Starship/CoreID
1
0
Fork 0
Code Issues 8 Pull Requests Releases 34 Wiki Activity

Compare commits

base: Starship:0.1.0-rc6
Branches Tags
Starship:master Starship:feature/cd
Starship:ci-26 Starship:ci-25 Starship:ci-24 Starship:ci-23 Starship:ci-22 Starship:ci-21 Starship:ci-20 Starship:ci-19 Starship:ci-18 Starship:ci-17 Starship:ci-16 Starship:ci-15 Starship:ci-14 Starship:ci-13 Starship:ci-12 Starship:ci-11 Starship:ci-10 Starship:ci-09 Starship:ci-08 Starship:ci-07 Starship:ci-06 Starship:ci-05 Starship:ci-04 Starship:ci-03 Starship:ci=02 Starship:ci-01 Starship:0.1.0 Starship:0.1.0-rc8 Starship:0.1.0-rc7 Starship:0.1.0-rc6 Starship:0.1.0-rc5 Starship:0.1.0-rc3 Starship:0.1.0-rc2 Starship:0.1.0-rc1
...
compare: Starship:ci-06
Branches Tags
Starship:master Starship:feature/cd
Starship:ci-26 Starship:ci-25 Starship:ci-24 Starship:ci-23 Starship:ci-22 Starship:ci-21 Starship:ci-20 Starship:ci-19 Starship:ci-18 Starship:ci-17 Starship:ci-16 Starship:ci-15 Starship:ci-14 Starship:ci-13 Starship:ci-12 Starship:ci-11 Starship:ci-10 Starship:ci-09 Starship:ci-08 Starship:ci-07 Starship:ci-06 Starship:ci-05 Starship:ci-04 Starship:ci-03 Starship:ci=02 Starship:ci-01 Starship:0.1.0 Starship:0.1.0-rc8 Starship:0.1.0-rc7 Starship:0.1.0-rc6 Starship:0.1.0-rc5 Starship:0.1.0-rc3 Starship:0.1.0-rc2 Starship:0.1.0-rc1

6 Commits
0.1.0-rc6 ... ci-06

Author SHA1 Message Date
garrettmills
5eb0487c77 Allow oauth2 clients to exercise permissions independent to the user
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 20:22:10 -05:00
garrettmills
3f2680671b Permission middleware log oauth client UUID
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 18:55:21 -05:00
garrettmills
fd06e17d7d Use req.user to check auth instead of req.is_auth
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 18:35:55 -05:00
garrettmills
efdea10b14 Guarantee req.oauth in APIRoute middleware
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 17:19:26 -05:00
garrettmills
ce7349565e Fix LDAP search error for individual users
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 17:06:34 -05:00
garrettmills
a4695a7ecd Checkout master on prod deploy
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-09-14 17:31:59 -05:00
5 changed files with 24 additions and 6 deletions
Expand all files Collapse all files

1
.drone.yml
View File

@@ -24,6 +24,7 @@ steps:
from_secret: deploy_ssh_port from_secret: deploy_ssh_port
script: script:
- cd /home/coreid/CoreID - cd /home/coreid/CoreID
- git checkout master
- git pull - git pull
- git checkout ${DRONE_TAG} - git checkout ${DRONE_TAG}
- git pull - git pull

13
app/ldap/controllers/Users.controller.js
View File

@@ -218,10 +218,12 @@ class UsersController extends LDAPController {
// TODO flitter-orm chunk query // TODO flitter-orm chunk query
// TODO generalize scoped search logic // TODO generalize scoped search logic
async search_people(req, res, next) { async search_people(req, res, next) {
if ( !req.user.can('ldap:search:users') ) { if ( !req.user.can('ldap:search:users:me') ) {
return next(new LDAP.InsufficientAccessRightsError()) return next(new LDAP.InsufficientAccessRightsError())
} }
const can_search_all = req.user.can('ldap:search:users')
const iam_targets = this.parse_iam_targets(req.filter) const iam_targets = this.parse_iam_targets(req.filter)
if ( req.scope === 'base' ) { if ( req.scope === 'base' ) {
// If scope is base, check if the base DN matches the filter. // If scope is base, check if the base DN matches the filter.
@@ -231,7 +233,12 @@ class UsersController extends LDAPController {
const user = await this.get_resource_from_dn(req.dn) const user = await this.get_resource_from_dn(req.dn)
// Make sure the user is ldap visible && match the filter // Make sure the user is ldap visible && match the filter
if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) { if (
user
&& user.ldap_visible
&& req.filter.matches(await user.to_ldap(iam_targets))
&& (req.user.id === user.id || can_search_all)
) {
// If so, send the object // If so, send the object
res.send({ res.send({
@@ -255,6 +262,7 @@ class UsersController extends LDAPController {
// Fetch the LDAP-visible users // Fetch the LDAP-visible users
const users = await this.User.ldap_directory() const users = await this.User.ldap_directory()
for ( const user of users ) { for ( const user of users ) {
if ( user.id !== req.user.id && !can_search_all ) continue
// Make sure the user os of the appropriate scope // Make sure the user os of the appropriate scope
if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) { if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
@@ -283,6 +291,7 @@ class UsersController extends LDAPController {
this.output.debug(`Filter:`) this.output.debug(`Filter:`)
this.output.debug(this.filter_to_obj(req.filter.json)) this.output.debug(this.filter_to_obj(req.filter.json))
for ( const user of users ) { for ( const user of users ) {
if ( user.id !== req.user.id && !can_search_all ) continue
this.output.debug(`Checking ${user.uid}...`) this.output.debug(`Checking ${user.uid}...`)
this.output.debug(`DN: ${user.dn}`) this.output.debug(`DN: ${user.dn}`)
this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`) this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`)

7
app/routing/middleware/api/Permission.middleware.js
View File

@@ -17,13 +17,18 @@ class PermissionMiddleware extends Middleware {
req, req,
reason, reason,
check, check,
oauth_client_id: req.oauth.client.id, oauth_client_id: req.oauth.client.uuid,
}) })
return res.status(401) return res.status(401)
.message('Insufficient permissions (OAuth2 Client).') .message('Insufficient permissions (OAuth2 Client).')
.api() .api()
} }
// If the oauth2 client has this permission, then allow the request to continue,
// even if the user does not.
// OAuth2Clients need to be able to query users via the API.
return next()
} }
const policy_denied = await Policy.check_user_denied(req.user, check) const policy_denied = await Policy.check_user_denied(req.user, check)

8
app/routing/middleware/auth/APIRoute.middleware.js
View File

@@ -7,9 +7,11 @@ class APIRouteMiddleware extends Middleware {
async test(req, res, next, { allow_token = true, allow_user = true }) { async test(req, res, next, { allow_token = true, allow_user = true }) {
// First, check if there is a user in the session. // First, check if there is a user in the session.
if ( allow_user && req.is_auth ) { if ( allow_user && req.user ) {
return next() return next()
} else if ( allow_token ) { } else if ( allow_token ) {
if ( !req.oauth ) req.oauth = {}
return req.app.oauth2.authorise()(req, res, async e => { return req.app.oauth2.authorise()(req, res, async e => {
if ( e ) return next(e) if ( e ) return next(e)
// Look up the OAuth2 client an inject it into the route // Look up the OAuth2 client an inject it into the route
@@ -51,9 +53,9 @@ class APIRouteMiddleware extends Middleware {
next() next()
}) })
} else {
return res.status(401).api()
} }
return res.status(401).api()
} }
} }

1
config/auth.config.js
View File

@@ -194,6 +194,7 @@ const auth_config = {
// LDAP Binding // LDAP Binding
'ldap:bind', 'ldap:bind',
'ldap:search:users:me',
], ],
root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'], root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'],