coredns-ldap/setup.go
2020-06-10 03:03:59 -05:00

242 lines
5.3 KiB
Go

package ldap
import (
"fmt"
"strconv"
"sync"
"time"
"github.com/coredns/coredns/core/dnsserver"
"github.com/coredns/coredns/plugin"
"github.com/coredns/coredns/plugin/metrics"
clog "github.com/coredns/coredns/plugin/pkg/log"
"github.com/coredns/coredns/plugin/pkg/upstream"
"github.com/caddyserver/caddy"
)
const pluginName = "ldap"
// Define log to be a logger with the plugin name in it.
// nolint: gochecknoglobals
var log = clog.NewWithPlugin(pluginName)
// init registers this plugin.
// nolint: gochecknoinits
func init() { plugin.Register(pluginName, setup) }
// setup is the function that gets called when the config parser see the token "ldap". Setup is responsible
// for parsing any extra options the ldap plugin may have. The first token this function sees is "ldap".
func setup(c *caddy.Controller) error {
// parse corefile config
l, err := ldapParse(c)
if err != nil {
return plugin.Error(pluginName, err)
}
err = l.InitClient()
if err != nil {
return plugin.Error(pluginName, err)
}
// add prometheus metrics on startup
c.OnStartup(func() error {
// add plugin-global metric once
once.Do(func() {
metrics.MustRegister(c, requestCount)
})
return nil
})
// Add the Plugin to CoreDNS, so Servers can use it in their plugin chain.
dnsserver.GetConfig(c).AddPlugin(func(next plugin.Handler) plugin.Handler {
l.Next = next
return l
})
return nil
}
// nolint: gochecknoglobals
var once sync.Once
func ldapParse(c *caddy.Controller) (*Ldap, error) {
var (
ldap *Ldap
err error
)
i := 0
for c.Next() {
if i > 0 {
return nil, plugin.ErrOnce
}
i++
ldap, err = ParseStanza(c)
if err != nil {
return ldap, err
}
}
return ldap, nil
}
// ParseStanza parses a ldap stanza.
// nolint: funlen, gocognit, gocyclo
func ParseStanza(c *caddy.Controller) (*Ldap, error) {
zoneNames := c.RemainingArgs()
if len(zoneNames) != 0 {
for i := 0; i < len(zoneNames); i++ {
zoneNames[i] = plugin.Host(zoneNames[i]).Normalize()
}
} else {
zoneNames = make([]string, len(c.ServerBlockKeys))
for i := 0; i < len(zoneNames); i++ {
zoneNames[i] = plugin.Host(c.ServerBlockKeys[i]).Normalize()
}
}
ldap := New(zoneNames)
ldap.Upstream = upstream.New()
for c.NextBlock() {
switch c.Val() {
// RFC 4516 URL
case "ldap_url":
if !c.NextArg() {
return nil, c.ArgErr()
}
ldap.ldapURL = c.Val()
case "paging_limit":
if !c.NextArg() {
return nil, c.ArgErr()
}
pagingLimit, err := strconv.ParseUint(c.Val(), 10, 0)
if err != nil {
return nil, c.Errf("paging_limit: %w", err)
}
ldap.pagingLimit = uint32(pagingLimit)
case "base_dn":
if !c.NextArg() {
return nil, c.ArgErr()
}
ldap.searchRequest.BaseDN = c.Val() // ou=ae-dir
case "filter":
if !c.NextArg() {
return nil, c.ArgErr()
}
ldap.searchRequest.Filter = c.Val() // (objectClass=aeNwDevice)
case "attributes":
c.Next()
for c.NextBlock() {
switch c.Val() {
case "fqdn":
if !c.NextArg() {
return nil, c.ArgErr()
}
ldap.searchRequest.Attributes = append(ldap.searchRequest.Attributes, c.Val())
ldap.fqdnAttr = c.Val() // aeFqdn
case "ip4":
if !c.NextArg() {
return nil, c.ArgErr()
}
ldap.searchRequest.Attributes = append(ldap.searchRequest.Attributes, c.Val())
ldap.ip4Attr = c.Val() // ipHostNumber
default:
return nil, c.Errf("unknown attributes property '%s'", c.Val())
}
}
continue
case "username":
if !c.NextArg() {
return nil, c.ArgErr()
}
ldap.username = c.Val()
case "password":
if !c.NextArg() {
return nil, c.ArgErr()
}
ldap.password = c.Val()
case "sasl":
ldap.sasl = true
case "ttl":
if !c.NextArg() {
return nil, c.ArgErr()
}
ttl, err := time.ParseDuration(c.Val())
if err != nil {
return nil, c.Errf("ttl: %w", err)
}
ldap.ttl = ttl
case "sync_interval":
if !c.NextArg() {
return nil, c.ArgErr()
}
syncInterval, err := time.ParseDuration(c.Val())
if err != nil {
return nil, c.Errf("sync_interval: %w", err)
}
ldap.syncInterval = syncInterval
case "fallthrough":
ldap.Fall.SetZonesFromArgs(c.RemainingArgs())
default:
return nil, c.Errf("unknown property '%s'", c.Val())
}
}
// validate non-default ldap values ...
if ldap.ldapURL == "" {
return nil, c.Err("ldap_url cannot be empty")
}
if ldap.searchRequest.BaseDN == "" {
return nil, c.Err("base_dn cannot be empty")
}
if ldap.searchRequest.Filter == "" {
return nil, c.Err("filter cannot be empty")
}
if ldap.fqdnAttr == "" {
return nil, c.Err("fqdn attribute cannot be empty")
}
if ldap.ip4Attr == "" {
return nil, c.Err("ip4 attribute cannot be empty")
}
// if only one of password and username set
if (ldap.username == "") != (ldap.password == "") {
return nil, c.Err("if not using sasl, both, username and password must be set")
}
// if both username/password and sasl are set
if ldap.username != "" && ldap.sasl {
fmt.Printf("666 %#v\t%#v", ldap.username, ldap.sasl)
return nil, c.Err("cannot use sasl and username based authentication at the same time")
}
// if neither username/password nor sasl are set
if ldap.username == "" && !ldap.sasl {
return nil, c.Err("authenticate either via username/pwassword or sasl")
}
return ldap, nil
}