Starship/CoreID
1
0
Fork 0
Code Issues 8 Pull Requests Releases 34 Wiki Activity

Flesh out users OU (works with Gitea simple LDAP now!!)

Browse Source
This commit is contained in:
garrettmills
2020-04-20 22:46:19 -05:00
parent 68cc90899c
commit 175c335542
16 changed files with 1988 additions and 231 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
app/ldap/controllers/LDAPController.js
View File

@@ -1,7 +1,105 @@
const { Injectable } = require('flitter-di')
const { ImplementationError } = require('libflitter')
const LDAP = require('ldapjs')
class LDAPController extends Injectable {
resource_type = 'items'
// TODO make use of this better
check_attribute = 'ldap_visible' // or false
static get services() {
return [...super.services, 'ldap_server', 'ldap_dn_format']
}
async compare(req, res, next) {
if ( !req.user.can(`ldap:compare:${this.resource_type}`)) {
return next(new LDAP.InsufficientAccessRightsError())
}
// Make sure the resource exists
const item = await this.get_resource_from_dn(req.dn)
if ( !item ) {
return next(LDAP.NoSuchObjectError())
}
// Make sure it has the requested attribute
const value = item.to_ldap()[req.attribute]
if ( typeof value === 'undefined' ) {
return next(new LDAP.NoSuchAttributeError())
}
// Check if it matches the request value
const values = Array.isArray(value) ? value : [value]
const matches = values.some(x => x === req.value)
res.end(matches)
return next()
}
async bind(req, res, next) {
const auth_dn = this.ldap_server.auth_dn()
// Make sure the DN is valid
if ( !req.dn.childOf(auth_dn) ) {
return next(new LDAP.InvalidCredentialsError('Cannot bind to DN outsize of the authentication base.'))
}
// Get the item
const item = await this.get_resource_from_dn(req.dn)
if ( !item ) {
return next(new LDAP.NoSuchObject())
}
// If the object is can-able, make sure it can bind
if ( typeof item.can === 'function' && !item.can('ldap:bind') ) {
return next(new LDAP.InsufficientAccessRightsError())
}
// Make sure the password matches the resource record
if ( !await item.check_password(req.credentials) ) {
return next(new LDAP.InvalidCredentialsError())
}
this.output.success(`Successfully bound resource as DN: ${req.dn.format(this.ldap_dn_format)}.`)
res.end()
return next()
}
async delete(req, res, next) {
if ( !req.user.can(`ldap:delete:${this.resource_type}`) ) {
return next(new LDAP.InsufficientAccessRightsError())
}
// Get the base DN
const base_dn = await this.get_base_dn()
// Make sure it's a parent of the request DN
if ( !base_dn.parentOf(req.dn) ) {
this.output.warn(`Attempted to perform resource deletion on invalid DN: ${req.dn.format(this.ldap_dn_format)}`)
return next(new LDAP.InsufficientAccessRightsError(`Target DN must be a member of the base DN: ${base_dn.format(this.ldap_dn_format)}.`))
}
// Fetch the resource (error if not found)
const item = await this.get_resource_from_dn(req.dn)
if ( !item ) {
return next(new LDAP.NoSuchObjectError())
}
// Delete it - TODO full soft delete, or just ldap_visible = false?
await item.delete()
res.end()
return next()
}
async get_resource_from_dn(dn) {
throw new ImplementationError()
}
async get_base_dn() {
throw new ImplementationError()
}
}
module.exports = exports = LDAPController

271
app/ldap/controllers/Users.controller.js
View File

@@ -1,41 +1,258 @@
const LDAPController = require('./LDAPController')
const LDAP = require('ldapjs')
const bcrypt = require('bcrypt')
class UsersController extends LDAPController {
static get services() {
return [...super.services, 'output', 'ldap_server', 'models']
return [
...super.services,
'output',
'ldap_server',
'models',
'ldap_dn_format',
'auth'
]
}
async search_people(req, res, next) {
global.ireq = req
constructor() {
super()
this.User = this.models.get('auth:User')
}
async bind(req, res, next) {
const auth_dn = this.ldap_server.auth_dn()
// Might need to override compare to support special handling for userPassword
// Make sure the DN is valid
if ( !req.dn.childOf(auth_dn) ) {
return next(new LDAP.InvalidCredentialsError())
}
// Get the user
const user = await this.get_user_from_dn(req.dn)
if ( !user ) {
return next(new LDAP.InvalidCredentialsError())
}
// Make sure the password matches the user record
if ( !await user.check_password(req.credentials) ) {
return next(new LDAP.InvalidCredentialsError())
}
// Make sure the user has permission to bind
if ( !user.can('ldap:bind') ) {
// TODO generalize some of the addition logic
async add_people(req, res, next) {
if ( !req.user.can('ldap:add:users') ) {
return next(new LDAP.InsufficientAccessRightsError())
}
this.output.success(`Successfully bound user ${user.uid} as DN: ${req.dn.format({skipSpace: true})}.`)
return res.end()
// make sure the add DN is in the auth_dn
const auth_dn = this.ldap_server.auth_dn()
if ( !auth_dn.parentOf(req.dn) ) {
this.output.warn(`Attempted to perform user insertion on invalid DN: ${req.dn.format(this.ldap_dn_format)}`)
return next(new LDAP.InsufficientAccessRightsError())
}
// make sure the user object doesn't already exist
const existing_user = await this.get_resource_from_dn(req.dn)
if ( existing_user ) {
return next(new LDAP.EntryAlreadyExistsError())
}
// build the user object from the request attributes
const req_data = req.toObject().attributes
const register_data = {
first_name: req_data.cn ? req_data.cn[0] : '',
last_name: req_data.sn ? req_data.sn[0] : '',
email: req_data.mail ? req_data.mail[0] : '',
username: req_data.uid ? req_data.uid[0] : '',
password: req_data.userpassword ? req_data.userpassword[0] : '',
}
// TODO add data fields
// Make sure the data uid matches the request DN
if ( this.get_uid_from_dn(req.dn) !== register_data.username ) {
this.output.error(`Attempted to register user where request DN's UID differs from the registration data: (${this.get_uid_from_dn(req.dn)} !== ${register_data.username})`)
return next(new LDAP.ObjectclassViolationError(`Attempted to register user where request DN's UID differs from the registration data!`))
}
// Get the auth provider!
const flitter = this.auth.get_provider('flitter')
// Make sure required fields are provided
const reg_errors = await flitter.validate_registration(register_data)
const other_required_fields = ['first_name', 'last_name', 'email']
for ( const field of other_required_fields ) {
if ( !register_data[field] ) reg_errors.push(`Missing field: ${field}`)
}
if ( reg_errors.length > 0 ) {
this.output.error(`Error(s) encountered during LDAP user registration: ${reg_errors.join('; ')}`)
return next(new LDAP.ObjectclassViolationError(`Object add validation failure: ${reg_errors.join('; ')}`))
}
// save the user object
const registration_args = await flitter.get_registration_args(register_data)
delete register_data.username
delete register_data.password
registration_args[1] = {...register_data, ...registration_args[1]}
const new_user = await flitter.register(...registration_args)
this.output.success(`Created new LDAP user: ${new_user.uid}`)
res.end()
return next()
}
// TODO generalize some of the modification logic
async modify_people(req, res, next) {
if ( !req.user.can('ldap:modify:users') ) {
return next(new LDAP.InsufficientAccessRightsError())
}
if ( req.changes.length <= 0 ) {
return next(new LDAP.ProtocolError('Must specify at least one change.'))
}
// Make sure it's under the user auth DN
const auth_dn = this.ldap_server.auth_dn()
if ( !auth_dn.parentOf(req.dn) ) {
this.output.warn(`Attempted to perform user modify on invalid DN: ${req.dn.format(this.ldap_dn_format)}`)
return next(new LDAP.InsufficientAccessRightsError())
}
// Get the target user
const user = await this.get_resource_from_dn(req.dn)
if ( !user ) {
return next(new LDAP.NoSuchObjectError())
}
// Iterate over the changes
const allow_replace = ['cn', 'sn', 'mail', 'userPassword']
for ( const change of req.changes ) {
const change_data = change.json.modification
if ( change.operation === 'add' ) {
if ( !change_data.type.startsWith('data_') ) {
return next(new LDAP.OperationsError(`Addition of non 'data_' fields is not permitted.`))
}
const key = `ldap${change_data.type.substr(4)}`
const val = change_data.vals
if ( typeof user.data_get(key) !== 'undefined' ) {
return next(new LDAP.AttributeOrValueExistsError())
}
user.data_set(key, val)
} else if ( change.operation === 'replace' ) {
if ( !allow_replace.includes(change_data.type) || change_data.type.startsWith('data_') ) {
return next(new LDAP.OperationsError(`Modification of the ${change_data.type} field is not permitted.`))
}
if ( change_data.type.startsWith('data_') ) {
const key = `ldap${change_data.type.substr(4)}`
const val = change_data.vals
user.data_set(key, val)
} else if ( change_data.type === 'cn' ) {
user.first_name = change_data.vals[0]
} else if ( change_data.type === 'sn' ) {
user.last_name = change_data.vals[0]
} else if ( change_data.type === 'mail' ) {
// Validate the e-mail address
if ( !this.ldap_server.validate_email(change_data.vals[0]) ) {
return next(new LDAP.OperationsError(`Unable to make modification: mail must be a valid e-mail address.`))
}
user.email = change_data.vals[0]
} else if ( change_data.type === 'userPassword' ) {
// Validate the password
if ( change_data.vals[0].length < 8 ) {
return next(new LDAP.OperationsError(`Unable to make modification: userPassword must be at least 8 characters.`))
}
// Hash the password before update
user.password = await bcrypt.hash(change_data.vals[0], 10)
}
} else if ( change.operation === 'delete' ) {
if ( !change_data.type.startsWith('data_') ) {
return next(new LDAP.OperationsError(`Deletion of non 'data_' fields is not permitted.`))
}
const key = `ldap${change_data.type.substr(4)}`
const json_obj = JSON.parse(user.data)
delete json_obj[key]
user.data = JSON.stringify(json_obj)
} else {
return next(new LDAP.ProtocolError(`Invalid/unknown modify operation: ${change.operation}`))
}
}
await user.save()
res.end()
return next()
}
async get_base_dn() {
return this.ldap_server.auth_dn()
}
// TODO flitter-orm chunk query
// TODO generalize scoped search logic
async search_people(req, res, next) {
if ( !req.user.can('ldap:search:users') ) {
return next(new LDAP.InsufficientAccessRightsError())
}
if ( req.scope === 'base' ) {
// If scope is base, check if the base DN matches the filter.
// If so, return it. Else, return empty.
this.output.debug(`Running base DN search for users with DN: ${req.dn.format(this.ldap_dn_format)}`)
// Make sure the user is ldap visible && match the filter
if ( req.user.ldap_visible && req.filter.matches(req.user.to_ldap()) ) {
// If so, send the object
res.send({
dn: req.user.dn.format(this.ldap_dn_format),
attributes: req.user.to_ldap(),
})
}
} else if ( req.scope === 'one' ) {
// If scope is one, find all entries that are the immediate
// subordinates of the base DN that match the filter.
this.output.debug(`Running one DN search for users with DN: ${req.dn.format(this.ldap_dn_format)}`)
// Fetch the LDAP-visible users
const users = await this.User.ldap_directory()
for ( const user of users ) {
// Make sure the user os of the appropriate scope
if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
// Check if the filter matches
if ( req.filter.matches(user.to_ldap()) ) {
// If so, send the object
res.send({
dn: user.dn.format(this.ldap_dn_format),
attributes: user.to_ldap(),
})
}
}
}
} else if ( req.scope === 'sub' ) {
// If scope is sub, find all entries that are subordinates
// of the base DN at any level and match the filter.
this.output.debug(`Running sub DN search for users with DN: ${req.dn.format(this.ldap_dn_format)}`)
// Fetch the users as LDAP objects
const users = await this.User.ldap_directory()
for ( const user of users ) {
// Make sure the user is of appropriate scope
if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) {
// Check if filter matches
if ( req.filter.matches(user.to_ldap()) ) {
// If so, send the object
res.send({
dn: user.dn.format(this.ldap_dn_format),
attributes: user.to_ldap(),
})
}
}
}
} else {
this.output.error(`Attempted to perform LDAP search with invalid scope: ${req.scope}`)
return next(new LDAP.OtherError('Attempted to perform LDAP search with invalid scope.'))
}
res.end()
return next()
}
get_uid_from_dn(dn) {
@@ -47,11 +264,11 @@ class UsersController extends LDAPController {
} catch (e) {}
}
async get_user_from_dn(dn) {
async get_resource_from_dn(dn) {
const uid = this.get_uid_from_dn(dn)
if ( uid ) {
const User = this.models.get('auth:User')
return User.findOne({uid})
return User.findOne({uid, ldap_visible: true})
}
}
}

2
app/ldap/middleware/BindUser.middleware.js
View File

@@ -14,7 +14,7 @@ class BindUserMiddleware extends LDAPMiddleware {
return next(new LDAP.InsufficientAccessRightsError())
}
const user = this.user_controller().get_uid_from_dn(bind_dn)
const user = await this.user_controller().get_resource_from_dn(bind_dn)
if ( !user || !user.can('ldap:bind') ) {
return next(new LDAP.InvalidCredentialsError())
}

4
app/ldap/middleware/Logger.middleware.js
View File

@@ -2,12 +2,12 @@ const LDAPMiddleware = require('./LDAPMiddleware')
class LDAPLoggerMiddleware extends LDAPMiddleware {
static get services() {
return [...super.services, 'app', 'output']
return [...super.services, 'app', 'output', 'ldap_dn_format']
}
async test(req, res, next) {
let bind_dn = req.connection.ldap.bindDN
this.output.info(`${req.json.protocolOp} - as ${bind_dn ? bind_dn.format({skipSpace: true}) : 'N/A'} - target ${req.dn.format({skipSpace: true})}`)
this.output.info(`${req.json.protocolOp} - as ${bind_dn ? bind_dn.format(this.ldap_dn_format) : 'N/A'} - target ${req.dn.format(this.ldap_dn_format)}`)
return next()
}
}

22
app/ldap/routes/users.routes.js
View File

@@ -18,11 +18,31 @@ const users_routes = {
},
add: {
'ou=people': [
'ldap_middleware::BindUser',
'ldap_controller::Users.add_people',
],
},
del: {
'ou=people': [
'ldap_middleware::BindUser',
'ldap_controller::Users.delete',
],
},
modify: {
'ou=people': [
'ldap_middleware::BindUser',
'ldap_controller::Users.modify_people',
],
},
compare: {
'ou=people': [
'ldap_middleware::BindUser',
'ldap_controller::Users.compare',
],
},
}