CoreID/app/controllers/api/v1/LDAP.controller.js

343 lines
11 KiB
JavaScript
Raw Normal View History

2020-05-12 01:26:09 +00:00
const { Controller } = require('libflitter')
const zxcvbn = require('zxcvbn')
class LDAPController extends Controller {
static get services() {
2020-05-22 03:56:48 +00:00
return [...super.services, 'models', 'utility', 'configs']
}
async get_config(req, res, next) {
// ldap port
// user base dn
// group base dn
const config = this.configs.get('ldap:server')
return res.api({
port: config.port,
base_dc: config.schema.base_dc,
authentication_base: config.schema.authentication_base,
group_base: config.schema.group_base,
login_field: config.schema.auth.user_id,
})
2020-05-12 01:26:09 +00:00
}
async get_clients(req, res, next) {
const Client = this.models.get('ldap:Client')
const clients = await Client.find({active: true})
const data = []
for ( const client of clients ) {
if ( !req.user.can(`ldap:client:${client.id}:view`) ) continue
data.push(await client.to_api())
}
return res.api(data)
}
async get_groups(req, res, next) {
const Group = this.models.get('ldap:Group')
const groups = await Group.find({active: true})
const data = []
for ( const group of groups ) {
if ( !req.user.can(`ldap:group:${group.id}:view`) ) continue
data.push(await group.to_api())
}
return res.api(data)
}
async get_client(req, res, next) {
const Client = this.models.get('ldap:Client')
const client = await Client.findById(req.params.id)
if ( !client || !client.active )
return res.status(404)
.message(req.T('api.client_not_found'))
2020-05-12 01:26:09 +00:00
.api()
if ( !req.user.can(`ldap:client:${client.id}:view`) )
return res.status(401)
.message(req.T('api.insufficient_permissions'))
2020-05-12 01:26:09 +00:00
.api()
return res.api(await client.to_api())
}
async get_group(req, res, next) {
const Group = this.models.get('ldap:Group')
const group = await Group.findById(req.params.id)
if ( !group || !group.active )
return res.status(404)
.message(req.T('api.group_not_found'))
2020-05-12 01:26:09 +00:00
.api()
if ( !req.user.can(`ldap:group:${group.id}:view`) )
return res.status(401)
.message(req.T('api.insufficient_permissions'))
2020-05-12 01:26:09 +00:00
.api()
return res.api(await group.to_api())
}
async create_client(req, res, next) {
if ( !req.user.can('ldap:client:create') )
return res.status(401)
.message(req.T('api.insufficient_permissions'))
2020-05-12 01:26:09 +00:00
.api()
// validate inputs
const required_fields = ['name', 'uid', 'password']
for ( const field of required_fields ) {
if ( !req.body[field] )
return res.status(400)
.message(`${req.T('api.missing_field')} ${field}`)
2020-05-12 01:26:09 +00:00
}
// Make sure the uid is free
const User = this.models.get('auth:User')
const existing_user = await User.findOne({ uid: req.body.uid })
if ( existing_user )
return res.status(400)
.message(req.T('api.user_already_exists'))
2020-05-12 01:26:09 +00:00
.api()
// Verify password complexity
const min_score = 3
const result = zxcvbn(req.body.password)
if ( result.score < min_score )
return res.status(400)
.message(req.T('auth.password_complexity_fail').replace('MIN_SCORE', min_score))
2020-05-12 01:26:09 +00:00
.api()
// Create the client
const Client = this.models.get('ldap:Client')
const client = await Client.create({
uid: req.body.uid,
password: req.body.password,
name: req.body.name,
})
return res.api(await client.to_api())
}
async create_group(req, res, next) {
console.log(req.body)
if ( !req.user.can(`ldap:group:create`) )
return res.status(401)
.message(req.T('api.insufficient_permissions'))
2020-05-12 01:26:09 +00:00
.api()
// validate inputs
const required_fields = ['role', 'name']
for ( const field of required_fields ) {
if ( !req.body[field] )
return res.status(400)
.message(`${req.T('api.missing_field')} ${field}`)
2020-05-12 01:26:09 +00:00
.api()
}
// Make sure the group name is free
const Group = this.models.get('ldap:Group')
const User = this.models.get('auth:User')
const existing_group = await Group.findOne({ name: req.body.name })
if ( existing_group )
return res.status(400)
.message(req.T('api.group_already_exists'))
2020-05-12 01:26:09 +00:00
.api()
// Make sure the role exists
if ( !this.configs.get('auth.roles')[req.body.role] )
return res.status(400)
.message(`${req.T('common.invalid')} role.`)
2020-05-12 01:26:09 +00:00
.api()
const group = new Group({
name: req.body.name,
role: req.body.role,
})
if ( 'ldap_visible' in req.body ) group.ldap_visible = !!req.body.ldap_visible
if ( 'user_ids' in req.body ) {
// Attempt to parse the user_ids
const parsed = typeof req.body.user_ids === 'string' ? this.utility.infer(req.body.user_ids) : req.body.user_ids
const user_ids = Array.isArray(parsed) ? parsed : [parsed]
// Make sure all the user IDs are valid
for ( const user_id of user_ids ) {
const user = await User.findById(user_id)
if ( !user )
return res.status(400)
.message(`${req.T('common.invalid')} user_id: ${user_id}`)
2020-05-12 01:26:09 +00:00
.api()
}
group.user_ids = user_ids
}
await group.save()
return res.api(await group.to_api())
}
async update_client(req, res, next) {
const Client = this.models.get('ldap:Client')
const client = await Client.findById(req.params.id)
if ( !client || !client.active )
return res.status(404)
.message(req.T('api.client_not_found'))
2020-05-12 01:26:09 +00:00
.api()
if ( !req.user.can(`ldap:client:${client.id}:update`) )
return res.status(401)
.message(req.T('api.insufficient_permissions'))
2020-05-12 01:26:09 +00:00
.api()
const required_fields = ['name', 'uid']
for ( const field of required_fields ) {
if ( !req.body[field] )
return res.status(400)
.message(`${req.T('api.missing_field')} ${field}`)
2020-05-12 01:26:09 +00:00
.api()
}
const user = await client.user()
// Update the name
if ( req.body.name !== client.name ) {
client.name = req.body.name
user.first_name = req.body.name
}
// Update the uid
if ( req.body.uid !== user.uid ) {
// Make sure the UID is free
const User = this.models.get('auth:User')
const existing_user = await User.findOne({ uid: req.body.uid })
if ( existing_user )
return res.status(400)
.message(req.T('api.user_already_exists'))
2020-05-12 01:26:09 +00:00
.api()
user.uid = req.body.uid
}
// Update the password
if ( req.body.password && !(await user.check_password(req.body.password)) ) {
// Verify the password's complexity
const min_score = 3
const result = zxcvbn(req.body.password)
if ( result.score < min_score )
return res.status(400)
.message(req.T('auth.password_complexity_fail').replace('MIN_SCORE', min_score))
2020-05-12 01:26:09 +00:00
.api()
await user.reset_password(req.body.password)
}
await user.save()
await client.save()
return res.api()
}
async update_group(req, res, next) {
const User = await this.models.get('auth:User')
const Group = await this.models.get('ldap:Group')
const group = await Group.findById(req.params.id)
if ( !group || !group.active )
return res.status(404)
.message(req.T('api.group_not_found'))
2020-05-12 01:26:09 +00:00
.api()
if ( !req.user.can(`ldap:group:${group.id}:update`) )
return res.status(401)
.message(req.T('api.insufficient_permissions'))
2020-05-12 01:26:09 +00:00
.api()
const required_fields = ['role', 'name']
for ( const field of required_fields ) {
if ( !req.body[field] )
return res.status(400)
.message(`${req.T('api.missing_field')} ${field}`)
2020-05-12 01:26:09 +00:00
.api()
}
// Make sure the name is free
const existing_group = await Group.findOne({ name: req.body.name })
if ( existing_group && existing_group.id !== group.id )
return res.status(400)
.message(req.T('api.group_already_exists'))
2020-05-12 01:26:09 +00:00
.api()
group.name = req.body.name
group.role = req.body.name
group.ldap_visible = !!req.body.ldap_visible
if ( req.body.user_ids ) {
const parsed = typeof req.body.user_ids === 'string' ? this.utility.infer(req.body.user_ids) : req.body.user_ids
const user_ids = Array.isArray(parsed) ? parsed : [parsed]
for ( const user_id of user_ids ) {
const user = await User.findById(user_id)
if ( !user )
return res.status(400)
.message(`${req.T('common.invalid')} user_id: ${user_id}`)
2020-05-12 01:26:09 +00:00
.api()
}
group.user_ids = user_ids
} else {
group.user_ids = []
}
await group.save()
return res.api()
}
async delete_client(req, res, next) {
const Client = this.models.get('ldap:Client')
const client = await Client.findById(req.params.id)
if ( !client || !client.active )
return res.status(404)
.message(req.T('api.client_not_found'))
2020-05-12 01:26:09 +00:00
.api()
if ( !req.user.can(`ldap:client:${client.id}:delete`) )
return res.status(401)
.message(req.T('api.insufficient_permissions'))
2020-05-12 01:26:09 +00:00
.api()
const user = await client.user()
client.active = false
user.active = false
user.block_login = true
await user.save()
await client.save()
return res.api()
}
async delete_group(req, res, next) {
const Group = this.models.get('ldap:Group')
const group = await Group.findById(req.params.id)
if ( !group || !group.active )
return res.status(404)
.message(req.T('api.group_not_found'))
2020-05-12 01:26:09 +00:00
.api()
if ( !req.user.can(`ldap:group:${group.id}:delete`) )
return res.status(401)
.message(req.T('api.insufficient_permissions'))
2020-05-12 01:26:09 +00:00
.api()
group.active = false
await group.save()
return res.api()
}
}
module.exports = exports = LDAPController