Added newAccountsRights to SSO strategies
This commit is contained in:
parent
1d6c93f3c3
commit
e3360c8e4b
22
common.js
22
common.js
|
@ -269,4 +269,26 @@ module.exports.copyFile = function(source, target, cb) {
|
|||
wr.on('close', function (ex) { done(); });
|
||||
rd.pipe(wr);
|
||||
function done(err) { if (!cbCalled) { cb(err); cbCalled = true; } }
|
||||
}
|
||||
|
||||
module.exports.meshServerRightsArrayToNumber = function (val) {
|
||||
if (val == null) return null;
|
||||
if (typeof val == 'number') return val;
|
||||
if (Array.isArray(val)) {
|
||||
var newAccRights = 0;
|
||||
for (var j in val) {
|
||||
var r = val[j].toLowerCase();
|
||||
if (r == 'fulladmin') { newAccRights = 4294967295; } // 0xFFFFFFFF
|
||||
if (r == 'serverbackup') { newAccRights |= 1; }
|
||||
if (r == 'manageusers') { newAccRights |= 2; }
|
||||
if (r == 'serverrestore') { newAccRights |= 4; }
|
||||
if (r == 'fileaccess') { newAccRights |= 8; }
|
||||
if (r == 'serverupdate') { newAccRights |= 16; }
|
||||
if (r == 'locked') { newAccRights |= 32; }
|
||||
if (r == 'nonewgroups') { newAccRights |= 64; }
|
||||
if (r == 'notools') { newAccRights |= 128; }
|
||||
}
|
||||
return newAccRights;
|
||||
}
|
||||
return null;
|
||||
}
|
|
@ -1063,23 +1063,8 @@ function CreateMeshCentralServer(config, args) {
|
|||
if ((obj.config.domains[i].auth == 'ldap') || (obj.config.domains[i].auth == 'sspi')) { obj.config.domains[i].newaccounts = 0; } // No new accounts allowed in SSPI/LDAP authentication modes.
|
||||
|
||||
// Convert newAccountsRights from a array of strings to flags number.
|
||||
if (obj.config.domains[i].newaccountsrights && Array.isArray(obj.config.domains[i].newaccountsrights)) {
|
||||
var newAccRights = 0;
|
||||
for (var j in obj.config.domains[i].newaccountsrights) {
|
||||
var r = obj.config.domains[i].newaccountsrights[j].toLowerCase();
|
||||
if (r == 'fulladmin') { newAccRights = 4294967295; } // 0xFFFFFFFF
|
||||
if (r == 'serverbackup') { newAccRights |= 1; }
|
||||
if (r == 'manageusers') { newAccRights |= 2; }
|
||||
if (r == 'serverrestore') { newAccRights |= 4; }
|
||||
if (r == 'fileaccess') { newAccRights |= 8; }
|
||||
if (r == 'serverupdate') { newAccRights |= 16; }
|
||||
if (r == 'locked') { newAccRights |= 32; }
|
||||
if (r == 'nonewgroups') { newAccRights |= 64; }
|
||||
if (r == 'notools') { newAccRights |= 128; }
|
||||
}
|
||||
obj.config.domains[i].newaccountsrights = newAccRights;
|
||||
}
|
||||
if (obj.config.domains[i].newaccountsrights && (typeof (obj.config.domains[i].newaccountsrights) != 'number')) { delete obj.config.domains[i].newaccountsrights; }
|
||||
obj.config.domains[i].newaccountsrights = obj.common.meshServerRightsArrayToNumber(obj.config.domains[i].newaccountsrights);
|
||||
if (typeof (obj.config.domains[i].newaccountsrights) != 'number') { delete obj.config.domains[i].newaccountsrights; }
|
||||
|
||||
// Check if there is a web views path and/or web public path for this domain
|
||||
if ((__dirname.endsWith('/node_modules/meshcentral')) || (__dirname.endsWith('\\node_modules\\meshcentral')) || (__dirname.endsWith('/node_modules/meshcentral/')) || (__dirname.endsWith('\\node_modules\\meshcentral\\'))) {
|
||||
|
|
|
@ -212,6 +212,7 @@
|
|||
"_disableRequestedAuthnContext": true,
|
||||
"newAccounts": true,
|
||||
"_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
|
||||
"_newAccountsRights": [ "nonewgroups", "notools" ],
|
||||
"entityid": "meshcentral",
|
||||
"idpurl": "https://server/saml2",
|
||||
"cert": "saml.pem"
|
||||
|
|
|
@ -1845,6 +1845,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||
user = { type: 'user', _id: userid, name: req.user.name, email: req.user.email, creation: Math.floor(Date.now() / 1000), domain: domain.id };
|
||||
if (req.user.email != null) { user.email = req.user.email; user.emailVerified = true; }
|
||||
if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; } // New accounts automatically assigned server rights.
|
||||
if (domain.authstrategies[req.user.strategy].newaccountsrights) { user.siteadmin = obj.common.meshServerRightsArrayToNumber(domain.authstrategies[req.user.strategy].newaccountsrights); } // If there are specific SSO server rights, use these instead.
|
||||
if (newAccountRealms) { user.groups = newAccountRealms; } // New accounts automatically part of some groups (Realms).
|
||||
obj.users[userid] = user;
|
||||
|
||||
|
@ -4583,7 +4584,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
|||
path: (typeof domain.authstrategies.intel.callbackurl == 'string') ? domain.authstrategies.intel.callbackurl : (url + 'auth-intel-callback'),
|
||||
entryPoint: domain.authstrategies.intel.idpurl, issuer: 'meshcentral'
|
||||
};
|
||||
if (domain.authstrategies.saml.disablerequestedauthncontext != null) { options.disableRequestedAuthnContext = domain.authstrategies.saml.disablerequestedauthncontext; }
|
||||
if (domain.authstrategies.intel.disablerequestedauthncontext != null) { options.disableRequestedAuthnContext = domain.authstrategies.intel.disablerequestedauthncontext; }
|
||||
parent.debug('web', 'Adding Intel SSO with options: ' + JSON.stringify(options));
|
||||
if (typeof domain.authstrategies.intel.entityid == 'string') { options.issuer = domain.authstrategies.intel.entityid; }
|
||||
options.cert = cert.toString().split('-----BEGIN CERTIFICATE-----').join('').split('-----END CERTIFICATE-----').join('');
|
||||
|
|
Loading…
Reference in New Issue