diff options
Diffstat (limited to 'lib/web/auth')
-rw-r--r-- | lib/web/auth/index.js | 2 | ||||
-rw-r--r-- | lib/web/auth/ldap/index.js | 11 | ||||
-rw-r--r-- | lib/web/auth/mattermost/index.js | 49 | ||||
-rw-r--r-- | lib/web/auth/saml/index.js | 95 |
4 files changed, 155 insertions, 2 deletions
diff --git a/lib/web/auth/index.js b/lib/web/auth/index.js index b5ca8434..db5ff11d 100644 --- a/lib/web/auth/index.js +++ b/lib/web/auth/index.js @@ -33,9 +33,11 @@ if (config.isFacebookEnable) authRouter.use(require('./facebook')) if (config.isTwitterEnable) authRouter.use(require('./twitter')) if (config.isGitHubEnable) authRouter.use(require('./github')) if (config.isGitLabEnable) authRouter.use(require('./gitlab')) +if (config.isMattermostEnable) authRouter.use(require('./mattermost')) if (config.isDropboxEnable) authRouter.use(require('./dropbox')) if (config.isGoogleEnable) authRouter.use(require('./google')) if (config.isLDAPEnable) authRouter.use(require('./ldap')) +if (config.isSAMLEnable) authRouter.use(require('./saml')) if (config.isEmailEnable) authRouter.use(require('./email')) // logout diff --git a/lib/web/auth/ldap/index.js b/lib/web/auth/ldap/index.js index 766c5cbc..cc0d29ad 100644 --- a/lib/web/auth/ldap/index.js +++ b/lib/web/auth/ldap/index.js @@ -23,9 +23,16 @@ passport.use(new LDAPStrategy({ tlsOptions: config.ldap.tlsOptions || null } }, function (user, done) { + var uuid = user.uidNumber || user.uid || user.sAMAccountName + var username = uuid + + if (config.ldap.usernameField && user[config.ldap.usernameField]) { + username = user[config.ldap.usernameField] + } + var profile = { - id: 'LDAP-' + user.uidNumber, - username: user.uid, + id: 'LDAP-' + uuid, + username: username, displayName: user.displayName, emails: user.mail ? [user.mail] : [], avatarUrl: null, diff --git a/lib/web/auth/mattermost/index.js b/lib/web/auth/mattermost/index.js new file mode 100644 index 00000000..9ccf3de5 --- /dev/null +++ b/lib/web/auth/mattermost/index.js @@ -0,0 +1,49 @@ +'use strict' + +const Router = require('express').Router +const passport = require('passport') +const Mattermost = require('mattermost') +const OAuthStrategy = require('passport-oauth2').Strategy +const config = require('../../../config') +const {setReturnToFromReferer, passportGeneralCallback} = require('../utils') + +const mattermost = new Mattermost.Client() + +let mattermostAuth = module.exports = Router() + +let mattermostStrategy = new OAuthStrategy({ + authorizationURL: config.mattermost.baseURL + '/oauth/authorize', + tokenURL: config.mattermost.baseURL + '/oauth/access_token', + clientID: config.mattermost.clientID, + clientSecret: config.mattermost.clientSecret, + callbackURL: config.serverurl + '/auth/mattermost/callback' +}, passportGeneralCallback) + +mattermostStrategy.userProfile = (accessToken, done) => { + mattermost.setUrl(config.mattermost.baseURL) + mattermost.token = accessToken + mattermost.useHeaderToken() + mattermost.getMe( + (data) => { + done(null, data) + }, + (err) => { + done(err) + } + ) +} + +passport.use(mattermostStrategy) + +mattermostAuth.get('/auth/mattermost', function (req, res, next) { + setReturnToFromReferer(req) + passport.authenticate('oauth2')(req, res, next) +}) + +// mattermost auth callback +mattermostAuth.get('/auth/mattermost/callback', + passport.authenticate('oauth2', { + successReturnToOrRedirect: config.serverurl + '/', + failureRedirect: config.serverurl + '/' + }) +) diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js new file mode 100644 index 00000000..386293ae --- /dev/null +++ b/lib/web/auth/saml/index.js @@ -0,0 +1,95 @@ +'use strict' + +const Router = require('express').Router +const passport = require('passport') +const SamlStrategy = require('passport-saml').Strategy +const config = require('../../../config') +const models = require('../../../models') +const logger = require('../../../logger') +const {urlencodedParser} = require('../../utils') +const fs = require('fs') +const intersection = function (array1, array2) { return array1.filter((n) => array2.includes(n)) } + +let samlAuth = module.exports = Router() + +passport.use(new SamlStrategy({ + callbackUrl: config.serverurl + '/auth/saml/callback', + entryPoint: config.saml.idpSsoUrl, + issuer: config.saml.issuer || config.serverurl, + cert: fs.readFileSync(config.saml.idpCert, 'utf-8'), + identifierFormat: config.saml.identifierFormat +}, function (user, done) { + // check authorization if needed + if (config.saml.externalGroups && config.saml.grouptAttribute) { + var externalGroups = intersection(config.saml.externalGroups, user[config.saml.groupAttribute]) + if (externalGroups.length > 0) { + logger.error('saml permission denied: ' + externalGroups.join(', ')) + return done('Permission denied', null) + } + } + if (config.saml.requiredGroups && config.saml.grouptAttribute) { + if (intersection(config.saml.requiredGroups, user[config.saml.groupAttribute]).length === 0) { + logger.error('saml permission denied') + return done('Permission denied', null) + } + } + // user creation + var uuid = user[config.saml.attribute.id] || user.nameID + var profile = { + provider: 'saml', + id: 'SAML-' + uuid, + username: user[config.saml.attribute.username] || user.nameID, + emails: user[config.saml.attribute.email] ? [user[config.saml.attribute.email]] : [] + } + if (profile.emails.length === 0 && config.saml.identifierFormat === 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') { + profile.emails.push(user.nameID) + } + var stringifiedProfile = JSON.stringify(profile) + models.User.findOrCreate({ + where: { + profileid: profile.id.toString() + }, + defaults: { + profile: stringifiedProfile + } + }).spread(function (user, created) { + if (user) { + var needSave = false + if (user.profile !== stringifiedProfile) { + user.profile = stringifiedProfile + needSave = true + } + if (needSave) { + user.save().then(function () { + if (config.debug) { logger.debug('user login: ' + user.id) } + return done(null, user) + }) + } else { + if (config.debug) { logger.debug('user login: ' + user.id) } + return done(null, user) + } + } + }).catch(function (err) { + logger.error('saml auth failed: ' + err) + return done(err, null) + }) +})) + +samlAuth.get('/auth/saml', + passport.authenticate('saml', { + successReturnToOrRedirect: config.serverurl + '/', + failureRedirect: config.serverurl + '/' + }) +) + +samlAuth.post('/auth/saml/callback', urlencodedParser, + passport.authenticate('saml', { + successReturnToOrRedirect: config.serverurl + '/', + failureRedirect: config.serverurl + '/' + }) +) + +samlAuth.get('/auth/saml/metadata', function (req, res) { + res.type('application/xml') + res.send(passport._strategy('saml').generateServiceProviderMetadata()) +}) |