garrettmills
4 years ago
parent
226b90b7bf
commit
68cc90899c
@ -0,0 +1,59 @@
|
||||
const LDAPController = require('./LDAPController')
|
||||
const LDAP = require('ldapjs')
|
||||
|
||||
class UsersController extends LDAPController {
|
||||
static get services() {
|
||||
return [...super.services, 'output', 'ldap_server', 'models']
|
||||
}
|
||||
|
||||
async search_people(req, res, next) {
|
||||
global.ireq = req
|
||||
}
|
||||
|
||||
async bind(req, res, next) {
|
||||
const auth_dn = this.ldap_server.auth_dn()
|
||||
|
||||
// Make sure the DN is valid
|
||||
if ( !req.dn.childOf(auth_dn) ) {
|
||||
return next(new LDAP.InvalidCredentialsError())
|
||||
}
|
||||
|
||||
// Get the user
|
||||
const user = await this.get_user_from_dn(req.dn)
|
||||
if ( !user ) {
|
||||
return next(new LDAP.InvalidCredentialsError())
|
||||
}
|
||||
|
||||
// Make sure the password matches the user record
|
||||
if ( !await user.check_password(req.credentials) ) {
|
||||
return next(new LDAP.InvalidCredentialsError())
|
||||
}
|
||||
|
||||
// Make sure the user has permission to bind
|
||||
if ( !user.can('ldap:bind') ) {
|
||||
return next(new LDAP.InsufficientAccessRightsError())
|
||||
}
|
||||
|
||||
this.output.success(`Successfully bound user ${user.uid} as DN: ${req.dn.format({skipSpace: true})}.`)
|
||||
return res.end()
|
||||
}
|
||||
|
||||
get_uid_from_dn(dn) {
|
||||
const uid_field = this.ldap_server.config.schema.auth.user_id
|
||||
|
||||
try {
|
||||
if ( typeof dn === 'string' ) dn = LDAP.parseDN(dn)
|
||||
return dn.rdns[0].attrs[uid_field].value
|
||||
} catch (e) {}
|
||||
}
|
||||
|
||||
async get_user_from_dn(dn) {
|
||||
const uid = this.get_uid_from_dn(dn)
|
||||
if ( uid ) {
|
||||
const User = this.models.get('auth:User')
|
||||
return User.findOne({uid})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = UsersController
|
||||
@ -0,0 +1,33 @@
|
||||
const LDAPMiddleware = require('./LDAPMiddleware')
|
||||
const LDAP = require('ldapjs')
|
||||
|
||||
class BindUserMiddleware extends LDAPMiddleware {
|
||||
static get services() {
|
||||
return [...super.services, 'canon', 'output', 'ldap_server']
|
||||
}
|
||||
|
||||
async test(req, res, next) {
|
||||
const bind_dn = req.connection.ldap.bindDN
|
||||
|
||||
if ( bind_dn.equals(this.ldap_server.anonymous()) ) {
|
||||
this.output.warn(`Blocked anonymous LDAP request on user-protected route.`)
|
||||
return next(new LDAP.InsufficientAccessRightsError())
|
||||
}
|
||||
|
||||
const user = this.user_controller().get_uid_from_dn(bind_dn)
|
||||
if ( !user || !user.can('ldap:bind') ) {
|
||||
return next(new LDAP.InvalidCredentialsError())
|
||||
}
|
||||
|
||||
req.user = user
|
||||
req.bindDN = bind_dn
|
||||
|
||||
return next()
|
||||
}
|
||||
|
||||
user_controller() {
|
||||
return this.canon.get('ldap_controller::Users')
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = BindUserMiddleware
|
||||
@ -0,0 +1,15 @@
|
||||
const LDAPMiddleware = require('./LDAPMiddleware')
|
||||
|
||||
class LDAPLoggerMiddleware extends LDAPMiddleware {
|
||||
static get services() {
|
||||
return [...super.services, 'app', 'output']
|
||||
}
|
||||
|
||||
async test(req, res, next) {
|
||||
let bind_dn = req.connection.ldap.bindDN
|
||||
this.output.info(`${req.json.protocolOp} - as ${bind_dn ? bind_dn.format({skipSpace: true}) : 'N/A'} - target ${req.dn.format({skipSpace: true})}`)
|
||||
return next()
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = LDAPLoggerMiddleware
|
||||
@ -1,27 +0,0 @@
|
||||
const example_routes = {
|
||||
|
||||
prefix: 'dc=base',
|
||||
|
||||
middleware: [
|
||||
|
||||
],
|
||||
|
||||
search: {
|
||||
|
||||
},
|
||||
|
||||
bind: {
|
||||
|
||||
},
|
||||
|
||||
add: {
|
||||
|
||||
},
|
||||
|
||||
del: {
|
||||
|
||||
},
|
||||
|
||||
}
|
||||
|
||||
module.exports = exports = example_routes
|
||||
@ -0,0 +1,30 @@
|
||||
const users_routes = {
|
||||
|
||||
prefix: false, // false | string
|
||||
|
||||
middleware: [
|
||||
'Logger'
|
||||
],
|
||||
|
||||
search: {
|
||||
'ou=people': [
|
||||
'ldap_middleware::BindUser',
|
||||
'ldap_controller::Users.search_people',
|
||||
],
|
||||
},
|
||||
|
||||
bind: {
|
||||
'ou=people': ['ldap_controller::Users.bind'],
|
||||
},
|
||||
|
||||
add: {
|
||||
|
||||
},
|
||||
|
||||
del: {
|
||||
|
||||
},
|
||||
|
||||
}
|
||||
|
||||
module.exports = exports = users_routes
|
||||
@ -1,31 +0,0 @@
|
||||
/*
|
||||
* HomeLogger Middleware
|
||||
* -------------------------------------------------------------
|
||||
* This is a sample middleware. It simply prints a console message when
|
||||
* the route that it is tied to is accessed. By default, it is called if
|
||||
* the '/' route is accessed. It can be injected in routes globally using
|
||||
* the global mw() function.
|
||||
*/
|
||||
const Middleware = require('libflitter/middleware/Middleware')
|
||||
class HomeLogger extends Middleware {
|
||||
static get services() {
|
||||
return [...super.services, 'output']
|
||||
}
|
||||
|
||||
/*
|
||||
* Run the middleware test.
|
||||
* This method is required by all Flitter middleware.
|
||||
* It should either call the next function in the stack,
|
||||
* or it should handle the response accordingly.
|
||||
*/
|
||||
test(req, res, next, args) {
|
||||
this.output.debug('Home was accessed!')
|
||||
|
||||
/*
|
||||
* Call the next function in the stack.
|
||||
*/
|
||||
next()
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = HomeLogger
|
||||
@ -0,0 +1,60 @@
|
||||
const CanonicalUnit = require('libflitter/canon/CanonicalUnit')
|
||||
const LDAPController = require('../ldap/controllers/LDAPController')
|
||||
const StopError = require('libflitter/errors/StopError')
|
||||
|
||||
class LDAPControllerUnit extends CanonicalUnit {
|
||||
static get name() {
|
||||
return 'ldap_controllers'
|
||||
}
|
||||
|
||||
static get services() {
|
||||
return [...super.services, 'output']
|
||||
}
|
||||
|
||||
constructor(base_directory = './app/ldap/controllers') {
|
||||
super(base_directory)
|
||||
|
||||
this.canonical_item = 'ldap_controller'
|
||||
this.suffix = '.controller.js'
|
||||
}
|
||||
|
||||
async init_canonical_file({app, name, instance}) {
|
||||
if ( instance.prototype instanceof LDAPController ) {
|
||||
this.output.debug(`Registering LDAP controller: ${name}`)
|
||||
return new instance()
|
||||
} else {
|
||||
this.output.error(`LDAP Controller ${name} must extend base class LDAPController.`)
|
||||
throw new StopError(`LDAP Controller ${name} must extend base class LDAPController.`)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Resolve an unqualified canonical name to a registered canonical controller or method.
|
||||
* @param {string} name
|
||||
// * @returns {module:libflitter/controller/Controller~Controller|function}
|
||||
*/
|
||||
get(name) {
|
||||
const name_parts = name.split('.')
|
||||
const controller_instance = this.canonical_items[name_parts[0]]
|
||||
|
||||
if ( name_parts.length > 1 ) {
|
||||
const method_instance = controller_instance[name_parts[1]].bind(controller_instance)
|
||||
|
||||
if ( name_parts > 2 ) {
|
||||
let descending_value = method_instance
|
||||
name_parts.slice(2).forEach(part => {
|
||||
descending_value = descending_value[part]
|
||||
})
|
||||
|
||||
return descending_value
|
||||
} else {
|
||||
return method_instance
|
||||
}
|
||||
}
|
||||
|
||||
// TODO this is a bug in libflitter too!
|
||||
return controller_instance
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = LDAPControllerUnit
|
||||
@ -0,0 +1,41 @@
|
||||
const CanonicalUnit = require('libflitter/canon/CanonicalUnit')
|
||||
const LDAPMiddleware = require('../ldap/middleware/LDAPMiddleware')
|
||||
const StopError = require('libflitter/errors/StopError')
|
||||
|
||||
class LDAPMiddlewareUnit extends CanonicalUnit {
|
||||
static get services() {
|
||||
return [...super.services, 'output']
|
||||
}
|
||||
|
||||
static get name() {
|
||||
return 'ldap_middleware'
|
||||
}
|
||||
|
||||
constructor(base_directory = './app/ldap/middleware') {
|
||||
super(base_directory)
|
||||
|
||||
this.canonical_item = 'ldap_middleware'
|
||||
this.suffix = '.middleware.js'
|
||||
}
|
||||
|
||||
async init_canonical_file({app, name, instance}) {
|
||||
if ( instance.prototype instanceof LDAPMiddleware ) {
|
||||
this.output.debug(`Registering LDAP middleware: ${name}`)
|
||||
return new instance()
|
||||
} else {
|
||||
this.output.error(`LDAP middleware class ${name} must be an instance of LDAPMiddleware.`)
|
||||
throw new StopError(`LDAP middleware class ${name} must be an instance of LDAPMiddleware.`)
|
||||
}
|
||||
}
|
||||
|
||||
get(name) {
|
||||
const item = super.get(name)
|
||||
if ( item instanceof LDAPMiddleware ) {
|
||||
return item.test.bind(item)
|
||||
}
|
||||
|
||||
return item
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = LDAPMiddlewareUnit
|
||||
@ -1,21 +0,0 @@
|
||||
const Unit = require('libflitter/Unit')
|
||||
|
||||
class LDAPRegistry extends Unit {
|
||||
static get name() {
|
||||
return 'ldap_registry'
|
||||
}
|
||||
|
||||
static get services() {
|
||||
return [...super.services, 'output']
|
||||
}
|
||||
|
||||
async go(app) {
|
||||
|
||||
}
|
||||
|
||||
async cleanup(app) {
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = LDAPRegistry
|
||||
@ -0,0 +1,101 @@
|
||||
const CanonicalUnit = require('libflitter/canon/CanonicalUnit')
|
||||
|
||||
class LDAPRoutingUnit extends CanonicalUnit {
|
||||
static get name() {
|
||||
return 'ldap_routers'
|
||||
}
|
||||
|
||||
static get services() {
|
||||
return [...super.services, 'output', 'canon', 'ldap_server']
|
||||
}
|
||||
|
||||
constructor(base_directory = './app/ldap/routes') {
|
||||
super(base_directory)
|
||||
|
||||
this.canonical_item = 'ldap_router'
|
||||
this.suffix = '.routes.js'
|
||||
}
|
||||
|
||||
async init_canonical_file({app, name, instance}) {
|
||||
const router_middleware = []
|
||||
if ( !instance ) {
|
||||
this.output.warn(`Skipping LDAP routing file ${name}. No members were exported.`)
|
||||
}
|
||||
|
||||
this.output.info(`Building LDAP routes for router ${name}.`)
|
||||
|
||||
// Load the router-level middleware functions
|
||||
if ( Array.isArray(instance.middleware) ) {
|
||||
for ( const mw of instance.middleware ) {
|
||||
const mw_instance = this.canon.get(`ldap_middleware::${mw}`)
|
||||
if ( !mw_instance ) {
|
||||
const msg = `Unable to create LDAP routes. Invalid or unknown LDAP middleware: ldap_middleware::${mw} in router ${name}.`
|
||||
this.output.error(msg)
|
||||
throw new Error(msg)
|
||||
}
|
||||
|
||||
router_middleware.push(mw_instance)
|
||||
}
|
||||
}
|
||||
|
||||
this.output.debug(`Found ${router_middleware.length} router-level middlewares.`)
|
||||
|
||||
// Determine the prefix (suffix) and total suffix from config
|
||||
let suffix = []
|
||||
if ( instance.prefix && typeof instance.prefix === 'string' ) {
|
||||
suffix.push(instance.prefix)
|
||||
} else if ( instance.prefix !== false ) {
|
||||
this.output.warn(`No prefix specified for LDAP routing file ${name}.`)
|
||||
}
|
||||
|
||||
// If the server has a base DC=...,DC=... &c. suffix, include that
|
||||
if ( this.ldap_server.config.schema.base_dc ) {
|
||||
suffix.push(this.ldap_server.config.schema.base_dc)
|
||||
}
|
||||
|
||||
suffix = suffix.join(',')
|
||||
|
||||
// Load the individual routes
|
||||
const supported_ldap_types = [
|
||||
'search', 'bind', 'add', 'del', 'modify', 'compare', 'modifyDN', 'exop', 'unbind',
|
||||
]
|
||||
|
||||
// Iterate over the various query types that might be in the definition
|
||||
for ( const type of supported_ldap_types ) {
|
||||
if ( typeof instance[type] === 'object' ) {
|
||||
// Iterate over each of the route definitions in the type definition
|
||||
for ( const route_prefix in instance[type] ) {
|
||||
if ( !instance[type].hasOwnProperty(route_prefix) ) continue
|
||||
let route_handlers = instance[type][route_prefix]
|
||||
if ( typeof route_handlers === 'string' ) route_handlers = [route_handlers]
|
||||
|
||||
if ( !Array.isArray(route_handlers) ) {
|
||||
const msg = `Invalid route handlers for route ${route_prefix} (${type}) in router ${name}.`
|
||||
this.output.error(msg)
|
||||
throw new Error(msg)
|
||||
}
|
||||
|
||||
let route_functions = [...router_middleware]
|
||||
// For each of the route handler definitions, resolve the canonical
|
||||
for ( const route_handler_name of route_handlers ) {
|
||||
const route_handler = this.canon.get(route_handler_name)
|
||||
if ( !route_handler || typeof route_handler !== 'function' ) {
|
||||
const msg = `Unable to resolve route handler for route ${route_prefix} (${type}) in router ${name}. Handler name: ${route_handler_name}`
|
||||
this.output.error(msg)
|
||||
throw new Error(msg)
|
||||
}
|
||||
|
||||
route_functions.push(route_handler)
|
||||
}
|
||||
|
||||
this.output.debug(`Registering route ${type} :: ${[route_prefix, suffix].join(',')} with ${route_functions.length} handlers.`)
|
||||
this.ldap_server.server[type]([route_prefix, suffix].join(','), ...route_functions)
|
||||
}
|
||||
} else {
|
||||
this.output.warn(`Missing or invalid LDAP protocol definition ${type} in router ${name}. The protocol will be skipped.`)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = LDAPRoutingUnit
|
||||
@ -1,8 +1,17 @@
|
||||
// LDAP Server Configuration
|
||||
const ldap_server = {
|
||||
|
||||
port: env('LDAP_SERVER_PORT', 389),
|
||||
max_connections: env('LDAP_MAX_CONNECTIONS'),
|
||||
interface: env('LDAP_LISTEN_INTERFACE', '0.0.0.0'),
|
||||
|
||||
schema: {
|
||||
base_dc: env('LDAP_BASE_DC', 'dc=example,dc=com'),
|
||||
authentication_base: env('LDAP_AUTH_BASE', 'ou=people'),
|
||||
auth: {
|
||||
user_id: 'uid',
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = ldap_server
|
||||
|
||||
Loading…
Reference in new issue