Add IAM support to LDAP filters (iamTarget)

4 years ago · ca11e3afae
parent b526b8f24d
commit ca11e3afae
4 changed files with 35 additions and 12 deletions
--- a/TODO.text
+++ b/TODO.text
@ -1,11 +1,8 @@
 - App setup wizard
- SAML IAM handling
- LDAP IAM handling
 - Cobalt form JSON field type - Setting resource
 - MFA recovery codes handling
 - Forgot password handling
    - Admin password reset mechanism -> flag users as needing PW resets
-    - Make this a general flow for pre-empting user logins
 - Cobalt form - when multiselect make selection box taller
 - Cobalt form - after action handlers
    - e.g. after insert perform action
--- a/app/ldap/controllers/Users.controller.js
+++ b/app/ldap/controllers/Users.controller.js
@ -185,6 +185,20 @@ class UsersController extends LDAPController {
        return this.ldap_server.auth_dn()
    }

+    parse_iam_targets(filter, target_ids = []) {
+        if ( Array.isArray(filter?.filters) ) {
+            for ( const sub_filter of filter.filters ) {
+                target_ids = [...target_ids, ...this.parse_iam_targets(sub_filter)]
+            }
+        } else if ( filter?.attribute ) {
+            if ( filter.attribute === 'iamtarget' ) {
+                target_ids.push(filter.value)
+            }
+        }
+
+        return target_ids
+    }
+
    // TODO flitter-orm chunk query
    // TODO generalize scoped search logic
    async search_people(req, res, next) {
@ -192,6 +206,7 @@ class UsersController extends LDAPController {
            return next(new LDAP.InsufficientAccessRightsError())
        }

+        const iam_targets = this.parse_iam_targets(req.filter)
        if ( req.scope === 'base' ) {
            // If scope is base, check if the base DN matches the filter.
            // If so, return it. Else, return empty.
@ -200,17 +215,17 @@ class UsersController extends LDAPController {
            const user = await this.get_resource_from_dn(req.dn)

            // Make sure the user is ldap visible && match the filter
-            if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap()) ) {
+            if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) {

                // If so, send the object
                res.send({
                    dn: user.dn,//.format(this.configs.get('ldap:server.format')),
-                    attributes: await user.to_ldap(),
+                    attributes: await user.to_ldap(iam_targets),
                })

                this.output.debug({
                    dn: user.dn.format(this.configs.get('ldap:server.format')),
-                    attributes: await user.to_ldap(),
+                    attributes: await user.to_ldap(iam_targets),
                })
            } else {
                this.output.debug(`User base search failed: either user not found, not visible, or filter mismatch`)
@ -229,12 +244,12 @@ class UsersController extends LDAPController {
                if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {

                    // Check if the filter matches
-                    if ( req.filter.matches(await user.to_ldap()) ) {
+                    if ( req.filter.matches(await user.to_ldap(iam_targets)) ) {

                        // If so, send the object
                        res.send({
                            dn: user.dn,//.format(this.configs.get('ldap:server.format')),
-                            attributes: await user.to_ldap(),
+                            attributes: await user.to_ldap(iam_targets),
                        })
                    }
                }
@ -253,12 +268,12 @@ class UsersController extends LDAPController {
                if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) {

                    // Check if filter matches
-                    if ( req.filter.matches(await user.to_ldap()) ) {
+                    if ( req.filter.matches(await user.to_ldap(iam_targets)) ) {

                        // If so, send the object
                        res.send({
                            dn: user.dn,//.format(this.configs.get('ldap:server.format')),
-                            attributes: await user.to_ldap(),
+                            attributes: await user.to_ldap(iam_targets),
                        })
                    }
                }
--- a/app/models/auth/User.model.js
+++ b/app/models/auth/User.model.js
@ -153,7 +153,9 @@ class User extends AuthUser {
        return Group.find({ active: true, user_ids: this.id })
    }

-    async to_ldap() {
+    async to_ldap(iam_targets = []) {
+        const Policy = this.models.get('iam:Policy')
+
        const ldap_data = {
            uid: this.uid,
            uuid: this.uuid,
@ -179,6 +181,15 @@ class User extends AuthUser {
            ldap_data.memberof = group_data
        }

+        const iamtarget = []
+        for ( const target_id of iam_targets ) {
+            if ( await Policy.check_user_access(this, target_id) ) {
+                iamtarget.push(target_id)
+            }
+        }
+
+        ldap_data.iamtarget = iamtarget
+
        return ldap_data
    }

--- a/app/models/iam/Policy.model.js
+++ b/app/models/iam/Policy.model.js
@ -4,7 +4,7 @@ const { Model } = require('flitter-orm')

 class PolicyModel extends Model {
    static get services() {
-        return [...super.services, 'models']
+        return [...super.services, 'models', 'canon']
    }

    static get schema() {