diff options
| author | Max Wu | 2017-01-09 00:49:40 +0800 |
|---|---|---|
| committer | GitHub | 2017-01-09 00:49:40 +0800 |
| commit | b13635aac9d42996d0ac9b9b7dcbdf94102c7abe (patch) | |
| tree | 966bdbdd4a359311eae02a86144df8a4307aafb2 | |
| parent | 23a12dd927b66880fa991b377d450455851b69a9 (diff) | |
| parent | 94abfaba7c5b7655eda3d6547144adfa26c90a5f (diff) | |
Merge pull request #279 from alecdwm/ldap-auth
Support for LDAP server authentication
| -rw-r--r-- | README.md | 10 | ||||
| -rw-r--r-- | app.js | 12 | ||||
| -rw-r--r-- | config.json.example | 12 | ||||
| -rw-r--r-- | lib/auth.js | 59 | ||||
| -rw-r--r-- | lib/config.js | 32 | ||||
| -rw-r--r-- | lib/letter-avatars.js | 25 | ||||
| -rw-r--r-- | lib/models/user.js | 11 | ||||
| -rwxr-xr-x | lib/response.js | 2 | ||||
| -rw-r--r-- | package.json | 1 | ||||
| -rw-r--r-- | public/views/index.ejs | 4 | ||||
| -rw-r--r-- | public/views/signin-modal.ejs | 29 |
11 files changed, 191 insertions, 6 deletions
@@ -140,6 +140,14 @@ Environment variables (will overwrite other server configs) | HMD_DROPBOX_CLIENTSECRET | no example | Dropbox API client secret | | HMD_GOOGLE_CLIENTID | no example | Google API client id | | HMD_GOOGLE_CLIENTSECRET | no example | Google API client secret | +| HMD_LDAP_URL | ldap://example.com | url of LDAP server | +| HMD_LDAP_BINDDN | no example | bindDn for LDAP access | +| HMD_LDAP_BINDCREDENTIALS | no example | bindCredentials for LDAP access | +| HMD_LDAP_TOKENSECRET | supersecretkey | secret used for generating access/refresh tokens | +| HMD_LDAP_SEARCHBASE | o=users,dc=example,dc=com | LDAP directory to begin search from | +| HMD_LDAP_SEARCHFILTER | (uid={{username}}) | LDAP filter to search with | +| HMD_LDAP_SEARCHATTRIBUTES | no example | LDAP attributes to search with | +| HMD_LDAP_TLS_CA | no example | Root CA for LDAP TLS in PEM format | | HMD_IMGUR_CLIENTID | no example | Imgur API client id | | HMD_EMAIL | `true` or `false` | set to allow email register and signin | | HMD_IMAGE_UPLOAD_TYPE | `imgur`, `s3` or `filesystem` | Where to upload image. For S3, see our [S3 Image Upload Guide](docs/guides/s3-image-upload.md) | @@ -194,7 +202,7 @@ Third-party integration api key settings | service | settings location | description | | ------- | --------- | ----------- | -| facebook, twitter, github, gitlab, dropbox, google | environment variables or `config.json` | for signin | +| facebook, twitter, github, gitlab, dropbox, google, ldap | environment variables or `config.json` | for signin | | imgur | environment variables or `config.json` | for image upload | | google drive, dropbox | `public/js/config.js` | for export and import | @@ -381,6 +381,18 @@ if (config.google) { failureRedirect: config.serverurl + '/' })); } +// ldap auth +if (config.ldap) { + app.post('/auth/ldap', urlencodedParser, function (req, res, next) { + if (!req.body.username || !req.body.password) return response.errorBadRequest(res); + setReturnToFromReferer(req); + passport.authenticate('ldapauth', { + successReturnToOrRedirect: config.serverurl + '/', + failureRedirect: config.serverurl + '/', + failureFlash: true + })(req, res, next); + }); +} // email auth if (config.email) { app.post('/register', urlencodedParser, function (req, res, next) { diff --git a/config.json.example b/config.json.example index e5e3fc56..57669cf9 100644 --- a/config.json.example +++ b/config.json.example @@ -51,6 +51,18 @@ "clientID": "change this", "clientSecret": "change this" }, + "ldap": { + "url": "ldap://change_this", + "bindDn": null, + "bindCredentials": null, + "tokenSecret": "change this", + "searchBase": "change this", + "searchFilter": "change this", + "searchAttributes": "change this", + "tlsOptions": { + "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback" + } + }, "imgur": { "clientID": "change this" } diff --git a/lib/auth.js b/lib/auth.js index f167cede..4b14e42c 100644 --- a/lib/auth.js +++ b/lib/auth.js @@ -7,6 +7,7 @@ var GithubStrategy = require('passport-github').Strategy; var GitlabStrategy = require('passport-gitlab2').Strategy; var DropboxStrategy = require('passport-dropbox-oauth2').Strategy; var GoogleStrategy = require('passport-google-oauth20').Strategy; +var LdapStrategy = require('passport-ldapauth'); var LocalStrategy = require('passport-local').Strategy; var validator = require('validator'); @@ -110,6 +111,62 @@ if (config.google) { callbackURL: config.serverurl + '/auth/google/callback' }, callback)); } +// ldap +if (config.ldap) { + passport.use(new LdapStrategy({ + server: { + url: config.ldap.url || null, + bindDn: config.ldap.bindDn || null, + bindCredentials: config.ldap.bindCredentials || null, + searchBase: config.ldap.searchBase || null, + searchFilter: config.ldap.searchFilter || null, + searchAttributes: config.ldap.searchAttributes || null, + tlsOptions: config.ldap.tlsOptions || null + }, + }, + function(user, done) { + var profile = { + id: 'LDAP-' + user.uidNumber, + username: user.uid, + displayName: user.displayName, + emails: user.mail ? [user.mail] : [], + avatarUrl: null, + profileUrl: null, + provider: 'ldap', + } + var stringifiedProfile = JSON.stringify(profile); + models.User.findOrCreate({ + where: { + profileid: profile.id.toString() + }, + defaults: { + profile: stringifiedProfile, + } + }).spread(function (user, created) { + if (user) { + var needSave = false; + if (user.profile != stringifiedProfile) { + user.profile = stringifiedProfile; + needSave = true; + } + if (needSave) { + user.save().then(function () { + if (config.debug) + logger.info('user login: ' + user.id); + return done(null, user); + }); + } else { + if (config.debug) + logger.info('user login: ' + user.id); + return done(null, user); + } + } + }).catch(function (err) { + logger.error('ldap auth failed: ' + err); + return done(err, null); + }); + })); +} // email if (config.email) { passport.use(new LocalStrategy({ @@ -130,4 +187,4 @@ if (config.email) { return done(err); }); })); -}
\ No newline at end of file +} diff --git a/lib/config.js b/lib/config.js index 53497f1f..2f6792b7 100644 --- a/lib/config.js +++ b/lib/config.js @@ -95,6 +95,37 @@ var google = (process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSE clientID: process.env.HMD_GOOGLE_CLIENTID, clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET } : config.google || false; +var ldap = config.ldap || ( + process.env.HMD_LDAP_URL || + process.env.HMD_LDAP_BINDDN || + process.env.HMD_LDAP_BINDCREDENTIALS || + process.env.HMD_LDAP_TOKENSECRET || + process.env.HMD_LDAP_SEARCHBASE || + process.env.HMD_LDAP_SEARCHFILTER || + process.env.HMD_LDAP_SEARCHATTRIBUTES +) || false; +if (ldap == true) + ldap = {}; +if (process.env.HMD_LDAP_URL) + ldap.url = process.env.HMD_LDAP_URL; +if (process.env.HMD_LDAP_BINDDN) + ldap.bindDn = process.env.HMD_LDAP_BINDDN; +if (process.env.HMD_LDAP_BINDCREDENTIALS) + ldap.bindCredentials = process.env.HMD_LDAP_BINDCREDENTIALS; +if (process.env.HMD_LDAP_TOKENSECRET) + ldap.tokenSecret = process.env.HMD_LDAP_TOKENSECRET; +if (process.env.HMD_LDAP_SEARCHBASE) + ldap.searchBase = process.env.HMD_LDAP_SEARCHBASE; +if (process.env.HMD_LDAP_SEARCHFILTER) + ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER; +if (process.env.HMD_LDAP_SEARCHATTRIBUTES) + ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES; +if (process.env.HMD_LDAP_TLS_CA) { + var ca = { + ca: process.env.HMD_LDAP_TLS_CA + } + ldap.tlsOptions = ldap.tlsOptions ? Object.assign(ldap.tlsOptions, ca) : ca +} var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false; var email = process.env.HMD_EMAIL ? (process.env.HMD_EMAIL === 'true') : !!config.email; @@ -156,6 +187,7 @@ module.exports = { gitlab: gitlab, dropbox: dropbox, google: google, + ldap: ldap, imgur: imgur, email: email, imageUploadType: imageUploadType, diff --git a/lib/letter-avatars.js b/lib/letter-avatars.js new file mode 100644 index 00000000..3afa03fe --- /dev/null +++ b/lib/letter-avatars.js @@ -0,0 +1,25 @@ +"use strict"; + +// external modules +var randomcolor = require('randomcolor'); + +// core +module.exports = function(name) { + var color = randomcolor({ + seed: name, + luminosity: 'dark' + }); + var letter = name.substring(0, 1).toUpperCase(); + + var svg = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'; + svg += '<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" height="96" width="96" version="1.1" viewBox="0 0 96 96">'; + svg += '<g>'; + svg += '<rect width="96" height="96" fill="' + color + '" />'; + svg += '<text font-size="64px" font-family="sans-serif" text-anchor="middle" fill="#ffffff">'; + svg += '<tspan x="48" y="72" stroke-width=".26458px" fill="#ffffff">' + letter + '</tspan>'; + svg += '</text>'; + svg += '</g>'; + svg += '</svg>'; + + return 'data:image/svg+xml;base64,' + new Buffer(svg).toString('base64'); +}; diff --git a/lib/models/user.js b/lib/models/user.js index aaf344de..7d27242c 100644 --- a/lib/models/user.js +++ b/lib/models/user.js @@ -7,6 +7,7 @@ var scrypt = require('scrypt'); // core var logger = require("../logger.js"); +var letterAvatars = require('../letter-avatars.js'); module.exports = function (sequelize, DataTypes) { var User = sequelize.define("User", { @@ -105,6 +106,16 @@ module.exports = function (sequelize, DataTypes) { case "google": photo = profile.photos[0].value.replace(/(\?sz=)\d*$/i, '$196'); break; + case "ldap": + //no image api provided, + //use gravatar if email exists, + //otherwise generate a letter avatar + if (profile.emails[0]) { + photo = 'https://www.gravatar.com/avatar/' + md5(profile.emails[0]) + '?s=96'; + } else { + photo = letterAvatars(profile.username); + } + break; } return photo; }, diff --git a/lib/response.js b/lib/response.js index a0dc8b1f..cedee3de 100755 --- a/lib/response.js +++ b/lib/response.js @@ -66,6 +66,7 @@ function showIndex(req, res, next) { gitlab: config.gitlab, dropbox: config.dropbox, google: config.google, + ldap: config.ldap, email: config.email, signin: req.isAuthenticated(), infoMessage: req.flash('info'), @@ -94,6 +95,7 @@ function responseHackMD(res, note) { gitlab: config.gitlab, dropbox: config.dropbox, google: config.google, + ldap: config.ldap, email: config.email }); } diff --git a/package.json b/package.json index 7fb035ab..a13ac979 100644 --- a/package.json +++ b/package.json @@ -85,6 +85,7 @@ "passport-github": "^1.1.0", "passport-gitlab2": "^2.2.0", "passport-google-oauth20": "^1.0.0", + "passport-ldapauth": "^0.6.0", "passport-local": "^1.0.0", "passport-twitter": "^1.0.4", "passport.socketio": "^3.7.0", diff --git a/public/views/index.ejs b/public/views/index.ejs index f8eaeaa8..55c13d2d 100644 --- a/public/views/index.ejs +++ b/public/views/index.ejs @@ -57,7 +57,7 @@ <% if (errorMessage && errorMessage.length > 0) { %> <div class="alert alert-danger" style="max-width: 400px; margin: 0 auto;"><%= errorMessage %></div> <% } %> - <% if(facebook || twitter || github || gitlab || dropbox || google || email) { %> + <% if(facebook || twitter || github || gitlab || dropbox || google || ldap || email) { %> <span class="ui-signin"> <br> <a type="button" class="btn btn-lg btn-success ui-signin" data-toggle="modal" data-target=".signin-modal" style="min-width: 170px;"><%= __('Sign In') %></a> @@ -97,7 +97,7 @@ </div> <div id="history" class="section"<% if(!signin) { %> style="display:none;"<% } %>> - <% if(facebook || twitter || github || gitlab || dropbox || google || email) { %> + <% if(facebook || twitter || github || gitlab || dropbox || google || ldap || email) { %> <div class="ui-signin"> <p><%= __('Below is the history from browser') %></p> </div> diff --git a/public/views/signin-modal.ejs b/public/views/signin-modal.ejs index 58d8a690..7c52e0f3 100644 --- a/public/views/signin-modal.ejs +++ b/public/views/signin-modal.ejs @@ -38,7 +38,32 @@ <i class="fa fa-google"></i> <%= __('Sign in via %s', 'Google') %> </a> <% } %> - <% if((facebook || twitter || github || gitlab || dropbox || google) && email) { %> + <% if((facebook || twitter || github || gitlab || dropbox || google) && ldap) { %> + <hr> + <% }%> + <% if(ldap) { %> + <h4>Via LDAP</h4> + <form data-toggle="validator" role="form" class="form-horizontal" method="post" enctype="application/x-www-form-urlencoded"> + <div class="form-group"> + <div class="col-sm-12"> + <input type="username" class="form-control" name="username" placeholder="Username" required> + <span class="help-block control-label with-errors" style="display: inline;"></span> + </div> + </div> + <div class="form-group"> + <div class="col-sm-12"> + <input type="password" class="form-control" name="password" placeholder="Password" required> + <span class="help-block control-label with_errors" style="display: inline;"></span> + </div> + </div> + <div class="form-group"> + <div class="col-sm-12"> + <button type="submit" class="btn btn-primary" formaction="<%- url %>/auth/ldap">Sign in</button> + </div> + </div> + </form> + <% } %> + <% if((facebook || twitter || github || gitlab || dropbox || google || ldap) && email) { %> <hr> <% }%> <% if(email) { %> @@ -67,4 +92,4 @@ </div> </div> </div> -</div>
\ No newline at end of file +</div> |