
fix oidc sync groups

Signed-off-by: si458 <simonsmith5521@gmail.com>
This commit is contained in:
si458 2024-05-21 16:05:00 +01:00
parent 323ef2d50a
commit 5c13f178be


@ -2591,24 +2591,24 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
const groups = { 'enabled': typeof strategy.groups == 'object' }
parent.authLog(req.user.strategy.toUpperCase(), `User Authorized: ${JSON.stringify(req.user)}`);
if (groups.enabled) { // Groups only available for OIDC strategy currently
groups.userMemberships = obj.common.convertStrArray(req.user.groups)
groups.syncEnabled = (strategy.groups.sync === true || strategy.groups.sync?.filter) ? true : false
groups.syncMemberships = []
groups.siteAdminEnabled = strategy.groups.siteadmin ? true : false
groups.grantAdmin = false
groups.revokeAdmin = strategy.groups.revokeAdmin ? strategy.groups.revokeAdmin : true
groups.requiredGroups = obj.common.convertStrArray(strategy.groups.required)
groups.siteAdmin = obj.common.convertStrArray(strategy.groups.siteadmin)
groups.syncFilter = obj.common.convertStrArray(strategy.groups.sync?.filter)
groups.userMemberships = obj.common.convertStrArray(req.user.groups);
groups.syncEnabled = (strategy.groups.sync === true || strategy.groups.sync?.filter) ? true : false;
groups.syncMemberships = [];
groups.siteAdminEnabled = strategy.groups.siteadmin ? true : false;
groups.grantAdmin = false;
groups.revokeAdmin = strategy.groups.revokeAdmin ? strategy.groups.revokeAdmin : true;
groups.requiredGroups = obj.common.convertStrArray(strategy.groups.required);
groups.siteAdmin = obj.common.convertStrArray(strategy.groups.siteadmin);
groups.syncFilter = obj.common.convertStrArray(strategy.groups.sync?.filter);
// Fancy Logs
let groupMessage = ''
let groupMessage = '';
if (groups.userMemberships.length == 1) { groupMessage = ` Found membership: "${groups.userMemberships[0]}"` }
else { groupMessage = ` Found ${groups.userMemberships.length} memberships: ["${groups.userMemberships.join('", "')}"]` }
parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}"` + groupMessage);
// Check user membership in required groups
if (groups.requiredGroups != null) {
if (groups.requiredGroups.length > 0) {
let match = false
for (var i in groups.requiredGroups) {
if (groups.userMemberships.indexOf(groups.requiredGroups[i]) != -1) {
@ -2617,7 +2617,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
}
}
if (match === false) {
parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" Login denied. No memberhip to required group.`);
parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" Login denied. No membership to required group.`);
req.session.loginmode = 1;
req.session.messageid = 111; // Access Denied.
res.redirect(domain.url + getQueryPortion(req));
@ -2640,15 +2640,25 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Check if we need to sync user-memberships (IdP) with user-groups (meshcentral)
if (groups.syncEnabled === true) {
for (var i in groups.syncFilter) {
if (groups.userMemberships.indexOf(groups.syncFilter[i]) >= 0) { groups.syncMemberships.push(groups.syncFilter[i]); }
if (groups.syncFilter.length > 0){ // config.json has specified sync.filter so loop and use it
for (var i in groups.syncFilter) {
if (groups.userMemberships.indexOf(groups.syncFilter[i]) >= 0) { groups.syncMemberships.push(groups.syncFilter[i]); }
}
} else { // config.json doesnt have sync.filter specified so we are going to sync all the users groups from oidc instead
for (var i in groups.userMemberships) {
groups.syncMemberships.push(groups.userMemberships[i]);
}
}
if (groups.syncMemberships.length > 0) {
parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" Filtered user memberships from config to sync: ${groups.syncMemberships.join(', ')}`);
parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" User memberships to sync: ${groups.syncMemberships.join(', ')}`);
} else {
groups.syncMemberships = null;
groups.syncEnabled = false
parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" No sync memberships found after filter: ${strategy.groups.sync.filter.join(', ')}`);
groups.syncEnabled = false;
if (groups.syncFilter.length > 0){
parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" No sync memberships found using filters: ${groups.syncFilter.join(', ')}`);
} else {
parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" No sync memberships found`);
}
}
}
}
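Review bot: With `sync: true` and no `sync.filter`, the new else branch around `for (var i in groups.userMemberships)` copies every group name the IdP asserts into `groups.syncMemberships`, so the set of MeshCentral user groups a login can be synced into is now bounded only by what the identity provider returns; the code that consumes `syncMemberships` is outside this hunk, so whether a matching name joins an existing group or creates one cannot be confirmed here. That is presumably the intended fix, but the trust boundary deserves a comment at the branch, e.g. `// No sync.filter configured: every group claim the IdP returns is synced, so a claim matching an existing MeshCentral user group by name grants membership to it. The IdP's group claims must be trusted and restricted accordingly.` Both loops also iterate with `for...in` and push without de-duplicating, so a repeated claim yields a repeated entry; `groups.syncMemberships = [...new Set(groups.userMemberships)];` would replace the second loop, matching the `?.` already used in this file. The `if (groups.syncFilter.length > 0)` checks rely on `convertStrArray` returning an array for an undefined filter, which the old `strategy.groups.sync.filter.join` did not, so that contract is worth a short comment where `syncFilter` is assigned. The enclosing login handler continues outside the hunk.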