2019-08-28 18:22:07 +02:00
'use strict' ;
exports = module . exports = {
2019-11-19 09:53:00 +01:00
search : search ,
2019-08-29 22:43:06 +02:00
verifyPassword : verifyPassword ,
2019-11-19 09:53:00 +01:00
createAndVerifyUserIfNotExist : createAndVerifyUserIfNotExist ,
2019-08-29 22:43:06 +02:00
2019-08-28 18:22:07 +02:00
testConfig : testConfig ,
2019-08-29 17:19:51 +02:00
startSyncer : startSyncer ,
2019-08-28 18:22:07 +02:00
2019-10-25 15:58:11 -07:00
injectPrivateFields : injectPrivateFields ,
removePrivateFields : removePrivateFields ,
2019-08-28 18:22:07 +02:00
sync : sync
} ;
var assert = require ( 'assert' ) ,
2019-08-29 22:56:48 +02:00
async = require ( 'async' ) ,
2019-10-30 11:02:21 -07:00
auditSource = require ( './auditsource.js' ) ,
2019-10-24 13:41:41 -07:00
BoxError = require ( './boxerror.js' ) ,
2019-10-25 15:58:11 -07:00
constants = require ( './constants.js' ) ,
2019-08-30 19:11:27 +02:00
debug = require ( 'debug' ) ( 'box:externalldap' ) ,
2019-08-28 18:22:07 +02:00
ldap = require ( 'ldapjs' ) ,
settings = require ( './settings.js' ) ,
2019-08-29 17:19:51 +02:00
tasks = require ( './tasks.js' ) ,
2019-10-24 15:12:58 -07:00
users = require ( './users.js' ) ;
2019-08-28 18:22:07 +02:00
2019-10-25 15:58:11 -07:00
function injectPrivateFields ( newConfig , currentConfig ) {
if ( newConfig . bindPassword === constants . SECRET _PLACEHOLDER ) newConfig . bindPassword = currentConfig . bindPassword ;
}
function removePrivateFields ( ldapConfig ) {
assert . strictEqual ( typeof ldapConfig , 'object' ) ;
if ( ldapConfig . bindPassword ) ldapConfig . bindPassword = constants . SECRET _PLACEHOLDER ;
return ldapConfig ;
}
2019-11-19 09:53:00 +01:00
function translateUser ( ldapConfig , ldapUser ) {
assert . strictEqual ( typeof ldapConfig , 'object' ) ;
return {
username : ldapUser [ ldapConfig . usernameField ] ,
email : ldapUser . mail ,
displayName : ldapUser . cn // user.giveName + ' ' + user.sn
} ;
}
function validUserRequirements ( user ) {
if ( ! user . username || ! user . email || ! user . displayName ) {
debug ( ` [LDAP user empty username/email/displayName] username= ${ user . username } email= ${ user . email } displayName= ${ user . displayName } ` ) ;
return false ;
} else {
return true ;
}
}
2019-08-28 18:22:07 +02:00
// performs service bind if required
2019-08-29 17:19:51 +02:00
function getClient ( externalLdapConfig , callback ) {
2019-10-30 14:37:48 -07:00
assert . strictEqual ( typeof externalLdapConfig , 'object' ) ;
2019-08-28 18:22:07 +02:00
assert . strictEqual ( typeof callback , 'function' ) ;
2019-08-29 22:51:27 +02:00
// basic validation to not crash
2019-10-24 13:41:41 -07:00
try { ldap . parseDN ( externalLdapConfig . baseDn ) ; } catch ( e ) { return callback ( new BoxError ( BoxError . BAD _FIELD , 'invalid baseDn' ) ) ; }
try { ldap . parseFilter ( externalLdapConfig . filter ) ; } catch ( e ) { return callback ( new BoxError ( BoxError . BAD _FIELD , 'invalid filter' ) ) ; }
2019-08-29 22:51:27 +02:00
2019-08-29 17:19:51 +02:00
var client ;
try {
client = ldap . createClient ( { url : externalLdapConfig . url } ) ;
} catch ( e ) {
2019-10-24 13:41:41 -07:00
if ( e instanceof ldap . ProtocolError ) return callback ( new BoxError ( BoxError . BAD _FIELD , 'url protocol is invalid' ) ) ;
return callback ( new BoxError ( BoxError . INTERNAL _ERROR , e ) ) ;
2019-08-29 17:19:51 +02:00
}
2019-08-28 18:22:07 +02:00
2019-08-29 17:19:51 +02:00
if ( ! externalLdapConfig . bindDn ) return callback ( null , client ) ;
2019-08-28 18:22:07 +02:00
2019-08-29 17:19:51 +02:00
client . bind ( externalLdapConfig . bindDn , externalLdapConfig . bindPassword , function ( error ) {
2019-10-24 13:41:41 -07:00
if ( error instanceof ldap . InvalidCredentialsError ) return callback ( new BoxError ( BoxError . INVALID _CREDENTIALS ) ) ;
if ( error ) return callback ( new BoxError ( BoxError . EXTERNAL _ERROR , error ) ) ;
2019-08-28 18:22:07 +02:00
2019-08-29 17:19:51 +02:00
callback ( null , client , externalLdapConfig ) ;
2019-08-28 18:22:07 +02:00
} ) ;
}
2019-11-19 09:53:00 +01:00
// TODO support search by email
2019-10-30 14:37:48 -07:00
function ldapSearch ( externalLdapConfig , options , callback ) {
assert . strictEqual ( typeof externalLdapConfig , 'object' ) ;
assert . strictEqual ( typeof options , 'object' ) ;
assert . strictEqual ( typeof callback , 'function' ) ;
getClient ( externalLdapConfig , function ( error , client ) {
if ( error ) return callback ( error ) ;
let searchOptions = {
paged : true ,
filter : ldap . parseFilter ( externalLdapConfig . filter ) ,
scope : 'sub' // We may have to make this configurable
} ;
if ( options . filter ) { // https://github.com/ldapjs/node-ldapjs/blob/master/docs/filters.md
let extraFilter = ldap . parseFilter ( options . filter ) ;
searchOptions . filter = new ldap . AndFilter ( { filters : [ extraFilter , searchOptions . filter ] } ) ;
}
debug ( ` Listing users at ${ externalLdapConfig . baseDn } with filter ${ searchOptions . filter . toString ( ) } ` ) ;
client . search ( externalLdapConfig . baseDn , searchOptions , function ( error , result ) {
if ( error instanceof ldap . NoSuchObjectError ) return callback ( new BoxError ( BoxError . NOT _FOUND ) ) ;
if ( error ) return callback ( new BoxError ( BoxError . EXTERNAL _ERROR , error ) ) ;
let ldapUsers = [ ] ;
result . on ( 'searchEntry' , entry => ldapUsers . push ( entry . object ) ) ;
result . on ( 'error' , error => callback ( new BoxError ( BoxError . EXTERNAL _ERROR , error ) ) ) ;
result . on ( 'end' , function ( result ) {
client . unbind ( ) ;
if ( result . status !== 0 ) return callback ( new BoxError ( BoxError . EXTERNAL _ERROR , 'Server returned status ' + result . status ) ) ;
callback ( null , ldapUsers ) ;
} ) ;
} ) ;
} ) ;
}
2019-08-28 18:22:07 +02:00
function testConfig ( config , callback ) {
assert . strictEqual ( typeof config , 'object' ) ;
assert . strictEqual ( typeof callback , 'function' ) ;
2019-10-25 15:40:22 -07:00
if ( config . provider === 'noop' ) return callback ( ) ;
2019-08-29 12:28:41 +02:00
2019-10-24 13:41:41 -07:00
if ( ! config . url ) return callback ( new BoxError ( BoxError . BAD _FIELD , 'url must not be empty' ) ) ;
2019-10-31 11:46:00 -07:00
if ( ! config . url . startsWith ( 'ldap://' ) && ! config . url . startsWith ( 'ldaps://' ) ) return callback ( new BoxError ( BoxError . BAD _FIELD , 'url is missing ldap:// or ldaps:// prefix' ) ) ;
2019-10-25 15:47:55 -07:00
if ( ! config . usernameField ) config . usernameField = 'uid' ;
2019-10-31 11:46:00 -07:00
2019-10-30 09:35:30 -07:00
// bindDn may not be a dn!
2019-10-31 11:46:00 -07:00
if ( ! config . baseDn ) return callback ( new BoxError ( BoxError . BAD _FIELD , 'basedn must not be empty' ) ) ;
try { ldap . parseDN ( config . baseDn ) ; } catch ( e ) { return callback ( new BoxError ( BoxError . BAD _FIELD , 'invalid baseDn' ) ) ; }
if ( ! config . filter ) return callback ( new BoxError ( BoxError . BAD _FIELD , 'filter must not be empty' ) ) ;
try { ldap . parseFilter ( config . filter ) ; } catch ( e ) { return callback ( new BoxError ( BoxError . BAD _FIELD , 'invalid filter' ) ) ; }
2019-08-28 18:22:07 +02:00
2019-08-29 17:19:51 +02:00
getClient ( config , function ( error , client ) {
2019-08-29 14:21:07 +02:00
if ( error ) return callback ( error ) ;
2019-08-28 18:22:07 +02:00
var opts = {
filter : config . filter ,
scope : 'sub'
} ;
client . search ( config . baseDn , opts , function ( error , result ) {
2019-10-24 13:41:41 -07:00
if ( error ) return callback ( new BoxError ( BoxError . EXTERNAL _ERROR , error ) ) ;
2019-08-28 18:22:07 +02:00
2019-10-23 15:57:01 -07:00
result . on ( 'searchEntry' , function ( /* entry */ ) { } ) ;
2019-10-25 16:58:15 -07:00
result . on ( 'error' , function ( error ) { client . unbind ( ) ; callback ( new BoxError ( BoxError . BAD _FIELD , ` Unable to search directory: ${ error . message } ` ) ) ; } ) ;
result . on ( 'end' , function ( /* result */ ) { client . unbind ( ) ; callback ( ) ; } ) ;
2019-08-28 18:22:07 +02:00
} ) ;
} ) ;
}
2019-11-19 09:53:00 +01:00
function search ( identifier , callback ) {
assert . strictEqual ( typeof identifier , 'string' ) ;
assert . strictEqual ( typeof callback , 'function' ) ;
settings . getExternalLdapConfig ( function ( error , externalLdapConfig ) {
if ( error ) return callback ( error ) ;
if ( externalLdapConfig . provider === 'noop' ) return callback ( new BoxError ( BoxError . BAD _STATE , 'not enabled' ) ) ;
ldapSearch ( externalLdapConfig , { filter : ` ${ externalLdapConfig . usernameField } = ${ identifier } ` } , function ( error , ldapUsers ) {
if ( error ) return callback ( error ) ;
// translate ldap properties to ours
2019-11-19 09:53:00 +01:00
let users = ldapUsers . map ( function ( u ) { return translateUser ( externalLdapConfig , u ) ; } ) ;
2019-11-19 09:53:00 +01:00
callback ( null , users ) ;
} ) ;
} ) ;
}
2019-11-19 09:53:00 +01:00
function createAndVerifyUserIfNotExist ( identifier , password , callback ) {
assert . strictEqual ( typeof identifier , 'string' ) ;
assert . strictEqual ( typeof password , 'string' ) ;
assert . strictEqual ( typeof callback , 'function' ) ;
settings . getExternalLdapConfig ( function ( error , externalLdapConfig ) {
if ( error ) return callback ( error ) ;
if ( externalLdapConfig . provider === 'noop' ) return callback ( new BoxError ( BoxError . BAD _STATE , 'not enabled' ) ) ;
if ( ! externalLdapConfig . autoCreate ) return callback ( new BoxError ( BoxError . BAD _STATE , 'auto create not enabled' ) ) ;
2019-11-20 10:46:06 +01:00
ldapSearch ( externalLdapConfig , { filter : ` ${ externalLdapConfig . usernameField } = ${ identifier } ` } , function ( error , ldapUsers ) {
2019-11-19 09:53:00 +01:00
if ( error ) return callback ( error ) ;
2019-11-20 10:46:06 +01:00
if ( ldapUsers . length === 0 ) return callback ( new BoxError ( BoxError . NOT _FOUND ) ) ;
if ( ldapUsers . length > 1 ) return callback ( new BoxError ( BoxError . CONFLICT ) ) ;
2019-11-19 09:53:00 +01:00
2019-11-20 10:46:06 +01:00
let user = translateUser ( externalLdapConfig , ldapUsers [ 0 ] ) ;
2019-11-19 09:53:00 +01:00
if ( ! validUserRequirements ( user ) ) return callback ( new BoxError ( BoxError . BAD _FIELD ) ) ;
users . create ( user . username , null /* password */ , user . email , user . displayName , { source : 'ldap' } , auditSource . EXTERNAL _LDAP _AUTO _CREATE , function ( error , user ) {
if ( error ) {
console . error ( 'Failed to auto create user' , user . username , error ) ;
return callback ( new BoxError ( BoxError . INTERNAL _ERROR ) ) ;
}
verifyPassword ( user , password , function ( error ) {
if ( error ) return callback ( error ) ;
callback ( null , user ) ;
} ) ;
} ) ;
} ) ;
} ) ;
}
2019-08-29 22:43:06 +02:00
function verifyPassword ( user , password , callback ) {
assert . strictEqual ( typeof user , 'object' ) ;
assert . strictEqual ( typeof password , 'string' ) ;
assert . strictEqual ( typeof callback , 'function' ) ;
settings . getExternalLdapConfig ( function ( error , externalLdapConfig ) {
2019-10-24 18:32:33 -07:00
if ( error ) return callback ( error ) ;
2019-10-25 15:40:22 -07:00
if ( externalLdapConfig . provider === 'noop' ) return callback ( new BoxError ( BoxError . BAD _STATE , 'not enabled' ) ) ;
2019-08-29 22:43:06 +02:00
2019-10-30 14:37:48 -07:00
ldapSearch ( externalLdapConfig , { filter : ` ${ externalLdapConfig . usernameField } = ${ user . username } ` } , function ( error , ldapUsers ) {
2019-08-29 22:43:06 +02:00
if ( error ) return callback ( error ) ;
2019-10-30 14:37:48 -07:00
if ( ldapUsers . length === 0 ) return callback ( new BoxError ( BoxError . NOT _FOUND ) ) ;
if ( ldapUsers . length > 1 ) return callback ( new BoxError ( BoxError . CONFLICT ) ) ;
2019-08-29 22:43:06 +02:00
2019-10-30 14:37:48 -07:00
let client = ldap . createClient ( { url : externalLdapConfig . url } ) ;
2019-11-19 09:53:00 +01:00
client . bind ( ldapUsers [ 0 ] . dn , password , function ( error ) {
2019-10-24 13:41:41 -07:00
if ( error instanceof ldap . InvalidCredentialsError ) return callback ( new BoxError ( BoxError . INVALID _CREDENTIALS ) ) ;
if ( error ) return callback ( new BoxError ( BoxError . EXTERNAL _ERROR , error ) ) ;
2019-08-29 22:43:06 +02:00
2019-11-19 09:53:00 +01:00
callback ( null , translateUser ( externalLdapConfig , ldapUsers [ 0 ] ) ) ;
2019-08-29 22:43:06 +02:00
} ) ;
} ) ;
} ) ;
}
2019-08-29 17:19:51 +02:00
function startSyncer ( callback ) {
2019-08-28 18:22:07 +02:00
assert . strictEqual ( typeof callback , 'function' ) ;
2019-08-29 17:19:51 +02:00
settings . getExternalLdapConfig ( function ( error , externalLdapConfig ) {
2019-10-24 18:32:33 -07:00
if ( error ) return callback ( error ) ;
2019-10-25 15:40:22 -07:00
if ( externalLdapConfig . provider === 'noop' ) return callback ( new BoxError ( BoxError . BAD _STATE , 'not enabled' ) ) ;
2019-08-28 18:22:07 +02:00
2019-08-29 17:19:51 +02:00
tasks . add ( tasks . TASK _SYNC _EXTERNAL _LDAP , [ ] , function ( error , taskId ) {
2019-10-24 18:32:33 -07:00
if ( error ) return callback ( error ) ;
2019-08-28 18:22:07 +02:00
2019-08-29 17:19:51 +02:00
tasks . startTask ( taskId , { } , function ( error , result ) {
debug ( 'sync: done' , error , result ) ;
2019-08-28 18:22:07 +02:00
} ) ;
2019-08-29 17:19:51 +02:00
callback ( null , taskId ) ;
} ) ;
} ) ;
}
function sync ( progressCallback , callback ) {
assert . strictEqual ( typeof progressCallback , 'function' ) ;
assert . strictEqual ( typeof callback , 'function' ) ;
2019-11-04 12:05:35 -08:00
progressCallback ( { percent : 10 , message : 'Starting ldap user sync' } ) ;
2019-08-30 19:11:27 +02:00
2019-08-29 17:19:51 +02:00
settings . getExternalLdapConfig ( function ( error , externalLdapConfig ) {
2019-10-24 18:32:33 -07:00
if ( error ) return callback ( error ) ;
2019-10-25 15:40:22 -07:00
if ( externalLdapConfig . provider === 'noop' ) return callback ( new BoxError ( BoxError . BAD _STATE , 'not enabled' ) ) ;
2019-08-29 17:19:51 +02:00
2019-10-30 14:37:48 -07:00
ldapSearch ( externalLdapConfig , { } , function ( error , ldapUsers ) {
2019-08-29 17:19:51 +02:00
if ( error ) return callback ( error ) ;
2019-10-30 14:37:48 -07:00
debug ( ` Found ${ ldapUsers . length } users ` ) ;
2019-11-04 12:05:35 -08:00
let percent = 10 ;
let step = 90 / ( ldapUsers . length + 1 ) ; // ensure no divide by 0
2019-08-29 22:56:48 +02:00
2019-10-30 14:37:48 -07:00
// we ignore all errors here and just log them for now
async . eachSeries ( ldapUsers , function ( user , iteratorCallback ) {
2019-11-19 09:53:00 +01:00
user = translateUser ( externalLdapConfig , user ) ;
2019-10-25 15:47:55 -07:00
2019-11-19 09:53:00 +01:00
if ( ! validUserRequirements ( user ) ) return iteratorCallback ( ) ;
2019-10-25 16:58:15 -07:00
2019-11-04 12:05:35 -08:00
percent += step ;
2019-11-19 09:53:00 +01:00
progressCallback ( { percent , message : ` Syncing... ${ user . username } ` } ) ;
2019-11-04 12:05:35 -08:00
2019-11-19 09:53:00 +01:00
users . getByUsername ( user . username , function ( error , result ) {
2019-10-30 14:37:48 -07:00
if ( error && error . reason !== BoxError . NOT _FOUND ) {
2019-11-19 09:53:00 +01:00
debug ( ` Could not find user with username ${ user . username } : ${ error . message } ` ) ;
2019-11-14 17:39:55 -08:00
return iteratorCallback ( ) ;
2019-10-30 14:37:48 -07:00
}
2019-08-29 22:56:48 +02:00
2019-10-30 14:37:48 -07:00
if ( error ) {
2019-11-19 09:53:00 +01:00
debug ( ` [adding user] username= ${ user . username } email= ${ user . email } displayName= ${ user . displayName } ` ) ;
2019-08-29 23:13:23 +02:00
2019-11-19 09:53:00 +01:00
users . create ( user . username , null /* password */ , user . email , user . displayName , { source : 'ldap' } , auditSource . EXTERNAL _LDAP _TASK , function ( error ) {
2019-10-30 14:37:48 -07:00
if ( error ) console . error ( 'Failed to create user' , user , error ) ;
2019-11-14 17:39:55 -08:00
iteratorCallback ( ) ;
2019-10-30 14:37:48 -07:00
} ) ;
} else if ( result . source !== 'ldap' ) {
2019-11-19 09:53:00 +01:00
debug ( ` [conflicting user] username= ${ user . username } email= ${ user . email } displayName= ${ user . displayName } ` ) ;
2019-08-29 23:13:23 +02:00
2019-11-14 17:39:55 -08:00
iteratorCallback ( ) ;
2019-11-19 09:53:00 +01:00
} else if ( result . email !== user . email || result . displayName !== user . displayName ) {
debug ( ` [updating user] username= ${ user . username } email= ${ user . email } displayName= ${ user . displayName } ` ) ;
2019-10-25 16:13:41 -07:00
2020-02-13 20:45:00 -08:00
users . update ( result , { email : user . email , fallbackEmail : user . email , displayName : user . displayName } , auditSource . EXTERNAL _LDAP _TASK , function ( error ) {
2019-10-30 14:37:48 -07:00
if ( error ) debug ( 'Failed to update user' , user , error ) ;
2019-10-25 16:13:41 -07:00
2019-11-14 17:39:55 -08:00
iteratorCallback ( ) ;
2019-08-29 22:56:48 +02:00
} ) ;
2019-10-30 14:37:48 -07:00
} else {
// user known and up-to-date
2019-11-19 09:53:00 +01:00
debug ( ` [up-to-date user] username= ${ user . username } email= ${ user . email } displayName= ${ user . displayName } ` ) ;
2019-10-30 14:37:48 -07:00
2019-11-14 17:39:55 -08:00
iteratorCallback ( ) ;
2019-10-30 14:37:48 -07:00
}
2019-08-29 17:19:51 +02:00
} ) ;
2019-10-30 14:37:48 -07:00
} , function ( error ) {
debug ( 'sync: ldap sync is done' , error ) ;
callback ( error ) ;
2019-08-28 18:22:07 +02:00
} ) ;
} ) ;
} ) ;
}
