Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
fcbf25e3ce
|
|||
|
084ec7bbc1
|
|||
|
6b3339a883
|
|||
|
8f1bbfef56
|
|||
|
e400e16ccc
|
|||
|
97096f619f
|
|||
|
2d97b77bbf
|
|||
|
5916222f7b
|
|||
|
bb79d52911
|
|||
|
2e05ec77c8
|
|||
|
433af8261f
|
@@ -18,6 +18,11 @@ class CoreIDAdapter {
|
||||
expiresAt = new Date(Date.now() + (expiresIn * 1000))
|
||||
}
|
||||
|
||||
if ( payload.uid ) {
|
||||
payload.originalUid = payload.uid
|
||||
payload.uid = payload.uid.toLowerCase()
|
||||
}
|
||||
|
||||
await this.coll().updateOne(
|
||||
{ _id },
|
||||
{ $set: { payload, ...(expiresAt ? { expiresAt } : undefined) } },
|
||||
@@ -34,6 +39,11 @@ class CoreIDAdapter {
|
||||
).limit(1).next()
|
||||
|
||||
if (!result) return undefined
|
||||
|
||||
if ( result?.payload?.originalUid ) {
|
||||
result.payload.uid = result.payload.originalUid
|
||||
}
|
||||
|
||||
return result.payload
|
||||
}
|
||||
|
||||
@@ -49,11 +59,16 @@ class CoreIDAdapter {
|
||||
|
||||
async findByUid(uid) {
|
||||
const result = await this.coll().find(
|
||||
{ 'payload.uid': uid },
|
||||
{ 'payload.uid': uid.toLowerCase() },
|
||||
{ payload: 1 },
|
||||
).limit(1).next()
|
||||
|
||||
if (!result) return undefined
|
||||
|
||||
if ( result?.payload?.originalUid ) {
|
||||
result.payload.uid = result.payload.originalUid
|
||||
}
|
||||
|
||||
return result.payload
|
||||
}
|
||||
|
||||
|
||||
@@ -43,7 +43,7 @@ class FlitterProfileMapper {
|
||||
getClaims() {
|
||||
const claims = {}
|
||||
|
||||
claims[this.map.nameIdentifier] = this.user.uid
|
||||
claims[this.map.nameIdentifier] = this.user.uid.toLowerCase()
|
||||
claims[this.map.email] = this.user.email
|
||||
claims[this.map.name] = `${this.user.first_name} ${this.user.last_name}`
|
||||
claims[this.map.givenname] = this.user.first_name
|
||||
@@ -54,7 +54,7 @@ class FlitterProfileMapper {
|
||||
}
|
||||
|
||||
getNameIdentifier() {
|
||||
return { nameIdentifier: this.user.uid }
|
||||
return { nameIdentifier: this.user.uid.toLowerCase() }
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -119,14 +119,12 @@ class OpenIDController extends Controller {
|
||||
uid, prompt, params, session,
|
||||
} = await this.openid_connect.provider.interactionDetails(req, res)
|
||||
|
||||
console.log({uid, prompt, params, session})
|
||||
|
||||
const name = prompt.name
|
||||
if ( typeof this[name] !== 'function' ) {
|
||||
return this.fail(res, 'Sorry, something has gone wrong.')
|
||||
}
|
||||
|
||||
return this[name](req, res, { uid, prompt, params, session })
|
||||
return this[name](req, res, { uid: uid.toLowerCase(), prompt, params, session })
|
||||
}
|
||||
|
||||
async consent(req, res, { uid, prompt, params, session }) {
|
||||
@@ -172,7 +170,7 @@ class OpenIDController extends Controller {
|
||||
{
|
||||
text: req.T('common.grant'),
|
||||
action: 'redirect',
|
||||
next: `/openid/interaction/${uid}/grant`,
|
||||
next: `/openid/interaction/${uid.toLowerCase()}/grant`,
|
||||
},
|
||||
],
|
||||
})
|
||||
@@ -180,7 +178,7 @@ class OpenIDController extends Controller {
|
||||
}
|
||||
|
||||
async login(req, res, { uid, prompt, params, session }) {
|
||||
return res.redirect(`/openid/interaction/${uid}/start-session`)
|
||||
return res.redirect(`/openid/interaction/${uid.toLowerCase()}/start-session`)
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -71,7 +71,7 @@ class AuthController extends Controller {
|
||||
const user = new User({
|
||||
first_name: req.body.first_name,
|
||||
last_name: req.body.last_name,
|
||||
uid: req.body.uid,
|
||||
uid: req.body.uid.toLowerCase(),
|
||||
email: req.body.email,
|
||||
trap: 'password_reset', // Force user to reset password
|
||||
})
|
||||
@@ -297,7 +297,7 @@ class AuthController extends Controller {
|
||||
.api()
|
||||
|
||||
const user = new User({
|
||||
uid: req.body.uid,
|
||||
uid: req.body.uid.toLowerCase(),
|
||||
email: req.body.email,
|
||||
first_name: req.body.first_name,
|
||||
last_name: req.body.last_name,
|
||||
@@ -417,7 +417,7 @@ class AuthController extends Controller {
|
||||
|
||||
user.first_name = req.body.first_name
|
||||
user.last_name = req.body.last_name
|
||||
user.uid = req.body.uid
|
||||
user.uid = req.body.uid.toLowerCase()
|
||||
user.email = req.body.email
|
||||
|
||||
if ( req.body.tagline )
|
||||
@@ -493,7 +493,7 @@ class AuthController extends Controller {
|
||||
|
||||
if ( is_valid ) {
|
||||
const User = this.models.get('auth:User')
|
||||
const user = await User.findOne({uid: req.body.username})
|
||||
const user = await User.findOne({uid: req.body.username.toLowerCase()})
|
||||
if ( !user || !user.can_login ) is_valid = false
|
||||
}
|
||||
|
||||
@@ -511,7 +511,7 @@ class AuthController extends Controller {
|
||||
const data = {}
|
||||
if ( req.body.username ) {
|
||||
const existing_user = await User.findOne({
|
||||
uid: req.body.username,
|
||||
uid: req.body.username.toLowerCase(),
|
||||
})
|
||||
|
||||
data.username_taken = !!existing_user
|
||||
@@ -544,7 +544,8 @@ class AuthController extends Controller {
|
||||
.message(req.T('auth.unable_to_complete'))
|
||||
.api({ errors })
|
||||
|
||||
const login_args = await flitter.get_login_args(req.body)
|
||||
const [username, ...other_args] = await flitter.get_login_args(req.body)
|
||||
const login_args = [username.toLowerCase(), ...other_args]
|
||||
const user = await flitter.login.apply(flitter, login_args)
|
||||
|
||||
if ( !user )
|
||||
|
||||
@@ -96,7 +96,7 @@ class LDAPController extends Controller {
|
||||
|
||||
// Make sure the uid is free
|
||||
const User = this.models.get('auth:User')
|
||||
const existing_user = await User.findOne({ uid: req.body.uid })
|
||||
const existing_user = await User.findOne({ uid: req.body.uid.toLowerCase() })
|
||||
if ( existing_user )
|
||||
return res.status(400)
|
||||
.message(req.T('api.user_already_exists'))
|
||||
@@ -113,7 +113,7 @@ class LDAPController extends Controller {
|
||||
// Create the client
|
||||
const Client = this.models.get('ldap:Client')
|
||||
const client = await Client.create({
|
||||
uid: req.body.uid,
|
||||
uid: req.body.uid.toLowerCase(),
|
||||
password: req.body.password,
|
||||
name: req.body.name,
|
||||
})
|
||||
@@ -210,16 +210,16 @@ class LDAPController extends Controller {
|
||||
}
|
||||
|
||||
// Update the uid
|
||||
if ( req.body.uid !== user.uid ) {
|
||||
if ( req.body.uid.toLowerCase() !== user.uid ) {
|
||||
// Make sure the UID is free
|
||||
const User = this.models.get('auth:User')
|
||||
const existing_user = await User.findOne({ uid: req.body.uid })
|
||||
const existing_user = await User.findOne({ uid: req.body.uid.toLowerCase() })
|
||||
if ( existing_user )
|
||||
return res.status(400)
|
||||
.message(req.T('api.user_already_exists'))
|
||||
.api()
|
||||
|
||||
user.uid = req.body.uid
|
||||
user.uid = req.body.uid.toLowerCase()
|
||||
}
|
||||
|
||||
// Update the password
|
||||
|
||||
@@ -18,6 +18,24 @@ class Oauth2 extends Oauth2Controller {
|
||||
const StarshipClient = this.models.get('oauth:Client')
|
||||
const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
|
||||
|
||||
// Make sure the user has IAM access before proceeding
|
||||
const Application = this.models.get('Application')
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const application = await Application.findOne({ oauth_client_ids: starship_client.id })
|
||||
if ( !application ) {
|
||||
this.output.warning('IAM Denial!')
|
||||
return this.Vue.auth_message(res, {
|
||||
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
||||
next_destination: '/dash',
|
||||
})
|
||||
} else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
|
||||
this.output.warning('IAM Denial!')
|
||||
return this.Vue.auth_message(res, {
|
||||
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
||||
next_destination: '/dash',
|
||||
})
|
||||
}
|
||||
|
||||
req.user.authorize(starship_client)
|
||||
await req.user.save()
|
||||
return super.authorize_post(req, res, next)
|
||||
@@ -31,6 +49,24 @@ class Oauth2 extends Oauth2Controller {
|
||||
const StarshipClient = this.models.get('oauth:Client')
|
||||
const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
|
||||
|
||||
// Make sure the user has IAM access before proceeding
|
||||
const Application = this.models.get('Application')
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
const application = await Application.findOne({ oauth_client_ids: starship_client.id })
|
||||
if ( !application ) {
|
||||
this.output.warning('IAM Denial!')
|
||||
return this.Vue.auth_message(res, {
|
||||
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
||||
next_destination: '/dash',
|
||||
})
|
||||
} else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
|
||||
this.output.warning('IAM Denial!')
|
||||
return this.Vue.auth_message(res, {
|
||||
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
||||
next_destination: '/dash',
|
||||
})
|
||||
}
|
||||
|
||||
if ( req.user.has_authorized(starship_client) ) {
|
||||
return this.Vue.invoke_action(res, {
|
||||
text: 'Grant Access',
|
||||
|
||||
@@ -67,7 +67,7 @@ class SAMLController extends Controller {
|
||||
key: await this.saml.private_key(),
|
||||
protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
||||
clearIdPSession: done => {
|
||||
this.output.info(`${req.T('saml.clear_idp_session')} ${req.user.uid}`)
|
||||
this.output.info(`${req.T('saml.clear_idp_session')} ${req.user.uid.toLowerCase()}`)
|
||||
req.saml.participants.clear().then(async () => {
|
||||
if ( this.saml.config().slo.end_coreid_session ) {
|
||||
await req.user.logout(req)
|
||||
|
||||
@@ -50,7 +50,7 @@ class LDAPController extends Injectable {
|
||||
const item = await this.get_resource_from_dn(req.dn)
|
||||
if ( !item ) {
|
||||
this.output.debug(`Bind failure: ${req.dn} not found`)
|
||||
return next(new LDAP.NoSuchObject())
|
||||
return next(new LDAP.NoSuchObjectError())
|
||||
}
|
||||
|
||||
// If the object is can-able, make sure it can bind
|
||||
|
||||
@@ -52,7 +52,7 @@ class UsersController extends LDAPController {
|
||||
first_name: req_data.cn ? req_data.cn[0] : '',
|
||||
last_name: req_data.sn ? req_data.sn[0] : '',
|
||||
email: req_data.mail ? req_data.mail[0] : '',
|
||||
username: req_data.uid ? req_data.uid[0] : '',
|
||||
username: req_data.uid ? req_data.uid[0].toLowerCase() : '',
|
||||
password: req_data.userpassword ? req_data.userpassword[0] : '',
|
||||
}
|
||||
|
||||
@@ -299,6 +299,7 @@ class UsersController extends LDAPController {
|
||||
|
||||
// Make sure the user is of appropriate scope
|
||||
if ( req.dn.equals(user.dn) || req.dn.parentOf(user.dn) ) {
|
||||
this.output.debug(await user.to_ldap())
|
||||
this.output.debug(`Matches sub scope. Matches filter? ${req.filter.matches(await user.to_ldap(iam_targets))}`)
|
||||
|
||||
// Check if filter matches
|
||||
@@ -326,7 +327,7 @@ class UsersController extends LDAPController {
|
||||
|
||||
try {
|
||||
if ( typeof dn === 'string' ) dn = LDAP.parseDN(dn)
|
||||
return dn.rdns[0].attrs[uid_field].value
|
||||
return dn.rdns[0].attrs[uid_field].value.toLowerCase()
|
||||
} catch (e) {}
|
||||
}
|
||||
|
||||
@@ -334,7 +335,7 @@ class UsersController extends LDAPController {
|
||||
const uid = this.get_uid_from_dn(dn)
|
||||
if ( uid ) {
|
||||
const User = this.models.get('auth:User')
|
||||
return User.findOne({uid, ldap_visible: true})
|
||||
return User.findOne({uid: uid.toLowerCase(), ldap_visible: true})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -173,7 +173,7 @@ class User extends AuthUser {
|
||||
const Policy = this.models.get('iam:Policy')
|
||||
|
||||
const ldap_data = {
|
||||
uid: this.uid,
|
||||
uid: this.uid.toLowerCase(),
|
||||
uuid: this.uuid,
|
||||
cn: this.first_name,
|
||||
sn: this.last_name,
|
||||
@@ -213,7 +213,7 @@ class User extends AuthUser {
|
||||
}
|
||||
|
||||
get dn() {
|
||||
return LDAP.parseDN(`uid=${this.uid},${this.ldap_server.auth_dn().format(this.configs.get('ldap:server.format'))}`)
|
||||
return LDAP.parseDN(`uid=${this.uid.toLowerCase()},${this.ldap_server.auth_dn().format(this.configs.get('ldap:server.format'))}`)
|
||||
}
|
||||
|
||||
// The following are used by OpenID connect
|
||||
@@ -227,15 +227,15 @@ class User extends AuthUser {
|
||||
given_name: this.first_name,
|
||||
locale: 'en_US', // TODO
|
||||
name: `${this.first_name} ${this.last_name}`,
|
||||
preferred_username: this.uid,
|
||||
username: this.uid,
|
||||
preferred_username: this.uid.toLowerCase(),
|
||||
username: this.uid.toLowerCase(),
|
||||
}
|
||||
}
|
||||
|
||||
static async findByLogin(login) {
|
||||
return this.findOne({
|
||||
active: true,
|
||||
uid: login,
|
||||
uid: login.toLowerCase(),
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
@@ -118,7 +118,7 @@ class PolicyModel extends Model {
|
||||
if ( this.entity_type === 'user' ) {
|
||||
const User = this.models.get('auth:User')
|
||||
const user = await User.findById(this.entity_id)
|
||||
entity_display = `User: ${user.last_name}, ${user.first_name} (${user.uid})`
|
||||
entity_display = `User: ${user.last_name}, ${user.first_name} (${user.uid.toLowerCase()})`
|
||||
} else if ( this.entity_type === 'group' ) {
|
||||
const Group = this.models.get('auth:Group')
|
||||
const group = await Group.findById(this.entity_id)
|
||||
|
||||
@@ -19,7 +19,7 @@ class ClientModel extends Model {
|
||||
const user = new User({
|
||||
first_name: name,
|
||||
last_name: '(LDAP Agent)',
|
||||
uid,
|
||||
uid: uid.toLowerCase(),
|
||||
roles: ['ldap_client'],
|
||||
})
|
||||
|
||||
@@ -58,7 +58,7 @@ class ClientModel extends Model {
|
||||
id: this.id,
|
||||
name: this.name,
|
||||
user_id: user.id,
|
||||
uid: user.uid,
|
||||
uid: user.uid.toLowerCase(),
|
||||
last_invocation: this.last_invocation,
|
||||
permissions: [...user.permissions, ...role_permissions],
|
||||
}
|
||||
|
||||
@@ -17,7 +17,7 @@ class SessionParticipantStore extends Injectable {
|
||||
async issue({ service_provider }) {
|
||||
const sp = new this.SessionParticipant({
|
||||
service_provider_id: service_provider.id,
|
||||
name_id: this.request.user.uid,
|
||||
name_id: this.request.user.uid.toLowerCase(),
|
||||
// session_index: this.get_index(),
|
||||
slo_url: service_provider.slo_url,
|
||||
// TODO sp_cert,
|
||||
|
||||
@@ -10,7 +10,7 @@ class MFAService extends Service {
|
||||
secret(user) {
|
||||
return speakeasy.generateSecret({
|
||||
length: this.configs.get('auth.mfa.secret_length') ?? 20,
|
||||
name: `${this.configs.get('app.name')} (${user.uid})`,
|
||||
name: `${this.configs.get('app.name')} (${user.uid.toLowerCase()})`,
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
@@ -25,7 +25,7 @@ class VueService extends Service {
|
||||
user: {
|
||||
first_name: req.user.first_name,
|
||||
last_name: req.user.last_name,
|
||||
username: req.user.uid,
|
||||
username: req.user.uid.toLowerCase(),
|
||||
email: req.user.email,
|
||||
tagline: req.user.tagline,
|
||||
user_id: req.user.id,
|
||||
|
||||
@@ -28,7 +28,7 @@ class OpenIDConnectUnit extends Unit {
|
||||
clients: [],
|
||||
interactions: {
|
||||
interactions,
|
||||
url: (ctx, interaction) => `/openid/interaction/${ctx.oidc.uid}`,
|
||||
url: (ctx, interaction) => `/openid/interaction/${ctx.oidc.uid.toLowerCase()}`,
|
||||
},
|
||||
cookies: {
|
||||
long: { signed: true, maxAge: 24 * 60 * 60 * 1000 }, // 1 day, ms
|
||||
|
||||
@@ -10,6 +10,7 @@ class SettingsUnit extends Unit {
|
||||
}
|
||||
|
||||
async go(app) {
|
||||
Error.stackTraceLimit = 50
|
||||
app.express.set('trust proxy', true)
|
||||
|
||||
const Setting = this.models.get('Setting')
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
"ioredis": "^4.17.1",
|
||||
"is-absolute-url": "^3.0.3",
|
||||
"ldapjs": "^1.0.2",
|
||||
"libflitter": "^0.56.0",
|
||||
"libflitter": "^0.56.1",
|
||||
"moment": "^2.24.0",
|
||||
"mongodb": "^3.5.9",
|
||||
"nodemailer": "^6.4.6",
|
||||
|
||||
@@ -3235,10 +3235,10 @@ leven@^1.0.2:
|
||||
resolved "https://registry.yarnpkg.com/leven/-/leven-1.0.2.tgz#9144b6eebca5f1d0680169f1a6770dcea60b75c3"
|
||||
integrity sha1-kUS27ryl8dBoAWnxpncNzqYLdcM=
|
||||
|
||||
libflitter@^0.56.0:
|
||||
version "0.56.0"
|
||||
resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.56.0.tgz#1ff04b7749d55e7a011149b8a6cae561b8e800d8"
|
||||
integrity sha512-AwCmTZaKPOQqDWiASvxMuWaexBYxuKpY/QMVnrVdW/VXT5eW0rIf+bJy6RdQGiH8GzlB3442+U4yl4VWNfeKsQ==
|
||||
libflitter@^0.56.1:
|
||||
version "0.56.1"
|
||||
resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.56.1.tgz#250166027b9cab727c9deb6b1fa1865428b1eafb"
|
||||
integrity sha512-QikFtFRa9okKOjOio5ehpQ6hyacCoMbtOlqcXt4I7uU3lntBeP5qSbz1q3x1wUY/AdBc2k70+Eg8BcpGmBEs4Q==
|
||||
dependencies:
|
||||
colors "^1.3.3"
|
||||
connect-mongodb-session "^2.2.0"
|
||||
|
||||
Reference in New Issue
Block a user