AIUS/Overleaf
1
0
Fork 0
mirror of https://git.unistra.fr/aius/root/ldap-overleaf-sl.git synced 2025-05-04 19:55:26 +02:00
Code Issues Projects Releases Packages Wiki Activity

Adapt AuthenticationManager.js to work with sharelatex versions > 2.3.1

Browse source
This commit is contained in:
Simon M. Haller-Seeber 2021-03-11 08:48:34 +01:00
parent ca58b4852a
commit 8f0b270faf
2 changed files with 200 additions and 207 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
ldap-overleaf-sl/Dockerfile
View file

@ -1,4 +1,7 @@
FROM sharelatex/sharelatex:2.3.1 FROM sharelatex/sharelatex:2.5.2
# FROM sharelatex/sharelatex:latest
# latest might not be tested
# e.g. the AuthenticationManager.js script had to be adapted between versions after 2.3.1
LABEL maintainer="Simon Haller-Seeber" LABEL maintainer="Simon Haller-Seeber"
LABEL version="0.1" LABEL version="0.1"

402
ldap-overleaf-sl/sharelatex/AuthenticationManager.js
View file

@ -1,12 +1,11 @@
const Settings = require('settings-sharelatex') const Settings = require('settings-sharelatex')
const {User} = require('../../models/User') const { User } = require('../../models/User')
const {db, ObjectId} = require('../../infrastructure/mongojs') const { db, ObjectId } = require('../../infrastructure/mongodb')
const bcrypt = require('bcrypt') const bcrypt = require('bcrypt')
const EmailHelper = require('../Helpers/EmailHelper') const EmailHelper = require('../Helpers/EmailHelper')
const V1Handler = require('../V1/V1Handler')
const { const {
InvalidEmailError, InvalidEmailError,
InvalidPasswordError InvalidPasswordError
} = require('./AuthenticationErrors') } = require('./AuthenticationErrors')
const util = require('util') const util = require('util')
@ -18,20 +17,20 @@ const { Client } = require('ldapts');
const BCRYPT_ROUNDS = Settings.security.bcryptRounds || 12 const BCRYPT_ROUNDS = Settings.security.bcryptRounds || 12
const BCRYPT_MINOR_VERSION = Settings.security.bcryptMinorVersion || 'a' const BCRYPT_MINOR_VERSION = Settings.security.bcryptMinorVersion || 'a'
const _checkWriteResult = function (result, callback) { const _checkWriteResult = function(result, callback) {
// for MongoDB // for MongoDB
if (result && result.nModified === 1) { if (result && result.modifiedCount === 1) {
callback(null, true) callback(null, true)
} else { } else {
callback(null, false) callback(null, false)
} }
} }
const AuthenticationManager = { const AuthenticationManager = {
authenticate(query, password, callback) { authenticate(query, password, callback) {
// Using Mongoose for legacy reasons here. The returned User instance // Using Mongoose for legacy reasons here. The returned User instance
// gets serialized into the session and there may be subtle differences // gets serialized into the session and there may be subtle differences
// between the user returned by Mongoose vs mongojs (such as default values) // between the user returned by Mongoose vs mongodb (such as default values)
User.findOne(query, (error, user) => { User.findOne(query, (error, user) => {
//console.log("Begining:" + JSON.stringify(query)) //console.log("Begining:" + JSON.stringify(query))
AuthenticationManager.authUserObj(error, user, query, password, callback) AuthenticationManager.authUserObj(error, user, query, password, callback)
@ -47,7 +46,7 @@ const AuthenticationManager = {
if (err) { if (err) {
return callback(err) return callback(err)
} }
callback(null, user) callback(null, user)
} }
) )
}, },
@ -57,7 +56,7 @@ const AuthenticationManager = {
//console.log("Creating User:" + JSON.stringify(query)) //console.log("Creating User:" + JSON.stringify(query))
//create random pass for local userdb, does not get checked for ldap users during login //create random pass for local userdb, does not get checked for ldap users during login
let pass = require("crypto").randomBytes(32).toString("hex") let pass = require("crypto").randomBytes(32).toString("hex")
console.log("Creating User:" + JSON.stringify(query) + "Random Pass" + pass) //console.log("Creating User:" + JSON.stringify(query) + "Random Pass" + pass)
const userRegHand = require('../User/UserRegistrationHandler.js') const userRegHand = require('../User/UserRegistrationHandler.js')
userRegHand.registerNewUser({ userRegHand.registerNewUser({
@ -117,20 +116,19 @@ const AuthenticationManager = {
// therefore we do not enforce checks here // therefore we do not enforce checks here
const parsed = EmailHelper.parseEmail(email) const parsed = EmailHelper.parseEmail(email)
//if (!parsed) { //if (!parsed) {
// return new InvalidEmailError({message: 'email not valid'}) // return new InvalidEmailError({ message: 'email not valid' })
//} //}
return null return null
}, },
// validates a password based on a similar set of rules to `complexPassword.js` on the frontend // validates a password based on a similar set of rules to `complexPassword.js` on the frontend
// note that `passfield.js` enforces more rules than this, but these are the most commonly set // note that `passfield.js` enforces more rules than this, but these are the most commonly set.
// returns null on success, or an error string. // returns null on success, or an error object.
// Actually we do not need this because we always use the ldap backend validatePassword(password, email) {
validatePassword(password) {
if (password == null) { if (password == null) {
return new InvalidPasswordError({ return new InvalidPasswordError({
message: 'password not set', message: 'password not set',
info: {code: 'not_set'} info: { code: 'not_set' }
}) })
} }
@ -154,13 +152,13 @@ const AuthenticationManager = {
if (password.length < min) { if (password.length < min) {
return new InvalidPasswordError({ return new InvalidPasswordError({
message: 'password is too short', message: 'password is too short',
info: {code: 'too_short'} info: { code: 'too_short' }
}) })
} }
if (password.length > max) { if (password.length > max) {
return new InvalidPasswordError({ return new InvalidPasswordError({
message: 'password is too long', message: 'password is too long',
info: {code: 'too_long'} info: { code: 'too_long' }
}) })
} }
if ( if (
@ -168,203 +166,195 @@ const AuthenticationManager = {
!AuthenticationManager._passwordCharactersAreValid(password) !AuthenticationManager._passwordCharactersAreValid(password)
) { ) {
return new InvalidPasswordError({ return new InvalidPasswordError({
message: 'password contains an invalid character', message: 'password contains an invalid character',
info: {code: 'invalid_character'} info: { code: 'invalid_character' }
}) })
} }
return null return null
}, },
setUserPassword(userId, password, callback) { setUserPassword(user, password, callback) {
AuthenticationManager.setUserPasswordInV2(userId, password, callback) AuthenticationManager.setUserPasswordInV2(user, password, callback)
}, },
checkRounds(user, hashedPassword, password, callback) { checkRounds(user, hashedPassword, password, callback) {
// Temporarily disable this function, TODO: re-enable this // Temporarily disable this function, TODO: re-enable this
return callback() //return callback()
if (Settings.security.disableBcryptRoundsUpgrades) { if (Settings.security.disableBcryptRoundsUpgrades) {
return callback() return callback()
}
// check current number of rounds and rehash if necessary
const currentRounds = bcrypt.getRounds(hashedPassword)
if (currentRounds < BCRYPT_ROUNDS) {
AuthenticationManager.setUserPassword(user, password, callback)
} else {
callback()
}
},
hashPassword(password, callback) {
bcrypt.genSalt(BCRYPT_ROUNDS, BCRYPT_MINOR_VERSION, function(error, salt) {
if (error) {
return callback(error)
}
bcrypt.hash(password, salt, callback)
})
},
setUserPasswordInV2(user, password, callback) {
//if (!user || !user.email || !user._id) {
// return callback(new Error('invalid user object'))
//}
console.log("Setting pass for user: " + JSON.stringify(user))
const validationError = this.validatePassword(password, user.email)
if (validationError) {
return callback(validationError)
}
this.hashPassword(password, function(error, hash) {
if (error) {
return callback(error)
}
db.users.updateOne(
{
_id: ObjectId(user._id.toString())
},
{
$set: {
hashedPassword: hash
},
$unset: {
password: true
}
},
function(updateError, result) {
if (updateError) {
return callback(updateError)
}
_checkWriteResult(result, callback)
} }
// check current number of rounds and rehash if necessary )
const currentRounds = bcrypt.getRounds(hashedPassword) })
if (currentRounds < BCRYPT_ROUNDS) { },
AuthenticationManager.setUserPassword(user._id, password, callback)
} else {
callback()
}
},
hashPassword(password, callback) { _passwordCharactersAreValid(password) {
bcrypt.genSalt(BCRYPT_ROUNDS, BCRYPT_MINOR_VERSION, function (error, salt) { let digits, letters, lettersUp, symbols
if (error) { if (
return callback(error) Settings.passwordStrengthOptions &&
} Settings.passwordStrengthOptions.chars
bcrypt.hash(password, salt, callback) ) {
}) digits = Settings.passwordStrengthOptions.chars.digits
}, letters = Settings.passwordStrengthOptions.chars.letters
lettersUp = Settings.passwordStrengthOptions.chars.letters_up
symbols = Settings.passwordStrengthOptions.chars.symbols
}
digits = digits || '1234567890'
letters = letters || 'abcdefghijklmnopqrstuvwxyz'
lettersUp = lettersUp || 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
symbols = symbols || '@#$%^&*()-_=+[]{};:<>/?!£€.,'
setUserPasswordInV2(userId, password, callback) { for (let charIndex = 0; charIndex <= password.length - 1; charIndex++) {
const validationError = this.validatePassword(password) if (
if (validationError) { digits.indexOf(password[charIndex]) === -1 &&
return callback(validationError) letters.indexOf(password[charIndex]) === -1 &&
} lettersUp.indexOf(password[charIndex]) === -1 &&
this.hashPassword(password, function (error, hash) { symbols.indexOf(password[charIndex]) === -1
if (error) { ) {
return callback(error) return false
} }
db.users.update( }
{ return true
_id: ObjectId(userId.toString()) },
},
{
$set: {
hashedPassword: hash
},
$unset: {
password: true
}
},
function (updateError, result) {
if (updateError) {
return callback(updateError)
}
_checkWriteResult(result, callback)
}
)
})
},
setUserPasswordInV1(v1UserId, password, callback) { async ldapAuth(query, password, onSuccessCreateUserIfNotExistent, callback, user) {
const validationError = this.validatePassword(password) const client = new Client({
if (validationError) { url: process.env.LDAP_SERVER,
return callback(validationError.message) });
} //const bindDn = process.env.LDAP_BIND_USER
//const bindPassword = process.env.LDAP_BIND_PW
V1Handler.doPasswordReset(v1UserId, password, function (error, reset) { const ldap_bd = process.env.LDAP_BINDDN
if (error) { const ldap_base = process.env.LDAP_BASE
return callback(error) const uid = query.email.split('@')[0]
} const filterstr = '(&' + process.env.LDAP_GROUP_FILTER + '(uid=' + uid + '))'
callback(error, reset) const userDn = 'uid=' + uid + ',' + ldap_bd;
}) var mail = ""
}, var firstname = ""
var lastname = ""
_passwordCharactersAreValid(password) { var isAdmin = false
let digits, letters, lettersUp, symbols // check bind
if ( try {
Settings.passwordStrengthOptions && //await client.bind(bindDn, bindPassword);
Settings.passwordStrengthOptions.chars await client.bind(userDn,password);
) { } catch (ex) {
digits = Settings.passwordStrengthOptions.chars.digits console.log("Could not bind user." + String(ex))
letters = Settings.passwordStrengthOptions.chars.letters return callback(null, null)
lettersUp = Settings.passwordStrengthOptions.chars.letters_up }
symbols = Settings.passwordStrengthOptions.chars.symbols // get user data
} try {
digits = digits || '1234567890' const {searchEntries, searchRef,} = await client.search(ldap_base, {
letters = letters || 'abcdefghijklmnopqrstuvwxyz' scope: 'sub',
lettersUp = lettersUp || 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' filter: filterstr ,
symbols = symbols || '@#$%^&*()-_=+[]{};:<>/?!£€.,' });
await searchEntries
for (let charIndex = 0; charIndex <= password.length - 1; charIndex++) { //console.log(JSON.stringify(searchEntries))
if ( if (searchEntries[0]) {
digits.indexOf(password[charIndex]) === -1 && mail = searchEntries[0].mail
letters.indexOf(password[charIndex]) === -1 && firstname = searchEntries[0].givenName
lettersUp.indexOf(password[charIndex]) === -1 && lastname = searchEntries[0].sn
symbols.indexOf(password[charIndex]) === -1 //console.log("Found user: " + mail + " Name: " + firstname + " " + lastname)
) { }
return false } catch (ex) {
} console.log("An Error occured while getting user data during ldapsearch: " + String(ex))
} await client.unbind();
return true return callback(null, null)
}, }
try {
async ldapAuth(query, password, onSuccessCreateUserIfNotExistent, callback, user) { // if admin filter is set - only set admin for user in ldap group
const client = new Client({ // does not matter - admin is deactivated: managed through ldap
url: process.env.LDAP_SERVER, if (process.env.LDAP_ADMIN_GROUP_FILTER) {
const adminfilter = '(&' + process.env.LDAP_ADMIN_GROUP_FILTER + '(uid=' + uid + '))'
adminEntry = await client.search(ldap_base, {
scope: 'sub',
filter: adminfilter,
}); });
//const bindDn = process.env.LDAP_BIND_USER await adminEntry;
//const bindPassword = process.env.LDAP_BIND_PW //console.log("Admin Search response:" + JSON.stringify(adminEntry.searchEntries))
const ldap_bd = process.env.LDAP_BINDDN if (adminEntry.searchEntries[0].mail) {
const ldap_base = process.env.LDAP_BASE console.log("is Admin")
const uid = query.email.split('@')[0] isAdmin=true;
const filterstr = '(&' + process.env.LDAP_GROUP_FILTER + '(uid=' + uid + '))'
const userDn = 'uid=' + uid + ',' + ldap_bd;
var mail = ""
var firstname = ""
var lastname = ""
var isAdmin = false
// check bind
try {
//await client.bind(bindDn, bindPassword);
await client.bind(userDn,password);
} catch (ex) {
console.log("Could not bind user." + String(ex))
return callback(null, null)
} }
// get user data }
try { } catch (ex) {
const {searchEntries, searchRef,} = await client.search(ldap_base, { console.log("An Error occured while checking for admin rights - setting admin rights to false: " + String(ex))
scope: 'sub', isAdmin = false;
filter: filterstr , } finally {
}); await client.unbind();
await searchEntries }
console.log(JSON.stringify(searchEntries)) if (mail == "") {
if (searchEntries[0]) { console.log("Mail not set - exit. This should not happen - please set mail-entry in ldap.")
mail = searchEntries[0].mail return callback(null, null)
firstname = searchEntries[0].givenName }
lastname = searchEntries[0].sn //console.log("Logging in user: " + mail + " Name: " + firstname + " " + lastname + " isAdmin: " + String(isAdmin))
console.log("Found user: " + mail + " Name: " + firstname + " " + lastname) // we are authenticated now let's set the query to the correct mail from ldap
} query.email = mail
} catch (ex) { User.findOne(query, (error, user) => {
console.log("An Error occured while getting user data during ldapsearch: " + String(ex)) if (error) {
await client.unbind(); console.log(error)
return callback(null, null) }
} if (user && user.hashedPassword) {
try { //console.log("******************** LOGIN ******************")
// if admin filter is set - only set admin for user in ldap group AuthenticationManager.login(user, "randomPass", callback)
// does not matter - admin is deactivated: managed through ldap } else {
if (process.env.LDAP_ADMIN_GROUP_FILTER) { onSuccessCreateUserIfNotExistent(query, user, callback, uid, firstname, lastname, mail, isAdmin)
const adminfilter = '(&' + process.env.LDAP_ADMIN_GROUP_FILTER + '(uid=' + uid + '))' }
adminEntry = await client.search(ldap_base, { })
scope: 'sub', }
filter: adminfilter,
});
await adminEntry;
console.log("Admin Search response:" + JSON.stringify(adminEntry.searchEntries))
if (adminEntry.searchEntries[0].mail) {
console.log("is Admin")
isAdmin=true;
}
}
} catch (ex) {
console.log("An Error occured while checking for admin rights - setting admin rights to false: " + String(ex))
isAdmin = false;
} finally {
await client.unbind();
}
if (mail == "") {
console.log("Mail not set - exit. This should not happen - please set mail-entry in ldap.")
return callback(null, null)
}
console.log("Logging in iser: " + mail + " Name: " + firstname + " " + lastname + " isAdmin: " + String(isAdmin))
// we are authenticated now let's set the query to the correct mail from ldap
query.email = mail
User.findOne(query, (error, user) => {
if (error) {
console.log(error)
}
if (user && user.hashedPassword) {
//console.log("******************** LOGIN ******************")
AuthenticationManager.login(user, "randomPass", callback)
} else {
onSuccessCreateUserIfNotExistent(query, user, callback, uid, firstname, lastname, mail, isAdmin)
}
})
}
} }
AuthenticationManager.promises = { AuthenticationManager.promises = {
authenticate: util.promisify(AuthenticationManager.authenticate), authenticate: util.promisify(AuthenticationManager.authenticate),
hashPassword: util.promisify(AuthenticationManager.hashPassword) hashPassword: util.promisify(AuthenticationManager.hashPassword),
setUserPassword: util.promisify(AuthenticationManager.setUserPassword)
} }
module.exports = AuthenticationManager module.exports = AuthenticationManager