diff options
author | Christoph (Sheogorath) Kern | 2017-12-04 18:57:57 +0100 |
---|---|---|
committer | GitHub | 2017-12-04 18:57:57 +0100 |
commit | 0957f5963b735e9ccde4098265c7fab13dbb216b (patch) | |
tree | 63e288eb3abe096a0156fae96b4be646a9619ffb /lib/web | |
parent | 8112cd6fef740c3bf8f535de860c2e7b8dd51834 (diff) | |
parent | 2db2ff484fb0911ea699c7fc59b8b1ad868ca992 (diff) |
Merge pull request #633 from nakaeeee/saml-auth
Support SAML authentication
Diffstat (limited to 'lib/web')
-rw-r--r-- | lib/web/auth/index.js | 1 | ||||
-rw-r--r-- | lib/web/auth/saml/index.js | 95 |
2 files changed, 96 insertions, 0 deletions
diff --git a/lib/web/auth/index.js b/lib/web/auth/index.js index 4b618101..db5ff11d 100644 --- a/lib/web/auth/index.js +++ b/lib/web/auth/index.js @@ -37,6 +37,7 @@ if (config.isMattermostEnable) authRouter.use(require('./mattermost')) if (config.isDropboxEnable) authRouter.use(require('./dropbox')) if (config.isGoogleEnable) authRouter.use(require('./google')) if (config.isLDAPEnable) authRouter.use(require('./ldap')) +if (config.isSAMLEnable) authRouter.use(require('./saml')) if (config.isEmailEnable) authRouter.use(require('./email')) // logout diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js new file mode 100644 index 00000000..386293ae --- /dev/null +++ b/lib/web/auth/saml/index.js @@ -0,0 +1,95 @@ +'use strict' + +const Router = require('express').Router +const passport = require('passport') +const SamlStrategy = require('passport-saml').Strategy +const config = require('../../../config') +const models = require('../../../models') +const logger = require('../../../logger') +const {urlencodedParser} = require('../../utils') +const fs = require('fs') +const intersection = function (array1, array2) { return array1.filter((n) => array2.includes(n)) } + +let samlAuth = module.exports = Router() + +passport.use(new SamlStrategy({ + callbackUrl: config.serverurl + '/auth/saml/callback', + entryPoint: config.saml.idpSsoUrl, + issuer: config.saml.issuer || config.serverurl, + cert: fs.readFileSync(config.saml.idpCert, 'utf-8'), + identifierFormat: config.saml.identifierFormat +}, function (user, done) { + // check authorization if needed + if (config.saml.externalGroups && config.saml.grouptAttribute) { + var externalGroups = intersection(config.saml.externalGroups, user[config.saml.groupAttribute]) + if (externalGroups.length > 0) { + logger.error('saml permission denied: ' + externalGroups.join(', ')) + return done('Permission denied', null) + } + } + if (config.saml.requiredGroups && config.saml.grouptAttribute) { + if (intersection(config.saml.requiredGroups, user[config.saml.groupAttribute]).length === 0) { + logger.error('saml permission denied') + return done('Permission denied', null) + } + } + // user creation + var uuid = user[config.saml.attribute.id] || user.nameID + var profile = { + provider: 'saml', + id: 'SAML-' + uuid, + username: user[config.saml.attribute.username] || user.nameID, + emails: user[config.saml.attribute.email] ? [user[config.saml.attribute.email]] : [] + } + if (profile.emails.length === 0 && config.saml.identifierFormat === 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') { + profile.emails.push(user.nameID) + } + var stringifiedProfile = JSON.stringify(profile) + models.User.findOrCreate({ + where: { + profileid: profile.id.toString() + }, + defaults: { + profile: stringifiedProfile + } + }).spread(function (user, created) { + if (user) { + var needSave = false + if (user.profile !== stringifiedProfile) { + user.profile = stringifiedProfile + needSave = true + } + if (needSave) { + user.save().then(function () { + if (config.debug) { logger.debug('user login: ' + user.id) } + return done(null, user) + }) + } else { + if (config.debug) { logger.debug('user login: ' + user.id) } + return done(null, user) + } + } + }).catch(function (err) { + logger.error('saml auth failed: ' + err) + return done(err, null) + }) +})) + +samlAuth.get('/auth/saml', + passport.authenticate('saml', { + successReturnToOrRedirect: config.serverurl + '/', + failureRedirect: config.serverurl + '/' + }) +) + +samlAuth.post('/auth/saml/callback', urlencodedParser, + passport.authenticate('saml', { + successReturnToOrRedirect: config.serverurl + '/', + failureRedirect: config.serverurl + '/' + }) +) + +samlAuth.get('/auth/saml/metadata', function (req, res) { + res.type('application/xml') + res.send(passport._strategy('saml').generateServiceProviderMetadata()) +}) |