From fa69c918b23e6a766c8ddc59355fa5da18eff602 Mon Sep 17 00:00:00 2001
From: Stephan Renatus <srenatus@chef.io>
Date: Tue, 7 Nov 2017 10:28:21 +0100
Subject: [PATCH] password connectors: allow overriding the username attribute
 (password prompt)

This allows users of the LDAP connector to give users of Dex' login
prompt an idea of what they should enter for a username.

Before, irregardless of how the LDAP connector was set up, the prompt
was

    Username
    [_________________]

    Password
    [_________________]

Now, this is configurable, and can be used to say "MyCorp SSO Login" if
that's what it is.

If it's not configured, it will default to "Username".

For the passwordDB connector (local users), it is set to "Email
Address", since this is what it uses.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
---
 Documentation/ldap-connector.md |  4 ++++
 connector/connector.go          |  3 +++
 connector/ldap/ldap.go          |  9 +++++++++
 connector/ldap/ldap_test.go     | 25 +++++++++++++++++++++++++
 connector/mock/connectortest.go |  2 ++
 examples/config-ldap.yaml       |  6 ++++--
 server/handlers.go              | 12 ++++++++++--
 server/server.go                |  4 ++++
 server/server_test.go           | 10 ++++++++++
 server/templates.go             | 12 +++++++-----
 web/templates/password.html     |  6 +++---
 11 files changed, 81 insertions(+), 12 deletions(-)

diff --git a/Documentation/ldap-connector.md b/Documentation/ldap-connector.md
index 761d87d5..0a0813c7 100644
--- a/Documentation/ldap-connector.md
+++ b/Documentation/ldap-connector.md
@@ -90,6 +90,10 @@ connectors:
     bindDN: uid=seviceaccount,cn=users,dc=example,dc=com
     bindPW: password
 
+    # The attribute to display in the provided password prompt. If unset, will
+    # display "Username"
+    usernamePrompt: SSO Username
+
     # User search maps a username and password entered by a user to a LDAP entry.
     userSearch:
       # BaseDN to start the search from. It will translate to the query
diff --git a/connector/connector.go b/connector/connector.go
index bc5f3b18..c442c54a 100644
--- a/connector/connector.go
+++ b/connector/connector.go
@@ -39,7 +39,10 @@ type Identity struct {
 
 // PasswordConnector is an interface implemented by connectors which take a
 // username and password.
+// Prompt() is used to inform the handler what to display in the password
+// template. If this returns an empty string, it'll default to "Username".
 type PasswordConnector interface {
+	Prompt() string
 	Login(ctx context.Context, s Scopes, username, password string) (identity Identity, validPassword bool, err error)
 }
 
diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index 5d19a51d..585907cc 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -77,6 +77,11 @@ type Config struct {
 	BindDN string `json:"bindDN"`
 	BindPW string `json:"bindPW"`
 
+	// UsernamePrompt allows users to override the username attribute (displayed
+	// in the username/password prompt). If unset, the handler will use
+	// "Username".
+	UsernamePrompt string `json:"usernamePrompt"`
+
 	// User entry search configuration.
 	UserSearch struct {
 		// BsaeDN to start the search from. For example "cn=users,dc=example,dc=com"
@@ -545,3 +550,7 @@ func (c *ldapConnector) groups(ctx context.Context, user ldap.Entry) ([]string,
 	}
 	return groupNames, nil
 }
+
+func (c *ldapConnector) Prompt() string {
+	return c.UsernamePrompt
+}
diff --git a/connector/ldap/ldap_test.go b/connector/ldap/ldap_test.go
index 3b903856..23ad593b 100644
--- a/connector/ldap/ldap_test.go
+++ b/connector/ldap/ldap_test.go
@@ -437,6 +437,31 @@ userpassword: foo
 	runTests(t, schema, connectLDAPS, c, tests)
 }
 
+func TestUsernamePrompt(t *testing.T) {
+	tests := map[string]struct {
+		config   Config
+		expected string
+	}{
+		"with usernamePrompt unset it returns \"\"": {
+			config:   Config{},
+			expected: "",
+		},
+		"with usernamePrompt set it returns that": {
+			config:   Config{UsernamePrompt: "Email address"},
+			expected: "Email address",
+		},
+	}
+
+	for n, d := range tests {
+		t.Run(n, func(t *testing.T) {
+			conn := &ldapConnector{Config: d.config}
+			if actual := conn.Prompt(); actual != d.expected {
+				t.Errorf("expected %v, got %v", d.expected, actual)
+			}
+		})
+	}
+}
+
 // runTests runs a set of tests against an LDAP schema. It does this by
 // setting up an OpenLDAP server and injecting the provided scheme.
 //
diff --git a/connector/mock/connectortest.go b/connector/mock/connectortest.go
index 18abd820..4a8b1257 100644
--- a/connector/mock/connectortest.go
+++ b/connector/mock/connectortest.go
@@ -110,3 +110,5 @@ func (p passwordConnector) Login(ctx context.Context, s connector.Scopes, userna
 	}
 	return identity, false, nil
 }
+
+func (p passwordConnector) Prompt() string { return "" }
diff --git a/examples/config-ldap.yaml b/examples/config-ldap.yaml
index 513a0005..6b423ddf 100644
--- a/examples/config-ldap.yaml
+++ b/examples/config-ldap.yaml
@@ -15,11 +15,13 @@ connectors:
 
     # No TLS for this setup.
     insecureNoSSL: true
-    
+
     # This would normally be a read-only user.
     bindDN: cn=admin,dc=example,dc=org
     bindPW: admin
-    
+
+    usernamePrompt: Email Address
+
     userSearch:
       baseDN: ou=People,dc=example,dc=org
       filter: "(objectClass=person)"
diff --git a/server/handlers.go b/server/handlers.go
index 345cd496..c265e0b1 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -250,7 +250,7 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 			}
 			http.Redirect(w, r, callbackURL, http.StatusFound)
 		case connector.PasswordConnector:
-			if err := s.templates.password(w, r.URL.String(), "", false); err != nil {
+			if err := s.templates.password(w, r.URL.String(), "", usernamePrompt(conn), false); err != nil {
 				s.logger.Errorf("Server template error: %v", err)
 			}
 		case connector.SAMLConnector:
@@ -298,7 +298,7 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		if !ok {
-			if err := s.templates.password(w, r.URL.String(), username, true); err != nil {
+			if err := s.templates.password(w, r.URL.String(), username, usernamePrompt(passwordConnector), true); err != nil {
 				s.logger.Errorf("Server template error: %v", err)
 			}
 			return
@@ -1005,3 +1005,11 @@ func (s *Server) tokenErrHelper(w http.ResponseWriter, typ string, description s
 		s.logger.Errorf("token error response: %v", err)
 	}
 }
+
+// Check for username prompt override from connector. Defaults to "Username".
+func usernamePrompt(conn connector.PasswordConnector) string {
+	if attr := conn.Prompt(); attr != "" {
+		return attr
+	}
+	return "Username"
+}
diff --git a/server/server.go b/server/server.go
index e0b7d359..f915b5ac 100644
--- a/server/server.go
+++ b/server/server.go
@@ -344,6 +344,10 @@ func (db passwordDB) Refresh(ctx context.Context, s connector.Scopes, identity c
 	return identity, nil
 }
 
+func (db passwordDB) Prompt() string {
+	return "Email Address"
+}
+
 // newKeyCacher returns a storage which caches keys so long as the next
 func newKeyCacher(s storage.Storage, now func() time.Time) storage.Storage {
 	if now == nil {
diff --git a/server/server_test.go b/server/server_test.go
index a67cfbf4..b5f73363 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -1017,6 +1017,16 @@ func TestPasswordDB(t *testing.T) {
 
 }
 
+func TestPasswordDBUsernamePrompt(t *testing.T) {
+	s := memory.New(logger)
+	conn := newPasswordDB(s)
+
+	expected := "Email Address"
+	if actual := conn.Prompt(); actual != expected {
+		t.Errorf("expected %v, got %v", expected, actual)
+	}
+}
+
 type storageWithKeysTrigger struct {
 	storage.Storage
 	f func()
diff --git a/server/templates.go b/server/templates.go
index 4c11e2c4..aff4568c 100644
--- a/server/templates.go
+++ b/server/templates.go
@@ -139,6 +139,7 @@ func loadTemplates(c webConfig, templatesDir string) (*templates, error) {
 		"issuer": func() string { return c.issuer },
 		"logo":   func() string { return c.logoURL },
 		"url":    func(s string) string { return join(c.issuerURL, s) },
+		"lower":  strings.ToLower,
 	}
 
 	tmpls, err := template.New("").Funcs(funcs).ParseFiles(filenames...)
@@ -189,12 +190,13 @@ func (t *templates) login(w http.ResponseWriter, connectors []connectorInfo) err
 	return renderTemplate(w, t.loginTmpl, data)
 }
 
-func (t *templates) password(w http.ResponseWriter, postURL, lastUsername string, lastWasInvalid bool) error {
+func (t *templates) password(w http.ResponseWriter, postURL, lastUsername, usernamePrompt string, lastWasInvalid bool) error {
 	data := struct {
-		PostURL  string
-		Username string
-		Invalid  bool
-	}{postURL, lastUsername, lastWasInvalid}
+		PostURL        string
+		Username       string
+		UsernamePrompt string
+		Invalid        bool
+	}{postURL, lastUsername, usernamePrompt, lastWasInvalid}
 	return renderTemplate(w, t.passwordTmpl, data)
 }
 
diff --git a/web/templates/password.html b/web/templates/password.html
index 7a6c8aa6..bd2e954d 100644
--- a/web/templates/password.html
+++ b/web/templates/password.html
@@ -5,9 +5,9 @@
   <form method="post" action="{{ .PostURL }}">
     <div class="theme-form-row">
       <div class="theme-form-label">
-        <label for="userid">Username</label>
+        <label for="userid">{{ .UsernamePrompt }}</label>
       </div>
-	  <input tabindex="1" required id="login" name="login" type="text" class="theme-form-input" placeholder="username" {{ if .Username }} value="{{ .Username }}" {{ else }} autofocus {{ end }}/>
+	  <input tabindex="1" required id="login" name="login" type="text" class="theme-form-input" placeholder="{{ .UsernamePrompt | lower }}" {{ if .Username }} value="{{ .Username }}" {{ else }} autofocus {{ end }}/>
     </div>
     <div class="theme-form-row">
       <div class="theme-form-label">
@@ -18,7 +18,7 @@
 
     {{ if .Invalid }}
       <div id="login-error" class="dex-error-box">
-        Invalid username and password.
+        Invalid {{ .UsernamePrompt }} and password.
       </div>
     {{ end }}