Merge pull request #279 from alecdwm/ldap-auth

Support for LDAP server authentication
2017-01-09 00:49:40 +08:00
parent 23a12dd927 94abfaba7c
commit b13635aac9
11 changed files with 191 additions and 6 deletions
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -7,6 +7,7 @@ var GithubStrategy = require('passport-github').Strategy;
 var GitlabStrategy = require('passport-gitlab2').Strategy;
 var DropboxStrategy = require('passport-dropbox-oauth2').Strategy;
 var GoogleStrategy = require('passport-google-oauth20').Strategy;
+var LdapStrategy = require('passport-ldapauth');
 var LocalStrategy = require('passport-local').Strategy;
 var validator = require('validator');

@@ -110,6 +111,62 @@ if (config.google) {
        callbackURL: config.serverurl + '/auth/google/callback'
    }, callback));
 }
+// ldap
+if (config.ldap) {
+    passport.use(new LdapStrategy({
+        server: {
+            url: config.ldap.url || null,
+            bindDn: config.ldap.bindDn || null,
+            bindCredentials: config.ldap.bindCredentials || null,
+            searchBase: config.ldap.searchBase || null,
+            searchFilter: config.ldap.searchFilter || null,
+            searchAttributes: config.ldap.searchAttributes || null,
+            tlsOptions: config.ldap.tlsOptions || null
+        },
+    },
+    function(user, done) {
+        var profile = {
+            id: 'LDAP-' + user.uidNumber,
+            username: user.uid,
+            displayName: user.displayName,
+            emails: user.mail ? [user.mail] : [],
+            avatarUrl: null,
+            profileUrl: null,
+            provider: 'ldap',
+        }
+        var stringifiedProfile = JSON.stringify(profile);
+        models.User.findOrCreate({
+            where: {
+                profileid: profile.id.toString()
+            },
+            defaults: {
+                profile: stringifiedProfile,
+            }
+        }).spread(function (user, created) {
+            if (user) {
+                var needSave = false;
+                if (user.profile != stringifiedProfile) {
+                    user.profile = stringifiedProfile;
+                    needSave = true;
+                }
+                if (needSave) {
+                    user.save().then(function () {
+                        if (config.debug)
+                            logger.info('user login: ' + user.id);
+                        return done(null, user);
+                    });
+                } else {
+                    if (config.debug)
+                        logger.info('user login: ' + user.id);
+                    return done(null, user);
+                }
+            }
+        }).catch(function (err) {
+            logger.error('ldap auth failed: ' + err);
+            return done(err, null);
+        });
+    }));
+}
 // email
 if (config.email) {
    passport.use(new LocalStrategy({
@@ -130,4 +187,4 @@ if (config.email) {
            return done(err);
        });
    }));
-}
+}
--- a/lib/config.js
+++ b/lib/config.js
@@ -95,6 +95,37 @@ var google = (process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSE
    clientID: process.env.HMD_GOOGLE_CLIENTID,
    clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
 } : config.google || false;
+var ldap = config.ldap || (
+    process.env.HMD_LDAP_URL ||
+    process.env.HMD_LDAP_BINDDN ||
+    process.env.HMD_LDAP_BINDCREDENTIALS ||
+    process.env.HMD_LDAP_TOKENSECRET ||
+    process.env.HMD_LDAP_SEARCHBASE ||
+    process.env.HMD_LDAP_SEARCHFILTER ||
+    process.env.HMD_LDAP_SEARCHATTRIBUTES
+) || false;
+if (ldap == true)
+    ldap = {};
+if (process.env.HMD_LDAP_URL)
+    ldap.url = process.env.HMD_LDAP_URL;
+if (process.env.HMD_LDAP_BINDDN)
+    ldap.bindDn = process.env.HMD_LDAP_BINDDN;
+if (process.env.HMD_LDAP_BINDCREDENTIALS)
+    ldap.bindCredentials = process.env.HMD_LDAP_BINDCREDENTIALS;
+if (process.env.HMD_LDAP_TOKENSECRET)
+    ldap.tokenSecret = process.env.HMD_LDAP_TOKENSECRET;
+if (process.env.HMD_LDAP_SEARCHBASE)
+    ldap.searchBase = process.env.HMD_LDAP_SEARCHBASE;
+if (process.env.HMD_LDAP_SEARCHFILTER)
+    ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER;
+if (process.env.HMD_LDAP_SEARCHATTRIBUTES)
+    ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES;
+if (process.env.HMD_LDAP_TLS_CA) {
+    var ca = {
+        ca: process.env.HMD_LDAP_TLS_CA
+    }
+    ldap.tlsOptions = ldap.tlsOptions ? Object.assign(ldap.tlsOptions, ca) : ca
+}
 var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
 var email = process.env.HMD_EMAIL ? (process.env.HMD_EMAIL === 'true') : !!config.email;

@@ -156,6 +187,7 @@ module.exports = {
    gitlab: gitlab,
    dropbox: dropbox,
    google: google,
+    ldap: ldap,
    imgur: imgur,
    email: email,
    imageUploadType: imageUploadType,
--- a/lib/letter-avatars.js
+++ b/lib/letter-avatars.js
@@ -0,0 +1,25 @@
+"use strict";
+
+// external modules
+var randomcolor = require('randomcolor');
+
+// core
+module.exports = function(name) {
+    var color = randomcolor({
+        seed: name,
+        luminosity: 'dark'
+    });
+    var letter = name.substring(0, 1).toUpperCase();
+
+    var svg = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>';
+    svg += '<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" height="96" width="96" version="1.1" viewBox="0 0 96 96">';
+    svg += '<g>';
+    svg += '<rect width="96" height="96" fill="' + color + '" />';
+    svg += '<text font-size="64px" font-family="sans-serif" text-anchor="middle" fill="#ffffff">';
+    svg += '<tspan x="48" y="72" stroke-width=".26458px" fill="#ffffff">' + letter + '</tspan>';
+    svg += '</text>';
+    svg += '</g>';
+    svg += '</svg>';
+
+    return 'data:image/svg+xml;base64,' + new Buffer(svg).toString('base64');
+};
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -7,6 +7,7 @@ var scrypt = require('scrypt');

 // core
 var logger = require("../logger.js");
+var letterAvatars = require('../letter-avatars.js');

 module.exports = function (sequelize, DataTypes) {
    var User = sequelize.define("User", {
@@ -105,6 +106,16 @@ module.exports = function (sequelize, DataTypes) {
                    case "google":
                        photo = profile.photos[0].value.replace(/(\?sz=)\d*$/i, '$196');
                        break;
+                    case "ldap":
+                        //no image api provided,
+                        //use gravatar if email exists,
+                        //otherwise generate a letter avatar
+                        if (profile.emails[0]) {
+                            photo = 'https://www.gravatar.com/avatar/' + md5(profile.emails[0]) + '?s=96';
+                        } else {
+                            photo = letterAvatars(profile.username);
+                        }
+                        break;
                }
                return photo;
            },
--- a/lib/response.js
+++ b/lib/response.js
@@ -66,6 +66,7 @@ function showIndex(req, res, next) {
        gitlab: config.gitlab,
        dropbox: config.dropbox,
        google: config.google,
+        ldap: config.ldap,
        email: config.email,
        signin: req.isAuthenticated(),
        infoMessage: req.flash('info'),
@@ -94,6 +95,7 @@ function responseHackMD(res, note) {
        gitlab: config.gitlab,
        dropbox: config.dropbox,
        google: config.google,
+        ldap: config.ldap,
        email: config.email
    });
 }