Docker/documize
Docker/documize
1
0
Fork 0
mirror of https://github.com/documize/community.git synced 2025-07-18 20:59:43 +02:00
Code Releases Activity

Capture LDAP configuration

Browse source
This commit is contained in:
sauls8t 2018-09-03 17:36:54 +01:00
parent fd167234ae
commit 1ce7e53398
15 changed files with 647 additions and 714 deletions
Download patch file Download diff file Expand all files Collapse all files

8
domain/auth/ldap/ad_test.go
View file

@ -31,8 +31,8 @@ var testConfigPublicAD = lm.LDAPConfig{
BaseDN: "DC=mycompany,DC=local",
BindDN: "CN=ad-admin,CN=Users,DC=mycompany,DC=local",
BindPassword: "8B5tNRLvbk8K",
UserFilter: "",
GroupFilter: "",
UserFilter: "(|(objectCategory=person)(objectClass=user)(objectClass=inetOrgPerson))",
GroupFilter: "(|(cn=Accounting)(cn=IT))",
AttributeUserRDN: "sAMAccountName",
AttributeUserFirstname: "givenName",
AttributeUserLastname: "sn",
@ -43,8 +43,6 @@ var testConfigPublicAD = lm.LDAPConfig{
}
func TestUserFilter_PublicAD(t *testing.T) {
testConfigPublicAD.UserFilter = "(|(objectCategory=person)(objectClass=user)(objectClass=inetOrgPerson))"
e, err := executeUserFilter(testConfigPublicAD)
if err != nil {
t.Error("unable to exeucte user filter", err.Error())
@ -64,8 +62,6 @@ func TestUserFilter_PublicAD(t *testing.T) {
}
func TestGroupFilter_PublicAD(t *testing.T) {
testConfigPublicAD.GroupFilter = "(|(cn=Accounting)(cn=IT))"
e, err := executeGroupFilter(testConfigPublicAD)
if err != nil {
t.Error("unable to exeucte group filter", err.Error())

314
domain/auth/ldap/endpoint.go
View file

@ -14,9 +14,9 @@ package ldap
import (
"crypto/tls"
// "database/sql"
// "encoding/json"
"encoding/json"
"fmt"
// "io/ioutil"
"io/ioutil"
"net/http"
// "sort"
// "strings"
@ -24,15 +24,15 @@ import (
"github.com/documize/community/core/env"
"github.com/documize/community/core/response"
// "github.com/documize/community/core/secrets"
// "github.com/documize/community/core/streamutil"
"github.com/documize/community/core/streamutil"
// "github.com/documize/community/core/stringutil"
"github.com/documize/community/domain"
// "github.com/documize/community/domain/auth"
// usr "github.com/documize/community/domain/user"
ath "github.com/documize/community/model/auth"
lm "github.com/documize/community/model/auth"
"github.com/documize/community/model/user"
ld "gopkg.in/ldap.v2"
// "github.com/documize/community/model/user"
)
// Handler contains the runtime information such as logging and database.
@ -41,6 +41,70 @@ type Handler struct {
Store *domain.Store
}
// Preview connects to LDAP using paylaod and returns
// first 100 users for.
// and marks Keycloak disabled users as inactive.
func (h *Handler) Preview(w http.ResponseWriter, r *http.Request) {
h.Runtime.Log.Info("Sync'ing with LDAP")
ctx := domain.GetRequestContext(r)
if !ctx.Administrator {
response.WriteForbiddenError(w)
return
}
var result struct {
Message string `json:"message"`
IsError bool `json:"isError"`
Users []user.User `json:"users"`
}
// Read the request.
defer streamutil.Close(r.Body)
body, err := ioutil.ReadAll(r.Body)
if err != nil {
result.Message = "Error: unable read request body"
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
// Decode LDAP config.
c := lm.LDAPConfig{}
err = json.Unmarshal(body, &c)
if err != nil {
result.Message = "Error: unable read LDAP configuration payload"
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
h.Runtime.Log.Info("Fetching LDAP users")
users, err := fetchUsers(c)
if err != nil {
result.Message = "Error: unable fetch users from LDAP"
result.IsError = true
response.WriteJSON(w, result)
h.Runtime.Log.Error(result.Message, err)
return
}
result.IsError = false
result.Message = fmt.Sprintf("Sync'ed with LDAP, found %d users", len(users))
if len(users) > 100 {
result.Users = users[:100]
} else {
result.Users = users
}
h.Runtime.Log.Info(result.Message)
response.WriteJSON(w, result)
}
// Sync gets list of Keycloak users and inserts new users into Documize
// and marks Keycloak disabled users as inactive.
func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
@ -233,145 +297,145 @@ func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
}
// Authenticate checks Keycloak authentication credentials.
// func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
// method := "authenticate"
// ctx := domain.GetRequestContext(r)
func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
// method := "authenticate"
// ctx := domain.GetRequestContext(r)
// defer streamutil.Close(r.Body)
// body, err := ioutil.ReadAll(r.Body)
// if err != nil {
// response.WriteBadRequestError(w, method, "Bad payload")
// h.Runtime.Log.Error(method, err)
// return
// }
// defer streamutil.Close(r.Body)
// body, err := ioutil.ReadAll(r.Body)
// if err != nil {
// response.WriteBadRequestError(w, method, "Bad payload")
// h.Runtime.Log.Error(method, err)
// return
// }
// a := ath.KeycloakAuthRequest{}
// err = json.Unmarshal(body, &a)
// if err != nil {
// response.WriteBadRequestError(w, method, err.Error())
// h.Runtime.Log.Error(method, err)
// return
// }
// a := ath.KeycloakAuthRequest{}
// err = json.Unmarshal(body, &a)
// if err != nil {
// response.WriteBadRequestError(w, method, err.Error())
// h.Runtime.Log.Error(method, err)
// return
// }
// a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
// a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
// a.Email = strings.TrimSpace(strings.ToLower(a.Email))
// a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
// a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
// a.Email = strings.TrimSpace(strings.ToLower(a.Email))
// // Check for required fields.
// if len(a.Email) == 0 {
// response.WriteUnauthorizedError(w)
// return
// }
// // Check for required fields.
// if len(a.Email) == 0 {
// response.WriteUnauthorizedError(w)
// return
// }
// org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
// if err != nil {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// org, err := h.Store.Organization.GetOrganizationByDomain(a.Domain)
// if err != nil {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// ctx.OrgID = org.RefID
// ctx.OrgID = org.RefID
// // Fetch Keycloak auth provider config
// ac := ath.KeycloakConfig{}
// err = json.Unmarshal([]byte(org.AuthConfig), &ac)
// if err != nil {
// response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
// h.Runtime.Log.Error(method, err)
// return
// }
// // Fetch Keycloak auth provider config
// ac := ath.KeycloakConfig{}
// err = json.Unmarshal([]byte(org.AuthConfig), &ac)
// if err != nil {
// response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
// h.Runtime.Log.Error(method, err)
// return
// }
// // Decode and prepare RSA Public Key used by keycloak to sign JWT.
// pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
// if err != nil {
// response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
// h.Runtime.Log.Error(method, err)
// return
// }
// pk := string(pkb)
// pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
// // Decode and prepare RSA Public Key used by keycloak to sign JWT.
// pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
// if err != nil {
// response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
// h.Runtime.Log.Error(method, err)
// return
// }
// pk := string(pkb)
// pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
// // Decode and verify Keycloak JWT
// claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
// if err != nil {
// response.WriteBadRequestError(w, method, err.Error())
// h.Runtime.Log.Info("decodeKeycloakJWT failed")
// return
// }
// // Decode and verify Keycloak JWT
// claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
// if err != nil {
// response.WriteBadRequestError(w, method, err.Error())
// h.Runtime.Log.Info("decodeKeycloakJWT failed")
// return
// }
// // Compare the contents from JWT with what we have.
// // Guards against MITM token tampering.
// if a.Email != claims["email"].(string) {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Info(">> Start Keycloak debug")
// h.Runtime.Log.Info(a.Email)
// h.Runtime.Log.Info(claims["email"].(string))
// h.Runtime.Log.Info(">> End Keycloak debug")
// return
// }
// // Compare the contents from JWT with what we have.
// // Guards against MITM token tampering.
// if a.Email != claims["email"].(string) {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Info(">> Start Keycloak debug")
// h.Runtime.Log.Info(a.Email)
// h.Runtime.Log.Info(claims["email"].(string))
// h.Runtime.Log.Info(">> End Keycloak debug")
// return
// }
// h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
// h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
// u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
// if err != nil && err != sql.ErrNoRows {
// response.WriteServerError(w, method, err)
// h.Runtime.Log.Error(method, err)
// return
// }
// u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
// if err != nil && err != sql.ErrNoRows {
// response.WriteServerError(w, method, err)
// h.Runtime.Log.Error(method, err)
// return
// }
// // Create user account if not found
// if err == sql.ErrNoRows {
// h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
// // Create user account if not found
// if err == sql.ErrNoRows {
// h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
// u = user.User{}
// u.Firstname = a.Firstname
// u.Lastname = a.Lastname
// u.Email = a.Email
// u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
// u.Salt = secrets.GenerateSalt()
// u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
// u = user.User{}
// u.Firstname = a.Firstname
// u.Lastname = a.Lastname
// u.Email = a.Email
// u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
// u.Salt = secrets.GenerateSalt()
// u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
// err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
// if err != nil {
// response.WriteServerError(w, method, err)
// h.Runtime.Log.Error(method, err)
// return
// }
// }
// err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
// if err != nil {
// response.WriteServerError(w, method, err)
// h.Runtime.Log.Error(method, err)
// return
// }
// }
// // Password correct and active user
// if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
// response.WriteUnauthorizedError(w)
// return
// }
// // Password correct and active user
// if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
// response.WriteUnauthorizedError(w)
// return
// }
// // Attach user accounts and work out permissions.
// usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
// // Attach user accounts and work out permissions.
// usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
// // No accounts signals data integrity problem
// // so we reject login request.
// if len(u.Accounts) == 0 {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// // No accounts signals data integrity problem
// // so we reject login request.
// if len(u.Accounts) == 0 {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// // Abort login request if account is disabled.
// for _, ac := range u.Accounts {
// if ac.OrgID == org.RefID {
// if ac.Active == false {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// break
// }
// }
// // Abort login request if account is disabled.
// for _, ac := range u.Accounts {
// if ac.OrgID == org.RefID {
// if ac.Active == false {
// response.WriteUnauthorizedError(w)
// h.Runtime.Log.Error(method, err)
// return
// }
// break
// }
// }
// // Generate JWT token
// authModel := ath.AuthenticationModel{}
// authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
// authModel.User = u
// // Generate JWT token
// authModel := ath.AuthenticationModel{}
// authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
// authModel.User = u
// response.WriteJSON(w, authModel)
// }
// response.WriteJSON(w, authModel)
}

75
domain/auth/ldap/ldap.go
View file

@ -16,8 +16,9 @@ import (
"fmt"
"strings"
"github.com/documize/community/core/stringutil"
lm "github.com/documize/community/model/auth"
// "github.com/documize/community/model/user"
"github.com/documize/community/model/user"
"github.com/pkg/errors"
ld "gopkg.in/ldap.v2"
)
@ -201,9 +202,79 @@ func executeGroupFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {
func extractUser(c lm.LDAPConfig, e *ld.Entry) (u lm.LDAPUser) {
u.Firstname = e.GetAttributeValue(c.AttributeUserFirstname)
u.Lastname = e.GetAttributeValue(c.AttributeUserLastname)
u.Email = e.GetAttributeValue(c.AttributeUserEmail)
u.Email = strings.ToLower(e.GetAttributeValue(c.AttributeUserEmail))
u.RemoteID = e.GetAttributeValue(c.AttributeUserRDN)
u.CN = e.GetAttributeValue("cn")
// Make name elements from DisplayName if we can.
if (len(u.Firstname) == 0 || len(u.Firstname) == 0) &&
len(e.GetAttributeValue(c.AttributeUserDisplayName)) > 0 {
}
if len(u.Firstname) == 0 {
u.Firstname = "Empty"
}
if len(u.Lastname) == 0 {
u.Lastname = "Empty"
}
return
}
// ConvertUsers creates a unique list of users using email as primary key.
// The result is a collection of Documize user objects.
func convertUsers(c lm.LDAPConfig, lu []lm.LDAPUser) (du []user.User) {
for _, i := range lu {
add := true
for _, j := range du {
if len(j.Email) > 0 && i.Email == j.Email {
add = false
break
}
}
// skip if empty email address
add = len(i.Email) > 0
if add {
nu := user.User{}
nu.Editor = c.DefaultPermissionAddSpace
nu.Active = true
nu.Email = i.Email
nu.ViewUsers = false
nu.Analytics = false
nu.Admin = false
nu.Global = false
nu.Firstname = i.Firstname
nu.Lastname = i.Lastname
nu.Initials = stringutil.MakeInitials(i.Firstname, i.Lastname)
du = append(du, nu)
}
}
return
}
// FetchUsers from LDAP server using both User and Group filters.
func fetchUsers(c lm.LDAPConfig) (du []user.User, err error) {
du = []user.User{}
e1, err := executeUserFilter(c)
if err != nil {
err = errors.Wrap(err, "unable to execute user filter")
return
}
e2, err := executeGroupFilter(c)
if err != nil {
err = errors.Wrap(err, "unable to execute group filter")
return
}
// convert users from LDAP format to Documize format.
e3 := []lm.LDAPUser{}
e3 = append(e3, e1...)
e3 = append(e3, e2...)
du = convertUsers(c, e3)
return
}

31
domain/auth/ldap/local_test.go
View file

@ -60,6 +60,32 @@ func TestUserFilter_LocalLDAP(t *testing.T) {
}
}
func TestDualFilters_LocalLDAP(t *testing.T) {
testConfigLocalLDAP.UserFilter = "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))"
e1, err := executeUserFilter(testConfigLocalLDAP)
if err != nil {
t.Error("unable to exeucte user filter", err.Error())
return
}
testConfigLocalLDAP.GroupFilter = "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))"
e2, err := executeGroupFilter(testConfigLocalLDAP)
if err != nil {
t.Error("unable to exeucte group filter", err.Error())
return
}
e3 := []lm.LDAPUser{}
e3 = append(e3, e1...)
e3 = append(e3, e2...)
users := convertUsers(testConfigLocalLDAP, e3)
for _, u := range users {
t.Logf("(%s %s) @ %s\n",
u.Firstname, u.Lastname, u.Email)
}
}
func TestGroupFilter_LocalLDAP(t *testing.T) {
testConfigLocalLDAP.GroupFilter = "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))"
@ -74,11 +100,6 @@ func TestGroupFilter_LocalLDAP(t *testing.T) {
}
t.Logf("LDAP group search entries found: %d", len(e))
for _, u := range e {
t.Logf("[%s] %s (%s %s) @ %s\n",
u.RemoteID, u.CN, u.Firstname, u.Lastname, u.Email)
}
}
func TestAuthenticate_LocalLDAP(t *testing.T) {

88
gui/app/components/customize/auth-settings.js
View file

@ -20,12 +20,17 @@ import Component from '@ember/component';
export default Component.extend(Notifier, {
appMeta: service(),
isDocumizeProvider: computed('authProvider', function() {
return this.get('authProvider') === this.get('constants').AuthProvider.Documize;
}),
isKeycloakProvider: computed('authProvider', function() {
return this.get('authProvider') === this.get('constants').AuthProvider.Keycloak;
}),
isLDAPProvider: computed('authProvider', function() {
return this.get('authProvider') === this.get('constants').AuthProvider.LDAP;
}),
KeycloakUrlError: empty('keycloakConfig.url'),
KeycloakRealmError: empty('keycloakConfig.realm'),
KeycloakClientIdError: empty('keycloakConfig.clientId'),
@ -34,9 +39,28 @@ export default Component.extend(Notifier, {
KeycloakAdminPasswordError: empty('keycloakConfig.adminPassword'),
keycloakFailure: '',
ldapErrorServerHost: empty('ldapConfig.serverHost'),
ldapErrorServerPort: computed('ldapConfig.serverPort', function() {
return is.empty(this.get('ldapConfig.serverPort')) || is.not.number(parseInt(this.get('ldapConfig.serverPort')));
}),
ldapErrorBindDN: empty('ldapConfig.bindDN'),
ldapErrorBindPassword: empty('ldapConfig.bindPassword'),
ldapErrorNoFilter: computed('ldapConfig.{userFilter,groupFilter}', function() {
return is.empty(this.get('ldapConfig.userFilter')) && is.empty(this.get('ldapConfig.groupFilter'));
}),
ldapErrorAttributeUserRDN: empty('ldapConfig.attributeUserRDN'),
ldapErrorAttributeUserFirstname: empty('ldapConfig.attributeUserFirstname'),
ldapErrorAttributeUserLastname: empty('ldapConfig.attributeUserLastname'),
ldapErrorAttributeUserEmail: empty('ldapConfig.attributeUserEmail'),
ldapErrorAttributeGroupMember: computed('ldapConfig.{groupFilter,attributeGroupMember}', function() {
return is.not.empty(this.get('ldapConfig.groupFilter')) && is.empty(this.get('ldapConfig.attributeGroupMember'));
}),
init() {
this._super(...arguments);
let constants = this.get('constants');
this.keycloakConfig = {
url: '',
realm: '',
@ -48,6 +72,27 @@ export default Component.extend(Notifier, {
disableLogout: false,
defaultPermissionAddSpace: false
};
this.ldapConfig = {
serverType: constants.AuthProvider.ServerTypeLDAP,
serverHost: '',
serverPort: 389,
encryptionType: constants.AuthProvider.EncryptionTypeStartTLS,
baseDN: "",
bindDN: "cn=admin,dc=planetexpress,dc=com",
bindPassword: "GoodNewsEveryone",
userFilter: "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))",
groupFilter: "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))",
attributeUserRDN: "uid",
attributeUserFirstname: "givenName",
attributeUserLastname: "sn",
attributeUserEmail: "mail",
attributeUserDisplayName: "",
attributeUserGroupName: "",
attributeGroupMember: "member",
disableLogout: false,
defaultPermissionAddSpace: false
};
},
didReceiveAttrs() {
@ -60,6 +105,7 @@ export default Component.extend(Notifier, {
case constants.AuthProvider.Documize:
// nothing to do
break;
case constants.AuthProvider.Keycloak: // eslint-disable-line no-case-declarations
let config = this.get('authConfig');
@ -74,6 +120,19 @@ export default Component.extend(Notifier, {
this.set('keycloakConfig', config);
break;
case constants.AuthProvider.LDAP: // eslint-disable-line no-case-declarations
let ldapConfig = this.get('authConfig');
if (is.undefined(ldapConfig) || is.null(ldapConfig) || is.empty(ldapConfig) ) {
ldapConfig = {};
} else {
ldapConfig.defaultPermissionAddSpace = ldapConfig.hasOwnProperty('defaultPermissionAddSpace') ? ldapConfig.defaultPermissionAddSpace : false;
ldapConfig.disableLogout = ldapConfig.hasOwnProperty('disableLogout') ? ldapConfig.disableLogout : true;
}
this.set('ldapConfig', ldapConfig);
break;
}
},
@ -88,6 +147,15 @@ export default Component.extend(Notifier, {
this.set('authProvider', constants.AuthProvider.Keycloak);
},
onLDAP() {
let constants = this.get('constants');
this.set('authProvider', constants.AuthProvider.LDAP);
},
onLDAPEncryption(e) {
this.set('ldapConfig.encryptionType', e);
},
onSave() {
let constants = this.get('constants');
let provider = this.get('authProvider');
@ -99,6 +167,7 @@ export default Component.extend(Notifier, {
case constants.AuthProvider.Documize:
config = {};
break;
case constants.AuthProvider.Keycloak:
if (this.get('KeycloakUrlError')) {
this.$("#keycloak-url").focus();
@ -142,13 +211,31 @@ export default Component.extend(Notifier, {
set(config, 'publicKey', encoding.Base64.encode(this.get('keycloakConfig.publicKey')));
break;
case constants.AuthProvider.LDAP:
if (this.get('ldapErrorServerHost')) {
this.$("#ldap-host").focus();
return;
}
if (this.get('ldapErrorServerPort')) {
this.$("#ldap-port").focus();
return;
}
config = copy(this.get('ldapConfig'));
config.serverHost = config.serverHost.trim();
config.serverPort = parseInt(this.get('ldapConfig.serverPort'));
break;
}
debugger;
this.showWait();
let data = { authProvider: provider, authConfig: JSON.stringify(config) };
this.get('onSave')(data).then(() => {
// Without sync we cannot log in
if (data.authProvider === constants.AuthProvider.Keycloak) {
this.get('onSync')().then((response) => {
if (response.isError) {
@ -165,6 +252,7 @@ export default Component.extend(Notifier, {
}
});
}
this.showDone();
});
}

6
gui/app/constants/constants.js
View file

@ -24,7 +24,11 @@ let constants = EmberObject.extend({
AuthProvider: { // eslint-disable-line ember/avoid-leaking-state-in-ember-objects
Documize: 'documize',
Keycloak: 'keycloak',
LDAP: 'ldap'
LDAP: 'ldap',
ServerTypeLDAP: 'ldap',
ServerTypeAD: 'ad',
EncryptionTypeNone: 'none',
EncryptionTypeStartTLS: 'starttls'
},
DocumentActionType: { // eslint-disable-line ember/avoid-leaking-state-in-ember-objects

25
gui/app/pods/customize/auth/route.js
View file

@ -26,11 +26,36 @@ export default Route.extend(AuthenticatedRouteMixin, {
},
model() {
let constants = this.get('constants');
let data = {
authProvider: this.get('appMeta.authProvider'),
authConfig: null,
};
let config = {
ServerType: constants.AuthProvider.ServerTypeLDAP,
ServerHost: "127.0.0.1",
ServerPort: 389,
EncryptionType: constants.AuthProvider.EncryptionTypeStartTLS,
BaseDN: "ou=people,dc=planetexpress,dc=com",
BindDN: "cn=admin,dc=planetexpress,dc=com",
BindPassword: "GoodNewsEveryone",
UserFilter: "(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))",
GroupFilter: "(&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff)))",
AttributeUserRDN: "uid",
AttributeUserFirstname: "givenName",
AttributeUserLastname: "sn",
AttributeUserEmail: "mail",
AttributeUserDisplayName: "",
AttributeUserGroupName: "",
AttributeGroupMember: "member",
};
this.get('global').previewLDAP(config).then((r) => {
console.log(r);
});
return new EmberPromise((resolve) => {
let constants = this.get('constants');

2
gui/app/pods/customize/auth/template.hbs
View file

@ -1,2 +1,2 @@
{{customize/auth-settings authProvider=model.authProvider authConfig=model.authConfig
{{customize/auth-settings authProvider=model.authProvider authConfig=model.authConfig
onSave=(action 'onSave') onSync=(action 'onSync') onChange=(action 'onChange')}}

13
gui/app/services/global.js
View file

@ -106,6 +106,19 @@ export default Service.extend({
}
},
previewLDAP(config) {
if(this.get('sessionService.isAdmin')) {
return this.get('ajax').request(`global/sync/ldap/preview`, {
method: 'POST',
data: JSON.stringify(config)
}).then((response) => {
return response;
}).catch((error) => {
return error;
});
}
},
// Returns product license.
searchStatus() {
if (this.get('sessionService.isGlobalAdmin')) {

7
gui/app/styles/bootstrap.scss vendored
View file

@ -80,9 +80,14 @@ $input-btn-focus-color: rgba($color-primary, .25);
font-weight: 500;
}
> small {
> small, > div[class*="col"] > small {
font-size: 1rem;
}
> small.highlight, > div[class*="col"] > small.highlight {
font-size: 1rem;
color: $color-orange !important;
}
}
// links

1
gui/app/styles/color.scss
View file

@ -39,6 +39,7 @@ $color-red: #9E0D1F;
$color-green: #348A37;
$color-blue: #2667af;
$color-goldy: #FFD700;
$color-yellow: #fff8dc;
$color-orange: #FFAD15;
// widgets

531
gui/app/styles/vendor.scss
View file

File diff suppressed because one or more lines are too long

58
gui/app/styles/widget/widget-list-picker.scss
View file

@ -7,37 +7,79 @@
padding: 0;
> .option {
@include ease-in();
margin: 0 0 5px 0;
@include border-radius(3px);
margin: 0 0 15px 0;
padding: 10px 15px;
color: $color-gray;
background-color: $color-off-white;
border: 1px solid $color-gray;
cursor: pointer;
position: relative;
list-style-type: none;
line-height: 26px;
&:hover {
color: $color-black;
// background-color: $color-primary-light;
> .text-header, > .text {
color: $color-off-black;
}
}
> .text-header {
@include ease-in();
color: $color-gray;
font-size: 1.3rem;
font-weight: 600;
margin-bottom: 5px;
overflow: hidden;
text-overflow: ellipsis;
white-space: nowrap;
width: 80%;
}
> .text {
@include ease-in();
color: $color-gray;
font-size: 1rem;
font-weight: 500;
overflow: hidden;
text-overflow: ellipsis;
white-space: nowrap;
width: 80%;
font-weight: bold;
}
> .material-icons {
position: absolute;
top: 10px;
right: 10px;
color: $color-white;
color: $color-green;
font-weight: 700;
font-size: 1.3rem;
}
}
> .selected {
color: $color-white !important;
background-color: $color-link !important;
> .text-header, > .text {
color: $color-off-black;
}
background-color: $color-yellow !important;
border: 1px solid $color-goldy !important;
}
}
}
.widget-list-picker-horiz {
> .options {
> .option {
display: inline-block;
margin: 15px 15px 0 0;
padding: 10px 15px;
width: 30%;
@media only screen and (max-width: 1200px) {
display: block;
width: 100%;
}
}
}
}

200
gui/app/templates/components/customize/auth-settings.hbs
View file

@ -9,91 +9,213 @@
<div class="view-customize">
<form class="mt-5">
<div class="form-group row">
<label class="col-sm-2 col-form-label">Provider</label>
<div class="col-sm-10">
{{#ui/ui-radio selected=isDocumizeProvider onClick=(action 'onDocumize')}} Documize &mdash; email/password{{/ui/ui-radio}}
{{#ui/ui-radio selected=isKeycloakProvider onClick=(action 'onKeycloak')}} Keycloak &mdash; bring your own authentication server{{/ui/ui-radio}}
<small class="form-text text-muted">
External authentication servers, services must be accessible from the server running this Documize instance
</small>
</div>
<div class="widget-list-picker widget-list-picker-horiz mb-5">
<ul class="options">
<li class="option {{if isDocumizeProvider 'selected'}}" {{action 'onDocumize'}}>
<div class="text-header">Documize</div>
<div class="text">Built-in email/password</div>
{{#if isDocumizeProvider}}
<i class="material-icons">check</i>
{{/if}}
</li>
<li class="option {{if isKeycloakProvider 'selected'}}" {{action 'onKeycloak'}}>
<div class="text-header">Keycloak</div>
<div class="text">Via authentication server</div>
{{#if isKeycloakProvider}}
<i class="material-icons">check</i>
{{/if}}
</li>
<li class="option {{if isLDAPProvider 'selected'}}" {{action 'onLDAP'}}>
<div class="text-header">LDAP</div>
<div class="text">Connect to LDAP/ Active Directory</div>
{{#if isLDAPProvider}}
<i class="material-icons">check</i>
{{/if}}
</li>
</ul>
</div>
{{#if isKeycloakProvider}}
<div class="form-group row">
<label for="keycloak-url" class="col-sm-2 col-form-label">Keycloak Server URL</label>
<div class="col-sm-10">
<label for="keycloak-url" class="col-sm-3 col-form-label">Keycloak Server URL</label>
<div class="col-sm-9">
{{focus-input id="keycloak-url" type="text" value=keycloakConfig.url class=(if KeycloakUrlError 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">e.g. http://localhost:8888/auth</small>
</div>
</div>
<div class="form-group row">
<label for="keycloak-realm" class="col-sm-2 col-form-label">Keycloak Realm</label>
<div class="col-sm-10">
<label for="keycloak-realm" class="col-sm-3 col-form-label">Keycloak Realm</label>
<div class="col-sm-9">
{{input id="keycloak-realm" type="text" value=keycloakConfig.realm class=(if KeycloakRealmError 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">e.g. main</small>
</div>
</div>
<div class="form-group row">
<label for="keycloak-publicKey" class="col-sm-2 col-form-label">Keycloak Realm Public Key</label>
<div class="col-sm-10">
<label for="keycloak-publicKey" class="col-sm-3 col-form-label">Keycloak Realm Public Key</label>
<div class="col-sm-9">
{{textarea id="keycloak-publicKey" type="text" value=keycloakConfig.publicKey rows=7 class=(if KeycloakPublicKeyError 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Copy the RSA Public Key from Realm Settings &rarr; Keys</small>
</div>
</div>
<div class="form-group row">
<label for="keycloak-clientId" class="col-sm-2 col-form-label">Keycloak OIDC Client ID</label>
<div class="col-sm-10">
<label for="keycloak-clientId" class="col-sm-3 col-form-label">Keycloak OIDC Client ID</label>
<div class="col-sm-9">
{{input id="keycloak-clientId" type="text" value=keycloakConfig.clientId class=(if KeycloakClientIdError 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">e.g. account</small>
</div>
</div>
<div class="form-group row">
<label for="keycloak-group" class="col-sm-2 col-form-label">Keycloak Group ID (Optional)</label>
<div class="col-sm-10">
<label for="keycloak-group" class="col-sm-3 col-form-label">Keycloak Group ID (Optional)</label>
<div class="col-sm-9">
{{input id="keycloak-group" type="text" value=keycloakConfig.group class="form-control"}}
<small class="form-text text-muted">If you want to sync users in a particular Group (e.g. 'Documize Users'), provide the Group ID (e.g. 511d8b61-1ec8-45f6-bc8d-5de64d54c9d2)</small>
</div>
</div>
<div class="form-group row">
<label for="keycloak-admin-user" class="col-sm-2 col-form-label">Keycloak Username</label>
<div class="col-sm-10">
<label for="keycloak-admin-user" class="col-sm-3 col-form-label">Keycloak Username</label>
<div class="col-sm-9">
{{input id="keycloak-admin-user" type="text" value=keycloakConfig.adminUser class=(if KeycloakAdminUserError 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Used to connect with Keycloak and sync users with Documize (create user under Master Realm and assign 'view-users' role
against Realm specified above)</small>
</div>
</div>
<div class="form-group row">
<label for="keycloak-admin-password" class="col-sm-2 col-form-label">Keycloak Password</label>
<div class="col-sm-10">
<label for="keycloak-admin-password" class="col-sm-3 col-form-label">Keycloak Password</label>
<div class="col-sm-9">
{{input id="keycloak-admin-password" type="password" value=keycloakConfig.adminPassword class=(if KeycloakAdminPasswordError 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Used to connect with Keycloak and sync users with Documize</small>
</div>
</div>
<div class="form-group row">
<label for="keycloak-admin-password" class="col-sm-2 col-form-label">Logout</label>
<div class="col-sm-10">
<div class="form-check">
{{input type="checkbox" class="form-check-input" id="keycloak-logout" checked=keycloakConfig.disableLogout}}
<label class="form-check-label" for="keycloak-logout">
Hide the logout button for Keycloak users
</label>
</div>
<label class="col-sm-3 col-form-label">Disable Logout</label>
<div class="col-sm-9">
{{x-toggle value=keycloakConfig.disableLogout size="medium" theme="light" onToggle=(action (mut keycloakConfig.disableLogout))}}
</div>
</div>
<div class="form-group row">
<label for="keycloak-admin-password" class="col-sm-2 col-form-label">Space Permission</label>
<div class="col-sm-10">
<div class="form-check">
{{input type="checkbox" class="form-check-input" id="keycloak-perm" checked=keycloakConfig.defaultPermissionAddSpace}}
<label class="form-check-label" for="keycloak-perm">
Can add spaces
</label>
</div>
<label for="ldap-defaultPermissionAddSpace" class="col-sm-3 col-form-label">Can Create Spaces</label>
<div class="col-sm-9">
{{x-toggle value=keycloakConfig.defaultPermissionAddSpace size="medium" theme="light" onToggle=(action (mut keycloakConfig.defaultPermissionAddSpace))}}
</div>
</div>
{{/if}}
{{#if isLDAPProvider}}
<div class="form-group row">
<label for="ldap-host" class="col-sm-3 col-form-label">LDAP Server</label>
<div class="col-sm-9">
{{focus-input id="ldap-host" type="text" value=ldapConfig.serverHost class=(if ldapErrorServerHost 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">IP or host address, e.g. ldap.example.org, 127.0.0.1</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-port" class="col-sm-3 col-form-label">LDAP Server Port</label>
<div class="col-sm-9">
{{input id="ldap-port" type="number" value=ldapConfig.serverPort class=(if ldapErrorServerPort 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Port number, e.g. 389</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-encryption" class="col-sm-3 col-form-label">Encryption</label>
<div class="col-sm-9">
<select onchange={{action 'onLDAPEncryption' value="target.value"}} class="form-control">
<option value="{{constants.AuthProvider.EncryptionTypeNone}}" selected={{is-equal ldapConfig.encryptionType constants.AuthProvider.EncryptionTypeNone}}>
{{constants.AuthProvider.EncryptionTypeNone}}
</option>
<option value="{{constants.AuthProvider.EncryptionTypeStartTLS}}" selected={{is-equal ldapConfig.encryptionType constants.AuthProvider.EncryptionTypeStartTLS}}>
{{constants.AuthProvider.EncryptionTypeStartTLS}}
</option>
</select>
</div>
</div>
<div class="form-group row">
<label for="ldap-baseDN" class="col-sm-3 col-form-label">Base DN</label>
<div class="col-sm-9">
{{input id="ldap-baseDN" type="number" value=ldapConfig.baseDN class='form-control'}}
<small class="form-text text-muted">Starting point for search filters, e.g. ou=users,dc=example,dc=com</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-bindDN" class="col-sm-3 col-form-label">Bind DN</label>
<div class="col-sm-9">
{{input id="ldap-bindDN" type="text" value=ldapConfig.bindDN class=(if ldapErrorBindDN 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">login credentials for LDAP server</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-bindPassword" class="col-sm-3 col-form-label">Bind Password</label>
<div class="col-sm-9">
{{input id="ldap-bindPassword" type="password" value=ldapConfig.bindPassword class=(if ldapErrorBindPassword 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">login credentials for LDAP server</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-userFilter" class="col-sm-3 col-form-label">User Filter</label>
<div class="col-sm-9">
{{input id="ldap-userFilter" type="text" value=ldapConfig.userFilter class=(if ldapErrorNoFilter 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Search filter for finding users, e.g. (|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))</small>
<small class="form-text text-muted highlight">Specify User Filter and/or Group Filter</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-groupFilter" class="col-sm-3 col-form-label">Group Filter</label>
<div class="col-sm-9">
{{input id="ldap-groupFilter" type="text" value=ldapConfig.groupFilter class=(if ldapErrorNoFilter 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Search filter for finding users via groups, e.g. (&(objectClass=group)(|(cn=ship_crew)(cn=admin_staff))</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-attributeUserRDN" class="col-sm-3 col-form-label">User Attribute RDN</label>
<div class="col-sm-9">
{{input id="ldap-attributeUserRDN" type="text" value=ldapConfig.attributeUserRDN class=(if ldapErrorAttributeUserRDN 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Username/login attribute, e.g. uid in LDAP, sAMAccountName in Active Directory</small>
<small class="form-text text-muted highlight">User Attributes used to retreive data when using User Filter</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-attributeUserFirstname" class="col-sm-3 col-form-label">User Attribute Firstname</label>
<div class="col-sm-9">
{{input id="ldap-attributeUserFirstname" type="text" value=ldapConfig.attributeUserFirstname class=(if ldapErrorAttributeUserFirstname 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Firstname attribute, e.g. givenName</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-attributeUserLastname" class="col-sm-3 col-form-label">User Attribute Lastname</label>
<div class="col-sm-9">
{{input id="ldap-attributeUserLastname" type="text" value=ldapConfig.attributeUserLastname class=(if ldapErrorAttributeUserLastname 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Lastname attribute, e.g. sn</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-attributeUserEmail" class="col-sm-3 col-form-label">User Attribute Email</label>
<div class="col-sm-9">
{{input id="ldap-attributeUserEmail" type="text" value=ldapConfig.attributeUserEmail class=(if ldapErrorAttributeUserEmail 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Email attribute, e.g. mail</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-attributeGroupMember" class="col-sm-3 col-form-label">Group Attribute Member</label>
<div class="col-sm-9">
{{input id="ldap-attributeGroupMember" type="text" value=ldapConfig.attributeGroupMember class=(if ldapErrorAttributeGroupMember 'form-control is-invalid' 'form-control')}}
<small class="form-text text-muted">Attribute that identifies individual group member, e.g. member or uniqueMember</small>
<small class="form-text text-muted highlight">Group Attributes used to retreive data when using Group Filter</small>
</div>
</div>
<div class="form-group row">
<label for="ldap-disableLogout" class="col-sm-3 col-form-label">Disable Logout</label>
<div class="col-sm-9">
{{x-toggle value=ldapConfig.disableLogout size="medium" theme="light" onToggle=(action (mut ldapConfig.disableLogout))}}
</div>
</div>
<div class="form-group row">
<label for="ldap-defaultPermissionAddSpace" class="col-sm-3 col-form-label">Can Create Spaces</label>
<div class="col-sm-9">
{{x-toggle value=ldapConfig.defaultPermissionAddSpace size="medium" theme="light" onToggle=(action (mut ldapConfig.defaultPermissionAddSpace))}}
</div>
</div>
{{/if}}
<div class="btn btn-success mt-4" {{action 'onSave'}}>Save</div>
</form>

2
server/routing/routes.go
View file

@ -214,7 +214,7 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) {
AddPrivate(rt, "global/search/status", []string{"GET", "OPTIONS"}, nil, meta.SearchStatus)
AddPrivate(rt, "global/search/reindex", []string{"POST", "OPTIONS"}, nil, meta.Reindex)
AddPrivate(rt, "global/sync/keycloak", []string{"GET", "OPTIONS"}, nil, keycloak.Sync)
AddPrivate(rt, "global/sync/ldap", []string{"GET", "OPTIONS"}, nil, ldap.Sync)
AddPrivate(rt, "global/sync/ldap/preview", []string{"POST", "OPTIONS"}, nil, ldap.Preview)
Add(rt, RoutePrefixRoot, "robots.txt", []string{"GET", "OPTIONS"}, nil, meta.RobotsTxt)
Add(rt, RoutePrefixRoot, "sitemap.xml", []string{"GET", "OPTIONS"}, nil, meta.Sitemap)