From 5619948d31206a5a3d241b08ec0d2087a6705a83 Mon Sep 17 00:00:00 2001 From: mstrhakr <37352843+mstrhakr@users.noreply.github.com> Date: Tue, 6 Sep 2022 00:29:22 -0400 Subject: [PATCH] Added Group Support to OIDC Supports choosing groups to.. -Allow or restrict login to server -Sync with user groups (with / without filter) -Grant or revoke site admin privileges --- meshcentral.js | 2 +- webserver.js | 159 +++++++++++++++++++++++++++++++++++++++---------- 2 files changed, 128 insertions(+), 33 deletions(-) diff --git a/meshcentral.js b/meshcentral.js index 25624fbd..5baee7ee 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -3941,7 +3941,7 @@ function mainStart() { if ((typeof config.domains[i].authstrategies.github == 'object') && (typeof config.domains[i].authstrategies.github.clientid == 'string') && (typeof config.domains[i].authstrategies.github.clientsecret == 'string') && (passport.indexOf('passport-github2') == -1)) { passport.push('passport-github2'); } if ((typeof config.domains[i].authstrategies.reddit == 'object') && (typeof config.domains[i].authstrategies.reddit.clientid == 'string') && (typeof config.domains[i].authstrategies.reddit.clientsecret == 'string') && (passport.indexOf('passport-reddit') == -1)) { passport.push('passport-reddit'); } if ((typeof config.domains[i].authstrategies.azure == 'object') && (typeof config.domains[i].authstrategies.azure.clientid == 'string') && (typeof config.domains[i].authstrategies.azure.clientsecret == 'string') && (typeof config.domains[i].authstrategies.azure.tenantid == 'string') && (passport.indexOf('passport-azure-oauth2') == -1)) { passport.push('passport-azure-oauth2'); passport.push('jwt-simple'); } - if ((typeof config.domains[i].authstrategies.oidc == 'object') && (typeof config.domains[i].authstrategies.oidc.clientid == 'string') && (typeof config.domains[i].authstrategies.oidc.clientsecret == 'string') && (typeof config.domains[i].authstrategies.oidc.issuer == 'string') && (passport.indexOf('passport-openidconnect') == -1)) { passport.push('passport-openidconnect'); passport.push('openid-client'); } + if ((typeof config.domains[i].authstrategies.oidc == 'object') && (typeof config.domains[i].authstrategies.oidc.clientid == 'string') && (typeof config.domains[i].authstrategies.oidc.clientsecret == 'string') && (typeof config.domains[i].authstrategies.oidc.issuer == 'string') && (passport.indexOf('@mstrhakr/passport-openidconnect') == -1)) { passport.push('@mstrhakr/passport-openidconnect'); passport.push('openid-client'); } if ((typeof config.domains[i].authstrategies.saml == 'object') || (typeof config.domains[i].authstrategies.jumpcloud == 'object')) { passport.push('passport-saml'); } } if (config.domains[i].sessionrecording != null) { sessionRecording = true; } diff --git a/webserver.js b/webserver.js index 1e6b1c16..494f77ce 100644 --- a/webserver.js +++ b/webserver.js @@ -2492,9 +2492,70 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF // This is called after a succesful Oauth to Twitter, Google, GitHub... function handleStrategyLogin(req, res) { const domain = checkUserIpAddress(req, res); + const authStrategy = req.user.strategy if (domain == null) { return; } - parent.debug('web', 'handleStrategyLogin: ' + JSON.stringify(req.user)); + parent.debug(authStrategy, 'handleStrategyLogin: ' + JSON.stringify(req.user)); if ((req.user != null) && (req.user.sid != null)) { + + // Check if any group related options exist + if (typeof domain.authstrategies[authStrategy].groups !== 'undefined' && domain.authstrategies[authStrategy].groups !== null) { + if (typeof req.user.groups !== 'undefined' && req.user.groups !== null) { var userMemberships = req.user.groups; } + if (typeof userMemberships == 'string') { userMemberships = [userMemberships]; } + if (Array.isArray(userMemberships) == false) { userMemberships = []; } + parent.debug(authStrategy, `Groups: Reported User Memberships from IdP: ${userMemberships.join(', ')}`); + + // See if the user is required to be part of a specific group in order to log into this server. + if (typeof domain.authstrategies[authStrategy].groups.required !== 'undefined' && domain.authstrategies[authStrategy].groups.required !== null){ + if (typeof domain.authstrategies[authStrategy].groups.required == 'string') { domain.authstrategies[authStrategy].groups.required = [domain.authstrategies[authStrategy].groups.required]; } + if (Array.isArray(domain.authstrategies[authStrategy].groups.required) && (domain.authstrategies[authStrategy].groups.required.length > 0)) { + var userMembershipMatch = false; + for (var i in domain.authstrategies[authStrategy].groups.required) { + if (userMemberships.indexOf(domain.authstrategies[authStrategy].groups.required[i]) >= 0) { + userMembershipMatch = true; + parent.debug(authStrategy, `Groups: User found in required group: ${domain.authstrategies[authStrategy].groups.required[i]}`); + } + } + if (userMembershipMatch === false) { parent.debug(authStrategy, 'Groups: DENIED - User not found in required group.'); fn('denied'); return;} + } + } + + // Check if user is in admin group + var siteadminGroup = false + if (typeof domain.authstrategies[authStrategy].groups.siteadmin !== 'undefined' && domain.authstrategies[authStrategy].groups.siteadmin !== null) { + if (typeof domain.authstrategies[authStrategy].groups.siteadmin == 'string') { domain.authstrategies[authStrategy].groups.siteadmin = [domain.authstrategies[authStrategy].groups.siteadmin]; } + if (Array.isArray(domain.authstrategies[authStrategy].groups.siteadmin) && (domain.authstrategies[authStrategy].groups.siteadmin.length > 0)) { + for (var i in domain.authstrategies[authStrategy].groups.siteadmin) { + if (userMemberships.indexOf(domain.authstrategies[authStrategy].groups.siteadmin[i]) >= 0) { + siteadminGroup = true; + } + } + } + } + + // See if we need to sync user-memberships (IdP) with user-groups (meshcentral) + if (domain.authstrategies[authStrategy].groups.sync.enabled === true || domain.authstrategies[authStrategy].groups.sync === true) { + if (domain.authstrategies[authStrategy].groups.sync === true) { domain.authstrategies[authStrategy].groups.sync = {"enabled":true}; } + if (typeof domain.authstrategies[authStrategy].groups.sync.filter !== 'undefined' && domain.authstrategies[authStrategy].groups.sync.filter !== null) { + const filteredMemberships = []; + if (typeof domain.authstrategies[authStrategy].groups.sync.filter == 'string') { domain.authstrategies[authStrategy].groups.sync.filter = [domain.authstrategies[authStrategy].groups.sync.filter]; } + if (Array.isArray(domain.authstrategies[authStrategy].groups.sync.filter)) { + for (var i in userMemberships) { + for (var j in domain.authstrategies[authStrategy].groups.sync.filter) { + if (userMemberships[i].indexOf(domain.authstrategies[authStrategy].groups.sync.filter[j]) >= 0) { filteredMemberships.push(userMemberships[i]); } + } + } + } + if (Array.isArray(filteredMemberships)) { + if (filteredMemberships.length > 0) { + parent.debug(authStrategy, `Groups: Filtered user memberships from config: ${filteredMemberships.join(', ')}`); + } + } else { + parent.debug(authStrategy, `Groups: No groups found with filter: ${domain.authstrategies[authStrategy].groups.sync.filter.join(', ')}`); + } + userMemberships = filteredMemberships; + } + } + } const userid = 'user/' + domain.id + '/' + req.user.sid; var user = obj.users[userid]; if (user == null) { @@ -2504,25 +2565,25 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF if (domain.newaccounts === true) { newAccountAllowed = true; } if (obj.common.validateStrArray(domain.newaccountrealms)) { newAccountRealms = domain.newaccountrealms; } - if ((domain.authstrategies != null) && (domain.authstrategies[req.user.strategy] != null)) { - if (domain.authstrategies[req.user.strategy].newaccounts === true) { newAccountAllowed = true; } - if (obj.common.validateStrArray(domain.authstrategies[req.user.strategy].newaccountrealms)) { newAccountRealms = domain.authstrategies[req.user.strategy].newaccountrealms; } + if ((domain.authstrategies != null) && (domain.authstrategies[authStrategy] != null)) { + if (domain.authstrategies[authStrategy].newaccounts === true) { newAccountAllowed = true; } + if (obj.common.validateStrArray(domain.authstrategies[authStrategy].newaccountrealms)) { newAccountRealms = domain.authstrategies[req.user.strategy].newaccountrealms; } } if (newAccountAllowed === true) { // Create the user - parent.debug('web', 'handleStrategyLogin: creating new user: ' + userid); + parent.debug(authStrategy, 'handleStrategyLogin: creating new user: ' + userid); user = { type: 'user', _id: userid, name: req.user.name, email: req.user.email, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), access: Math.floor(Date.now() / 1000), domain: domain.id }; if (req.user.email != null) { user.email = req.user.email; user.emailVerified = true; } if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; } // New accounts automatically assigned server rights. - if (domain.authstrategies[req.user.strategy].newaccountsrights) { user.siteadmin = obj.common.meshServerRightsArrayToNumber(domain.authstrategies[req.user.strategy].newaccountsrights); } // If there are specific SSO server rights, use these instead. + if (domain.authstrategies[authStrategy].newaccountsrights) { user.siteadmin = obj.common.meshServerRightsArrayToNumber(domain.authstrategies[req.user.strategy].newaccountsrights); } // If there are specific SSO server rights, use these instead. if (newAccountRealms) { user.groups = newAccountRealms; } // New accounts automatically part of some groups (Realms). obj.users[userid] = user; // Auto-join any user groups var newaccountsusergroups = null; if (typeof domain.newaccountsusergroups == 'object') { newaccountsusergroups = domain.newaccountsusergroups; } - if (typeof domain.authstrategies[req.user.strategy].newaccountsusergroups == 'object') { newaccountsusergroups = domain.authstrategies[req.user.strategy].newaccountsusergroups; } + if (typeof domain.authstrategies[authStrategy].newaccountsusergroups == 'object') { newaccountsusergroups = domain.authstrategies[req.user.strategy].newaccountsusergroups; } if (newaccountsusergroups) { for (var i in newaccountsusergroups) { var ugrpid = newaccountsusergroups[i]; @@ -2545,6 +2606,17 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF } } + + // Sync the user groups if enabled + if (domain.authstrategies[authStrategy].groups.sync.enabled === true) { syncExternalUserGroups(domain, user, userMemberships, authStrategy) } + + // See if the user is a member of the site admin group. + if (typeof domain.authstrategies[authStrategy].groups.siteadmin !== 'undefined' && domain.authstrategies[authStrategy].groups.siteadmin !== null) + if (siteadminGroup === true && user.siteadmin != 4294967295) { + parent.debug(authStrategy, `Groups: GRANTING ADMIN PRIVLEGE - User found in admin group: ${domain.authstrategies[authStrategy].groups.siteadmin[i]}`); + user.siteadmin = 4294967295; + } + // Save the user obj.db.SetUser(user); @@ -2565,18 +2637,36 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF obj.parent.DispatchEvent(targets, obj, loginEvent); } else { // New users not allowed - parent.debug('web', 'handleStrategyLogin: Can\'t create new accounts'); + parent.debug(authStrategy, 'handleStrategyLogin: Can\'t create new accounts'); req.session.loginmode = 1; req.session.messageid = 100; // Unable to create account. res.redirect(domain.url + getQueryPortion(req)); return; } - } else { - // Login success - var userChange = false; - if ((req.user.name != null) && (req.user.name != user.name)) { user.name = req.user.name; userChange = true; } - if ((req.user.email != null) && (req.user.email != user.email)) { user.email = req.user.email; user.emailVerified = true; userChange = true; } - if (userChange) { + } else { // Login success + // Check for basic changes + var userChanged = false; + if ((req.user.name != null) && (req.user.name != user.name)) { user.name = req.user.name; userChanged = true; } + if ((req.user.email != null) && (req.user.email != user.email)) { user.email = req.user.email; user.emailVerified = true; userChanged = true; } + + // Sync the user groups if enabled + if (domain.authstrategies[authStrategy].groups.sync.enabled === true) { syncExternalUserGroups(domain, user, userMemberships, authStrategy) } + + // See if the user is a member of the site admin group. + if (typeof domain.authstrategies[authStrategy].groups.siteadmin !== 'undefined' && domain.authstrategies[authStrategy].groups.siteadmin !== null) { + if (siteadminGroup === true && user.siteadmin != 4294967295) { + parent.debug(authStrategy, 'Groups: GRANTING ADMIN PRIVLEGE - User found in admin group.'); + user.siteadmin = 4294967295; + userChanged = true; + } else if (siteadminGroup === false && user.siteadmin == 4294967295) { + parent.debug(authStrategy, 'Groups: REVOKING ADMIN PRIVLEGE - User NOT found in admin group!'); + user.siteadmin = null; + userChanged = true; + } + } + + // Update db record for user if there are changes detected + if (userChanged) { obj.db.SetUser(user); // Event user change @@ -2585,7 +2675,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF if (db.changeStream) { event.noact = 1; } // If DB change stream is active, don't use this event to create the user. Another event will come. parent.DispatchEvent(targets, obj, event); } - parent.debug('web', 'handleStrategyLogin: succesful login: ' + userid); + parent.debug(authStrategy, 'handleStrategyLogin: succesful login: ' + userid); req.session.userid = userid; setSessionRandom(req); @@ -2596,7 +2686,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login', domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], twoFactorType: 'sso' }; obj.parent.DispatchEvent(targets, obj, loginEvent); } - } + } else { parent.debug('warn', 'handleStrategyLogin: FAILED - No user'); } //res.redirect(domain.url); // This does not handle cookie correctly. res.set('Content-Type', 'text/html'); res.end(''); @@ -6895,33 +6985,38 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF // Generic OpenID Connect if ((typeof domain.authstrategies.oidc == 'object') && (typeof domain.authstrategies.oidc.clientid == 'string') && (typeof domain.authstrategies.oidc.clientsecret == 'string') && (typeof domain.authstrategies.oidc.issuer == 'string')) { - const OIDCStrategy = require('passport-openidconnect'); + const OIDCStrategy = require('@mstrhakr/passport-openidconnect'); var options = { issuer: domain.authstrategies.oidc.issuer, clientID: domain.authstrategies.oidc.clientid, clientSecret: domain.authstrategies.oidc.clientsecret, - scope: ['profile email'], + scope: ['profile', 'email', 'groups'], }; async function discoverOptions(options){ if ((typeof domain.authstrategies.oidc.authorizationurl != 'string') || (typeof domain.authstrategies.oidc.tokenurl != 'string') || (typeof domain.authstrategies.oidc.userinfourl != 'string')) { const Issuer = require('openid-client').Issuer; - parent.debug('web', 'Attempting to discover well known endpoints for ' + options.issuer); + parent.debug('oidc', 'Attempting to discover well known endpoints for ' + options.issuer); var issuer = await Issuer.discover(options.issuer) if (typeof domain.authstrategies.oidc.authorizationurl == 'string') { options.authorizationURL = domain.authstrategies.oidc.authorizationurl; } else { options.authorizationURL = issuer.metadata.authorization_endpoint; } if (typeof domain.authstrategies.oidc.tokenurl == 'string') { options.tokenURL = domain.authstrategies.oidc.tokenurl; } else { options.tokenURL = issuer.metadata.token_endpoint; } if (typeof domain.authstrategies.oidc.userinfourl == 'string') { options.userInfoURL = domain.authstrategies.oidc.userinfourl; } else { options.userInfoURL = issuer.metadata.userinfo_endpoint; } if (typeof domain.authstrategies.oidc.callbackurl == 'string') { options.callbackURL = domain.authstrategies.oidc.callbackurl; } else { options.callbackURL = url + 'oidc-callback'; } + parent.debug('oidc', 'Discovered ' + JSON.stringify(options)); } - parent.debug('web', 'Discovered ' + JSON.stringify(options)); - return options + return options; } - discoverOptions(options).then((options)=>{passport.use('oidc-' + domain.id, new OIDCStrategy.Strategy(options, - function verify(issuer, profile, verified) { - var user = { sid: '~oidc:' + profile.id, name: profile.displayName, email: profile.email, strategy: 'oidc' }; - parent.debug('AUTH', `OIDC: Configured user: ${JSON.stringify(user)} using ${issuer}`); - return verified(null, user); - } - ))}); + discoverOptions(options).then((options)=>{ + passport.use('oidc-' + domain.id, new OIDCStrategy.Strategy(options, + function verify(issuer, profile, verified) { + parent.debug('oidc', 'Connecting to ' + issuer + ' with the following options ' + JSON.stringify(options)); + var user = { sid: '~oidc:' + profile.id, name: profile.displayName, strategy: 'oidc' }; + if ( Array.isArray(profile.emails[0].value) ) { user.email = profile.emails[0].value[0]; } else { user.email = profile.emails[0].value; } + if ( Array.isArray(profile.groups[0].value) ) { user.groups = profile.groups[0].value; } else { user.groups = [profile.groups[0].value]; } + parent.debug('oidc', `Configured: User: ${JSON.stringify(user)} FROM Profile: ${JSON.stringify(profile)}`); + return verified(null, user); + } + )) + }); authStrategyFlags |= domainAuthStrategyConsts.oidc; } @@ -8821,7 +8916,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF function syncExternalUserGroups(domain, user, userMemberships, userMembershipType) { var userChanged = false; if (user.links == null) { user.links = {}; } - + var authType = userMembershipType // Create a user of memberships for this user that type var existingUserMemberships = {}; for (var i in user.links) { @@ -8835,7 +8930,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF var ugrp = obj.userGroups[ugrpid]; if (ugrp == null) { // This user group does not exist, create it - parent.debug('ldap', 'Creating new LDAP user group ' + userMemberships[i] + '.'); + parent.debug(authType, 'Creating new ' + authType + ' user group ' + userMemberships[i] + '.'); ugrp = { type: 'ugrp', _id: ugrpid, name: membership, domain: domain.id, membershipType: userMembershipType, links: {} }; // Save the new group @@ -8852,7 +8947,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF if (existingUserMemberships[ugrpid] == null) { // This user is not part of the user group, add it. - parent.debug('ldap', 'Adding ' + user.name + ' to LDAP user group ' + userMemberships[i] + '.'); + parent.debug(authType, 'Adding ' + user.name + ' to ' + authType + ' user group ' + userMemberships[i] + '.'); if (user.links == null) { user.links = {}; } user.links[ugrp._id] = { rights: 1 }; userChanged = true; @@ -8882,7 +8977,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF // Remove the user from any memberships they don't belong to anymore for (var ugrpid in existingUserMemberships) { var ugrp = obj.userGroups[ugrpid]; - parent.debug('ldap', 'Removing ' + user.name + ' from LDAP user group ' + ugrp.name + '.'); + parent.debug(authType, 'Removing ' + user.name + ' from ' + authType + ' user group ' + ugrp.name + '.'); if ((user.links != null) && (user.links[ugrpid] != null)) { delete user.links[ugrpid];