diff --git a/common.js b/common.js
index 721de3b6..b1d5d6a6 100644
--- a/common.js
+++ b/common.js
@@ -269,4 +269,26 @@ module.exports.copyFile = function(source, target, cb) {
 wr.on('close', function (ex) { done(); });
 rd.pipe(wr);
 function done(err) { if (!cbCalled) { cb(err); cbCalled = true; } }
+}
+
+module.exports.meshServerRightsArrayToNumber = function (val) {
+ if (val == null) return null;
+ if (typeof val == 'number') return val;
+ if (Array.isArray(val)) {
+ var newAccRights = 0;
+ for (var j in val) {
+ var r = val[j].toLowerCase();
+ if (r == 'fulladmin') { newAccRights = 4294967295; } // 0xFFFFFFFF
+ if (r == 'serverbackup') { newAccRights |= 1; }
+ if (r == 'manageusers') { newAccRights |= 2; }
+ if (r == 'serverrestore') { newAccRights |= 4; }
+ if (r == 'fileaccess') { newAccRights |= 8; }
+ if (r == 'serverupdate') { newAccRights |= 16; }
+ if (r == 'locked') { newAccRights |= 32; }
+ if (r == 'nonewgroups') { newAccRights |= 64; }
+ if (r == 'notools') { newAccRights |= 128; }
+ }
+ return newAccRights;
+ }
+ return null;
 }
\ No newline at end of file
diff --git a/meshcentral.js b/meshcentral.js
index 8cade757..b38e4811 100644
--- a/meshcentral.js
+++ b/meshcentral.js
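Review bot: In meshServerRightsArrayToNumber the `fulladmin` case is order-dependent: `newAccRights = 4294967295` followed by any later `|=` collapses the value to the signed 32-bit `-1`, so `["fulladmin", "notools"]` yields -1 while `["notools", "fulladmin"]` yields 4294967295, and any caller that tests for full admin by equality with 0xFFFFFFFF rather than by bit mask will treat the two configurations differently. Returning as soon as the name is seen, `if (r == 'fulladmin') { return 4294967295; } // 0xFFFFFFFF: full rights, return now so a later |= cannot sign-wrap the value`, removes the dependence. Two smaller points: `val[j].toLowerCase()` throws a TypeError on a non-string element, and an unrecognised name is silently ignored, which matters most when the dropped flag is a restriction such as `locked`, `nonewgroups` or `notools`; a guard like `if (typeof val[j] != 'string') continue;` plus a logged warning or a thrown error for unknown names would surface the misconfiguration when the value is loaded. `for (var j in val)` also walks any enumerable property added to Array.prototype, so `for (var j = 0; j < val.length; j++)` is the safer loop here.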
@@ -1063,23 +1063,8 @@ function CreateMeshCentralServer(config, args) {
 if ((obj.config.domains[i].auth == 'ldap') || (obj.config.domains[i].auth == 'sspi')) { obj.config.domains[i].newaccounts = 0; } // No new accounts allowed in SSPI/LDAP authentication modes.
 // Convert newAccountsRights from a array of strings to flags number.
- if (obj.config.domains[i].newaccountsrights && Array.isArray(obj.config.domains[i].newaccountsrights)) {
- var newAccRights = 0;
- for (var j in obj.config.domains[i].newaccountsrights) {
- var r = obj.config.domains[i].newaccountsrights[j].toLowerCase();
- if (r == 'fulladmin') { newAccRights = 4294967295; } // 0xFFFFFFFF
- if (r == 'serverbackup') { newAccRights |= 1; }
- if (r == 'manageusers') { newAccRights |= 2; }
- if (r == 'serverrestore') { newAccRights |= 4; }
- if (r == 'fileaccess') { newAccRights |= 8; }
- if (r == 'serverupdate') { newAccRights |= 16; }
- if (r == 'locked') { newAccRights |= 32; }
- if (r == 'nonewgroups') { newAccRights |= 64; }
- if (r == 'notools') { newAccRights |= 128; }
- }
- obj.config.domains[i].newaccountsrights = newAccRights;
- }
- if (obj.config.domains[i].newaccountsrights && (typeof (obj.config.domains[i].newaccountsrights) != 'number')) { delete obj.config.domains[i].newaccountsrights; }
+ obj.config.domains[i].newaccountsrights = obj.common.meshServerRightsArrayToNumber(obj.config.domains[i].newaccountsrights);
+ if (typeof (obj.config.domains[i].newaccountsrights) != 'number') { delete obj.config.domains[i].newaccountsrights; }
 // Check if there is a web views path and/or web public path for this domain
 if ((__dirname.endsWith('/node_modules/meshcentral')) || (__dirname.endsWith('\\node_modules\\meshcentral')) || (__dirname.endsWith('/node_modules/meshcentral/')) || (__dirname.endsWith('\\node_modules\\meshcentral\\'))) {
diff --git a/sample-config-advanced.json b/sample-config-advanced.json
index 34a17c8c..e9cba05a 100644
--- a/sample-config-advanced.json
+++ b/sample-config-advanced.json
@@ -212,6 +212,7 @@
 "_disableRequestedAuthnContext": true,
 "newAccounts": true,
 "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
+ "_newAccountsRights": [ "nonewgroups", "notools" ],
 "entityid": "meshcentral",
 "idpurl": "https://server/saml2",
 "cert": "saml.pem"
diff --git a/webserver.js b/webserver.js
index 61610964..0f9f9d45 100644
--- a/webserver.js
+++ b/webserver.js
@@ -1845,6 +1845,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 user = { type: 'user', _id: userid, name: req.user.name, email: req.user.email, creation: Math.floor(Date.now() / 1000), domain: domain.id };
 if (req.user.email != null) { user.email = req.user.email; user.emailVerified = true; }
 if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; } // New accounts automatically assigned server rights.
+ if (domain.authstrategies[req.user.strategy].newaccountsrights) { user.siteadmin = obj.common.meshServerRightsArrayToNumber(domain.authstrategies[req.user.strategy].newaccountsrights); } // If there are specific SSO server rights, use these instead.
 if (newAccountRealms) { user.groups = newAccountRealms; } // New accounts automatically part of some groups (Realms).
 obj.users[userid] = user;
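Review bot: The added line in the webserver.js hunk indexes `domain.authstrategies[req.user.strategy]` without checking that either exists, so a strategy name with no matching config block throws a TypeError inside the account-creation path, whereas the line above it only guards `domain.newaccountsrights`. It also assigns the helper's return value unconditionally, so a per-strategy value the helper cannot interpret (a string, for example) sets `user.siteadmin = null` and discards the domain-level default chosen on the previous line. Suggested replacement: `var strategyRights = ((domain.authstrategies != null) && (domain.authstrategies[req.user.strategy] != null)) ? obj.common.meshServerRightsArrayToNumber(domain.authstrategies[req.user.strategy].newaccountsrights) : null;` followed by `if (typeof strategyRights == 'number') { user.siteadmin = strategyRights; } // If there are specific SSO server rights, use these instead.` Since meshcentral.js already normalises the domain-level newaccountsrights to a number at startup, normalising each authstrategies[*].newaccountsrights there as well would make a malformed SSO rights list fail at load time rather than on the first SSO login, and remove the per-login conversion. The enclosing function starts and ends outside the hunk.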
@@ -4583,7 +4584,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { path: (typeof domain.authstrategies.intel.callbackurl == 'string') ? domain.authstrategies.intel.callbackurl : (url + 'auth-intel-callback'), entryPoint: domain.authstrategies.intel.idpurl, issuer: 'meshcentral' }; - if (domain.authstrategies.saml.disablerequestedauthncontext != null) { options.disableRequestedAuthnContext = domain.authstrategies.saml.disablerequestedauthncontext; } + if (domain.authstrategies.intel.disablerequestedauthncontext != null) { options.disableRequestedAuthnContext = domain.authstrategies.intel.disablerequestedauthncontext; } parent.debug('web', 'Adding Intel SSO with options: ' + JSON.stringify(options)); if (typeof domain.authstrategies.intel.entityid == 'string') { options.issuer = domain.authstrategies.intel.entityid; } options.cert = cert.toString().split('-----BEGIN CERTIFICATE-----').join('').split('-----END CERTIFICATE-----').join('');