Add support for sudo

app/models/auth/Group.model.js

@@ -59,6 +59,17 @@ class GroupModel extends Model {
         }
     }
 
+    static async sudo_directory() {
+        const groups = await this.find({ ldap_visible: true, active: true, grants_sudo: true })
+
+        let users = []
+        for ( const group of groups ) {
+            users = [...users, ...(await group.users())]
+        }
+
+        return users
+    }
+
     static async ldap_directory() {
         const User = this.prototype.models.get('auth:User')
         const groups = await this.find({ ldap_visible: true, active: true })

app/models/auth/User.model.js

@@ -187,6 +187,23 @@ class User extends AuthUser {
         this.get_provider().logout(request)
     }
 
+    async has_sudo() {
+        const groups = await this.groups()
+        return groups.some(group => group.grants_sudo)
+    }
+
+    async to_sudo() {
+        return {
+            objectClass: ['sudoRole'],
+            objectclass: ['sudoRole'],
+            cn: `sudo_${this.uid.toLowerCase()}`,
+            sudoUser: this.uid.toLowerCase(),
+            sudoHost: 'ALL',
+            sudoRunAs: 'ALL',
+            sudoCommand: 'ALL',
+        }
+    }
+
     async to_ldap(iam_targets = []) {
         const Policy = this.models.get('iam:Policy')
 
@@ -249,6 +266,10 @@ class User extends AuthUser {
         return LDAP.parseDN(`uid=${this.uid.toLowerCase()},${this.ldap_server.auth_dn().format(this.configs.get('ldap:server.format'))}`)
     }
 
+    get sudo_dn() {
+        return LDAP.parseDN(`cn=sudo_${this.uid.toLowerCase()},${this.ldap_server.sudo_dn().format(this.configs.get('ldap:server.format'))}`)
+    }
+
     // The following are used by OpenID connect
 
     async claims(use, scope) {