reverting changes made in 24ba9dc since dynamic group search might induce too much stress on the ldap server and there is a reset command for the client to remove its cached token

Author: vbouchaud

ldap/ldap.go

@@ -61,20 +61,7 @@ func NewInstance(
 	return s
 }
 
-func (s *Ldap) Authenticate(dn, password string) error {
-	l, err := ldap.DialURL(s.ldapURL)
-	if err != nil {
-		return err
-	}
-
-	defer l.Close()
-
-	// Bind as the user to verify their password
-	err = l.Bind(dn, password)
-	return err
-}
-
-func (s *Ldap) Search(username string) (*auth.UserInfo, error) {
+func (s *Ldap) Search(username, password string) (*auth.UserInfo, error) {
 	l, err := ldap.DialURL(s.ldapURL)
 	if err != nil {
 		return nil, err
@@ -114,6 +101,12 @@ func (s *Ldap) Search(username string) (*auth.UserInfo, error) {
 		return nil, fmt.Errorf("Too many entries returned")
 	}
 
+	// Bind as the user to verify their password
+	err = l.Bind(result.Entries[0].DN, password)
+	if err != nil {
+		return nil, err
+	}
+
 	var extra map[string]auth.ExtraValue
 
 	for _, item := range s.extraAttributes {

server/server.go

@@ -98,21 +98,20 @@ func (s *Instance) authenticate() http.HandlerFunc {
 		}
 
 		log.Debug().Str("username", credentials.Username).Msg("Received valid authentication request.")
-		user, err := s.l.Search(credentials.Username)
+		user, err := s.l.Search(credentials.Username, credentials.Password)
 		if err != nil {
 			writeExecCredentialError(res, ErrUnauthorized)
 			return
 		}
 
-		err = s.l.Authenticate(credentials.Username, credentials.Password)
+		log.Debug().Str("username", credentials.Username).Msg("Successfully authenticated.")
+
+		token, err := types.NewToken(user, s.ttl)
 		if err != nil {
-			writeExecCredentialError(res, ErrUnauthorized)
+			writeExecCredentialError(res, ErrServerError)
 			return
 		}
 
-		log.Debug().Str("username", credentials.Username).Msg("Successfully authenticated.")
-
-		token := types.NewToken([]byte(user.UID), s.ttl)
 		tokenData, err := token.Payload(s.k)
 		if err != nil {
 			writeExecCredentialError(res, ErrServerError)
@@ -189,17 +188,9 @@ func (s *Instance) validate() http.HandlerFunc {
 			log.Debug().Msg("TokenReview is not valid.")
 			tr.Status.Authenticated = false
 		} else {
-			username, err := token.GetUsername()
-			if err != nil {
-				log.Debug().Str("error", err.Error()).Msg("Could not extract username.")
-
-				writeTokenReviewError(res, ErrServerError, tr)
-				return
-			}
-
-			user, err := s.l.Search(username)
+			user, err := token.GetUser()
 			if err != nil {
-				log.Debug().Str("error", err.Error()).Msg("Could not get a user from username.")
+				log.Debug().Str("error", err.Error()).Msg("Could not extract user.")
 
 				writeTokenReviewError(res, ErrServerError, tr)
 				return

types/token.go

@@ -3,31 +3,39 @@ package types
 import (
 	"crypto/rsa"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"time"
 
 	"github.com/lestrrat-go/jwx/jwa"
 	"github.com/lestrrat-go/jwx/jwt"
 	"github.com/rs/zerolog/log"
+
+	auth "k8s.io/api/authentication/v1"
 )
 
 type Token struct {
 	token jwt.Token
 }
 
-func NewToken(data []byte, ttl int64) *Token {
+func NewToken(user *auth.UserInfo, ttl int64) (*Token, error) {
 	now := time.Now()
 
+	data, err := json.Marshal(user)
+	if err != nil {
+		return nil, err
+	}
+
 	t := jwt.New()
 	t.Set(jwt.IssuedAtKey, now.Unix())
 	t.Set(jwt.ExpirationKey, now.Add(time.Duration(ttl)*time.Second).Unix())
-	t.Set("username", data)
+	t.Set("user", data)
 
 	token := &Token{
 		token: t,
 	}
 
-	return token
+	return token, nil
 }
 
 func Parse(payload []byte, key *rsa.PrivateKey) (*Token, error) {
@@ -48,19 +56,26 @@ func Parse(payload []byte, key *rsa.PrivateKey) (*Token, error) {
 	return token, nil
 }
 
-func (t *Token) GetUsername() (string, error) {
-	if v, ok := t.token.Get("username"); ok {
+func (t *Token) GetUser() (*auth.UserInfo, error) {
+	if v, ok := t.token.Get("user"); ok {
+		var user auth.UserInfo
+
 		log.Debug().Str("data", fmt.Sprintf("%v", v)).Msg("Got user data.")
 
 		data, err := base64.StdEncoding.WithPadding(base64.NoPadding).DecodeString(fmt.Sprintf("%v", v))
 		if err != nil {
-			return "", err
+			return nil, err
+		}
+
+		err = json.Unmarshal(data, &user)
+		if err != nil {
+			return nil, err
 		}
 
-		return string(data), nil
+		return &user, nil
 	}
 
-	return "", fmt.Errorf("Could not get username attribute of jwt token")
+	return nil, fmt.Errorf("Could not get user attribute of jwt token")
 }
 
 func (t *Token) IsValid() bool {