feat: admin UI fixes + SAML strategy + dashboard gql

2018-09-03 20:58:54 -04:00
parent 01f43bfaa5
commit 5e109802c6
11 changed files with 420 additions and 704 deletions
--- a/server/modules/authentication/saml/authentication.js
+++ b/server/modules/authentication/saml/authentication.js
@@ -0,0 +1,40 @@
+const _ = require('lodash')
+
+/* global WIKI */
+
+// ------------------------------------
+// SAML Account
+// ------------------------------------
+
+const SAMLStrategy = require('passport-saml').Strategy
+
+module.exports = {
+  init (passport, conf) {
+    passport.use('saml',
+      new SAMLStrategy({
+        callbackURL: conf.callbackURL,
+        entryPoint: conf.entryPoint,
+        issuer: conf.issuer,
+        audience: conf.audience,
+        cert: _.split(conf.cert, '|'),
+        privateCert: conf.privateCert,
+        decryptionPvk: conf.decryptionPvk,
+        signatureAlgorithm: conf.signatureAlgorithm,
+        identifierFormat: conf.identifierFormat,
+        acceptedClockSkewMs: _.toSafeInteger(conf.acceptedClockSkewMs),
+        disableRequestedAuthnContext: conf.disableRequestedAuthnContext,
+        authnContext: conf.authnContext,
+        forceAuthn: conf.forceAuthn,
+        providerName: conf.providerName,
+        skipRequestCompression: conf.skipRequestCompression,
+        authnRequestBinding: conf.authnRequestBinding
+      }, (profile, cb) => {
+        WIKI.models.users.processProfile(profile).then((user) => {
+          return cb(null, user) || true
+        }).catch((err) => {
+          return cb(err, null) || true
+        })
+      })
+    )
+  }
+}
--- a/server/modules/authentication/saml/definition.yml
+++ b/server/modules/authentication/saml/definition.yml
@@ -0,0 +1,83 @@
+key: saml
+title: SAML 2.0
+description: Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.
+author: requarks.io
+logo: https://static.requarks.io/logo/saml.svg
+website: https://wiki.oasis-open.org/security/FrontPage
+useForm: false
+props:
+  entryPoint:
+    type: String
+    title: Entry Point
+    hint: Identity provider entrypoint (URL)
+  issuer:
+    type: String
+    title: Issuer
+    hint: Issuer string to supply to Identity Provider
+  audience:
+    type: String
+    title: Audience
+    hint: Expected SAML response Audience (if not provided, Audience won't be verified)
+  cert:
+    type: String
+    title: Certificate
+    hint: Public PEM-encoded X.509 signing certificate contents in base64 (e.g. 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='). If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
+  privateCert:
+    type: String
+    title: Private Certificate
+    hint: PEM formatted key used to sign the certificate.
+  decryptionPvk:
+    type: String
+    title: Decryption Private Key
+    hint: (optional) Private key that will be used to attempt to decrypt any encrypted assertions that are received.
+  signatureAlgorithm:
+    type: String
+    title: Signature Algorithm
+    hint: Signature algorithm used for signing requests
+    default: sha1
+    enum:
+      - sha1
+      - sha256
+      - sha512
+  identifierFormat:
+    type: String
+    title: Name Identifier format
+    default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+  acceptedClockSkewMs:
+    type: Number
+    title: Accepted Clock Skew Milleseconds
+    hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
+    default: 0
+  disableRequestedAuthnContext:
+    type: Boolean
+    title: Disable Requested Auth Context
+    hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
+    default: false
+  authnContext:
+    type: String
+    title: Auth Context
+    hint: Name identifier format to request auth context.
+    default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+  forceAuthn:
+    type: Boolean
+    title: Force Initial Re-authentication
+    hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
+    default: false
+  providerName:
+    type: String
+    title: Provider Name
+    hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
+    default: wiki.js
+  skipRequestCompression:
+    type: Boolean
+    title: Skip Request Compression
+    hint: If enabled, the SAML request from the service provider won't be compressed.
+    default: false
+  authnRequestBinding:
+    type: String
+    title: Request Binding
+    hint: Binding used for request authentication from IDP.
+    default: 'HTTP-Redirect'
+    enum:
+      - HTTP-Redirect
+      - HTTP-POST