Merge branch 'support/2020.6'

README.md

@@ -18,6 +18,8 @@ In Octopus Deploy, navigate to Configuration -> Settings -> LDAP.
 |---|---|---|
 |Server|The plain hostname of the LDAP server.|localhost|
 |Port|The port to access the LDAP server.|389|
+|Use SSL|Whether to use Secure Socket Layer to connect to LDAP.|False|
+|Ignore SSL errors|Whether to ignore certificate validation errors.|False|
 |Username|The distinguished name of the user that the extension will use when connecting to the LDAP server.|cn=query,dc=example,dc=org|
 |Password|The password of the user specified above.|***|
 |Base DN|The root distinguished name (DN) to use when running queries.|dc=example,dc=org|
@@ -46,7 +48,6 @@ Refer to the [Octopus Documentation][5] for more information.
 This is a first version with a basic set of features. If you need more, feel free to contribute - I'm happy to accept a pull request.
 
 - Automatic user creation is always enabled.
-- SSL connection not tested and probably won't work.
 
 [1]: https://octopus.com
 [2]: https://github.com/dsbenghe/Novell.Directory.Ldap.NETStandard

source/Server/Configuration/ILdapConfigurationStore.cs

@@ -13,6 +13,14 @@ public interface ILdapConfigurationStore : IExtensionConfigurationStore<LdapConf
 
         void SetPort(int port);
 
+        void SetUseSsl(bool useSsl);
+
+        bool GetUseSsl();
+
+        void SetIgnoreSslErrors(bool ignoreSslErrors);
+
+        bool GetIgnoreSslErrors();
+
         string GetConnectUsername();
 
         void SetConnectUsername(string username);

source/Server/Configuration/LdapConfiguration.cs

@@ -13,6 +13,10 @@ public LdapConfiguration() : base(LdapConfigurationStore.SingletonId, "Ldap", "T
 
         public int Port { get; set; } = 389;
 
+        public bool UseSsl { get; set; }
+
+        public bool IgnoreSslErrors { get; set; }
+
         public string ConnectUsername { get; set; }
 
         public SensitiveString ConnectPassword { get; set; }

source/Server/Configuration/LdapConfigurationResource.cs

@@ -1,6 +1,6 @@
-using Octopus.Server.Extensibility.Extensions.Infrastructure.Configuration;
-using Octopus.Server.MessageContracts;
-using Octopus.Server.MessageContracts.Attributes;
+using Octopus.Data.Resources;
+using Octopus.Data.Resources.Attributes;
+using Octopus.Server.Extensibility.Extensions.Infrastructure.Configuration;
 using System.ComponentModel;
 
 namespace Octopus.Server.Extensibility.Authentication.Ldap.Configuration
@@ -9,6 +9,8 @@ public class LdapConfigurationResource : ExtensionConfigurationResource
     {
         public const string ServerDescription = "Set the server URL.";
         public const string PortDescription = "Set the port using to connect.";
+        public const string UseSslDescription = "Sets whether to use Secure Socket Layer to connect to LDAP.";
+        public const string IgnoreSslErrorsDescription = "Sets whether to ignore certificate validation errors.";
         public const string UsernameDescription = "Set the user DN to query LDAP.";
         public const string PasswordDescription = "Set the password to query LDAP.";
         public const string BaseDnDescription = "Set the root distinguished name (DN) to query LDAP.";
@@ -27,6 +29,16 @@ public class LdapConfigurationResource : ExtensionConfigurationResource
         [Writeable]
         public int Port { get; set; }
 
+        [DisplayName("Use SSL")]
+        [Description(UseSslDescription)]
+        [Writeable]
+        public bool UseSsl { get; set; }
+
+        [DisplayName("Ignore SSL errors")]
+        [Description(IgnoreSslErrorsDescription)]
+        [Writeable]
+        public bool IgnoreSslErrors { get; set; }
+
         [DisplayName("Username")]
         [Description(UsernameDescription)]
         [Writeable]

source/Server/Configuration/LdapConfigurationSettings.cs

@@ -27,6 +27,8 @@ public override IEnumerable<IConfigurationValue> GetConfigurationValues()
             yield return new ConfigurationValue<bool>("Octopus.WebPortal.LdapIsEnabled", isEnabled, isEnabled, "Is Enabled");
             yield return new ConfigurationValue<string>("Octopus.WebPortal.LdapServer", ConfigurationDocumentStore.GetServer(), isEnabled && !string.IsNullOrWhiteSpace(ConfigurationDocumentStore.GetServer()), "Server");
             yield return new ConfigurationValue<int>("Octopus.WebPortal.LdapPort", ConfigurationDocumentStore.GetPort(), isEnabled, "Port");
+            yield return new ConfigurationValue<bool>("Octopus.WebPortal.LdapUseSsl", ConfigurationDocumentStore.GetUseSsl(), isEnabled, "Use SSL");
+            yield return new ConfigurationValue<bool>("Octopus.WebPortal.LdapIgnoreSslErrors", ConfigurationDocumentStore.GetIgnoreSslErrors(), isEnabled, "Ignore SSL errors");
             yield return new ConfigurationValue<string>("Octopus.WebPortal.LdapUsername", ConfigurationDocumentStore.GetConnectUsername(), isEnabled, "Username");
             yield return new ConfigurationValue<SensitiveString>("Octopus.WebPortal.LdapPassword", ConfigurationDocumentStore.GetConnectPassword(), isEnabled, "Password");
             yield return new ConfigurationValue<string>("Octopus.WebPortal.LdapBaseDn", ConfigurationDocumentStore.GetBaseDn(), isEnabled, "Base DN");

source/Server/Configuration/LdapConfigurationStore.cs

@@ -34,6 +34,26 @@ public void SetPort(int port)
             SetProperty(doc => doc.Port = port);
         }
 
+        public void SetUseSsl(bool useSsl)
+        {
+            SetProperty(doc => doc.UseSsl = useSsl);
+        }
+
+        public bool GetUseSsl()
+        {
+            return GetProperty(doc => doc.UseSsl);
+        }
+
+        public void SetIgnoreSslErrors(bool ignoreSslErrors)
+        {
+            SetProperty(doc => doc.IgnoreSslErrors = ignoreSslErrors);
+        }
+
+        public bool GetIgnoreSslErrors()
+        {
+            return GetProperty(doc => doc.IgnoreSslErrors);
+        }
+
         public string GetConnectUsername()
         {
             return GetProperty(doc => doc.ConnectUsername);

source/Server/Configuration/LdapConfigureCommands.cs

@@ -38,6 +38,18 @@ public IEnumerable<ConfigureCommandOption> GetOptions()
                 ldapConfiguration.Value.SetPort(port);
                 log.Info("LDAP Port set to: " + port);
             });
+            yield return new ConfigureCommandOption("ldapUseSsl=", LdapConfigurationResource.UseSslDescription, v =>
+            {
+                bool.TryParse(v, out var useSsl);
+                ldapConfiguration.Value.SetUseSsl(useSsl);
+                log.Info("LDAP UseSsl set to: " + useSsl);
+            });
+            yield return new ConfigureCommandOption("ldapIgnoreSslErrors=", LdapConfigurationResource.IgnoreSslErrorsDescription, v =>
+            {
+                bool.TryParse(v, out var ignoreSslErrors);
+                ldapConfiguration.Value.SetIgnoreSslErrors(ignoreSslErrors);
+                log.Info("LDAP IgnoreSslErrors set to: " + ignoreSslErrors);
+            });
             yield return new ConfigureCommandOption("ldapUsername=", LdapConfigurationResource.UsernameDescription, v =>
             {
                 ldapConfiguration.Value.SetConnectUsername(v);

source/Server/Identities/IdentityCreator.cs

@@ -1,5 +1,4 @@
 using Octopus.Data.Model.User;
-using Octopus.Server.Extensibility.Authentication.Model;
 using Octopus.Server.Extensibility.Authentication.Resources.Identities;
 
 namespace Octopus.Server.Extensibility.Authentication.Ldap.Identities

source/Server/Ldap/LdapContextProvider.cs

@@ -1,21 +1,38 @@
 using Novell.Directory.Ldap;
+using Octopus.Diagnostics;
 using Octopus.Server.Extensibility.Authentication.Ldap.Configuration;
 using System;
+using System.Linq;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
 
 namespace Octopus.Server.Extensibility.Authentication.Ldap
 {
     public class LdapContextProvider : ILdapContextProvider
     {
         private readonly Lazy<ILdapConfigurationStore> ldapConfiguration;
+        private readonly ILog log;
 
-        public LdapContextProvider(Lazy<ILdapConfigurationStore> ldapConfiguration)
+        public LdapContextProvider(
+            Lazy<ILdapConfigurationStore> ldapConfiguration,
+            ILog log
+            )
         {
             this.ldapConfiguration = ldapConfiguration;
+            this.log = log;
         }
 
         public LdapContext GetContext()
         {
-            var con = new LdapConnection();
+            var options = new LdapConnectionOptions();
+
+            if (ldapConfiguration.Value.GetUseSsl())
+            {
+                options.UseSsl();
+                options.ConfigureRemoteCertificateValidationCallback(RemoteCertificateValidation);
+            }
+
+            var con = new LdapConnection(options);
             con.Connect(ldapConfiguration.Value.GetServer(), ldapConfiguration.Value.GetPort());
             con.Bind(ldapConfiguration.Value.GetConnectUsername(), ldapConfiguration.Value.GetConnectPassword().Value);
 
@@ -33,5 +50,24 @@ public LdapContext GetContext()
                 UserPrincipalNameAttribute = ldapConfiguration.Value.GetUserPrincipalNameAttribute()
             };
         }
+
+        private bool RemoteCertificateValidation(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
+        {
+            if (sslPolicyErrors == SslPolicyErrors.None)
+                return true;
+
+            if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
+                log.ErrorFormat("LDAP certificate validation failed: RemoteCertificateNotAvailable, {0}", certificate.ToString());
+            if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
+                log.ErrorFormat("LDAP certificate validation failed: RemoteCertificateNameMismatch, {0}", certificate.ToString());
+            if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors))
+            {
+                log.ErrorFormat("LDAP certificate validation failed: RemoteCertificateChainErrors\n{0}",
+                    string.Join('\n', chain.ChainStatus.Select(x => x.StatusInformation).ToList())
+                    );
+            }
+
+            return ldapConfiguration.Value.GetIgnoreSslErrors();
+        }
     }
 }

source/Server/Ldap/UserLookup.cs

@@ -1,7 +1,7 @@
-using Octopus.Server.Extensibility.Authentication.Extensions;
+using Octopus.Data.Resources.Users;
+using Octopus.Server.Extensibility.Authentication.Extensions;
 using Octopus.Server.Extensibility.Authentication.Ldap.Configuration;
 using Octopus.Server.Extensibility.Authentication.Ldap.Identities;
-using Octopus.Server.Extensibility.Authentication.Model;
 using Octopus.Server.Extensibility.Results;
 using System.Linq;
 using System.Threading;

source/Server/LdapAuthenticationProvider.cs

@@ -5,7 +5,6 @@
 using Octopus.Server.Extensibility.Authentication.Ldap.Identities;
 using Octopus.Server.Extensibility.Authentication.Resources;
 using Octopus.Server.Extensibility.Authentication.Resources.Identities;
-using Octopus.Server.MessageContracts;
 
 namespace Octopus.Server.Extensibility.Authentication.Ldap
 {

source/Server/Server.csproj

@@ -16,8 +16,10 @@
     <PackageLicenseFile>LICENSE.md</PackageLicenseFile>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Octopus.Configuration" Version="4.0.0" />
-    <PackageReference Include="Octopus.Server.Extensibility.Authentication" Version="10.0.3" />
+    <PackageReference Include="Octopus.Configuration" Version="3.0.0" />
+    <PackageReference Include="Octopus.Diagnostics" Version="1.3.5" />
+    <PackageReference Include="Octopus.Server.Extensibility" Version="11.0.0" />
+    <PackageReference Include="Octopus.Server.Extensibility.Authentication" Version="10.0.1" />
     <PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0" />
   </ItemGroup>
   <ItemGroup>