Make sudo access managed via IAM rather than group checkmark
This commit is contained in:
@@ -26,6 +26,7 @@ class SudoController extends LDAPController {
|
||||
return next(new LDAP.InsufficientAccessRightsError())
|
||||
}
|
||||
|
||||
const iam_targets = this.parse_iam_targets(req.filter)
|
||||
if ( req.scope === 'base' ) {
|
||||
// If scope is base, check if the base DN matches the filter.
|
||||
// If so, return it. Else, return empty.
|
||||
@@ -34,12 +35,12 @@ class SudoController extends LDAPController {
|
||||
const user = await this.get_resource_from_dn(req.dn)
|
||||
|
||||
// Make sure the user is ldap visible && match the filter
|
||||
if ( user && user.ldap_visible && req.filter.matches(await user.to_sudo()) ) {
|
||||
if ( user && user.ldap_visible && req.filter.matches(await user.to_sudo(iam_targets)) ) {
|
||||
|
||||
// If so, send the object
|
||||
res.send({
|
||||
dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
|
||||
attributes: await user.to_sudo(),
|
||||
attributes: await user.to_sudo(iam_targets),
|
||||
})
|
||||
}
|
||||
} else if ( req.scope === 'one' ) {
|
||||
@@ -55,12 +56,12 @@ class SudoController extends LDAPController {
|
||||
if ( req.dn.equals(user.sudo_dn) || user.sudo_dn.parent().equals(req.dn) ) {
|
||||
|
||||
// Check if the filter matches
|
||||
if ( req.filter.matches(await user.to_sudo()) ) {
|
||||
if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {
|
||||
|
||||
// If so, send the object
|
||||
res.send({
|
||||
dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
|
||||
attributes: await user.to_sudo(),
|
||||
attributes: await user.to_sudo(iam_targets),
|
||||
})
|
||||
}
|
||||
}
|
||||
@@ -79,12 +80,12 @@ class SudoController extends LDAPController {
|
||||
if ( req.dn.equals(user.sudo_dn) || req.dn.parentOf(user.sudo_dn) ) {
|
||||
|
||||
// Check if filter matches
|
||||
if ( req.filter.matches(await user.to_sudo()) ) {
|
||||
if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {
|
||||
|
||||
// If so, send the object
|
||||
res.send({
|
||||
dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
|
||||
attributes: await user.to_sudo(),
|
||||
attributes: await user.to_sudo(iam_targets),
|
||||
})
|
||||
}
|
||||
}
|
||||
@@ -98,6 +99,20 @@ class SudoController extends LDAPController {
|
||||
return next()
|
||||
}
|
||||
|
||||
parse_iam_targets(filter, target_ids = []) {
|
||||
if ( Array.isArray(filter?.filters) ) {
|
||||
for ( const sub_filter of filter.filters ) {
|
||||
target_ids = [...target_ids, ...this.parse_iam_targets(sub_filter)]
|
||||
}
|
||||
} else if ( filter?.attribute ) {
|
||||
if ( filter.attribute === 'iamtarget' ) {
|
||||
target_ids.push(filter.value)
|
||||
}
|
||||
}
|
||||
|
||||
return target_ids
|
||||
}
|
||||
|
||||
get_cn_from_dn(dn) {
|
||||
try {
|
||||
if ( typeof dn === 'string' ) dn = LDAP.parseDN(dn)
|
||||
@@ -108,8 +123,7 @@ class SudoController extends LDAPController {
|
||||
async get_resource_from_dn(sudo_dn) {
|
||||
const cn = this.get_cn_from_dn(sudo_dn)
|
||||
if ( cn ) {
|
||||
const user = this.User.findOne({uid: cn.substr(5), ldap_visible: true})
|
||||
if ( user && (await user.has_sudo()) ) return user
|
||||
return this.User.findOne({uid: cn.substr(5), ldap_visible: true})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user