CoreID/config/auth.config.js

221 lines
8.0 KiB
JavaScript

const auth_config = {
default_provider: env('AUTH_DEFAULT_PROVIDER', 'flitter'),
default_login_route: '/dash',
iam: {
default_permissions: [
{
target_type: 'machine',
permission: 'sudo',
},
{
target_type: 'machine_group',
permission: 'sudo',
},
],
},
mfa: {
secret_length: env('MFA_SECRET_LENGTH', 20)
},
servers: {
// OAuth2 authorization server
oauth2: {
enable: env('OAUTH2_SERVER_ENABLE', true),
// Grants that are available to clients. Supported types are authorization_code, password
grants: ['authorization_code'],
// Built in data retrieval endpoints. These are protected by user-specific OAuth2 tokens
built_in_endpoints: {
// Get the token user's data
user: {
// enable: env('OAUTH2_SERVER_ENABLE', false),
enable: false,
// Fields to return to the endpoint
// The keys are the keys in the request. The values are the keys in the user.
fields: {
username: 'uid',
id: 'uuid',
// Data is a special key. It's key-value pairs are included,
// unserialized, from the user's JSON data.
data: {
// Fields stored in serialized data can be included here:
// special_field: 'some_json_data_field',
},
},
},
},
},
},
// Auth provider configurations
// You can have multiple of the same 'type' of auth source, but they
// must have unique names. The name is the key of the source config.
// Valid types are (by default): FlitterProvider, LdapProvider, Oauth2Provider
sources: {
// Default, database-backed auth provider
flitter: {
type: 'FlitterProvider',
enable: env('AUTH_FLITTER_ENABLE', true),
registration: env('AUTH_FLITTER_REGISTRATION', true),
min_password_length: env('AUTH_MIN_PASSWORD_LENGTH', 8),
},
// LDAP-backed auth provider
example_ldap: {
type: 'LdapProvider',
enable: env('AUTH_LDAP_ENABLE', false),
host: env('AUTH_LDAP_HOST', 'localhost'),
port: env('AUTH_LDAP_PORT', 389),
secure: env('AUTH_LDAP_BIND_SECURE', false),
bind_dn: env('AUTH_LDAP_BIND_DN', 'uid=auth_agent,ou=people,dc=domain,dc=local'),
bind_secret: env('AUTH_LDAP_BIND_PW'),
user_search_base: env('AUTH_LDAP_SEARCH_BASE', 'ou=people,dc=domain,dc=local'),
user_filter: env('AUTH_LDAP_USER_FILTER', '(uid=%u)'), // %u is the login provided username
min_password_length: env('AUTH_MIN_PASSWORD_LENGTH', 8),
// Maps flitter-auth roles to LDAP groups
role_groups: {
// Should correspond to existing auth roles
// role_name: 'cn=somegroup,ou=groups,dc=domain,dc=local',
},
// Maps user attributes to LDAP data attributes
attributes: {
uid: env('AUTH_LDAP_ATTR_UID', 'uid'),
first_name: env('AUTH_LDAP_ATTR_FIRST_NAME', 'cn'),
last_name: env('AUTH_LDAP_ATTR_LAST_NAME', 'sn'),
email: env('AUTH_LDAP_ATTR_EMAIL', 'mail'),
// Special case - used to determine group memberships
group_membership: env('AUTH_LDAP_ATTR_GROUPS', 'memberOf'),
},
registration: env('AUTH_LDAP_REGISTRATION', false),
// Default attributes for new registered users
// %u can be used to interpolate the registered user's uid
registration_merge_attributes: {
objectClass: ['posixAccount', 'shadowAccount', 'inetOrgPerson'],
sn: '%u',
cn: '%u',
gecos: '%u',
uidNumber: -1,
gidNumber: -1,
homeDirectory: '/dev/null',
},
},
example_oauth: {
type: 'Oauth2Provider',
enable: env('AUTH_OAUTH2_ENABLE', false),
source_name: env('AUTH_OAUTH2_SOURCE_NAME', 'GitHub'),
source_client_id: env('AUTH_OAUTH2_CLIENT_ID'),
source_client_secret: env('AUTH_OAUTH2_CLIENT_SECRET'),
// Login page destination where the user will be redirected to on login
// %c will be interpolated with the client id
// %r will be interpolated with the redirect callback url
// NOTE: This url is the same as the login page - /auth/oauth2/login
source_login_page: env('AUTH_OAUTH2_LOGIN_REDIRECT', 'https://github.com/login/oauth/authorize?client_id=%c'),
// Information about the OAuth2 Callback
callback: {
// URL query parameter name with the authorization_code token
// e.g. ?code=XXXXXXXXXX
token_key: 'code',
},
// Information about the endpoint flitter-auth will use to redeem
// the authorization_code token for a bearer token
source_token: {
endpoint: 'https://github.com/login/oauth/access_token',
// Field name where the authorization_code token will be specified in the request
token_key: 'code',
// Field name for the client id
client_id_key: 'client_id',
// Field name for the client secret
client_secret_key: 'client_secret',
// Field name for the grant_type ('authorization_type')
grant_type_key: 'grant_type',
// Field name where the bearer token will be specified in the response
response_token_key: 'access_token',
},
// Information about the endpoint flitter-auth will use to get
// user information after it retrieves a bearer token
user_data: {
endpoint: 'https://api.github.com/user',
method: 'get', // 'get' or 'post' only
// In the response data, what key is the user data in?
// e.g. if 'data', then {'data': { ... }}
// Set falsy to assume the data exists in the root: { ... }
// data_root: 'data',
// Value that prefixes the token in the 'Authorization: ' header.
// e.g. 'token ' would mean 'token a0fw93ja0w93ja093wj'
// 'Bearer ' would be 'Bearer 0329j0239dj209j3209jd'
token_prefix: 'token ',
// Mapping of user model attributes to OAuth2 return data from the endpoint
// Note that uuid is not allowed, and uid is required
attributes: {
uid: 'login',
},
},
},
},
roles: {
// Roles can be defined here as arrays of permissions:
// 'role_name': [ 'permission1', 'permission2' ],
// Then, users with that role will automatically inherit the permissions.
ldap_admin: ['ldap'],
ldap_client: ['ldap:bind', 'ldap:search'],
coreid_base: ['my:profile'],
saml_admin: ['v1:saml', 'saml'],
radius_admin: ['v1:radius', 'radius'],
base_user: [
// Message Service
'v1:message:banners',
// Permission Checks
'v1:reflect:check_permissions',
// Profile
'v1:profile',
// Password API
'v1:password',
// LDAP Binding
'ldap:bind',
'ldap:search:users:me',
],
root: ['v1', 'ldap', 'saml', 'profile', 'oauth', 'app', 'auth', 'iam', 'radius'],
},
}
module.exports = auth_config