MeshCentral will now auto-create LDAP user groups and sync users to their membership groups when the login using LDAP. (#4415)

This commit is contained in:
Ylian Saint-Hilaire 2022-08-21 21:19:34 -07:00
parent 2a42639f39
commit 8dd07495f5
3 changed files with 144 additions and 28 deletions

View File

@ -1514,11 +1514,11 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
db.Set(ugrp);
if (db.changeStream == false) { parent.userGroups[ugrpid] = ugrp; }
// Event the device group creation
// Event the user group creation
var event = { etype: 'ugrp', userid: user._id, username: user.name, ugrpid: ugrpid, name: ugrp.name, desc: ugrp.desc, action: 'createusergroup', links: ugrp.links, msgid: 69, msgArgv: [ugrp.name], msg: 'User group created: ' + ugrp.name, ugrpdomain: domain.id };
parent.parent.DispatchEvent(['*', ugrpid, user._id], obj, event); // Even if DB change stream is active, this event must be acted upon.
// Event any pending events, these must be sent out after the group creation event is displatched.
// Event any pending events, these must be sent out after the group creation event is dispatched.
for (var i in pendingDispatchEvents) { var ev = pendingDispatchEvents[i]; parent.parent.DispatchEvent(ev[0], ev[1], ev[2]); }
// Log in the auth log
@ -1561,6 +1561,13 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
}
var group = groups[0];
// If this user group is an externally managed user group, it can't be deleted unless there are no users in it.
if (group.membershipType != null) {
var userCount = 0;
if (group.links != null) { for (var i in group.links) { if (i.startsWith('user/')) { userCount++; } } }
if (userCount > 0) return;
}
// Unlink any user and meshes that have a link to this group
if (group.links) {
for (var i in group.links) {
@ -1621,7 +1628,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
change = '';
var group = parent.userGroups[command.ugrpid];
if (group != null) {
if ((common.validateString(command.name, 1, 64) == true) && (command.name != group.name)) { change = 'User group name changed from "' + group.name + '" to "' + command.name + '"'; group.name = command.name; }
// If this user group is an externally managed user group, the name of the user group can't be edited
if ((group.membershipType == null) && (common.validateString(command.name, 1, 64) == true) && (command.name != group.name)) { change = 'User group name changed from "' + group.name + '" to "' + command.name + '"'; group.name = command.name; }
if ((common.validateString(command.desc, 0, 1024) == true) && (command.desc != group.desc)) { if (change != '') change += ' and description changed'; else change += 'User group "' + group.name + '" description changed'; group.desc = command.desc; }
if ((typeof command.consent == 'number') && (command.consent != group.consent)) { if (change != '') change += ' and consent changed'; else change += 'User group "' + group.name + '" consent changed'; group.consent = command.consent; }
@ -5770,6 +5778,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Get the user group
var group = parent.userGroups[command.ugrpid];
if (group != null) {
// If this user group is an externally managed user group, we can't add users to it.
if ((group != null) && (group.membershipType != null)) return;
if (group.links == null) { group.links = {}; }
var unknownUsers = [], addedCount = 0, failCount = 0, knownUsers = [];
@ -5779,7 +5790,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
var chguser = parent.users[chguserid];
if (chguser == null) { chguserid = 'user/' + addUserDomain.id + '/' + command.usernames[i]; chguser = parent.users[chguserid]; }
if (chguser != null) {
// Add mesh to user
// Add usr group to user
if (chguser.links == null) { chguser.links = {}; }
chguser.links[group._id] = { rights: 1 };
db.SetUser(chguser);
@ -6235,6 +6246,12 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
var chguser = parent.users[command.userid];
if (chguser != null) {
// Get the user group
var group = parent.userGroups[command.ugrpid];
// If this user group is an externally managed user group, we can't remove a user from it.
if ((group != null) && (group.membershipType != null)) return;
if ((chguser.links != null) && (chguser.links[command.ugrpid] != null)) {
delete chguser.links[command.ugrpid];
@ -6248,8 +6265,6 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
parent.parent.DispatchEvent([chguser._id], obj, 'resubscribe');
}
// Get the user group
var group = parent.userGroups[command.ugrpid];
if (group != null) {
// Remove the user from the group
if ((group.links != null) && (group.links[command.userid] != null)) {

View File

@ -7539,7 +7539,7 @@
if (usergroups != null) {
var userGroupCount = 0, newUserGroup = false;
for (var i in usergroups) {
if (usergroups[i]._id.split('/')[1] != nodeid.split('/')[1]) continue;
if ((usergroups[i].membershipType != null) || (usergroups[i]._id.split('/')[1] != nodeid.split('/')[1])) continue;
userGroupCount++; if ((currentNode.links == null) || (currentNode.links[i] == null)) { newUserGroup = true; }
}
if ((userGroupCount > 0) && (newUserGroup)) { x += '<a href=# onclick="return p20showAddMeshUserDialog(6)" style=cursor:pointer;margin-right:10px><img src=images/icon-addnew.png border=0 height=12 width=12> ' + "Add User Group" + '</a>'; }
@ -12562,7 +12562,7 @@
if (usergroups != null) {
var userGroupCount = 0, newUserGroup = false;
for (var i in usergroups) {
if (usergroups[i]._id.split('/')[1] != currentMesh._id.split('/')[1]) continue;
if ((usergroups[i].membershipType != null) || (usergroups[i]._id.split('/')[1] != currentMesh._id.split('/')[1])) continue;
userGroupCount++;
if ((currentMesh.links == null) || (currentMesh.links[i] == null)) { newUserGroup = true; }
}
@ -13035,7 +13035,7 @@
if (selected == null) {
var ousergroups = getOrderedList(usergroups, 'name');
for (var i in ousergroups) {
if (currentNode._id.split('/')[1] != ousergroups[i]._id.split('/')[1]) continue;
if ((ousergroups[i].membershipType != null) || (currentNode._id.split('/')[1] != ousergroups[i]._id.split('/')[1])) continue;
if ((currentNode.links == null) || (currentNode.links[ousergroups[i]._id] == null)) { y += '<option value=' + encodeURIComponentEx(ousergroups[i]._id) + '>' + EscapeHtml(ousergroups[i].name) + '</option>'; }
}
} else {
@ -15151,7 +15151,7 @@
// Add user group name
var gname = EscapeHtml(group.name);
if (gname.length == 0) { gname = '<i>' + "None" + '</i>'; }
if ((userinfo.siteadmin & 256) != 0) { gname = '<span tabindex=0 title="' + "Click here to edit the user group name" + '" onclick=p51editgroup(1) onkeyup="if (event.key == \'Enter\') p51editgroup(1)" style=cursor:pointer>' + gname + ' <img class=hoverButton src="images/link5.png" /></span>'; }
if ((currentUserGroup.membershipType == null) && ((userinfo.siteadmin & 256) != 0)) { gname = '<span tabindex=0 title="' + "Click here to edit the user group name" + '" onclick=p51editgroup(1) onkeyup="if (event.key == \'Enter\') p51editgroup(1)" style=cursor:pointer>' + gname + ' <img class=hoverButton src="images/link5.png" /></span>'; }
QH('p51groupName', gname);
var usercount = 0, meshcount = 0, devicecount = 0;
@ -15172,8 +15172,11 @@
x += addDeviceAttribute("Domain", (d != '')?EscapeHtml(d):('<i>' + "Default" + '</i>'));
x += addDeviceAttribute("Group Identifier", EscapeHtml(group._id));
}
if (currentUserGroup.membershipType != null) {
x += addDeviceAttribute("Group Type", EscapeHtml(currentUserGroup.membershipType));
}
if ((userinfo.siteadmin & 256) != 0) {
x += addDeviceAttribute("Description", '<span onclick=p51editgroup(2) style=cursor:pointer>' + desc + ' <img class=hoverButton src="images/link5.png" /></span>');
x += addDeviceAttribute("Description", '<span onclick=p51editgroup(2,' + (currentUserGroup.membershipType != null) + ') style=cursor:pointer>' + desc + ' <img class=hoverButton src="images/link5.png" /></span>');
} else {
x += addDeviceAttribute("Description", desc);
}
@ -15217,7 +15220,7 @@
QH('p51group', x);
x = '<br />';
if ((userinfo.siteadmin & 256) != 0) {
if ((currentUserGroup.membershipType == null) && ((userinfo.siteadmin & 256) != 0)) {
x += '<a href=# onclick="return p51showAddUserDialog()" style=cursor:pointer;margin-right:10px><img src=images/icon-addnew.png border=0 height=12 width=12> ' + "Add Users" + '</a>';
}
x += '<table style="color:black;background-color:#EEE;border-color:#AAA;border-width:1px;border-style:solid;border-collapse:collapse" border=0 cellpadding=2 cellspacing=0 width=100%><tbody><tr style=background-color:#AAAAAA;font-weight:bold><th scope=col style=text-align:left;width:430px>' + "Group Members" + '</th><th scope=col style=text-align:left></th></tr>';
@ -15235,7 +15238,8 @@
// Display all users for this user group
for (var i in sortedusers) {
var trash = '<a href=# onclick=\'return p51deleteUser(event,"' + encodeURIComponentEx(sortedusers[i].id) + '")\' title="' + "Remove user rights to this device group" + '" style=cursor:pointer><img src=images/trash.png border=0 height=10 width=10></a>';
var trash = '';
if (currentUserGroup.membershipType == null) { trash = '<a href=# onclick=\'return p51deleteUser(event,"' + encodeURIComponentEx(sortedusers[i].id) + '")\' title="' + "Remove user rights to this device group" + '" style=cursor:pointer><img src=images/trash.png border=0 height=10 width=10></a>'; }
var username = EscapeHtml(decodeURIComponent(sortedusers[i].name));
if (users != null) { username = '<a href=# onclick=\'gotoUser("' + encodeURIComponentEx(sortedusers[i].id) + '");haltEvent(event);\'>' + username + '</a>'; }
x += '<tr ' + (((count % 2) == 0) ? 'style=background-color:#DDD' : '') + '><td><div title="' + "User" + '" class=m2></div><div>&nbsp;' + username + '<div></div></div></td><td><div style=float:right>' + trash + '</div></td></tr>';
@ -15294,7 +15298,7 @@
if (count == 1) { x += '<tr><td><div style=padding:6px>&nbsp;<i>' + "No devices in common" + '</i><div></div></div></td><td></td></tr>'; }
x += '</tbody></table>';
if ((userinfo.siteadmin & 256) != 0) {
if (((currentUserGroup.membershipType == null) || (usercount == 0)) && ((userinfo.siteadmin & 256) != 0)) {
x += '<div style=font-size:small;text-align:right><span><a href=# onclick=p51showDeleteUserGroupDialog() style=cursor:pointer>' + "Delete User Group" + '</a></span></div>';
}
@ -15349,9 +15353,9 @@
meshserver.send({ action: 'removemeshuser', meshid: meshid, userid: currentUserGroup._id });
}
function p51editgroup(focus) {
function p51editgroup(focus, nameReadOnly) {
if (xxdialogMode) return;
var x = addHtmlValue("Name", '<input id=dp51name style=width:230px maxlength=32 onchange=p51editgroupValidate() onkeyup=p51editgroupValidate(event) />');
var x = addHtmlValue("Name", '<input id=dp51name style=width:230px maxlength=32 onchange=p51editgroupValidate() onkeyup=p51editgroupValidate(event) ' + (nameReadOnly ? 'readonly disabled' : '') + '/>');
x += addHtmlValue("Description", '<div style=width:230px;margin:0;padding:0><textarea id=dp51desc maxlength=1024 style=width:100%;resize:none></textarea></div>');
setDialogMode(2, "Edit User Group", 3, p51editgroupEx, x);
Q('dp51name').value = currentUserGroup.name;
@ -15893,7 +15897,7 @@
if ((userinfo.siteadmin & 256) != 0) {
var userGroupCount = 0, newUserGroup = false;
for (var i in usergroups) {
if (usergroups[i]._id.split('/')[1] != currentUser._id.split('/')[1]) continue;
if ((usergroups[i].membershipType != null) || (usergroups[i]._id.split('/')[1] != currentUser._id.split('/')[1])) continue;
userGroupCount++;
if ((currentUser.links == null) || (currentUser.links[i] == null)) { newUserGroup = true; }
}
@ -15911,7 +15915,7 @@
groupname = EscapeHtml(group.name);
if (usergroups != null) { groupname = '<a href=# onclick=\'gotoUserGroup("' + encodeURIComponentEx(ougroups[i]._id) + '");haltEvent(event);\'>' + groupname + '</a>'; }
}
if ((userinfo.siteadmin & 256) != 0) { trash = '<a href=# onclick=\'return p30RemoveUserGroup(event,"' + encodeURIComponentEx(ougroups[i]._id) + '")\' title="' + "Remove user group membership" + '" style=cursor:pointer><img src=images/trash.png border=0 height=10 width=10></a>'; }
if ((group.membershipType == null) && ((userinfo.siteadmin & 256) != 0)) { trash = '<a href=# onclick=\'return p30RemoveUserGroup(event,"' + encodeURIComponentEx(ougroups[i]._id) + '")\' title="' + "Remove user group membership" + '" style=cursor:pointer><img src=images/trash.png border=0 height=10 width=10></a>'; }
x += '<tr ' + (((++count % 2) == 0) ? 'style=background-color:#DDD' : '') + '><td><div title="' + "User Group" + '" class=m4></div><div>&nbsp;' + groupname + '<div></div></div></td><td><div style=float:right>' + trash + '</div></td></tr>';
}
}
@ -15986,7 +15990,7 @@
if (xxdialogMode || (usergroups == null)) return;
var y = '';
for (var i in usergroups) {
if (usergroups[i]._id.split('/')[1] != currentUser._id.split('/')[1]) continue;
if ((usergroups[i].membershipType != null) || (usergroups[i]._id.split('/')[1] != currentUser._id.split('/')[1])) continue;
if ((currentUser.links == null) || (currentUser.links[i] == null)) { y += '<option value=' + encodeURIComponentEx(i) + '>' + EscapeHtml(usergroups[i].name) + '</option>'; }
}
var x = addHtmlValue("User Group", '<div style=width:230px;margin:0;padding:0><select id=dp2groupid style=width:100%>' + y + '</select></div>');

View File

@ -472,21 +472,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if (username == null) { username = shortname; }
var userid = 'user/' + domain.id + '/' + shortname;
// Get the list of groups this user is a member of.
var userMemberships = xxuser[(typeof domain.ldapusergroups == 'string') ? domain.ldapusergroups : 'memberOf'];
if (typeof userMemberships == 'string') { userMemberships = [userMemberships]; }
if (Array.isArray(userMemberships) == false) { userMemberships = []; }
// See if the user is required to be part of an LDAP user group in order to log into this server.
if (typeof domain.ldapuserrequiredgroupmembership == 'string') { domain.ldapuserrequiredgroupmembership = [domain.ldapuserrequiredgroupmembership]; }
if (Array.isArray(domain.ldapuserrequiredgroupmembership) && (domain.ldapuserrequiredgroupmembership.length > 0)) {
// We must be part of a LDAP user group, lets get the list of groups this user is a member of.
const memberOfKey = (typeof domain.ldapusergroups == 'string') ? domain.ldapusergroups : 'memberOf';
var userMemberships = xxuser[memberOfKey];
if (typeof userMemberships == 'string') { userMemberships = [userMemberships]; }
if (Array.isArray(userMemberships) == false) { userMemberships = []; }
// Look for a matching LDAP user group
var userMembershipMatch = false;
for (var i in domain.ldapuserrequiredgroupmembership) { if (userMemberships.indexOf(domain.ldapuserrequiredgroupmembership[i]) >= 0) { userMembershipMatch = true; } }
// If there is no match, deny the login
if (userMembershipMatch === false) { fn('denied'); return; }
if (userMembershipMatch === false) { fn('denied'); return; } // If there is no match, deny the login
}
// Get the email address for this LDAP user
@ -578,6 +575,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Indicate that this user has a image
if (userimage != null) { user.flags = 1; }
// Synd the user with LDAP matching user groups
if (syncExternalUserGroups(domain, user, userMemberships, 'ldap') == true) { userChanged = true; }
obj.users[user._id] = user;
obj.db.SetUser(user);
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountcreate', msgid: 128, msgArgs: [user.name], msg: 'Account created, name is ' + user.name, domain: domain.id };
@ -612,6 +612,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if ((userimage != null) && ((user.flags == null) || ((user.flags & 1) == 0))) { if (user.flags == null) { user.flags = 1; } else { user.flags += 1; } userChanged = true; }
if ((userimage == null) && (user.flags != null) && ((user.flags & 1) != 0)) { if (user.flags == 1) { delete user.flags; } else { user.flags -= 1; } userChanged = true; }
// Synd the user with LDAP matching user groups
if (syncExternalUserGroups(domain, user, userMemberships, 'ldap') == true) { userChanged = true; }
// If the user changed, save the changes to the database here
if (userChanged) {
obj.db.SetUser(user);
@ -8694,5 +8697,99 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
return r;
}
// Sync an account with an external user group.
// Return true if the user was changed
function syncExternalUserGroups(domain, user, userMemberships, userMembershipType) {
var userChanged = false;
if (user.links == null) { user.links = {}; }
// Create a user of memberships for this user that type
var existingUserMemberships = {};
for (var i in user.links) {
if (i.startsWith('ugrp/') && (obj.userGroups[i] != null) && (obj.userGroups[i].membershipType == userMembershipType)) { existingUserMemberships[i] = obj.userGroups[i]; }
}
// Go thru the list user memberships and create and add to any user groups as needed
for (var i in userMemberships) {
const membership = userMemberships[i];
var ugrpid = 'ugrp/' + domain.id + '/' + obj.crypto.createHash('sha384').update(membership).digest('base64').replace(/\+/g, '@').replace(/\//g, '$');
var ugrp = obj.userGroups[ugrpid];
if (ugrp == null) {
// This user group does not exist, create it
ugrp = { type: 'ugrp', _id: ugrpid, name: membership, domain: domain.id, membershipType: userMembershipType, links: {} };
// Save the new group
db.Set(ugrp);
if (db.changeStream == false) { obj.userGroups[ugrpid] = ugrp; }
// Event the user group creation
var event = { etype: 'ugrp', ugrpid: ugrpid, name: ugrp.name, action: 'createusergroup', links: ugrp.links, msgid: 69, msgArgv: [ugrp.name], msg: 'User group created: ' + ugrp.name, ugrpdomain: domain.id };
parent.DispatchEvent(['*', ugrpid, user._id], obj, event); // Even if DB change stream is active, this event must be acted upon.
// Log in the auth log
if (parent.authlog) { parent.authLog('https', 'Created ' + userMembershipType + ' user group ' + ugrp.name); }
}
if (existingUserMemberships[ugrpid] == null) {
// This user is not part of the user group, add it.
if (user.links == null) { user.links = {}; }
user.links[ugrp._id] = { rights: 1 };
userChanged = true;
db.SetUser(user);
parent.DispatchEvent([user._id], obj, 'resubscribe');
// Notify user change
var targets = ['*', 'server-users', user._id];
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msgid: 67, msgArgs: [user.name], msg: 'User group membership changed: ' + user.name, domain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
parent.DispatchEvent(targets, obj, event);
// Add a user to the user group
ugrp.links[user._id] = { userid: user._id, name: user.name, rights: 1 };
db.Set(ugrp);
// Notify user group change
var event = { etype: 'ugrp', userid: user._id, username: user.name, ugrpid: ugrp._id, name: ugrp.name, desc: ugrp.desc, action: 'usergroupchange', links: ugrp.links, msgid: 71, msgArgs: [user.name, ugrp.name], msg: 'Added user(s) ' + user.name + ' to user group ' + ugrp.name, addUserDomain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user group. Another event will come.
parent.DispatchEvent(['*', ugrp._id, user._id], obj, event);
} else {
// User is already part of this user group
delete existingUserMemberships[ugrpid];
}
}
// Remove the user from any memberships they don't belong to anymore
for (var ugrpid in existingUserMemberships) {
var ugrp = obj.userGroups[ugrpid];
if ((user.links != null) && (user.links[ugrpid] != null)) {
delete user.links[ugrpid];
// Notify user change
var targets = ['*', 'server-users', user._id, user._id];
var event = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msgid: 67, msgArgs: [user.name], msg: 'User group membership changed: ' + user.name, domain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user. Another event will come.
parent.DispatchEvent(targets, obj, event);
db.SetUser(user);
parent.DispatchEvent([user._id], obj, 'resubscribe');
}
if (ugrp != null) {
// Remove the user from the group
if ((ugrp.links != null) && (ugrp.links[user._id] != null)) {
delete ugrp.links[user._id];
db.Set(ugrp);
// Notify user group change
var event = { etype: 'ugrp', userid: user._id, username: user.name, ugrpid: ugrp._id, name: ugrp.name, desc: ugrp.desc, action: 'usergroupchange', links: ugrp.links, msgid: 72, msgArgs: [user.name, ugrp.name], msg: 'Removed user ' + user.name + ' from user group ' + ugrp.name, domain: domain.id };
if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to change the user group. Another event will come.
parent.DispatchEvent(['*', ugrp._id, user._id], obj, event);
}
}
}
return userChanged;
}
return obj;
};