|
|
|
@ -26,6 +26,7 @@ class SudoController extends LDAPController {
|
|
|
|
|
return next(new LDAP.InsufficientAccessRightsError())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const iam_targets = this.parse_iam_targets(req.filter)
|
|
|
|
|
if ( req.scope === 'base' ) {
|
|
|
|
|
// If scope is base, check if the base DN matches the filter.
|
|
|
|
|
// If so, return it. Else, return empty.
|
|
|
|
@ -34,12 +35,12 @@ class SudoController extends LDAPController {
|
|
|
|
|
const user = await this.get_resource_from_dn(req.dn)
|
|
|
|
|
|
|
|
|
|
// Make sure the user is ldap visible && match the filter
|
|
|
|
|
if ( user && user.ldap_visible && req.filter.matches(await user.to_sudo()) ) {
|
|
|
|
|
if ( user && user.ldap_visible && req.filter.matches(await user.to_sudo(iam_targets)) ) {
|
|
|
|
|
|
|
|
|
|
// If so, send the object
|
|
|
|
|
res.send({
|
|
|
|
|
dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
|
|
|
|
|
attributes: await user.to_sudo(),
|
|
|
|
|
attributes: await user.to_sudo(iam_targets),
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
} else if ( req.scope === 'one' ) {
|
|
|
|
@ -55,12 +56,12 @@ class SudoController extends LDAPController {
|
|
|
|
|
if ( req.dn.equals(user.sudo_dn) || user.sudo_dn.parent().equals(req.dn) ) {
|
|
|
|
|
|
|
|
|
|
// Check if the filter matches
|
|
|
|
|
if ( req.filter.matches(await user.to_sudo()) ) {
|
|
|
|
|
if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {
|
|
|
|
|
|
|
|
|
|
// If so, send the object
|
|
|
|
|
res.send({
|
|
|
|
|
dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
|
|
|
|
|
attributes: await user.to_sudo(),
|
|
|
|
|
attributes: await user.to_sudo(iam_targets),
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
@ -79,12 +80,12 @@ class SudoController extends LDAPController {
|
|
|
|
|
if ( req.dn.equals(user.sudo_dn) || req.dn.parentOf(user.sudo_dn) ) {
|
|
|
|
|
|
|
|
|
|
// Check if filter matches
|
|
|
|
|
if ( req.filter.matches(await user.to_sudo()) ) {
|
|
|
|
|
if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {
|
|
|
|
|
|
|
|
|
|
// If so, send the object
|
|
|
|
|
res.send({
|
|
|
|
|
dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
|
|
|
|
|
attributes: await user.to_sudo(),
|
|
|
|
|
attributes: await user.to_sudo(iam_targets),
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
@ -98,6 +99,20 @@ class SudoController extends LDAPController {
|
|
|
|
|
return next()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
parse_iam_targets(filter, target_ids = []) {
|
|
|
|
|
if ( Array.isArray(filter?.filters) ) {
|
|
|
|
|
for ( const sub_filter of filter.filters ) {
|
|
|
|
|
target_ids = [...target_ids, ...this.parse_iam_targets(sub_filter)]
|
|
|
|
|
}
|
|
|
|
|
} else if ( filter?.attribute ) {
|
|
|
|
|
if ( filter.attribute === 'iamtarget' ) {
|
|
|
|
|
target_ids.push(filter.value)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return target_ids
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
get_cn_from_dn(dn) {
|
|
|
|
|
try {
|
|
|
|
|
if ( typeof dn === 'string' ) dn = LDAP.parseDN(dn)
|
|
|
|
@ -108,8 +123,7 @@ class SudoController extends LDAPController {
|
|
|
|
|
async get_resource_from_dn(sudo_dn) {
|
|
|
|
|
const cn = this.get_cn_from_dn(sudo_dn)
|
|
|
|
|
if ( cn ) {
|
|
|
|
|
const user = this.User.findOne({uid: cn.substr(5), ldap_visible: true})
|
|
|
|
|
if ( user && (await user.has_sudo()) ) return user
|
|
|
|
|
return this.User.findOne({uid: cn.substr(5), ldap_visible: true})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|