🐛 Fix issues on ldap provider and rpc method
This commit is contained in:
parent
853be27780
commit
6cdf696fc4
4 changed files with 34 additions and 28 deletions
|
@ -41,15 +41,18 @@
|
||||||
(reduce-kv clojure.string/replace s replacements))
|
(reduce-kv clojure.string/replace s replacements))
|
||||||
|
|
||||||
(defn- search-user
|
(defn- search-user
|
||||||
[{:keys [conn attrs base-dn] :as cfg} email]
|
[{:keys [::conn base-dn] :as cfg} email]
|
||||||
(let [query (replace-several (:query cfg) ":username" email)
|
(let [query (replace-several (:query cfg) ":username" email)
|
||||||
|
attrs [(:attrs-username cfg)
|
||||||
|
(:attrs-email cfg)
|
||||||
|
(:attrs-fullname cfg)]
|
||||||
params {:filter query
|
params {:filter query
|
||||||
:sizelimit 1
|
:sizelimit 1
|
||||||
:attributes attrs}]
|
:attributes attrs}]
|
||||||
(first (ldap/search conn base-dn params))))
|
(first (ldap/search conn base-dn params))))
|
||||||
|
|
||||||
(defn- retrieve-user
|
(defn- retrieve-user
|
||||||
[{:keys [conn] :as cfg} {:keys [email password]}]
|
[{:keys [::conn] :as cfg} {:keys [email password]}]
|
||||||
(when-let [{:keys [dn] :as user} (search-user cfg email)]
|
(when-let [{:keys [dn] :as user} (search-user cfg email)]
|
||||||
(when (ldap/bind? conn dn password)
|
(when (ldap/bind? conn dn password)
|
||||||
{:fullname (get user (-> cfg :attrs-fullname keyword))
|
{:fullname (get user (-> cfg :attrs-fullname keyword))
|
||||||
|
@ -66,7 +69,7 @@
|
||||||
(defn authenticate
|
(defn authenticate
|
||||||
[cfg params]
|
[cfg params]
|
||||||
(with-open [conn (connect cfg)]
|
(with-open [conn (connect cfg)]
|
||||||
(when-let [user (-> (assoc cfg :conn conn)
|
(when-let [user (-> (assoc cfg ::conn conn)
|
||||||
(retrieve-user params))]
|
(retrieve-user params))]
|
||||||
(when-not (s/valid? ::info-data user)
|
(when-not (s/valid? ::info-data user)
|
||||||
(let [explain (s/explain-str ::info-data user)]
|
(let [explain (s/explain-str ::info-data user)]
|
||||||
|
@ -100,17 +103,6 @@
|
||||||
:host (:host cfg) :port (:port cfg) :cause cause)
|
:host (:host cfg) :port (:port cfg) :cause cause)
|
||||||
nil))))
|
nil))))
|
||||||
|
|
||||||
(defn- prepare-attributes
|
|
||||||
[cfg]
|
|
||||||
(assoc cfg :attrs [(:attrs-username cfg)
|
|
||||||
(:attrs-email cfg)
|
|
||||||
(:attrs-fullname cfg)]))
|
|
||||||
|
|
||||||
(defmethod ig/init-key ::provider
|
|
||||||
[_ cfg]
|
|
||||||
(when (:enabled? cfg)
|
|
||||||
(some-> cfg try-connectivity prepare-attributes)))
|
|
||||||
|
|
||||||
(s/def ::enabled? ::us/boolean)
|
(s/def ::enabled? ::us/boolean)
|
||||||
(s/def ::host ::cf/ldap-host)
|
(s/def ::host ::cf/ldap-host)
|
||||||
(s/def ::port ::cf/ldap-port)
|
(s/def ::port ::cf/ldap-port)
|
||||||
|
@ -124,8 +116,7 @@
|
||||||
(s/def ::attrs-fullname ::cf/ldap-attrs-fullname)
|
(s/def ::attrs-fullname ::cf/ldap-attrs-fullname)
|
||||||
(s/def ::attrs-username ::cf/ldap-attrs-username)
|
(s/def ::attrs-username ::cf/ldap-attrs-username)
|
||||||
|
|
||||||
(defmethod ig/pre-init-spec ::provider
|
(s/def ::provider-params
|
||||||
[_]
|
|
||||||
(s/keys :opt-un [::host ::port
|
(s/keys :opt-un [::host ::port
|
||||||
::ssl ::tls
|
::ssl ::tls
|
||||||
::enabled?
|
::enabled?
|
||||||
|
@ -135,3 +126,14 @@
|
||||||
::attrs-email
|
::attrs-email
|
||||||
::attrs-username
|
::attrs-username
|
||||||
::attrs-fullname]))
|
::attrs-fullname]))
|
||||||
|
(s/def ::provider
|
||||||
|
(s/nilable ::provider-params))
|
||||||
|
|
||||||
|
(defmethod ig/pre-init-spec ::provider
|
||||||
|
[_]
|
||||||
|
(s/spec ::provider))
|
||||||
|
|
||||||
|
(defmethod ig/init-key ::provider
|
||||||
|
[_ cfg]
|
||||||
|
(when (:enabled? cfg)
|
||||||
|
(try-connectivity cfg)))
|
||||||
|
|
|
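Review bot: `search-user` still builds the LDAP filter by splicing the caller-supplied `email` into `(:query cfg)` with a literal string replace (`replace-several (:query cfg) ":username" email`), and the commit rewrites the function's destructuring and attribute list without adding any escaping of the RFC 4515 filter metacharacters, so unless the email is escaped or strictly validated before it reaches this point a value containing `*`, `(`, `)` or `\` changes the meaning of the filter. The fix is small: substitute an escaped value, e.g. `(replace-several (:query cfg) ":username" (escape-filter-value email))` where `escape-filter-value` (a new private helper, name is a suggestion) applies the `\XX` encoding to those characters and NUL, or validate the input against an email spec first. In `retrieve-user`, `(ldap/bind? conn dn password)` is called without checking that `password` is non-blank; directories commonly treat a simple bind with an empty password as an anonymous/unauthenticated bind that succeeds, so either guard it here, `(when (and (not (clojure.string/blank? password)) (ldap/bind? conn dn password))`, or confirm that the params spec on the RPC side already rejects an empty password. Both functions lie entirely inside the first hunk.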
@ -6,6 +6,7 @@
|
||||||
|
|
||||||
(ns app.main
|
(ns app.main
|
||||||
(:require
|
(:require
|
||||||
|
[app.auth.ldap :as-alias ldap]
|
||||||
[app.auth.oidc :as-alias oidc]
|
[app.auth.oidc :as-alias oidc]
|
||||||
[app.auth.oidc.providers :as-alias oidc.providers]
|
[app.auth.oidc.providers :as-alias oidc.providers]
|
||||||
[app.common.logging :as l]
|
[app.common.logging :as l]
|
||||||
|
@ -231,7 +232,7 @@
|
||||||
:max-body-size (cf/get :http-server-max-body-size)
|
:max-body-size (cf/get :http-server-max-body-size)
|
||||||
:max-multipart-body-size (cf/get :http-server-max-multipart-body-size)}
|
:max-multipart-body-size (cf/get :http-server-max-multipart-body-size)}
|
||||||
|
|
||||||
:app.auth.ldap/provider
|
::ldap/provider
|
||||||
{:host (cf/get :ldap-host)
|
{:host (cf/get :ldap-host)
|
||||||
:port (cf/get :ldap-port)
|
:port (cf/get :ldap-port)
|
||||||
:ssl (cf/get :ldap-ssl)
|
:ssl (cf/get :ldap-ssl)
|
||||||
|
@ -327,6 +328,7 @@
|
||||||
::db/pool (ig/ref ::db/pool)
|
::db/pool (ig/ref ::db/pool)
|
||||||
::wrk/executor (ig/ref ::wrk/executor)
|
::wrk/executor (ig/ref ::wrk/executor)
|
||||||
::props (ig/ref :app.setup/props)
|
::props (ig/ref :app.setup/props)
|
||||||
|
::ldap/provider (ig/ref ::ldap/provider)
|
||||||
:pool (ig/ref ::db/pool)
|
:pool (ig/ref ::db/pool)
|
||||||
:session (ig/ref :app.http.session/manager)
|
:session (ig/ref :app.http.session/manager)
|
||||||
:sprops (ig/ref :app.setup/props)
|
:sprops (ig/ref :app.setup/props)
|
||||||
|
@ -335,7 +337,6 @@
|
||||||
:msgbus (ig/ref :app.msgbus/msgbus)
|
:msgbus (ig/ref :app.msgbus/msgbus)
|
||||||
:public-uri (cf/get :public-uri)
|
:public-uri (cf/get :public-uri)
|
||||||
:redis (ig/ref ::rds/redis)
|
:redis (ig/ref ::rds/redis)
|
||||||
:ldap (ig/ref :app.auth.ldap/provider)
|
|
||||||
:http-client (ig/ref ::http.client/client)
|
:http-client (ig/ref ::http.client/client)
|
||||||
:climit (ig/ref :app.rpc/climit)
|
:climit (ig/ref :app.rpc/climit)
|
||||||
:rlimit (ig/ref :app.rpc/rlimit)
|
:rlimit (ig/ref :app.rpc/rlimit)
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
|
|
||||||
(ns app.rpc
|
(ns app.rpc
|
||||||
(:require
|
(:require
|
||||||
|
[app.auth.ldap :as-alias ldap]
|
||||||
[app.common.data :as d]
|
[app.common.data :as d]
|
||||||
[app.common.exceptions :as ex]
|
[app.common.exceptions :as ex]
|
||||||
[app.common.logging :as l]
|
[app.common.logging :as l]
|
||||||
|
@ -319,6 +320,7 @@
|
||||||
(s/keys :req [::audit/collector
|
(s/keys :req [::audit/collector
|
||||||
::http.client/client
|
::http.client/client
|
||||||
::db/pool
|
::db/pool
|
||||||
|
::ldap/provider
|
||||||
::wrk/executor]
|
::wrk/executor]
|
||||||
:req-un [::sto/storage
|
:req-un [::sto/storage
|
||||||
::http.session/session
|
::http.session/session
|
||||||
|
@ -329,8 +331,7 @@
|
||||||
::climit
|
::climit
|
||||||
::wrk/executor
|
::wrk/executor
|
||||||
::mtx/metrics
|
::mtx/metrics
|
||||||
::db/pool
|
::db/pool]))
|
||||||
::ldap]))
|
|
||||||
|
|
||||||
(defmethod ig/init-key ::methods
|
(defmethod ig/init-key ::methods
|
||||||
[_ cfg]
|
[_ cfg]
|
||||||
|
|
|
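Review bot: `::ldap/provider` is added to the `:req` list of the `::methods` pre-init spec via the new `[app.auth.ldap :as-alias ldap]` require, which creates the alias without loading `app.auth.ldap`; if that namespace is not yet loaded when `ig/pre-init-spec` runs, the `:app.auth.ldap/provider` spec (defined there as `(s/nilable ::provider-params)`) is not registered and `s/keys` only checks that the key is present, not the value's shape. Presumably the integrant wiring in app.main loads the provider namespace before `::methods` is initialized, so this is likely harmless at runtime, but it deserves a one-line comment on the `:req` entry, e.g. `;; spec lives in app.auth.ldap; only key presence is checked if that ns is not loaded`. Note that the value is legitimately nil when LDAP is disabled (`ig/init-key ::provider` returns nil), which the nilable spec allows; the `s/keys` form starts before the first hunk and its `:req-un` tail sits in the second.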
@ -12,10 +12,13 @@
|
||||||
[app.db :as db]
|
[app.db :as db]
|
||||||
[app.http.session :as session]
|
[app.http.session :as session]
|
||||||
[app.loggers.audit :as-alias audit]
|
[app.loggers.audit :as-alias audit]
|
||||||
|
[app.main :as-alias main]
|
||||||
|
[app.rpc :as-alias rpc]
|
||||||
[app.rpc.commands.auth :as cmd.auth]
|
[app.rpc.commands.auth :as cmd.auth]
|
||||||
[app.rpc.doc :as-alias doc]
|
[app.rpc.doc :as-alias doc]
|
||||||
[app.rpc.helpers :as rph]
|
[app.rpc.helpers :as rph]
|
||||||
[app.rpc.queries.profile :as profile]
|
[app.rpc.queries.profile :as profile]
|
||||||
|
[app.tokens :as tokens]
|
||||||
[app.util.services :as sv]
|
[app.util.services :as sv]
|
||||||
[clojure.spec.alpha :as s]))
|
[clojure.spec.alpha :as s]))
|
||||||
|
|
||||||
|
@ -34,15 +37,15 @@
|
||||||
(sv/defmethod ::login-with-ldap
|
(sv/defmethod ::login-with-ldap
|
||||||
"Performs the authentication using LDAP backend. Only works if LDAP
|
"Performs the authentication using LDAP backend. Only works if LDAP
|
||||||
is properly configured and enabled with `login-with-ldap` flag."
|
is properly configured and enabled with `login-with-ldap` flag."
|
||||||
{:auth false
|
{::rpc/auth false
|
||||||
::doc/added "1.15"}
|
::doc/added "1.15"}
|
||||||
[{:keys [session tokens ldap] :as cfg} params]
|
[{:keys [::main/props ::ldap/provider session] :as cfg} params]
|
||||||
(when-not ldap
|
(when-not provider
|
||||||
(ex/raise :type :restriction
|
(ex/raise :type :restriction
|
||||||
:code :ldap-not-initialized
|
:code :ldap-not-initialized
|
||||||
:hide "ldap auth provider is not initialized"))
|
:hide "ldap auth provider is not initialized"))
|
||||||
|
|
||||||
(let [info (ldap/authenticate ldap params)]
|
(let [info (ldap/authenticate provider params)]
|
||||||
(when-not info
|
(when-not info
|
||||||
(ex/raise :type :validation
|
(ex/raise :type :validation
|
||||||
:code :wrong-credentials))
|
:code :wrong-credentials))
|
||||||
|
@ -58,12 +61,11 @@
|
||||||
;; user comes from team-invitation process; in this case,
|
;; user comes from team-invitation process; in this case,
|
||||||
;; regenerate token and send back to the user a new invitation
|
;; regenerate token and send back to the user a new invitation
|
||||||
;; token (and mark current session as logged).
|
;; token (and mark current session as logged).
|
||||||
(let [claims (tokens :verify {:token token :iss :team-invitation})
|
(let [claims (tokens/verify props {:token token :iss :team-invitation})
|
||||||
claims (assoc claims
|
claims (assoc claims
|
||||||
:member-id (:id profile)
|
:member-id (:id profile)
|
||||||
:member-email (:email profile))
|
:member-email (:email profile))
|
||||||
token (tokens :generate claims)]
|
token (tokens/generate props claims)]
|
||||||
|
|
||||||
(-> {:invitation-token token}
|
(-> {:invitation-token token}
|
||||||
(rph/with-transform (session/create-fn session (:id profile)))
|
(rph/with-transform (session/create-fn session (:id profile)))
|
||||||
(rph/with-meta {::audit/props (:props profile)
|
(rph/with-meta {::audit/props (:props profile)
|
||||||
|
|
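Review bot: The new signature of `login-with-ldap` binds `:as cfg` alongside the destructured `::main/props`, `::ldap/provider` and `session`, but `cfg` is not referenced in any visible line of either hunk; if the lines between the hunks (file lines 45–60, not shown) do not use it either, drop the `:as cfg` binding. The destructuring mixes namespaced keys with the unqualified `session`, which matches the `:session` wiring in app.main but reads oddly next to the commit's move toward qualified keys, so a short comment helps, e.g. `;; session stays unqualified: wired as :session in app.main`. In the invitation branch, `tokens/verify props {:token token :iss :team-invitation}` pins the issuer, but whether the invitation's claimed email is compared against the LDAP-authenticated profile's email is not visible here (it would sit between the two hunks); confirm that check exists, since the regenerated token simply copies `(:email profile)` into `:member-email`. `login-with-ldap` begins in the first hunk and continues past the end of the second.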