pinepain / ldap-auth-proxy

A simple drop-in HTTP proxy for transparent LDAP authentication which is also a HTTP auth backend.
MIT License

Added functionality to send LDAP mappings upstream #16

Closed djolly-fuze closed 3 years ago

djolly-fuze commented 4 years ago

Applications like MySQL Orchestrator have fairly primitive security but can respond differently with a username passed to it via request headers. https://github.com/github/orchestrator/blob/master/docs/security.md

When running in proxy mode, the ldap-auth-proxy needs to send the LDAP Mapped headers upstream as well, for this to work effectively.

pinepain commented 4 years ago

Hi @djolly-fuze, thank you for the contribution. I like the feature, though I think it's not always necessary to pass headers to upstream, and it could even be insecure to send one or all headers, depending on the particular use case. Do you think having upstream headers specified explicitly, like HEADERS_MAP, could do a better job?

djolly-fuze commented 4 years ago

I'm completely OK with it being a separate variable like UPSTREAM_HEADERS_MAP. My Golang skills are enough to make small changes but probably not enough to implement a new feature like this, but I can give it a shot.

pinepain commented 4 years ago

I'm not an expert either, but together we can make it a bit better.

My idea is that, based on headers, ideally we are good to populate request headers somewhere here https://github.com/pinepain/ldap-auth-proxy/blob/master/ldap_auth_proxy.go#L183, but as we don't have auth data there, we may figure out something else. I like the way you did it by extending writeAttributes(), and with separate upstream headers in mind, currently I'm thinking about creating a writeAttributes-like function for writing request headers to proxy them down. At this point I'm not sure whether it's a good idea to enforce the X- prefix for user-specified headers, as I think explicit is better than implicit (same for attributes, actually, but it goes out of scope of this PR). The UPSTREAM_HEADERS_MAP env variable could map to LDAPAuthProxy.UpstreamHeadersMap, which is like LDAPAuthProxy.HeadersMap (declared at https://github.com/pinepain/ldap-auth-proxy/blob/master/ldap_auth_proxy.go#L28 and populated at https://github.com/pinepain/ldap-auth-proxy/blob/master/ldap_auth_proxy.go#L68). The env variable itself is like HEADERS_MAP, which is declared at https://github.com/pinepain/ldap-auth-proxy/blob/master/config.go#L30. Hope it will help. Please let me know if you need any assistance.
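An added example, not code from the ldap-auth-proxy repository or from either participant, of the explicit upstream mapping sketched above: a separate `UPSTREAM_HEADERS_MAP` is parsed into a header-to-attribute map, and a Director-style hook writes only those mapped headers into the proxied request, deleting any copy the client sent first so the upstream never sees a caller-supplied identity. The `Header:attribute,Header:attribute` syntax, the `ParseHeadersMap`/`ApplyUpstreamHeaders`/`NewUpstreamProxy` names and the `lookup` callback are assumptions for this example; the real HEADERS_MAP format lives in config.go and the real auth result is held elsewhere in the proxy.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// ParseHeadersMap parses "Header:ldapAttr,Header2:ldapAttr2" into a map keyed by
// canonical header name. The syntax is an assumption for this example; it
// mirrors the idea of HEADERS_MAP but is not the project's own format.
func ParseHeadersMap(spec string) (map[string]string, error) {
	m := map[string]string{}
	for _, pair := range strings.Split(spec, ",") {
		pair = strings.TrimSpace(pair)
		if pair == "" {
			continue
		}
		parts := strings.SplitN(pair, ":", 2)
		if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" || strings.TrimSpace(parts[1]) == "" {
			return nil, fmt.Errorf("bad mapping %q, want Header:attribute", pair)
		}
		m[http.CanonicalHeaderKey(strings.TrimSpace(parts[0]))] = strings.TrimSpace(parts[1])
	}
	return m, nil
}

// ApplyUpstreamHeaders writes the explicitly mapped headers onto the request
// that will be forwarded upstream. Every mapped header is deleted first, so a
// value the client sent itself never reaches the upstream; only attributes of
// the user this proxy authenticated are set. A mapped attribute the directory
// did not return leaves the header absent rather than echoing the client's copy.
func ApplyUpstreamHeaders(h http.Header, upstreamMap map[string]string, userAttrs map[string][]string) {
	for header, attr := range upstreamMap {
		h.Del(header)
		if vals := userAttrs[attr]; len(vals) > 0 {
			h.Set(header, strings.Join(vals, ","))
		}
	}
}

// NewUpstreamProxy returns a reverse proxy whose Director applies the mapping.
// lookup is a hypothetical hook standing in for the LDAP result the proxy
// already obtained while authenticating this request; authentication itself
// (401 on failure) is assumed to happen before the request reaches the proxy,
// so the Director only strips and rewrites headers.
func NewUpstreamProxy(upstream *url.URL, upstreamMap map[string]string,
	lookup func(*http.Request) (map[string][]string, bool)) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(upstream)
	base := p.Director
	p.Director = func(r *http.Request) {
		base(r)
		attrs, ok := lookup(r)
		if !ok {
			attrs = nil // no auth data: mapped headers are still stripped, none are set
		}
		ApplyUpstreamHeaders(r.Header, upstreamMap, attrs)
	}
	return p
}

func main() {
	// Constructed sample: a client tries to set X-Forwarded-User itself.
	m, err := ParseHeadersMap("X-Forwarded-User:uid,X-Forwarded-Mail:mail")
	if err != nil {
		panic(err)
	}
	h := http.Header{}
	h.Set("X-Forwarded-User", "client-supplied")
	ApplyUpstreamHeaders(h, m, map[string][]string{"uid": {"alice"}, "mail": {"alice@example.com"}})
	fmt.Println(h) // X-Forwarded-User is now "alice", X-Forwarded-Mail is set from the directory
}
```

Keeping the upstream map separate from HEADERS_MAP means a deployment that only needs the username at the upstream (the Orchestrator case in the PR description) forwards exactly that one header, and nothing the directory returned for the response side leaks into the proxied request by default.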

pinepain commented 3 years ago

Closing due to lack of progress.