mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-08 07:11:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Check TLS bundle before dialing for performance reasons, and add godoc to clarify intent

Browse Source 
Signed-off-by: Ryan Richard <richardry@vmware.com>
This commit is contained in:
Joshua T Casey
2024-10-02 14:53:20 -05:00
committed by Joshua Casey
parent bb00587bd7
commit 629f89d95b
1 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
internal/upstreamldap/upstreamldap.go
View File

@@ -314,7 +314,7 @@ func (p *Provider) dial(ctx context.Context) (Conn, error) {
// Unfortunately, the go-ldap library does not seem to support dialing with a context.Context,
// so we implement it ourselves, heavily inspired by ldap.DialURL.
func (p *Provider) dialTLS(ctx context.Context, addr endpointaddr.HostPort) (Conn, error) {
tlsConfig, err := p.tlsConfig()
tlsConfig, err := p.validateAndBuildTLSConfig()
if err != nil {
return nil, ldap.NewError(ldap.ErrorNetwork, err)
}
@@ -334,8 +334,18 @@ func (p *Provider) dialTLS(ctx context.Context, addr endpointaddr.HostPort) (Con
// Unfortunately, the go-ldap library does not seem to support dialing with a context.Context,
// so we implement it ourselves, heavily inspired by ldap.DialURL.
func (p *Provider) dialStartTLS(ctx context.Context, addr endpointaddr.HostPort) (Conn, error) {
// start with a plaintext tcp connection which will then be upgraded to
// and LDAP connection over TLS.
// Validate TLS configuration before dialing, even though we perform a plaintext (non-TLS) dial.
// That way we can avoid the more expensive dial operation if this returns an error.
tlsConfig, err := p.validateAndBuildTLSConfig()
if err != nil {
return nil, ldap.NewError(ldap.ErrorNetwork, err)
}
// Unfortunately, this seems to be required for StartTLS, even though it is not needed for regular TLS.
tlsConfig.ServerName = addr.Host
// Start with a plaintext tcp connection which will then be upgraded to
// an LDAP connection over TLS.
c, err := netDialer().DialContext(ctx, "tcp", addr.Endpoint())
if err != nil {
return nil, ldap.NewError(ldap.ErrorNetwork, err)
@@ -343,12 +353,6 @@ func (p *Provider) dialStartTLS(ctx context.Context, addr endpointaddr.HostPort)
conn := ldap.NewConn(c, false)
conn.Start()
tlsConfig, err := p.tlsConfig()
if err != nil {
return nil, ldap.NewError(ldap.ErrorNetwork, err)
}
// Unfortunately, this seems to be required for StartTLS, even though it is not needed for regular TLS.
tlsConfig.ServerName = addr.Host
err = conn.StartTLS(tlsConfig)
if err != nil {
return nil, err
@@ -361,7 +365,7 @@ func netDialer() *net.Dialer {
return &net.Dialer{Timeout: time.Minute}
}
func (p *Provider) tlsConfig() (*tls.Config, error) {
func (p *Provider) validateAndBuildTLSConfig() (*tls.Config, error) {
var rootCAs *x509.CertPool
if p.c.CABundle != nil {
rootCAs = x509.NewCertPool()