Update libflitter

.drone.yml

@@ -24,12 +24,33 @@ steps:
         from_secret: deploy_ssh_port
       script:
         - cd /home/coreid/CoreID
+        - git checkout master
+        - git pull
+        - git checkout ${DRONE_TAG}
         - git pull
         - yarn install
     when:
       event:
         - tag
         - promote
+  - name: restart production services
+    image: appleboy/drone-ssh
+    settings:
+      host:
+        from_secret: deploy_ssh_host
+      username:
+        from_secret: deploy_ssh_admin_user
+      key:
+        from_secret: deploy_ssh_key
+      port:
+        from_secret: deploy_ssh_port
+      script:
+        - systemctl restart coreid-www
+        - systemctl restart coreid-jobs
+    when:
+      event:
+        - tag
+        - promote
   - name: send success notifications
     image: plugins/webhook
     settings:

app/ldap/controllers/Users.controller.js

@@ -218,10 +218,12 @@ class UsersController extends LDAPController {
     // TODO flitter-orm chunk query
     // TODO generalize scoped search logic
     async search_people(req, res, next) {
-        if ( !req.user.can('ldap:search:users') ) {
+        if ( !req.user.can('ldap:search:users:me') ) {
             return next(new LDAP.InsufficientAccessRightsError())
         }
 
+        const can_search_all = req.user.can('ldap:search:users')
+
         const iam_targets = this.parse_iam_targets(req.filter)
         if ( req.scope === 'base' ) {
             // If scope is base, check if the base DN matches the filter.
@@ -231,7 +233,12 @@ class UsersController extends LDAPController {
             const user = await this.get_resource_from_dn(req.dn)
 
             // Make sure the user is ldap visible && match the filter
-            if ( user && user.ldap_visible && req.filter.matches(await user.to_ldap(iam_targets)) ) {
+            if (
+                user
+                && user.ldap_visible
+                && req.filter.matches(await user.to_ldap(iam_targets))
+                && (req.user.id === user.id || can_search_all)
+            ) {
 
                 // If so, send the object
                 res.send({
@@ -255,6 +262,7 @@ class UsersController extends LDAPController {
             // Fetch the LDAP-visible users
             const users = await this.User.ldap_directory()
             for ( const user of users ) {
+                if ( user.id !== req.user.id && !can_search_all ) continue
 
                 // Make sure the user os of the appropriate scope
                 if ( req.dn.equals(user.dn) || user.dn.parent().equals(req.dn) ) {
@@ -283,6 +291,7 @@ class UsersController extends LDAPController {
             this.output.debug(`Filter:`)
             this.output.debug(this.filter_to_obj(req.filter.json))
             for ( const user of users ) {
+                if ( user.id !== req.user.id && !can_search_all ) continue
                 this.output.debug(`Checking ${user.uid}...`)
                 this.output.debug(`DN: ${user.dn}`)
                 this.output.debug(`Req DN equals: ${req.dn.equals(user.dn)}`)

app/routing/middleware/api/Permission.middleware.js

@@ -17,13 +17,18 @@ class PermissionMiddleware extends Middleware {
                     req,
                     reason,
                     check,
-                    oauth_client_id: req.oauth.client.id,
+                    oauth_client_id: req.oauth.client.uuid,
                 })
 
                 return res.status(401)
                     .message('Insufficient permissions (OAuth2 Client).')
                     .api()
             }
+
+            // If the oauth2 client has this permission, then allow the request to continue,
+            // even if the user does not.
+            // OAuth2Clients need to be able to query users via the API.
+            return next()
         }
 
         const policy_denied = await Policy.check_user_denied(req.user, check)

app/routing/middleware/auth/APIRoute.middleware.js

@@ -7,9 +7,11 @@ class APIRouteMiddleware extends Middleware {
 
     async test(req, res, next, { allow_token = true, allow_user = true }) {
         // First, check if there is a user in the session.
-        if ( allow_user && req.is_auth ) {
+        if ( allow_user && req.user ) {
             return next()
         } else if ( allow_token ) {
+            if ( !req.oauth ) req.oauth = {}
+
             return req.app.oauth2.authorise()(req, res, async e => {
                 if ( e ) return next(e)
                 // Look up the OAuth2 client an inject it into the route
@@ -51,9 +53,9 @@ class APIRouteMiddleware extends Middleware {
 
                 next()
             })
+        } else {
+            return res.status(401).api()
         }
-
-        return res.status(401).api()
     }
 }
 

config/auth.config.js

@@ -194,6 +194,7 @@ const auth_config = {
 
             // LDAP Binding
             'ldap:bind',
+            'ldap:search:users:me',
         ],
 
         root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam'],

config/server.config.js

@@ -23,6 +23,8 @@ const server_config = {
         level: env("LOGGING_LEVEL", 2),
 
         include_timestamp: env("LOGGING_TIMESTAMP", false),
+
+        api_logging: env('LOG_API_RESPONSES', false),
     },
 
     session: {

package.json

@@ -33,7 +33,7 @@
     "ioredis": "^4.17.1",
     "is-absolute-url": "^3.0.3",
     "ldapjs": "^1.0.2",
-    "libflitter": "^0.53.1",
+    "libflitter": "^0.55.1",
     "moment": "^2.24.0",
     "mongodb": "^3.5.9",
     "nodemailer": "^6.4.6",

yarn.lock

@@ -3235,10 +3235,10 @@ leven@^1.0.2:
   resolved "https://registry.yarnpkg.com/leven/-/leven-1.0.2.tgz#9144b6eebca5f1d0680169f1a6770dcea60b75c3"
   integrity sha1-kUS27ryl8dBoAWnxpncNzqYLdcM=
 
-libflitter@^0.53.1:
-  version "0.53.1"
-  resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.53.1.tgz#30b1838763a228fba8b9c820d2cad501c3aa0117"
-  integrity sha512-EK3okZyt0pmnpsZNx2lYOIcwgtmSOEPh4a5xE3pXM9RVc3dtXXscgJ5h9OvLTIN9WfRc7T5VTdpOjeAK6Xmysg==
+libflitter@^0.55.1:
+  version "0.55.1"
+  resolved "https://registry.yarnpkg.com/libflitter/-/libflitter-0.55.1.tgz#5fb35bedee8bc171de082c237d0d0bd0050c7d9f"
+  integrity sha512-XVv/uSpA/Obg3K3MytO0pvAezDeeh+/AZIShisvnSg3L8su6QNOuSoBZIjneIzCuZvDD/kZSCrsBupzr3VhpLA==
   dependencies:
     colors "^1.3.3"
     connect-mongodb-session "^2.2.0"