CoreID/app/ldap/controllers/Sudo.controller.js

const LDAPController = require('./LDAPController')
const LDAP = require('ldapjs')

class SudoController extends LDAPController {
    static get services() {
        return [
            ...super.services,
            'output',
            'ldap_server',
            'models',
            'configs',
            'auth'
        ]
    }

    constructor() {
        super()
        this.Group = this.models.get('auth:Group')
        this.User = this.models.get('auth:User')
    }

    // TODO flitter-orm chunk query
    // TODO generalize scoped search logic
    async search_sudo(req, res, next) {
        if ( !req.user.can('ldap:search:sudo') ) {
            return next(new LDAP.InsufficientAccessRightsError())
        }

        console.log('[SUDO SEARCH]', req.filter.toString())
        const sudo_hosts = this.parse_sudo_hosts(req.filter)
        console.log('[SUDO HOSTS]', sudo_hosts)
        const iam_targets = await this.get_targets_from_hosts(sudo_hosts)
        console.log('[SUDO IAM]', iam_targets)

        if ( req.scope === 'base' ) {
            // If scope is base, check if the base DN matches the filter.
            // If so, return it. Else, return empty.
            this.output.debug(`Running base DN search for sudo with DN: ${req.dn.format(this.configs.get('ldap:server.format'))}`)

            const user = await this.get_resource_from_dn(req.dn)

            // Make sure the user is ldap visible && match the filter
            if ( user && user.ldap_visible && req.filter.matches(await user.to_sudo(iam_targets)) ) {

                // If so, send the object
                res.send({
                    dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
                    attributes: await user.to_sudo(iam_targets),
                })
            }
        } else if ( req.scope === 'one' ) {
            // If scope is one, find all entries that are the immediate
            // subordinates of the base DN that match the filter.
            this.output.debug(`Running one DN search for sudo with DN: ${req.dn.format(this.configs.get('ldap:server.format'))}`)

            // Fetch the LDAP-visible users
            const users = await this.Group.sudo_directory()
            for ( const user of users ) {

                // Make sure the user os of the appropriate scope
                if ( req.dn.equals(user.sudo_dn) || user.sudo_dn.parent().equals(req.dn) ) {

                    // Check if the filter matches
                    if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {

                        // If so, send the object
                        res.send({
                            dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
                            attributes: await user.to_sudo(iam_targets),
                        })
                    }
                }
            }

        } else if ( req.scope === 'sub' ) {
            // If scope is sub, find all entries that are subordinates
            // of the base DN at any level and match the filter.
            this.output.debug(`Running sub DN search for sudo with DN: ${req.dn.format(this.configs.get('ldap:server.format'))}`)

            // Fetch the users as LDAP objects
            const users = await this.Group.sudo_directory()
            for ( const user of users ) {

                // Make sure the user is of appropriate scope
                if ( req.dn.equals(user.sudo_dn) || req.dn.parentOf(user.sudo_dn) ) {

                    // Check if filter matches
                    if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {

                        // If so, send the object
                        res.send({
                            dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
                            attributes: await user.to_sudo(iam_targets),
                        })
                    }
                }
            }
        } else {
            this.output.error(`Attempted to perform LDAP search with invalid scope: ${req.scope}`)
            return next(new LDAP.OtherError('Attempted to perform LDAP search with invalid scope.'))
        }

        res.end()
        return next()
    }

    parse_sudo_hosts(filter, target_hosts = []) {
        if ( Array.isArray(filter?.filters) ) {
            for ( const sub_filter of filter.filters ) {
                target_hosts = [...target_hosts, ...this.parse_sudo_hosts(sub_filter)]
            }
        } else if ( filter?.attribute ) {
            if ( filter.attribute === 'sudohost' ) {
                target_hosts.push(filter.value)
            }
        }

        return target_hosts
    }

    async get_targets_from_hosts(sudo_hosts) {
        const Machine = this.models.get('ldap:Machine')
        const machines = await Machine.find({
            active: true,
            ldap_visible: true,
            host_name: {
                $in: sudo_hosts.filter(x => x.toLowerCase() !== 'all' && x.indexOf('*') < 0),
            }
        })

        return machines.map(x => x.id)
    }

    get_cn_from_dn(dn) {
        try {
            if ( typeof dn === 'string' ) dn = LDAP.parseDN(dn)
            return dn.rdns[0].attrs.cn.value
        } catch (e) { console.log('Error parsing CN from DN', e) }
    }

    async get_resource_from_dn(sudo_dn) {
        const cn = this.get_cn_from_dn(sudo_dn)
        if ( cn ) {
            return this.User.findOne({uid: cn.substr(5), ldap_visible: true})
        }
    }
}

module.exports = exports = SudoController
Add support for sudo 2021-03-11 05:43:16 +00:00			`const LDAPController = require('./LDAPController')`
			`const LDAP = require('ldapjs')`

			`class SudoController extends LDAPController {`
			`static get services() {`
			`return [`
			`...super.services,`
			`'output',`
			`'ldap_server',`
			`'models',`
			`'configs',`
			`'auth'`
			`]`
			`}`

			`constructor() {`
			`super()`
			`this.Group = this.models.get('auth:Group')`
			`this.User = this.models.get('auth:User')`
			`}`

			`// TODO flitter-orm chunk query`
			`// TODO generalize scoped search logic`
			`async search_sudo(req, res, next) {`
			`if ( !req.user.can('ldap:search:sudo') ) {`
			`return next(new LDAP.InsufficientAccessRightsError())`
			`}`

Debugging 2021-04-15 17:51:23 +00:00			`console.log('[SUDO SEARCH]', req.filter.toString())`
Look up IAM from sudo hosts 2021-04-15 18:00:13 +00:00			`const sudo_hosts = this.parse_sudo_hosts(req.filter)`
			`console.log('[SUDO HOSTS]', sudo_hosts)`
			`const iam_targets = await this.get_targets_from_hosts(sudo_hosts)`
			`console.log('[SUDO IAM]', iam_targets)`
Debugging 2021-04-15 17:51:23 +00:00
Add support for sudo 2021-03-11 05:43:16 +00:00			`if ( req.scope === 'base' ) {`
			`// If scope is base, check if the base DN matches the filter.`
			`// If so, return it. Else, return empty.`
			this.output.debug(`Running base DN search for sudo with DN: ${req.dn.format(this.configs.get('ldap:server.format'))}`)

			`const user = await this.get_resource_from_dn(req.dn)`

			`// Make sure the user is ldap visible && match the filter`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`if ( user && user.ldap_visible && req.filter.matches(await user.to_sudo(iam_targets)) ) {`
Add support for sudo 2021-03-11 05:43:16 +00:00
			`// If so, send the object`
			`res.send({`
			`dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`attributes: await user.to_sudo(iam_targets),`
Add support for sudo 2021-03-11 05:43:16 +00:00			`})`
			`}`
			`} else if ( req.scope === 'one' ) {`
			`// If scope is one, find all entries that are the immediate`
			`// subordinates of the base DN that match the filter.`
			this.output.debug(`Running one DN search for sudo with DN: ${req.dn.format(this.configs.get('ldap:server.format'))}`)

			`// Fetch the LDAP-visible users`
			`const users = await this.Group.sudo_directory()`
			`for ( const user of users ) {`

			`// Make sure the user os of the appropriate scope`
			`if ( req.dn.equals(user.sudo_dn) \|\| user.sudo_dn.parent().equals(req.dn) ) {`

			`// Check if the filter matches`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {`
Add support for sudo 2021-03-11 05:43:16 +00:00
			`// If so, send the object`
			`res.send({`
			`dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`attributes: await user.to_sudo(iam_targets),`
Add support for sudo 2021-03-11 05:43:16 +00:00			`})`
			`}`
			`}`
			`}`

			`} else if ( req.scope === 'sub' ) {`
			`// If scope is sub, find all entries that are subordinates`
			`// of the base DN at any level and match the filter.`
			this.output.debug(`Running sub DN search for sudo with DN: ${req.dn.format(this.configs.get('ldap:server.format'))}`)

			`// Fetch the users as LDAP objects`
			`const users = await this.Group.sudo_directory()`
			`for ( const user of users ) {`

			`// Make sure the user is of appropriate scope`
			`if ( req.dn.equals(user.sudo_dn) \|\| req.dn.parentOf(user.sudo_dn) ) {`

			`// Check if filter matches`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {`
Add support for sudo 2021-03-11 05:43:16 +00:00
			`// If so, send the object`
			`res.send({`
			`dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`attributes: await user.to_sudo(iam_targets),`
Add support for sudo 2021-03-11 05:43:16 +00:00			`})`
			`}`
			`}`
			`}`
			`} else {`
			this.output.error(`Attempted to perform LDAP search with invalid scope: ${req.scope}`)
			`return next(new LDAP.OtherError('Attempted to perform LDAP search with invalid scope.'))`
			`}`

			`res.end()`
			`return next()`
			`}`

Look up IAM from sudo hosts 2021-04-15 18:00:13 +00:00			`parse_sudo_hosts(filter, target_hosts = []) {`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`if ( Array.isArray(filter?.filters) ) {`
			`for ( const sub_filter of filter.filters ) {`
Fix recursive method call in sudo controller 2021-04-15 18:02:18 +00:00			`target_hosts = [...target_hosts, ...this.parse_sudo_hosts(sub_filter)]`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`}`
			`} else if ( filter?.attribute ) {`
Look up IAM from sudo hosts 2021-04-15 18:00:13 +00:00			`if ( filter.attribute === 'sudohost' ) {`
			`target_hosts.push(filter.value)`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`}`
			`}`

Look up IAM from sudo hosts 2021-04-15 18:00:13 +00:00			`return target_hosts`
			`}`

			`async get_targets_from_hosts(sudo_hosts) {`
			`const Machine = this.models.get('ldap:Machine')`
			`const machines = await Machine.find({`
			`active: true,`
			`ldap_visible: true,`
			`host_name: {`
			`$in: sudo_hosts.filter(x => x.toLowerCase() !== 'all' && x.indexOf('*') < 0),`
			`}`
			`})`

			`return machines.map(x => x.id)`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`}`

Add support for sudo 2021-03-11 05:43:16 +00:00			`get_cn_from_dn(dn) {`
			`try {`
			`if ( typeof dn === 'string' ) dn = LDAP.parseDN(dn)`
			`return dn.rdns[0].attrs.cn.value`
			`} catch (e) { console.log('Error parsing CN from DN', e) }`
			`}`

			`async get_resource_from_dn(sudo_dn) {`
			`const cn = this.get_cn_from_dn(sudo_dn)`
			`if ( cn ) {`
Make sudo access managed via IAM rather than group checkmark 2021-04-15 15:56:11 +00:00			`return this.User.findOne({uid: cn.substr(5), ldap_visible: true})`
Add support for sudo 2021-03-11 05:43:16 +00:00			`}`
			`}`
			`}`

			`module.exports = exports = SudoController`