feat(authentication): ldap connection pooling

This implements optional LDAP connection pooling to optimize the speed of LDAP transactions. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
authelia · Apr 22, 2024 · 599fce6 · 599fce6
1 parent 98970a2
commit 599fce6
Show file tree

Hide file tree

Showing 26 changed files with 2,310 additions and 2,147 deletions.
diff --git a/cmd/authelia-scripts/cmd/gen.go b/cmd/authelia-scripts/cmd/gen.go
diff --git a/docs/content/integration/openid-connect/wikijs/index.md b/docs/content/integration/openid-connect/wikijs/index.md
@@ -2,7 +2,7 @@
 title: "Wiki.js"
 description: "Integrating Wiki.js with the Authelia OpenID Connect 1.0 Provider."
 summary: ""
-date: 2024-04-18T10:36:12+10:00
+date: 2024-04-18T15:25:09+10:00
 draft: false
 images: []
 weight: 620

diff --git a/docs/data/configkeys.json b/docs/data/configkeys.json
@@ -304,6 +304,26 @@
         "secret": true,
         "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_CERTIFICATE_CHAIN_FILE"
     },
+    {
+        "path": "authentication_backend.ldap.pooling.enable",
+        "secret": false,
+        "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_POOLING_ENABLE"
+    },
+    {
+        "path": "authentication_backend.ldap.pooling.count",
+        "secret": false,
+        "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_POOLING_COUNT"
+    },
+    {
+        "path": "authentication_backend.ldap.pooling.retries",
+        "secret": false,
+        "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_POOLING_RETRIES"
+    },
+    {
+        "path": "authentication_backend.ldap.pooling.timeout",
+        "secret": false,
+        "env": "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_POOLING_TIMEOUT"
+    },
     {
         "path": "authentication_backend.ldap.base_dn",
         "secret": false,

diff --git a/docs/static/schemas/latest/json-schema/configuration.json b/docs/static/schemas/latest/json-schema/configuration.json
@@ -713,6 +713,11 @@
           "title": "TLS",
           "description": "The LDAP directory server TLS connection properties."
         },
+        "pooling": {
+          "$ref": "#/$defs/AuthenticationBackendLDAPPooling",
+          "title": "Pooling",
+          "description": "The LDAP Connection Pooling properties."
+        },
         "base_dn": {
           "type": "string",
           "title": "Base DN",
@@ -821,6 +826,44 @@
       "type": "object",
       "description": "AuthenticationBackendLDAPAttributes represents the configuration related to LDAP server attributes."
     },
+    "AuthenticationBackendLDAPPooling": {
+      "properties": {
+        "enable": {
+          "type": "boolean",
+          "title": "Enable",
+          "description": "Enable LDAP connection pooling.",
+          "default": false
+        },
+        "count": {
+          "type": "integer",
+          "title": "Count",
+          "description": "The number of connections to keep open for LDAP connection pooling.",
+          "default": 5
+        },
+        "retries": {
+          "type": "integer",
+          "title": "Retries",
+          "description": "The number of attempts to retrieve a connection from the pool during the timeout.",
+          "default": 2
+        },
+        "timeout": {
+          "oneOf": [
+            {
+              "type": "string",
+              "pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
+            },
+            {
+              "type": "integer",
+              "description": "The duration in seconds"
+            }
+          ],
+          "title": "Timeout",
+          "description": "The duration of time to wait for a connection to become available in the connection pool."
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "AuthenticationBackendPasswordReset": {
       "properties": {
         "disable": {

diff --git a/docs/static/schemas/v4.38/json-schema/configuration.json b/docs/static/schemas/v4.38/json-schema/configuration.json
@@ -713,6 +713,11 @@
           "title": "TLS",
           "description": "The LDAP directory server TLS connection properties."
         },
+        "pooling": {
+          "$ref": "#/$defs/AuthenticationBackendLDAPPooling",
+          "title": "Pooling",
+          "description": "The LDAP Connection Pooling properties."
+        },
         "base_dn": {
           "type": "string",
           "title": "Base DN",
@@ -821,6 +826,44 @@
       "type": "object",
       "description": "AuthenticationBackendLDAPAttributes represents the configuration related to LDAP server attributes."
     },
+    "AuthenticationBackendLDAPPooling": {
+      "properties": {
+        "enable": {
+          "type": "boolean",
+          "title": "Enable",
+          "description": "Enable LDAP connection pooling.",
+          "default": false
+        },
+        "count": {
+          "type": "integer",
+          "title": "Count",
+          "description": "The number of connections to keep open for LDAP connection pooling.",
+          "default": 5
+        },
+        "retries": {
+          "type": "integer",
+          "title": "Retries",
+          "description": "The number of attempts to retrieve a connection from the pool during the timeout.",
+          "default": 2
+        },
+        "timeout": {
+          "oneOf": [
+            {
+              "type": "string",
+              "pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$"
+            },
+            {
+              "type": "integer",
+              "description": "The duration in seconds"
+            }
+          ],
+          "title": "Timeout",
+          "description": "The duration of time to wait for a connection to become available in the connection pool."
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "AuthenticationBackendPasswordReset": {
       "properties": {
         "disable": {

diff --git a/internal/authentication/file_user_provider_database_mock_test.go b/internal/authentication/file_user_provider_database_mock_test.go
diff --git a/internal/authentication/file_user_provider_test.go b/internal/authentication/file_user_provider_test.go
@@ -705,7 +705,7 @@ func TestDatabaseError(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		defer ctrl.Finish()
 
-		mock := NewMockFileUserDatabase(ctrl)
+		mock := NewMockFileUserProviderDatabase(ctrl)
 
 		provider.database = mock
 

diff --git a/internal/authentication/gen.go b/internal/authentication/gen.go
@@ -3,7 +3,8 @@ package authentication
 // This file is used to generate mocks. You can generate all mocks using the
 // command `go generate github.com/authelia/authelia/v4/internal/authentication`.
 
-//go:generate mockgen -package authentication -destination ldap_client_mock_test.go -mock_names LDAPClient=MockLDAPClient github.com/authelia/authelia/v4/internal/authentication LDAPClient
-//go:generate mockgen -package authentication -destination ldap_client_factory_mock_test.go -mock_names LDAPClientFactory=MockLDAPClientFactory github.com/authelia/authelia/v4/internal/authentication LDAPClientFactory
-//go:generate mockgen -package authentication -destination file_user_provider_database_mock_test.go -mock_names FileUserDatabase=MockFileUserDatabase github.com/authelia/authelia/v4/internal/authentication FileUserDatabase
-//go:generate mockgen -package authentication -destination file_user_provider_hash_mock_test.go -mock_names Hash=MockHash github.com/go-crypt/crypt/algorithm Hash
+//go:generate mockgen -package authentication -destination mock_ldap_client_test.go -mock_names Client=MockLDAPClient github.com/go-ldap/ldap/v3 Client
+//go:generate mockgen -package authentication -destination mock_ldap_client_dialer_test.go -mock_names LDAPClientDialer=MockLDAPClientDialer github.com/authelia/authelia/v4/internal/authentication LDAPClientDialer
+//go:generate mockgen -package authentication -destination mock_ldap_client_factory_test.go -mock_names LDAPClientFactory=MockLDAPClientFactory github.com/authelia/authelia/v4/internal/authentication LDAPClientFactory
+//go:generate mockgen -package authentication -destination mock_file_user_provider_database_test.go -mock_names FileUserProviderDatabase=MockFileUserProviderDatabase github.com/authelia/authelia/v4/internal/authentication FileUserProviderDatabase
+//go:generate mockgen -package authentication -destination mock_hash_test.go -mock_names Hash=MockHash github.com/go-crypt/crypt/algorithm Hash
diff --git a/internal/authentication/ldap_client_dialer.go b/internal/authentication/ldap_client_dialer.go
@@ -0,0 +1,23 @@
+package authentication
+
+import "github.com/go-ldap/ldap/v3"
+
+// LDAPClientDialer is an abstract type that dials a ldap.Client.
+type LDAPClientDialer interface {
+	// DialURL takes a single address and dials it returning the ldap.Client.
+	DialURL(addr string, opts ...ldap.DialOpt) (client ldap.Client, err error)
+}
+
+// NewLDAPConnectionDialerStandard returns a new *LDAPClientDialerStandard.
+func NewLDAPConnectionDialerStandard() *LDAPClientDialerStandard {
+	return &LDAPClientDialerStandard{}
+}
+
+// LDAPClientDialerStandard is a concrete type that dials a ldap.Client and returns it, implementing the
+// LDAPClientDialer.
+type LDAPClientDialerStandard struct{}
+
+// DialURL takes a single address and dials it returning the ldap.Client.
+func (d *LDAPClientDialerStandard) DialURL(addr string, opts ...ldap.DialOpt) (client ldap.Client, err error) {
+	return ldap.DialURL(addr, opts...)
+}