Add IAM support to LDAP filters (iamTarget)

This commit is contained in:
garrettmills 2020-05-20 22:28:30 -05:00
parent b526b8f24d
commit ca11e3afae
No known key found for this signature in database
GPG Key ID: 6ACD58D6ADACFC6E
4 changed files with 35 additions and 12 deletions

View File

@ -1,11 +1,8 @@
- App setup wizard - App setup wizard
- SAML IAM handling
- LDAP IAM handling
- Cobalt form JSON field type - Setting resource - Cobalt form JSON field type - Setting resource
- MFA recovery codes handling - MFA recovery codes handling
- Forgot password handling - Forgot password handling
- Admin password reset mechanism -> flag users as needing PW resets - Admin password reset mechanism -> flag users as needing PW resets
- Make this a general flow for pre-empting user logins
- Cobalt form - when multiselect make selection box taller - Cobalt form - when multiselect make selection box taller
- Cobalt form - after action handlers - Cobalt form - after action handlers
- e.g. after insert perform action - e.g. after insert perform action

View File

@ -185,6 +185,20 @@ class UsersController extends LDAPController {
return this.ldap_server.auth_dn() return this.ldap_server.auth_dn()
} }
parse_iam_targets(filter, target_ids = []) {
if ( Array.isArray(filter?.filters) ) {
for ( const sub_filter of filter.filters ) {
target_ids = [...target_ids, ...this.parse_iam_targets(sub_filter)]
}
} else if ( filter?.attribute ) {
if ( filter.attribute === 'iamtarget' ) {
target_ids.push(filter.value)
}
}
return target_ids
}
// TODO flitter-orm chunk query // TODO flitter-orm chunk query
// TODO generalize scoped search logic // TODO generalize scoped search logic
async search_people(req, res, next) { async search_people(req, res, next) {
@ -192,6 +206,7 @@ class UsersController extends LDAPController {
return next(new LDAP.InsufficientAccessRightsError()) return next(new LDAP.InsufficientAccessRightsError())
} }
const iam_targets = this.parse_iam_targets(req.filter)
if ( req.scope === 'base' ) { if ( req.scope === 'base' ) {
// If scope is base, check if the base DN matches the filter. // If scope is base, check if the base DN matches the filter.
// If so, return it. Else, return empty. // If so, return it. Else, return empty.
@ -200,17 +215,17 @@ class UsersController extends LDAPController {
const user = await this.get_resource_from_dn(req.dn) const user = await this.get_resource_from_dn(req.dn)
// Make sure the user is ldap visible && match the filter // Make sure the user is ldap visible && match the filter
if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap()) ) { if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) {
// If so, send the object // If so, send the object
res.send({ res.send({
dn: user.dn,//.format(this.configs.get('ldap:server.format')), dn: user.dn,//.format(this.configs.get('ldap:server.format')),
attributes: await user.to_ldap(), attributes: await user.to_ldap(iam_targets),
}) })
this.output.debug({ this.output.debug({
dn: user.dn.format(this.configs.get('ldap:server.format')), dn: user.dn.format(this.configs.get('ldap:server.format')),
attributes: await user.to_ldap(), attributes: await user.to_ldap(iam_targets),
}) })
} else { } else {
this.output.debug(`User base search failed: either user not found, not visible, or filter mismatch`) this.output.debug(`User base search failed: either user not found, not visible, or filter mismatch`)
@ -229,12 +244,12 @@ class UsersController extends LDAPController {
if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) { if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
// Check if the filter matches // Check if the filter matches
if ( req.filter.matches(await user.to_ldap()) ) { if ( req.filter.matches(await user.to_ldap(iam_targets)) ) {
// If so, send the object // If so, send the object
res.send({ res.send({
dn: user.dn,//.format(this.configs.get('ldap:server.format')), dn: user.dn,//.format(this.configs.get('ldap:server.format')),
attributes: await user.to_ldap(), attributes: await user.to_ldap(iam_targets),
}) })
} }
} }
@ -253,12 +268,12 @@ class UsersController extends LDAPController {
if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) { if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) {
// Check if filter matches // Check if filter matches
if ( req.filter.matches(await user.to_ldap()) ) { if ( req.filter.matches(await user.to_ldap(iam_targets)) ) {
// If so, send the object // If so, send the object
res.send({ res.send({
dn: user.dn,//.format(this.configs.get('ldap:server.format')), dn: user.dn,//.format(this.configs.get('ldap:server.format')),
attributes: await user.to_ldap(), attributes: await user.to_ldap(iam_targets),
}) })
} }
} }

View File

@ -153,7 +153,9 @@ class User extends AuthUser {
return Group.find({ active: true, user_ids: this.id }) return Group.find({ active: true, user_ids: this.id })
} }
async to_ldap() { async to_ldap(iam_targets = []) {
const Policy = this.models.get('iam:Policy')
const ldap_data = { const ldap_data = {
uid: this.uid, uid: this.uid,
uuid: this.uuid, uuid: this.uuid,
@ -179,6 +181,15 @@ class User extends AuthUser {
ldap_data.memberof = group_data ldap_data.memberof = group_data
} }
const iamtarget = []
for ( const target_id of iam_targets ) {
if ( await Policy.check_user_access(this, target_id) ) {
iamtarget.push(target_id)
}
}
ldap_data.iamtarget = iamtarget
return ldap_data return ldap_data
} }

View File

@ -4,7 +4,7 @@ const { Model } = require('flitter-orm')
class PolicyModel extends Model { class PolicyModel extends Model {
static get services() { static get services() {
return [...super.services, 'models'] return [...super.services, 'models', 'canon']
} }
static get schema() { static get schema() {