summaryrefslogtreecommitdiff
path: root/lib/web/auth
diff options
context:
space:
mode:
Diffstat (limited to 'lib/web/auth')
-rw-r--r--lib/web/auth/google/index.js6
-rw-r--r--lib/web/auth/index.js2
-rw-r--r--lib/web/auth/ldap/index.js11
-rw-r--r--lib/web/auth/mattermost/index.js49
-rw-r--r--lib/web/auth/saml/index.js95
5 files changed, 158 insertions, 5 deletions
diff --git a/lib/web/auth/google/index.js b/lib/web/auth/google/index.js
index bf2a260f..609c69cf 100644
--- a/lib/web/auth/google/index.js
+++ b/lib/web/auth/google/index.js
@@ -6,7 +6,7 @@ var GoogleStrategy = require('passport-google-oauth20').Strategy
const config = require('../../../config')
const {setReturnToFromReferer, passportGeneralCallback} = require('../utils')
-let facebookAuth = module.exports = Router()
+let googleAuth = module.exports = Router()
passport.use(new GoogleStrategy({
clientID: config.google.clientID,
@@ -14,12 +14,12 @@ passport.use(new GoogleStrategy({
callbackURL: config.serverurl + '/auth/google/callback'
}, passportGeneralCallback))
-facebookAuth.get('/auth/google', function (req, res, next) {
+googleAuth.get('/auth/google', function (req, res, next) {
setReturnToFromReferer(req)
passport.authenticate('google', { scope: ['profile'] })(req, res, next)
})
// google auth callback
-facebookAuth.get('/auth/google/callback',
+googleAuth.get('/auth/google/callback',
passport.authenticate('google', {
successReturnToOrRedirect: config.serverurl + '/',
failureRedirect: config.serverurl + '/'
diff --git a/lib/web/auth/index.js b/lib/web/auth/index.js
index b5ca8434..db5ff11d 100644
--- a/lib/web/auth/index.js
+++ b/lib/web/auth/index.js
@@ -33,9 +33,11 @@ if (config.isFacebookEnable) authRouter.use(require('./facebook'))
if (config.isTwitterEnable) authRouter.use(require('./twitter'))
if (config.isGitHubEnable) authRouter.use(require('./github'))
if (config.isGitLabEnable) authRouter.use(require('./gitlab'))
+if (config.isMattermostEnable) authRouter.use(require('./mattermost'))
if (config.isDropboxEnable) authRouter.use(require('./dropbox'))
if (config.isGoogleEnable) authRouter.use(require('./google'))
if (config.isLDAPEnable) authRouter.use(require('./ldap'))
+if (config.isSAMLEnable) authRouter.use(require('./saml'))
if (config.isEmailEnable) authRouter.use(require('./email'))
// logout
diff --git a/lib/web/auth/ldap/index.js b/lib/web/auth/ldap/index.js
index 766c5cbc..cc0d29ad 100644
--- a/lib/web/auth/ldap/index.js
+++ b/lib/web/auth/ldap/index.js
@@ -23,9 +23,16 @@ passport.use(new LDAPStrategy({
tlsOptions: config.ldap.tlsOptions || null
}
}, function (user, done) {
+ var uuid = user.uidNumber || user.uid || user.sAMAccountName
+ var username = uuid
+
+ if (config.ldap.usernameField && user[config.ldap.usernameField]) {
+ username = user[config.ldap.usernameField]
+ }
+
var profile = {
- id: 'LDAP-' + user.uidNumber,
- username: user.uid,
+ id: 'LDAP-' + uuid,
+ username: username,
displayName: user.displayName,
emails: user.mail ? [user.mail] : [],
avatarUrl: null,
diff --git a/lib/web/auth/mattermost/index.js b/lib/web/auth/mattermost/index.js
new file mode 100644
index 00000000..9ccf3de5
--- /dev/null
+++ b/lib/web/auth/mattermost/index.js
@@ -0,0 +1,49 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const Mattermost = require('mattermost')
+const OAuthStrategy = require('passport-oauth2').Strategy
+const config = require('../../../config')
+const {setReturnToFromReferer, passportGeneralCallback} = require('../utils')
+
+const mattermost = new Mattermost.Client()
+
+let mattermostAuth = module.exports = Router()
+
+let mattermostStrategy = new OAuthStrategy({
+ authorizationURL: config.mattermost.baseURL + '/oauth/authorize',
+ tokenURL: config.mattermost.baseURL + '/oauth/access_token',
+ clientID: config.mattermost.clientID,
+ clientSecret: config.mattermost.clientSecret,
+ callbackURL: config.serverurl + '/auth/mattermost/callback'
+}, passportGeneralCallback)
+
+mattermostStrategy.userProfile = (accessToken, done) => {
+ mattermost.setUrl(config.mattermost.baseURL)
+ mattermost.token = accessToken
+ mattermost.useHeaderToken()
+ mattermost.getMe(
+ (data) => {
+ done(null, data)
+ },
+ (err) => {
+ done(err)
+ }
+ )
+}
+
+passport.use(mattermostStrategy)
+
+mattermostAuth.get('/auth/mattermost', function (req, res, next) {
+ setReturnToFromReferer(req)
+ passport.authenticate('oauth2')(req, res, next)
+})
+
+// mattermost auth callback
+mattermostAuth.get('/auth/mattermost/callback',
+ passport.authenticate('oauth2', {
+ successReturnToOrRedirect: config.serverurl + '/',
+ failureRedirect: config.serverurl + '/'
+ })
+)
diff --git a/lib/web/auth/saml/index.js b/lib/web/auth/saml/index.js
new file mode 100644
index 00000000..386293ae
--- /dev/null
+++ b/lib/web/auth/saml/index.js
@@ -0,0 +1,95 @@
+'use strict'
+
+const Router = require('express').Router
+const passport = require('passport')
+const SamlStrategy = require('passport-saml').Strategy
+const config = require('../../../config')
+const models = require('../../../models')
+const logger = require('../../../logger')
+const {urlencodedParser} = require('../../utils')
+const fs = require('fs')
+const intersection = function (array1, array2) { return array1.filter((n) => array2.includes(n)) }
+
+let samlAuth = module.exports = Router()
+
+passport.use(new SamlStrategy({
+ callbackUrl: config.serverurl + '/auth/saml/callback',
+ entryPoint: config.saml.idpSsoUrl,
+ issuer: config.saml.issuer || config.serverurl,
+ cert: fs.readFileSync(config.saml.idpCert, 'utf-8'),
+ identifierFormat: config.saml.identifierFormat
+}, function (user, done) {
+ // check authorization if needed
+ if (config.saml.externalGroups && config.saml.grouptAttribute) {
+ var externalGroups = intersection(config.saml.externalGroups, user[config.saml.groupAttribute])
+ if (externalGroups.length > 0) {
+ logger.error('saml permission denied: ' + externalGroups.join(', '))
+ return done('Permission denied', null)
+ }
+ }
+ if (config.saml.requiredGroups && config.saml.grouptAttribute) {
+ if (intersection(config.saml.requiredGroups, user[config.saml.groupAttribute]).length === 0) {
+ logger.error('saml permission denied')
+ return done('Permission denied', null)
+ }
+ }
+ // user creation
+ var uuid = user[config.saml.attribute.id] || user.nameID
+ var profile = {
+ provider: 'saml',
+ id: 'SAML-' + uuid,
+ username: user[config.saml.attribute.username] || user.nameID,
+ emails: user[config.saml.attribute.email] ? [user[config.saml.attribute.email]] : []
+ }
+ if (profile.emails.length === 0 && config.saml.identifierFormat === 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') {
+ profile.emails.push(user.nameID)
+ }
+ var stringifiedProfile = JSON.stringify(profile)
+ models.User.findOrCreate({
+ where: {
+ profileid: profile.id.toString()
+ },
+ defaults: {
+ profile: stringifiedProfile
+ }
+ }).spread(function (user, created) {
+ if (user) {
+ var needSave = false
+ if (user.profile !== stringifiedProfile) {
+ user.profile = stringifiedProfile
+ needSave = true
+ }
+ if (needSave) {
+ user.save().then(function () {
+ if (config.debug) { logger.debug('user login: ' + user.id) }
+ return done(null, user)
+ })
+ } else {
+ if (config.debug) { logger.debug('user login: ' + user.id) }
+ return done(null, user)
+ }
+ }
+ }).catch(function (err) {
+ logger.error('saml auth failed: ' + err)
+ return done(err, null)
+ })
+}))
+
+samlAuth.get('/auth/saml',
+ passport.authenticate('saml', {
+ successReturnToOrRedirect: config.serverurl + '/',
+ failureRedirect: config.serverurl + '/'
+ })
+)
+
+samlAuth.post('/auth/saml/callback', urlencodedParser,
+ passport.authenticate('saml', {
+ successReturnToOrRedirect: config.serverurl + '/',
+ failureRedirect: config.serverurl + '/'
+ })
+)
+
+samlAuth.get('/auth/saml/metadata', function (req, res) {
+ res.type('application/xml')
+ res.send(passport._strategy('saml').generateServiceProviderMetadata())
+})