-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support LDAP authentication #101
base: master
Are you sure you want to change the base?
Conversation
This commit adds LDAP as a credential backend, with a caching layer in front of it so as not to try to authenticate every single request.
|
||
type key int | ||
|
||
var infoKey key |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does this need to be package global? It's never written?
} | ||
} | ||
|
||
type key int |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this looks unused?
Thanks @HackAttack ! Apologies for the delay on the review. Overall looks great :-) |
timeout := c.config.CacheTime | ||
// Don't cache a negative result for a long time; likely wrong password | ||
if !authed { | ||
timeout = 5 * time.Second |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out of Curiosity: Why cache a negative result at all?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you build with invalid auth and large -j value, I guess you don't want to make several hundred LDAP requests before the client notices and stops/cancels the remaining jobs.
defer ce.Unlock() | ||
if ce.authed != nil { | ||
return *ce.authed | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ce.Lock()
defer ce.Unlock()
if ce.authed != nil {
return *ce.authed
}
Could this be changed to the below?
authed := ce.authed
if authed != nil {
return authed
}
ce.Lock()
defer ce.Unlock()
That way you don't have to acquire a lock in the case where it was cached?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also think this should have a nice fast-path, but this suggestion might need some tweaking to avoid multiple identical queries in quick succession: after obtaining the lock, ce.authed should be re-checked.
if c.LDAP.UsernameAttribute == "" { | ||
c.LDAP.UsernameAttribute = "uid" | ||
} | ||
if c.LDAP.CacheTime == 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe check <= 0 here?
return &Cache{ | ||
config: config, | ||
BasicAuth: &auth.BasicAuth{ | ||
Realm: "Bazel remote cache", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be a configuration option?
If anyone is watching this PR, I'd be really interested if this works for you. I am happy to rebase and merge it if this brings value to people. |
are there any show stoppers from preventing a merge besides the review comments? |
Wow, I completely and utterly forgot about this! This was one or two companies ago so I don’t know that I have a good way to test this now. I assume I verified it to work at the time, but it’s been a while… |
No worries. May you could at least rebase your branch to the latest master? In best case some of the review comments could be fixed right away, but this won't be necessary for testing I assume. |
If anyone wants to rebase and/or resubmit a newer version of this, please also add some automated tests. |
This PR adds LDAP as a credential backend, with a caching layer in front of it so as not to try to authenticate every single request.
Resolves #100