* Add support for TLS

* Add support for refreshing the database periodically in the background
* Add support to set refresh interval used for periodical refresh and for how often it should be refreshed on demand

Author: BlackVoid

Dockerfile

@@ -20,7 +20,7 @@ COPY ./run.py .
 RUN chmod ugo+x ./entrypoint.sh
 
 # Open appropriate ports
-EXPOSE 1389
+EXPOSE 1389, 1636
 
 # Run the server
 ENTRYPOINT ["./entrypoint.sh"]

README.md

@@ -24,6 +24,18 @@ from the `docker` directory.
 You can use a Redis server to store generated `uidNumber` and `gidNumber` values in a more persistent way.
 To do this, you will need to provide the `--redis-host` and `--redis-port` arguments to `run.py`.
 
+### Configure background refresh [Optional]
+
+By default Apricot will refresh on demand when the data is older than 60 seconds.
+If it takes a long time to fetch all users and groups, or you want to ensure that each request prompty gets a respose, you may want to configure background refresh to have it periodically be refreshed in the background.
+
+This is enabled with the `--background-refresh` flag, which uses the `--refresh-interval=60` parameter as the interval to refresh the ldap database. 
+
+### Using TLS [Optional]
+
+You can set up a TLS listener to communicate with encryption enabled over the configured port.
+To enable it you need to configure the tls port ex. `--tls-port=1636`, and provide a path to the pem files for the certificate `--tls-certificate=<path>` and the private key `--tls-private-key=<path>`.
+
 ## Outputs
 
 This will create an LDAP tree that looks like this:

apricot/apricot_server.py

@@ -1,9 +1,9 @@
 import inspect
 import sys
-from typing import Any, cast
+from typing import Any, cast, Optional
 
-from twisted.internet import reactor
-from twisted.internet.endpoints import serverFromString
+from twisted.internet import reactor, task
+from twisted.internet.endpoints import serverFromString, quoteStringArgument
 from twisted.internet.interfaces import IReactorCore, IStreamServerEndpoint
 from twisted.python import log
 
@@ -21,10 +21,15 @@ def __init__(
         domain: str,
         port: int,
         enable_group_of_groups: bool,
+        refresh_interval: int,
+        background_refresh: bool,
         *,
         debug: bool = False,
         redis_host: str | None = None,
         redis_port: int | None = None,
+        tls_port: Optional[int] = None,
+        tls_certificate: Optional[str] = None,
+        tls_private_key: Optional[str] = None,
         **kwargs: Any,
     ) -> None:
         self.debug = debug
@@ -63,14 +68,29 @@ def __init__(
         # Create an LDAPServerFactory
         if self.debug:
             log.msg("Creating an LDAPServerFactory.")
-        factory = OAuthLDAPServerFactory(domain, oauth_client, enable_group_of_groups)
+        factory = OAuthLDAPServerFactory(domain, oauth_client, enable_group_of_groups, refresh_interval, background_refresh)
+
+        if background_refresh:
+            if self.debug:
+                log.msg(f"Starting background refresh (interval={factory.adaptor.refresh_interval})")
+            loop = task.LoopingCall(factory.adaptor.refresh)
+            loop.start(factory.adaptor.refresh_interval)
 
         # Attach a listening endpoint
         if self.debug:
-            log.msg("Attaching a listening endpoint.")
+            log.msg("Attaching a listening endpoint (plain).")
         endpoint: IStreamServerEndpoint = serverFromString(reactor, f"tcp:{port}")
         endpoint.listen(factory)
 
+        # Attach a listening endpoint
+        if tls_port:
+            if not (tls_certificate or tls_private_key):
+                raise ValueError("No TLS certificate or private key provided. Make sure you provide these parameters or disable TLS by not providing the TLS port")
+            if self.debug:
+                log.msg("Attaching a listening endpoint (TLS).")
+            ssl_endpoint: IStreamServerEndpoint = serverFromString(reactor, f"ssl:{tls_port}:privateKey={quoteStringArgument(tls_private_key)}:certKey={quoteStringArgument(tls_certificate)}")
+            ssl_endpoint.listen(factory)
+
         # Load the Twisted reactor
         self.reactor = cast(IReactorCore, reactor)
 

apricot/ldap/oauth_ldap_server_factory.py

@@ -8,14 +8,15 @@
 
 
 class OAuthLDAPServerFactory(ServerFactory):
-    def __init__(self, domain: str, oauth_client: OAuthClient, enable_group_of_groups: bool):
+    def __init__(self, domain: str, oauth_client: OAuthClient, enable_group_of_groups: bool, refresh_interval: int,
+                 background_refresh: bool):
         """
         Initialise an LDAPServerFactory
 
         @param oauth_client: An OAuth client used to construct the LDAP tree
         """
         # Create an LDAP lookup tree
-        self.adaptor = OAuthLDAPTree(domain, oauth_client, enable_group_of_groups)
+        self.adaptor = OAuthLDAPTree(domain, oauth_client, enable_group_of_groups, refresh_interval, background_refresh)
 
     def __repr__(self) -> str:
         return f"{self.__class__.__name__} using adaptor {self.adaptor}"

apricot/ldap/oauth_ldap_tree.py

@@ -14,7 +14,8 @@
 class OAuthLDAPTree:
 
     def __init__(
-        self, domain: str, oauth_client: OAuthClient, enable_group_of_groups: bool, refresh_interval: int = 60
+        self, domain: str, oauth_client: OAuthClient, enable_group_of_groups: bool, refresh_interval: int = 60,
+            background_refresh: bool = False
     ) -> None:
         """
         Initialise an OAuthLDAPTree
@@ -30,6 +31,7 @@ def __init__(
         self.refresh_interval = refresh_interval
         self.root_: OAuthLDAPEntry | None = None
         self.enable_group_of_groups = enable_group_of_groups
+        self.background_refresh = background_refresh
 
     @property
     def dn(self) -> DistinguishedName:
@@ -42,9 +44,14 @@ def root(self) -> OAuthLDAPEntry:
 
         @return: An OAuthLDAPEntry for the tree
         """
+        if not self.background_refresh:
+            self.refresh()
+        return self.root_
+
+    def refresh(self):
         if (
-            not self.root_
-            or (time.monotonic() - self.last_update) > self.refresh_interval
+                not self.root_
+                or (time.monotonic() - self.last_update) > self.refresh_interval
         ):
             # Update users and groups from the OAuth server
             log.msg("Retrieving OAuth data.")
@@ -81,7 +88,6 @@ def root(self) -> OAuthLDAPEntry:
             # Set last updated time
             log.msg("Finished building LDAP tree.")
             self.last_update = time.monotonic()
-        return self.root_
 
     def __repr__(self) -> str:
         return f"{self.__class__.__name__} with backend {self.oauth_client.__class__.__name__}"

docker/docker-compose.yaml

@@ -14,6 +14,7 @@ services:
       REDIS_HOST: "redis"
     ports:
       - "1389:1389"
+      - "1636:1636"
     restart: always
 
   redis:

docker/entrypoint.sh

@@ -41,10 +41,32 @@ if [ -n "${DISABLE_GROUP_OF_GROUPS}" ]; then
     EXTRA_OPTS="${EXTRA_OPTS} --disable-group-of-groups"
 fi
 
+if [ -n "${BACKGROUND_REFRESH}" ]; then
+    EXTRA_OPTS="${EXTRA_OPTS} --background-refresh"
+fi
+
+if [ -n "${REFRESH_INTERVAL}" ]; then
+    EXTRA_OPTS="${EXTRA_OPTS} --refresh-interval $REFRESH_INTERVAL"
+fi
+
 if [ -n "${ENTRA_TENANT_ID}" ]; then
     EXTRA_OPTS="${EXTRA_OPTS} --entra-tenant-id $ENTRA_TENANT_ID"
 fi
 
+
+
+if [ -n "${TLS_PORT}" ]; then
+    if [ -z "${TLS_CERTIFICATE}" ]; then
+        echo "$(date +'%Y-%m-%d %H:%M:%S+0000') [-] TLS_CERTIFICATE environment variable is not set"
+        exit 1
+    fi
+    if [ -z "${TLS_PRIVATE_KEY}" ]; then
+        echo "$(date +'%Y-%m-%d %H:%M:%S+0000') [-] TLS_PRIVATE_KEY environment variable is not set"
+        exit 1
+    fi
+    EXTRA_OPTS="${EXTRA_OPTS} --tls-port $TLS_PORT --tls-certificate $TLS_CERTIFICATE --tls-private-key $TLS_PRIVATE_KEY"
+fi
+
 if [ -n "${REDIS_HOST}" ]; then
     if [ -z "${REDIS_PORT}" ]; then
         REDIS_PORT="6379"

run.py

@@ -15,11 +15,17 @@
         parser.add_argument("-d", "--domain", type=str, help="Which domain users belong to.")
         parser.add_argument("-i", "--client-id", type=str, help="OAuth client ID.")
         parser.add_argument("-p", "--port", type=int, default=1389, help="Port to run on.")
+        parser.add_argument("--tls-port", type=int, default=None, help="Port to run on with encryption.")
         parser.add_argument("-s", "--client-secret", type=str, help="OAuth client secret.")
         parser.add_argument("--disable-group-of-groups", action="store_false",
                              dest="enable_group_of_groups", default=True,
                              help="Disable creation of group-of-groups.")
         parser.add_argument("--debug", action="store_true", help="Enable debug logging.")
+        parser.add_argument("--refresh-interval", type=int, default=60,
+                            help="How often to refresh the database in seconds")
+        parser.add_argument("--background-refresh", action="store_true", default=False,
+                            help="Refresh in the background instead of as needed per request")
+
         # Options for Microsoft Entra backend
         entra_group = parser.add_argument_group("Microsoft Entra")
         entra_group.add_argument("-t", "--entra-tenant-id", type=str, help="Microsoft Entra tenant ID.", required=False)
@@ -32,6 +38,10 @@
         redis_group = parser.add_argument_group("Redis")
         redis_group.add_argument("--redis-host", type=str, help="Host for Redis server.")
         redis_group.add_argument("--redis-port", type=int, help="Port for Redis server.")
+        # Options for TLS
+        redis_group = parser.add_argument_group("TLS")
+        redis_group.add_argument("--tls-certificate", type=str, help="Location of TLS certificate (pem).")
+        redis_group.add_argument("--tls-private-key", type=str, help="Location of TLS private key (pem).")
         # Parse arguments
         args = parser.parse_args()