Simple LDAP plugin

Author: everesio

Gopkg.lock

@@ -74,5 +74,8 @@ protoc.auth:
 plugin.auth-user:
 	CGO_ENABLED=0 go build -o build/auth-user $(BUILD_FLAGS) -ldflags "$(LDFLAGS)" cmd/plugin-auth-user/main.go
 
+plugin.auth-ldap:
+	CGO_ENABLED=0 go build -o build/auth-ldap $(BUILD_FLAGS) -ldflags "$(LDFLAGS)" cmd/plugin-auth-ldap/main.go
+
 clean:
 	@rm -rf build

Makefile

@@ -14,7 +14,7 @@ responses received from the brokers are replaced by local counterparts.
 For discovered brokers (not configured as the boostrap servers), local listeners are started on random ports.
 The dynamic local listeners feature can be disabled and an additional list of external server mappings can be provided.
 
-The Proxy can terminate TLS traffic and authenticate users locally using SASL/PLAIN. The credentials verification method
+The Proxy can terminate TLS traffic and authenticate users using SASL/PLAIN. The credentials verification method
 is configurable and uses golang plugin system over RPC.
 
 Kafka API calls can be restricted to prevent some operations e.g. topic deletion.
@@ -34,20 +34,19 @@ See:
 
 	build/kafka-proxy server --bootstrap-server-mapping "192.168.99.100:32400,127.0.0.1:32400" \
 	                         --bootstrap-server-mapping "192.168.99.100:32401,127.0.0.1:32401" \
-	                         --bootstrap-server-mapping "192.168.99.100:32402,127.0.0.1:32402"
+	                         --bootstrap-server-mapping "192.168.99.100:32402,127.0.0.1:32402" \
+	                         --dynamic-listeners-disable
+
+	build/kafka-proxy server --bootstrap-server-mapping "192.168.99.100:32400,127.0.0.1:32400" \
+	                         --external-server-mapping "192.168.99.100:32401,127.0.0.1:32402" \
+	                         --external-server-mapping "192.168.99.100:32402,127.0.0.1:32403" \
+	                         --forbidden-api-keys 20
 
     build/kafka-proxy server --bootstrap-server-mapping "kafka-0.grepplabs.com:9093,0.0.0.0:32399" \
                              --tls-enable --tls-insecure-skip-verify \
                              --sasl-enable -sasl-username myuser --sasl-password mysecret
 
-    make clean build plugin.auth-user && build/kafka-proxy server \
-                             --proxy-listener-auth-enable \
-                             --proxy-listener-auth-command build/auth-user \
-                             --proxy-listener-auth-param "--username=my-test-user" \
-                             --proxy-listener-auth-param "--password=my-test-password" \
-                             --dynamic-listeners-disable \
-                             --forbidden-api-keys 20 \
-                             --bootstrap-server-mapping "192.168.99.100:32400,127.0.0.1:32401"
+### Proxy authentication example
 
     make clean build plugin.auth-user && build/kafka-proxy server --proxy-listener-key-file "server-key.pem"  \
                              --proxy-listener-cert-file "server-cert.pem" \
@@ -56,12 +55,16 @@ See:
                              --proxy-listener-auth-enable \
                              --proxy-listener-auth-command build/auth-user \
                              --proxy-listener-auth-param "--username=my-test-user" \
-                             --proxy-listener-auth-param "--password=my-test-password" \                             
-                             --dynamic-listeners-disable \
-                             --forbidden-api-keys 20 \
-                             --bootstrap-server-mapping "192.168.99.100:32400,127.0.0.1:32401" \
-                             --external-server-mapping "192.168.99.100:32401,127.0.0.1:32402" \
-                             --external-server-mapping "192.168.99.100:32402,127.0.0.1:32403"
+                             --proxy-listener-auth-param "--password=my-test-password"
+
+    make clean build plugin.auth-ldap && build/kafka-proxy server \
+                             --proxy-listener-auth-enable \
+                             --proxy-listener-auth-command build/auth-ldap \
+                             --proxy-listener-auth-param "--url=ldaps://ldap.example.com:636" \
+                             --proxy-listener-auth-param "--user-dn=cn=users,dc=exemple,dc=com" \
+                             --proxy-listener-auth-param "--user-attr=uid" \
+                             --bootstrap-server-mapping "192.168.99.100:32400,127.0.0.1:32400"
+
 
 ### What should be done
 
@@ -77,7 +80,7 @@ See:
   3. counter: proxy_connections_total {broker}
   4. counter: proxy_requests_bytes {broker}
   5. counter: proxy_responses_bytes {broker}
-* [X] Pluggable local authentication
+* [X] Pluggable proxy authentication
 * [ ] Deploying Kafka Proxy as a sidecar container
 * [ ] Performance tests and tuning
 * [ ] Socket buffer sizing e.g. SO_RCVBUF = 32768, SO_SNDBUF = 131072

README.md

@@ -78,7 +78,7 @@ func init() {
 	// authentication plugin
 	Server.Flags().BoolVar(&c.Proxy.Auth.Enable, "proxy-listener-auth-enable", false, "Enable SASL/PLAIN listener authentication")
 	Server.Flags().StringVar(&c.Proxy.Auth.Command, "proxy-listener-auth-command", "", "Path to authentication plugin binary")
-	Server.Flags().StringSliceVar(&c.Proxy.Auth.Parameters, "proxy-listener-auth-param", []string{}, "Authentication plugin parameter")
+	Server.Flags().StringArrayVar(&c.Proxy.Auth.Parameters, "proxy-listener-auth-param", []string{}, "Authentication plugin parameter")
 	Server.Flags().StringVar(&c.Proxy.Auth.LogLevel, "proxy-listener-auth-log-level", "trace", "Log level of the auth plugin")
 
 	// kafka

cmd/kafka-proxy/server.go

@@ -0,0 +1,210 @@
+package main
+
+import (
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"github.com/grepplabs/kafka-proxy/plugin/auth/shared"
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-plugin"
+	"github.com/sirupsen/logrus"
+	"gopkg.in/ldap.v2"
+	"net"
+	"net/url"
+	"os"
+	"strings"
+)
+
+//TODO: connection pooling, credential caching (TTL, max number of entries), negative caching
+type LdapAuthenticator struct {
+	Urls      []string
+	StartTLS  bool
+	UPNDomain string
+	UserDN    string
+	UserAttr  string
+}
+
+func (pa LdapAuthenticator) Authenticate(username, password string) (bool, int32, error) {
+	// logrus.Printf("Authenticate request for %s:%s,expected %s:%s ", username, password, pa.username, pa.password)
+	l, err := pa.DialLDAP()
+	if err != nil {
+		logrus.Errorf("user %s ldap dial error %v", username, err)
+		return false, 1, nil
+	}
+	defer l.Close()
+
+	err = l.Bind(pa.getUserBindDN(username), password)
+	if err != nil {
+		if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
+			logrus.Errorf("user %s credentials are invalid", username)
+			return false, 0, nil
+		}
+		logrus.Errorf("user %s ldap bind error %v", username, err)
+		return false, 2, nil
+	}
+	return true, 0, nil
+}
+
+func (pa LdapAuthenticator) getUserBindDN(username string) string {
+
+	if pa.UPNDomain != "" {
+		return fmt.Sprintf("%s@%s", escapeLDAPValue(username), pa.UPNDomain)
+	}
+	return fmt.Sprintf("%s=%s,%s", pa.UserAttr, escapeLDAPValue(username), pa.UserDN)
+}
+
+func escapeLDAPValue(input string) string {
+	// RFC4514 forbids un-escaped:
+	// - leading space or hash
+	// - trailing space
+	// - special characters '"', '+', ',', ';', '<', '>', '\\'
+	// - null
+	for i := 0; i < len(input); i++ {
+		escaped := false
+		if input[i] == '\\' {
+			i++
+			escaped = true
+		}
+		switch input[i] {
+		case '"', '+', ',', ';', '<', '>', '\\':
+			if !escaped {
+				input = input[0:i] + "\\" + input[i:]
+				i++
+			}
+			continue
+		}
+		if escaped {
+			input = input[0:i] + "\\" + input[i:]
+			i++
+		}
+	}
+	if input[0] == ' ' || input[0] == '#' {
+		input = "\\" + input
+	}
+	if input[len(input)-1] == ' ' {
+		input = input[0:len(input)-1] + "\\ "
+	}
+	return input
+}
+func (pa LdapAuthenticator) DialLDAP() (*ldap.Conn, error) {
+	var retErr *multierror.Error
+	var conn *ldap.Conn
+	for _, uut := range pa.Urls {
+		u, err := url.Parse(uut)
+		if err != nil {
+			retErr = multierror.Append(retErr, fmt.Errorf("error parsing url %q: %s", uut, err.Error()))
+			continue
+		}
+		host, port, err := net.SplitHostPort(u.Host)
+		if err != nil {
+			host = u.Host
+		}
+		switch u.Scheme {
+		case "ldap":
+			if port == "" {
+				port = "389"
+			}
+			conn, err = ldap.Dial("tcp", net.JoinHostPort(host, port))
+			if err != nil {
+				break
+			}
+			if conn == nil {
+				err = fmt.Errorf("empty connection after dialing")
+				break
+			}
+			if pa.StartTLS {
+				err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true})
+			}
+		case "ldaps":
+			if port == "" {
+				port = "636"
+			}
+			conn, err = ldap.DialTLS("tcp", net.JoinHostPort(host, port), &tls.Config{InsecureSkipVerify: true})
+		default:
+			retErr = multierror.Append(retErr, fmt.Errorf("invalid LDAP scheme in url %q", net.JoinHostPort(host, port)))
+			continue
+		}
+		if err == nil {
+			retErr = nil
+			break
+		}
+		retErr = multierror.Append(retErr, fmt.Errorf("error connecting to host %q: %s", uut, err.Error()))
+	}
+	return conn, retErr.ErrorOrNil()
+}
+
+type pluginMeta struct {
+	url       string
+	startTLS  bool
+	upnDomain string
+	userDN    string
+	userAttr  string
+}
+
+func (f *pluginMeta) flagSet() *flag.FlagSet {
+	fs := flag.NewFlagSet("auth plugin settings", flag.ContinueOnError)
+
+	fs.StringVar(&f.url, "url", "", "LDAP URL to connect to (eg: ldaps://127.0.0.1:636). Multiple URLs can be specified by concatenating them with commas.")
+	fs.BoolVar(&f.startTLS, "start-tls", true, "Issue a StartTLS command after establishing unencrypted connection (optional)")
+	fs.StringVar(&f.upnDomain, "upn-domain", "", "Enables userPrincipalDomain login with [username]@UPNDomain (optional)")
+	fs.StringVar(&f.userDN, "user-dn", "", "LDAP domain to use for users (eg: cn=users,dc=example,dc=org)")
+	fs.StringVar(&f.userAttr, "user-attr", "uid", " Attribute used for users")
+	return fs
+}
+
+func (f *pluginMeta) getUrls() ([]string, error) {
+	result := make([]string, 0)
+	urls := strings.Split(f.url, ",")
+	for _, uut := range urls {
+		u, err := url.Parse(uut)
+		if err != nil {
+			return nil, err
+		}
+		host, port, err := net.SplitHostPort(u.Host)
+		if err != nil {
+			host = u.Host
+		}
+		switch u.Scheme {
+		case "ldap", "ldaps":
+			result = append(result, uut)
+		default:
+			return nil, fmt.Errorf("invalid LDAP scheme in url %q", net.JoinHostPort(host, port))
+		}
+	}
+	if len(result) == 0 {
+		return nil, fmt.Errorf("empty LDAP url list")
+	}
+	return result, nil
+}
+
+func main() {
+
+	pluginMeta := &pluginMeta{}
+	flags := pluginMeta.flagSet()
+	flags.Parse(os.Args[1:])
+
+	urls, err := pluginMeta.getUrls()
+	if err != nil {
+		logrus.Error(err)
+		os.Exit(1)
+	}
+	if pluginMeta.upnDomain == "" && (pluginMeta.userDN == "" || pluginMeta.userAttr == "") {
+		logrus.Errorf("parameters user-dn and user-attr are required")
+		os.Exit(1)
+	}
+
+	plugin.Serve(&plugin.ServeConfig{
+		HandshakeConfig: shared.Handshake,
+		Plugins: map[string]plugin.Plugin{
+			"passwordAuthenticator": &shared.PasswordAuthenticatorPlugin{Impl: &LdapAuthenticator{
+				Urls:      urls,
+				StartTLS:  pluginMeta.startTLS,
+				UPNDomain: pluginMeta.upnDomain,
+				UserDN:    pluginMeta.userDN,
+				UserAttr:  pluginMeta.userAttr,
+			}},
+		},
+		// A non-nil value here enables gRPC serving for this plugin...
+		GRPCServer: plugin.DefaultGRPCServer,
+	})
+}