-
Notifications
You must be signed in to change notification settings - Fork 4.7k
/
identityfactory.go
112 lines (93 loc) · 3.64 KB
/
identityfactory.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
package ldaputil
import (
"fmt"
"strings"
"gopkg.in/ldap.v2"
"k8s.io/kubernetes/pkg/util/sets"
authapi "github.com/openshift/origin/pkg/auth/api"
serverapi "github.com/openshift/origin/pkg/cmd/server/api"
)
// LDAPUserIdentityFactory creates Identites for LDAP user entries.
type LDAPUserIdentityFactory interface {
IdentityFor(user *ldap.Entry) (identity authapi.UserIdentityInfo, err error)
}
// DefaultLDAPUserIdentityFactory creates Identities for LDAP user entries using an LDAPUserAttributeDefiner
type DefaultLDAPUserIdentityFactory struct {
ProviderName string
Definer LDAPUserAttributeDefiner
}
func (f *DefaultLDAPUserIdentityFactory) IdentityFor(user *ldap.Entry) (identity authapi.UserIdentityInfo, err error) {
uid := f.Definer.ID(user)
if uid == "" {
err = fmt.Errorf("Could not retrieve a non-empty value for ID attributes for dn=%q", user.DN)
return
}
id := authapi.NewDefaultUserIdentityInfo(f.ProviderName, uid)
// Add optional extra attributes if present
if name := f.Definer.Name(user); len(name) != 0 {
id.Extra[authapi.IdentityDisplayNameKey] = name
}
if email := f.Definer.Email(user); len(email) != 0 {
id.Extra[authapi.IdentityEmailKey] = email
}
if prefUser := f.Definer.PreferredUsername(user); len(prefUser) != 0 {
id.Extra[authapi.IdentityPreferredUsernameKey] = prefUser
}
identity = id
return
}
func NewLDAPUserAttributeDefiner(attributeMapping serverapi.LDAPAttributeMapping) LDAPUserAttributeDefiner {
return LDAPUserAttributeDefiner{
attributeMapping: attributeMapping,
}
}
// LDAPUserAttributeDefiner defines the values corresponding to OpenShift Identities in LDAP entries
// by using a deterministic mapping of LDAP entry attributes to OpenShift Identity fields
type LDAPUserAttributeDefiner struct {
// attributeMapping holds the attributes mapped to email, name, preferred username and ID
attributeMapping serverapi.LDAPAttributeMapping
}
// AllAttributes gets all attributes listed in the LDAPUserAttributeDefiner
func (d *LDAPUserAttributeDefiner) AllAttributes() sets.String {
attrs := sets.NewString(d.attributeMapping.Email...)
attrs.Insert(d.attributeMapping.Name...)
attrs.Insert(d.attributeMapping.PreferredUsername...)
attrs.Insert(d.attributeMapping.ID...)
return attrs
}
// Email extracts the email value from an LDAP user entry
func (d *LDAPUserAttributeDefiner) Email(user *ldap.Entry) string {
return GetAttributeValue(user, d.attributeMapping.Email)
}
// Name extracts the name value from an LDAP user entry
func (d *LDAPUserAttributeDefiner) Name(user *ldap.Entry) string {
return GetAttributeValue(user, d.attributeMapping.Name)
}
// PreferredUsername extracts the preferred username value from an LDAP user entry
func (d *LDAPUserAttributeDefiner) PreferredUsername(user *ldap.Entry) string {
return GetAttributeValue(user, d.attributeMapping.PreferredUsername)
}
// ID extracts the ID value from an LDAP user entry
func (d *LDAPUserAttributeDefiner) ID(user *ldap.Entry) string {
return GetAttributeValue(user, d.attributeMapping.ID)
}
// GetAttributeValue finds the first attribute of those given that the LDAP entry has, and
// returns it. GetAttributeValue is able to query the DN as well as Attributes of the LDAP entry.
// If no value is found, the empty string is returned.
func GetAttributeValue(entry *ldap.Entry, attributes []string) string {
for _, k := range attributes {
// Ignore empty attributes
if len(k) == 0 {
continue
}
// Special-case DN, since it's not an attribute
if strings.ToLower(k) == "dn" {
return entry.DN
}
// Otherwise get an attribute and return it if present
if v := entry.GetAttributeValue(k); len(v) > 0 {
return v
}
}
return ""
}