Skip to content
This repository has been archived by the owner on Jan 27, 2021. It is now read-only.

Change default settings to be able to run ocis server without any con… #12

Merged
merged 2 commits into from
Mar 18, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions changelog/unreleased/default-settings.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Enhancement: Improve default settings

This helps achieve zero-config in single-binary.

https://github.com/owncloud/ocis-glauth/pull/12
5 changes: 5 additions & 0 deletions changelog/unreleased/generate-dev-certs.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Enhancement: Generate temporary ldap certificates if LDAPS is enabled

This change helps to achieve zero-configuration in single-binary mode.

https://github.com/owncloud/ocis-glauth/pull/12
6 changes: 6 additions & 0 deletions changelog/unreleased/tls-endpoint.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
Enhancement: Provide additional tls-endpoint

ocis-glauth is now able to concurrently serve a encrypted and an unencrypted ldap-port. Please note that only
SSL (no StarTLS) is supported at the moment.

https://github.com/owncloud/ocis-glauth/pull/12
28 changes: 28 additions & 0 deletions pkg/command/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package command

import (
"context"
"github.com/owncloud/ocis-glauth/pkg/crypto"
"os"
"os/signal"
"strings"
Expand Down Expand Up @@ -245,6 +246,14 @@ func Server(cfg *config.Config) *cli.Command {
},
},
}

if cfg.LDAPS.Enabled {
// GenCert has side effects as it writes 2 files to the binary running location
if err := crypto.GenCert("ldap.crt", "ldap.key", logger); err != nil {
logger.Fatal().Err(err).Msgf("Could not generate test-certificate")
}
}

server, err := glauth.NewServer(
glauth.Logger(log),
glauth.Config(&cfg),
Expand All @@ -267,6 +276,7 @@ func Server(cfg *config.Config) *cli.Command {
case err <- server.ListenAndServe():
return <-err
}

}, func(_ error) {
logger.Info().
Str("transport", "ldap").
Expand All @@ -276,6 +286,24 @@ func Server(cfg *config.Config) *cli.Command {
cancel()
})

gr.Add(func() error {
err := make(chan error)
select {
case <-ctx.Done():
return nil
case err <- server.ListenAndServeTLS():
return <-err
}

}, func(_ error) {
logger.Info().
Str("transport", "ldaps").
Msg("Shutting down server")

server.Shutdown()
cancel()
})

}

{
Expand Down
123 changes: 123 additions & 0 deletions pkg/crypto/gencert.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
package crypto

import (
"crypto/ecdsa"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"net"
"os"
"time"

"github.com/owncloud/ocis-pkg/v2/log"
)

func publicKey(priv interface{}) interface{} {
switch k := priv.(type) {
case *rsa.PrivateKey:
return &k.PublicKey
case *ecdsa.PrivateKey:
return &k.PublicKey
default:
return nil
}
}

func pemBlockForKey(priv interface{}, l log.Logger) *pem.Block {
switch k := priv.(type) {
case *rsa.PrivateKey:
return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}
case *ecdsa.PrivateKey:
b, err := x509.MarshalECPrivateKey(k)
if err != nil {
l.Fatal().Err(err).Msg("Unable to marshal ECDSA private key")
}
return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
default:
return nil
}
}

// GenCert generates TLS-Certificates
func GenCert(certName string, keyName string, l log.Logger) error {
var priv interface{}
var err error

priv, err = rsa.GenerateKey(rand.Reader, 2048)

if err != nil {
l.Fatal().Err(err).Msg("Failed to generate private key")
}

notBefore := time.Now()
notAfter := notBefore.Add(24 * time.Hour * 365)

serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
l.Fatal().Err(err).Msg("Failed to generate serial number")
}

template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Acme Corp"},
CommonName: "OCIS",
},
NotBefore: notBefore,
NotAfter: notAfter,

KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}

hosts := []string{"127.0.0.1", "localhost"}
for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, h)
}
}

//template.IsCA = true
//template.KeyUsage |= x509.KeyUsageCertSign

derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
if err != nil {
l.Fatal().Err(err).Msg("Failed to create certificate")
}

certOut, err := os.Create(certName)
if err != nil {
l.Fatal().Err(err).Msgf("Failed to open %v for writing", certName)
}
err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
if err != nil {
l.Fatal().Err(err).Msg("Failed to encode certificate")
}
err = certOut.Close()
if err != nil {
l.Fatal().Err(err).Msg("Failed to write cert")
}
l.Info().Msg("Written server.crt")

keyOut, err := os.OpenFile(keyName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
l.Fatal().Err(err).Msgf("Failed to open %v for writing", keyName)
}
err = pem.Encode(keyOut, pemBlockForKey(priv, l))
if err != nil {
l.Fatal().Err(err).Msg("Failed to encode key")
}
err = keyOut.Close()
if err != nil {
l.Fatal().Err(err).Msg("Failed to write key")
}
l.Info().Msgf("Written %v", keyName)
return nil
}
6 changes: 3 additions & 3 deletions pkg/flagset/flagset.go
Original file line number Diff line number Diff line change
Expand Up @@ -140,21 +140,21 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
},
&cli.BoolFlag{
Name: "ldaps-enabled",
Value: false,
Value: true,
Usage: "Enable ldap server",
EnvVars: []string{"GLAUTH_LDAPS_ENABLED"},
Destination: &cfg.Ldaps.Enabled,
},
&cli.StringFlag{
Name: "ldaps-cert",
Value: "certs/server.crt",
Value: "./ldap.crt",
Usage: "path to ldaps certificate in PEM format",
EnvVars: []string{"GLAUTH_LDAPS_CERT"},
Destination: &cfg.Ldaps.Cert,
},
&cli.StringFlag{
Name: "ldaps-key",
Value: "certs/server.key",
Value: "./ldap.key",
Usage: "path to ldaps key in PEM format",
EnvVars: []string{"GLAUTH_LDAPS_KEY"},
Destination: &cfg.Ldaps.Key,
Expand Down