Add LDAP Authentication

apps/backend/.env-example

@@ -10,3 +10,18 @@ JWT_EXPIRE_TIME=<JSON Web Token Length of time before signature expires (if noth
 NODE_ENV=<development, production, or test (no default, must be set)>
 HEIMDALL_HEADLESS_TESTS=<run integration tests in a headless browser (default=true)>
 ADMIN_PASSWORD=<Password for admin user (if nothing is provided, defaults to a randomly generated password)>
+
+# LDAP Configuration
+LDAP_ENABLED=<If you want to enable LDAP login (true/false)>
+LDAP_HOST=<Your LDAP target server>
+LDAP_PORT=<Your LDAP target port (if nothing is provided, defaults to 389)>
+LDAP_BINDDN=<The Dn of the user used for lookups>
+LDAP_PASSWORD=<Your LDAP user's passwords used for lookups>
+# Here you set your LDAP searchbase, for more info see https://docs.oracle.com/cd/E19693-01/819-0997/auto45/index.html
+# If you're using Active Directory, you probably want "OU=Users, DC=<yourdomain>, DC=local"
+LDAP_SEARCHBASE="<Your LDAP search base>"
+# Here you set your LDAP search filter, for more info see https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
+# If you are using Active Directory Users, you probably want "(sAMAccountName={{username}}"
+LDAP_SEARCHFILTER="<Your LDAP search filter (if nothing is provided, defaults to (sAMAccountName={{username}}>"
+LDAP_NAMEFIELD="<The field that contains the user's full name (if nothing is provided, defaults to name)>"
+LDAP_MAILFIELD="<The field that contains the user's email (if nothing is provided, defaults to mail)>"

apps/backend/package.json

@@ -68,6 +68,7 @@
     "js-levenshtein": "^1.1.6",
     "passport": "^0.4.1",
     "passport-jwt": "^4.0.0",
+    "passport-ldapauth": "^3.0.1",
     "passport-local": "^1.0.0",
     "pg": "^8.2.1",
     "reflect-metadata": "^0.1.13",

apps/backend/src/authn/authn.controller.ts

@@ -1,4 +1,5 @@
 import {Controller, Post, Req, UseGuards} from '@nestjs/common';
+import {AuthGuard} from '@nestjs/passport';
 import {Request} from 'express';
 import {LocalAuthGuard} from '../guards/local-auth.guard';
 import {User} from '../users/user.model';
@@ -13,4 +14,10 @@ export class AuthnController {
   async login(@Req() req: Request): Promise<any> {
     return this.authnService.login(req.user as User);
   }
+
+  @UseGuards(AuthGuard('ldap'))
+  @Post('login/ldap')
+  async loginToLDAP(@Req() req: Request): Promise<any> {
+    return this.authnService.login(req.user as User);
+  }
 }

apps/backend/src/authn/authn.module.ts

@@ -6,11 +6,12 @@ import {UsersModule} from '../users/users.module';
 import {AuthnController} from './authn.controller';
 import {AuthnService} from './authn.service';
 import {JwtStrategy} from './jwt.strategy';
+import {LDAPStrategy} from './ldap.strategy';
 import {LocalStrategy} from './local.strategy';
 
 @Module({
   imports: [UsersModule, PassportModule, TokenModule, ConfigModule],
-  providers: [AuthnService, LocalStrategy, JwtStrategy],
+  providers: [AuthnService, LocalStrategy, JwtStrategy, LDAPStrategy],
   controllers: [AuthnController]
 })
 export class AuthnModule {}

apps/backend/src/authn/authn.service.ts

@@ -1,13 +1,17 @@
 import {Injectable, UnauthorizedException} from '@nestjs/common';
 import {JwtService} from '@nestjs/jwt';
 import {compare} from 'bcrypt';
+import * as crypto from 'crypto';
+import {ConfigService} from '../config/config.service';
+import {CreateUserDto} from '../users/dto/create-user.dto';
 import {User} from '../users/user.model';
 import {UsersService} from '../users/users.service';
 
 @Injectable()
 export class AuthnService {
   constructor(
     private usersService: UsersService,
+    private readonly configService: ConfigService,
     private jwtService: JwtService
   ) {}
 
@@ -26,6 +30,37 @@ export class AuthnService {
     }
   }
 
+  async validateOrCreateUser(
+    email: string,
+    firstName: string,
+    lastName: string
+  ): Promise<any> {
+    let user: User;
+    try {
+      user = await this.usersService.findByEmail(email);
+    } catch {
+      const randomPass = crypto.randomBytes(128).toString('hex');
+      const createUser: CreateUserDto = {
+        email: email,
+        password: randomPass,
+        passwordConfirmation: randomPass,
+        firstName: firstName,
+        lastName: lastName,
+        organization: '',
+        title: '',
+        role: ''
+      };
+      await this.usersService.create(createUser);
+      user = await this.usersService.findByEmail(email);
+    }
+
+    if (user) {
+      this.usersService.updateLoginMetadata(user);
+    }
+
+    return user;
+  }
+
   async login(user: {
     id: string;
     email: string;
@@ -51,4 +86,12 @@ export class AuthnService {
       };
     }
   }
+
+  splitName(fullName: string): {firstName: string; lastName: string} {
+    const nameArray = fullName.split(' ');
+    return {
+      firstName: nameArray.slice(0, -1).join(' '),
+      lastName: nameArray[nameArray.length - 1]
+    };
+  }
 }

apps/backend/src/authn/ldap.strategy.ts

@@ -0,0 +1,46 @@
+import {Injectable} from '@nestjs/common';
+import {PassportStrategy} from '@nestjs/passport';
+import {Request} from 'express';
+import Strategy from 'passport-ldapauth';
+import {ConfigService} from '../config/config.service';
+import {AuthnService} from './authn.service';
+
+@Injectable()
+export class LDAPStrategy extends PassportStrategy(Strategy, 'ldap') {
+  constructor(
+    private readonly authnService: AuthnService,
+    private readonly configService: ConfigService
+  ) {
+    super(
+      {
+        passReqToCallback: true,
+        server: {
+          url: `ldap://${configService.get('LDAP_HOST')}:${
+            configService.get('LDAP_PORT') || 389
+          }`,
+          bindDN: configService.get('LDAP_BINDDN'),
+          bindCredentials: configService.get('LDAP_PASSWORD'),
+          searchBase: configService.get('LDAP_SEARCHBASE') || 'disabled',
+          searchFilter:
+            configService.get('LDAP_SEARCHFILTER') ||
+            '(sAMAccountName={{username}})',
+          passReqToCallback: true
+        }
+      },
+      async (req: Request, user: any, done: any) => {
+        const {firstName, lastName} = this.authnService.splitName(
+          user[configService.get('LDAP_NAMEFIELD') || 'name']
+        );
+        const email: string =
+          user[configService.get('LDAP_MAILFIELD') || 'mail'];
+
+        req.user = this.authnService.validateOrCreateUser(
+          email,
+          firstName,
+          lastName
+        );
+        return done(null, req.user);
+      }
+    );
+  }
+}

apps/backend/src/config/config.service.ts

@@ -10,7 +10,10 @@ export class ConfigService {
   }
 
   frontendStartupSettings(): StartupSettingsDto {
-    return new StartupSettingsDto({banner: this.get('WARNING_BANNER') || ''});
+    return new StartupSettingsDto({
+      banner: this.get('WARNING_BANNER') || '',
+      ldap: this.get('LDAP_ENABLED')?.toLocaleLowerCase() === 'true' || false
+    });
   }
 
   getDbConfig(): SequelizeOptions {

apps/backend/src/config/dto/startup-settings.dto.ts

@@ -2,8 +2,10 @@ import {IStartupSettings} from '@heimdall/interfaces';
 
 export class StartupSettingsDto implements IStartupSettings {
   readonly banner: string;
+  readonly ldap: boolean;
 
   constructor(settings: IStartupSettings) {
     this.banner = settings.banner;
+    this.ldap = settings.ldap;
   }
 }

apps/frontend/src/components/global/login/LDAPLogin.vue

@@ -0,0 +1,84 @@
+<template>
+  <v-card-text>
+    <v-form id="login_form" ref="form" name="login_form">
+      <v-text-field
+        id="username_field"
+        v-model="username"
+        :error-messages="requiredFieldError($v.username, 'Username')"
+        name="username"
+        label="Username"
+        prepend-icon="mdi-account"
+        type="text"
+        required
+        @keyup.enter="$refs.password.focus"
+        @blur="$v.username.$touch()"
+      />
+      <v-text-field
+        id="password_field"
+        ref="password"
+        v-model="password"
+        :error-messages="requiredFieldError($v.password, 'Password')"
+        type="password"
+        name="password"
+        label="Password"
+        prepend-icon="mdi-lock"
+        @keyup.enter="ldapLogin()"
+        @blur="$v.password.$touch()"
+      />
+      <v-btn
+        id="login_button"
+        depressed
+        large
+        color="primary"
+        @click="ldapLogin()"
+      >
+        Login
+      </v-btn>
+    </v-form>
+  </v-card-text>
+</template>
+
+<script lang="ts">
+import Vue from 'vue';
+import Component from 'vue-class-component';
+import {required} from 'vuelidate/lib/validators';
+import UserValidatorMixin from '@/mixins/UserValidatorMixin';
+import {ServerModule} from '@/store/server';
+import {SnackbarModule} from '@/store/snackbar';
+
+export interface LDAPLoginHash {
+  username: string;
+  password: string;
+}
+
+@Component({
+    mixins: [UserValidatorMixin],
+    validations: {
+        username: {
+            required
+        },
+        password: {
+            required
+        }
+    }
+})
+export default class LDAPLogin extends Vue {
+    username: string = '';
+    password: string = '';
+
+    ldapLogin() {
+        const creds: LDAPLoginHash = {
+        username: this.username,
+        password: this.password
+        };
+        ServerModule.LoginLDAP(creds)
+        .then(() => {
+            this.$router.push('/');
+            SnackbarModule.notify('You have successfully signed in.');
+        })
+        .catch((error) => {
+            SnackbarModule.notify(error.response.data.message);
+        });
+    }
+}
+</script>

apps/frontend/src/components/global/login/LocalLogin.vue

@@ -0,0 +1,98 @@
+<template>
+  <v-card class="elevation-12 rounded-t-0">
+    <v-card-text>
+      <v-form id="login_form" ref="form" name="login_form">
+        <v-text-field
+          id="email_field"
+          v-model="email"
+          :error-messages="emailErrors($v.email)"
+          name="email"
+          label="Email"
+          prepend-icon="mdi-account"
+          type="text"
+          required
+          @keyup.enter="$refs.password.focus"
+          @blur="$v.email.$touch()"
+        />
+        <v-text-field
+          id="password_field"
+          ref="password"
+          v-model="password"
+          :error-messages="requiredFieldError($v.password, 'Password')"
+          type="password"
+          name="password"
+          label="Password"
+          prepend-icon="mdi-lock"
+          @keyup.enter="login"
+          @blur="$v.password.$touch()"
+        />
+        <v-btn
+          id="login_button"
+          depressed
+          large
+          color="primary"
+          :disabled="$v.$invalid"
+          @click="login"
+        >
+          Login
+        </v-btn>
+      </v-form>
+    </v-card-text>
+    <v-card-actions>
+      <v-spacer />
+      <div class="my-2">
+        <v-btn id="sign_up_button" depressed small @click="signup">
+          Sign Up
+        </v-btn>
+      </div>
+    </v-card-actions>
+  </v-card>
+</template>
+<script lang="ts">
+import Vue from 'vue';
+import Component from 'vue-class-component';
+import {ServerModule} from '@/store/server';
+import {required, email} from 'vuelidate/lib/validators';
+import UserValidatorMixin from '@/mixins/UserValidatorMixin';
+import {SnackbarModule} from '@/store/snackbar';
+
+interface LoginHash {
+  email: string;
+  password: string;
+}
+@Component({
+    mixins: [UserValidatorMixin],
+    validations: {
+    email: {
+      required,
+      email
+    },
+    password: {
+      required
+    }
+  }
+})
+export default class LocalLogin extends Vue {
+    email: string = '';
+    password: string = '';
+
+  signup() {
+    this.$router.push('/signup');
+  }
+
+  login() {
+    let creds: LoginHash = {
+      email: this.email,
+      password: this.password
+    };
+    ServerModule.Login(creds)
+      .then(() => {
+        this.$router.push('/');
+        SnackbarModule.notify('You have successfully signed in.');
+      })
+      .catch((error) => {
+        SnackbarModule.notify(error.response.data.message);
+      });
+  }
+}
+</script>