f6ded84f07
- When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
36 lines
1.2 KiB
Go
36 lines
1.2 KiB
Go
// Copyright 2021 the Pinniped contributors. All Rights Reserved.
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
// Package ldap contains common LDAP functionality needed by Pinniped.
|
|
package ldap
|
|
|
|
import (
|
|
"context"
|
|
|
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
|
)
|
|
|
|
// This interface is similar to the k8s token authenticator, but works with username/passwords instead
|
|
// of a single token string.
|
|
//
|
|
// The return values should be as follows.
|
|
// 1. For a successful authentication:
|
|
// - A response which includes the username, uid, and groups in the userInfo. The username and uid must not be blank.
|
|
// - true
|
|
// - nil error
|
|
// 2. For an unsuccessful authentication, e.g. bad username or password:
|
|
// - nil response
|
|
// - false
|
|
// - nil error
|
|
// 3. For an unexpected error, e.g. a network problem:
|
|
// - nil response
|
|
// - false
|
|
// - an error
|
|
// Other combinations of return values must be avoided.
|
|
//
|
|
// See k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go for the token authenticator
|
|
// interface, as well as the Response type.
|
|
type UserAuthenticator interface {
|
|
AuthenticateUser(ctx context.Context, username, password string) (*authenticator.Response, bool, error)
|
|
}
|