Fix user bind error constructor

Update libflitte
Increase error stack trace limit
2020-10-18 23:04:01 -05:00 · 2020-10-18 22:11:23 -05:00 · 2020-10-18 22:07:12 -05:00 · 2020-10-18 22:06:08 -05:00 · 2020-10-18 21:44:53 -05:00 · 2020-10-18 21:31:46 -05:00
10 changed files with 60 additions and 14 deletions
--- a/app/ldap/controllers/LDAPController.js
+++ b/app/ldap/controllers/LDAPController.js
@@ -50,7 +50,7 @@ class LDAPController extends Injectable {
        const item = await this.get_resource_from_dn(req.dn)
        if ( !item ) {
            this.output.debug(`Bind failure: ${req.dn} not found`)
-            return next(new LDAP.NoSuchObject())
+            return next(new LDAP.NoSuchObjectError())
        }

        // If the object is can-able, make sure it can bind
--- a/app/ldap/controllers/Users.controller.js
+++ b/app/ldap/controllers/Users.controller.js
@@ -218,10 +218,12 @@ class UsersController extends LDAPController {
    // TODO flitter-orm chunk query
    // TODO generalize scoped search logic
    async search_people(req, res, next) {
-        if ( !req.user.can('ldap:search:users') ) {
+        if ( !req.user.can('ldap:search:users:me') ) {
            return next(new LDAP.InsufficientAccessRightsError())
        }

+        const can_search_all = req.user.can('ldap:search:users')
+
        const iam_targets = this.parse_iam_targets(req.filter)
        if ( req.scope === 'base' ) {
            // If scope is base, check if the base DN matches the filter.
@@ -231,7 +233,12 @@ class UsersController extends LDAPController {
            const user = await this.get_resource_from_dn(req.dn)

            // Make sure the user is ldap visible && match the filter
-            if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) {
+            if (
+                user
+                && user.ldap_visible
+                && req.filter.matches(await user.to_ldap(iam_targets))
+                && (req.user.id === user.id || can_search_all)
+            ) {

                // If so, send the object
                res.send({
@@ -255,6 +262,7 @@ class UsersController extends LDAPController {
            // Fetch the LDAP-visible users
            const users = await this.User.ldap_directory()
            for ( const user of users ) {
+                if ( user.id !== req.user.id && !can_search_all ) continue

                // Make sure the user os of the appropriate scope
                if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
@@ -283,6 +291,7 @@ class UsersController extends LDAPController {
            this.output.debug(`Filter:`)
            this.output.debug(this.filter_to_obj(req.filter.json))
            for ( const user of users ) {
+                if ( user.id !== req.user.id && !can_search_all ) continue
                this.output.debug(`Checking ${user.uid}...`)
                this.output.debug(`DN: ${user.dn}`)
                this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`)
@@ -290,6 +299,7 @@ class UsersController extends LDAPController {

                // Make sure the user is of appropriate scope
                if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) {
+                    this.output.debug(await user.to_ldap())
                    this.output.debug(`Matches sub scope. Matches filter? ${req.filter.matches(await user.to_ldap(iam_targets))}`)

                    // Check if filter matches
--- a/app/routing/middleware/api/Permission.middleware.js
+++ b/app/routing/middleware/api/Permission.middleware.js
@@ -8,22 +8,34 @@ class PermissionMiddleware extends Middleware {
    async test(req, res, next, { check }) {
        const Policy = this.models.get('iam:Policy')

+        req.additional_api_log_data.permission_check = check
+
        // If the request was authorized using an OAuth2 bearer token,
        // make sure the associated client has permission to access this endpoint.
        if ( req?.oauth?.client ) {
            if ( !req.oauth.client.can(check) ) {
                const reason = 'oauth-permission-fail'
-                await this.activity.api_access_denial({
+                const fail_activity = await this.activity.api_access_denial({
                    req,
                    reason,
                    check,
-                    oauth_client_id: req.oauth.client.id,
+                    oauth_client_id: req.oauth.client.uuid,
                })

+                req.additional_api_log_data.permission_check_succeeded = false
+                req.additional_api_log_data.permission_check_activity_id = fail_activity.id
+
                return res.status(401)
                    .message('Insufficient permissions (OAuth2 Client).')
                    .api()
            }
+
+            req.additional_api_log_data.permission_check_succeeded = true
+
+            // If the oauth2 client has this permission, then allow the request to continue,
+            // even if the user does not.
+            // OAuth2Clients need to be able to query users via the API.
+            return next()
        }

        const policy_denied = await Policy.check_user_denied(req.user, check)
@@ -33,13 +45,18 @@ class PermissionMiddleware extends Middleware {
        if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
            // Record the failed API access
            const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
-            await this.activity.api_access_denial({ req, reason, check })
+            const fail_activity = await this.activity.api_access_denial({ req, reason, check })
+
+            req.additional_api_log_data.permission_check_succeeded = false
+            req.additional_api_log_data.permission_check_reason = reason
+            req.additional_api_log_data.permission_check_activity_id = fail_activity.id

            return res.status(401)
                .message('Insufficient permissions.')
                .api()
        }

+        req.additional_api_log_data.permission_check_succeeded = true
        return next()
    }
 }
--- a/app/routing/middleware/auth/APIRoute.middleware.js
+++ b/app/routing/middleware/auth/APIRoute.middleware.js
@@ -6,12 +6,21 @@ class APIRouteMiddleware extends Middleware {
    }

    async test(req, res, next, { allow_token = true, allow_user = true }) {
+        if ( !req.additional_api_log_data ) req.additional_api_log_data = {}
+
        // First, check if there is a user in the session.
-        if ( allow_user && req.is_auth ) {
+        if ( allow_user && req.user ) {
+            req.additional_api_log_data.authorized_by = 'user'
            return next()
        } else if ( allow_token ) {
+            if ( !req.oauth ) req.oauth = {}
+            req.additional_api_log_data.attempted_token_auth = true
+
            return req.app.oauth2.authorise()(req, res, async e => {
                if ( e ) return next(e)
+
+                req.additional_api_log_data.authorized_by = 'token'
+
                // Look up the OAuth2 client an inject it into the route
                if ( req.user && req.user.id ) {
                    const User = this.models.get('auth:User')
@@ -42,6 +51,9 @@ class APIRouteMiddleware extends Middleware {
                            .message('This OAuth2 client is no longer authorized.')
                            .api()

+                    req.additional_api_log_data.token_client_id = client.uuid
+                    req.additional_api_log_data.token = bearer
+
                    req.oauth.token = token
                    req.oauth.client = client
                } else
@@ -51,9 +63,9 @@ class APIRouteMiddleware extends Middleware {

                next()
            })
+        } else {
+            return res.status(401).api()
        }
-
-        return res.status(401).api()
    }
 }

--- a/app/services/activity.service.js
+++ b/app/services/activity.service.js
@@ -36,6 +36,7 @@ class ActivityService extends Service {
        }

        await activity.save()
+        return activity
    }

    async mfa_enable({ req }) {
--- a/app/unit/SettingsUnit.js
+++ b/app/unit/SettingsUnit.js
@@ -10,6 +10,7 @@ class SettingsUnit extends Unit {
    }

    async go(app) {
+        Error.stackTraceLimit = 50
        app.express.set('trust proxy', true)

        const Setting = this.models.get('Setting')
--- a/config/auth.config.js
+++ b/config/auth.config.js
@@ -194,6 +194,7 @@ const auth_config = {

            // LDAP Binding
            'ldap:bind',
+            'ldap:search:users:me',
        ],

        root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'],
--- a/config/server.config.js
+++ b/config/server.config.js
@@ -23,6 +23,10 @@ const server_config = {
        level: env("LOGGING_LEVEL", 2),

        include_timestamp: env("LOGGING_TIMESTAMP", false),
+
+        api_logging: env('LOG_API_RESPONSES', false),
+
+        error_logging: env('LOG_REQUEST_ERRORS', true),
    },

    session: {
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
    "ioredis": "^4.17.1",
    "is-absolute-url": "^3.0.3",
    "ldapjs": "^1.0.2",
-    "libflitter": "^0.53.1",
+    "libflitter": "^0.56.1",
    "moment": "^2.24.0",
    "mongodb": "^3.5.9",
    "nodemailer": "^6.4.6",
--- a/yarn.lock
+++ b/yarn.lock
@@ -3235,10 +3235,10 @@ leven@^1.0.2:
  resolved "https://registry.yarnpkg.com/leven/-/leven-1.0.2.tgz#9144b6eebca5f1d0680169f1a6770dcea60b75c3"
  integrity sha1-kUS27ryl8dBoAWnxpncNzqYLdcM=

-libflitter@^0.53.1:
-  version "0.53.1"
-  resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.53.1.tgz#30b1838763a228fba8b9c820d2cad501c3aa0117"
-  integrity sha512-EK3okZyt0pmnpsZNx2lYOIcwgtmSOEPh4a5xE3pXM9RVc3dtXXscgJ5h9OvLTIN9WfRc7T5VTdpOjeAK6Xmysg==
+libflitter@^0.56.1:
+  version "0.56.1"
+  resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.56.1.tgz#250166027b9cab727c9deb6b1fa1865428b1eafb"
+  integrity sha512-QikFtFRa9okKOjOio5ehpQ6hyacCoMbtOlqcXt4I7uU3lntBeP5qSbz1q3x1wUY/AdBc2k70+Eg8BcpGmBEs4Q==
  dependencies:
    colors "^1.3.3"
    connect-mongodb-session "^2.2.0"
Author	SHA1	Message	Date
garrettmills	2d97b77bbf	Fix user bind error constructor All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 23:04:01 -05:00
garrettmills	5916222f7b	Update libflitte All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 22:11:23 -05:00
garrettmills	bb79d52911	Increase error stack trace limit All checks were successful continuous-integration/drone/push Build is passing Details	2020-10-18 22:07:12 -05:00
garrettmills	2e05ec77c8	Increase error stack trace limit All checks were successful continuous-integration/drone/push Build is passing Details	2020-10-18 22:06:08 -05:00
garrettmills	433af8261f	Add debug output All checks were successful continuous-integration/drone/push Build is passing Details	2020-10-18 21:44:53 -05:00
garrettmills	59d831c61f	Update libflitter and enable database error logging All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 21:31:46 -05:00
garrettmills	fac3431375	Add api authorization logging All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 21:07:42 -05:00
garrettmills	7c8a05aa4f	Update libflitter All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 21:00:59 -05:00
garrettmills	1cd306157a	Update libflitter and add config to log API responses All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 20:49:19 -05:00
garrettmills	5eb0487c77	Allow oauth2 clients to exercise permissions independent to the user All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 20:22:10 -05:00
garrettmills	3f2680671b	Permission middleware log oauth client UUID All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 18:55:21 -05:00
garrettmills	fd06e17d7d	Use req.user to check auth instead of req.is_auth All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 18:35:55 -05:00
garrettmills	efdea10b14	Guarantee req.oauth in APIRoute middleware All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 17:19:26 -05:00
garrettmills	ce7349565e	Fix LDAP search error for individual users All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-18 17:06:34 -05:00