kindred/silo
1
1
Fork 0
Code Issues 30 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9dabaf5796fa19683c7e28e29315a18f02bb4252
silo/internal/auth/ldap.go
Forbes 4f0107f1b2 feat(auth): add authentication, RBAC, API tokens, and default admin 
Add a complete authentication and authorization system to Silo with
three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak),
session management, API token support, and role-based access control.

Authentication backends:
- Local: bcrypt (cost 12) password verification against users table
- LDAP: FreeIPA simple bind with group-to-role mapping
- OIDC: Keycloak redirect flow with realm role mapping
- Backends are tried in order; users upserted to DB on first login

Session and token management:
- PostgreSQL-backed sessions via alexedwards/scs + pgxstore
- Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once)
- 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies

Role-based access control (admin > editor > viewer):
- RequireAuth middleware: Bearer token -> session -> redirect/401
- RequireRole middleware: per-route-group minimum role enforcement
- CSRF protection via justinas/nosurf on web forms, API exempt
- CORS locked to configured origins when auth enabled

Route restructuring:
- Public: /health, /ready, /login, /auth/oidc, /auth/callback
- Web (auth + CSRF): /, /projects, /schemas, /settings
- API read (viewer): GET /api/**
- API write (editor): POST/PUT/PATCH/DELETE /api/**

User context wiring:
- created_by/updated_by columns on items, projects, relationships
- All create/update handlers populate tracking fields from context
- CSV and BOM import handlers pass authenticated username
- Revision creation tracks user across all code paths

Default admin account:
- Configurable via auth.local.default_admin_username/password
- Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD
- Idempotent: created on first startup, skipped if exists

CLI and FreeCAD plugin:
- silo token create/list/revoke subcommands (HTTP API client)
- FreeCAD SiloClient sends Bearer token on all requests
- Token read from ApiToken preference or SILO_API_TOKEN env var

Web UI:
- Login page (Catppuccin Mocha themed, OIDC button conditional)
- Settings page with account info and API token management
- User display name, role badge, and logout button in header
- One-time token display banner with copy-to-clipboard

Database (migration 009):
- users table with role, auth_source, oidc_subject, password_hash
- api_tokens table with SHA-256 hash, prefix, expiry, scopes
- sessions table (scs pgxstore schema)
- audit_log table (schema ready for future use)
- created_by/updated_by ALTER on items, relationships, projects

New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3,
justinas/nosurf, golang.org/x/oauth2
2026-01-31 11:20:12 -06:00

108 lines
2.8 KiB
Go
Raw Blame History

package auth
import (
"context"
"crypto/tls"
"fmt"
ldapv3 "github.com/go-ldap/ldap/v3"
)
// LDAPConfig holds settings for the LDAP backend.
type LDAPConfig struct {
URL string
BaseDN string
UserSearchDN string
BindDN string
BindPassword string
UserAttr string
EmailAttr string
DisplayAttr string
GroupAttr string
RoleMapping map[string][]string // role -> list of group DNs
TLSSkipVerify bool
}
// LDAPBackend authenticates via LDAP simple bind against FreeIPA.
type LDAPBackend struct {
cfg LDAPConfig
}
// NewLDAPBackend creates an LDAP authentication backend.
func NewLDAPBackend(cfg LDAPConfig) *LDAPBackend {
return &LDAPBackend{cfg: cfg}
}
// Name returns "ldap".
func (b *LDAPBackend) Name() string { return "ldap" }
// Authenticate verifies credentials against the LDAP server.
func (b *LDAPBackend) Authenticate(_ context.Context, username, password string) (*User, error) {
if username == "" || password == "" {
return nil, fmt.Errorf("username and password required")
}
conn, err := ldapv3.DialURL(b.cfg.URL, ldapv3.DialWithTLSConfig(&tls.Config{
InsecureSkipVerify: b.cfg.TLSSkipVerify,
}))
if err != nil {
return nil, fmt.Errorf("ldap dial: %w", err)
}
defer conn.Close()
// Build user DN and bind with user credentials
userDN := fmt.Sprintf("%s=%s,%s", b.cfg.UserAttr, ldapv3.EscapeFilter(username), b.cfg.UserSearchDN)
if err := conn.Bind(userDN, password); err != nil {
return nil, fmt.Errorf("ldap bind failed: %w", err)
}
// Search for user attributes
searchReq := ldapv3.NewSearchRequest(
userDN,
ldapv3.ScopeBaseObject, ldapv3.NeverDerefAliases, 1, 10, false,
"(objectClass=*)",
[]string{b.cfg.EmailAttr, b.cfg.DisplayAttr, b.cfg.GroupAttr},
nil,
)
sr, err := conn.Search(searchReq)
if err != nil || len(sr.Entries) == 0 {
return nil, fmt.Errorf("ldap user search failed: %w", err)
}
entry := sr.Entries[0]
email := entry.GetAttributeValue(b.cfg.EmailAttr)
displayName := entry.GetAttributeValue(b.cfg.DisplayAttr)
if displayName == "" {
displayName = username
}
groups := entry.GetAttributeValues(b.cfg.GroupAttr)
role := b.resolveRole(groups)
return &User{
Username: username,
DisplayName: displayName,
Email: email,
Role: role,
AuthSource: "ldap",
}, nil
}
// resolveRole maps LDAP group memberships to a Silo role.
// Checks in priority order: admin > editor > viewer.
func (b *LDAPBackend) resolveRole(groups []string) string {
groupSet := make(map[string]struct{}, len(groups))
for _, g := range groups {
groupSet[g] = struct{}{}
}
for _, role := range []string{RoleAdmin, RoleEditor, RoleViewer} {
for _, requiredGroup := range b.cfg.RoleMapping[role] {
if _, ok := groupSet[requiredGroup]; ok {
return role
}
}
}
return RoleViewer
}
Reference in New Issue View Git Blame Copy Permalink