From ca11e3afae6f979497a07fb64f43b27445814de4 Mon Sep 17 00:00:00 2001 From: garrettmills Date: Wed, 20 May 2020 22:28:30 -0500 Subject: [PATCH] Add IAM support to LDAP filters (iamTarget) --- TODO.text | 3 --- app/ldap/controllers/Users.controller.js | 29 ++++++++++++++++++------ app/models/auth/User.model.js | 13 ++++++++++- app/models/iam/Policy.model.js | 2 +- 4 files changed, 35 insertions(+), 12 deletions(-) diff --git a/TODO.text b/TODO.text index a8e4b8a..f132b08 100644 --- a/TODO.text +++ b/TODO.text @@ -1,11 +1,8 @@ - App setup wizard -- SAML IAM handling -- LDAP IAM handling - Cobalt form JSON field type - Setting resource - MFA recovery codes handling - Forgot password handling - Admin password reset mechanism -> flag users as needing PW resets - - Make this a general flow for pre-empting user logins - Cobalt form - when multiselect make selection box taller - Cobalt form - after action handlers - e.g. after insert perform action diff --git a/app/ldap/controllers/Users.controller.js b/app/ldap/controllers/Users.controller.js index 991027f..5d2f5bf 100644 --- a/app/ldap/controllers/Users.controller.js +++ b/app/ldap/controllers/Users.controller.js @@ -185,6 +185,20 @@ class UsersController extends LDAPController { return this.ldap_server.auth_dn() } + parse_iam_targets(filter, target_ids = []) { + if ( Array.isArray(filter?.filters) ) { + for ( const sub_filter of filter.filters ) { + target_ids = [...target_ids, ...this.parse_iam_targets(sub_filter)] + } + } else if ( filter?.attribute ) { + if ( filter.attribute === 'iamtarget' ) { + target_ids.push(filter.value) + } + } + + return target_ids + } + // TODO flitter-orm chunk query // TODO generalize scoped search logic async search_people(req, res, next) { @@ -192,6 +206,7 @@ class UsersController extends LDAPController { return next(new LDAP.InsufficientAccessRightsError()) } + const iam_targets = this.parse_iam_targets(req.filter) if ( req.scope === 'base' ) { // If scope is base, check if the base DN matches the filter. // If so, return it. Else, return empty. @@ -200,17 +215,17 @@ class UsersController extends LDAPController { const user = await this.get_resource_from_dn(req.dn) // Make sure the user is ldap visible && match the filter - if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap()) ) { + if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) { // If so, send the object res.send({ dn: user.dn,//.format(this.configs.get('ldap:server.format')), - attributes: await user.to_ldap(), + attributes: await user.to_ldap(iam_targets), }) this.output.debug({ dn: user.dn.format(this.configs.get('ldap:server.format')), - attributes: await user.to_ldap(), + attributes: await user.to_ldap(iam_targets), }) } else { this.output.debug(`User base search failed: either user not found, not visible, or filter mismatch`) @@ -229,12 +244,12 @@ class UsersController extends LDAPController { if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) { // Check if the filter matches - if ( req.filter.matches(await user.to_ldap()) ) { + if ( req.filter.matches(await user.to_ldap(iam_targets)) ) { // If so, send the object res.send({ dn: user.dn,//.format(this.configs.get('ldap:server.format')), - attributes: await user.to_ldap(), + attributes: await user.to_ldap(iam_targets), }) } } @@ -253,12 +268,12 @@ class UsersController extends LDAPController { if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) { // Check if filter matches - if ( req.filter.matches(await user.to_ldap()) ) { + if ( req.filter.matches(await user.to_ldap(iam_targets)) ) { // If so, send the object res.send({ dn: user.dn,//.format(this.configs.get('ldap:server.format')), - attributes: await user.to_ldap(), + attributes: await user.to_ldap(iam_targets), }) } } diff --git a/app/models/auth/User.model.js b/app/models/auth/User.model.js index c2a62db..2f25ef6 100644 --- a/app/models/auth/User.model.js +++ b/app/models/auth/User.model.js @@ -153,7 +153,9 @@ class User extends AuthUser { return Group.find({ active: true, user_ids: this.id }) } - async to_ldap() { + async to_ldap(iam_targets = []) { + const Policy = this.models.get('iam:Policy') + const ldap_data = { uid: this.uid, uuid: this.uuid, @@ -179,6 +181,15 @@ class User extends AuthUser { ldap_data.memberof = group_data } + const iamtarget = [] + for ( const target_id of iam_targets ) { + if ( await Policy.check_user_access(this, target_id) ) { + iamtarget.push(target_id) + } + } + + ldap_data.iamtarget = iamtarget + return ldap_data } diff --git a/app/models/iam/Policy.model.js b/app/models/iam/Policy.model.js index b8e9529..b3064be 100644 --- a/app/models/iam/Policy.model.js +++ b/app/models/iam/Policy.model.js @@ -4,7 +4,7 @@ const { Model } = require('flitter-orm') class PolicyModel extends Model { static get services() { - return [...super.services, 'models'] + return [...super.services, 'models', 'canon'] } static get schema() {