration file index
* remove incorrect rebased merge resolution for Explorer removal
* Change default config definitions for LDAP 'Is Active' attribute checks to empty, as not all LDAP providers will use 'ActiveAttribute', or retain group member access when inactive. Fix error handling in find users for case when NoRows, don't log error automatically with Transaction middleware
* Simplify sessions purge sql exec using pq.Array instead of manually generating placeholders, and Regenerate mocks
* Merge go mod require groups, go tidy
* Rename changed authentication provider session ORM in test files, fix config test reordering, add missing mock, update const err strings
* Add mock value for one test case of config ldap is active attribute, revert purge sessions api token test file, migrate to new errors module and update how errors are wrapped, lowercase all error messages
* Factor out unsupported action error message in user controller with new errUnsupportedForAuth type
* Rebase, update migration index
* Update config_test full case, error case for missing fields
* Fix tests with missing Mocks for cmd shell, config resolver, and sessions localauth
  Missing mocks for LocalAdminUsersORM
  Revert change unrelated to LDAP feature in AuthorizedUserWithSession (refactored)
  Fix leaked internal error over HTTP response + test case for delete user
  Fix mocks and missing TestPassword call cases for graphql mutation tests, update incorrect password test case
  Add expected LDAP config fields for config resolver tests
* Bump migration file index for ldap tables
* Linter fixes - application.go localAdminUsersORM initialized in one line
  Fix config session timeout interface naming (r -> l)
  Typos fix in ldap.go docstring
  Rework logic in checkErr for FindUser logic of testing admin table query before failing (rework to avoid error shadowing)
  Invert logic for err != nil in case for local admin user found
  Fix missing errors.Is comparison for sessions.ErrUserSessionExpired in ldap module
  Run docs generate
  Fix typo in txtar test LDAP config
* Add missing ldap fields to warnings.txtar, fix err shadowing linter errors in ldap.go and sync.go
  Run go mod tidy
* Fix linter import order and groupings
* More import ordering lint
* Rebase, bump sql migration index
* use correct guregu/null.v4 version
* Implement test cases for ldap module, create LDAP client and LDAPConn wrapper interfaces and mocks
  New LDAPClient and LDAPConn interfaces allow test mocks to handle Bind and Search functionality. The ldap implementation has been updated to store the ldapClient (still ephemeral single use, like a factory) in the struct such that the test harness can swap the implementation with the mocks.
  Create helpers_test.go following codebase convention to allow a Setter method to be defined for the ldapClient field, but separated from the production build. This allows the ldap struct and field properties to remain unexported. Test helper contains test mock config and helper constructor function
  New ldap_test.go module with cases for ldap query functionality and local admin support assertions
  ldap.go module improvements, return struct in constructor instead of interface type for authentication provider, define user facing error consts (test assertion), store ldapClient in struct, nicer error handling for user not found in FindUser, fix err shadowing reuse error in token expired case, fix typos in ListUsers
  LDAP Sync rework for new ldapclient field, use new interface to support mocking
  Remove dangling committed localauth orm.mock, which was being imported by a missed test. Test now imports the correct mock (new authentication provider mocks)
* Updated CHANGELOG.md
* Update go.mod
* Linter fixes UserNoLDAPGroups -> ErrUserNoLDAPGroups, shadowing
* module -> package, format package docstring properly for ldapauth to support godoc render
  Remove redundant LDAP prefix for UniqueMemberAttribute
* Remove rebased gomod line
* define const NodeAdmins* for mocked tests in helpers_test, reference [WebServer].AuthenticationMethod in changelog
* Add missing returns in sync Work call when failed to establish LDAP connection as it is required for the sync functionality, flip return flow in TestPassword for admin fallback
* Updating naming and address nits
  LocalAdminUsersORM -> BasicAdminUsersORM, regenerate mocks
  Save indent in WebServer ValidateConfig when ldapauth
  Update comments and rename CreateEphemeralClient -> CreateEphemeralConnection
* Add missed go generate Application change for BasicAdminUsersORM rename
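The single-query group membership check the message describes (one search for the 'active' group, one bool per passed email, in order), as an added Go example that is not the project's code: the SearchFn signature, the groupOfUniqueNames/uniqueMember layout, the user DN shape and the stub directory contents are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// SearchFn issues one LDAP search and returns each matching entry's attributes
// (assumed shape, not the go-ldap type); production code wraps a bound connection.
type SearchFn func(baseDN, filter string, attrs []string) ([]map[string][]string, error)

const UniqueMemberAttribute = "uniqueMember"

// GroupMembership reports, one bool per input email and in input order, whether that user is
// a uniqueMember of the group named groupCN. One search covers every email, and the emails never
// enter the filter, so no per-email escaping is needed and the round trip count stays at one.
func GroupMembership(search SearchFn, groupsDN, groupCN, usersDN, emailAttr string, emails []string) ([]bool, error) {
	// RFC 4515 escaping keeps a configured CN from altering the filter structure.
	safeCN := strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`).Replace(groupCN)
	filter := fmt.Sprintf("(&(objectClass=groupOfUniqueNames)(cn=%s))", safeCN)
	entries, err := search(groupsDN, filter, []string{UniqueMemberAttribute})
	if err != nil {
		return nil, err
	}
	if len(entries) == 0 {
		return nil, fmt.Errorf("group %q not found under %s", groupCN, groupsDN)
	}
	// Index member DNs once; DNs compare case-insensitively in most directories.
	members := make(map[string]struct{})
	for _, e := range entries {
		for _, dn := range e[UniqueMemberAttribute] {
			members[strings.ToLower(dn)] = struct{}{}
		}
	}
	out := make([]bool, len(emails))
	for i, email := range emails {
		userDN := fmt.Sprintf("%s=%s,%s", emailAttr, email, usersDN)
		_, out[i] = members[strings.ToLower(userDN)]
	}
	return out, nil
}

// constructedSearch is a stub directory holding one "active" group (constructed data).
func constructedSearch(baseDN, filter string, attrs []string) ([]map[string][]string, error) {
	if !strings.Contains(filter, "(cn=active)") {
		return nil, nil // no such group: the caller turns this into an error
	}
	alice, carol := "uid=alice@example.org,ou=users,dc=example,dc=org", "uid=Carol@example.org,ou=users,dc=example,dc=org"
	return []map[string][]string{{UniqueMemberAttribute: {alice, carol}}}, nil
}
```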