Compare commits
3 commits
61a94cbf1c
...
deba20f503
| Author | SHA1 | Date | |
|---|---|---|---|
| deba20f503 | |||
| fe4b3cf671 | |||
| ad16084d47 |
2 changed files with 39 additions and 36 deletions
12
README.md
12
README.md
|
|
@ -37,7 +37,7 @@ chldapasswd [flags] generate-lost-password-link <uid>
|
||||||
| `-bind` | `127.0.0.1:8080` | Listen address |
|
| `-bind` | `127.0.0.1:8080` | Listen address |
|
||||||
| `-baseurl` | `/` | URL prefix (for reverse-proxy subpath deployment) |
|
| `-baseurl` | `/` | URL prefix (for reverse-proxy subpath deployment) |
|
||||||
| `-config` | _(none)_ | Path to a JSON config file for LDAP settings |
|
| `-config` | _(none)_ | Path to a JSON config file for LDAP settings |
|
||||||
| `-public-url` | _(none)_ | Base URL used in password reset emails |
|
| `-public-url` | `https://ldap.nemunai.re` | Base URL used in password reset emails |
|
||||||
| `-brand-name` | `chldapasswd` | Brand name shown in the UI |
|
| `-brand-name` | `chldapasswd` | Brand name shown in the UI |
|
||||||
| `-brand-logo` | _(none)_ | URL of a logo image shown in the UI |
|
| `-brand-logo` | _(none)_ | URL of a logo image shown in the UI |
|
||||||
| `-addy-api-secret` | _(none)_ | HMAC secret for the alias API |
|
| `-addy-api-secret` | _(none)_ | HMAC secret for the alias API |
|
||||||
|
|
@ -76,7 +76,7 @@ The `-config` flag accepts a JSON file whose fields map directly to the `LDAP` s
|
||||||
|
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"Host": "auth.example.com",
|
"Host": "ldap.example.com",
|
||||||
"Port": 636,
|
"Port": 636,
|
||||||
"Ssl": true,
|
"Ssl": true,
|
||||||
"BaseDN": "dc=example,dc=com",
|
"BaseDN": "dc=example,dc=com",
|
||||||
|
|
@ -109,13 +109,13 @@ The alias API is compatible with the addy.io API format. Tokens are HMAC-SHA224
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
# Create alias
|
# Create alias
|
||||||
curl -X POST https://auth.example.com/api/v1/aliases \
|
curl -X POST https://ldap.example.com/api/v1/aliases \
|
||||||
-H "Authorization: Bearer <token>" \
|
-H "Authorization: Bearer <token>" \
|
||||||
-H "Content-Type: application/json" \
|
-H "Content-Type: application/json" \
|
||||||
-d '{"domain": "example.com"}'
|
-d '{"domain": "example.com"}'
|
||||||
|
|
||||||
# Delete alias
|
# Delete alias
|
||||||
curl -X DELETE https://auth.example.com/api/v1/aliases/abc123%40example.com \
|
curl -X DELETE https://ldap.example.com/api/v1/aliases/abc123%40example.com \
|
||||||
-H "Authorization: Bearer <token>"
|
-H "Authorization: Bearer <token>"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
@ -133,7 +133,7 @@ The `dextpl/` directory contains a matching theme for [Dex](https://dexidp.io/)
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
docker run -d \
|
docker run -d \
|
||||||
-e LDAP_HOST=auth.example.com \
|
-e LDAP_HOST=ldap.example.com \
|
||||||
-e LDAP_PORT=636 \
|
-e LDAP_PORT=636 \
|
||||||
-e LDAP_SSL=true \
|
-e LDAP_SSL=true \
|
||||||
-e LDAP_BASEDN=dc=example,dc=com \
|
-e LDAP_BASEDN=dc=example,dc=com \
|
||||||
|
|
@ -142,7 +142,7 @@ docker run -d \
|
||||||
-e SMTP_HOST=smtp.example.com \
|
-e SMTP_HOST=smtp.example.com \
|
||||||
-e SMTP_PORT=587 \
|
-e SMTP_PORT=587 \
|
||||||
-e SMTP_FROM=noreply@example.com \
|
-e SMTP_FROM=noreply@example.com \
|
||||||
-e PUBLIC_URL=https://auth.example.com \
|
-e PUBLIC_URL=https://ldap.example.com \
|
||||||
-p 8080:8080 \
|
-p 8080:8080 \
|
||||||
nemunaire/chldapasswd
|
nemunaire/chldapasswd
|
||||||
```
|
```
|
||||||
|
|
|
||||||
63
main.go
63
main.go
|
|
@ -17,7 +17,7 @@ import (
|
||||||
"syscall"
|
"syscall"
|
||||||
)
|
)
|
||||||
|
|
||||||
var myPublicURL = ""
|
var myPublicURL = "https://ldap.nemunai.re"
|
||||||
var devMode bool
|
var devMode bool
|
||||||
var brandName = "chldapasswd"
|
var brandName = "chldapasswd"
|
||||||
var brandLogo = ""
|
var brandLogo = ""
|
||||||
|
|
@ -35,7 +35,7 @@ var myLDAP = LDAP{
|
||||||
Port: 389,
|
Port: 389,
|
||||||
BaseDN: "dc=example,dc=com",
|
BaseDN: "dc=example,dc=com",
|
||||||
MailPort: 587,
|
MailPort: 587,
|
||||||
MailFrom: "noreply@example.com",
|
MailFrom: "noreply@nemunai.re",
|
||||||
}
|
}
|
||||||
|
|
||||||
type ResponseWriterPrefix struct {
|
type ResponseWriterPrefix struct {
|
||||||
|
|
@ -79,34 +79,37 @@ func StripPrefix(prefix string, h http.Handler) http.Handler {
|
||||||
}
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
baseURL := "/"
|
var bind = flag.String("bind", "127.0.0.1:8080", "Bind port/socket")
|
||||||
bind := "127.0.0.1:8080"
|
var baseURL = flag.String("baseurl", "/", "URL prepended to each URL")
|
||||||
|
var configfile = flag.String("config", "", "path to the configuration file")
|
||||||
|
var publicURL = flag.String("public-url", myPublicURL, "Public base URL used in password reset emails")
|
||||||
|
var dev = flag.Bool("dev", false, "Development mode: disables HSTS and cookie Secure flag for local HTTP testing")
|
||||||
|
var bname = flag.String("brand-name", "chldapasswd", "Brand name displayed in the UI")
|
||||||
|
var blogo = flag.String("brand-logo", "", "URL of brand logo displayed in the UI (added to CSP img-src)")
|
||||||
|
flag.Parse()
|
||||||
|
|
||||||
|
myPublicURL = *publicURL
|
||||||
|
devMode = *dev
|
||||||
|
brandName = *bname
|
||||||
|
brandLogo = *blogo
|
||||||
if val, ok := os.LookupEnv("BRAND_NAME"); ok {
|
if val, ok := os.LookupEnv("BRAND_NAME"); ok {
|
||||||
brandName = val
|
brandName = val
|
||||||
}
|
}
|
||||||
if val, ok := os.LookupEnv("BRAND_LOGO"); ok {
|
if val, ok := os.LookupEnv("BRAND_LOGO"); ok {
|
||||||
brandLogo = val
|
brandLogo = val
|
||||||
}
|
}
|
||||||
|
|
||||||
var configfile = flag.String("config", "", "path to the configuration file")
|
|
||||||
flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
|
|
||||||
flag.StringVar(&bind, "bind", bind, "Bind port/socket")
|
|
||||||
flag.StringVar(&brandName, "brand-name", brandName, "Brand name displayed in the UI")
|
|
||||||
flag.StringVar(&brandLogo, "brand-logo", brandLogo, "URL of brand logo displayed in the UI (added to CSP img-src)")
|
|
||||||
flag.BoolVar(&devMode, "dev", devMode, "Development mode: disables HSTS and cookie Secure flag for local HTTP testing")
|
|
||||||
flag.StringVar(&myPublicURL, "public-url", myPublicURL, "Public base URL used in password reset emails")
|
|
||||||
flag.Parse()
|
|
||||||
|
|
||||||
if devMode {
|
if devMode {
|
||||||
log.Println("WARNING: running in development mode — security features relaxed, do not use in production")
|
log.Println("WARNING: running in development mode — security features relaxed, do not use in production")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sanitize options
|
// Sanitize options
|
||||||
if baseURL != "/" {
|
log.Println("Checking paths...")
|
||||||
baseURL = path.Clean(baseURL)
|
if *baseURL != "/" {
|
||||||
|
tmp := path.Clean(*baseURL)
|
||||||
|
baseURL = &tmp
|
||||||
} else {
|
} else {
|
||||||
baseURL = ""
|
tmp := ""
|
||||||
|
baseURL = &tmp
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load config file
|
// Load config file
|
||||||
|
|
@ -228,20 +231,20 @@ func main() {
|
||||||
signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)
|
signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)
|
||||||
|
|
||||||
// Register handlers
|
// Register handlers
|
||||||
http.HandleFunc(fmt.Sprintf("GET %s/altcha.min.js", baseURL), serveAltchaJS)
|
http.HandleFunc(fmt.Sprintf("GET %s/altcha.min.js", *baseURL), serveAltchaJS)
|
||||||
http.HandleFunc(fmt.Sprintf("GET %s/style.css", baseURL), serveStyleCSS)
|
http.HandleFunc(fmt.Sprintf("GET %s/style.css", *baseURL), serveStyleCSS)
|
||||||
http.HandleFunc(fmt.Sprintf("GET %s/altcha-challenge", baseURL), serveAltchaChallenge)
|
http.HandleFunc(fmt.Sprintf("GET %s/altcha-challenge", *baseURL), serveAltchaChallenge)
|
||||||
http.HandleFunc(fmt.Sprintf("%s/{$}", baseURL), changePassword)
|
http.HandleFunc(fmt.Sprintf("%s/{$}", *baseURL), changePassword)
|
||||||
http.HandleFunc(fmt.Sprintf("POST %s/api/v1/aliases", baseURL), addyAliasAPI)
|
http.HandleFunc(fmt.Sprintf("POST %s/api/v1/aliases", *baseURL), addyAliasAPI)
|
||||||
http.HandleFunc(fmt.Sprintf("DELETE %s/api/v1/aliases/{alias}", baseURL), addyAliasAPIDelete)
|
http.HandleFunc(fmt.Sprintf("DELETE %s/api/v1/aliases/{alias}", *baseURL), addyAliasAPIDelete)
|
||||||
http.HandleFunc(fmt.Sprintf("%s/auth", baseURL), httpBasicAuth)
|
http.HandleFunc(fmt.Sprintf("%s/auth", *baseURL), httpBasicAuth)
|
||||||
http.HandleFunc(fmt.Sprintf("%s/login", baseURL), tryLogin)
|
http.HandleFunc(fmt.Sprintf("%s/login", *baseURL), tryLogin)
|
||||||
http.HandleFunc(fmt.Sprintf("%s/change", baseURL), changePassword)
|
http.HandleFunc(fmt.Sprintf("%s/change", *baseURL), changePassword)
|
||||||
http.HandleFunc(fmt.Sprintf("%s/reset", baseURL), resetPassword)
|
http.HandleFunc(fmt.Sprintf("%s/reset", *baseURL), resetPassword)
|
||||||
http.HandleFunc(fmt.Sprintf("%s/lost", baseURL), lostPassword)
|
http.HandleFunc(fmt.Sprintf("%s/lost", *baseURL), lostPassword)
|
||||||
|
|
||||||
srv := &http.Server{
|
srv := &http.Server{
|
||||||
Addr: bind,
|
Addr: *bind,
|
||||||
Handler: securityHeaders(http.DefaultServeMux),
|
Handler: securityHeaders(http.DefaultServeMux),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -250,7 +253,7 @@ func main() {
|
||||||
log.Fatal(srv.ListenAndServe())
|
log.Fatal(srv.ListenAndServe())
|
||||||
}()
|
}()
|
||||||
log.Printf("Using LDAP server at %s:%d (baseDN: %s)", myLDAP.Host, myLDAP.Port, myLDAP.BaseDN)
|
log.Printf("Using LDAP server at %s:%d (baseDN: %s)", myLDAP.Host, myLDAP.Port, myLDAP.BaseDN)
|
||||||
log.Printf("Ready, listening on %s", bind)
|
log.Printf("Ready, listening on %s", *bind)
|
||||||
|
|
||||||
// Wait shutdown signal
|
// Wait shutdown signal
|
||||||
<-interrupt
|
<-interrupt
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue