diff --git a/.drone-manifest.yml b/.drone-manifest.yml new file mode 100644 index 0000000..20f93dd --- /dev/null +++ b/.drone-manifest.yml @@ -0,0 +1,22 @@ +image: happydomain/checker-ldap:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}} +{{#if build.tags}} +tags: +{{#each build.tags}} + - {{this}} +{{/each}} +{{/if}} +manifests: + - image: happydomain/checker-ldap:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-amd64 + platform: + architecture: amd64 + os: linux + - image: happydomain/checker-ldap:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm64 + platform: + architecture: arm64 + os: linux + variant: v8 + - image: happydomain/checker-ldap:{{#if build.tag}}{{trimPrefix "v" build.tag}}-{{/if}}linux-arm + platform: + architecture: arm + os: linux + variant: v7 diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..b1415d2 --- /dev/null +++ b/.drone.yml @@ -0,0 +1,187 @@ +--- +kind: pipeline +type: docker +name: build-amd64 + +platform: + os: linux + arch: amd64 + +steps: + - name: checker build + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" + CGO_ENABLED: 0 + when: + event: + exclude: + - tag + + - name: checker build tag + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_SEMVER}" + CGO_ENABLED: 0 + when: + event: + - tag + + - name: publish on Docker Hub + image: plugins/docker + settings: + repo: happydomain/checker-ldap + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + exclude: + - tag + + - name: publish on Docker Hub (tag) + image: plugins/docker + settings: + repo: happydomain/checker-ldap + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_SEMVER} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + - tag + +trigger: + branch: + exclude: + - renovate/* + event: + - cron + - push + - tag + +--- +kind: pipeline +type: docker +name: build-arm64 + +platform: + os: linux + arch: arm64 + +steps: + - name: checker build + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_BRANCH}-${DRONE_COMMIT}" + CGO_ENABLED: 0 + when: + event: + exclude: + - tag + + - name: checker build tag + image: golang:1-alpine + commands: + - apk add --no-cache git make + - make + environment: + CHECKER_VERSION: "${DRONE_SEMVER}" + CGO_ENABLED: 0 + when: + event: + - tag + + - name: publish on Docker Hub + image: plugins/docker + settings: + repo: happydomain/checker-ldap + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_BRANCH}-${DRONE_COMMIT} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + exclude: + - tag + + - name: publish on Docker Hub (tag) + image: plugins/docker + settings: + repo: happydomain/checker-ldap + auto_tag: true + auto_tag_suffix: ${DRONE_STAGE_OS}-${DRONE_STAGE_ARCH} + dockerfile: Dockerfile + build_args: + - CHECKER_VERSION=${DRONE_SEMVER} + username: + from_secret: docker_username + password: + from_secret: docker_password + when: + event: + - tag + +trigger: + event: + - cron + - push + - tag + +--- +kind: pipeline +name: docker-manifest + +platform: + os: linux + arch: arm64 + +steps: + - name: publish on Docker Hub + image: plugins/manifest + settings: + auto_tag: true + ignore_missing: true + spec: .drone-manifest.yml + username: + from_secret: docker_username + password: + from_secret: docker_password + +trigger: + branch: + exclude: + - renovate/* + event: + - cron + - push + - tag + +depends_on: + - build-amd64 + - build-arm64 diff --git a/README.md b/README.md index ff42106..1b66b14 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,26 @@ For each of `_ldap._tcp` (with fallback to port 389) and `_ldaps._tcp` | `bind_password` | no | Secret. Bound only after TLS is established; never sent over cleartext. | | `base_dn` | no | Base DN to test read access against. Requires a successful authenticated bind. | +## Rules + +| Code | Description | Severity | +|---------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------| +| `ldap.has_srv` | Verifies that _ldap._tcp / _ldaps._tcp SRV records are published and resolvable. | WARNING | +| `ldap.endpoint_reachable` | Verifies that every discovered LDAP endpoint accepts a TCP connection. | CRITICAL | +| `ldap.has_encrypted_transport` | Verifies that at least one reachable endpoint offers an encrypted channel (LDAPS or StartTLS). | CRITICAL | +| `ldap.starttls_supported` | Verifies that StartTLS is offered and succeeds on every reachable plain LDAP endpoint. | CRITICAL | +| `ldap.ldaps_handshake` | Verifies that the direct TLS handshake succeeds on every LDAPS endpoint. | CRITICAL | +| `ldap.starttls_on_ldaps` | Flags servers that needlessly advertise StartTLS on the implicit-TLS LDAPS port. | INFO | +| `ldap.ipv6_reachable` | Verifies at least one endpoint is reachable over IPv6. | INFO | +| `ldap.refuses_plain_bind` | Verifies the directory refuses authentication attempts over a cleartext channel. | CRITICAL | +| `ldap.anonymous_search_blocked` | Flags directories that allow anonymous search of the naming context (information disclosure). | WARNING | +| `ldap.rootdse_readable` | Verifies the RootDSE is readable over TLS and advertises naming contexts. | WARNING | +| `ldap.sasl_mechanisms` | Reviews the supportedSASLMechanisms posture (presence of strong mechanisms, absence of password-equivalent ones). | WARNING | +| `ldap.protocol_version` | Flags servers that still advertise the deprecated LDAPv2 protocol. | WARNING | +| `ldap.bind_credentials` | Verifies the supplied bind credentials are accepted by the directory (only runs when bind_dn is set). | CRITICAL | +| `ldap.base_dn_read` | Verifies the bound account can read the supplied base DN (only runs when base_dn is set and bind succeeded). | CRITICAL | +| `ldap.tls_quality` | Folds the downstream TLS checker findings (certificate chain, hostname match, expiry) onto the LDAP service. | CRITICAL | + ## License MIT (see `LICENSE` and `NOTICE`).