Starship/CoreID
1
0
Fork 0
Code Issues 8 Pull Requests Releases 34 Wiki Activity

Compare commits

base: Starship:ci-03
Branches Tags
Starship:master Starship:feature/cd
Starship:ci-26 Starship:ci-25 Starship:ci-24 Starship:ci-23 Starship:ci-22 Starship:ci-21 Starship:ci-20 Starship:ci-19 Starship:ci-18 Starship:ci-17 Starship:ci-16 Starship:ci-15 Starship:ci-14 Starship:ci-13 Starship:ci-12 Starship:ci-11 Starship:ci-10 Starship:ci-09 Starship:ci-08 Starship:ci-07 Starship:ci-06 Starship:ci-05 Starship:ci-04 Starship:ci-03 Starship:ci=02 Starship:ci-01 Starship:0.1.0 Starship:0.1.0-rc8 Starship:0.1.0-rc7 Starship:0.1.0-rc6 Starship:0.1.0-rc5 Starship:0.1.0-rc3 Starship:0.1.0-rc2 Starship:0.1.0-rc1
..
compare: Starship:ci-12
Branches Tags
Starship:master Starship:feature/cd
Starship:ci-26 Starship:ci-25 Starship:ci-24 Starship:ci-23 Starship:ci-22 Starship:ci-21 Starship:ci-20 Starship:ci-19 Starship:ci-18 Starship:ci-17 Starship:ci-16 Starship:ci-15 Starship:ci-14 Starship:ci-13 Starship:ci-12 Starship:ci-11 Starship:ci-10 Starship:ci-09 Starship:ci-08 Starship:ci-07 Starship:ci-06 Starship:ci-05 Starship:ci-04 Starship:ci-03 Starship:ci=02 Starship:ci-01 Starship:0.1.0 Starship:0.1.0-rc8 Starship:0.1.0-rc7 Starship:0.1.0-rc6 Starship:0.1.0-rc5 Starship:0.1.0-rc3 Starship:0.1.0-rc2 Starship:0.1.0-rc1

12 Commits
ci-03 ... ci-12

Author SHA1 Message Date
garrettmills
2d97b77bbf Fix user bind error constructor
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 23:04:01 -05:00
garrettmills
5916222f7b Update libflitte
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 22:11:23 -05:00
garrettmills
bb79d52911 Increase error stack trace limit
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-10-18 22:07:12 -05:00
garrettmills
2e05ec77c8 Increase error stack trace limit
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-10-18 22:06:08 -05:00
garrettmills
433af8261f Add debug output
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-10-18 21:44:53 -05:00
garrettmills
59d831c61f Update libflitter and enable database error logging
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 21:31:46 -05:00
garrettmills
fac3431375 Add api authorization logging
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 21:07:42 -05:00
garrettmills
7c8a05aa4f Update libflitter
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 21:00:59 -05:00
garrettmills
1cd306157a Update libflitter and add config to log API responses
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 20:49:19 -05:00
garrettmills
5eb0487c77 Allow oauth2 clients to exercise permissions independent to the user
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 20:22:10 -05:00
garrettmills
3f2680671b Permission middleware log oauth client UUID
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 18:55:21 -05:00
garrettmills
fd06e17d7d Use req.user to check auth instead of req.is_auth
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/tag Build is passing
Details
2020-10-18 18:35:55 -05:00
9 changed files with 47 additions and 12 deletions
Expand all files Collapse all files

2
app/ldap/controllers/LDAPController.js
View File

@@ -50,7 +50,7 @@ class LDAPController extends Injectable {
const item = await this.get_resource_from_dn(req.dn)
if ( !item ) {
this.output.debug(`Bind failure: ${req.dn} not found`)
return next(new LDAP.NoSuchObject())
return next(new LDAP.NoSuchObjectError())
}
// If the object is can-able, make sure it can bind

1
app/ldap/controllers/Users.controller.js
View File

@@ -299,6 +299,7 @@ class UsersController extends LDAPController {
// Make sure the user is of appropriate scope
if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) {
this.output.debug(await user.to_ldap())
this.output.debug(`Matches sub scope. Matches filter? ${req.filter.matches(await user.to_ldap(iam_targets))}`)
// Check if filter matches

23
app/routing/middleware/api/Permission.middleware.js
View File

@@ -8,22 +8,34 @@ class PermissionMiddleware extends Middleware {
async test(req, res, next, { check }) {
const Policy = this.models.get('iam:Policy')
req.additional_api_log_data.permission_check = check
// If the request was authorized using an OAuth2 bearer token,
// make sure the associated client has permission to access this endpoint.
if ( req?.oauth?.client ) {
if ( !req.oauth.client.can(check) ) {
const reason = 'oauth-permission-fail'
await this.activity.api_access_denial({
const fail_activity = await this.activity.api_access_denial({
req,
reason,
check,
oauth_client_id: req.oauth.client.id,
oauth_client_id: req.oauth.client.uuid,
})
req.additional_api_log_data.permission_check_succeeded = false
req.additional_api_log_data.permission_check_activity_id = fail_activity.id
return res.status(401)
.message('Insufficient permissions (OAuth2 Client).')
.api()
}
req.additional_api_log_data.permission_check_succeeded = true
// If the oauth2 client has this permission, then allow the request to continue,
// even if the user does not.
// OAuth2Clients need to be able to query users via the API.
return next()
}
const policy_denied = await Policy.check_user_denied(req.user, check)
@@ -33,13 +45,18 @@ class PermissionMiddleware extends Middleware {
if ( policy_denied || (!req.user.can(check) && !policy_access) ) {
// Record the failed API access
const reason = policy_denied ? 'iam-denial' : (!req.user.can(check) ? 'user-permission-fail' : 'iam-not-granted')
await this.activity.api_access_denial({ req, reason, check })
const fail_activity = await this.activity.api_access_denial({ req, reason, check })
req.additional_api_log_data.permission_check_succeeded = false
req.additional_api_log_data.permission_check_reason = reason
req.additional_api_log_data.permission_check_activity_id = fail_activity.id
return res.status(401)
.message('Insufficient permissions.')
.api()
}
req.additional_api_log_data.permission_check_succeeded = true
return next()
}
}

17
app/routing/middleware/auth/APIRoute.middleware.js
View File

@@ -6,13 +6,21 @@ class APIRouteMiddleware extends Middleware {
}
async test(req, res, next, { allow_token = true, allow_user = true }) {
if ( !req.additional_api_log_data ) req.additional_api_log_data = {}
// First, check if there is a user in the session.
if ( allow_user && req.is_auth ) {
if ( allow_user && req.user ) {
req.additional_api_log_data.authorized_by = 'user'
return next()
} else if ( allow_token ) {
if ( !req.oauth ) req.oauth = {}
req.additional_api_log_data.attempted_token_auth = true
return req.app.oauth2.authorise()(req, res, async e => {
if ( e ) return next(e)
req.additional_api_log_data.authorized_by = 'token'
// Look up the OAuth2 client an inject it into the route
if ( req.user && req.user.id ) {
const User = this.models.get('auth:User')
@@ -43,6 +51,9 @@ class APIRouteMiddleware extends Middleware {
.message('This OAuth2 client is no longer authorized.')
.api()
req.additional_api_log_data.token_client_id = client.uuid
req.additional_api_log_data.token = bearer
req.oauth.token = token
req.oauth.client = client
} else
@@ -52,9 +63,9 @@ class APIRouteMiddleware extends Middleware {
next()
})
} else {
return res.status(401).api()
}
return res.status(401).api()
}
}

1
app/services/activity.service.js
View File

@@ -36,6 +36,7 @@ class ActivityService extends Service {
}
await activity.save()
return activity
}
async mfa_enable({ req }) {

1
app/unit/SettingsUnit.js
View File

@@ -10,6 +10,7 @@ class SettingsUnit extends Unit {
}
async go(app) {
Error.stackTraceLimit = 50
app.express.set('trust proxy', true)
const Setting = this.models.get('Setting')

4
config/server.config.js
View File

@@ -23,6 +23,10 @@ const server_config = {
level: env("LOGGING_LEVEL", 2),
include_timestamp: env("LOGGING_TIMESTAMP", false),
api_logging: env('LOG_API_RESPONSES', false),
error_logging: env('LOG_REQUEST_ERRORS', true),
},
session: {

2
package.json
View File

@@ -33,7 +33,7 @@
"ioredis": "^4.17.1",
"is-absolute-url": "^3.0.3",
"ldapjs": "^1.0.2",
"libflitter": "^0.53.1",
"libflitter": "^0.56.1",
"moment": "^2.24.0",
"mongodb": "^3.5.9",
"nodemailer": "^6.4.6",

8
yarn.lock
View File

@@ -3235,10 +3235,10 @@ leven@^1.0.2:
resolved "https://registry.yarnpkg.com/leven/-/leven-1.0.2.tgz#9144b6eebca5f1d0680169f1a6770dcea60b75c3"
integrity sha1-kUS27ryl8dBoAWnxpncNzqYLdcM=
libflitter@^0.53.1:
version "0.53.1"
resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.53.1.tgz#30b1838763a228fba8b9c820d2cad501c3aa0117"
integrity sha512-EK3okZyt0pmnpsZNx2lYOIcwgtmSOEPh4a5xE3pXM9RVc3dtXXscgJ5h9OvLTIN9WfRc7T5VTdpOjeAK6Xmysg==
libflitter@^0.56.1:
version "0.56.1"
resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.56.1.tgz#250166027b9cab727c9deb6b1fa1865428b1eafb"
integrity sha512-QikFtFRa9okKOjOio5ehpQ6hyacCoMbtOlqcXt4I7uU3lntBeP5qSbz1q3x1wUY/AdBc2k70+Eg8BcpGmBEs4Q==
dependencies:
colors "^1.3.3"
connect-mongodb-session "^2.2.0"