const User = require('../../models/auth/User.model')
const Client = require('../../models/radius/Client.model')
const Application = require('../../models/Application.model')
const Policy = require('../../models/iam/Policy.model')
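/**
 * RADIUS authentication backend for the CoreID models.
 *
 * @implements IAuthentication from radius-server
 *
 * A request is accepted only when every step below succeeds; any failure
 * short-circuits to `false`, so the caller sees a single uniform rejection
 * regardless of which step failed:
 *
 *   1. the packet carries a shared secret,
 *   2. an active RADIUS Client with that secret exists,
 *   3. an Application references that client in `radius_client_ids`,
 *   4. the user exists and the supplied password verifies,
 *   5. the user does not have a trap set,
 *   6. the IAM policy engine grants the user access to the application.
 */
class CoreIDAuthentication {
    /**
     * Authenticate a RADIUS access request.
     *
     * @param {string} username - login name taken from the request
     * @param {string} password - cleartext password taken from the request
     * @param {object} packet - the RADIUS packet; only `packet.secret` (the
     *   client shared secret the request was received with) is read here
     * @returns {Promise<boolean>} `false` on any failed check; otherwise the
     *   value `Policy.check_user_access` resolves to for this user/application
     */
    async authenticate(username, password, packet) {
        // We only allow client-specific secrets to authenticate
        if ( !packet || !packet.secret ) {
            return false;
        }

        // username/password arrive straight off the wire. Reject anything that
        // is not a plain string before it reaches a model query or the
        // credential check, so a query-shaped object can never be passed
        // through to the lookups as-is.
        if ( typeof username !== 'string' || typeof password !== 'string' ) {
            return false;
        }

        // Try to look up the client. Inactive clients are rejected here even if
        // their secret still matches.
        const client = await Client.findOne({
            active: true,
            secret: packet.secret,
        })
        if ( !client ) {
            return false;
        }

        // Try to look up the associated application. A client that no
        // application references cannot authenticate anyone.
        const application = await Application.findOne({
            radius_client_ids: client.id,
        })
        if ( !application ) {
            return false;
        }

        // Try to look up the user
        /** @var {User} */
        const user = await User.findByLogin(username)
        if ( !user ) {
            // NOTE(review): returning here skips the credential check, so an
            // unknown login is answered faster than a known login with a wrong
            // password (username enumeration via timing). Closing that gap needs
            // a constant-cost dummy verification from User.model — confirm
            // whether one is available before relying on this path.
            return false;
        }

        // Validate the incoming credential
        if ( !(await user.check_credential_string(password)) ) {
            return false;
        }

        // Don't allow login if the user has a trap set. This is deliberately
        // checked after the credential check, so only a request carrying the
        // correct password for a trapped account reaches this point.
        if ( user.trap ) {
            return false;
        }

        // Check the IAM policy engine to make sure the user can access this resource
        return Policy.check_user_access(user, application.id)
    }
}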
// Expose the backend so the RADIUS server can instantiate it as its IAuthentication.
exports = module.exports = CoreIDAuthentication