|
| 1 | +'use strict'; |
| 2 | +const logger=require("../lib/logger"); |
| 3 | +const mysql=require("./db.model") |
| 4 | +const helpers=require("../lib/common") |
| 5 | +const YAML=require("yaml") |
| 6 | +const {encrypt,decrypt} = require("../lib/crypto") |
| 7 | + |
| 8 | +//ldap object create |
| 9 | +var Ldap=function(ldap){ |
| 10 | + this.server = ldap.server; |
| 11 | + this.port = ldap.port; |
| 12 | + this.ignore_certs = (ldap.ignore_certs)?1:0; |
| 13 | + this.enable_tls = (ldap.enable_tls)?1:0; |
| 14 | + this.cert = ldap.cert; |
| 15 | + this.ca_bundle = ldap.ca_bundle; |
| 16 | + this.bind_user_dn = ldap.bind_user_dn; |
| 17 | + this.bind_user_pw = encrypt(ldap.bind_user_pw); |
| 18 | + this.search_base = ldap.search_base; |
| 19 | + this.username_attribute = ldap.username_attribute; |
| 20 | + this.groups_attribute = ldap.groups_attribute; |
| 21 | + this.enable = (ldap.enable)?1:0; |
| 22 | + this.is_advanced = (ldap.is_advanced)?1:0; |
| 23 | + this.groups_search_base = (ldap.is_advanced)?ldap.groups_search_base:"" |
| 24 | + this.group_class = (ldap.is_advanced)?ldap.group_class:"" |
| 25 | + this.group_member_attribute = (ldap.is_advanced)?ldap.group_member_attribute:"" |
| 26 | + this.group_member_user_attribute = (ldap.is_advanced)?ldap.group_member_user_attribute:"" |
| 27 | + this.mail_attribute = ldap.mail_attribute |
| 28 | +}; |
| 29 | +Ldap.update = function (record) { |
| 30 | + logger.info(`Updating ldap ${record.server}`) |
| 31 | + return mysql.do("UPDATE AnsibleForms.`ldap` set ?", record) |
| 32 | +}; |
| 33 | +Ldap.find = function(){ |
| 34 | + return mysql.do("SELECT * FROM AnsibleForms.`ldap` limit 1;") |
| 35 | + .then((res)=>{ |
| 36 | + if(res.length>0){ |
| 37 | + try{ |
| 38 | + res[0].bind_user_pw=decrypt(res[0].bind_user_pw) |
| 39 | + }catch(e){ |
| 40 | + logger.error("Couldn't decrypt ldap binding password, did the secretkey change ?") |
| 41 | + res[0].bind_user_pw="" |
| 42 | + } |
| 43 | + return res[0] |
| 44 | + }else{ |
| 45 | + logger.error("No ldap record in the database, something is wrong") |
| 46 | + throw "No ldap record in the database, something is wrong" |
| 47 | + } |
| 48 | + }) |
| 49 | +} |
| 50 | +Ldap.check = function(ldapConfig){ |
| 51 | + return new Promise(async (resolve,reject)=>{ |
| 52 | + |
| 53 | + const { authenticate } = require('../lib/ldap-authentication') |
| 54 | + // auth with admin |
| 55 | + var badCertificates=false |
| 56 | + let options = { |
| 57 | + ldapOpts: { |
| 58 | + url: ((ldapConfig.enable_tls==1)?"ldaps":"ldap") + "://" + ldapConfig.server + ":" + ldapConfig.port, |
| 59 | + tlsOptions: { |
| 60 | + // cert: cert, |
| 61 | + // requestCert: tls, |
| 62 | + // rejectUnauthorized: rejectUnauthorized, |
| 63 | + // ca: ca |
| 64 | + } |
| 65 | + }, |
| 66 | + adminDn: ldapConfig.bind_user_dn, |
| 67 | + adminPassword: decrypt(ldapConfig.bind_user_pw), |
| 68 | + userPassword: "dummypassword_for_check", |
| 69 | + userSearchBase: ldapConfig.search_base, |
| 70 | + usernameAttribute: ldapConfig.username_attribute, |
| 71 | + username: "dummyuser_for_check", |
| 72 | + // starttls: false |
| 73 | + } |
| 74 | + // new in v4.0.20, add advanced ldap properties |
| 75 | + if(ldapConfig.is_advanced){ |
| 76 | + if(ldapConfig.groups_search_base){ options.groupsSearchBase = ldapConfig.groups_search_base } |
| 77 | + if(ldapConfig.group_class){ options.groupClass = ldapConfig.group_class } |
| 78 | + if(ldapConfig.group_member_attribute){ options.groupMemberAttribute = ldapConfig.group_member_attribute } |
| 79 | + if(ldapConfig.group_member_user_attribute){ options.groupMemberUserAttribute = ldapConfig.group_member_user_attribute } |
| 80 | + } |
| 81 | + // console.log(options) |
| 82 | + // ldap-authentication has bad cert check, so we check first !! |
| 83 | + if(ldapConfig.enable_tls && !(ldapConfig.ignore_certs==1)){ |
| 84 | + if(!helpers.checkCertificate(ldapConfig.cert)){ |
| 85 | + badCertificates=true |
| 86 | + } |
| 87 | + if(!helpers.checkCertificate(ldapConfig.ca_bundle)){ |
| 88 | + badCertificates=true |
| 89 | + } |
| 90 | + }else{ |
| 91 | + ldapConfig.cert="" |
| 92 | + ldapConfig.ca_bundle="" |
| 93 | + } |
| 94 | + // enable tls/ldaps |
| 95 | + if(ldapConfig.enable_tls==1){ |
| 96 | + options.ldapOpts.tlsOptions.requestCert = (ldapConfig.enable_tls==1) |
| 97 | + if(ldapConfig.cert!=""){ |
| 98 | + options.ldapOpts.tlsOptions.cert = ldapConfig.cert |
| 99 | + } |
| 100 | + if(ldapConfig.ca_bundle!=""){ |
| 101 | + options.ldapOpts.tlsOptions.ca = ldapConfig.ldapTlsCa |
| 102 | + } |
| 103 | + options.ldapOpts.tlsOptions.rejectUnauthorized = !(ldapConfig.ignore_certs==1) |
| 104 | + logger.info("use tls : " + (ldapConfig.enable_tls==1)) |
| 105 | + logger.info("reject invalid certificates : " + !(ldapConfig.ignore_certs==1)) |
| 106 | + } |
| 107 | + |
| 108 | + if(badCertificates){ |
| 109 | + reject("Certificate is not valid") |
| 110 | + }else{ |
| 111 | + logger.notice("Certificates are valid") |
| 112 | + try{ |
| 113 | + // logger.debug(JSON.stringify(options)) |
| 114 | + logger.notice("Authenticating") |
| 115 | + var user = await authenticate(options) |
| 116 | + resolve(user) |
| 117 | + }catch(err){ |
| 118 | + var em ="" |
| 119 | + if(err.message){ |
| 120 | + em = err.message |
| 121 | + }else{ |
| 122 | + try{ em = YAML.stringify(err)}catch(e){em = err} |
| 123 | + } |
| 124 | + if(err.admin){ |
| 125 | + if(err.admin.lde_message){ |
| 126 | + try{ em = YAML.stringify(err.admin.lde_message)}catch(e){em = err} |
| 127 | + } |
| 128 | + else if(err.admin.code){ |
| 129 | + try{ em = YAML.stringify(err.admin)}catch(e){em = err} |
| 130 | + if(err.admin.code=="UNABLE_TO_VERIFY_LEAF_SIGNATURE"){ |
| 131 | + em = "Unable to verify the certificate" |
| 132 | + }else if(err.admin.code==49){ |
| 133 | + em = "Wrong binding credentials" |
| 134 | + }else if(err.admin.code=="ENOTFOUND"){ |
| 135 | + em = "Bad server or port (connection failed)" |
| 136 | + } |
| 137 | + } |
| 138 | + } |
| 139 | + |
| 140 | + if(em.includes("user not found")){ |
| 141 | + logger.notice("Checking ldap connection ok") |
| 142 | + resolve() |
| 143 | + }else{ |
| 144 | + logger.notice("Checking ldap connection result : " + em) |
| 145 | + reject(em) |
| 146 | + } |
| 147 | + } |
| 148 | + } |
| 149 | + }) |
| 150 | +} |
| 151 | + |
| 152 | +module.exports= Ldap; |
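Review bot: In `Ldap.check`, line 101 of the new file assigns `options.ldapOpts.tlsOptions.ca = ldapConfig.ldapTlsCa`, but no such property exists on the record — the constructor stores the bundle as `ca_bundle` (line 15) and the guard just above tests `ldapConfig.ca_bundle`, so the operator's CA bundle is silently dropped and `ca` is `undefined`. With `rejectUnauthorized` true the connection is then verified against the system trust store only, which fails for a private CA and invites the operator to flip `ignore_certs` instead; the fix is `options.ldapOpts.tlsOptions.ca = ldapConfig.ca_bundle`. Two related points in the same TLS block: `requestCert` is a server-side `tls.createServer` option and has no effect on a client connection, and `cert` is passed without a matching `key`, so if client-certificate auth is intended it presumably will not work — worth confirming against what `ldap-authentication` forwards to `tls.connect`. Separately, the rejection message `em` can be `YAML.stringify(err.admin)` (line 129) and is returned to the caller, so consider logging the full object and returning only the mapped short messages so LDAP-side details are not surfaced to the UI.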