Merge pull request #1478 from eliemichel/pr-proper-ldap--rebased

Implement a proper LDAP authentication process
This commit is contained in:
Pavel Djundik 2017-09-04 09:02:58 +03:00 committed by GitHub
commit 099fb058c6
6 changed files with 435 additions and 64 deletions

View File

@ -365,6 +365,30 @@ module.exports = {
// @type object
// @default {}
//
// The authentication process works as follows:
//
// 1. Lounge connects to the LDAP server with its system credentials
// 2. It performs a LDAP search query to find the full DN associated to the
// user requesting to log in.
// 3. Lounge tries to connect a second time, but this time using the user's
// DN and password. Auth is validated iff this connection is successful.
//
// The search query takes a couple of parameters in `searchDN`:
// - a base DN `searchDN/base`. Only children nodes of this DN will be likely
// to be returned;
// - a search scope `searchDN/scope` (see LDAP documentation);
// - the query itself, build as (&(<primaryKey>=<username>) <filter>)
// where <username> is the user name provided in the log in request,
// <primaryKey> is provided by the config and <fitler> is a filtering complement
// also given in the config, to filter for instance only for nodes of type
// inetOrgPerson, or whatever LDAP search allows.
//
// Alternatively, you can specify the `bindDN` parameter. This will make the lounge
// ignore searchDN options and assume that the user DN is always:
// <bindDN>,<primaryKey>=<username>
// where <username> is the user name provided in the log in request, and <bindDN>
// and <primaryKey> are provided by the config.
//
ldap: {
//
// Enable LDAP user authentication
@ -382,11 +406,25 @@ module.exports = {
url: "ldaps://example.com",
//
// LDAP base dn
// LDAP connection tls options (only used if scheme is ldaps://)
//
// @type object (see nodejs' tls.connect() options)
// @default {}
//
// Example:
// You can use this option in order to force the use of IPv6:
// {
// host: 'my::ip::v6',
// servername: 'example.com'
// }
tlsOptions: {},
//
// LDAP base dn, alternative to searchDN
//
// @type string
//
baseDN: "ou=accounts,dc=example,dc=com",
// baseDN: "ou=accounts,dc=example,dc=com",
//
// LDAP primary key
@ -394,7 +432,58 @@ module.exports = {
// @type string
// @default "uid"
//
primaryKey: "uid"
primaryKey: "uid",
//
// LDAP search dn settings. This defines the procedure by which the
// lounge first look for user DN before authenticating her.
// Ignored if baseDN is specified
//
// @type object
//
searchDN: {
//
// LDAP searching bind DN
// This bind DN is used to query the server for the DN of the user.
// This is supposed to be a system user that has access in read only to
// the DNs of the people that are allowed to log in.
//
// @type string
//
rootDN: "cn=thelounge,ou=system-users,dc=example,dc=com",
//
// Password of the lounge LDAP system user
//
// @type string
//
rootPassword: "1234",
//
// LDAP filter
//
// @type string
// @default "uid"
//
filter: "(objectClass=person)(memberOf=ou=accounts,dc=example,dc=com)",
//
// LDAP search base (search only within this node)
//
// @type string
//
base: "dc=example,dc=com",
//
// LDAP search scope
//
// @type string
// @default "sub"
//
scope: "sub"
}
},
// Extra debugging

132
src/plugins/auth/ldap.js Normal file
View File

@ -0,0 +1,132 @@
"use strict";
const Helper = require("../../helper");
const ldap = require("ldapjs");
function ldapAuthCommon(user, bindDN, password, callback) {
const config = Helper.config;
const ldapclient = ldap.createClient({
url: config.ldap.url,
tlsOptions: config.ldap.tlsOptions
});
ldapclient.on("error", function(err) {
log.error(`Unable to connect to LDAP server: ${err}`);
callback(!err);
});
ldapclient.bind(bindDN, password, function(err) {
ldapclient.unbind();
callback(!err);
});
}
function simpleLdapAuth(user, password, callback) {
if (!user) {
return callback(false);
}
const config = Helper.config;
const userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");
const bindDN = `${config.ldap.primaryKey}=${userDN},${config.ldap.baseDN}`;
log.info(`Auth against LDAP ${config.ldap.url} with provided bindDN ${bindDN}`);
ldapAuthCommon(user, bindDN, password, callback);
}
/**
* LDAP auth using initial DN search (see config comment for ldap.searchDN)
*/
function advancedLdapAuth(user, password, callback) {
if (!user) {
return callback(false);
}
const config = Helper.config;
const userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");
const ldapclient = ldap.createClient({
url: config.ldap.url,
tlsOptions: config.ldap.tlsOptions
});
const base = config.ldap.searchDN.base;
const searchOptions = {
scope: config.ldap.searchDN.scope,
filter: `(&(${config.ldap.primaryKey}=${userDN})${config.ldap.searchDN.filter})`,
attributes: ["dn"]
};
ldapclient.on("error", function(err) {
log.error(`Unable to connect to LDAP server: ${err}`);
callback(!err);
});
ldapclient.bind(config.ldap.searchDN.rootDN, config.ldap.searchDN.rootPassword, function(err) {
if (err) {
log.error("Invalid LDAP root credentials");
ldapclient.unbind();
callback(false);
} else {
ldapclient.search(base, searchOptions, function(err2, res) {
if (err2) {
log.warning(`User not found: ${userDN}`);
ldapclient.unbind();
callback(false);
} else {
let found = false;
res.on("searchEntry", function(entry) {
found = true;
const bindDN = entry.objectName;
log.info(`Auth against LDAP ${config.ldap.url} with found bindDN ${bindDN}`);
ldapclient.unbind();
ldapAuthCommon(user, bindDN, password, callback);
});
res.on("error", function(err3) {
log.error(`LDAP error: ${err3}`);
callback(false);
});
res.on("end", function() {
if (!found) {
callback(false);
}
});
}
});
}
});
}
function ldapAuth(manager, client, user, password, callback) {
// TODO: Enable the use of starttls() as an alternative to ldaps
// TODO: move this out of here and get rid of `manager` and `client` in
// auth plugin API
function callbackWrapper(valid) {
if (valid && !client) {
manager.addUser(user, null);
}
callback(valid);
}
let auth;
if ("baseDN" in Helper.config.ldap) {
auth = simpleLdapAuth;
} else {
auth = advancedLdapAuth;
}
return auth(user, password, callbackWrapper);
}
function isLdapEnabled() {
return !Helper.config.public && Helper.config.ldap.enable;
}
module.exports = {
auth: ldapAuth,
isEnabled: isLdapEnabled
};

42
src/plugins/auth/local.js Normal file
View File

@ -0,0 +1,42 @@
"use strict";
const Helper = require("../../helper");
const colors = require("colors/safe");
function localAuth(manager, client, user, password, callback) {
// If no user is found, or if the client has not provided a password,
// fail the authentication straight away
if (!client || !password) {
return callback(false);
}
// If this user has no password set, fail the authentication
if (!client.config.password) {
log.error(`User ${colors.bold(user)} with no local password set tried to sign in. (Probably a LDAP user)`);
return callback(false);
}
Helper.password
.compare(password, client.config.password)
.then((matching) => {
if (matching && Helper.password.requiresUpdate(client.config.password)) {
const hash = Helper.password.hash(password);
client.setPassword(hash, (success) => {
if (success) {
log.info(`User ${colors.bold(client.name)} logged in and their hashed password has been updated to match new security requirements`);
}
});
}
callback(matching);
}).catch((error) => {
log.error(`Error while checking users password. Error: ${error}`);
});
}
module.exports = {
auth: localAuth,
isEnabled: () => true
};

View File

@ -11,11 +11,17 @@ var path = require("path");
var io = require("socket.io");
var dns = require("dns");
var Helper = require("./helper");
var ldap = require("ldapjs");
var colors = require("colors/safe");
const net = require("net");
const Identification = require("./identification");
// The order defined the priority: the first available plugin is used
// ALways keep local auth in the end, which should always be enabled.
const authPlugins = [
require("./plugins/auth/ldap"),
require("./plugins/auth/local"),
];
var manager = null;
module.exports = function() {
@ -411,62 +417,6 @@ function initializeClient(socket, client, token) {
}
}
function localAuth(client, user, password, callback) {
// If no user is found, or if the client has not provided a password,
// fail the authentication straight away
if (!client || !password) {
return callback(false);
}
// If this user has no password set, fail the authentication
if (!client.config.password) {
log.error(`User ${colors.bold(user)} with no local password set tried to sign in. (Probably a LDAP user)`);
return callback(false);
}
Helper.password
.compare(password, client.config.password)
.then((matching) => {
if (matching && Helper.password.requiresUpdate(client.config.password)) {
const hash = Helper.password.hash(password);
client.setPassword(hash, (success) => {
if (success) {
log.info(`User ${colors.bold(client.name)} logged in and their hashed password has been updated to match new security requirements`);
}
});
}
callback(matching);
}).catch((error) => {
log.error(`Error while checking users password. Error: ${error}`);
});
}
function ldapAuth(client, user, password, callback) {
var userDN = user.replace(/([,\\/#+<>;"= ])/g, "\\$1");
var bindDN = Helper.config.ldap.primaryKey + "=" + userDN + "," + Helper.config.ldap.baseDN;
var ldapclient = ldap.createClient({
url: Helper.config.ldap.url
});
ldapclient.on("error", function(err) {
log.error("Unable to connect to LDAP server", err);
callback(!err);
});
ldapclient.bind(bindDN, password, function(err) {
if (!err && !client) {
if (!manager.addUser(user, null)) {
log.error("Unable to create new user", user);
}
}
ldapclient.unbind();
callback(!err);
});
}
function performAuthentication(data) {
const socket = this;
let client;
@ -530,11 +480,16 @@ function performAuthentication(data) {
}
// Perform password checking
if (!Helper.config.public && Helper.config.ldap.enable) {
ldapAuth(client, data.user, data.password, authCallback);
} else {
localAuth(client, data.user, data.password, authCallback);
let auth = () => {
log.error("None of the auth plugins is enabled");
};
for (let i = 0; i < authPlugins.length; ++i) {
if (authPlugins[i].isEnabled()) {
auth = authPlugins[i].auth;
break;
}
}
auth(manager, client, data.user, data.password, authCallback);
}
function reverseDnsLookup(ip, callback) {

148
test/plugins/auth/ldap.js Normal file
View File

@ -0,0 +1,148 @@
"use strict";
const ldapAuth = require("../../../src/plugins/auth/ldap");
const Helper = require("../../../src/helper");
const ldap = require("ldapjs");
const expect = require("chai").expect;
const user = "johndoe";
const wrongUser = "eve";
const correctPassword = "loremipsum";
const wrongPassword = "dolorsitamet";
const baseDN = "ou=accounts,dc=example,dc=com";
const primaryKey = "uid";
const serverPort = 1389;
function normalizeDN(dn) {
return ldap.parseDN(dn).toString();
}
function startLdapServer(callback) {
const server = ldap.createServer();
const searchConf = Helper.config.ldap.searchDN;
const userDN = primaryKey + "=" + user + "," + baseDN;
// Two users are authorized: john doe and the root user in case of
// advanced auth (the user that does the search for john's actual
// bindDN)
const authorizedUsers = {};
authorizedUsers[normalizeDN(searchConf.rootDN)] = searchConf.rootPassword;
authorizedUsers[normalizeDN(userDN)] = correctPassword;
function authorize(req, res, next) {
const bindDN = req.connection.ldap.bindDN;
if (bindDN in authorizedUsers) {
return next();
}
return next(new ldap.InsufficientAccessRightsError());
}
Object.keys(authorizedUsers).forEach(function(dn) {
server.bind(dn, function(req, res, next) {
const bindDN = req.dn.toString();
const password = req.credentials;
if (bindDN in authorizedUsers && authorizedUsers[bindDN] === password) {
req.connection.ldap.bindDN = req.dn;
res.end();
return next();
}
return next(new ldap.InsufficientAccessRightsError());
});
});
server.search(searchConf.base, authorize, function(req, res) {
const obj = {
dn: userDN,
attributes: {
objectclass: ["person", "top"],
cn: ["john doe"],
sn: ["johnny"],
uid: ["johndoe"],
memberof: [baseDN]
}
};
if (req.filter.matches(obj.attributes)) {
// TODO: check req.scope if ldapjs does not
res.send(obj);
}
res.end();
});
server.listen(serverPort, callback);
return server;
}
function testLdapAuth() {
// Create mock manager and client. When client is true, manager should not
// be used. But ideally the auth plugin should not use any of those.
const manager = {};
const client = true;
it("should successfully authenticate with correct password", function(done) {
ldapAuth.auth(manager, client, user, correctPassword, function(valid) {
expect(valid).to.equal(true);
done();
});
});
it("should fail to authenticate with incorrect password", function(done) {
ldapAuth.auth(manager, client, user, wrongPassword, function(valid) {
expect(valid).to.equal(false);
done();
});
});
it("should fail to authenticate with incorrect username", function(done) {
ldapAuth.auth(manager, client, wrongUser, correctPassword, function(valid) {
expect(valid).to.equal(false);
done();
});
});
}
describe("LDAP authentication plugin", function() {
before(function(done) {
this.server = startLdapServer(done);
});
after(function(done) {
this.server.close();
done();
});
beforeEach(function(done) {
Helper.config.public = false;
Helper.config.ldap.enable = true;
Helper.config.ldap.url = "ldap://localhost:" + String(serverPort);
Helper.config.ldap.primaryKey = primaryKey;
done();
});
describe("LDAP authentication availability", function() {
it("checks that the configuration is correctly tied to isEnabled()", function(done) {
Helper.config.ldap.enable = true;
expect(ldapAuth.isEnabled()).to.equal(true);
Helper.config.ldap.enable = false;
expect(ldapAuth.isEnabled()).to.equal(false);
done();
});
});
describe("Simple LDAP authentication (predefined DN pattern)", function() {
Helper.config.ldap.baseDN = baseDN;
testLdapAuth();
});
describe("Advanced LDAP authentication (DN found by a prior search query)", function() {
delete Helper.config.ldap.baseDN;
testLdapAuth();
});
});

View File

@ -37,6 +37,11 @@ describe("Server", () => {
describe("WebSockets", () => {
let client;
before((done) => {
Helper.config.public = true;
done();
});
beforeEach(() => {
client = io(webURL, {
path: "/socket.io/",