jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
7df89e66c8783d5afd423592de13acd855e8a9a6
cloudron-box/src/ldap.js

759 lines
31 KiB
JavaScript
Raw Normal View History

app.portBindings and newManifest.tcpPorts may be null
2015-07-20 00:09:47 -07:00
'use strict';
exports = module.exports = {
rename addons.js to services.js services is the named container (services view) addons is more like a heroku concept
2021-01-21 11:31:35 -08:00
start,
stop
app.portBindings and newManifest.tcpPorts may be null
2015-07-20 00:09:47 -07:00
};
rename addons.js to services.js services is the named container (services view) addons is more like a heroku concept
2021-01-21 11:31:35 -08:00
const assert = require('assert'),
Verify password for sendmail/recvmail addon Part of #109
2017-03-26 19:14:50 -07:00
appdb = require('./appdb.js'),
Adhere to access control on ldap user bind
2016-02-18 16:04:53 +01:00
apps = require('./apps.js'),
Only list users who have access to the app in an ldap search Part of #215
2017-03-13 11:01:11 +01:00
async = require('async'),
Start moving db code to use BoxError as well
2019-10-24 11:13:48 -07:00
BoxError = require('./boxerror.js'),
Move ExternalLdapError to BoxError
2019-10-24 13:41:41 -07:00
constants = require('./constants.js'),
app.portBindings and newManifest.tcpPorts may be null
2015-07-20 00:09:47 -07:00
debug = require('debug')('box:ldap'),
add user login to event log
2016-04-30 23:16:37 -07:00
eventlog = require('./eventlog.js'),
mail: owner can be a group
2020-11-12 23:25:33 -08:00
groups = require('./groups.js'),
add mailbox ldap auth point
2016-05-29 17:25:23 -07:00
ldap = require('ldapjs'),
Also check if the domain has mail enabled for ldap sendmail auth
2018-01-22 20:35:08 +01:00
mail = require('./mail.js'),
remove mailbox routes and move it to users
2016-09-21 15:34:58 -07:00
mailboxdb = require('./mailboxdb.js'),
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
path = require('path'),
keep it alphabetical
2019-03-22 15:42:16 -07:00
safe = require('safetydance'),
rename addons.js to services.js services is the named container (services view) addons is more like a heroku concept
2021-01-21 11:31:35 -08:00
services = require('./services.js'),
Move UsersError to BoxError
2019-10-24 14:40:26 -07:00
users = require('./users.js');
app.portBindings and newManifest.tcpPorts may be null
2015-07-20 00:09:47 -07:00
var gServer = null;
var NOOP = function () {};
Add ldap memberof attribute
2015-08-12 15:31:44 +02:00
var GROUP_USERS_DN = 'cn=users,ou=groups,dc=cloudron';
CN of admin group is admins
2015-08-18 16:35:52 -07:00
var GROUP_ADMINS_DN = 'cn=admins,ou=groups,dc=cloudron';
Add ldap memberof attribute
2015-08-12 15:31:44 +02:00
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
// Will attach req.app if successful
function authenticateApp(req, res, next) {
The ldap property is part of req.connection
2016-02-18 16:40:30 +01:00
var sourceIp = req.connection.ldap.id.split(':')[0];
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
if (sourceIp.split('.').length !== 4) return next(new ldap.InsufficientAccessRightsError('Missing source identifier'));
Adhere to access control on ldap user bind
2016-02-18 16:04:53 +01:00
apps.getByIpAddress(sourceIp, function (error, app) {
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
if (error) return next(new ldap.OperationsError(error.message));
if (!app) return next(new ldap.OperationsError('Could not detect app source'));
do not allow access if app is not found
2016-06-17 10:08:41 -05:00
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
req.app = app;
do not allow access if app is not found
2016-06-17 10:08:41 -05:00
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
next();
Adhere to access control on ldap user bind
2016-02-18 16:04:53 +01:00
});
}
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
function getUsersWithAccessToApp(req, callback) {
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
assert.strictEqual(typeof req.app, 'object');
add some asserts in the ldap code
2017-03-13 11:10:08 +01:00
assert.strictEqual(typeof callback, 'function');
Add user pagination to rest api
2019-01-14 16:39:20 +01:00
users.getAll(function (error, result) {
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
if (error) return callback(new ldap.OperationsError(error.toString()));
Only list users who have access to the app in an ldap search Part of #215
2017-03-13 11:01:11 +01:00
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
async.filter(result, apps.hasAccessTo.bind(null, req.app), function (error, allowedUsers) {
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
if (error) return callback(new ldap.OperationsError(error.toString()));
Only list users who have access to the app in an ldap search Part of #215
2017-03-13 11:01:11 +01:00
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
callback(null, allowedUsers);
app.portBindings and newManifest.tcpPorts may be null
2015-07-20 00:09:47 -07:00
});
});
refactor code for readability
2016-05-12 13:36:53 -07:00
}
app.portBindings and newManifest.tcpPorts may be null
2015-07-20 00:09:47 -07:00
Add ldap pagination support
2017-10-27 01:25:07 +02:00
// helper function to deal with pagination
function finalSend(results, req, res, next) {
var min = 0;
var max = results.length;
var cookie = null;
var pageSize = 0;
// check if this is a paging request, if so get the cookie for session info
req.controls.forEach(function (control) {
if (control.type === ldap.PagedResultsControl.OID) {
pageSize = control.value.size;
cookie = control.value.cookie;
}
});
function sendPagedResults(start, end) {
start = (start < min) ? min : start;
end = (end > max || end < min) ? max : end;
var i;
for (i = start; i < end; i++) {
res.send(results[i]);
}
return i;
}
if (cookie && Buffer.isBuffer(cookie)) {
// we have pagination
var first = min;
if (cookie.length !== 0) {
first = parseInt(cookie.toString(), 10);
}
var last = sendPagedResults(first, first + pageSize);
var resultCookie;
if (last < max) {
Fix buffer warnings
2019-03-21 20:06:14 -07:00
resultCookie = Buffer.from(last.toString());
Add ldap pagination support
2017-10-27 01:25:07 +02:00
} else {
Fix buffer warnings
2019-03-21 20:06:14 -07:00
resultCookie = Buffer.from('');
Add ldap pagination support
2017-10-27 01:25:07 +02:00
}
res.controls.push(new ldap.PagedResultsControl({
value: {
size: pageSize, // correctness not required here
cookie: resultCookie
}
}));
} else {
// no pagination simply send all
results.forEach(function (result) {
res.send(result);
});
}
// all done
res.end();
next();
}
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
function userSearch(req, res, next) {
debug('user search: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);
getUsersWithAccessToApp(req, function (error, result) {
if (error) return next(error);
Add ldap pagination support
2017-10-27 01:25:07 +02:00
var results = [];
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
// send user objects
migrate permissions and admin flag to user.role
2020-02-21 12:17:06 -08:00
result.forEach(function (user) {
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
// skip entries with empty username. Some apps like owncloud can't deal with this
migrate permissions and admin flag to user.role
2020-02-21 12:17:06 -08:00
if (!user.username) return;
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
migrate permissions and admin flag to user.role
2020-02-21 12:17:06 -08:00
var dn = ldap.parseDN('cn=' + user.id + ',ou=users,dc=cloudron');
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
mail: owner can be a group
2020-11-12 23:25:33 -08:00
var memberof = [ GROUP_USERS_DN ];
if (users.compareRoles(user.role, users.ROLE_ADMIN) >= 0) memberof.push(GROUP_ADMINS_DN);
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
migrate permissions and admin flag to user.role
2020-02-21 12:17:06 -08:00
var displayName = user.displayName || user.username || ''; // displayName can be empty and username can be null
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
var nameParts = displayName.split(' ');
var firstName = nameParts[0];
var lastName = nameParts.length > 1 ? nameParts[nameParts.length - 1] : ''; // choose last part, if it exists
var obj = {
dn: dn.toString(),
attributes: {
add openldap compat apps like firefly-iii seem to require these fields when using the openldap driver
2020-01-05 15:14:44 -08:00
objectclass: ['user', 'inetorgperson', 'person' ],
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
objectcategory: 'person',
migrate permissions and admin flag to user.role
2020-02-21 12:17:06 -08:00
cn: user.id,
uid: user.id,
entryuuid: user.id, // to support OpenLDAP clients
mail: user.email,
mailAlternateAddress: user.fallbackEmail,
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
displayname: displayName,
givenName: firstName,
migrate permissions and admin flag to user.role
2020-02-21 12:17:06 -08:00
username: user.username,
samaccountname: user.username, // to support ActiveDirectory clients
mail: owner can be a group
2020-11-12 23:25:33 -08:00
memberof: memberof
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
}
};
// http://www.zytrax.com/books/ldap/ape/core-schema.html#sn has 'name' as SUP which is a DirectoryString
// which is required to have atleast one character if present
if (lastName.length !== 0) obj.attributes.sn = lastName;
// ensure all filter values are also lowercase
var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && lowerCaseFilter.matches(obj.attributes)) {
Add ldap pagination support
2017-10-27 01:25:07 +02:00
results.push(obj);
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
}
});
Add ldap pagination support
2017-10-27 01:25:07 +02:00
finalSend(results, req, res, next);
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
});
}
refactor code for readability
2016-05-12 13:36:53 -07:00
function groupSearch(req, res, next) {
log the ldap source
2016-05-16 14:14:58 -07:00
debug('group search: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);
refactor code for readability
2016-05-12 13:36:53 -07:00
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
getUsersWithAccessToApp(req, function (error, result) {
Only list users in ldap groups who have access to the app Fixes #215
2017-03-13 11:06:27 +01:00
if (error) return next(error);
refactor code for readability
2016-05-12 13:36:53 -07:00
Add ldap pagination support
2017-10-27 01:25:07 +02:00
var results = [];
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
var groups = [{
name: 'users',
admin: false
}, {
name: 'admins',
admin: true
}];
groups.forEach(function (group) {
var dn = ldap.parseDN('cn=' + group.name + ',ou=groups,dc=cloudron');
migrate permissions and admin flag to user.role
2020-02-21 12:17:06 -08:00
var members = group.admin ? result.filter(function (user) { return users.compareRoles(user.role, users.ROLE_ADMIN) >= 0; }) : result;
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
var obj = {
dn: dn.toString(),
attributes: {
objectclass: ['group'],
cn: group.name,
memberuid: members.map(function(entry) { return entry.id; })
}
};
// ensure all filter values are also lowercase
var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && lowerCaseFilter.matches(obj.attributes)) {
Add ldap pagination support
2017-10-27 01:25:07 +02:00
results.push(obj);
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
}
Only list users in ldap groups who have access to the app Fixes #215
2017-03-13 11:06:27 +01:00
});
Refactor ldap user listing code to avoid pyramids
2017-03-13 11:09:12 +01:00
Add ldap pagination support
2017-10-27 01:25:07 +02:00
finalSend(results, req, res, next);
app.portBindings and newManifest.tcpPorts may be null
2015-07-20 00:09:47 -07:00
});
refactor code for readability
2016-05-12 13:36:53 -07:00
}
Support ldap group compare Fixes #463
2017-10-24 01:35:35 +02:00
function groupUsersCompare(req, res, next) {
debug('group users compare: dn %s, attribute %s, value %s (from %s)', req.dn.toString(), req.attribute, req.value, req.connection.ldap.id);
getUsersWithAccessToApp(req, function (error, result) {
if (error) return next(error);
// we only support memberuid here, if we add new group attributes later add them here
if (req.attribute === 'memberuid') {
var found = result.find(function (u) { return u.id === req.value; });
if (found) return res.end(true);
}
res.end(false);
});
}
function groupAdminsCompare(req, res, next) {
debug('group admins compare: dn %s, attribute %s, value %s (from %s)', req.dn.toString(), req.attribute, req.value, req.connection.ldap.id);
getUsersWithAccessToApp(req, function (error, result) {
if (error) return next(error);
// we only support memberuid here, if we add new group attributes later add them here
if (req.attribute === 'memberuid') {
migrate permissions and admin flag to user.role
2020-02-21 12:17:06 -08:00
var user = result.find(function (u) { return u.id === req.value; });
if (user && users.compareRoles(user.role, users.ROLE_ADMIN) >= 0) return res.end(true);
Support ldap group compare Fixes #463
2017-10-24 01:35:35 +02:00
}
res.end(false);
});
}
ldap: fix mailbox search and bind
2016-09-26 10:18:58 -07:00
function mailboxSearch(req, res, next) {
debug('mailbox search: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);
add mailbox search endpoint
2016-05-29 18:24:54 -07:00
Allow search for mailboxes over ldap for a specific domain
2018-05-03 18:05:32 +02:00
// if cn is set we only search for one mailbox specifically
if (req.dn.rdns[0].attrs.cn) {
var email = req.dn.rdns[0].attrs.cn.value.toLowerCase();
var parts = email.split('@');
if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
Add ldap pagination support
2017-10-27 01:25:07 +02:00
Allow search for mailboxes over ldap for a specific domain
2018-05-03 18:05:32 +02:00
mailboxdb.getMailbox(parts[0], parts[1], function (error, mailbox) {
Move MailError to BoxError
2019-10-24 13:34:14 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
Allow search for mailboxes over ldap for a specific domain
2018-05-03 18:05:32 +02:00
if (error) return next(new ldap.OperationsError(error.toString()));
allow mailbox search by email
2016-09-26 21:03:07 -07:00
Allow search for mailboxes over ldap for a specific domain
2018-05-03 18:05:32 +02:00
var obj = {
dn: req.dn.toString(),
attributes: {
objectclass: ['mailbox'],
objectcategory: 'mailbox',
cn: `${mailbox.name}@${mailbox.domain}`,
uid: `${mailbox.name}@${mailbox.domain}`,
ldap: remove bogus name response
2019-03-22 15:58:53 -07:00
mail: `${mailbox.name}@${mailbox.domain}`
Allow search for mailboxes over ldap for a specific domain
2018-05-03 18:05:32 +02:00
}
};
add mailbox search endpoint
2016-05-29 18:24:54 -07:00
Allow search for mailboxes over ldap for a specific domain
2018-05-03 18:05:32 +02:00
// ensure all filter values are also lowercase
var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
Allow search for mailboxes over ldap for a specific domain
2018-05-03 18:05:32 +02:00
if (lowerCaseFilter.matches(obj.attributes)) {
finalSend([ obj ], req, res, next);
} else {
res.end();
}
});
Add comment
2020-03-06 13:05:31 -08:00
} else if (req.dn.rdns[0].attrs.domain) { // legacy ldap mailbox search for old sogo
Bring back legacy ldap mailbox search for old sogo
2020-03-06 11:48:51 -08:00
var domain = req.dn.rdns[0].attrs.domain.value.toLowerCase();
mailbox: list mailbox with alias info with a self join fixes #738
2021-01-07 21:25:38 -08:00
mailboxdb.listMailboxes(domain, 1, 1000, function (error, mailboxes) {
Bring back legacy ldap mailbox search for old sogo
2020-03-06 11:48:51 -08:00
if (error) return next(new ldap.OperationsError(error.toString()));
var results = [];
// send mailbox objects
mailbox: list mailbox with alias info with a self join fixes #738
2021-01-07 21:25:38 -08:00
mailboxes.forEach(function (mailbox) {
Bring back legacy ldap mailbox search for old sogo
2020-03-06 11:48:51 -08:00
var dn = ldap.parseDN(`cn=${mailbox.name}@${domain},domain=${domain},ou=mailboxes,dc=cloudron`);
var obj = {
dn: dn.toString(),
attributes: {
objectclass: ['mailbox'],
objectcategory: 'mailbox',
cn: `${mailbox.name}@${domain}`,
uid: `${mailbox.name}@${domain}`,
mail: `${mailbox.name}@${domain}`
}
};
// ensure all filter values are also lowercase
var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && lowerCaseFilter.matches(obj.attributes)) {
results.push(obj);
}
});
finalSend(results, req, res, next);
});
Add comment
2020-03-06 13:05:31 -08:00
} else { // new sogo
Improve LDAP mailbox searches to better suit sogo
2020-03-05 22:40:25 -08:00
mailboxdb.listAllMailboxes(1, 1000, function (error, mailboxes) {
Allow search for mailboxes over ldap for a specific domain
2018-05-03 18:05:32 +02:00
if (error) return next(new ldap.OperationsError(error.toString()));
var results = [];
// send mailbox objects
Improve LDAP mailbox searches to better suit sogo
2020-03-05 22:40:25 -08:00
async.eachSeries(mailboxes, function (mailbox, callback) {
var dn = ldap.parseDN(`cn=${mailbox.name}@${mailbox.domain},ou=mailboxes,dc=cloudron`);
mail: owner can be a group
2020-11-12 23:25:33 -08:00
let getFunc = mailbox.ownerType === mail.OWNERTYPE_USER ? users.get : groups.get;
getFunc(mailbox.ownerId, function (error, ownerObject) {
Improve LDAP mailbox searches to better suit sogo
2020-03-05 22:40:25 -08:00
if (error) return callback(); // skip mailboxes with unknown owner
var obj = {
dn: dn.toString(),
attributes: {
objectclass: ['mailbox'],
objectcategory: 'mailbox',
mail: owner can be a group
2020-11-12 23:25:33 -08:00
displayname: mailbox.ownerType === mail.OWNERTYPE_USER ? ownerObject.displayName : ownerObject.name,
Improve LDAP mailbox searches to better suit sogo
2020-03-05 22:40:25 -08:00
cn: `${mailbox.name}@${mailbox.domain}`,
uid: `${mailbox.name}@${mailbox.domain}`,
mail: `${mailbox.name}@${mailbox.domain}`
}
};
mailbox: list mailbox with alias info with a self join fixes #738
2021-01-07 21:25:38 -08:00
mailbox.aliases.forEach(function (a, idx) {
obj.attributes['mail' + idx] = `${a.name}@${a.domain}`;
});
Improve LDAP mailbox searches to better suit sogo
2020-03-05 22:40:25 -08:00
mailbox: list mailbox with alias info with a self join fixes #738
2021-01-07 21:25:38 -08:00
// ensure all filter values are also lowercase
var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
Improve LDAP mailbox searches to better suit sogo
2020-03-05 22:40:25 -08:00
mailbox: list mailbox with alias info with a self join fixes #738
2021-01-07 21:25:38 -08:00
if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && lowerCaseFilter.matches(obj.attributes)) {
results.push(obj);
}
Improve LDAP mailbox searches to better suit sogo
2020-03-05 22:40:25 -08:00
mailbox: list mailbox with alias info with a self join fixes #738
2021-01-07 21:25:38 -08:00
callback();
Improve LDAP mailbox searches to better suit sogo
2020-03-05 22:40:25 -08:00
});
}, function (error) {
if (error) return next(new ldap.OperationsError(error.toString()));
finalSend(results, req, res, next);
Allow search for mailboxes over ldap for a specific domain
2018-05-03 18:05:32 +02:00
});
});
}
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
}
Fix mailAlias LDAP listing
2016-09-26 14:38:23 -07:00
function mailAliasSearch(req, res, next) {
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
debug('mail alias get: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);
remove the alias and mailbox ldap listing code it's unused and complicates things. besides, this is not going to be possible to implement for the mailgroup code.
2016-09-27 11:45:49 -07:00
if (!req.dn.rdns[0].attrs.cn) return next(new ldap.NoSuchObjectError(req.dn.toString()));
Add ldap pagination support
2017-10-27 01:25:07 +02:00
ldap: mailbox routes now require the cn to be fully qualified
2018-01-18 18:14:31 -08:00
var email = req.dn.rdns[0].attrs.cn.value.toLowerCase();
var parts = email.split('@');
if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
mailboxdb.getAlias(parts[0], parts[1], function (error, alias) {
Move MailError to BoxError
2019-10-24 13:34:14 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
if (error) return next(new ldap.OperationsError(error.toString()));
remove the alias and mailbox ldap listing code it's unused and complicates things. besides, this is not going to be possible to implement for the mailgroup code.
2016-09-27 11:45:49 -07:00
// https://wiki.debian.org/LDAP/MigrationTools/Examples
// https://docs.oracle.com/cd/E19455-01/806-5580/6jej518pp/index.html
ldap: Make alias return fully qualified alias
2018-01-19 12:10:24 -08:00
// member is fully qualified - https://docs.oracle.com/cd/E19957-01/816-6082-10/chap4.doc.html#43314
remove the alias and mailbox ldap listing code it's unused and complicates things. besides, this is not going to be possible to implement for the mailgroup code.
2016-09-27 11:45:49 -07:00
var obj = {
remove unused variable
2016-09-27 11:58:02 -07:00
dn: req.dn.toString(),
remove the alias and mailbox ldap listing code it's unused and complicates things. besides, this is not going to be possible to implement for the mailgroup code.
2016-09-27 11:45:49 -07:00
attributes: {
objectclass: ['nisMailAlias'],
objectcategory: 'nisMailAlias',
ldap: Make alias return fully qualified alias
2018-01-19 12:10:24 -08:00
cn: `${alias.name}@${alias.domain}`,
mail: implement aliases across domains part of #577
2020-04-19 18:44:16 -07:00
rfc822MailMember: `${alias.aliasName}@${alias.aliasDomain}`
remove the alias and mailbox ldap listing code it's unused and complicates things. besides, this is not going to be possible to implement for the mailgroup code.
2016-09-27 11:45:49 -07:00
}
};
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
remove the alias and mailbox ldap listing code it's unused and complicates things. besides, this is not going to be possible to implement for the mailgroup code.
2016-09-27 11:45:49 -07:00
// ensure all filter values are also lowercase
var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
Add ldap pagination support
2017-10-27 01:25:07 +02:00
if (lowerCaseFilter.matches(obj.attributes)) {
finalSend([ obj ], req, res, next);
} else {
res.end();
}
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
});
}
Fix group listing
2016-09-27 12:20:20 -07:00
function mailingListSearch(req, res, next) {
debug('mailing list get: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
Fix group listing
2016-09-27 12:20:20 -07:00
if (!req.dn.rdns[0].attrs.cn) return next(new ldap.NoSuchObjectError(req.dn.toString()));
Add ldap pagination support
2017-10-27 01:25:07 +02:00
mail: resolve list members
2019-11-06 16:45:44 -08:00
let email = req.dn.rdns[0].attrs.cn.value.toLowerCase();
let parts = email.split('@');
ldap: mailbox routes now require the cn to be fully qualified
2018-01-18 18:14:31 -08:00
if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
mail: resolve list members
2019-11-06 16:45:44 -08:00
const name = parts[0], domain = parts[1];
ldap: mailbox routes now require the cn to be fully qualified
2018-01-18 18:14:31 -08:00
add membersOnly flag to a mailing list
2020-04-17 16:55:23 -07:00
mail.resolveList(parts[0], parts[1], function (error, resolvedMembers, list) {
Move MailError to BoxError
2019-10-24 13:34:14 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
if (error) return next(new ldap.OperationsError(error.toString()));
return members of mailing list
2016-09-27 16:27:22 -07:00
// http://ldapwiki.willeke.com/wiki/Original%20Mailgroup%20Schema%20From%20Netscape
ldap: make mailing list search return fully qualified members
2018-01-19 11:35:02 -08:00
// members are fully qualified (https://docs.oracle.com/cd/E19444-01/816-6018-10/groups.htm#13356)
Fix group listing
2016-09-27 12:20:20 -07:00
var obj = {
dn: req.dn.toString(),
attributes: {
objectclass: ['mailGroup'],
objectcategory: 'mailGroup',
mail: resolve list members
2019-11-06 16:45:44 -08:00
cn: `${name}@${domain}`, // fully qualified
mail: `${name}@${domain}`,
update mail container
2020-04-18 02:31:59 -07:00
membersOnly: list.membersOnly, // ldapjs only supports strings and string array. so this is not a bool!
mail: resolve list members
2019-11-06 16:45:44 -08:00
mgrpRFC822MailMember: resolvedMembers // fully qualified
Fix group listing
2016-09-27 12:20:20 -07:00
}
};
add mailbox search endpoint
2016-05-29 18:24:54 -07:00
Fix group listing
2016-09-27 12:20:20 -07:00
// ensure all filter values are also lowercase
var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
add mailbox search endpoint
2016-05-29 18:24:54 -07:00
Add ldap pagination support
2017-10-27 01:25:07 +02:00
if (lowerCaseFilter.matches(obj.attributes)) {
finalSend([ obj ], req, res, next);
} else {
res.end();
}
add mailbox search endpoint
2016-05-29 18:24:54 -07:00
});
}
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
// Will attach req.user if successful
refactor authenticate path into a middleware
2016-05-29 17:16:52 -07:00
function authenticateUser(req, res, next) {
log the ldap source
2016-05-16 14:14:58 -07:00
debug('user bind: %s (from %s)', req.dn.toString(), req.connection.ldap.id);
refactor code for readability
2016-05-12 13:36:53 -07:00
// extract the common name which might have different attribute names
fix ldapjs usage
2016-09-26 09:08:04 -07:00
var attributeName = Object.keys(req.dn.rdns[0].attrs)[0];
var commonName = req.dn.rdns[0].attrs[attributeName].value;
refactor code for readability
2016-05-12 13:36:53 -07:00
if (!commonName) return next(new ldap.NoSuchObjectError(req.dn.toString()));
var api;
cn can also be the cloudron email cn can be: 1. username 2. username@fqdn 3. user@personalemail.com
2016-05-16 12:21:15 -07:00
if (attributeName === 'mail') {
Rename user.js to users.js
2018-04-29 10:58:45 -07:00
api = users.verifyWithEmail;
cn can also be the cloudron email cn can be: 1. username 2. username@fqdn 3. user@personalemail.com
2016-05-16 12:21:15 -07:00
} else if (commonName.indexOf('@') !== -1) { // if mail is specified, enforce mail check
Rename user.js to users.js
2018-04-29 10:58:45 -07:00
api = users.verifyWithEmail;
refactor code for readability
2016-05-12 13:36:53 -07:00
} else if (commonName.indexOf('uid-') === 0) {
Rename user.js to users.js
2018-04-29 10:58:45 -07:00
api = users.verify;
refactor code for readability
2016-05-12 13:36:53 -07:00
} else {
Rename user.js to users.js
2018-04-29 10:58:45 -07:00
api = users.verifyWithUsername;
refactor code for readability
2016-05-12 13:36:53 -07:00
}
Add app passwords feature
2020-01-31 15:28:42 -08:00
api(commonName, req.credentials || '', req.app.id, function (error, user) {
Move UsersError to BoxError
2019-10-24 14:40:26 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
do not allow access if app is not found
2016-06-17 10:08:41 -05:00
if (error) return next(new ldap.OperationsError(error.message));
refactor code for readability
2016-05-12 13:36:53 -07:00
refactor authenticate path into a middleware
2016-05-29 17:16:52 -07:00
req.user = user;
refactor code for readability
2016-05-12 13:36:53 -07:00
refactor authenticate path into a middleware
2016-05-29 17:16:52 -07:00
next();
});
}
function authorizeUserForApp(req, res, next) {
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
assert.strictEqual(typeof req.user, 'object');
assert.strictEqual(typeof req.app, 'object');
refactor authenticate path into a middleware
2016-05-29 17:16:52 -07:00
rename variable
2020-11-20 17:52:22 -08:00
apps.hasAccessTo(req.app, req.user, function (error, hasAccess) {
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
if (error) return next(new ldap.OperationsError(error.toString()));
refactor code for readability
2016-05-12 13:36:53 -07:00
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
// we return no such object, to avoid leakage of a users existence
rename variable
2020-11-20 17:52:22 -08:00
if (!hasAccess) return next(new ldap.NoSuchObjectError(req.dn.toString()));
refactor code for readability
2016-05-12 13:36:53 -07:00
eventlog: only merge ldap login events (and not dashboard) fixes #758
2021-01-06 22:09:37 -08:00
eventlog.upsert(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', appId: req.app.id }, { userId: req.user.id, user: users.removePrivateFields(req.user) });
refactor code for readability
2016-05-12 13:36:53 -07:00
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
res.end();
refactor code for readability
2016-05-12 13:36:53 -07:00
});
}
mail: owner can be a group
2020-11-12 23:25:33 -08:00
function verifyMailboxPassword(mailbox, password, callback) {
assert.strictEqual(typeof mailbox, 'object');
assert.strictEqual(typeof password, 'string');
assert.strictEqual(typeof callback, 'function');
if (mailbox.ownerType === mail.OWNERTYPE_USER) return users.verify(mailbox.ownerId, password, users.AP_MAIL /* identifier */, callback);
groups.getMembers(mailbox.ownerId, function (error, userIds) {
if (error) return callback(error);
let verifiedUser = null;
async.someSeries(userIds, function iterator(userId, iteratorDone) {
users.verify(userId, password, users.AP_MAIL /* identifier */, function (error, result) {
if (error) return iteratorDone(null, false);
verifiedUser = result;
iteratorDone(null, true);
});
}, function (error, result) {
if (!result) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
callback(null, verifiedUser);
});
});
}
Add LDAP_MAILBOXES_BASE_DN this got removed by mistake in the email refactor assuming this was unused (but it is used by sogo) (cherry picked from commit 6589ba09880c9073312d34c883c2a6f6869aa185)
2018-12-16 18:04:30 -08:00
function authenticateUserMailbox(req, res, next) {
debug('user mailbox auth: %s (from %s)', req.dn.toString(), req.connection.ldap.id);
if (!req.dn.rdns[0].attrs.cn) return next(new ldap.NoSuchObjectError(req.dn.toString()));
var email = req.dn.rdns[0].attrs.cn.value.toLowerCase();
var parts = email.split('@');
if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
mail.getDomain(parts[1], function (error, domain) {
Move MailError to BoxError
2019-10-24 13:34:14 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
Add LDAP_MAILBOXES_BASE_DN this got removed by mistake in the email refactor assuming this was unused (but it is used by sogo) (cherry picked from commit 6589ba09880c9073312d34c883c2a6f6869aa185)
2018-12-16 18:04:30 -08:00
if (error) return next(new ldap.OperationsError(error.message));
if (!domain.enabled) return next(new ldap.NoSuchObjectError(req.dn.toString()));
mailboxdb.getMailbox(parts[0], parts[1], function (error, mailbox) {
Move MailError to BoxError
2019-10-24 13:34:14 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
Add LDAP_MAILBOXES_BASE_DN this got removed by mistake in the email refactor assuming this was unused (but it is used by sogo) (cherry picked from commit 6589ba09880c9073312d34c883c2a6f6869aa185)
2018-12-16 18:04:30 -08:00
if (error) return next(new ldap.OperationsError(error.message));
mail: owner can be a group
2020-11-12 23:25:33 -08:00
verifyMailboxPassword(mailbox, req.credentials || '', function (error, result) {
Move UsersError to BoxError
2019-10-24 14:40:26 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
Add LDAP_MAILBOXES_BASE_DN this got removed by mistake in the email refactor assuming this was unused (but it is used by sogo) (cherry picked from commit 6589ba09880c9073312d34c883c2a6f6869aa185)
2018-12-16 18:04:30 -08:00
if (error) return next(new ldap.OperationsError(error.message));
eventlog: only merge ldap login events (and not dashboard) fixes #758
2021-01-06 22:09:37 -08:00
eventlog.upsert(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', mailboxId: email }, { userId: result.id, user: users.removePrivateFields(result) });
Add LDAP_MAILBOXES_BASE_DN this got removed by mistake in the email refactor assuming this was unused (but it is used by sogo) (cherry picked from commit 6589ba09880c9073312d34c883c2a6f6869aa185)
2018-12-16 18:04:30 -08:00
res.end();
});
});
});
}
containerize sftp
2019-04-04 20:46:01 -07:00
function authenticateSftp(req, res, next) {
debug('sftp auth: %s (from %s)', req.dn.toString(), req.connection.ldap.id);
Verify proftp ldap connection via ip instead of fake admin account
2019-03-19 11:59:51 -07:00
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
if (!req.dn.rdns[0].attrs.cn) return next(new ldap.NoSuchObjectError(req.dn.toString()));
var email = req.dn.rdns[0].attrs.cn.value.toLowerCase();
var parts = email.split('@');
if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
make app password work with sftp
2020-03-26 21:50:25 -07:00
apps.getByFqdn(parts[1], function (error, app) {
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
if (error) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
make app password work with sftp
2020-03-26 21:50:25 -07:00
users.verifyWithUsername(parts[0], req.credentials, app.id, function (error) {
if (error) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
make app password work with sftp
2020-03-26 21:50:25 -07:00
debug('sftp auth: success');
res.end();
});
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
});
}
Add option to allow non-admins to access SFTP
2020-10-21 22:31:59 -07:00
function loadSftpConfig(req, res, next) {
Fixes to service configuration restart service does not rebuild automatically, we should add a route for that. we need to figure where to scale services etc if we randomly create containers like that.
2021-01-21 12:53:38 -08:00
services.getServiceConfig('sftp', function (error, serviceConfig) {
Add option to allow non-admins to access SFTP
2020-10-21 22:31:59 -07:00
if (error) return next(new ldap.OperationsError(error.toString()));
Fixes to service configuration restart service does not rebuild automatically, we should add a route for that. we need to figure where to scale services etc if we randomly create containers like that.
2021-01-21 12:53:38 -08:00
req.requireAdmin = serviceConfig.requireAdmin;
Add option to allow non-admins to access SFTP
2020-10-21 22:31:59 -07:00
next();
});
}
containerize sftp
2019-04-04 20:46:01 -07:00
function userSearchSftp(req, res, next) {
debug('sftp user search: dn %s, scope %s, filter %s (from %s)', req.dn.toString(), req.scope, req.filter.toString(), req.connection.ldap.id);
Verify proftp ldap connection via ip instead of fake admin account
2019-03-19 11:59:51 -07:00
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
if (req.filter.attribute !== 'username' || !req.filter.value) return next(new ldap.NoSuchObjectError(req.dn.toString()));
var parts = req.filter.value.split('@');
if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
var username = parts[0];
Check for user access in ldap ftp routes
2019-03-19 16:23:03 -07:00
var appFqdn = parts[1];
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
Check for user access in ldap ftp routes
2019-03-19 16:23:03 -07:00
apps.getByFqdn(appFqdn, function (error, app) {
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
if (error) return next(new ldap.OperationsError(error.toString()));
Only allow ftp access for apps which support it
2019-03-19 20:47:57 -07:00
// only allow apps which specify "ftp" support in the localstorage addon
sftp: Fix uid parsing format is 33/www-data
2019-04-04 22:38:40 -07:00
if (!safe.query(app.manifest.addons, 'localstorage.ftp.uid')) return next(new ldap.UnavailableError('Not supported'));
localstorage ftp uid must be a number
2019-04-05 12:59:00 +02:00
if (typeof app.manifest.addons.localstorage.ftp.uid !== 'number') return next(new ldap.UnavailableError('Bad uid, must be a number'));
sftp: Fix uid parsing format is 33/www-data
2019-04-04 22:38:40 -07:00
localstorage ftp uid must be a number
2019-04-05 12:59:00 +02:00
const uidNumber = app.manifest.addons.localstorage.ftp.uid;
Set uid number from localstorage addon ftp value
2019-03-19 21:17:23 -07:00
Check for user access in ldap ftp routes
2019-03-19 16:23:03 -07:00
users.getByUsername(username, function (error, user) {
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
if (error) return next(new ldap.OperationsError(error.toString()));
Add option to allow non-admins to access SFTP
2020-10-21 22:31:59 -07:00
if (req.requireAdmin && users.compareRoles(user.role, users.ROLE_ADMIN) < 0) return next(new ldap.InsufficientAccessRightsError('Insufficient previleges'));
Revert "only admins have sftp access" This reverts commit ecc9415679e3c3bea6c2c7ca718241c79d166509. We want to support the workflow where normal users can have SFTP access without being cloudron admins. The reason it is admin only is because it is possible to upload/modify app code via SFTP to then get cloudron admin credentials. For this reason, we will fixup the apps as follows: * Unmanaged WP - remove LDAP integration * LAMP - remove LDAP. We will make a new major version that informs the user NOT to update the app if they use LDAP. In 4.1, we will expose the LDAP server, so they can use the public LDAP server for any integration. * Managed WP - Remove SFTP. This is contential but if people want to really build/develop plugins then they can use Unmanaged WP for the dev environment. * Surfer - no change. Can have SFTP and LDAP since code is not modifiable In general, should also be careful then about adding SFTP access to random apps (like say nextcloud), since this would allow normal user to access other people's data.
2019-05-22 14:20:52 -07:00
apps.hasAccessTo(app, user, function (error, hasAccess) {
if (error) return next(new ldap.OperationsError(error.toString()));
if (!hasAccess) return next(new ldap.InsufficientAccessRightsError('Not authorized'));
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
Revert "only admins have sftp access" This reverts commit ecc9415679e3c3bea6c2c7ca718241c79d166509. We want to support the workflow where normal users can have SFTP access without being cloudron admins. The reason it is admin only is because it is possible to upload/modify app code via SFTP to then get cloudron admin credentials. For this reason, we will fixup the apps as follows: * Unmanaged WP - remove LDAP integration * LAMP - remove LDAP. We will make a new major version that informs the user NOT to update the app if they use LDAP. In 4.1, we will expose the LDAP server, so they can use the public LDAP server for any integration. * Managed WP - Remove SFTP. This is contential but if people want to really build/develop plugins then they can use Unmanaged WP for the dev environment. * Surfer - no change. Can have SFTP and LDAP since code is not modifiable In general, should also be careful then about adding SFTP access to random apps (like say nextcloud), since this would allow normal user to access other people's data.
2019-05-22 14:20:52 -07:00
var obj = {
dn: ldap.parseDN(`cn=${username}@${appFqdn},ou=sftp,dc=cloudron`).toString(),
attributes: {
sftp: fix home directory path
2020-08-08 18:16:32 -07:00
homeDirectory: path.join('/app/data', app.id),
Revert "only admins have sftp access" This reverts commit ecc9415679e3c3bea6c2c7ca718241c79d166509. We want to support the workflow where normal users can have SFTP access without being cloudron admins. The reason it is admin only is because it is possible to upload/modify app code via SFTP to then get cloudron admin credentials. For this reason, we will fixup the apps as follows: * Unmanaged WP - remove LDAP integration * LAMP - remove LDAP. We will make a new major version that informs the user NOT to update the app if they use LDAP. In 4.1, we will expose the LDAP server, so they can use the public LDAP server for any integration. * Managed WP - Remove SFTP. This is contential but if people want to really build/develop plugins then they can use Unmanaged WP for the dev environment. * Surfer - no change. Can have SFTP and LDAP since code is not modifiable In general, should also be careful then about adding SFTP access to random apps (like say nextcloud), since this would allow normal user to access other people's data.
2019-05-22 14:20:52 -07:00
objectclass: ['user'],
objectcategory: 'person',
cn: user.id,
uid: `${username}@${appFqdn}`, // for bind after search
uidNumber: uidNumber, // unix uid for ftp access
gidNumber: uidNumber // unix gid for ftp access
}
};
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
Revert "only admins have sftp access" This reverts commit ecc9415679e3c3bea6c2c7ca718241c79d166509. We want to support the workflow where normal users can have SFTP access without being cloudron admins. The reason it is admin only is because it is possible to upload/modify app code via SFTP to then get cloudron admin credentials. For this reason, we will fixup the apps as follows: * Unmanaged WP - remove LDAP integration * LAMP - remove LDAP. We will make a new major version that informs the user NOT to update the app if they use LDAP. In 4.1, we will expose the LDAP server, so they can use the public LDAP server for any integration. * Managed WP - Remove SFTP. This is contential but if people want to really build/develop plugins then they can use Unmanaged WP for the dev environment. * Surfer - no change. Can have SFTP and LDAP since code is not modifiable In general, should also be careful then about adding SFTP access to random apps (like say nextcloud), since this would allow normal user to access other people's data.
2019-05-22 14:20:52 -07:00
finalSend([ obj ], req, res, next);
});
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
});
});
}
fix issue where apps can sendmail with any username a valid password is still required for this to work
2020-12-03 12:14:04 -08:00
function verifyAppMailboxPassword(addonId, username, password, callback) {
assert.strictEqual(typeof addonId, 'string');
assert.strictEqual(typeof username, 'string');
assert.strictEqual(typeof password, 'string');
assert.strictEqual(typeof callback, 'function');
const pattern = addonId === 'sendmail' ? 'MAIL_SMTP' : 'MAIL_IMAP';
appdb.getAppIdByAddonConfigValue(addonId, `%${pattern}_PASSWORD`, password, function (error, appId) { // search by password because this is unique for each app
if (error) return callback(error);
appdb.getAddonConfig(appId, addonId, function (error, result) {
if (error) return callback(error);
if (!result.some(r => r.name.endsWith(`${pattern}_USERNAME`) && r.value === username)) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
callback(null);
});
});
}
Add LDAP_MAILBOXES_BASE_DN this got removed by mistake in the email refactor assuming this was unused (but it is used by sogo) (cherry picked from commit 6589ba09880c9073312d34c883c2a6f6869aa185)
2018-12-16 18:04:30 -08:00
function authenticateMailAddon(req, res, next) {
debug('mail addon auth: %s (from %s)', req.dn.toString(), req.connection.ldap.id);
debug: authenticateMailbox
2018-02-08 18:49:27 -08:00
Add back cn existence check
2020-12-03 13:35:50 -08:00
if (!req.dn.rdns[0].attrs.cn) return next(new ldap.NoSuchObjectError(req.dn.toString()));
const email = req.dn.rdns[0].attrs.cn.value.toLowerCase();
const parts = email.split('@');
ldap: mailbox routes now require the cn to be fully qualified
2018-01-18 18:14:31 -08:00
if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
authenticate mailbox based on owner
2016-09-26 11:50:32 -07:00
rework how app mailboxes are allocated Our current setup had a mailbox allocated for an app during app install (into the mailboxes table). This has many issues: * When set to a custom mailbox location, there was no way to access this mailbox even via IMAP. Even when using app credentials, we cannot use IMAP since the ldap logic was testing on the addon type (most of our apps only use sendmail addon and thus cannot recvmail). * The mailboxes table was being used to add hidden 'app' type entries. This made it very hard for the user to understand why a mailbox conflicts. For example, if you set an app to use custom mailbox 'blog', this is hidden from all views. The solution is to let an app send email as whatever mailbox name is allocated to it (which we now track in the apps table. the default is in the db already so that REST response contains it). When not using Cloudron email, it will just send mail as that mailbox and the auth checks the "app password" in the addons table. Any replies to that mailbox will end up in the domain's mail server (not our problem). When using cloudron email, the app can send mail like above. Any responses will not end anywhere and bounce since there is no 'mailbox'. This is the expected behavior. If user wants to access this mailbox name, he can create a concrete mailbox and set himself as owner OR set this as an alias. For apps using the recvmail addon, the workflow is to actually create a mailbox at some point. Currently, we have no UI for this 'flow'. It's fine because we have only meemo using it. Intuitive much!
2018-12-06 21:08:19 -08:00
const addonId = req.dn.rdns[1].attrs.ou.value.toLowerCase(); // 'sendmail' or 'recvmail'
fix issue where apps can sendmail with any username a valid password is still required for this to work
2020-12-03 12:14:04 -08:00
if (addonId !== 'sendmail' && addonId !== 'recvmail') return next(new ldap.OperationsError('Invalid DN'));
rework how app mailboxes are allocated Our current setup had a mailbox allocated for an app during app install (into the mailboxes table). This has many issues: * When set to a custom mailbox location, there was no way to access this mailbox even via IMAP. Even when using app credentials, we cannot use IMAP since the ldap logic was testing on the addon type (most of our apps only use sendmail addon and thus cannot recvmail). * The mailboxes table was being used to add hidden 'app' type entries. This made it very hard for the user to understand why a mailbox conflicts. For example, if you set an app to use custom mailbox 'blog', this is hidden from all views. The solution is to let an app send email as whatever mailbox name is allocated to it (which we now track in the apps table. the default is in the db already so that REST response contains it). When not using Cloudron email, it will just send mail as that mailbox and the auth checks the "app password" in the addons table. Any replies to that mailbox will end up in the domain's mail server (not our problem). When using cloudron email, the app can send mail like above. Any responses will not end anywhere and bounce since there is no 'mailbox'. This is the expected behavior. If user wants to access this mailbox name, he can create a concrete mailbox and set himself as owner OR set this as an alias. For apps using the recvmail addon, the workflow is to actually create a mailbox at some point. Currently, we have no UI for this 'flow'. It's fine because we have only meemo using it. Intuitive much!
2018-12-06 21:08:19 -08:00
mail.getDomain(parts[1], function (error, domain) {
Move MailError to BoxError
2019-10-24 13:34:14 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
authenticate mailbox based on owner
2016-09-26 11:50:32 -07:00
if (error) return next(new ldap.OperationsError(error.message));
rework how app mailboxes are allocated Our current setup had a mailbox allocated for an app during app install (into the mailboxes table). This has many issues: * When set to a custom mailbox location, there was no way to access this mailbox even via IMAP. Even when using app credentials, we cannot use IMAP since the ldap logic was testing on the addon type (most of our apps only use sendmail addon and thus cannot recvmail). * The mailboxes table was being used to add hidden 'app' type entries. This made it very hard for the user to understand why a mailbox conflicts. For example, if you set an app to use custom mailbox 'blog', this is hidden from all views. The solution is to let an app send email as whatever mailbox name is allocated to it (which we now track in the apps table. the default is in the db already so that REST response contains it). When not using Cloudron email, it will just send mail as that mailbox and the auth checks the "app password" in the addons table. Any replies to that mailbox will end up in the domain's mail server (not our problem). When using cloudron email, the app can send mail like above. Any responses will not end anywhere and bounce since there is no 'mailbox'. This is the expected behavior. If user wants to access this mailbox name, he can create a concrete mailbox and set himself as owner OR set this as an alias. For apps using the recvmail addon, the workflow is to actually create a mailbox at some point. Currently, we have no UI for this 'flow'. It's fine because we have only meemo using it. Intuitive much!
2018-12-06 21:08:19 -08:00
if (addonId === 'recvmail' && !domain.enabled) return next(new ldap.NoSuchObjectError(req.dn.toString()));
Also check if the domain has mail enabled for ldap sendmail auth
2018-01-22 20:35:08 +01:00
fix issue where apps can sendmail with any username a valid password is still required for this to work
2020-12-03 12:14:04 -08:00
verifyAppMailboxPassword(addonId, email, req.credentials || '', function (error) {
if (!error) return res.end(); // validated as app
Also check if the domain has mail enabled for ldap sendmail auth
2018-01-22 20:35:08 +01:00
fix issue where apps can sendmail with any username a valid password is still required for this to work
2020-12-03 12:14:04 -08:00
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
Start moving db code to use BoxError as well
2019-10-24 11:13:48 -07:00
if (error && error.reason !== BoxError.NOT_FOUND) return next(new ldap.OperationsError(error.message));
Also check if the domain has mail enabled for ldap sendmail auth
2018-01-22 20:35:08 +01:00
rework how app mailboxes are allocated Our current setup had a mailbox allocated for an app during app install (into the mailboxes table). This has many issues: * When set to a custom mailbox location, there was no way to access this mailbox even via IMAP. Even when using app credentials, we cannot use IMAP since the ldap logic was testing on the addon type (most of our apps only use sendmail addon and thus cannot recvmail). * The mailboxes table was being used to add hidden 'app' type entries. This made it very hard for the user to understand why a mailbox conflicts. For example, if you set an app to use custom mailbox 'blog', this is hidden from all views. The solution is to let an app send email as whatever mailbox name is allocated to it (which we now track in the apps table. the default is in the db already so that REST response contains it). When not using Cloudron email, it will just send mail as that mailbox and the auth checks the "app password" in the addons table. Any replies to that mailbox will end up in the domain's mail server (not our problem). When using cloudron email, the app can send mail like above. Any responses will not end anywhere and bounce since there is no 'mailbox'. This is the expected behavior. If user wants to access this mailbox name, he can create a concrete mailbox and set himself as owner OR set this as an alias. For apps using the recvmail addon, the workflow is to actually create a mailbox at some point. Currently, we have no UI for this 'flow'. It's fine because we have only meemo using it. Intuitive much!
2018-12-06 21:08:19 -08:00
mailboxdb.getMailbox(parts[0], parts[1], function (error, mailbox) {
Move MailError to BoxError
2019-10-24 13:34:14 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
rework how app mailboxes are allocated Our current setup had a mailbox allocated for an app during app install (into the mailboxes table). This has many issues: * When set to a custom mailbox location, there was no way to access this mailbox even via IMAP. Even when using app credentials, we cannot use IMAP since the ldap logic was testing on the addon type (most of our apps only use sendmail addon and thus cannot recvmail). * The mailboxes table was being used to add hidden 'app' type entries. This made it very hard for the user to understand why a mailbox conflicts. For example, if you set an app to use custom mailbox 'blog', this is hidden from all views. The solution is to let an app send email as whatever mailbox name is allocated to it (which we now track in the apps table. the default is in the db already so that REST response contains it). When not using Cloudron email, it will just send mail as that mailbox and the auth checks the "app password" in the addons table. Any replies to that mailbox will end up in the domain's mail server (not our problem). When using cloudron email, the app can send mail like above. Any responses will not end anywhere and bounce since there is no 'mailbox'. This is the expected behavior. If user wants to access this mailbox name, he can create a concrete mailbox and set himself as owner OR set this as an alias. For apps using the recvmail addon, the workflow is to actually create a mailbox at some point. Currently, we have no UI for this 'flow'. It's fine because we have only meemo using it. Intuitive much!
2018-12-06 21:08:19 -08:00
if (error) return next(new ldap.OperationsError(error.message));
Do not check if email is enabled when an app tries to do sendmail auth through ldap
2018-01-29 19:29:04 +01:00
mail: owner can be a group
2020-11-12 23:25:33 -08:00
verifyMailboxPassword(mailbox, req.credentials || '', function (error, result) {
Move UsersError to BoxError
2019-10-24 14:40:26 -07:00
if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
Also check if the domain has mail enabled for ldap sendmail auth
2018-01-22 20:35:08 +01:00
if (error) return next(new ldap.OperationsError(error.message));
eventlog: only merge ldap login events (and not dashboard) fixes #758
2021-01-06 22:09:37 -08:00
eventlog.upsert(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', mailboxId: email }, { userId: result.id, user: users.removePrivateFields(result) });
Also check if the domain has mail enabled for ldap sendmail auth
2018-01-22 20:35:08 +01:00
res.end();
});
rework how app mailboxes are allocated Our current setup had a mailbox allocated for an app during app install (into the mailboxes table). This has many issues: * When set to a custom mailbox location, there was no way to access this mailbox even via IMAP. Even when using app credentials, we cannot use IMAP since the ldap logic was testing on the addon type (most of our apps only use sendmail addon and thus cannot recvmail). * The mailboxes table was being used to add hidden 'app' type entries. This made it very hard for the user to understand why a mailbox conflicts. For example, if you set an app to use custom mailbox 'blog', this is hidden from all views. The solution is to let an app send email as whatever mailbox name is allocated to it (which we now track in the apps table. the default is in the db already so that REST response contains it). When not using Cloudron email, it will just send mail as that mailbox and the auth checks the "app password" in the addons table. Any replies to that mailbox will end up in the domain's mail server (not our problem). When using cloudron email, the app can send mail like above. Any responses will not end anywhere and bounce since there is no 'mailbox'. This is the expected behavior. If user wants to access this mailbox name, he can create a concrete mailbox and set himself as owner OR set this as an alias. For apps using the recvmail addon, the workflow is to actually create a mailbox at some point. Currently, we have no UI for this 'flow'. It's fine because we have only meemo using it. Intuitive much!
2018-12-06 21:08:19 -08:00
});
Also check if the domain has mail enabled for ldap sendmail auth
2018-01-22 20:35:08 +01:00
});
authenticate mailbox based on owner
2016-09-26 11:50:32 -07:00
});
add mailbox ldap auth point
2016-05-29 17:25:23 -07:00
}
refactor code for readability
2016-05-12 13:36:53 -07:00
function start(callback) {
assert.strictEqual(typeof callback, 'function');
ldap: remove unnecessary global
2016-09-25 16:11:54 -07:00
var logger = {
trace: NOOP,
debug: NOOP,
info: debug,
warn: debug,
Use debug instead of console.* everywhere No need to patch up console.* anymore also removes supererror
2020-08-02 11:43:18 -07:00
error: debug,
fatal: debug
ldap: remove unnecessary global
2016-09-25 16:11:54 -07:00
};
gServer = ldap.createServer({ log: logger });
refactor code for readability
2016-05-12 13:36:53 -07:00
Handle ldap server errors grazefully
2019-04-25 13:10:52 +02:00
gServer.on('error', function (error) {
Use debug instead of console.* everywhere No need to patch up console.* anymore also removes supererror
2020-08-02 11:43:18 -07:00
debug('start: server error ', error);
Handle ldap server errors grazefully
2019-04-25 13:10:52 +02:00
});
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
gServer.search('ou=users,dc=cloudron', authenticateApp, userSearch);
gServer.search('ou=groups,dc=cloudron', authenticateApp, groupSearch);
gServer.bind('ou=users,dc=cloudron', authenticateApp, authenticateUser, authorizeUserForApp);
app.portBindings and newManifest.tcpPorts may be null
2015-07-20 00:09:47 -07:00
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
// http://www.ietf.org/proceedings/43/I-D/draft-srivastava-ldap-mail-00.txt
mail: owner can be a group
2020-11-12 23:25:33 -08:00
gServer.search('ou=mailboxes,dc=cloudron', mailboxSearch); // haraka (address translation), dovecot (LMTP), sogo (mailbox search)
Add LDAP_MAILBOXES_BASE_DN this got removed by mistake in the email refactor assuming this was unused (but it is used by sogo) (cherry picked from commit 6589ba09880c9073312d34c883c2a6f6869aa185)
2018-12-16 18:04:30 -08:00
gServer.bind('ou=mailboxes,dc=cloudron', authenticateUserMailbox); // apps like sogo can use domain=${domain} to authenticate a mailbox
gServer.search('ou=mailaliases,dc=cloudron', mailAliasSearch); // haraka
gServer.search('ou=mailinglists,dc=cloudron', mailingListSearch); // haraka
Add alias and list ldap routes
2016-09-25 18:59:11 -07:00
add some comments on the ldap routes
2020-11-12 22:13:24 -08:00
gServer.bind('ou=recvmail,dc=cloudron', authenticateMailAddon); // dovecot (IMAP auth)
gServer.bind('ou=sendmail,dc=cloudron', authenticateMailAddon); // haraka (MSA auth)
add mailbox ldap auth point
2016-05-29 17:25:23 -07:00
containerize sftp
2019-04-04 20:46:01 -07:00
gServer.bind('ou=sftp,dc=cloudron', authenticateSftp); // sftp
Add option to allow non-admins to access SFTP
2020-10-21 22:31:59 -07:00
gServer.search('ou=sftp,dc=cloudron', loadSftpConfig, userSearchSftp);
Make initial sftp connection work
2019-03-18 21:15:50 -07:00
Attach req.app for further use in ldap routes
2018-09-03 15:38:50 +02:00
gServer.compare('cn=users,ou=groups,dc=cloudron', authenticateApp, groupUsersCompare);
gServer.compare('cn=admins,ou=groups,dc=cloudron', authenticateApp, groupAdminsCompare);
Support ldap group compare Fixes #463
2017-10-24 01:35:35 +02:00
create a new ou for addons
2016-05-12 13:20:57 -07:00
// this is the bind for addons (after bind, they might search and authenticate)
Allow admins to access all apps Fixes #420
2017-11-15 18:07:10 -08:00
gServer.bind('ou=addons,dc=cloudron', function(req, res /*, next */) {
create a new ou for addons
2016-05-12 13:20:57 -07:00
debug('addons bind: %s', req.dn.toString()); // note: cn can be email or id
add ou=recvmail for dovecot
2016-05-11 14:26:34 -07:00
res.end();
});
create a new ou for addons
2016-05-12 13:20:57 -07:00
// this is the bind for apps (after bind, they might search and authenticate user)
Allow admins to access all apps Fixes #420
2017-11-15 18:07:10 -08:00
gServer.bind('ou=apps,dc=cloudron', function(req, res /*, next */) {
ldap: allow non-anonymous searches Add LDAP_BIND_DN and LDAP_BIND_PASSWORD that allow apps to bind before a search. There appear to be two kinds of ldap flows: 1. App simply binds using cn=<username>,$LDAP_USERS_BASE_DN. This works swimmingly today. 2. App searches the username under a "bind_dn" using some admin credentials. It takes the result and uses the first dn in the result as the user dn. It then binds as step 1. This commit tries to help out the case 2) apps. These apps really insist on having some credentials for searching.
2015-09-25 21:17:48 -07:00
// TODO: validate password
fix ldap debug ("ldap" already appears as part of debug)
2016-03-04 17:50:48 -08:00
debug('application bind: %s', req.dn.toString());
ldap: allow non-anonymous searches Add LDAP_BIND_DN and LDAP_BIND_PASSWORD that allow apps to bind before a search. There appear to be two kinds of ldap flows: 1. App simply binds using cn=<username>,$LDAP_USERS_BASE_DN. This works swimmingly today. 2. App searches the username under a "bind_dn" using some admin credentials. It takes the result and uses the first dn in the result as the user dn. It then binds as step 1. This commit tries to help out the case 2) apps. These apps really insist on having some credentials for searching.
2015-09-25 21:17:48 -07:00
res.end();
});
Add ldap debug for unhandled routes
2021-02-13 18:56:36 +01:00
// just log that an attempt was made to unknown route, this helps a lot during app packaging
gServer.use(function(req, res, next) {
debug('not handled: dn %s, scope %s, filter %s (from %s)', req.dn ? req.dn.toString() : '-', req.scope, req.filter ? req.filter.toString() : '-', req.connection.ldap.id);
return next();
});
Make ldap and docker proxy port as constants
2019-07-25 15:33:34 -07:00
gServer.listen(constants.LDAP_PORT, '0.0.0.0', callback);
app.portBindings and newManifest.tcpPorts may be null
2015-07-20 00:09:47 -07:00
}
Add ldap.stop
2015-09-14 10:59:05 -07:00
function stop(callback) {
Fix typo in assert
2015-09-14 11:09:37 -07:00
assert.strictEqual(typeof callback, 'function');
Add ldap.stop
2015-09-14 10:59:05 -07:00
do not crash if the service was never started fixes #51
2016-09-15 11:53:28 -07:00
if (gServer) gServer.close();
Add ldap.stop
2015-09-14 10:59:05 -07:00
callback();
}
Reference in New Issue Copy Permalink