outposts/ldap: use configured certificate for LDAPS when all providers' certificates are identical

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-12-28 19:15:29 +01:00
parent f0e121c064
commit ff13b4bb46
No known key found for this signature in database
3 changed files with 11 additions and 2 deletions

View file

@ -34,6 +34,7 @@ type ProviderInstance struct {
tlsServerName *string
cert *tls.Certificate
certUUID string
outpostName string
outpostPk int32
searchAllowedGroups []*strfmt.UUID

View file

@ -15,6 +15,7 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
return ls.providers[0].cert, nil
}
}
allIdenticalCerts := true
for _, provider := range ls.providers {
if provider.tlsServerName == &info.ServerName {
if provider.cert == nil {
@ -23,6 +24,13 @@ func (ls *LDAPServer) getCertificates(info *tls.ClientHelloInfo) (*tls.Certifica
}
return provider.cert, nil
}
if provider.certUUID != ls.providers[0].certUUID {
allIdenticalCerts = false
}
}
if allIdenticalCerts {
ls.log.WithField("server-name", info.ServerName).Debug("all providers have the same keypair, using keypair")
return ls.providers[0].cert, nil
}
ls.log.WithField("server-name", info.ServerName).Debug("Fallback to default cert")
return ls.defaultCert, nil

View file

@ -70,13 +70,13 @@ func (ls *LDAPServer) Refresh() error {
outpostName: ls.ac.Outpost.Name,
outpostPk: provider.Pk,
}
if provider.Certificate.Get() != nil {
kp := provider.Certificate.Get()
if kp := provider.Certificate.Get(); kp != nil {
err := ls.cs.AddKeypair(*kp)
if err != nil {
ls.log.WithError(err).Warning("Failed to initially fetch certificate")
}
providers[idx].cert = ls.cs.Get(*kp)
providers[idx].certUUID = *kp
}
if *provider.SearchMode.Ptr() == api.LDAPAPIACCESSMODE_CACHED {
providers[idx].searcher = memorysearch.NewMemorySearcher(providers[idx])