Merge pull request #199 from VKCOM/e.khalilov/support-ldap-groups/QA-16111

Support LDAP groups

Author: e-khalilov

.eslintrc

@@ -25,7 +25,7 @@
     "dot-location": [2, "property"], // defaults to "object"
     "dot-notation": 2,
     "eqeqeq": [2, "smart"], // `2` is recommended
-    "guard-for-in": 2,
+    "guard-for-in": 0,
     "no-alert": 1, // `2` is recommended
     "no-caller": 2,
     "no-div-regex": 2,

lib/cli/auth-ldap/index.js

@@ -67,6 +67,11 @@ export const builder = function(yargs) {
             , default: process.env.LDAP_USERNAME_FIELD || 'cn'
             , demand: true
         })
+        .option('ldap-privilege-mapping', {
+            describe: 'LDAP group to privilege mapping in JSON format (e.g. \'{"admin_group":"admin","user_group":"user"}\').'
+            , type: 'string'
+            , default: process.env.LDAP_PRIVILEGE_MAPPING || '{}'
+        })
         .option('port', {
             alias: 'p'
             , describe: 'The port to bind to.'
@@ -130,6 +135,7 @@ export const handler = function(argv) {
             , username: {
                 field: argv.ldapUsernameField
             }
+            , privilegeMapping: argv.ldapPrivilegeMapping ? JSON.parse(argv.ldapPrivilegeMapping) : {}
         }
     })
 }

lib/db/api.js

@@ -690,28 +690,28 @@ export const setLockOnDevices = function(serials, lock) {
  */
 function setLockOnUser(email, state) {
     return db.connect().then(client => {
-        return client.collection('users').findOne({ email: email }).then(oldDoc => {
+        return client.collection('users').findOne({email: email}).then(oldDoc => {
             if (!oldDoc || !oldDoc.groups) {
-                throw new Error(`User with email ${email} not found or groups field is missing.`);
+                throw new Error(`User with email ${email} not found or groups field is missing.`)
             }
             return client.collection('users').updateOne(
-                { email: email },
+                {email: email},
                 {
                     $set: {
                         'groups.lock': oldDoc.groups.lock !== state ? state : oldDoc.groups.lock
                     }
                 }
             )
-            .then(updateStats => {
-                return client.collection('users').findOne({ email: email }).then(newDoc => {
-                    updateStats.changes = [
-                        { new_val: { ...newDoc }, old_val: { ...oldDoc } }
-                    ];
-                    return updateStats;
-                });
-            });
-        });
-    });
+                .then(updateStats => {
+                    return client.collection('users').findOne({email: email}).then(newDoc => {
+                        updateStats.changes = [
+                            {new_val: {...newDoc}, old_val: {...oldDoc}}
+                        ]
+                        return updateStats
+                    })
+                })
+        })
+    })
 }
 
 
@@ -1599,8 +1599,8 @@ export const deleteUserGroup = function(id) {
 }
 
 // dbapi.createUser = function(email, name, ip) {
-export const createUser = function(email, name, ip) {
-    return trace('createUser', {email, name, ip}, () => {
+export const createUser = function(email, name, ip, privilege) {
+    return trace('createUser', {email, name, ip, privilege}, () => {
         return getRootGroup().then(function(group) {
             return loadUser(group.owner.email).then(function(adminUser) {
                 let userObj = {
@@ -1613,7 +1613,7 @@ export const createUser = function(email, name, ip) {
                     , forwards: []
                     , settings: {}
                     , acceptedPolicy: false
-                    , privilege: adminUser ? apiutil.USER : apiutil.ADMIN
+                    , privilege: privilege || (adminUser ? apiutil.USER : apiutil.ADMIN)
                     , groups: {
                         subscribed: []
                         , lock: false
@@ -1658,17 +1658,20 @@ export const createUser = function(email, name, ip) {
 export const saveUserAfterLogin = function(user) {
     return trace('saveUserAfterLogin', {user}, () => {
         return db.connect().then(client => {
-            return client.collection('users').updateOne({email: user.email},
-                {
-                    $set: {
-                        name: user.name
-                        , ip: user.ip
-                        , lastLoggedInAt: getNow()
-                    }
-                })
+            const updateData = {
+                name: user.name
+                , ip: user.ip
+                , lastLoggedInAt: getNow()
+            }
+
+            if (user.privilege) {
+                updateData.privilege = user.privilege
+            }
+
+            return client.collection('users').updateOne({email: user.email}, {$set: updateData})
                 .then(function(stats) {
                     if (stats.modifiedCount === 0) {
-                        return createUser(user.email, user.name, user.ip)
+                        return createUser(user.email, user.name, user.ip, user.privilege)
                     }
                     return stats
                 })

lib/units/api/helpers/securityHandlers.js

@@ -3,7 +3,10 @@ import * as dbapi from '../../../db/api.js'
 import * as jwtutil from '../../../util/jwtutil.js'
 import logger from '../../../util/logger.js'
 import * as apiutil from '../../../util/apiutil.js'
+
 const log = logger.createLogger('api:helpers:securityHandlers')
+let upsertQueue
+
 // Specifications: https://tools.ietf.org/html/rfc6750#section-2.1
 async function accessTokenAuth(req) {
     let operationTag
@@ -13,6 +16,15 @@ async function accessTokenAuth(req) {
     else {
         operationTag = 'not-swagger'
     }
+
+    const isNotAllowed = (user) => !user || (
+        user.privilege === apiutil.USER && operationTag.indexOf('admin') > -1
+    )
+    const forbidden = {
+        status: 403
+        , message: 'Forbidden: privileged operation (admin)'
+    }
+
     if (req.headers.authorization) {
         const authHeader = req.headers.authorization.split(' ')
         const format = authHeader[0]
@@ -34,8 +46,7 @@ async function accessTokenAuth(req) {
         try {
             let data
             try {
-                const jwt = tokenId
-                data = jwtutil.decode(jwt, req.options.secret)
+                data = jwtutil.decode(tokenId, req.options.secret)
             }
             catch(e) {
                 const token = await dbapi.loadAccessToken(tokenId)
@@ -53,25 +64,35 @@ async function accessTokenAuth(req) {
                     , message: 'Bad token'
                 }
             }
+
+            await upsertQueue
             const user = await dbapi.loadUser(data.email)
+
             if (user) {
-                if (user.privilege === apiutil.USER && operationTag.indexOf('admin') > -1) {
-                    throw {
-                        status: 403
-                        , message: 'Forbidden: privileged operation (admin)'
-                    }
+                if (isNotAllowed(user)) {
+                    throw forbidden
                 }
                 req.user = user
                 req.internalJwt = tokenId
                 return true
             }
             else {
-                await dbapi.saveUserAfterLogin({
+                // Solve the problem with asynchronous requests (db duplicate key)
+                // when we get many requests that require upsert (updateOne -> not modified -> insert)
+                upsertQueue = (upsertQueue || Promise.resolve()).then(() => dbapi.saveUserAfterLogin({
                     name: data.name
                     , email: data.email
                     , ip: req.ip
-                })
+                    , ...(data.privilege && {privilege: data.privilege})
+                }))
+
+                await upsertQueue
+
                 const user = await dbapi.loadUser(data.email)
+                if (isNotAllowed(user)) {
+                    throw forbidden
+                }
+
                 req.user = user
                 req.internalJwt = tokenId
                 return true
@@ -112,11 +133,8 @@ async function accessTokenAuth(req) {
         try {
             const user = dbapi.loadUser(data.email)
             if (user) {
-                if (user.privilege === apiutil.USER && operationTag.indexOf('admin') > -1) {
-                    throw {
-                        status: 403
-                        , message: 'Forbidden: privileged operation (admin)'
-                    }
+                if (isNotAllowed(user)) {
+                    throw forbidden
                 }
                 req.user = user
                 return true

lib/units/auth/ldap.js

@@ -11,9 +11,24 @@ import * as jwtutil from '../../util/jwtutil.js'
 import * as pathutil from '../../util/pathutil.cjs'
 import lifecycle from '../../util/lifecycle.js'
 import rateLimitConfig from '../ratelimit/index.js'
-import {ONE_DAY} from '../../util/apiutil.js'
+import apiutil, {ONE_DAY} from '../../util/apiutil.js'
+
+const ALLOWED_LDAP_PRIVILEGES = [apiutil.ADMIN, apiutil.USER]
 export default (function(options) {
     const log = logger.createLogger('auth-ldap')
+
+    if (options.ldap.privilegeMapping) {
+        for (const key in options.ldap.privilegeMapping) {
+            if (!ALLOWED_LDAP_PRIVILEGES.includes(options.ldap.privilegeMapping[key])) {
+                log.fatal(`Unknown privilege in --ldap-privilege-mapping: { ${key}: ${options.ldap.privilegeMapping[key]} }`)
+                process.exit(1)
+            }
+
+            options.ldap.privilegeMapping[key.toLowerCase()] = options.ldap.privilegeMapping[key]
+        }
+    }
+
+
     let app = express()
     let server = Promise.promisifyAll(http.createServer(app))
     lifecycle.observe(function() {
@@ -57,65 +72,73 @@ export default (function(options) {
         res.sendFile(pathutil.reactFrontend('dist/auth/auth-ldap.html'))
     })
     app.post('/auth/api/v1/ldap', function(req, res) {
-        var log = logger.createLogger('auth-ldap')
+        const log = logger.createLogger('auth-ldap')
         log.setLocalIdentifier(req.ip)
-        switch (req.accepts(['json'])) {
-        case 'json':
-            requtil.validate(req, function() {
-                req.checkBody('username').notEmpty()
-                req.checkBody('password').notEmpty()
+        if (req.accepts(['json']) !== 'json') {
+            res.send(406)
+            return
+        }
+
+        requtil.validate(req, function() {
+            req.checkBody('username').notEmpty()
+            req.checkBody('password').notEmpty()
+        })
+            .then(function() {
+                return ldaputil.login(options.ldap, req.body.username, req.body.password)
             })
-                .then(function() {
-                    return ldaputil.login(options.ldap, req.body.username, req.body.password)
+            .then(function(user) {
+                const userEmail = ldaputil.email(user)
+                const privilege = ldaputil.determinePrivilege(user, options.ldap.privilegeMapping, userEmail)
+
+                const username = user[options.ldap.username.field]
+                const usernameValue = Array.isArray(username) ? username[0] : username
+
+
+                log.info('Authenticated "%s" with privilege "%s"', userEmail, privilege)
+
+                const token = jwtutil.encode({
+                    payload: {
+                        email: userEmail
+                        , name: usernameValue
+                        , privilege: privilege
+                    }
+                    , secret: options.secret
+                    , header: {
+                        exp: Date.now() + ONE_DAY
+                    }
                 })
-                .then(function(user) {
-                    log.info('Authenticated "%s"', ldaputil.email(user))
-                    var token = jwtutil.encode({
-                        payload: {
-                            email: ldaputil.email(user)
-                            , name: user[options.ldap.username.field]
-                        }
-                        , secret: options.secret
-                        , header: {
-                            exp: Date.now() + ONE_DAY
-                        }
+
+                res.status(200)
+                    .json({
+                        success: true
+                        , jwt: token
+                        , redirect: options.appUrl
                     })
-                    res.status(200)
-                        .json({
-                            success: true
-                            , jwt: token
-                            , redirect: options.appUrl
-                        })
-                })
-                .catch(requtil.ValidationError, function(err) {
-                    res.status(400)
-                        .json({
-                            success: false
-                            , error: 'ValidationError'
-                            , validationErrors: err.errors
-                        })
-                })
-                .catch(ldaputil.InvalidCredentialsError, function(err) {
-                    log.warn('Authentication failure for "%s"', err.user)
-                    res.status(400)
-                        .json({
-                            success: false
-                            , error: 'InvalidCredentialsError'
-                        })
-                })
-                .catch(function(err) {
-                    log.error('Unexpected error', err.stack)
-                    res.status(500)
-                        .json({
-                            success: false
-                            , error: 'ServerError'
-                        })
-                })
-            break
-        default:
-            res.send(406)
-            break
-        }
+            })
+            .catch(requtil.ValidationError, function(err) {
+                res.status(400)
+                    .json({
+                        success: false
+                        , error: 'ValidationError'
+                        , validationErrors: err.errors
+                    })
+            })
+            .catch(ldaputil.InvalidCredentialsError, function(err) {
+                log.warn('Authentication failure for "%s"', err.user)
+                res.status(400)
+                    .json({
+                        success: false
+                        , error: 'InvalidCredentialsError'
+                    })
+            })
+            .catch(function(err) {
+                log.error('Unexpected error', err.stack)
+                res.status(500)
+                    .json({
+                        success: false
+                        , error: 'ServerError'
+                    })
+            })
     })
     server.listen(options.port)
     log.info('Listening on port %d', options.port)

lib/units/websocket/middleware/auth.js

@@ -11,7 +11,7 @@ export default (function(options) {
             const tokenRaw = socket.handshake.auth.token
             const token = jwtutil.decode(tokenRaw, options.secret)
             req.internalJwt = tokenRaw
-            return dbapi.loadUser(token.email)
+            return !token?.email ? next(new Error('Invalid user')) : dbapi.loadUser(token.email)
                 .then(function(user) {
                     if (user) {
                         req.user = user