diff --git a/.changeset/wicked-teachers-hide.md b/.changeset/wicked-teachers-hide.md
new file mode 100644
index 0000000000..c93b9e0848
--- /dev/null
+++ b/.changeset/wicked-teachers-hide.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-catalog-backend-module-ldap': minor
+---
+
+Added the possibility to pass TLS configuration to ldap connection
diff --git a/plugins/catalog-backend-module-ldap/api-report.md b/plugins/catalog-backend-module-ldap/api-report.md
index 3c6cd4849b..90e58b3fb2 100644
--- a/plugins/catalog-backend-module-ldap/api-report.md
+++ b/plugins/catalog-backend-module-ldap/api-report.md
@@ -82,6 +82,7 @@ export class LdapClient {
 logger: Logger,
 target: string,
 bind?: BindConfig,
+ tls?: TLSConfig,
 ): Promise;
 getRootDSE(): Promise;
 getVendor(): Promise;
@@ -154,6 +155,7 @@ export class LdapOrgReaderProcessor implements CatalogProcessor {
 // @public
 export type LdapProviderConfig = {
 target: string;
+ tls?: TLSConfig;
 bind?: BindConfig;
 users: UserConfig;
 groups: GroupConfig;
@@ -192,6 +194,11 @@ export function readLdapOrg(
 groups: GroupEntity[];
 }>;
 
+// @public
+export type TLSConfig = {
+ rejectUnauthorized?: boolean;
+};
+
 // @public
 export type UserConfig = {
 dn: string;
diff --git a/plugins/catalog-backend-module-ldap/config.d.ts b/plugins/catalog-backend-module-ldap/config.d.ts
index 8ae3145811..eb9564f20d 100644
--- a/plugins/catalog-backend-module-ldap/config.d.ts
+++ b/plugins/catalog-backend-module-ldap/config.d.ts
@@ -50,6 +50,14 @@ export interface Config {
 secret: string;
 };
 
+ /**
+ * TLS settings
+ */
+ tls?: {
+ // Node TLS rejectUnauthorized
+ rejectUnauthorized?: boolean;
+ };
+
 /**
 * The settings that govern the reading and interpretation of users.
 */
@@ -273,6 +281,14 @@ export interface Config {
 secret: string;
 };
 
+ /**
+ * TLS settings
+ */
+ tls?: {
+ // Node TLS rejectUnauthorized
+ rejectUnauthorized?: boolean;
+ };
+
 /**
 * The settings that govern the reading and interpretation of users.
 */
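Review bot: The comment on `rejectUnauthorized` in both config.d.ts hunks (`// Node TLS rejectUnauthorized`) does not tell an app-config author what the flag does, and its only effect is that `false` turns off verification of the LDAP server's certificate — the one thing an operator must understand before setting it. This schema is the documentation operators actually read, so in both the `@@ -50` and `@@ -273` hunks I would replace that comment with `// Set to false to skip verification of the server certificate (Node TLS rejectUnauthorized). Leave unset to keep verification on.` and make the block comment say `TLS settings for the LDAP connection` rather than just `TLS settings`. The same wording gap exists on the exported `TLSConfig` type in config.ts.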
diff --git a/plugins/catalog-backend-module-ldap/src/ldap/client.ts b/plugins/catalog-backend-module-ldap/src/ldap/client.ts
index e778b0cfe4..a9283ecb94 100644
--- a/plugins/catalog-backend-module-ldap/src/ldap/client.ts
+++ b/plugins/catalog-backend-module-ldap/src/ldap/client.ts
@@ -18,7 +18,7 @@ import { ForwardedError } from '@backstage/errors';
 import ldap, { Client, SearchEntry, SearchOptions } from 'ldapjs';
 import { cloneDeep } from 'lodash';
 import { Logger } from 'winston';
-import { BindConfig } from './config';
+import { BindConfig, TLSConfig } from './config';
 import { errorString } from './util';
 import {
 ActiveDirectoryVendor,
@@ -40,8 +40,12 @@ export class LdapClient {
 logger: Logger,
 target: string,
 bind?: BindConfig,
+ tls?: TLSConfig,
 ): Promise {
- const client = ldap.createClient({ url: target });
+ const client = ldap.createClient({
+ url: target,
+ tlsOptions: tls,
+ });
 
 // We want to have a catch-all error handler at the top, since the default
 // behavior of the client is to blow up the entire process when it fails,
diff --git a/plugins/catalog-backend-module-ldap/src/ldap/config.test.ts b/plugins/catalog-backend-module-ldap/src/ldap/config.test.ts
index 292e9a218e..28c842294f 100644
--- a/plugins/catalog-backend-module-ldap/src/ldap/config.test.ts
+++ b/plugins/catalog-backend-module-ldap/src/ldap/config.test.ts
@@ -80,6 +80,7 @@ describe('readLdapConfig', () => {
 {
 target: 'target',
 bind: { dn: 'bdn', secret: 's' },
+ tls: { rejectUnauthorized: false },
 users: {
 dn: 'udn',
 options: {
@@ -139,6 +140,7 @@ describe('readLdapConfig', () => {
 {
 target: 'target',
 bind: { dn: 'bdn', secret: 's' },
+ tls: { rejectUnauthorized: false },
 users: {
 dn: 'udn',
 options: {
diff --git a/plugins/catalog-backend-module-ldap/src/ldap/config.ts b/plugins/catalog-backend-module-ldap/src/ldap/config.ts
index 370c9491b3..9ae4b9ed8d 100644
--- a/plugins/catalog-backend-module-ldap/src/ldap/config.ts
+++ b/plugins/catalog-backend-module-ldap/src/ldap/config.ts
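Review bot: In the `@@ -40` hunk of client.ts, `ldap.createClient` now receives `tlsOptions: tls` without any trace in the logs of whether certificate verification has been switched off, so an `rejectUnauthorized: false` in app-config (the value the new config tests use) silently downgrades every LDAP sync. Since `logger` is already a parameter of the enclosing method (its name is above the hunk; api-report.md lists it as `create`), I would emit a warning before the call: `if (tls?.rejectUnauthorized === false) { logger.warn('LDAP TLS server certificate verification is disabled (tls.rejectUnauthorized=false)'); }`. That keeps the feature but makes the weakened state visible to whoever reads the backend logs. The method body continues outside the hunk.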
@@ -30,6 +30,8 @@ export type LdapProviderConfig = {
 // The prefix of the target that this matches on, e.g.
 // "ldaps://ds.example.net", with no trailing slash.
 target: string;
+ // TLS settings
+ tls?: TLSConfig;
 // The settings to use for the bind command. If none are specified, the bind
 // command is not issued.
 bind?: BindConfig;
@@ -39,6 +41,16 @@ export type LdapProviderConfig = {
 groups: GroupConfig;
 };
 
+/**
+ * TLS settings
+ *
+ * @public
+ */
+export type TLSConfig = {
+ // Node TLS rejectUnauthorized
+ rejectUnauthorized?: boolean;
+};
+
 /**
 * The settings to use for the a command.
 *
@@ -185,6 +197,17 @@ export function readLdapConfig(config: Config): LdapProviderConfig[] {
 });
 }
 
+ function readTlsConfig(
+ c: Config | undefined,
+ ): LdapProviderConfig['tls'] | undefined {
+ if (!c) {
+ return undefined;
+ }
+ return {
+ rejectUnauthorized: c.getOptionalBoolean('rejectUnauthorized'),
+ };
+ }
+
 function readBindConfig(
 c: Config | undefined,
 ): LdapProviderConfig['bind'] | undefined {
@@ -312,6 +335,7 @@ export function readLdapConfig(config: Config): LdapProviderConfig[] {
 return providerConfigs.map(c => {
 const newConfig = {
 target: trimEnd(c.getString('target'), '/'),
+ tls: readTlsConfig(c.getOptionalConfig('tls')),
 bind: readBindConfig(c.getOptionalConfig('bind')),
 users: readUserConfig(c.getConfig('users')),
 groups: readGroupConfig(c.getConfig('groups')),
diff --git a/plugins/catalog-backend-module-ldap/src/ldap/index.ts b/plugins/catalog-backend-module-ldap/src/ldap/index.ts
index c3aace492f..6d7800fbfd 100644
--- a/plugins/catalog-backend-module-ldap/src/ldap/index.ts
+++ b/plugins/catalog-backend-module-ldap/src/ldap/index.ts
@@ -22,6 +22,7 @@ export type {
 GroupConfig,
 UserConfig,
 BindConfig,
+ TLSConfig,
 } from './config';
 export type { LdapVendor } from './vendors';
 export {
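Review bot: `readTlsConfig` in the `@@ -185` hunk reads only `rejectUnauthorized`, so the single knob this adds is the one that disables certificate verification, while the usual reason an operator reaches for it (an LDAP server whose certificate chains to a private CA) is better served by a trust-anchor setting. Since the parsed object is forwarded as ldapjs `tlsOptions`, which as far as I know goes to Node TLS unchanged, accepting an optional `ca` string here and in `TLSConfig` would give operators a way to connect without turning verification off; that can be a follow-up. Independently, the TSDoc on the exported `TLSConfig` in the `@@ -39` hunk should say what the flag does rather than `TLS settings` — something like `TLS options applied to the LDAP connection. Setting rejectUnauthorized to false disables verification of the server certificate; leave it unset to keep Node's default of verifying.` — and the inline `// Node TLS rejectUnauthorized` can go.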
diff --git a/plugins/catalog-backend-module-ldap/src/processors/LdapOrgEntityProvider.ts b/plugins/catalog-backend-module-ldap/src/processors/LdapOrgEntityProvider.ts
index b31b7ae266..b38ea51cc0 100644
--- a/plugins/catalog-backend-module-ldap/src/processors/LdapOrgEntityProvider.ts
+++ b/plugins/catalog-backend-module-ldap/src/processors/LdapOrgEntityProvider.ts
@@ -179,6 +179,7 @@ export class LdapOrgEntityProvider implements EntityProvider {
 this.options.logger,
 this.options.provider.target,
 this.options.provider.bind,
+ this.options.provider.tls,
 );
 
 const { users, groups } = await readLdapOrg(
diff --git a/plugins/catalog-backend-module-ldap/src/processors/LdapOrgReaderProcessor.ts b/plugins/catalog-backend-module-ldap/src/processors/LdapOrgReaderProcessor.ts
index 74a7e153b9..fcfdb43eb1 100644
--- a/plugins/catalog-backend-module-ldap/src/processors/LdapOrgReaderProcessor.ts
+++ b/plugins/catalog-backend-module-ldap/src/processors/LdapOrgReaderProcessor.ts
@@ -103,6 +103,7 @@ export class LdapOrgReaderProcessor implements CatalogProcessor {
 this.logger,
 provider.target,
 provider.bind,
+ provider.tls,
 );
 const { users, groups } = await readLdapOrg(
 client,