Docker/documize
Docker/documize
1
0
Fork 0
mirror of https://github.com/documize/community.git synced 2025-07-19 13:19:43 +02:00
Code Releases Activity

PRovide LDAP sync and authentication

Browse source
This commit is contained in:
sauls8t 2018-09-04 17:19:26 +01:00
parent 63b17f9b88
commit 074eea3aeb
38 changed files with 567 additions and 499 deletions
Download patch file Download diff file Expand all files Collapse all files

90
domain/auth/add.go Normal file
View file

@ -0,0 +1,90 @@
// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
//
// This software (Documize Community Edition) is licensed under
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
//
// You can operate outside the AGPL restrictions by purchasing
// Documize Enterprise Edition and obtaining a commercial license
// by contacting <sales@documize.com>.
//
// https://documize.com
package auth
import (
"database/sql"
"github.com/documize/community/core/env"
"github.com/documize/community/core/uniqueid"
"github.com/documize/community/domain"
usr "github.com/documize/community/domain/user"
"github.com/documize/community/model/account"
"github.com/documize/community/model/user"
)
// AddExternalUser method to setup user account in Documize using Keycloak/LDAP provided user data.
func AddExternalUser(ctx domain.RequestContext, rt *env.Runtime, store *domain.Store, u user.User, addSpace bool) (nu user.User, err error) {
// only create account if not dupe
addUser := true
addAccount := true
var userID string
userDupe, err := store.User.GetByEmail(ctx, u.Email)
if err != nil && err != sql.ErrNoRows {
return
}
if u.Email == userDupe.Email {
addUser = false
userID = userDupe.RefID
}
ctx.Transaction, err = rt.Db.Beginx()
if err != nil {
return
}
if addUser {
userID = uniqueid.Generate()
u.RefID = userID
err = store.User.Add(ctx, u)
if err != nil {
ctx.Transaction.Rollback()
return
}
} else {
usr.AttachUserAccounts(ctx, *store, ctx.OrgID, &userDupe)
for _, a := range userDupe.Accounts {
if a.OrgID == ctx.OrgID {
addAccount = false
break
}
}
}
// set up user account for the org
if addAccount {
var a account.Account
a.UserID = userID
a.OrgID = ctx.OrgID
a.Editor = addSpace
a.Admin = false
accountID := uniqueid.Generate()
a.RefID = accountID
a.Active = true
err = store.Account.Add(ctx, a)
if err != nil {
ctx.Transaction.Rollback()
return
}
}
ctx.Transaction.Commit()
nu, err = store.User.Get(ctx, userID)
return
}

4
domain/auth/keycloak/endpoint.go
View file

@ -130,7 +130,7 @@ func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
if len(u.Email) == 0 {
missing++
} else {
err = addUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace)
_, err = auth.AddExternalUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace)
}
}
@ -240,7 +240,7 @@ func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
u.Salt = secrets.GenerateSalt()
u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
u, err = auth.AddExternalUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
if err != nil {
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)

73
domain/auth/keycloak/keycloak.go
View file

@ -13,7 +13,6 @@ package keycloak
import (
"bytes"
"database/sql"
"encoding/json"
"fmt"
"io/ioutil"
@ -22,12 +21,7 @@ import (
"strconv"
"strings"
"github.com/documize/community/core/env"
"github.com/documize/community/core/stringutil"
"github.com/documize/community/core/uniqueid"
"github.com/documize/community/domain"
usr "github.com/documize/community/domain/user"
"github.com/documize/community/model/account"
"github.com/documize/community/model/auth"
"github.com/documize/community/model/user"
"github.com/pkg/errors"
@ -136,70 +130,3 @@ func Fetch(c auth.KeycloakConfig) (users []user.User, err error) {
return users, nil
}
// Helper method to setup user account in Documize using Keycloak provided user data.
func addUser(ctx domain.RequestContext, rt *env.Runtime, store *domain.Store, u user.User, addSpace bool) (err error) {
// only create account if not dupe
addUser := true
addAccount := true
var userID string
userDupe, err := store.User.GetByEmail(ctx, u.Email)
if err != nil && err != sql.ErrNoRows {
return err
}
if u.Email == userDupe.Email {
addUser = false
userID = userDupe.RefID
}
ctx.Transaction, err = rt.Db.Beginx()
if err != nil {
return err
}
if addUser {
userID = uniqueid.Generate()
u.RefID = userID
err = store.User.Add(ctx, u)
if err != nil {
ctx.Transaction.Rollback()
return err
}
} else {
usr.AttachUserAccounts(ctx, *store, ctx.OrgID, &userDupe)
for _, a := range userDupe.Accounts {
if a.OrgID == ctx.OrgID {
addAccount = false
break
}
}
}
// set up user account for the org
if addAccount {
var a account.Account
a.UserID = userID
a.OrgID = ctx.OrgID
a.Editor = addSpace
a.Admin = false
accountID := uniqueid.Generate()
a.RefID = accountID
a.Active = true
err = store.Account.Add(ctx, a)
if err != nil {
ctx.Transaction.Rollback()
return err
}
}
ctx.Transaction.Commit()
u, err = store.User.Get(ctx, userID)
return err
}

8
domain/auth/ldap/ad_test.go
View file

@ -88,16 +88,17 @@ func TestAuthenticate_PublicAD(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigPublicAD, "bob.johnson", "Pass@word1!")
user, ok, err := authenticate(l, testConfigPublicAD, "bob.johnson", "Pass@word1!")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if !ok {
t.Error("failed LDAP authentication")
return
}
t.Log("Authenticated")
t.Log("Authenticated", user.Email)
}
func TestNotAuthenticate_PublicAD(t *testing.T) {
@ -108,13 +109,14 @@ func TestNotAuthenticate_PublicAD(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigPublicAD, "junk", "junk")
_, ok, err := authenticate(l, testConfigPublicAD, "junk", "junk")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if ok {
t.Error("incorrect LDAP authentication")
return
}
t.Log("Not authenticated")

507
domain/auth/ldap/endpoint.go
View file

@ -12,27 +12,24 @@
package ldap
import (
"crypto/tls"
// "database/sql"
"database/sql"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
// "sort"
// "strings"
"sort"
"strings"
"github.com/documize/community/core/env"
"github.com/documize/community/core/response"
// "github.com/documize/community/core/secrets"
"github.com/documize/community/core/secrets"
"github.com/documize/community/core/streamutil"
// "github.com/documize/community/core/stringutil"
"github.com/documize/community/domain"
// "github.com/documize/community/domain/auth"
// usr "github.com/documize/community/domain/user"
"github.com/documize/community/domain/auth"
usr "github.com/documize/community/domain/user"
ath "github.com/documize/community/model/auth"
lm "github.com/documize/community/model/auth"
"github.com/documize/community/model/user"
ld "gopkg.in/ldap.v2"
)
// Handler contains the runtime information such as logging and database.
@ -41,9 +38,7 @@ type Handler struct {
Store *domain.Store
}
// Preview connects to LDAP using paylaod and returns
// first 100 users for.
// and marks Keycloak disabled users as inactive.
// Preview connects to LDAP using paylaod and returns first 50 users.
func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
h.Runtime.Log.Info("Sync'ing with LDAP")
@ -57,6 +52,7 @@ func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
Message string `json:"message"`
IsError bool `json:"isError"`
Users []user.User `json:"users"`
Count int `json:"count"`
}
result.Users = []user.User{}
@ -95,10 +91,12 @@ func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
result.IsError = false
result.Message = fmt.Sprintf("Sync'ed with LDAP, found %d users", len(users))
if len(users) > 100 {
result.Users = users[:100]
} else {
result.Users = users
result.Count = len(users)
result.Users = users
// Preview does not require more than 50 users.
if len(users) > 50 {
result.Users = users[:50]
}
h.Runtime.Log.Info(result.Message)
@ -133,310 +131,219 @@ func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
// Exit if not using LDAP
if org.AuthProvider != ath.AuthProviderLDAP {
// result.Message = "Error: skipping user sync with LDAP as it is not the configured option"
// result.IsError = true
// response.WriteJSON(w, result)
// h.Runtime.Log.Info(result.Message)
// return
result.Message = "Error: skipping user sync with LDAP as it is not the configured option"
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Info(result.Message)
return
}
// Make Keycloak auth provider config
// Get auth provider config
c := lm.LDAPConfig{}
// err = json.Unmarshal([]byte(org.AuthConfig), &c)
// if err != nil {
// result.Message = "Error: unable read LDAP configuration data"
// result.IsError = true
// response.WriteJSON(w, result)
// h.Runtime.Log.Error(result.Message, err)
// return
// }
c.ServerHost = "ldap.forumsys.com"
c.ServerPort = 389
c.EncryptionType = "none"
c.BaseDN = "dc=example,dc=com"
c.BindDN = "cn=read-only-admin,dc=example,dc=com"
c.BindPassword = "password"
c.UserFilter = ""
c.GroupFilter = ""
c.DisableLogout = false
c.DefaultPermissionAddSpace = false
address := fmt.Sprintf("%s:%d", c.ServerHost, c.ServerPort)
h.Runtime.Log.Info("Connecting to LDAP server")
l, err := ld.Dial("tcp", address)
err = json.Unmarshal([]byte(org.AuthConfig), &c)
if err != nil {
result.Message = "Error: unable to dial LDAP server: " + err.Error()
result.Message = "Error: unable read LDAP configuration data"
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
// Get user list from LDAP.
ldapUsers, err := fetchUsers(c)
if err != nil {
result.Message = "Error: unable to fetch LDAP users: " + err.Error()
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
// Get user list from Documize
dmzUsers, err := h.Store.User.GetUsersForOrganization(ctx, "", 99999)
if err != nil {
result.Message = "Error: unable to fetch Documize users"
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
sort.Slice(ldapUsers, func(i, j int) bool { return ldapUsers[i].Email < ldapUsers[j].Email })
sort.Slice(dmzUsers, func(i, j int) bool { return dmzUsers[i].Email < dmzUsers[j].Email })
insert := []user.User{}
for _, k := range ldapUsers {
exists := false
for _, d := range dmzUsers {
if k.Email == d.Email {
exists = true
}
}
if !exists {
insert = append(insert, k)
}
}
// Track the number of LDAP users with missing data.
missing := 0
// Insert new users into Documize
for _, u := range insert {
if len(u.Email) == 0 {
missing++
} else {
_, err = auth.AddExternalUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace)
}
}
result.IsError = false
result.Message = "Sync complete with LDAP server"
result.Message = fmt.Sprintf(
"LDAP sync found %d users, %d new users added, %d users with missing data ignored",
len(ldapUsers), len(insert), missing)
h.Runtime.Log.Info(result.Message)
response.WriteJSON(w, result)
}
// Authenticate checks LDAP authentication credentials.
func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
method := "ldap.authenticate"
ctx := domain.GetRequestContext(r)
// check for http header
authHeader := r.Header.Get("Authorization")
if len(authHeader) == 0 {
response.WriteBadRequestError(w, method, "Missing Authorization header")
return
}
// decode what we received
data := strings.Replace(authHeader, "Basic ", "", 1)
decodedBytes, err := secrets.DecodeBase64([]byte(data))
if err != nil {
response.WriteBadRequestError(w, method, "Unable to decode authentication token")
h.Runtime.Log.Error("decode auth header", err)
return
}
decoded := string(decodedBytes)
// check that we have domain:username:password (but allow for : in password field!)
credentials := strings.SplitN(decoded, ":", 3)
if len(credentials) != 3 {
response.WriteBadRequestError(w, method, "Bad authentication token, expecting domain:username:password")
h.Runtime.Log.Error("bad auth token", err)
return
}
dom := strings.TrimSpace(strings.ToLower(credentials[0]))
username := strings.TrimSpace(strings.ToLower(credentials[1]))
password := credentials[2]
// Check for required fields.
if len(username) == 0 || len(password) == 0 {
response.WriteUnauthorizedError(w)
return
}
dom = h.Store.Organization.CheckDomain(ctx, dom) // TODO optimize by removing this once js allows empty domains
h.Runtime.Log.Info("LDAP login request " + username + " @ " + dom)
// Get the org and it's associated LDAP config.
org, err := h.Store.Organization.GetOrganizationByDomain(dom)
if err != nil {
response.WriteUnauthorizedError(w)
h.Runtime.Log.Error("bad auth organization", err)
return
}
lc := lm.LDAPConfig{}
err = json.Unmarshal([]byte(org.AuthConfig), &lc)
if err != nil {
response.WriteBadRequestError(w, method, "unable to read LDAP config during authorization")
h.Runtime.Log.Error(method, err)
return
}
ctx.OrgID = org.RefID
l, err := connect(lc)
if err != nil {
response.WriteBadRequestError(w, method, "unable to dial LDAP server")
h.Runtime.Log.Error(method, err)
return
}
defer l.Close()
if c.EncryptionType == "starttls" {
h.Runtime.Log.Info("Using StartTLS with LDAP server")
err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
lu, ok, err := authenticate(l, lc, username, password)
if err != nil {
response.WriteBadRequestError(w, method, "error during LDAP authentication")
h.Runtime.Log.Error(method, err)
return
}
if !ok {
response.WriteUnauthorizedError(w)
return
}
h.Runtime.Log.Info("LDAP logon completed " + lu.Email)
u, err := h.Store.User.GetByDomain(ctx, dom, lu.Email)
if err != nil && err != sql.ErrNoRows {
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)
return
}
// Create user account if not found
if err == sql.ErrNoRows {
h.Runtime.Log.Info("Adding new LDAP user " + lu.Email + " @ " + dom)
u = convertUser(lc, lu)
u.Salt = secrets.GenerateSalt()
u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
u, err = auth.AddExternalUser(ctx, h.Runtime, h.Store, u, lc.DefaultPermissionAddSpace)
if err != nil {
result.Message = "Error: unable to startTLS with LDAP server: " + err.Error()
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)
return
}
}
// Authenticate with LDAP server using admin credentials.
h.Runtime.Log.Info("Binding LDAP admin user")
err = l.Bind(c.BindDN, c.BindPassword)
if err != nil {
result.Message = "Error: unable to bind specified admin user to LDAP: " + err.Error()
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
// Attach user accounts and work out permissions.
usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
// No accounts signals data integrity problem
// so we reject login request.
if len(u.Accounts) == 0 {
response.WriteUnauthorizedError(w)
h.Runtime.Log.Error(method, err)
return
}
// Get users from LDAP server by using filter
filter := ""
attrs := []string{}
if len(c.GroupFilter) > 0 {
filter = fmt.Sprintf("(&(objectClass=group)(cn=%s))", c.GroupFilter)
attrs = []string{"cn"}
} else {
filter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
attrs = []string{"dn", "cn", "givenName", "sn", "mail", "uid"}
// Abort login request if account is disabled.
for _, ac := range u.Accounts {
if ac.OrgID == org.RefID {
if ac.Active == false {
response.WriteUnauthorizedError(w)
h.Runtime.Log.Error(method, err)
return
}
break
}
}
searchRequest := ld.NewSearchRequest(
c.BaseDN,
ld.ScopeWholeSubtree, ld.NeverDerefAliases, 0, 0, false,
filter,
attrs,
nil,
)
// Generate JWT token
authModel := ath.AuthenticationModel{}
authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, dom)
authModel.User = u
sr, err := l.Search(searchRequest)
if err != nil {
result.Message = "Error: unable to bind specified admin user to LDAP: " + err.Error()
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
fmt.Printf("entries found: %d", len(sr.Entries))
for _, entry := range sr.Entries {
fmt.Printf("[%s] %s (%s %s) @ %s\n",
entry.GetAttributeValue("uid"),
entry.GetAttributeValue("cn"),
entry.GetAttributeValue("givenName"),
entry.GetAttributeValue("sn"),
entry.GetAttributeValue("mail"))
}
// // User list from LDAP
// kcUsers, err := Fetch(c)
// if err != nil {
// result.Message = "Error: unable to fetch Keycloak users: " + err.Error()
// result.IsError = true
// response.WriteJSON(w, result)
// h.Runtime.Log.Error(result.Message, err)
// return
// }
// // User list from Documize
// dmzUsers, err := h.Store.User.GetUsersForOrganization(ctx, "", 99999)
// if err != nil {
// result.Message = "Error: unable to fetch Documize users"
// result.IsError = true
// response.WriteJSON(w, result)
// h.Runtime.Log.Error(result.Message, err)
// return
// }
// sort.Slice(kcUsers, func(i, j int) bool { return kcUsers[i].Email < kcUsers[j].Email })
// sort.Slice(dmzUsers, func(i, j int) bool { return dmzUsers[i].Email < dmzUsers[j].Email })
// insert := []user.User{}
// for _, k := range kcUsers {
// exists := false
// for _, d := range dmzUsers {
// if k.Email == d.Email {
// exists = true
// }
// }
// if !exists {
// insert = append(insert, k)
// }
// }
// // Track the number of Keycloak users with missing data.
// missing := 0
// // Insert new users into Documize
// for _, u := range insert {
// if len(u.Email) == 0 {
// missing++
// } else {
// err = addUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace)
// }
// }
// result.Message = fmt.Sprintf("LDAP sync found %d users, %d new users added, %d users with missing data ignored",
// len(kcUsers), len(insert), missing)
result.IsError = false
result.Message = "Sync complete with LDAP server"
response.WriteJSON(w, result)
h.Runtime.Log.Info(result.Message)
}
// Authenticate checks Keycloak authentication credentials.
func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
// method := "authenticate"
// ctx := domain.GetRequestContext(r)
// defer streamutil.Close(r.Body)
// body, err := ioutil.ReadAll(r.Body)
// if err != nil {
// response.WriteBadRequestError(w, method, "Bad payload")
// h.Runtime.Log.Error(method, err)
// return
// }
// a := ath.KeycloakAuthRequest{}
// err = json.Unmarshal(body, &a)
// if err != nil {
// response.WriteBadRequestError(w, method, err.Error())
// h.Runtime.Log.Error(method, err)
// return
// }
// a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
// a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
// a.Email = strings.TrimSpace(strings.ToLower(a.Email))
// // Check for required fields.
// if len(a.Email) == 0 {
// response.WriteUnauthorizedError(w)
// return
// }
// org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
// if err != nil {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// ctx.OrgID = org.RefID
// // Fetch Keycloak auth provider config
// ac := ath.KeycloakConfig{}
// err = json.Unmarshal([]byte(org.AuthConfig), &ac)
// if err != nil {
// response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
// h.Runtime.Log.Error(method, err)
// return
// }
// // Decode and prepare RSA Public Key used by keycloak to sign JWT.
// pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
// if err != nil {
// response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
// h.Runtime.Log.Error(method, err)
// return
// }
// pk := string(pkb)
// pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
// // Decode and verify Keycloak JWT
// claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
// if err != nil {
// response.WriteBadRequestError(w, method, err.Error())
// h.Runtime.Log.Info("decodeKeycloakJWT failed")
// return
// }
// // Compare the contents from JWT with what we have.
// // Guards against MITM token tampering.
// if a.Email != claims["email"].(string) {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Info(">> Start Keycloak debug")
// h.Runtime.Log.Info(a.Email)
// h.Runtime.Log.Info(claims["email"].(string))
// h.Runtime.Log.Info(">> End Keycloak debug")
// return
// }
// h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
// u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
// if err != nil && err != sql.ErrNoRows {
// response.WriteServerError(w, method, err)
// h.Runtime.Log.Error(method, err)
// return
// }
// // Create user account if not found
// if err == sql.ErrNoRows {
// h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
// u = user.User{}
// u.Firstname = a.Firstname
// u.Lastname = a.Lastname
// u.Email = a.Email
// u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
// u.Salt = secrets.GenerateSalt()
// u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
// err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
// if err != nil {
// response.WriteServerError(w, method, err)
// h.Runtime.Log.Error(method, err)
// return
// }
// }
// // Password correct and active user
// if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
// response.WriteUnauthorizedError(w)
// return
// }
// // Attach user accounts and work out permissions.
// usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
// // No accounts signals data integrity problem
// // so we reject login request.
// if len(u.Accounts) == 0 {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// // Abort login request if account is disabled.
// for _, ac := range u.Accounts {
// if ac.OrgID == org.RefID {
// if ac.Active == false {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// break
// }
// }
// // Generate JWT token
// authModel := ath.AuthenticationModel{}
// authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
// authModel.User = u
// response.WriteJSON(w, authModel)
response.WriteJSON(w, authModel)
}

46
domain/auth/ldap/ldap.go
View file

@ -48,8 +48,10 @@ func connect(c lm.LDAPConfig) (l *ld.Conn, err error) {
}
// Authenticate user against LDAP provider.
func authenticate(l *ld.Conn, c lm.LDAPConfig, username, pwd string) (success bool, err error) {
func authenticate(l *ld.Conn, c lm.LDAPConfig, username, pwd string) (lu lm.LDAPUser, success bool, err error) {
success = false
err = nil
userAttrs := c.GetUserFilterAttributes()
filter := fmt.Sprintf("(%s=%s)", c.AttributeUserRDN, username)
@ -87,10 +89,13 @@ func authenticate(l *ld.Conn, c lm.LDAPConfig, username, pwd string) (success bo
// Bind as the user to verify their password
err = l.Bind(userdn, pwd)
if err != nil {
return false, nil
return
}
return true, nil
lu = extractUser(c, sr.Entries[0])
success = true
return
}
// ExecuteUserFilter returns all matching LDAP users.
@ -212,10 +217,10 @@ func extractUser(c lm.LDAPConfig, e *ld.Entry) (u lm.LDAPUser) {
}
if len(u.Firstname) == 0 {
u.Firstname = "Empty"
u.Firstname = "LDAP"
}
if len(u.Lastname) == 0 {
u.Lastname = "Empty"
u.Lastname = "User"
}
return
@ -235,25 +240,30 @@ func convertUsers(c lm.LDAPConfig, lu []lm.LDAPUser) (du []user.User) {
// skip if empty email address
add = len(i.Email) > 0
if add {
nu := user.User{}
nu.Editor = c.DefaultPermissionAddSpace
nu.Active = true
nu.Email = i.Email
nu.ViewUsers = false
nu.Analytics = false
nu.Admin = false
nu.Global = false
nu.Firstname = i.Firstname
nu.Lastname = i.Lastname
nu.Initials = stringutil.MakeInitials(i.Firstname, i.Lastname)
du = append(du, nu)
du = append(du, convertUser(c, i))
}
}
return
}
// ConvertUser turns LDAP user into Documize user.
func convertUser(c lm.LDAPConfig, lu lm.LDAPUser) (du user.User) {
du = user.User{}
du.Editor = c.DefaultPermissionAddSpace
du.Active = true
du.Email = lu.Email
du.ViewUsers = false
du.Analytics = false
du.Admin = false
du.Global = false
du.Firstname = lu.Firstname
du.Lastname = lu.Lastname
du.Initials = stringutil.MakeInitials(lu.Firstname, lu.Lastname)
return
}
// FetchUsers from LDAP server using both User and Group filters.
func fetchUsers(c lm.LDAPConfig) (du []user.User, err error) {
du = []user.User{}

8
domain/auth/ldap/local_test.go
View file

@ -104,16 +104,17 @@ func TestAuthenticate_LocalLDAP(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigLocalLDAP, "professor", "professor")
user, ok, err := authenticate(l, testConfigLocalLDAP, "professor", "professor")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if !ok {
t.Error("failed LDAP authentication")
return
}
t.Log("Authenticated")
t.Log("Authenticated", user.Email)
}
func TestNotAuthenticate_LocalLDAP(t *testing.T) {
@ -124,13 +125,14 @@ func TestNotAuthenticate_LocalLDAP(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigLocalLDAP, "junk", "junk")
_, ok, err := authenticate(l, testConfigLocalLDAP, "junk", "junk")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if ok {
t.Error("incorrect LDAP authentication")
return
}
t.Log("Not authenticated")

8
domain/auth/ldap/public_test.go
View file

@ -88,14 +88,17 @@ func TestAuthenticate_PublicLDAP(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigPublicLDAP, "newton", "password")
user, ok, err := authenticate(l, testConfigPublicLDAP, "newton", "password")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if !ok {
t.Error("failed LDAP authentication")
return
}
t.Log("Authenticated", user.Email)
}
func TestNotAuthenticate_PublicLDAP(t *testing.T) {
@ -106,13 +109,14 @@ func TestNotAuthenticate_PublicLDAP(t *testing.T) {
}
defer l.Close()
ok, err := authenticate(l, testConfigPublicLDAP, "junk", "junk")
_, ok, err := authenticate(l, testConfigPublicLDAP, "junk", "junk")
if err != nil {
t.Error("error during LDAP authentication: ", err.Error())
return
}
if ok {
t.Error("incorrect LDAP authentication")
return
}
t.Log("Not authenticated")

1
gui/app/authenticators/anonymous.js
View file

@ -10,7 +10,6 @@
// https://documize.com
import { resolve } from 'rsvp';
import Base from 'ember-simple-auth/authenticators/base';
export default Base.extend({

3
gui/app/authenticators/documize.js
View file

@ -10,12 +10,11 @@
// https://documize.com
import { isPresent } from '@ember/utils';
import { reject, resolve } from 'rsvp';
import { inject as service } from '@ember/service';
import Base from 'ember-simple-auth/authenticators/base';
import encodingUtil from '../utils/encoding';
import netUtil from '../utils/net';
import Base from 'ember-simple-auth/authenticators/base';
export default Base.extend({
ajax: service(),

3
gui/app/authenticators/keycloak.js
View file

@ -10,11 +10,10 @@
// https://documize.com
import { isPresent } from '@ember/utils';
import { reject, resolve } from 'rsvp';
import { inject as service } from '@ember/service';
import Base from 'ember-simple-auth/authenticators/base';
import netUtil from '../utils/net';
import Base from 'ember-simple-auth/authenticators/base';
export default Base.extend({
ajax: service(),

60
gui/app/authenticators/ldap.js Normal file
View file

@ -0,0 +1,60 @@
// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
//
// This software (Documize Community Edition) is licensed under
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
//
// You can operate outside the AGPL restrictions by purchasing
// Documize Enterprise Edition and obtaining a commercial license
// by contacting <sales@documize.com>.
//
// https://documize.com
import { isPresent } from '@ember/utils';
import { reject, resolve } from 'rsvp';
import { inject as service } from '@ember/service';
import encodingUtil from '../utils/encoding';
import netUtil from '../utils/net';
import Base from 'ember-simple-auth/authenticators/base';
export default Base.extend({
ajax: service(),
appMeta: service(),
localStorage: service(),
restore(data) {
// TODO: verify authentication data
if (data) {
return resolve(data);
}
return reject();
},
authenticate(credentials) {
let domain = netUtil.getSubdomain();
let encoded;
if (typeof credentials === 'object') {
let { password, username } = credentials;
if (!isPresent(password) || !isPresent(username)) {
return reject("invalid");
}
encoded = encodingUtil.Base64.encode(`${domain}:${username}:${password}`);
} else if (typeof credentials === 'string') {
encoded = credentials;
} else {
return reject("invalid");
}
let headers = { 'Authorization': 'Basic ' + encoded };
return this.get('ajax').post('public/authenticate/ldap', { headers });
},
invalidate() {
this.get('localStorage').clearAll();
return resolve();
}
});

31
gui/app/components/customize/auth-settings.js
View file

@ -129,6 +129,7 @@ export default Component.extend(ModalMixin, Notifier, {
if (is.undefined(ldapConfig) || is.null(ldapConfig) || is.empty(ldapConfig) ) {
ldapConfig = {};
} else {
ldapConfig = JSON.parse(ldapConfig);
ldapConfig.defaultPermissionAddSpace = ldapConfig.hasOwnProperty('defaultPermissionAddSpace') ? ldapConfig.defaultPermissionAddSpace : false;
ldapConfig.disableLogout = ldapConfig.hasOwnProperty('disableLogout') ? ldapConfig.disableLogout : true;
}
@ -240,19 +241,43 @@ export default Component.extend(ModalMixin, Notifier, {
config = copy(this.get('ldapConfig'));
config.serverHost = config.serverHost.trim();
config.serverPort = parseInt(this.get('ldapConfig.serverPort'));
if (is.not.empty(config.groupFilter) && is.empty(config.attributeGroupMember)) {
this.$('#ldap-attributeGroupMember').focus();
return;
}
break;
}
debugger;
this.showWait();
let data = { authProvider: provider, authConfig: JSON.stringify(config) };
this.get('onSave')(data).then(() => {
// Without sync we cannot log in
// Keycloak sync process
if (data.authProvider === constants.AuthProvider.Keycloak) {
this.get('onSync')().then((response) => {
this.get('onSyncKeycloak')().then((response) => {
if (response.isError) {
this.set('keycloakFailure', response.message);
console.log(response.message); // eslint-disable-line no-console
data.authProvider = constants.AuthProvider.Documize;
this.get('onSave')(data).then(() => {});
} else {
if (data.authProvider === this.get('appMeta.authProvider')) {
console.log(response.message); // eslint-disable-line no-console
} else {
this.get('onChange')(data);
}
}
});
}
// LDAP sync process
if (data.authProvider === constants.AuthProvider.LDAP) {
this.get('onSyncLDAP')().then((response) => {
if (response.isError) {
this.set('keycloakFailure', response.message);
console.log(response.message); // eslint-disable-line no-console

8
gui/app/components/customize/user-list.js
View file

@ -240,8 +240,12 @@ export default Component.extend(AuthProvider, ModalMixin, TooltipMixin, {
});
},
onSync() {
this.get('onSync')();
onSyncKeycloak() {
this.get('onSyncKeycloak')();
},
onSyncLDAP() {
this.get('onSyncLDAP')();
},
onLimit(limit) {

2
gui/app/components/forgot-password.js
View file

@ -12,8 +12,8 @@
import $ from 'jquery';
import { empty, and } from '@ember/object/computed';
import { set } from '@ember/object';
import Component from '@ember/component';
import { isEmpty } from '@ember/utils';
import Component from '@ember/component';
export default Component.extend({
email: "",

2
gui/app/components/layout/top-bar.js
View file

@ -36,7 +36,7 @@ export default Component.extend(ModalMixin, {
this.pins = [];
if (this.get('appMeta.authProvider') === constants.AuthProvider.Keycloak) {
if (this.get('appMeta.authProvider') !== constants.AuthProvider.Documize) {
let config = this.get('appMeta.authConfig');
config = JSON.parse(config);
this.set('enableLogout', !config.disableLogout);

2
gui/app/pods/auth/forgot/controller.js
View file

@ -10,11 +10,11 @@
// https://documize.com
import { inject as service } from '@ember/service';
import Controller from '@ember/controller';
export default Controller.extend({
userService: service('user'),
appMeta: service('app-meta'),
actions: {
forgot: function (email) {

2
gui/app/pods/auth/forgot/route.js
View file

@ -19,7 +19,7 @@ export default Route.extend({
beforeModel() {
let constants = this.get('constants');
if (this.get('appMeta.authProvider') === constants.AuthProvider.Keycloak) {
if (this.get('appMeta.authProvider') !== constants.AuthProvider.Documize) {
this.transitionTo('auth.login');
}
},

1
gui/app/pods/auth/forgot/template.hbs
View file

@ -2,6 +2,7 @@
<div class="auth-box">
<div class="logo">
<img src="/assets/img/logo-purple.png" title="Documize" alt="Documize" class="img-fluid" />
<div class="url">Authenticate with {{appMeta.appHost}}</div>
</div>
<div class="login-form">
{{forgot-password forgot=(action 'forgot')}}

46
gui/app/pods/auth/login/controller.js
View file

@ -10,8 +10,8 @@
// https://documize.com
import { inject as service } from '@ember/service';
import Controller from '@ember/controller';
import AuthProvider from '../../../mixins/auth';
import Controller from '@ember/controller';
export default Controller.extend(AuthProvider, {
appMeta: service('app-meta'),
@ -19,10 +19,19 @@ export default Controller.extend(AuthProvider, {
invalidCredentials: false,
reset() {
this.setProperties({
email: '',
password: ''
});
if (this.get('sAuthProviderDocumize')) {
this.setProperties({
email: '',
password: ''
});
}
if (this.get('sAuthProviderLDAP')) {
this.setProperties({
username: '',
password: ''
});
}
let dbhash = document.head.querySelector("[property=dbhash]").content;
if (dbhash.length > 0 && dbhash !== "{{.DBhash}}") {
@ -32,14 +41,27 @@ export default Controller.extend(AuthProvider, {
actions: {
login() {
let creds = this.getProperties('email', 'password');
if (this.get('isAuthProviderDocumize')) {
let creds = this.getProperties('email', 'password');
this.get('session').authenticate('authenticator:documize', creds).then((response) => {
this.transitionToRoute('folders');
return response;
}).catch(() => {
this.set('invalidCredentials', true);
});
this.get('session').authenticate('authenticator:documize', creds).then((response) => {
this.transitionToRoute('folders');
return response;
}).catch(() => {
this.set('invalidCredentials', true);
});
}
if (this.get('isAuthProviderLDAP')) {
let creds = this.getProperties('username', 'password');
this.get('session').authenticate('authenticator:ldap', creds).then((response) => {
this.transitionToRoute('folders');
return response;
}).catch(() => {
this.set('invalidCredentials', true);
});
}
}
}
});

17
gui/app/pods/auth/login/template.hbs
View file

@ -3,22 +3,27 @@
<div class="auth-box">
<div class="logo">
<img src="/assets/img/logo-purple.png" title="Documize" alt="Documize" class="img-fluid" />
<div class="url">Authenticate with {{appMeta.appHost}}</div>
</div>
<form {{action 'login' on="submit"}}>
<div class="form-group">
<label for="authEmail">Email</label>
{{focus-input type="email" value=email id="authEmail" class="form-control mousetrap" placeholder="" autocomplete="username email"}}
{{#if isAuthProviderDocumize}}
<label for="authEmail">Email</label>
{{focus-input type="email" value=email id="authEmail" class="form-control mousetrap" placeholder="" autocomplete="username email"}}
{{/if}}
{{#if isAuthProviderLDAP}}
<label for="authUsername">Network Username</label>
{{focus-input type="text" value=username id="authUsername" class="form-control mousetrap" placeholder="network domain username" autocomplete="username"}}
{{/if}}
</div>
<div class="form-group">
<label for="authPassword">Password</label>
{{input type="password" value=password id="authPassword" class="form-control" autocomplete="current-password"}}
{{input type="password" value=password id="authPassword" class="form-control" placeholder="network password" autocomplete="current-password"}}
</div>
<button type="submit" class="btn btn-success font-weight-bold text-uppercase mt-4">Sign in</button>
<div class="{{unless invalidCredentials "invisible"}} color-red mt-3">Invalid credentials</div>
{{#if isAuthProviderDocumize}}
<div class="mt-5">
{{#link-to 'auth.forgot'}}Forgot your password?{{/link-to}}
</div>
{{#link-to 'auth.forgot'}}Forgot your password?{{/link-to}}
{{/if}}
</form>
</div>

11
gui/app/pods/auth/logout/route.js
View file

@ -10,9 +10,7 @@
// https://documize.com
import { inject as service } from '@ember/service';
import Route from '@ember/routing/route';
// import config from 'documize/config/environment';
export default Route.extend({
session: service(),
@ -20,15 +18,6 @@ export default Route.extend({
activate: function () {
this.get('session').invalidate().then(() => {
// if (config.environment === 'test') {
// this.transitionTo('auth.login');
// } else {
// if (this.get("appMeta.allowAnonymousAccess")) {
// this.transitionTo('folders');
// } else {
// this.transitionTo('auth.login');
// }
// }
});
}
});

2
gui/app/pods/auth/reset/controller.js
View file

@ -10,11 +10,11 @@
// https://documize.com
import { inject as service } from '@ember/service';
import Controller from '@ember/controller';
export default Controller.extend({
userService: service('user'),
appMeta: service('app-meta'),
password: "",
passwordConfirm: "",
mustMatch: false,

1
gui/app/pods/auth/reset/template.hbs
View file

@ -2,6 +2,7 @@
<div class="auth-box">
<div class="logo">
<img src="/assets/img/logo-purple.png" title="Documize" alt="Documize" class="img-fluid" />
<div class="url">Authenticate with {{appMeta.appHost}}</div>
</div>
{{password-reset reset=(action 'reset')}}
</div>

2
gui/app/pods/auth/share/route.js
View file

@ -11,8 +11,8 @@
import $ from 'jquery';
import { inject as service } from '@ember/service';
import Route from '@ember/routing/route';
import AuthenticatedRouteMixin from 'ember-simple-auth/mixins/authenticated-route-mixin';
import Route from '@ember/routing/route';
export default Route.extend(AuthenticatedRouteMixin, {
session: service(),

10
gui/app/pods/customize/auth/controller.js
View file

@ -32,7 +32,7 @@ export default Controller.extend(NotifierMixin, {
});
},
onSync() {
onSyncKeycloak() {
return new EmberPromise((resolve) => {
this.get('global').syncKeycloak().then((response) => {
resolve(response);
@ -40,6 +40,14 @@ export default Controller.extend(NotifierMixin, {
});
},
onSyncLDAP() {
return new EmberPromise((resolve) => {
this.get('global').syncLDAP().then((response) => {
resolve(response);
});
});
},
onChange(data) {
this.get('session').logout();
this.set('appMeta.authProvider', data.authProvider);

25
gui/app/pods/customize/auth/route.js
View file

@ -33,32 +33,7 @@ export default Route.extend(AuthenticatedRouteMixin, {
authConfig: null,
};
let config = {
ServerType: constants.AuthProvider.ServerTypeLDAP,
ServerHost: "127.0.0.1",
ServerPort: 389,
EncryptionType: constants.AuthProvider.EncryptionTypeStartTLS,
BaseDN: "ou=people,dc=planetexpress,dc=com",
BindDN: "cn=admin,dc=planetexpress,dc=com",
BindPassword: "GoodNewsEveryone",
UserFilter: "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))",
GroupFilter: "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))",
AttributeUserRDN: "uid",
AttributeUserFirstname: "givenName",
AttributeUserLastname: "sn",
AttributeUserEmail: "mail",
AttributeUserDisplayName: "",
AttributeUserGroupName: "",
AttributeGroupMember: "member",
};
this.get('global').previewLDAP(config).then((r) => {
console.log(r);
});
return new EmberPromise((resolve) => {
let constants = this.get('constants');
this.get('global').getAuthConfig().then((config) => {
switch (data.authProvider) {
case constants.AuthProvider.Keycloak:

9
gui/app/pods/customize/auth/template.hbs
View file

@ -1,2 +1,7 @@
{{customize/auth-settings authProvider=model.authProvider authConfig=model.authConfig
onSave=(action 'onSave') onSync=(action 'onSync') onChange=(action 'onChange')}}
{{customize/auth-settings
authProvider=model.authProvider
authConfig=model.authConfig
onSave=(action 'onSave')
onSyncLDAP=(action 'onSyncLDAP')
onSyncKeycloak=(action 'onSyncKeycloak')
onChange=(action 'onChange')}}

10
gui/app/pods/customize/users/controller.js
View file

@ -57,12 +57,20 @@ export default Controller.extend({
this.loadUsers(filter);
},
onSync() {
onSyncKeycloak() {
this.set('syncInProgress', true);
this.get('globalSvc').syncKeycloak().then(() => {
this.set('syncInProgress', false);
this.loadUsers('');
});
},
onSyncLDAP() {
this.set('syncInProgress', true);
this.get('globalSvc').syncLDAP().then(() => {
this.set('syncInProgress', false);
this.loadUsers('');
});
}
}
});

3
gui/app/pods/customize/users/template.hbs
View file

@ -5,7 +5,8 @@
{{customize/user-list users=model
syncInProgress=syncInProgress
userLimit=userLimit
onSync=(action "onSync")
onSyncKeycloak=(action "onSyncKeycloak")
onSyncLDAP=(action "onSyncLDAP")
onFilter=(action "onFilter")
onDelete=(action "onDelete")
onSave=(action "onSave")

4
gui/app/routes/application.js
View file

@ -9,11 +9,11 @@
//
// https://documize.com
import Route from '@ember/routing/route';
import { inject as service } from '@ember/service';
import ApplicationRouteMixin from 'ember-simple-auth/mixins/application-route-mixin';
import netUtil from '../utils/net';
import TooltipMixin from '../mixins/tooltip';
import Route from '@ember/routing/route';
export default Route.extend(ApplicationRouteMixin, TooltipMixin, {
appMeta: service(),
@ -27,7 +27,7 @@ export default Route.extend(ApplicationRouteMixin, TooltipMixin, {
let sa = this.get('session.session.authenticator');
return this.get('appMeta').boot(transition.targetName, window.location.href).then(data => {
if (sa !== "authenticator:documize" && sa !== "authenticator:keycloak" && data.allowAnonymousAccess) {
if (sa !== "authenticator:documize" && sa !== "authenticator:keycloak" && sa !== "authenticator:ldap" && data.allowAnonymousAccess) {
if (!this.get('appMeta.setupMode') && !this.get('appMeta.secureMode')) {
return this.get('session').authenticate('authenticator:anonymous', data);
}

2
gui/app/services/app-meta.js
View file

@ -20,6 +20,7 @@ export default Service.extend({
ajax: service(),
localStorage: service(),
kcAuth: service(),
appHost: '',
apiHost: `${config.apiHost}`,
endpoint: `${config.apiHost}/${config.apiNamespace}`,
conversionEndpoint: '',
@ -72,6 +73,7 @@ export default Service.extend({
return this.get('ajax').request('public/meta').then((response) => {
this.setProperties(response);
this.set('version', 'v' + this.get('version'));
this.set('appHost', window.location.host);
if (requestedRoute === 'secure') {
this.setProperties({

4
gui/app/services/global.js
View file

@ -96,7 +96,7 @@ export default Service.extend({
syncLDAP() {
if(this.get('sessionService.isAdmin')) {
return this.get('ajax').request(`global/sync/ldap`, {
return this.get('ajax').request(`global/ldap/sync`, {
method: 'GET'
}).then((response) => {
return response;
@ -108,7 +108,7 @@ export default Service.extend({
previewLDAP(config) {
if(this.get('sessionService.isAdmin')) {
return this.get('ajax').request(`global/sync/ldap/preview`, {
return this.get('ajax').request(`global/ldap/preview`, {
method: 'POST',
data: JSON.stringify(config)
}).then((response) => {

2
gui/app/services/kc-auth.js
View file

@ -10,8 +10,8 @@
// https://documize.com
import { Promise as EmberPromise } from 'rsvp';
import Service, { inject as service } from '@ember/service';
import netUtil from '../utils/net';
import Service, { inject as service } from '@ember/service';
export default Service.extend({
sessionService: service('session'),

8
gui/app/styles/view/auth.scss
View file

@ -23,7 +23,13 @@
> img {
height: 60px;
margin: 40px 0;
margin: 30px 0 0 0;
}
> .url {
margin: 20px 0;
color: $color-gray;
font-weight: 0.9rem;
}
}
}

12
gui/app/templates/components/customize/auth-settings.hbs
View file

@ -9,7 +9,7 @@
<div class="view-customize">
<form class="mt-5">
<div class="widget-list-picker widget-list-picker-horiz mb-5">
<div class="widget-list-picker widget-list-picker-horiz">
<ul class="options">
<li class="option {{if isDocumizeProvider 'selected'}}" {{action 'onDocumize'}}>
<div class="text-header">Documize</div>
@ -35,6 +35,14 @@
</ul>
</div>
<br/>
<br/>
<br/>
{{#if isDocumizeProvider}}
<p>There are no settings.</p>
{{/if}}
{{#if isKeycloakProvider}}
<div class="form-group row">
<label for="keycloak-url" class="col-sm-3 col-form-label">Keycloak Server URL</label>
@ -238,7 +246,7 @@
{{#if ldapPreview.isError}}
<p class="text-danger">{{ldapPreview.message}}</p>
{{else}}
<p class="text-success">Connection successful.</p>
<p class="text-success">Connection successful, found {{ldapPreview.count}} users.</p>
{{#each ldapPreview.users as |user|}}
<p>{{user.firstname}} {{user.firstname}} ({{user.email}})</p>
{{/each}}

9
gui/app/templates/components/customize/user-list.hbs
View file

@ -3,7 +3,14 @@
{{#if syncInProgress}}
<div class="btn btn-secondary mt-3 mb-3">Keycloak user sync running...</div>
{{else}}
<div class="btn btn-success mt-3 mb-3" {{action 'onSync'}}>Sync with Keycloak</div>
<div class="btn btn-success mt-3 mb-3" {{action 'onSyncKeycloak'}}>Sync with Keycloak</div>
{{/if}}
{{/if}}
{{#if isAuthProviderLDAP}}
{{#if syncInProgress}}
<div class="btn btn-secondary mt-3 mb-3">LDAP user sync running...</div>
{{else}}
<div class="btn btn-success mt-3 mb-3" {{action 'onSyncLDAP'}}>Sync with LDAP</div>
{{/if}}
{{/if}}

4
server/routing/routes.go
View file

@ -82,6 +82,7 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) {
//**************************************************
AddPublic(rt, "authenticate/keycloak", []string{"POST", "OPTIONS"}, nil, keycloak.Authenticate)
AddPublic(rt, "authenticate/ldap", []string{"POST", "OPTIONS"}, nil, ldap.Authenticate)
AddPublic(rt, "authenticate", []string{"POST", "OPTIONS"}, nil, auth.Login)
AddPublic(rt, "validate", []string{"GET", "OPTIONS"}, nil, auth.ValidateToken)
AddPublic(rt, "forgot", []string{"POST", "OPTIONS"}, nil, user.ForgotPassword)
@ -214,7 +215,8 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) {
AddPrivate(rt, "global/search/status", []string{"GET", "OPTIONS"}, nil, meta.SearchStatus)
AddPrivate(rt, "global/search/reindex", []string{"POST", "OPTIONS"}, nil, meta.Reindex)
AddPrivate(rt, "global/sync/keycloak", []string{"GET", "OPTIONS"}, nil, keycloak.Sync)
AddPrivate(rt, "global/sync/ldap/preview", []string{"POST", "OPTIONS"}, nil, ldap.Preview)
AddPrivate(rt, "global/ldap/preview", []string{"POST", "OPTIONS"}, nil, ldap.Preview)
AddPrivate(rt, "global/ldap/sync", []string{"GET", "OPTIONS"}, nil, ldap.Sync)
Add(rt, RoutePrefixRoot, "robots.txt", []string{"GET", "OPTIONS"}, nil, meta.RobotsTxt)
Add(rt, RoutePrefixRoot, "sitemap.xml", []string{"GET", "OPTIONS"}, nil, meta.Sitemap)