2019-08-28 18:22:07 +02:00
'use strict' ;
exports = module . exports = {
2023-08-03 02:06:07 +05:30
getConfig ,
setConfig ,
2021-05-01 11:21:09 -07:00
verifyPassword ,
2021-07-15 09:50:11 -07:00
maybeCreateUser ,
2019-08-29 22:43:06 +02:00
2021-05-01 11:21:09 -07:00
startSyncer ,
2019-08-28 18:22:07 +02:00
2021-05-01 11:21:09 -07:00
removePrivateFields ,
2019-10-25 15:58:11 -07:00
2021-05-01 11:21:09 -07:00
sync
2019-08-28 18:22:07 +02:00
} ;
2021-06-28 15:15:28 -07:00
const assert = require ( 'assert' ) ,
2021-09-30 09:50:30 -07:00
AuditSource = require ( './auditsource.js' ) ,
2019-10-24 13:41:41 -07:00
BoxError = require ( './boxerror.js' ) ,
2019-10-25 15:58:11 -07:00
constants = require ( './constants.js' ) ,
2019-08-30 19:11:27 +02:00
debug = require ( 'debug' ) ( 'box:externalldap' ) ,
2020-06-04 13:26:13 +02:00
groups = require ( './groups.js' ) ,
2019-08-28 18:22:07 +02:00
ldap = require ( 'ldapjs' ) ,
2022-04-15 19:01:35 -05:00
once = require ( './once.js' ) ,
2021-06-28 15:15:28 -07:00
safe = require ( 'safetydance' ) ,
2019-08-28 18:22:07 +02:00
settings = require ( './settings.js' ) ,
2019-08-29 17:19:51 +02:00
tasks = require ( './tasks.js' ) ,
2021-06-28 15:15:28 -07:00
users = require ( './users.js' ) ,
util = require ( 'util' ) ;
2019-08-28 18:22:07 +02:00
2019-10-25 15:58:11 -07:00
function injectPrivateFields ( newConfig , currentConfig ) {
if ( newConfig . bindPassword === constants . SECRET _PLACEHOLDER ) newConfig . bindPassword = currentConfig . bindPassword ;
}
function removePrivateFields ( ldapConfig ) {
assert . strictEqual ( typeof ldapConfig , 'object' ) ;
if ( ldapConfig . bindPassword ) ldapConfig . bindPassword = constants . SECRET _PLACEHOLDER ;
return ldapConfig ;
}
2019-11-19 09:53:00 +01:00
function translateUser ( ldapConfig , ldapUser ) {
assert . strictEqual ( typeof ldapConfig , 'object' ) ;
2022-02-18 17:31:02 +01:00
// RFC: https://datatracker.ietf.org/doc/html/rfc2798
2019-11-19 09:53:00 +01:00
return {
2022-04-23 11:11:46 +02:00
username : ldapUser [ ldapConfig . usernameField ] . toLowerCase ( ) ,
2020-07-01 14:34:28 +02:00
email : ldapUser . mail || ldapUser . mailPrimaryAddress ,
2022-08-02 14:02:35 +02:00
twoFactorAuthenticationEnabled : ! ! ldapUser . twoFactorAuthenticationEnabled ,
2022-02-18 17:31:02 +01:00
displayName : ldapUser . displayName || ldapUser . cn // user.giveName + ' ' + user.sn
2019-11-19 09:53:00 +01:00
} ;
}
function validUserRequirements ( user ) {
if ( ! user . username || ! user . email || ! user . displayName ) {
2020-07-01 14:34:28 +02:00
debug ( ` [Invalid LDAP user] username= ${ user . username } email= ${ user . email } displayName= ${ user . displayName } ` ) ;
2019-11-19 09:53:00 +01:00
return false ;
} else {
return true ;
}
}
2023-08-03 02:06:07 +05:30
async function getConfig ( ) {
const value = await settings . get ( settings . EXTERNAL _LDAP _KEY ) ;
if ( value === null ) return { provider : 'noop' , autoCreate : false } ;
const config = JSON . parse ( value ) ;
if ( ! config . autoCreate ) config . autoCreate = false ; // ensure new keys
return config ;
}
async function setConfig ( newConfig ) {
assert . strictEqual ( typeof newConfig , 'object' ) ;
2023-08-04 14:13:30 +05:30
if ( constants . DEMO ) throw new BoxError ( BoxError . BAD _FIELD , 'Not allowed in demo mode' ) ;
2023-08-03 02:06:07 +05:30
const currentConfig = await getConfig ( ) ;
injectPrivateFields ( newConfig , currentConfig ) ;
const error = await testConfig ( newConfig ) ;
if ( error ) throw error ;
2023-08-03 11:34:33 +05:30
await settings . setJson ( settings . EXTERNAL _LDAP _KEY , newConfig ) ;
2023-08-03 02:06:07 +05:30
}
2019-08-28 18:22:07 +02:00
// performs service bind if required
2023-08-03 02:06:07 +05:30
async function getClient ( config , options ) {
assert . strictEqual ( typeof config , 'object' ) ;
2021-09-01 13:09:49 -07:00
assert . strictEqual ( typeof options , 'object' ) ;
2020-06-26 14:08:16 +02:00
2019-08-29 22:51:27 +02:00
// basic validation to not crash
2023-08-03 02:06:07 +05:30
try { ldap . parseDN ( config . baseDn ) ; } catch ( e ) { throw new BoxError ( BoxError . BAD _FIELD , 'invalid baseDn' ) ; }
try { ldap . parseFilter ( config . filter ) ; } catch ( e ) { throw new BoxError ( BoxError . BAD _FIELD , 'invalid filter' ) ; }
2020-06-25 17:36:23 +02:00
2021-09-01 13:09:49 -07:00
let client ;
2019-08-29 17:19:51 +02:00
try {
2023-08-03 02:06:07 +05:30
const ldapConfig = {
url : config . url ,
tlsOptions : {
rejectUnauthorized : config . acceptSelfSignedCerts ? false : true
}
} ;
client = ldap . createClient ( ldapConfig ) ;
2019-08-29 17:19:51 +02:00
} catch ( e ) {
2021-09-01 13:09:49 -07:00
if ( e instanceof ldap . ProtocolError ) throw new BoxError ( BoxError . BAD _FIELD , 'url protocol is invalid' ) ;
throw new BoxError ( BoxError . INTERNAL _ERROR , e ) ;
2019-08-29 17:19:51 +02:00
}
2019-08-28 18:22:07 +02:00
2021-09-01 13:09:49 -07:00
return await new Promise ( ( resolve , reject ) => {
reject = once ( reject ) ;
2019-08-28 18:22:07 +02:00
2021-09-01 13:09:49 -07:00
// ensure we don't just crash
client . on ( 'error' , function ( error ) {
2023-04-30 21:49:28 +02:00
debug ( 'getClient: ExternalLdap client error:' , error ) ;
2021-09-01 13:09:49 -07:00
reject ( new BoxError ( BoxError . EXTERNAL _ERROR , error ) ) ;
} ) ;
2019-08-28 18:22:07 +02:00
2023-01-12 14:39:58 +01:00
// skip bind auth if none exist or if not wanted
2023-08-03 02:06:07 +05:30
if ( ! config . bindDn || ! options . bind ) return resolve ( client ) ;
2023-01-12 14:39:58 +01:00
2023-08-03 02:06:07 +05:30
client . bind ( config . bindDn , config . bindPassword , function ( error ) {
2021-09-01 13:09:49 -07:00
if ( error instanceof ldap . InvalidCredentialsError ) return reject ( new BoxError ( BoxError . INVALID _CREDENTIALS ) ) ;
if ( error ) return reject ( new BoxError ( BoxError . EXTERNAL _ERROR , error ) ) ;
resolve ( client ) ;
} ) ;
2019-08-28 18:22:07 +02:00
} ) ;
}
2021-09-01 13:09:49 -07:00
async function clientSearch ( client , dn , searchOptions ) {
assert . strictEqual ( typeof client , 'object' ) ;
2020-06-05 10:29:36 +02:00
assert . strictEqual ( typeof dn , 'string' ) ;
2021-09-01 13:09:49 -07:00
assert . strictEqual ( typeof searchOptions , 'object' ) ;
2020-06-05 10:29:36 +02:00
2021-09-01 13:09:49 -07:00
// basic validation to not crash
try { ldap . parseDN ( dn ) ; } catch ( e ) { throw new BoxError ( BoxError . BAD _FIELD , 'invalid DN' ) ; }
2020-07-30 15:08:01 +02:00
2021-09-01 13:09:49 -07:00
return await new Promise ( ( resolve , reject ) => {
2020-06-05 10:29:36 +02:00
client . search ( dn , searchOptions , function ( error , result ) {
2021-09-01 13:09:49 -07:00
if ( error instanceof ldap . NoSuchObjectError ) return reject ( new BoxError ( BoxError . NOT _FOUND ) ) ;
if ( error ) return reject ( new BoxError ( BoxError . EXTERNAL _ERROR , error ) ) ;
2020-06-05 10:29:36 +02:00
let ldapObjects = [ ] ;
result . on ( 'searchEntry' , entry => ldapObjects . push ( entry . object ) ) ;
2021-09-01 13:09:49 -07:00
result . on ( 'error' , error => reject ( new BoxError ( BoxError . EXTERNAL _ERROR , error ) ) ) ;
2020-06-05 10:29:36 +02:00
result . on ( 'end' , function ( result ) {
2021-09-01 13:09:49 -07:00
if ( result . status !== 0 ) return reject ( new BoxError ( BoxError . EXTERNAL _ERROR , 'Server returned status ' + result . status ) ) ;
2020-06-05 10:29:36 +02:00
2021-09-01 13:09:49 -07:00
resolve ( ldapObjects ) ;
2020-06-05 10:29:36 +02:00
} ) ;
} ) ;
} ) ;
}
2019-11-19 09:53:00 +01:00
2023-08-03 02:06:07 +05:30
async function ldapGetByDN ( config , dn ) {
assert . strictEqual ( typeof config , 'object' ) ;
2021-09-01 13:09:49 -07:00
assert . strictEqual ( typeof dn , 'string' ) ;
2019-10-30 14:37:48 -07:00
2021-09-01 13:09:49 -07:00
const searchOptions = {
paged : true ,
scope : 'sub' // We may have to make this configurable
} ;
2019-10-30 14:37:48 -07:00
2021-09-01 13:09:49 -07:00
debug ( ` ldapGetByDN: Get object at ${ dn } ` ) ;
2019-10-30 14:37:48 -07:00
2023-08-03 02:06:07 +05:30
const client = await getClient ( config , { bind : true } ) ;
2021-09-01 13:09:49 -07:00
const result = await clientSearch ( client , dn , searchOptions ) ;
client . unbind ( ) ;
if ( result . length === 0 ) throw new BoxError ( BoxError . NOT _FOUND ) ;
return result [ 0 ] ;
2019-10-30 14:37:48 -07:00
}
2021-09-01 13:09:49 -07:00
// TODO support search by email
2023-08-03 02:06:07 +05:30
async function ldapUserSearch ( config , options ) {
assert . strictEqual ( typeof config , 'object' ) ;
2020-06-03 21:23:53 +02:00
assert . strictEqual ( typeof options , 'object' ) ;
2021-09-01 13:09:49 -07:00
const searchOptions = {
paged : true ,
2023-08-03 02:06:07 +05:30
filter : ldap . parseFilter ( config . filter ) ,
2021-09-01 13:09:49 -07:00
scope : 'sub' // We may have to make this configurable
} ;
2020-06-03 21:23:53 +02:00
2021-09-01 13:09:49 -07:00
if ( options . filter ) { // https://github.com/ldapjs/node-ldapjs/blob/master/docs/filters.md
const extraFilter = ldap . parseFilter ( options . filter ) ;
searchOptions . filter = new ldap . AndFilter ( { filters : [ extraFilter , searchOptions . filter ] } ) ;
}
2020-06-03 21:23:53 +02:00
2023-08-03 02:06:07 +05:30
const client = await getClient ( config , { bind : true } ) ;
const result = await clientSearch ( client , config . baseDn , searchOptions ) ;
2021-09-01 13:09:49 -07:00
client . unbind ( ) ;
return result ;
}
2020-06-03 21:23:53 +02:00
2023-08-03 02:06:07 +05:30
async function ldapGroupSearch ( config , options ) {
assert . strictEqual ( typeof config , 'object' ) ;
2021-09-01 13:09:49 -07:00
assert . strictEqual ( typeof options , 'object' ) ;
2020-06-03 21:23:53 +02:00
2021-09-01 13:09:49 -07:00
const searchOptions = {
paged : true ,
scope : 'sub' // We may have to make this configurable
} ;
2020-06-03 21:23:53 +02:00
2023-08-03 02:06:07 +05:30
if ( config . groupFilter ) searchOptions . filter = ldap . parseFilter ( config . groupFilter ) ;
2020-06-03 21:23:53 +02:00
2021-09-01 13:09:49 -07:00
if ( options . filter ) { // https://github.com/ldapjs/node-ldapjs/blob/master/docs/filters.md
const extraFilter = ldap . parseFilter ( options . filter ) ;
searchOptions . filter = new ldap . AndFilter ( { filters : [ extraFilter , searchOptions . filter ] } ) ;
}
2020-06-03 21:23:53 +02:00
2023-08-03 02:06:07 +05:30
const client = await getClient ( config , { bind : true } ) ;
const result = await clientSearch ( client , config . groupBaseDn , searchOptions ) ;
2021-09-01 13:09:49 -07:00
client . unbind ( ) ;
return result ;
2020-06-03 21:23:53 +02:00
}
2021-09-01 13:09:49 -07:00
async function testConfig ( config ) {
2019-08-28 18:22:07 +02:00
assert . strictEqual ( typeof config , 'object' ) ;
2021-09-01 13:09:49 -07:00
if ( config . provider === 'noop' ) return null ;
2019-08-29 12:28:41 +02:00
2021-09-01 13:09:49 -07:00
if ( ! config . url ) return new BoxError ( BoxError . BAD _FIELD , 'url must not be empty' ) ;
if ( ! config . url . startsWith ( 'ldap://' ) && ! config . url . startsWith ( 'ldaps://' ) ) return new BoxError ( BoxError . BAD _FIELD , 'url is missing ldap:// or ldaps:// prefix' ) ;
2019-10-25 15:47:55 -07:00
if ( ! config . usernameField ) config . usernameField = 'uid' ;
2019-10-31 11:46:00 -07:00
2019-10-30 09:35:30 -07:00
// bindDn may not be a dn!
2021-09-01 13:09:49 -07:00
if ( ! config . baseDn ) return new BoxError ( BoxError . BAD _FIELD , 'basedn must not be empty' ) ;
try { ldap . parseDN ( config . baseDn ) ; } catch ( e ) { return new BoxError ( BoxError . BAD _FIELD , 'invalid baseDn' ) ; }
2019-10-31 11:46:00 -07:00
2021-09-01 13:09:49 -07:00
if ( ! config . filter ) return new BoxError ( BoxError . BAD _FIELD , 'filter must not be empty' ) ;
try { ldap . parseFilter ( config . filter ) ; } catch ( e ) { return new BoxError ( BoxError . BAD _FIELD , 'invalid filter' ) ; }
2019-08-28 18:22:07 +02:00
2021-09-01 13:09:49 -07:00
if ( 'syncGroups' in config && typeof config . syncGroups !== 'boolean' ) return new BoxError ( BoxError . BAD _FIELD , 'syncGroups must be a boolean' ) ;
if ( 'acceptSelfSignedCerts' in config && typeof config . acceptSelfSignedCerts !== 'boolean' ) return new BoxError ( BoxError . BAD _FIELD , 'acceptSelfSignedCerts must be a boolean' ) ;
2020-06-07 13:49:01 +02:00
if ( config . syncGroups ) {
2021-09-01 13:09:49 -07:00
if ( ! config . groupBaseDn ) return new BoxError ( BoxError . BAD _FIELD , 'groupBaseDn must not be empty' ) ;
try { ldap . parseDN ( config . groupBaseDn ) ; } catch ( e ) { return new BoxError ( BoxError . BAD _FIELD , 'invalid groupBaseDn' ) ; }
2020-06-07 13:49:01 +02:00
2021-09-01 13:09:49 -07:00
if ( ! config . groupFilter ) return new BoxError ( BoxError . BAD _FIELD , 'groupFilter must not be empty' ) ;
try { ldap . parseFilter ( config . groupFilter ) ; } catch ( e ) { return new BoxError ( BoxError . BAD _FIELD , 'invalid groupFilter' ) ; }
2020-06-07 13:49:01 +02:00
2021-09-01 13:09:49 -07:00
if ( ! config . groupnameField || typeof config . groupnameField !== 'string' ) return new BoxError ( BoxError . BAD _FIELD , 'groupFilter must not be empty' ) ;
2020-06-07 13:49:01 +02:00
}
2021-09-01 13:09:49 -07:00
const [ error , client ] = await safe ( getClient ( config , { bind : true } ) ) ;
if ( error ) return error ;
2019-08-28 18:22:07 +02:00
2021-09-01 13:09:49 -07:00
const opts = {
filter : config . filter ,
scope : 'sub'
} ;
2019-08-28 18:22:07 +02:00
2021-09-01 13:09:49 -07:00
const [ searchError , ] = await safe ( clientSearch ( client , config . baseDn , opts ) ) ;
client . unbind ( ) ;
if ( searchError ) return searchError ;
2019-08-28 18:22:07 +02:00
2021-09-01 13:09:49 -07:00
return null ;
2019-08-28 18:22:07 +02:00
}
2021-10-26 18:04:25 +02:00
async function maybeCreateUser ( identifier ) {
2019-11-19 09:53:00 +01:00
assert . strictEqual ( typeof identifier , 'string' ) ;
2023-08-03 02:06:07 +05:30
const config = await getConfig ( ) ;
if ( config . provider === 'noop' ) throw new BoxError ( BoxError . BAD _STATE , 'not enabled' ) ;
if ( ! config . autoCreate ) throw new BoxError ( BoxError . BAD _STATE , 'auto create not enabled' ) ;
2019-11-19 09:53:00 +01:00
2023-08-03 02:06:07 +05:30
const ldapUsers = await ldapUserSearch ( config , { filter : ` ${ config . usernameField } = ${ identifier } ` } ) ;
2021-09-01 13:09:49 -07:00
if ( ldapUsers . length === 0 ) throw new BoxError ( BoxError . NOT _FOUND ) ;
if ( ldapUsers . length > 1 ) throw new BoxError ( BoxError . CONFLICT ) ;
2019-11-19 09:53:00 +01:00
2023-08-03 02:06:07 +05:30
const user = translateUser ( config , ldapUsers [ 0 ] ) ;
2021-09-01 13:09:49 -07:00
if ( ! validUserRequirements ( user ) ) throw new BoxError ( BoxError . BAD _FIELD ) ;
2019-11-19 09:53:00 +01:00
2023-03-12 15:09:20 +01:00
return await users . add ( user . email , { username : user . username , password : null , displayName : user . displayName , source : 'ldap' } , AuditSource . EXTERNAL _LDAP _AUTO _CREATE ) ;
2022-08-02 14:02:35 +02:00
}
2023-03-12 15:09:20 +01:00
async function verifyPassword ( user , password , totpToken ) {
2022-08-02 14:02:35 +02:00
assert . strictEqual ( typeof user , 'object' ) ;
assert . strictEqual ( typeof password , 'string' ) ;
2023-03-12 15:09:20 +01:00
assert ( totpToken === null || typeof totpToken === 'string' ) ;
2022-08-02 14:02:35 +02:00
2023-08-03 02:06:07 +05:30
const config = await getConfig ( ) ;
if ( config . provider === 'noop' ) throw new BoxError ( BoxError . BAD _STATE , 'not enabled' ) ;
2022-08-02 14:02:35 +02:00
2023-08-03 02:06:07 +05:30
const ldapUsers = await ldapUserSearch ( config , { filter : ` ${ config . usernameField } = ${ user . username } ` } ) ;
2022-08-02 14:02:35 +02:00
if ( ldapUsers . length === 0 ) throw new BoxError ( BoxError . NOT _FOUND ) ;
if ( ldapUsers . length > 1 ) throw new BoxError ( BoxError . CONFLICT ) ;
2023-08-03 02:06:07 +05:30
const client = await getClient ( config , { bind : false } ) ;
2022-08-02 14:02:35 +02:00
2023-03-12 15:09:20 +01:00
let userAuthDn ;
if ( totpToken ) {
// inject totptoken into first attribute
const rdns = ldapUsers [ 0 ] . dn . split ( ',' ) ;
userAuthDn = ` ${ rdns [ 0 ] } +totptoken= ${ totpToken } , ` + rdns . slice ( 1 ) . join ( ',' ) ;
} else {
userAuthDn = ldapUsers [ 0 ] . dn ;
}
2022-08-02 14:02:35 +02:00
2023-03-12 15:09:20 +01:00
const [ error ] = await safe ( util . promisify ( client . bind . bind ( client ) ) ( userAuthDn , password ) ) ;
2022-08-02 14:02:35 +02:00
client . unbind ( ) ;
if ( error instanceof ldap . InvalidCredentialsError ) throw new BoxError ( BoxError . INVALID _CREDENTIALS ) ;
2021-09-01 13:09:49 -07:00
if ( error ) throw new BoxError ( BoxError . EXTERNAL _ERROR , error ) ;
2020-07-01 14:59:26 +02:00
2023-08-03 02:06:07 +05:30
return translateUser ( config , ldapUsers [ 0 ] ) ;
2019-08-29 22:43:06 +02:00
}
2021-09-01 13:09:49 -07:00
async function startSyncer ( ) {
2023-08-03 02:06:07 +05:30
const config = await getConfig ( ) ;
if ( config . provider === 'noop' ) throw new BoxError ( BoxError . BAD _STATE , 'not enabled' ) ;
2019-08-28 18:22:07 +02:00
2021-09-01 13:09:49 -07:00
const taskId = await tasks . add ( tasks . TASK _SYNC _EXTERNAL _LDAP , [ ] ) ;
2021-07-12 23:35:30 -07:00
2021-09-01 13:09:49 -07:00
tasks . startTask ( taskId , { } , function ( error , result ) {
2023-04-16 10:49:59 +02:00
debug ( 'sync: done. %o %j' , error , result ) ;
2019-08-29 17:19:51 +02:00
} ) ;
2021-09-01 13:09:49 -07:00
return taskId ;
2019-08-29 17:19:51 +02:00
}
2023-08-03 02:06:07 +05:30
async function syncUsers ( config , progressCallback ) {
assert . strictEqual ( typeof config , 'object' ) ;
2019-08-29 17:19:51 +02:00
assert . strictEqual ( typeof progressCallback , 'function' ) ;
2023-08-03 02:06:07 +05:30
const ldapUsers = await ldapUserSearch ( config , { } ) ;
2019-08-29 17:19:51 +02:00
2021-09-01 13:09:49 -07:00
debug ( ` syncUsers: Found ${ ldapUsers . length } users ` ) ;
2019-08-29 17:19:51 +02:00
2021-09-01 13:09:49 -07:00
let percent = 10 ;
let step = 30 / ( ldapUsers . length + 1 ) ; // ensure no divide by 0
2019-08-29 22:56:48 +02:00
2021-09-01 13:09:49 -07:00
// we ignore all errors here and just log them for now
for ( let i = 0 ; i < ldapUsers . length ; i ++ ) {
2023-08-03 02:06:07 +05:30
let ldapUser = translateUser ( config , ldapUsers [ i ] ) ;
2021-09-01 13:09:49 -07:00
if ( ! validUserRequirements ( ldapUser ) ) continue ;
2019-10-25 16:58:15 -07:00
2021-09-01 13:09:49 -07:00
percent += step ;
progressCallback ( { percent , message : ` Syncing... ${ ldapUser . username } ` } ) ;
2021-09-01 14:37:09 +02:00
2021-09-01 13:09:49 -07:00
const user = await users . getByUsername ( ldapUser . username ) ;
2021-09-01 14:37:09 +02:00
2021-09-01 13:09:49 -07:00
if ( ! user ) {
debug ( ` syncUsers: [adding user] username= ${ ldapUser . username } email= ${ ldapUser . email } displayName= ${ ldapUser . displayName } ` ) ;
2021-09-30 09:50:30 -07:00
const [ userAddError ] = await safe ( users . add ( ldapUser . email , { username : ldapUser . username , password : null , displayName : ldapUser . displayName , source : 'ldap' } , AuditSource . EXTERNAL _LDAP _TASK ) ) ;
2023-04-16 10:49:59 +02:00
if ( userAddError ) debug ( 'syncUsers: Failed to create user. %j %o' , ldapUser , userAddError ) ;
2021-09-01 13:09:49 -07:00
} else if ( user . source !== 'ldap' ) {
2021-09-13 21:17:27 +02:00
debug ( ` syncUsers: [mapping user] username= ${ ldapUser . username } email= ${ ldapUser . email } displayName= ${ ldapUser . displayName } ` ) ;
2021-09-30 09:50:30 -07:00
const [ userMappingError ] = await safe ( users . update ( user , { email : ldapUser . email , fallbackEmail : ldapUser . email , displayName : ldapUser . displayName , source : 'ldap' } , AuditSource . EXTERNAL _LDAP _TASK ) ) ;
2023-04-16 10:49:59 +02:00
if ( userMappingError ) debug ( 'Failed to map user. %j %o' , ldapUser , userMappingError ) ;
2021-09-01 13:09:49 -07:00
} else if ( user . email !== ldapUser . email || user . displayName !== ldapUser . displayName ) {
debug ( ` syncUsers: [updating user] username= ${ ldapUser . username } email= ${ ldapUser . email } displayName= ${ ldapUser . displayName } ` ) ;
2021-09-30 09:50:30 -07:00
const [ userUpdateError ] = await safe ( users . update ( user , { email : ldapUser . email , fallbackEmail : ldapUser . email , displayName : ldapUser . displayName } , AuditSource . EXTERNAL _LDAP _TASK ) ) ;
2023-04-16 10:49:59 +02:00
if ( userUpdateError ) debug ( 'Failed to update user. %j %o' , ldapUser , userUpdateError ) ;
2021-09-01 13:09:49 -07:00
} else {
// user known and up-to-date
debug ( ` syncUsers: [up-to-date user] username= ${ ldapUser . username } email= ${ ldapUser . email } displayName= ${ ldapUser . displayName } ` ) ;
2021-09-01 14:37:09 +02:00
}
2021-09-01 13:09:49 -07:00
}
2019-10-30 14:37:48 -07:00
2021-09-01 13:09:49 -07:00
debug ( 'syncUsers: done' ) ;
2020-06-05 09:26:52 +02:00
}
2020-06-03 21:23:53 +02:00
2023-08-03 02:06:07 +05:30
async function syncGroups ( config , progressCallback ) {
assert . strictEqual ( typeof config , 'object' ) ;
2020-06-05 09:26:52 +02:00
assert . strictEqual ( typeof progressCallback , 'function' ) ;
2020-06-03 21:23:53 +02:00
2023-08-03 02:06:07 +05:30
if ( ! config . syncGroups ) {
2021-09-01 13:09:49 -07:00
debug ( 'syncGroups: Group sync is disabled' ) ;
2020-06-07 13:49:01 +02:00
progressCallback ( { percent : 70 , message : 'Skipping group sync...' } ) ;
2021-09-01 13:09:49 -07:00
return [ ] ;
2020-06-05 09:26:52 +02:00
}
2023-08-03 02:06:07 +05:30
const ldapGroups = await ldapGroupSearch ( config , { } ) ;
2020-06-04 13:26:13 +02:00
2021-09-01 13:09:49 -07:00
debug ( ` syncGroups: Found ${ ldapGroups . length } groups ` ) ;
2020-06-04 13:26:13 +02:00
2021-09-01 13:09:49 -07:00
let percent = 40 ;
let step = 30 / ( ldapGroups . length + 1 ) ; // ensure no divide by 0
2020-06-04 13:26:13 +02:00
2021-09-01 13:09:49 -07:00
// we ignore all non internal errors here and just log them for now
for ( const ldapGroup of ldapGroups ) {
2023-08-03 02:06:07 +05:30
let groupName = ldapGroup [ config . groupnameField ] ;
2021-09-01 13:09:49 -07:00
if ( ! groupName ) return ;
// some servers return empty array for unknown properties :-/
if ( typeof groupName !== 'string' ) return ;
2020-06-05 10:13:19 +02:00
2021-09-01 13:09:49 -07:00
// groups are lowercase
groupName = groupName . toLowerCase ( ) ;
2020-06-05 09:03:26 +02:00
2021-09-01 13:09:49 -07:00
percent += step ;
progressCallback ( { percent , message : ` Syncing... ${ groupName } ` } ) ;
2020-06-04 12:28:31 +02:00
2021-09-01 13:09:49 -07:00
const result = await groups . getByName ( groupName ) ;
2020-06-05 09:26:52 +02:00
2021-09-01 13:09:49 -07:00
if ( ! result ) {
debug ( ` syncGroups: [adding group] groupname= ${ groupName } ` ) ;
2020-06-05 09:26:52 +02:00
2021-09-01 13:09:49 -07:00
const [ error ] = await safe ( groups . add ( { name : groupName , source : 'ldap' } ) ) ;
if ( error ) debug ( 'syncGroups: Failed to create group' , groupName , error ) ;
} else {
debug ( ` syncGroups: [up-to-date group] groupname= ${ groupName } ` ) ;
}
}
2020-06-05 09:26:52 +02:00
2021-09-01 13:09:49 -07:00
debug ( 'syncGroups: sync done' ) ;
2020-06-05 09:26:52 +02:00
}
2023-08-03 02:06:07 +05:30
async function syncGroupUsers ( config , progressCallback ) {
assert . strictEqual ( typeof config , 'object' ) ;
2020-06-05 09:26:52 +02:00
assert . strictEqual ( typeof progressCallback , 'function' ) ;
2023-08-03 02:06:07 +05:30
if ( ! config . syncGroups ) {
2021-09-01 13:09:49 -07:00
debug ( 'syncGroupUsers: Group users sync is disabled' ) ;
2020-06-05 09:26:52 +02:00
progressCallback ( { percent : 99 , message : 'Skipping group users sync...' } ) ;
2021-09-01 13:09:49 -07:00
return [ ] ;
2020-06-05 09:26:52 +02:00
}
2021-09-01 13:09:49 -07:00
const allGroups = await groups . list ( ) ;
const ldapGroups = allGroups . filter ( function ( g ) { return g . source === 'ldap' ; } ) ;
debug ( ` syncGroupUsers: Found ${ ldapGroups . length } groups to sync users ` ) ;
for ( const group of ldapGroups ) {
debug ( ` syncGroupUsers: Sync users for group ${ group . name } ` ) ;
2023-08-03 02:06:07 +05:30
const result = await ldapGroupSearch ( config , { } ) ;
2021-09-01 13:09:49 -07:00
if ( ! result || result . length === 0 ) {
debug ( ` syncGroupUsers: Unable to find group ${ group . name } ignoring for now. ` ) ;
continue ;
}
// since our group names are lowercase we cannot use potentially case matching ldap filters
let found = result . find ( function ( r ) {
2023-08-03 02:06:07 +05:30
if ( ! r [ config . groupnameField ] ) return false ;
return r [ config . groupnameField ] . toLowerCase ( ) === group . name ;
2021-09-01 13:09:49 -07:00
} ) ;
if ( ! found ) {
debug ( ` syncGroupUsers: Unable to find group ${ group . name } ignoring for now. ` ) ;
continue ;
}
2023-07-31 13:12:39 +02:00
let ldapGroupMembers = found . member || found . uniquemember || [ ] ;
2021-09-01 13:09:49 -07:00
// if only one entry is in the group ldap returns a string, not an array!
if ( typeof ldapGroupMembers === 'string' ) ldapGroupMembers = [ ldapGroupMembers ] ;
debug ( ` syncGroupUsers: Group ${ group . name } has ${ ldapGroupMembers . length } members. ` ) ;
for ( const memberDn of ldapGroupMembers ) {
2023-08-03 02:06:07 +05:30
const [ ldapError , result ] = await safe ( ldapGetByDN ( config , memberDn ) ) ;
2021-09-01 13:09:49 -07:00
if ( ldapError ) {
2023-04-16 10:49:59 +02:00
debug ( ` syncGroupUsers: Failed to get ${ memberDn } : %o ` , ldapError ) ;
2021-09-01 13:09:49 -07:00
continue ;
}
debug ( ` syncGroupUsers: Found member object at ${ memberDn } adding to group ${ group . name } ` ) ;
2023-08-03 02:06:07 +05:30
const username = result [ config . usernameField ] . toLowerCase ( ) ;
2021-09-01 13:09:49 -07:00
if ( ! username ) continue ;
const [ getError , userObject ] = await safe ( users . getByUsername ( username ) ) ;
if ( getError || ! userObject ) {
2023-04-16 10:49:59 +02:00
debug ( ` syncGroupUsers: Failed to get user by username ${ username } . %o ` , getError ? getError : 'User not found' ) ;
2021-09-01 13:09:49 -07:00
continue ;
}
const [ addError ] = await safe ( groups . addMember ( group . id , userObject . id ) ) ;
2023-04-16 10:49:59 +02:00
if ( addError && addError . reason !== BoxError . ALREADY _EXISTS ) debug ( 'syncGroupUsers: Failed to add member. %o' , addError ) ;
2021-09-01 13:09:49 -07:00
}
}
debug ( 'syncGroupUsers: done' ) ;
2020-06-05 09:26:52 +02:00
}
2021-09-01 13:09:49 -07:00
async function sync ( progressCallback ) {
2020-06-05 09:26:52 +02:00
assert . strictEqual ( typeof progressCallback , 'function' ) ;
progressCallback ( { percent : 10 , message : 'Starting ldap user sync' } ) ;
2023-08-03 02:06:07 +05:30
const config = await getConfig ( ) ;
if ( config . provider === 'noop' ) throw new BoxError ( BoxError . BAD _STATE , 'not enabled' ) ;
2020-06-05 09:26:52 +02:00
2023-08-03 02:06:07 +05:30
await syncUsers ( config , progressCallback ) ;
await syncGroups ( config , progressCallback ) ;
await syncGroupUsers ( config , progressCallback ) ;
2020-06-05 09:26:52 +02:00
2021-09-01 13:09:49 -07:00
progressCallback ( { percent : 100 , message : 'Done' } ) ;
2020-06-05 09:26:52 +02:00
2021-09-01 13:09:49 -07:00
debug ( 'sync: done' ) ;
2019-08-28 18:22:07 +02:00
}
