Compare commits
10 Commits
feature/cd
...
ci-08
| Author | SHA1 | Date | |
|---|---|---|---|
7c8a05aa4f
|
|||
|
1cd306157a
|
|||
|
5eb0487c77
|
|||
|
3f2680671b
|
|||
|
fd06e17d7d
|
|||
|
efdea10b14
|
|||
|
ce7349565e
|
|||
|
a4695a7ecd
|
|||
|
fcb5b58b11
|
|||
|
96a614c1af
|
21
.drone.yml
21
.drone.yml
@@ -24,12 +24,33 @@ steps:
|
|||||||
from_secret: deploy_ssh_port
|
from_secret: deploy_ssh_port
|
||||||
script:
|
script:
|
||||||
- cd /home/coreid/CoreID
|
- cd /home/coreid/CoreID
|
||||||
|
- git checkout master
|
||||||
|
- git pull
|
||||||
|
- git checkout ${DRONE_TAG}
|
||||||
- git pull
|
- git pull
|
||||||
- yarn install
|
- yarn install
|
||||||
when:
|
when:
|
||||||
event:
|
event:
|
||||||
- tag
|
- tag
|
||||||
- promote
|
- promote
|
||||||
|
- name: restart production services
|
||||||
|
image: appleboy/drone-ssh
|
||||||
|
settings:
|
||||||
|
host:
|
||||||
|
from_secret: deploy_ssh_host
|
||||||
|
username:
|
||||||
|
from_secret: deploy_ssh_admin_user
|
||||||
|
key:
|
||||||
|
from_secret: deploy_ssh_key
|
||||||
|
port:
|
||||||
|
from_secret: deploy_ssh_port
|
||||||
|
script:
|
||||||
|
- systemctl restart coreid-www
|
||||||
|
- systemctl restart coreid-jobs
|
||||||
|
when:
|
||||||
|
event:
|
||||||
|
- tag
|
||||||
|
- promote
|
||||||
- name: send success notifications
|
- name: send success notifications
|
||||||
image: plugins/webhook
|
image: plugins/webhook
|
||||||
settings:
|
settings:
|
||||||
|
|||||||
@@ -218,10 +218,12 @@ class UsersController extends LDAPController {
|
|||||||
// TODO flitter-orm chunk query
|
// TODO flitter-orm chunk query
|
||||||
// TODO generalize scoped search logic
|
// TODO generalize scoped search logic
|
||||||
async search_people(req, res, next) {
|
async search_people(req, res, next) {
|
||||||
if ( !req.user.can('ldap:search:users') ) {
|
if ( !req.user.can('ldap:search:users:me') ) {
|
||||||
return next(new LDAP.InsufficientAccessRightsError())
|
return next(new LDAP.InsufficientAccessRightsError())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const can_search_all = req.user.can('ldap:search:users')
|
||||||
|
|
||||||
const iam_targets = this.parse_iam_targets(req.filter)
|
const iam_targets = this.parse_iam_targets(req.filter)
|
||||||
if ( req.scope === 'base' ) {
|
if ( req.scope === 'base' ) {
|
||||||
// If scope is base, check if the base DN matches the filter.
|
// If scope is base, check if the base DN matches the filter.
|
||||||
@@ -231,7 +233,12 @@ class UsersController extends LDAPController {
|
|||||||
const user = await this.get_resource_from_dn(req.dn)
|
const user = await this.get_resource_from_dn(req.dn)
|
||||||
|
|
||||||
// Make sure the user is ldap visible && match the filter
|
// Make sure the user is ldap visible && match the filter
|
||||||
if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) {
|
if (
|
||||||
|
user
|
||||||
|
&& user.ldap_visible
|
||||||
|
&& req.filter.matches(await user.to_ldap(iam_targets))
|
||||||
|
&& (req.user.id === user.id || can_search_all)
|
||||||
|
) {
|
||||||
|
|
||||||
// If so, send the object
|
// If so, send the object
|
||||||
res.send({
|
res.send({
|
||||||
@@ -255,6 +262,7 @@ class UsersController extends LDAPController {
|
|||||||
// Fetch the LDAP-visible users
|
// Fetch the LDAP-visible users
|
||||||
const users = await this.User.ldap_directory()
|
const users = await this.User.ldap_directory()
|
||||||
for ( const user of users ) {
|
for ( const user of users ) {
|
||||||
|
if ( user.id !== req.user.id && !can_search_all ) continue
|
||||||
|
|
||||||
// Make sure the user os of the appropriate scope
|
// Make sure the user os of the appropriate scope
|
||||||
if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
|
if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
|
||||||
@@ -283,6 +291,7 @@ class UsersController extends LDAPController {
|
|||||||
this.output.debug(`Filter:`)
|
this.output.debug(`Filter:`)
|
||||||
this.output.debug(this.filter_to_obj(req.filter.json))
|
this.output.debug(this.filter_to_obj(req.filter.json))
|
||||||
for ( const user of users ) {
|
for ( const user of users ) {
|
||||||
|
if ( user.id !== req.user.id && !can_search_all ) continue
|
||||||
this.output.debug(`Checking ${user.uid}...`)
|
this.output.debug(`Checking ${user.uid}...`)
|
||||||
this.output.debug(`DN: ${user.dn}`)
|
this.output.debug(`DN: ${user.dn}`)
|
||||||
this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`)
|
this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`)
|
||||||
|
|||||||
@@ -17,13 +17,18 @@ class PermissionMiddleware extends Middleware {
|
|||||||
req,
|
req,
|
||||||
reason,
|
reason,
|
||||||
check,
|
check,
|
||||||
oauth_client_id: req.oauth.client.id,
|
oauth_client_id: req.oauth.client.uuid,
|
||||||
})
|
})
|
||||||
|
|
||||||
return res.status(401)
|
return res.status(401)
|
||||||
.message('Insufficient permissions (OAuth2 Client).')
|
.message('Insufficient permissions (OAuth2 Client).')
|
||||||
.api()
|
.api()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If the oauth2 client has this permission, then allow the request to continue,
|
||||||
|
// even if the user does not.
|
||||||
|
// OAuth2Clients need to be able to query users via the API.
|
||||||
|
return next()
|
||||||
}
|
}
|
||||||
|
|
||||||
const policy_denied = await Policy.check_user_denied(req.user, check)
|
const policy_denied = await Policy.check_user_denied(req.user, check)
|
||||||
|
|||||||
@@ -7,9 +7,11 @@ class APIRouteMiddleware extends Middleware {
|
|||||||
|
|
||||||
async test(req, res, next, { allow_token = true, allow_user = true }) {
|
async test(req, res, next, { allow_token = true, allow_user = true }) {
|
||||||
// First, check if there is a user in the session.
|
// First, check if there is a user in the session.
|
||||||
if ( allow_user && req.is_auth ) {
|
if ( allow_user && req.user ) {
|
||||||
return next()
|
return next()
|
||||||
} else if ( allow_token ) {
|
} else if ( allow_token ) {
|
||||||
|
if ( !req.oauth ) req.oauth = {}
|
||||||
|
|
||||||
return req.app.oauth2.authorise()(req, res, async e => {
|
return req.app.oauth2.authorise()(req, res, async e => {
|
||||||
if ( e ) return next(e)
|
if ( e ) return next(e)
|
||||||
// Look up the OAuth2 client an inject it into the route
|
// Look up the OAuth2 client an inject it into the route
|
||||||
@@ -51,10 +53,10 @@ class APIRouteMiddleware extends Middleware {
|
|||||||
|
|
||||||
next()
|
next()
|
||||||
})
|
})
|
||||||
}
|
} else {
|
||||||
|
|
||||||
return res.status(401).api()
|
return res.status(401).api()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
module.exports = exports = APIRouteMiddleware
|
module.exports = exports = APIRouteMiddleware
|
||||||
|
|||||||
@@ -194,6 +194,7 @@ const auth_config = {
|
|||||||
|
|
||||||
// LDAP Binding
|
// LDAP Binding
|
||||||
'ldap:bind',
|
'ldap:bind',
|
||||||
|
'ldap:search:users:me',
|
||||||
],
|
],
|
||||||
|
|
||||||
root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'],
|
root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'],
|
||||||
|
|||||||
@@ -23,6 +23,8 @@ const server_config = {
|
|||||||
level: env("LOGGING_LEVEL", 2),
|
level: env("LOGGING_LEVEL", 2),
|
||||||
|
|
||||||
include_timestamp: env("LOGGING_TIMESTAMP", false),
|
include_timestamp: env("LOGGING_TIMESTAMP", false),
|
||||||
|
|
||||||
|
api_logging: env('LOG_API_RESPONSES', false),
|
||||||
},
|
},
|
||||||
|
|
||||||
session: {
|
session: {
|
||||||
|
|||||||
@@ -33,7 +33,7 @@
|
|||||||
"ioredis": "^4.17.1",
|
"ioredis": "^4.17.1",
|
||||||
"is-absolute-url": "^3.0.3",
|
"is-absolute-url": "^3.0.3",
|
||||||
"ldapjs": "^1.0.2",
|
"ldapjs": "^1.0.2",
|
||||||
"libflitter": "^0.53.1",
|
"libflitter": "^0.55.1",
|
||||||
"moment": "^2.24.0",
|
"moment": "^2.24.0",
|
||||||
"mongodb": "^3.5.9",
|
"mongodb": "^3.5.9",
|
||||||
"nodemailer": "^6.4.6",
|
"nodemailer": "^6.4.6",
|
||||||
|
|||||||
@@ -3235,10 +3235,10 @@ leven@^1.0.2:
|
|||||||
resolved "https://registry.yarnpkg.com/leven/-/leven-1.0.2.tgz#9144b6eebca5f1d0680169f1a6770dcea60b75c3"
|
resolved "https://registry.yarnpkg.com/leven/-/leven-1.0.2.tgz#9144b6eebca5f1d0680169f1a6770dcea60b75c3"
|
||||||
integrity sha1-kUS27ryl8dBoAWnxpncNzqYLdcM=
|
integrity sha1-kUS27ryl8dBoAWnxpncNzqYLdcM=
|
||||||
|
|
||||||
libflitter@^0.53.1:
|
libflitter@^0.55.1:
|
||||||
version "0.53.1"
|
version "0.55.1"
|
||||||
resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.53.1.tgz#30b1838763a228fba8b9c820d2cad501c3aa0117"
|
resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.55.1.tgz#5fb35bedee8bc171de082c237d0d0bd0050c7d9f"
|
||||||
integrity sha512-EK3okZyt0pmnpsZNx2lYOIcwgtmSOEPh4a5xE3pXM9RVc3dtXXscgJ5h9OvLTIN9WfRc7T5VTdpOjeAK6Xmysg==
|
integrity sha512-XVv/uSpA/Obg3K3MytO0pvAezDeeh+/AZIShisvnSg3L8su6QNOuSoBZIjneIzCuZvDD/kZSCrsBupzr3VhpLA==
|
||||||
dependencies:
|
dependencies:
|
||||||
colors "^1.3.3"
|
colors "^1.3.3"
|
||||||
connect-mongodb-session "^2.2.0"
|
connect-mongodb-session "^2.2.0"
|
||||||
|
|||||||
Reference in New Issue
Block a user