wikijs-fork/server/modules/authentication/ldap/authentication.js

/* global WIKI */

// ------------------------------------
// LDAP Account
// ------------------------------------

const LdapStrategy = require('passport-ldapauth').Strategy
const fs = require('fs')
const _ = require('lodash')

module.exports = {
  init (passport, conf) {
    passport.use(conf.key,
      new LdapStrategy({
        server: {
          url: conf.url,
          bindDn: conf.bindDn,
          bindCredentials: conf.bindCredentials,
          searchBase: conf.searchBase,
          searchFilter: conf.searchFilter,
          tlsOptions: getTlsOptions(conf),
          ...conf.mapGroups && {
            groupSearchBase: conf.groupSearchBase,
            groupSearchFilter: conf.groupSearchFilter,
            groupSearchScope: conf.groupSearchScope,
            groupDnProperty: conf.groupDnProperty,
            groupSearchAttributes: [conf.groupNameField]
          },
          includeRaw: true
        },
        usernameField: 'email',
        passwordField: 'password',
        passReqToCallback: true
      }, async (req, profile, cb) => {
        try {
          const userId = _.get(profile, conf.mappingUID, null)
          if (!userId) {
            throw new Error('Invalid Unique ID field mapping!')
          }

          const user = await WIKI.models.users.processProfile({
            providerKey: req.params.strategy,
            profile: {
              id: userId,
              email: String(_.get(profile, conf.mappingEmail, '')).split(',')[0],
              displayName: _.get(profile, conf.mappingDisplayName, '???'),
              picture: _.get(profile, `_raw.${conf.mappingPicture}`, '')
            }
          })
          // map users LDAP groups to wiki groups with the same name, and remove any groups that don't match LDAP
          if (conf.mapGroups) {
            const ldapGroups = _.get(profile, '_groups')
            if (ldapGroups && _.isArray(ldapGroups)) {
              const groups = ldapGroups.map(g => g[conf.groupNameField])
              const currentGroups = (await user.$relatedQuery('groups').select('groups.id')).map(g => g.id)
              const expectedGroups = Object.values(WIKI.auth.groups).filter(g => groups.includes(g.name)).map(g => g.id)
              for (const groupId of _.difference(expectedGroups, currentGroups)) {
                await user.$relatedQuery('groups').relate(groupId)
              }
              for (const groupId of _.difference(currentGroups, expectedGroups)) {
                await user.$relatedQuery('groups').unrelate().where('groupId', groupId)
              }
            }
          }
          cb(null, user)
        } catch (err) {
          if (WIKI.config.flags.ldapdebug) {
            WIKI.logger.warn('LDAP LOGIN ERROR (c2): ', err)
          }
          cb(err, null)
        }
      }
      ))
  }
}

function getTlsOptions(conf) {
  if (!conf.tlsEnabled) {
    return {}
  }

  if (!conf.tlsCertPath) {
    return {
      rejectUnauthorized: conf.verifyTLSCertificate
    }
  }

  const caList = []
  if (conf.verifyTLSCertificate) {
    caList.push(fs.readFileSync(conf.tlsCertPath))
  }

  return {
    rejectUnauthorized: conf.verifyTLSCertificate,
    ca: caList
  }
}
refactor: global namespace + admin pages UI 2018-03-05 20:49:36 +00:00			`/* global WIKI */`
feat: modular auth + queue tasks 2017-07-29 21:33:08 +00:00
			`// ------------------------------------`
			`// LDAP Account`
			`// ------------------------------------`

			`const LdapStrategy = require('passport-ldapauth').Strategy`
feat: modular auth + logging changes 2017-07-30 04:04:57 +00:00			`const fs = require('fs')`
feat: ldap module + deps upgrade 2019-04-27 03:59:35 +00:00			`const _ = require('lodash')`
feat: modular auth + queue tasks 2017-07-29 21:33:08 +00:00
feat: self-contained auth modules + login UI + icons 2017-09-11 03:00:03 +00:00			`module.exports = {`
			`init (passport, conf) {`
fix: handle multiple LDAP strategies (#5116) 2022-03-26 01:11:24 +00:00			`passport.use(conf.key,`
feat: self-contained auth modules + login UI + icons 2017-09-11 03:00:03 +00:00			`new LdapStrategy({`
			`server: {`
			`url: conf.url,`
			`bindDn: conf.bindDn,`
			`bindCredentials: conf.bindCredentials,`
			`searchBase: conf.searchBase,`
			`searchFilter: conf.searchFilter,`
fix: LDAP - avoid reading empty tls cert file (#2980) Co-authored-by: Kevyn Bruyere <kevyn@inovasi.fr> 2021-01-31 06:03:24 +00:00			`tlsOptions: getTlsOptions(conf),`
feat: set groups based on LDAP groups (#5903) * Add mapping ldap groups to wiki groups --------- Co-authored-by: Nicolas Giard <github@ngpixel.com> 2023-01-30 03:52:21 +00:00			`...conf.mapGroups && {`
			`groupSearchBase: conf.groupSearchBase,`
			`groupSearchFilter: conf.groupSearchFilter,`
			`groupSearchScope: conf.groupSearchScope,`
			`groupDnProperty: conf.groupDnProperty,`
			`groupSearchAttributes: [conf.groupNameField]`
			`},`
feat: ldap avatar support 2020-09-08 00:02:33 +00:00			`includeRaw: true`
feat: self-contained auth modules + login UI + icons 2017-09-11 03:00:03 +00:00			`},`
			`usernameField: 'email',`
feat: ldap module + deps upgrade 2019-04-27 03:59:35 +00:00			`passwordField: 'password',`
fix: LDAP missing reqToCallback 2020-09-05 19:19:18 +00:00			`passReqToCallback: true`
feat: social login providers with dynamic instances 2020-08-30 05:36:17 +00:00			`}, async (req, profile, cb) => {`
feat: ldap module + deps upgrade 2019-04-27 03:59:35 +00:00			`try {`
			`const userId = _.get(profile, conf.mappingUID, null)`
			`if (!userId) {`
			`throw new Error('Invalid Unique ID field mapping!')`
			`}`

			`const user = await WIKI.models.users.processProfile({`
feat: social login providers with dynamic instances 2020-08-30 05:36:17 +00:00			`providerKey: req.params.strategy,`
feat: ldap module + deps upgrade 2019-04-27 03:59:35 +00:00			`profile: {`
			`id: userId,`
fix: use first email address when retrieving multiple from LDAP (#2051) Signed-off-by: Jonas Jöst <jonas@gpplanet.de> 2020-06-16 04:11:38 +00:00			`email: String(_.get(profile, conf.mappingEmail, '')).split(',')[0],`
feat: ldap module + deps upgrade 2019-04-27 03:59:35 +00:00			`displayName: _.get(profile, conf.mappingDisplayName, '???'),`
feat: ldap avatar support 2020-09-08 00:02:33 +00:00			picture: _.get(profile, `_raw.${conf.mappingPicture}`, '')
feat: social login providers with dynamic instances 2020-08-30 05:36:17 +00:00			`}`
feat: ldap module + deps upgrade 2019-04-27 03:59:35 +00:00			`})`
feat: set groups based on LDAP groups (#5903) * Add mapping ldap groups to wiki groups --------- Co-authored-by: Nicolas Giard <github@ngpixel.com> 2023-01-30 03:52:21 +00:00			`// map users LDAP groups to wiki groups with the same name, and remove any groups that don't match LDAP`
			`if (conf.mapGroups) {`
			`const ldapGroups = _.get(profile, '_groups')`
			`if (ldapGroups && _.isArray(ldapGroups)) {`
			`const groups = ldapGroups.map(g => g[conf.groupNameField])`
			`const currentGroups = (await user.$relatedQuery('groups').select('groups.id')).map(g => g.id)`
			`const expectedGroups = Object.values(WIKI.auth.groups).filter(g => groups.includes(g.name)).map(g => g.id)`
			`for (const groupId of _.difference(expectedGroups, currentGroups)) {`
			`await user.$relatedQuery('groups').relate(groupId)`
			`}`
			`for (const groupId of _.difference(currentGroups, expectedGroups)) {`
			`await user.$relatedQuery('groups').unrelate().where('groupId', groupId)`
			`}`
			`}`
			`}`
feat: ldap module + deps upgrade 2019-04-27 03:59:35 +00:00			`cb(null, user)`
			`} catch (err) {`
feat: LDAP debug flag 2019-06-05 02:23:32 +00:00			`if (WIKI.config.flags.ldapdebug) {`
			`WIKI.logger.warn('LDAP LOGIN ERROR (c2): ', err)`
			`}`
feat: ldap module + deps upgrade 2019-04-27 03:59:35 +00:00			`cb(err, null)`
			`}`
feat: self-contained auth modules + login UI + icons 2017-09-11 03:00:03 +00:00			`}`
			`))`
			`}`
feat: modular auth + queue tasks 2017-07-29 21:33:08 +00:00			`}`
fix: LDAP - avoid reading empty tls cert file (#2980) Co-authored-by: Kevyn Bruyere <kevyn@inovasi.fr> 2021-01-31 06:03:24 +00:00
			`function getTlsOptions(conf) {`
			`if (!conf.tlsEnabled) {`
			`return {}`
			`}`

			`if (!conf.tlsCertPath) {`
			`return {`
feat: set groups based on LDAP groups (#5903) * Add mapping ldap groups to wiki groups --------- Co-authored-by: Nicolas Giard <github@ngpixel.com> 2023-01-30 03:52:21 +00:00			`rejectUnauthorized: conf.verifyTLSCertificate`
fix: LDAP - avoid reading empty tls cert file (#2980) Co-authored-by: Kevyn Bruyere <kevyn@inovasi.fr> 2021-01-31 06:03:24 +00:00			`}`
			`}`

			`const caList = []`
			`if (conf.verifyTLSCertificate) {`
			`caList.push(fs.readFileSync(conf.tlsCertPath))`
			`}`

			`return {`
			`rejectUnauthorized: conf.verifyTLSCertificate,`
			`ca: caList`
			`}`
			`}`