salix/modules/account/back/models/ldap-config.js


const app = require('vn-loopback/server/server');
const ldap = require('../util/ldapjs-extra');
const crypto = require('crypto');
const nthash = require('smbhash').nthash;
const isProduction = require('vn-loopback/server/boot/isProduction');

module.exports = Self => {
    const shouldSync = isProduction();

    Self.getLinker = async function() {
        return await Self.findOne({
            fields: [
                'server',
                'rdn',
                'password',
                'userDn',
                'groupDn'
            ]
        });
    };

    Object.assign(Self.prototype, {
        async init() {
            this.client = ldap.createClient({
                url: this.server
            });
            this.client.on('error', () => {});
            await this.client.bind(this.rdn, this.password);
        },

        async deinit() {
            await this.client.unbind();
        },

        async syncUser(userName, info, password) {
            let {
                client,
                accountConfig
            } = this;

            let dn = `uid=${userName},${this.userDn}`;

            if (info.hasAccount) {
                let {user} = info;

                let oldUser = await client.searchOne(this.userDn, {
                    scope: 'sub',
                    filter: `&(uid=${userName})`
                });

                let nickname = user.nickname || userName;
                let nameArgs = nickname.trim().split(' ');
                let sn = nameArgs.length > 1
                    ? nameArgs.splice(1).join(' ')
                    : '-';

                let newEntry = {
                    uid: userName,
                    objectClass: [
                        'inetOrgPerson',
                        'posixAccount',
                        'sambaSamAccount'
                    ],
                    cn: nickname,
                    displayName: nickname,
                    givenName: nameArgs[0],
                    sn,
                    mail: info.corporateMail,
                    preferredLanguage: user.lang || 'en',
                    homeDirectory: `${accountConfig.homedir}/${userName}`,
                    loginShell: accountConfig.shell,
                    uidNumber: info.uidNumber,
                    gidNumber: accountConfig.idBase + user.roleFk,
                    sambaSID: '-'
                };

                if (password) {
                    let salt = crypto
                        .randomBytes(8)
                        .toString('base64');

                    let hash = crypto.createHash('sha1');
                    hash.update(password);
                    hash.update(salt, 'binary');
                    let digest = hash.digest('binary');

                    let ssha = Buffer
                        .from(digest + salt, 'binary')
                        .toString('base64');

                    Object.assign(newEntry, {
                        userPassword: `{SSHA}${ssha}`,
                        sambaNTPassword: nthash(password)
                    });
                } else if (oldUser) {
                    Object.assign(newEntry, {
                        userPassword: oldUser.userPassword,
                        sambaNTPassword: oldUser.sambaNTPassword
                    });
                }

                for (let prop in newEntry) {
                    if (newEntry[prop] == null)
                        delete newEntry[prop];
                }

                if (oldUser) {
                    let changes = [];
                    let skipProps = new Set([
                        'dn',
                        'controls'
                    ]);

                    for (let prop in oldUser) {
                        let deleteProp = !skipProps.has(prop)
                            && !newEntry.hasOwnProperty(prop);
                        if (!deleteProp) continue;
                        changes.push(new ldap.Change({
                            operation: 'delete',
                            modification: {
                                [prop]: oldUser[prop]
                            }
                        }));
                    }
                    for (let prop in newEntry) {
                        if (this.isEqual(oldUser[prop], newEntry[prop]))
                            continue;
                        changes.push(new ldap.Change({
                            operation: 'replace',
                            modification: {
                                [prop]: newEntry[prop]
                            }
                        }));
                    }

                    if (shouldSync && changes.length)
                        await client.modify(dn, changes);
                } else if (shouldSync)
                    await client.add(dn, newEntry);
            } else {
                try {
                    if (shouldSync)
                        await client.del(dn);
                    // eslint-disable-next-line no-console
                    console.log(` -> User '${userName}' removed from LDAP`);
                } catch (e) {
                    if (e.name !== 'NoSuchObjectError') throw e;
                }
            }
        },

        isEqual(a, b) {
            if (Array.isArray(a) && Array.isArray(b)) {
                if (a.length !== b.length)
                    return false;
                for (let element of a) {
                    if (b.indexOf(element) === -1)
                        return false;
                }
                return true;
            } else
                return a == b;
        },

        async syncUserGroups(userName, info) {
            let {client} = this;
            let {user} = info;
            let groupDn = this.groupDn;

            let opts = {
                scope: 'sub',
                attributes: ['dn', 'cn'],
                filter: `&(memberUid=${userName})(objectClass=posixGroup)`
            };
            let oldGroups = await client.searchAll(groupDn, opts);

            let deleteGroups = [];
            let addGroups = [];

            if (info.hasAccount) {
                let oldSet = new Set();
                oldGroups.forEach(e => oldSet.add(e.cn));

                let newSet = new Set();
                user.roles().forEach(e => newSet.add(e.inherits().name));

                for (let group of oldGroups) {
                    if (!newSet.has(group.cn))
                        deleteGroups.push(group.cn);
                }
                for (let role of user.roles()) {
                    if (!oldSet.has(role.inherits().name))
                        addGroups.push(role.inherits().name);
                }
            } else {
                for (let group of oldGroups)
                    deleteGroups.push(group.cn);
            }

            async function applyOperations(groups, operation) {
                for (let group of groups) {
                    try {
                        let dn = `cn=${group},${groupDn}`;
                        if (shouldSync) {
                            await client.modify(dn, new ldap.Change({
                                operation,
                                modification: {memberUid: userName}
                            }));
                        }
                    } catch (err) {
                        if (err.name !== 'NoSuchObjectError')
                            throw err;
                    }
                }
            }

            await applyOperations(deleteGroups, 'delete');
            await applyOperations(addGroups, 'add');
        },

        async getUsers(usersToSync) {
            let {client} = this;

            let opts = {
                scope: 'sub',
                attributes: ['uid'],
                filter: `uid=*`
            };
            await client.searchForeach(this.userDn, opts,
                o => usersToSync.add(o.uid));
        },

        async syncRoles() {
            let $ = app.models;
            let {
                client,
                accountConfig
            } = this;

            // Prepare data

            let roles = await $.VnRole.find({
                fields: ['id', 'name', 'description']
            });
            let roleRoles = await $.RoleRole.find({
                fields: ['role', 'inheritsFrom']
            });
            let roleMap = toMap(roleRoles, e => {
                return {key: e.inheritsFrom, val: e.role};
            });

            let accounts = await $.Account.find({
                fields: ['id'],
                include: {
                    relation: 'user',
                    scope: {
                        fields: ['name', 'roleFk'],
                        where: {active: true}
                    }
                }
            });
            let accountMap = toMap(accounts, e => {
                let user = e.user();
                if (!user) return;
                return {key: user.roleFk, val: user.name};
            });

            // Delete roles

            let opts = {
                scope: 'sub',
                attributes: ['dn'],
                filter: 'objectClass=posixGroup'
            };
            let reqs = [];
            await client.searchForeach(this.groupDn, opts, object => {
                if (shouldSync)
                    reqs.push(client.del(object.dn));
            });
            await Promise.all(reqs);

            // Recreate roles

            reqs = [];
            for (let role of roles) {
                let newEntry = {
                    objectClass: ['top', 'posixGroup'],
                    cn: role.name,
                    description: role.description,
                    gidNumber: accountConfig.idBase + role.id
                };

                let memberUid = [];
                for (let subrole of roleMap.get(role.id) || [])
                    memberUid = memberUid.concat(accountMap.get(subrole) || []);

                if (memberUid.length) {
                    memberUid.sort((a, b) => a.localeCompare(b));
                    newEntry.memberUid = memberUid;
                }

                let dn = `cn=${role.name},${this.groupDn}`;
                if (shouldSync)
                    reqs.push(client.add(dn, newEntry));
            }
            await Promise.all(reqs);
        }
    });
};

function toMap(array, fn) {
    let map = new Map();
    for (let item of array) {
        let keyVal = fn(item);
        if (!keyVal) continue;
        let key = keyVal.key;
        if (!map.has(key)) map.set(key, []);
        map.get(key).push(keyVal.val);
    }
    return map;
}
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
			`const app = require('vn-loopback/server/server');`
			`const ldap = require('../util/ldapjs-extra');`
			`const crypto = require('crypto');`
			`const nthash = require('smbhash').nthash;`
fix: move to boot 2024-05-21 13:11:32 +00:00			`const isProduction = require('vn-loopback/server/boot/isProduction');`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
			`module.exports = Self => {`
fix: checking process.env.NODE_ENV 2024-05-21 11:50:45 +00:00			`const shouldSync = isProduction();`
refs #2818 sincronización quitada en test 2022-11-02 09:18:38 +00:00
fix: refs #6432, #5848 account sync fixes 2023-11-20 17:39:37 +00:00			`Self.getLinker = async function() {`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`return await Self.findOne({`
			`fields: [`
			`'server',`
			`'rdn',`
			`'password',`
			`'userDn',`
			`'groupDn'`
			`]`
			`});`
			`};`

			`Object.assign(Self.prototype, {`
			`async init() {`
			`this.client = ldap.createClient({`
			`url: this.server`
			`});`
fix: refs #6432, #5848 account sync fixes 2023-11-20 17:39:37 +00:00			`this.client.on('error', () => {});`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`await this.client.bind(this.rdn, this.password);`
			`},`

			`async deinit() {`
			`await this.client.unbind();`
			`},`

			`async syncUser(userName, info, password) {`
			`let {`
			`client,`
			`accountConfig`
			`} = this;`

LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			let dn = `uid=${userName},${this.userDn}`;
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
Account synchronization fixes 2020-11-13 12:20:37 +00:00			`if (info.hasAccount) {`
			`let {user} = info;`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
Account synchronization fixes 2020-11-13 12:20:37 +00:00			`let oldUser = await client.searchOne(this.userDn, {`
			`scope: 'sub',`
			filter: `&(uid=${userName})`
			`});`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
Account synchronization fixes 2020-11-13 12:20:37 +00:00			`let nickname = user.nickname \|\| userName;`
			`let nameArgs = nickname.trim().split(' ');`
			`let sn = nameArgs.length > 1`
			`? nameArgs.splice(1).join(' ')`
			`: '-';`

LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`let newEntry = {`
Account synchronization fixes 2020-11-13 12:20:37 +00:00			`uid: userName,`
			`objectClass: [`
			`'inetOrgPerson',`
			`'posixAccount',`
			`'sambaSamAccount'`
			`],`
			`cn: nickname,`
			`displayName: nickname,`
			`givenName: nameArgs[0],`
			`sn,`
			`mail: info.corporateMail,`
			`preferredLanguage: user.lang \|\| 'en',`
			homeDirectory: `${accountConfig.homedir}/${userName}`,
			`loginShell: accountConfig.shell,`
			`uidNumber: info.uidNumber,`
			`gidNumber: accountConfig.idBase + user.roleFk,`
			`sambaSID: '-'`
			`};`

			`if (password) {`
			`let salt = crypto`
			`.randomBytes(8)`
			`.toString('base64');`

			`let hash = crypto.createHash('sha1');`
			`hash.update(password);`
			`hash.update(salt, 'binary');`
			`let digest = hash.digest('binary');`

			`let ssha = Buffer`
			`.from(digest + salt, 'binary')`
			`.toString('base64');`

			`Object.assign(newEntry, {`
			userPassword: `{SSHA}${ssha}`,
			`sambaNTPassword: nthash(password)`
			`});`
			`} else if (oldUser) {`
			`Object.assign(newEntry, {`
			`userPassword: oldUser.userPassword,`
			`sambaNTPassword: oldUser.sambaNTPassword`
			`});`
			`}`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
Account synchronization fixes 2020-11-13 12:20:37 +00:00			`for (let prop in newEntry) {`
			`if (newEntry[prop] == null)`
			`delete newEntry[prop];`
			`}`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`if (oldUser) {`
			`let changes = [];`
			`let skipProps = new Set([`
			`'dn',`
			`'controls'`
			`]);`

			`for (let prop in oldUser) {`
			`let deleteProp = !skipProps.has(prop)`
			`&& !newEntry.hasOwnProperty(prop);`
			`if (!deleteProp) continue;`
			`changes.push(new ldap.Change({`
			`operation: 'delete',`
			`modification: {`
			`[prop]: oldUser[prop]`
			`}`
			`}));`
			`}`
			`for (let prop in newEntry) {`
			`if (this.isEqual(oldUser[prop], newEntry[prop]))`
			`continue;`
			`changes.push(new ldap.Change({`
			`operation: 'replace',`
			`modification: {`
			`[prop]: newEntry[prop]`
			`}`
			`}));`
			`}`

refs #2818 sincronización quitada en test 2022-11-02 09:18:38 +00:00			`if (shouldSync && changes.length)`
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`await client.modify(dn, changes);`
refs #2818 sincronización quitada en test 2022-11-02 09:18:38 +00:00			`} else if (shouldSync)`
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`await client.add(dn, newEntry);`
			`} else {`
			`try {`
refs #2818 sincronización quitada en test 2022-11-02 09:18:38 +00:00			`if (shouldSync)`
			`await client.del(dn);`
fix: refs #6432 account sync fixes 2023-11-16 22:07:26 +00:00			`// eslint-disable-next-line no-console`
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			console.log(` -> User '${userName}' removed from LDAP`);
			`} catch (e) {`
			`if (e.name !== 'NoSuchObjectError') throw e;`
			`}`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`}`
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`},`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`isEqual(a, b) {`
			`if (Array.isArray(a) && Array.isArray(b)) {`
			`if (a.length !== b.length)`
			`return false;`
			`for (let element of a) {`
			`if (b.indexOf(element) === -1)`
			`return false;`
			`}`
			`return true;`
			`} else`
			`return a == b;`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`},`

			`async syncUserGroups(userName, info) {`
			`let {client} = this;`
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`let {user} = info;`
			`let groupDn = this.groupDn;`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
Account synchronization fixes 2020-11-13 12:20:37 +00:00			`let opts = {`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`scope: 'sub',`
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`attributes: ['dn', 'cn'],`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			filter: `&(memberUid=${userName})(objectClass=posixGroup)`
Account synchronization fixes 2020-11-13 12:20:37 +00:00			`};`
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`let oldGroups = await client.searchAll(groupDn, opts);`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`let deleteGroups = [];`
			`let addGroups = [];`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`if (info.hasAccount) {`
			`let oldSet = new Set();`
			`oldGroups.forEach(e => oldSet.add(e.cn));`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`let newSet = new Set();`
			`user.roles().forEach(e => newSet.add(e.inherits().name));`
LDAP sync hotfix 2020-11-30 17:50:04 +00:00
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`for (let group of oldGroups) {`
			`if (!newSet.has(group.cn))`
			`deleteGroups.push(group.cn);`
			`}`
			`for (let role of user.roles()) {`
			`if (!oldSet.has(role.inherits().name))`
			`addGroups.push(role.inherits().name);`
			`}`
			`} else {`
			`for (let group of oldGroups)`
			`deleteGroups.push(group.cn);`
			`}`
LDAP sync hotfix 2020-11-30 17:50:04 +00:00
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`async function applyOperations(groups, operation) {`
			`for (let group of groups) {`
			`try {`
			let dn = `cn=${group},${groupDn}`;
refs #2818 sincronización quitada en test 2022-11-02 09:18:38 +00:00			`if (shouldSync) {`
			`await client.modify(dn, new ldap.Change({`
			`operation,`
			`modification: {memberUid: userName}`
			`}));`
			`}`
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`} catch (err) {`
			`if (err.name !== 'NoSuchObjectError')`
			`throw err;`
			`}`
LDAP sync hotfix 2020-11-30 17:50:04 +00:00			`}`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`}`
refs #4480 Fix: VnUser before save hook removed -> setting password attribute 2023-04-14 23:51:38 +00:00
LDAP user sync only syncs changed attributes 2020-12-09 11:28:18 +00:00			`await applyOperations(deleteGroups, 'delete');`
			`await applyOperations(addGroups, 'add');`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`},`

			`async getUsers(usersToSync) {`
			`let {client} = this;`

Account synchronization fixes 2020-11-13 12:20:37 +00:00			`let opts = {`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`scope: 'sub',`
			`attributes: ['uid'],`
			filter: `uid=*`
Account synchronization fixes 2020-11-13 12:20:37 +00:00			`};`
			`await client.searchForeach(this.userDn, opts,`
			`o => usersToSync.add(o.uid));`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`},`

			`async syncRoles() {`
			`let $ = app.models;`
			`let {`
			`client,`
			`accountConfig`
			`} = this;`

Account synchronization fixes 2020-11-13 12:20:37 +00:00			`// Prepare data`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00
refs #5666 perf: replace Role by VnRole 2023-12-05 06:16:12 +00:00			`let roles = await $.VnRole.find({`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`fields: ['id', 'name', 'description']`
			`});`
			`let roleRoles = await $.RoleRole.find({`
			`fields: ['role', 'inheritsFrom']`
			`});`
			`let roleMap = toMap(roleRoles, e => {`
			`return {key: e.inheritsFrom, val: e.role};`
			`});`

Account refactor 2023-01-31 13:57:24 +00:00			`let accounts = await $.Account.find({`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`fields: ['id'],`
			`include: {`
			`relation: 'user',`
			`scope: {`
			`fields: ['name', 'roleFk'],`
			`where: {active: true}`
			`}`
			`}`
			`});`
			`let accountMap = toMap(accounts, e => {`
			`let user = e.user();`
			`if (!user) return;`
			`return {key: user.roleFk, val: user.name};`
			`});`

Account synchronization fixes 2020-11-13 12:20:37 +00:00			`// Delete roles`

			`let opts = {`
			`scope: 'sub',`
			`attributes: ['dn'],`
			`filter: 'objectClass=posixGroup'`
			`};`
			`let reqs = [];`
refs #2818 sincronización quitada en test 2022-11-02 09:18:38 +00:00			`await client.searchForeach(this.groupDn, opts, object => {`
			`if (shouldSync)`
			`reqs.push(client.del(object.dn));`
			`});`
Account synchronization fixes 2020-11-13 12:20:37 +00:00			`await Promise.all(reqs);`

			`// Recreate roles`

User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`reqs = [];`
			`for (let role of roles) {`
			`let newEntry = {`
			`objectClass: ['top', 'posixGroup'],`
			`cn: role.name,`
			`description: role.description,`
			`gidNumber: accountConfig.idBase + role.id`
			`};`

			`let memberUid = [];`
			`for (let subrole of roleMap.get(role.id) \|\| [])`
			`memberUid = memberUid.concat(accountMap.get(subrole) \|\| []);`

			`if (memberUid.length) {`
			`memberUid.sort((a, b) => a.localeCompare(b));`
			`newEntry.memberUid = memberUid;`
			`}`

			let dn = `cn=${role.name},${this.groupDn}`;
refs #2818 sincronización quitada en test 2022-11-02 09:18:38 +00:00			`if (shouldSync)`
			`reqs.push(client.add(dn, newEntry));`
User syncronization fixes, improvements, refactor 2020-11-12 22:20:25 +00:00			`}`
			`await Promise.all(reqs);`
			`}`
			`});`
			`};`
Account synchronization fixes 2020-11-13 12:20:37 +00:00
			`function toMap(array, fn) {`
			`let map = new Map();`
			`for (let item of array) {`
			`let keyVal = fn(item);`
			`if (!keyVal) continue;`
			`let key = keyVal.key;`
			`if (!map.has(key)) map.set(key, []);`
			`map.get(key).push(keyVal.val);`
			`}`
			`return map;`
			`}`