
Commit b18407a

committed
when run natively, you need a blank forms file and certificates.
1 parent e4f06fb commit b18407a


4 files changed

+229
-0
lines changed


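--- /dev/null
+++ b/ldap.model.js
@@ -0,0 +1,152 @@
+'use strict';
+const logger=require("../lib/logger");
+const mysql=require("./db.model")
+const helpers=require("../lib/common")
+const YAML=require("yaml")
+const {encrypt,decrypt} = require("../lib/crypto")
+
+//ldap object create
+var Ldap=function(ldap){
+this.server = ldap.server;
+this.port = ldap.port;
+this.ignore_certs = (ldap.ignore_certs)?1:0;
+this.enable_tls = (ldap.enable_tls)?1:0;
+this.cert = ldap.cert;
+this.ca_bundle = ldap.ca_bundle;
+this.bind_user_dn = ldap.bind_user_dn;
+this.bind_user_pw = encrypt(ldap.bind_user_pw);
+this.search_base = ldap.search_base;
+this.username_attribute = ldap.username_attribute;
+this.groups_attribute = ldap.groups_attribute;
+this.enable = (ldap.enable)?1:0;
+this.is_advanced = (ldap.is_advanced)?1:0;
+this.groups_search_base = (ldap.is_advanced)?ldap.groups_search_base:""
+this.group_class = (ldap.is_advanced)?ldap.group_class:""
+this.group_member_attribute = (ldap.is_advanced)?ldap.group_member_attribute:""
+this.group_member_user_attribute = (ldap.is_advanced)?ldap.group_member_user_attribute:""
+this.mail_attribute = ldap.mail_attribute
+};
+Ldap.update = function (record) {
+logger.info(`Updating ldap ${record.server}`)
+return mysql.do("UPDATE AnsibleForms.`ldap` set ?", record)
+};
+Ldap.find = function(){
+return mysql.do("SELECT * FROM AnsibleForms.`ldap` limit 1;")
+.then((res)=>{
+if(res.length>0){
+try{
+res[0].bind_user_pw=decrypt(res[0].bind_user_pw)
+}catch(e){
+logger.error("Couldn't decrypt ldap binding password, did the secretkey change ?")
+res[0].bind_user_pw=""
+}
+return res[0]
+}else{
+logger.error("No ldap record in the database, something is wrong")
+throw "No ldap record in the database, something is wrong"
+}
+})
+}
+Ldap.check = function(ldapConfig){
+return new Promise(async (resolve,reject)=>{
+
+const { authenticate } = require('../lib/ldap-authentication')
+// auth with admin
+var badCertificates=false
+let options = {
+ldapOpts: {
+url: ((ldapConfig.enable_tls==1)?"ldaps":"ldap") + "://" + ldapConfig.server + ":" + ldapConfig.port,
+tlsOptions: {
+// cert: cert,
+// requestCert: tls,
+// rejectUnauthorized: rejectUnauthorized,
+// ca: ca
+}
+},
+adminDn: ldapConfig.bind_user_dn,
+adminPassword: decrypt(ldapConfig.bind_user_pw),
+userPassword: "dummypassword_for_check",
+userSearchBase: ldapConfig.search_base,
+usernameAttribute: ldapConfig.username_attribute,
+username: "dummyuser_for_check",
+// starttls: false
+}
+// new in v4.0.20, add advanced ldap properties
+if(ldapConfig.is_advanced){
+if(ldapConfig.groups_search_base){ options.groupsSearchBase = ldapConfig.groups_search_base }
+if(ldapConfig.group_class){ options.groupClass = ldapConfig.group_class }
+if(ldapConfig.group_member_attribute){ options.groupMemberAttribute = ldapConfig.group_member_attribute }
+if(ldapConfig.group_member_user_attribute){ options.groupMemberUserAttribute = ldapConfig.group_member_user_attribute }
+}
+// console.log(options)
+// ldap-authentication has bad cert check, so we check first !!
+if(ldapConfig.enable_tls && !(ldapConfig.ignore_certs==1)){
+if(!helpers.checkCertificate(ldapConfig.cert)){
+badCertificates=true
+}
+if(!helpers.checkCertificate(ldapConfig.ca_bundle)){
+badCertificates=true
+}
+}else{
+ldapConfig.cert=""
+ldapConfig.ca_bundle=""
+}
+// enable tls/ldaps
+if(ldapConfig.enable_tls==1){
+options.ldapOpts.tlsOptions.requestCert = (ldapConfig.enable_tls==1)
+if(ldapConfig.cert!=""){
+options.ldapOpts.tlsOptions.cert = ldapConfig.cert
+}
+if(ldapConfig.ca_bundle!=""){
+options.ldapOpts.tlsOptions.ca = ldapConfig.ldapTlsCa
+}
+options.ldapOpts.tlsOptions.rejectUnauthorized = !(ldapConfig.ignore_certs==1)
+logger.info("use tls : " + (ldapConfig.enable_tls==1))
+logger.info("reject invalid certificates : " + !(ldapConfig.ignore_certs==1))
+}
+
+if(badCertificates){
+reject("Certificate is not valid")
+}else{
+logger.notice("Certificates are valid")
+try{
+// logger.debug(JSON.stringify(options))
+logger.notice("Authenticating")
+var user = await authenticate(options)
+resolve(user)
+}catch(err){
+var em =""
+if(err.message){
+em = err.message
+}else{
+try{ em = YAML.stringify(err)}catch(e){em = err}
+}
+if(err.admin){
+if(err.admin.lde_message){
+try{ em = YAML.stringify(err.admin.lde_message)}catch(e){em = err}
+}
+else if(err.admin.code){
+try{ em = YAML.stringify(err.admin)}catch(e){em = err}
+if(err.admin.code=="UNABLE_TO_VERIFY_LEAF_SIGNATURE"){
+em = "Unable to verify the certificate"
+}else if(err.admin.code==49){
+em = "Wrong binding credentials"
+}else if(err.admin.code=="ENOTFOUND"){
+em = "Bad server or port (connection failed)"
+}
+}
+}
+
+if(em.includes("user not found")){
+logger.notice("Checking ldap connection ok")
+resolve()
+}else{
+logger.notice("Checking ldap connection result : " + em)
+reject(em)
+}
+}
+}
+})
+}
+
+module.exports= Ldap;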
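Review bot: `options.ldapOpts.tlsOptions.ca = ldapConfig.ldapTlsCa` (line 101) reads a property that the Ldap constructor never sets — the bundle is stored as `ca_bundle` — so the guard on line 100 passes but `ca` is assigned `undefined`, and the configured CA bundle is silently never applied to the TLS connection; the line should read `options.ldapOpts.tlsOptions.ca = ldapConfig.ca_bundle`. In the catch block of `Ldap.check`, the fallbacks `em = err` (lines 122, 126, 129) can leave `em` as an object, after which `em.includes(...)` on line 140 throws inside the executor and the returned Promise never settles; guarding with `typeof em === "string"` or stringifying with `String(em)` before the `includes` check would keep the rejection path reachable. `Ldap.find` throws a bare string (line 46) and `Ldap.check` rejects with strings (lines 109, 145), which drops stack traces for callers; `throw new Error(...)` / `reject(new Error(...))` would preserve them without changing the message text. The `else` branch at lines 90–93 also mutates the caller's `ldapConfig` by blanking `cert` and `ca_bundle`, which a caller reusing the object after a check may not expect; a local copy avoids that.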

server/templates/cert.pem.template

Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIDujCCAqKgAwIBAgIJAMMW5u/nBgdrMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV
3+
BAYTAkJFMREwDwYDVQQIDAhCcnVzc2VsczERMA8GA1UEBwwIQnJ1c3NlbHMxEzAR
4+
BgNVBAoMCkFuc2libGVHdXkxFTATBgNVBAsMDEFuc2libGVGb3JtczEVMBMGA1UE
5+
AwwMYW5zaWJsZWZvcm1zMB4XDTIxMTEwMjE1MjIzMVoXDTMxMTAzMTE1MjIzMVow
6+
djELMAkGA1UEBhMCQkUxETAPBgNVBAgMCEJydXNzZWxzMREwDwYDVQQHDAhCcnVz
7+
c2VsczETMBEGA1UECgwKQW5zaWJsZUd1eTEVMBMGA1UECwwMQW5zaWJsZUZvcm1z
8+
MRUwEwYDVQQDDAxhbnNpYmxlZm9ybXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
9+
ggEKAoIBAQCy4Gb5xWWG7w1CQ09m+PhG3kZaytv0nNs44q4rIBJNmphJ2tem8AIb
10+
Ggg81SeuOW7e+Ze04IXzNGqEMJ+2I/Hq357a/SlSCL6HnW2c/hZ3CRdrHu1SyFk9
11+
YrbpWIOBPaJB0KEY5tn4SAds0WR7HUhDsd9/EgkV95mFm16EPfNIzGAdEAZgQkfi
12+
GGUdfwPAUJoZlZzmSz2soxZJBFA0/x+cq21f0xrxesqM7Il4bWCZAVmYiIkAY1HA
13+
YOy4C7DKDrPpvifPJdMiOHQ6fwP/JAOZ4HoyDYoUQDCBbAadK3ws4x6i8YlKfltm
14+
Vq2t3zWZHSVwRF9abDbEGzmUSeYx91k3AgMBAAGjSzBJMA4GA1UdDwEB/wQEAwID
15+
iDATBgNVHSUEDDAKBggrBgEFBQcDATAiBgNVHREEGzAZggxhbnNpYmxlZm9ybXOC
16+
CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAHiY3mFawVyqeAN01jjGvF2+E
17+
QjtHOL5Q4dtVdoZLvVFdXlRZkqtCZaQna3nYdzLlwWYQy8SC23QkU+P1wNAakf0N
18+
na4M11Yi71h1hkHTo5Ub88DMWbz/VMaCo/Iefr4Sv1QoEmEeFEUtPbEAO6v9trqp
19+
GOZv+6H3tuhuQkR+wWllBw7hqnWTvXTGRZXBlQH1wH04Vw6uUXg91ZMUE8DSddEz
20+
nygVGVTEGWs3eld2j7rICRvGrtKOYrg6m+MfQN/skE1aa+auqu6OySAy0HBvS0u9
21+
G2+Ka6a54la0RR13lKmUR4y8B0izh5ThI0/FXtmVPI5XmG27Fellw7JG9bt1PQ==
22+
-----END CERTIFICATE-----

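--- /dev/null
+++ b/server/templates/forms.yaml.template
@@ -0,0 +1,27 @@
+categories: # a list of categories to group forms
+- name: Default
+icon: bars
+roles: # a list of roles
+- name: admin
+groups:
+- local/admins
+- name: public
+groups: []
+constants: {} # free objects to re-use over all forms
+forms: # a list of forms
+- name: Demo Form
+showHelp: true
+help: >
+This is a demo form
+roles:
+- public
+description: A simple form
+categories:
+- Demo
+icon: heart
+playbook: dummy.yaml
+type: ansible
+fields:
+- type: text
+name: username
+label: Username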

server/templates/key.pem.template

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
-----BEGIN PRIVATE KEY-----
2+
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCy4Gb5xWWG7w1C
3+
Q09m+PhG3kZaytv0nNs44q4rIBJNmphJ2tem8AIbGgg81SeuOW7e+Ze04IXzNGqE
4+
MJ+2I/Hq357a/SlSCL6HnW2c/hZ3CRdrHu1SyFk9YrbpWIOBPaJB0KEY5tn4SAds
5+
0WR7HUhDsd9/EgkV95mFm16EPfNIzGAdEAZgQkfiGGUdfwPAUJoZlZzmSz2soxZJ
6+
BFA0/x+cq21f0xrxesqM7Il4bWCZAVmYiIkAY1HAYOy4C7DKDrPpvifPJdMiOHQ6
7+
fwP/JAOZ4HoyDYoUQDCBbAadK3ws4x6i8YlKfltmVq2t3zWZHSVwRF9abDbEGzmU
8+
SeYx91k3AgMBAAECggEAYX0X4m0JBl9m9IRG1DJA7i7aXUVOV6TdfcVdczeJgi4N
9+
bcMN4XfRTgAEGVN6yuOWX4PcgMIVfxVEMENn6BbzFDVIGMX9LS6C2NqeEQASMlIM
10+
J1+1rHZw3JneYpLRKTD0K7aO9klq5nwrP81nXAn7hpl8235y4TwOudiRzLUO0M9Z
11+
Da6DT5R7bgGfXpkwZKKzlZwLYZq/gw+TBtEXRN//k8cRDqGCNvetgYczinJrg3HQ
12+
+PDayHAhMqm5ufr59cpGKGWScdNdnLAnporbSHd+6UHHm0Lpza3z2nI3z1R0B7xs
13+
kgvKh8g4N3lcAkjzMYSYr6Sf+aL16GP7imM8I/O2kQKBgQDaNZVYxs0pbnKocNaU
14+
YYqNkxT4eNxgU7h3Zqxq9dd++bVq4tOOpO7ocugBc1lrmbQ9kQKRtv3/nUgU9iCI
15+
ohPjJZRBlvlIaQfPo6zDD3K4xtVe083nlyeKiEN7yslTRl3N9zQDN+Cmb0h6U0Id
16+
g+q2hX8Ke1ofopQEKqZxpbxvswKBgQDR2vuNdfd77G/Qp7kOU6u+V7752W2nDLEu
17+
f7FBlwB9tHkfGiS2G/8HZ90Ei9ZC9rDjlsib7HG8tV/EZMhAtKgta3MHJm3h8tEA
18+
KtX3sRo9W+ArOp+jvu+6Bj7Jn+GOHXYwpOodP1zt47xPrnayFuPV7/5XtS2zrsuo
19+
CwZyEuAObQKBgE2nwhWM8lhrSPyu43581A0cKdtfT7YsNTqw3G1YPi+e+DQosvdR
20+
tQAeXHifr1P+qEk8wPhQckY0mAF1shBN9dvhdMh+zQo67p+zdPkaF06w3CBaKi3f
21+
+h9v7OwyN8GeCiYRcn4utZEli1qVJLNSTgZUrehyC5m0hw6QixlozQ3HAoGBAItq
22+
cuIo8/C1RBeXxb554chDnRF53Ho1WWSt2oHboqzgf/MkuCzv7n7qBpBlokO8hgm8
23+
+6ty6qDW0je0SMGMA4qhLrsaUbfhS+5ThvDWDLuk1QmDGdl8GOE6Eu56NCvo8MMi
24+
XJJvrPox6MH7AsoPoO9ZUFzOdf1Aa/ZI1NBmL8oFAoGBALduRfv4J1kFvauCWueM
25+
QKn7y8DIuFuPZiBmLIKPSPZlzayPLJjS99jRjX/f1l27wOVAbW2Jl6HcRgcZiyoo
26+
BNT1HmUcnP/G9OljB76j/URVjcfAUY12R8bnfuGlb1gzXaUccg0NdXMhOELXgnvx
27+
eO0iTAwAMg0zebMbkmfBe/Zw
28+
-----END PRIVATE KEY-----
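Review bot: The template ships a complete, working RSA private key (lines 1–28 of server/templates/key.pem.template), and committing it makes that key public to everyone with access to this repository; the modulus prefix `AoIBAQCy4Gb5xWWG7w1C...` also appears in server/templates/cert.pem.template, so the two files look like a matching key pair. Any native install that keeps the template key as its TLS identity therefore presents a key that can be read straight from git history, and the commit message suggests these are meant to be copied into place as defaults. A template should carry a clearly labelled placeholder (for example `REPLACE_WITH_GENERATED_PRIVATE_KEY`) and the install or first-start step should generate a fresh key pair locally; at minimum the real key should not be committed and the setup documentation should say how to generate one.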
