// Copyright 2024 The Cockroach Authors.
//
// Licensed as a CockroachDB Enterprise file under the Cockroach Community
// License (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// https://github.com/cockroachdb/cockroach/blob/master/licenses/CCL.txt
package ldapccl
import (
"crypto/x509"
"github.com/cockroachdb/cockroach/pkg/settings"
"github.com/cockroachdb/errors"
)
// Names of the cluster settings that configure the LDAP authN/authZ feature.
// Every name shares the baseLDAPAuthSettingName prefix so the settings group
// together under "server.ldap_authentication.".
const (
	// baseLDAPAuthSettingName is the common prefix of all LDAP setting names.
	baseLDAPAuthSettingName = "server.ldap_authentication."

	// LDAPDomainCACertificateSettingName names the custom root CA used to
	// verify the LDAP server's certificate.
	LDAPDomainCACertificateSettingName = baseLDAPAuthSettingName + "domain.custom_ca"

	// LDAPClientTLSCertSettingName names the client certificate presented to
	// the LDAP server for mTLS.
	LDAPClientTLSCertSettingName = baseLDAPAuthSettingName + "client.tls_certificate"

	// LDAPClientTLSKeySettingName names the private key paired with the
	// client certificate above.
	LDAPClientTLSKeySettingName = baseLDAPAuthSettingName + "client.tls_key"
)
// The three string settings below are registered at ApplicationLevel, are
// public, are excluded from reporting (WithReportable(false)) and are marked
// Sensitive, since each may hold PEM material — the CA bundle, the client
// certificate and, in particular, the client private key.
var (
	// LDAPDomainCACertificate holds the custom root CA (PEM) used to verify the
	// LDAP server's certificate. Non-empty values are checked by
	// validateLDAPDomainCACertificate before they are accepted; the default is
	// the empty string.
	LDAPDomainCACertificate = settings.RegisterStringSetting(
		settings.ApplicationLevel,
		LDAPDomainCACertificateSettingName,
		"sets the custom root CA for verifying domain certificates when establishing connection with LDAP server",
		"",
		settings.WithPublic,
		settings.WithReportable(false),
		settings.Sensitive,
		settings.WithValidateString(validateLDAPDomainCACertificate),
	)

	// LDAPClientTLSCertSetting holds the client certificate presented to the
	// LDAP server for mTLS. No validator is attached here, so a malformed
	// value is only detected when a connection is attempted (presumably; the
	// consumer of this setting is outside this file).
	LDAPClientTLSCertSetting = settings.RegisterStringSetting(
		settings.ApplicationLevel,
		LDAPClientTLSCertSettingName,
		"sets the client certificate for establishing mTLS connection with LDAP server",
		"",
		settings.WithPublic,
		settings.WithReportable(false),
		settings.Sensitive,
	)

	// LDAPClientTLSKeySetting holds the private key paired with
	// LDAPClientTLSCertSetting. Like the certificate, it is not validated at
	// registration time.
	LDAPClientTLSKeySetting = settings.RegisterStringSetting(
		settings.ApplicationLevel,
		LDAPClientTLSKeySettingName,
		"sets the client key for establishing mTLS connection with LDAP server",
		"",
		settings.WithPublic,
		settings.WithReportable(false),
		settings.Sensitive,
	)
)
// validateLDAPDomainCACertificate is the WithValidateString hook for
// LDAPDomainCACertificate. An empty value is always accepted (it means "no
// custom CA"). A non-empty value must be a PEM bundle from which
// x509.CertPool.AppendCertsFromPEM can load at least one certificate;
// otherwise an error is returned and the setting change is rejected.
//
// Note that AppendCertsFromPEM reports success as soon as one CERTIFICATE
// block parses, so a bundle that also contains unparseable or non-certificate
// blocks still passes this check — those blocks are silently skipped.
//
// The values argument is unused; it is part of the validator signature.
func validateLDAPDomainCACertificate(values *settings.Values, s string) error {
	if s == "" {
		return nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(s)) {
		return errors.Newf("LDAP authentication could not parse domain CA cert PEM")
	}
	return nil
}