diff options
author | Norihito Nakae | 2017-11-28 12:46:58 +0900 |
---|---|---|
committer | Norihito Nakae | 2017-11-28 18:52:24 +0900 |
commit | 4a4ae9d332cff31991d9f63417895fce18717f61 (patch) | |
tree | 21d61db281bd6ebd588a6f1eaabce46f7a067f10 /lib | |
parent | 9c002ce29bf422b5bc136c2028b2fb05e2ab8278 (diff) |
Initial support for SAML authentication
Diffstat (limited to 'lib')
-rw-r--r-- | lib/config/default.js | 16 | ||||
-rw-r--r-- | lib/config/environment.js | 4 | ||||
-rw-r--r-- | lib/config/index.js | 1 | ||||
-rw-r--r-- | lib/models/user.js | 9 | ||||
-rwxr-xr-x | lib/response.js | 2 | ||||
-rw-r--r-- | lib/web/auth/index.js | 1 | ||||
-rw-r--r-- | lib/web/auth/saml/index.js | 96 |
7 files changed, 129 insertions, 0 deletions
diff --git a/lib/config/default.js b/lib/config/default.js index 273bad02..ff1e3a3e 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -98,6 +98,22 @@ module.exports = { searchAttributes: undefined, tlsca: undefined }, + saml: { + idpSsoUrl: undefined, + idpCert: undefined, + issuer: undefined, + callbackUrl: undefined, + identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', + groupAttribute: undefined, + externalGroups: [], + requiredGroups: [], + attribute: { + id: undefined, + username: undefined, + displayName: undefined, + email: undefined + } + }, email: true, allowemailregister: true, allowpdfexport: true diff --git a/lib/config/environment.js b/lib/config/environment.js index 0c272f05..e339832a 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -73,6 +73,10 @@ module.exports = { searchAttributes: process.env.HMD_LDAP_SEARCHATTRIBUTES, tlsca: process.env.HMD_LDAP_TLS_CA }, + saml: { + idpSsoUrl: process.env.HMD_SAML_IDPSSOURL, + idpCert: process.env.HMD_SAML_IDPCERT + }, email: toBooleanConfig(process.env.HMD_EMAIL), allowemailregister: toBooleanConfig(process.env.HMD_ALLOW_EMAIL_REGISTER), allowpdfexport: toBooleanConfig(process.env.HMD_ALLOW_PDF_EXPORT) diff --git a/lib/config/index.js b/lib/config/index.js index addd8ba6..3ac3de53 100644 --- a/lib/config/index.js +++ b/lib/config/index.js @@ -92,6 +92,7 @@ config.isGitHubEnable = config.github.clientID && config.github.clientSecret config.isGitLabEnable = config.gitlab.clientID && config.gitlab.clientSecret config.isMattermostEnable = config.mattermost.clientID && config.mattermost.clientSecret config.isLDAPEnable = config.ldap.url +config.isSAMLEnable = config.saml.idpSsoUrl config.isPDFExportEnable = config.allowpdfexport // generate correct path diff --git a/lib/models/user.js b/lib/models/user.js index 27566def..f421fe43 100644 --- a/lib/models/user.js +++ b/lib/models/user.js @@ -143,6 +143,15 @@ module.exports = function (sequelize, DataTypes) { photo = letterAvatars(profile.username) } break + case 'saml': + if (profile.emails[0]) { + photo = 'https://www.gravatar.com/avatar/' + md5(profile.emails[0]) + if (bigger) photo += '?s=400' + else photo += '?s=96' + } else { + photo = letterAvatars(profile.username) + } + break } return photo }, diff --git a/lib/response.js b/lib/response.js index 61ce5747..9f3d5a44 100755 --- a/lib/response.js +++ b/lib/response.js @@ -68,6 +68,7 @@ function showIndex (req, res, next) { dropbox: config.isDropboxEnable, google: config.isGoogleEnable, ldap: config.isLDAPEnable, + saml: config.isSAMLEnable, email: config.isEmailEnable, allowemailregister: config.allowemailregister, allowpdfexport: config.allowpdfexport, @@ -100,6 +101,7 @@ function responseHackMD (res, note) { dropbox: config.isDropboxEnable, google: config.isGoogleEnable, ldap: config.isLDAPEnable, + saml: config.isSAMLEnable, email: config.isEmailEnable, allowemailregister: config.allowemailregister, allowpdfexport: config.allowpdfexport diff --git a/lib/web/auth/index.js b/lib/web/auth/index.js index 4b618101..db5ff11d 100644 --- a/lib/web/auth/index.js +++ b/lib/web/auth/index.js @@ -37,6 +37,7 @@ if (config.isMattermostEnable) authRouter.use(require('./mattermost')) if (config.isDropboxEnable) authRouter.use(require('./dropbox')) if (config.isGoogleEnable) authRouter.use(require('./google')) if (config.isLDAPEnable) authRouter.use(require('./ldap')) +if (config.isSAMLEnable) authRouter.use(require('./saml')) if (config.isEmailEnable) authRouter.use(require('./email')) // logout diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js new file mode 100644 index 00000000..575c6f31 --- /dev/null +++ b/lib/web/auth/saml/index.js @@ -0,0 +1,96 @@ +'use strict' + +const Router = require('express').Router +const passport = require('passport') +const SamlStrategy = require('passport-saml').Strategy +const config = require('../../../config') +const models = require('../../../models') +const logger = require('../../../logger') +const {urlencodedParser} = require('../../utils') +const fs = require('fs') +const intersection = function (array1, array2) { return array1.filter((n) => array2.includes(n)) } + +let samlAuth = module.exports = Router() + +passport.use(new SamlStrategy({ + callbackUrl: config.saml.callbackUrl || config.serverurl + '/auth/saml/callback', + entryPoint: config.saml.idpSsoUrl, + issuer: config.saml.issuer || config.serverurl, + cert: fs.readFileSync(config.saml.idpCert, 'utf-8'), + identifierFormat: config.saml.identifierFormat +}, function (user, done) { + // check authorization if needed + if (config.saml.externalGroups && config.saml.grouptAttribute) { + var externalGroups = intersection(config.saml.externalGroups, user[config.saml.groupAttribute]) + if (externalGroups.length > 0) { + logger.error('saml permission denied: ' + externalGroups.join(', ')) + return done('Permission denied', null) + } + } + if (config.saml.requiredGroups && config.saml.grouptAttribute) { + if (intersection(config.saml.requiredGroups, user[config.saml.groupAttribute]).length === 0) { + logger.error('saml permission denied') + return done('Permission denied', null) + } + } + // user creation + var uuid = user[config.saml.attribute.id] || user.nameID + var profile = { + provider: 'saml', + id: 'SAML-' + uuid, + username: user[config.saml.attribute.username] || user.nameID, + displayName: user[config.saml.attribute.displayName] || user.nameID, + emails: user[config.saml.attribute.email] ? [user[config.saml.attribute.email]] : [] + } + if (profile.emails.length === 0 && config.saml.identifierFormat === 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') { + profile.emails.push(user.nameID) + } + var stringifiedProfile = JSON.stringify(profile) + models.User.findOrCreate({ + where: { + profileid: profile.id.toString() + }, + defaults: { + profile: stringifiedProfile + } + }).spread(function (user, created) { + if (user) { + var needSave = false + if (user.profile !== stringifiedProfile) { + user.profile = stringifiedProfile + needSave = true + } + if (needSave) { + user.save().then(function () { + if (config.debug) { logger.debug('user login: ' + user.id) } + return done(null, user) + }) + } else { + if (config.debug) { logger.debug('user login: ' + user.id) } + return done(null, user) + } + } + }).catch(function (err) { + logger.error('saml auth failed: ' + err) + return done(err, null) + }) +})) + +samlAuth.get('/auth/saml', + passport.authenticate('saml', { + successReturnToOrRedirect: config.serverurl + '/', + failureRedirect: config.serverurl + '/' + }) +) + +samlAuth.post('/auth/saml/callback', urlencodedParser, + passport.authenticate('saml', { + successReturnToOrRedirect: config.serverurl + '/', + failureRedirect: config.serverurl + '/' + }) +) + +samlAuth.get('/auth/saml/metadata', function (req, res) { + res.type('application/xml') + res.send(passport._strategy('saml').generateServiceProviderMetadata()) +}) |