Remove ldap:Group model

This commit is contained in:
garrettmills 2020-05-20 20:35:17 -05:00
parent ea77402750
commit faab948a6b
No known key found for this signature in database
GPG Key ID: 6ACD58D6ADACFC6E
7 changed files with 41 additions and 99 deletions

View File

@ -11,7 +11,6 @@
- e.g. after insert perform action - e.g. after insert perform action
- e.g. after update perform action, &c. - e.g. after update perform action, &c.
- IAM manage user API scopes - IAM manage user API scopes
- Eliminate LDAP group model, make LDAP server use standard auth group
- OAuth2 -> support refresh tokens - OAuth2 -> support refresh tokens
- Traps -> support session traps; convert MFA challenge to use session trap - Traps -> support session traps; convert MFA challenge to use session trap
- Allow setting user trap from web UI - Allow setting user trap from web UI

View File

@ -14,7 +14,7 @@ class GroupsController extends LDAPController {
constructor() { constructor() {
super() super()
this.Group = this.models.get('ldap:Group') this.Group = this.models.get('auth:Group')
} }
// TODO flitter-orm chunk query // TODO flitter-orm chunk query
@ -106,7 +106,7 @@ class GroupsController extends LDAPController {
async get_resource_from_dn(dn) { async get_resource_from_dn(dn) {
const cn = this.get_cn_from_dn(dn) const cn = this.get_cn_from_dn(dn)
if ( cn ) { if ( cn ) {
return this.Group.findOne({name: cn, ldap_visible: true}) return this.Group.findOne({name: cn, ldap_visible: true, active: true})
} }
} }
} }

View File

@ -22,7 +22,13 @@ class UsersController extends LDAPController {
// Might need to override compare to support special handling for userPassword // Might need to override compare to support special handling for userPassword
// TODO generalize some of the addition logic // TODO generalize some of the addition logic
// TODO rework some of the registration and validation logic
async add_people(req, res, next) { async add_people(req, res, next) {
const Setting = this.models.get('Setting')
if ( !(await Setting.get('auth.allow_registration')) ) {
return next(new LDAP.InsufficientAccessRightsError('Operation not enabled.'))
}
if ( !req.user.can('ldap:add:users') ) { if ( !req.user.can('ldap:add:users') ) {
return next(new LDAP.InsufficientAccessRightsError()) return next(new LDAP.InsufficientAccessRightsError())
} }
@ -87,6 +93,7 @@ class UsersController extends LDAPController {
} }
// TODO generalize some of the modification logic // TODO generalize some of the modification logic
// TODO rework validation
async modify_people(req, res, next) { async modify_people(req, res, next) {
if ( !req.user.can('ldap:modify:users') ) { if ( !req.user.can('ldap:modify:users') ) {
return next(new LDAP.InsufficientAccessRightsError()) return next(new LDAP.InsufficientAccessRightsError())

View File

@ -13,37 +13,15 @@ const groups_routes = {
], ],
}, },
/*bind: { bind: {},
'ou=groups': ['ldap_controller::Users.bind'],
},*/
/*add: { add: {},
'ou=groups': [
'ldap_middleware::BindUser',
'ldap_controller::Groups.add_group',
],
},
del: { del: {},
'ou=people': [
'ldap_middleware::BindUser',
'ldap_controller::Users.delete',
],
},
modify: { modify: {},
'ou=people': [
'ldap_middleware::BindUser',
'ldap_controller::Users.modify_people',
],
},
compare: { compare: {},
'ou=people': [
'ldap_middleware::BindUser',
'ldap_controller::Users.compare',
],
},*/
} }

View File

@ -1,9 +1,10 @@
const { Model } = require('flitter-orm') const { Model } = require('flitter-orm')
const LDAP = require('ldapjs')
// For organizational purposes only. // For organizational purposes only.
class GroupModel extends Model { class GroupModel extends Model {
static get services() { static get services() {
return [...super.services, 'models'] return [...super.services, 'models', 'ldap_server', 'configs']
} }
static get schema() { static get schema() {
@ -11,6 +12,7 @@ class GroupModel extends Model {
name: String, name: String,
user_ids: [String], user_ids: [String],
active: { type: Boolean, default: true }, active: { type: Boolean, default: true },
ldap_visible: { type: Boolean, default: true },
} }
} }
@ -18,16 +20,35 @@ class GroupModel extends Model {
return this.name.toLowerCase().replace(/\s/g, '_') return this.name.toLowerCase().replace(/\s/g, '_')
} }
get dn() {
return LDAP.parseDN(`cn=${this.name},${this.ldap_server.group_dn().format(this.configs.get('ldap:server.format'))}`)
}
async users() { async users() {
const User = this.models.get('auth:User') const User = this.models.get('auth:User')
return await User.find({ _id: { $in: this.user_ids.map(x => this.constructor.to_object_id(x)) } }) return await User.find({ _id: { $in: this.user_ids.map(x => this.constructor.to_object_id(x)) } })
} }
async to_ldap() {
const users = await this.users()
return {
cn: this.name,
dn: this.dn.format(this.configs.get('ldap:server.format')),
objectClass: 'groupOfNames',
member: users.map(x => x.dn.format(this.configs.get('ldap:server.format'))),
}
}
static async ldap_directory() {
return this.find({ ldap_visible: true, active: true })
}
async to_api() { async to_api() {
return { return {
id: this.id, id: this.id,
name: this.name, name: this.name,
user_ids: this.user_ids, user_ids: this.user_ids,
ldap_visible: this.ldap_visible,
} }
} }
} }

View File

@ -153,16 +153,6 @@ class User extends AuthUser {
return Group.find({ active: true, user_ids: this.id }) return Group.find({ active: true, user_ids: this.id })
} }
async ldap_groups() {
const Group = this.models.get('ldap:Group')
return await Group.find({
$or: [
{ user_ids: this.id },
{ role: { $in: this.roles } },
],
})
}
async to_ldap() { async to_ldap() {
const ldap_data = { const ldap_data = {
uid: this.uid, uid: this.uid,
@ -182,10 +172,11 @@ class User extends AuthUser {
ldap_data[`data${key.substr(4)}`] = `${addl_data[key]}` ldap_data[`data${key.substr(4)}`] = `${addl_data[key]}`
} }
const ldap_groups = await this.ldap_groups() const groups = await this.groups()
if ( ldap_groups.length > 0 ) { if ( groups.length > 0 ) {
ldap_data.memberOf = ldap_groups.map(x => x.dn.format(this.configs.get('ldap:server.format'))) const group_data = groups.map(x => x.dn.format(this.configs.get('ldap:server.format')))
ldap_data.memberof = ldap_groups.map(x => x.dn.format(this.configs.get('ldap:server.format'))) ldap_data.memberOf = group_data
ldap_data.memberof = group_data
} }
return ldap_data return ldap_data

View File

@ -1,54 +0,0 @@
const LDAPBase = require('../LDAPBase')
const LDAP = require('ldapjs')
class GroupModel extends LDAPBase {
static get services() {
return [...super.services, 'configs', 'ldap_server', 'models']
}
static get schema() {
return {
role: String,
user_ids: [String],
name: String,
active: {type: Boolean, default: true},
ldap_visible: {type: Boolean, default: true},
}
}
async to_api() {
return {
id: this.id,
role: this.role,
user_ids: this.user_ids,
name: this.name,
ldap_visible: this.ldap_visible,
}
}
get dn() {
return LDAP.parseDN(`cn=${this.name},${this.ldap_server.group_dn().format(this.configs.get('ldap:server.format'))}`)
}
async users() {
const User = this.models.get('auth:User')
return User.find({
$or: [
{ _id: { $in: this.user_ids.map(x => this.constructor.to_object_id(x)) } },
{ roles: this.role },
],
})
}
async to_ldap() {
const users = await this.users()
return {
cn: this.name,
dn: this.dn.format(this.configs.get('ldap:server.format')),
objectClass: 'groupOfNames',
member: users.map(x => x.dn.format(this.configs.get('ldap:server.format')))
}
}
}
module.exports = exports = GroupModel