Add LDAP Authentication

.github/workflows/e2e-ui-tests.yml

@@ -2,9 +2,9 @@ name: Run E2E Backend + Frontend Tests
 
 on:
   push:
-    branches: [ master ]
+    branches: [master]
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 jobs:
   build:
@@ -19,54 +19,58 @@ jobs:
           POSTGRES_PASSWORD: postgres
         ports:
           - 5432:5432
+      ldap:
+        image: rroemhild/test-openldap
+        ports:
+          - 10389:10389
 
     steps:
-     - uses: actions/checkout@v2
+      - uses: actions/checkout@v2
 
-     - name: Cache node modules
-       uses: actions/cache@v2
-       env:
-         cache-name: cache-node-modules
-       with:
-         # npm cache files are stored in `~/.npm` on Linux/macOS
-         path: ~/.npm
-         key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
-         restore-keys: |
-           ${{ runner.os }}-build-${{ env.cache-name }}-
-           ${{ runner.os }}-build-
-           ${{ runner.os }}-
+      - name: Cache node modules
+        uses: actions/cache@v2
+        env:
+          cache-name: cache-node-modules
+        with:
+          # npm cache files are stored in `~/.npm` on Linux/macOS
+          path: ~/.npm
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-build-${{ env.cache-name }}-
+            ${{ runner.os }}-build-
+            ${{ runner.os }}-
 
-     - name: Setup Node.js
-       uses: actions/setup-node@v1
-       with:
-        node-version: '14.x'
+      - name: Setup Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: "14.x"
 
-     - name: Install project dependencies
-       run: yarn install --frozen-lockfile
+      - name: Install project dependencies
+        run: yarn install --frozen-lockfile
 
-     - name: Copy .env-ci to .env
-       run: cp apps/backend/test/.env-ci apps/backend/.env
+      - name: Copy .env-ci to .env
+        run: cp apps/backend/test/.env-ci apps/backend/.env
 
-     - name: Create/migrate db
-       run: |
-        yarn backend sequelize-cli db:create
-        yarn backend sequelize-cli db:migrate
-        yarn backend sequelize-cli db:seed:all
+      - name: Create/migrate db
+        run: |
+          yarn backend sequelize-cli db:create
+          yarn backend sequelize-cli db:migrate
+          yarn backend sequelize-cli db:seed:all
 
-     - name: Build Heimdall
-       run: yarn build
-       env:
-        NODE_ENV: production
+      - name: Build Heimdall
+        run: yarn build
+        env:
+          NODE_ENV: production
 
-     - name: Cypress run
-       uses: cypress-io/github-action@v2
-       with:
-         start: yarn start
-         wait-on: http://127.0.0.1:3000
+      - name: Cypress run
+        uses: cypress-io/github-action@v2
+        with:
+          start: yarn start
+          wait-on: http://127.0.0.1:3000
 
-     - name: Upload test screenshots
-       if: failure()
-       uses: actions/upload-artifact@master
-       with:
-         name: cypress-screenshots
-         path: test/screenshots
+      - name: Upload test screenshots
+        if: failure()
+        uses: actions/upload-artifact@master
+        with:
+          name: cypress-screenshots
+          path: test/screenshots

README.md

@@ -157,7 +157,7 @@ Proper API documentation does not exist yet. In the meantime here are quick inst
 
 ```sh
 # Create a user (only needs to be done once)
-curl -X POST -H "Content-Type: application/json" -d '{"email": "[email protected]", "password": "password", "passwordConfirmation": "password", "role": "user" }' http://localhost:3000/users
+curl -X POST -H "Content-Type: application/json" -d '{"email": "[email protected]", "password": "password", "passwordConfirmation": "password", "role": "user", "creationMethod": "local" }' http://localhost:3000/users
 # Log in
 curl -X POST -H "Content-Type: application/json" -d '{"email": "[email protected]", "password": "password" }' http://localhost:3000/authn/login
 # The previous command returns a Bearer Token that needs to get placed in the following command

apps/backend/.env-example

@@ -10,3 +10,18 @@ JWT_EXPIRE_TIME=<JSON Web Token Length of time before signature expires (if noth
 NODE_ENV=<development, production, or test (no default, must be set)>
 HEIMDALL_HEADLESS_TESTS=<run integration tests in a headless browser (default=true)>
 ADMIN_PASSWORD=<Password for admin user (if nothing is provided, defaults to a randomly generated password)>
+
+# LDAP Configuration
+LDAP_ENABLED=<If you want to enable LDAP login (true/false)>
+LDAP_HOST=<Your LDAP target server>
+LDAP_PORT=<Your LDAP target port (if nothing is provided, defaults to 389)>
+LDAP_BINDDN=<The Dn of the user used for lookups>
+LDAP_PASSWORD=<Your LDAP user's passwords used for lookups>
+# Here you set your LDAP searchbase, for more info see https://docs.oracle.com/cd/E19693-01/819-0997/auto45/index.html
+# If you're using Active Directory, you probably want "OU=Users, DC=<yourdomain>, DC=local"
+LDAP_SEARCHBASE="<Your LDAP search base>"
+# Here you set your LDAP search filter, for more info see https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
+# If you are using Active Directory Users, you probably want "sAMAccountName={{username}}"
+LDAP_SEARCHFILTER="<Your LDAP search filter (if nothing is provided, defaults to (sAMAccountName={{username}})>"
+LDAP_NAMEFIELD="<The field that contains the user's full name (if nothing is provided, defaults to name)>"
+LDAP_MAILFIELD="<The field that contains the user's email (if nothing is provided, defaults to mail)>"

apps/backend/config/app_config.ts

@@ -64,8 +64,8 @@ export default class AppConfig {
       dialectOptions: {
         ssl: Boolean(this.get('DATABASE_SSL'))
           ? {
-            rejectUnauthorized: false
-          }
+              rejectUnauthorized: false
+            }
           : false
       },
       ssl: Boolean(this.get('DATABASE_SSL')) || false

apps/backend/migrations/20210128142318-add_account_creation_method_to_users.js

@@ -0,0 +1,24 @@
+'use strict';
+
+const sequelize = require("sequelize");
+
+module.exports = {
+  up: async (queryInterface, Sequelize) => {
+    return queryInterface.sequelize.transaction((t) => {
+      return Promise.all([
+        queryInterface.addColumn('Users', 'creationMethod', {
+          type: sequelize.STRING,
+          defaultValue: 'local'
+        })
+      ])
+    })
+  },
+
+  down: async (queryInterface, Sequelize) => {
+    return queryInterface.sequelize.transaction((t) => {
+      return Promise.all([
+        queryInterface.removeColumn('Users', 'creationMethod', { transaction: t })
+      ])
+    })
+  }
+};

apps/backend/package.json

@@ -68,6 +68,7 @@
     "js-levenshtein": "^1.1.6",
     "passport": "^0.4.1",
     "passport-jwt": "^4.0.0",
+    "passport-ldapauth": "^3.0.1",
     "passport-local": "^1.0.0",
     "pg": "^8.2.1",
     "reflect-metadata": "^0.1.13",

apps/backend/src/authn/authn.controller.ts

@@ -1,4 +1,5 @@
 import {Controller, Post, Req, UseGuards} from '@nestjs/common';
+import {AuthGuard} from '@nestjs/passport';
 import {Request} from 'express';
 import {LocalAuthGuard} from '../guards/local-auth.guard';
 import {User} from '../users/user.model';
@@ -10,7 +11,17 @@ export class AuthnController {
 
   @UseGuards(LocalAuthGuard)
   @Post('login')
-  async login(@Req() req: Request): Promise<any> {
+  async login(
+    @Req() req: Request
+  ): Promise<{userID: string; accessToken: string}> {
+    return this.authnService.login(req.user as User);
+  }
+
+  @UseGuards(AuthGuard('ldap'))
+  @Post('login/ldap')
+  async loginToLDAP(
+    @Req() req: Request
+  ): Promise<{userID: string; accessToken: string}> {
     return this.authnService.login(req.user as User);
   }
 }

apps/backend/src/authn/authn.module.ts

@@ -6,11 +6,12 @@ import {UsersModule} from '../users/users.module';
 import {AuthnController} from './authn.controller';
 import {AuthnService} from './authn.service';
 import {JwtStrategy} from './jwt.strategy';
+import {LDAPStrategy} from './ldap.strategy';
 import {LocalStrategy} from './local.strategy';
 
 @Module({
   imports: [UsersModule, PassportModule, TokenModule, ConfigModule],
-  providers: [AuthnService, LocalStrategy, JwtStrategy],
+  providers: [AuthnService, LocalStrategy, JwtStrategy, LDAPStrategy],
   controllers: [AuthnController]
 })
 export class AuthnModule {}

apps/backend/src/authn/authn.service.ts

@@ -1,17 +1,21 @@
 import {Injectable, UnauthorizedException} from '@nestjs/common';
 import {JwtService} from '@nestjs/jwt';
 import {compare} from 'bcrypt';
+import * as crypto from 'crypto';
+import {ConfigService} from '../config/config.service';
+import {CreateUserDto} from '../users/dto/create-user.dto';
 import {User} from '../users/user.model';
 import {UsersService} from '../users/users.service';
 
 @Injectable()
 export class AuthnService {
   constructor(
     private usersService: UsersService,
+    private readonly configService: ConfigService,
     private jwtService: JwtService
   ) {}
 
-  async validateUser(email: string, password: string): Promise<any> {
+  async validateUser(email: string, password: string): Promise<User | null> {
     let user: User;
     try {
       user = await this.usersService.findByEmail(email);
@@ -26,6 +30,46 @@ export class AuthnService {
     }
   }
 
+  async validateOrCreateUser(
+    email: string,
+    firstName: string,
+    lastName: string,
+    creationMethod: string
+  ): Promise<User> {
+    let user: User;
+    try {
+      user = await this.usersService.findByEmail(email);
+    } catch {
+      const randomPass = crypto.randomBytes(128).toString('hex');
+      const createUser: CreateUserDto = {
+        email: email,
+        password: randomPass,
+        passwordConfirmation: randomPass,
+        firstName: firstName,
+        lastName: lastName,
+        organization: '',
+        title: '',
+        role: 'user',
+        creationMethod: creationMethod
+      };
+      await this.usersService.create(createUser);
+      user = await this.usersService.findByEmail(email);
+    }
+
+    if (user) {
+      // If the users info has changed since they last logged in it will be reflected here.
+      // Because we find the user by their email, we can't detect a change in email.
+      if (user.firstName !== firstName || user.lastName !== lastName) {
+        user.firstName = firstName;
+        user.lastName = lastName;
+        user.save();
+      }
+      this.usersService.updateLoginMetadata(user);
+    }
+
+    return user;
+  }
+
   async login(user: {
     id: string;
     email: string;
@@ -51,4 +95,12 @@ export class AuthnService {
       };
     }
   }
+
+  splitName(fullName: string): {firstName: string; lastName: string} {
+    const nameArray = fullName.split(' ');
+    return {
+      firstName: nameArray.slice(0, -1).join(' '),
+      lastName: nameArray[nameArray.length - 1]
+    };
+  }
 }

apps/backend/src/authn/ldap.strategy.ts

@@ -0,0 +1,47 @@
+import {Injectable} from '@nestjs/common';
+import {PassportStrategy} from '@nestjs/passport';
+import {Request} from 'express';
+import Strategy from 'passport-ldapauth';
+import {ConfigService} from '../config/config.service';
+import {AuthnService} from './authn.service';
+
+@Injectable()
+export class LDAPStrategy extends PassportStrategy(Strategy, 'ldap') {
+  constructor(
+    private readonly authnService: AuthnService,
+    private readonly configService: ConfigService
+  ) {
+    super(
+      {
+        passReqToCallback: true,
+        server: {
+          url: `ldap://${configService.get('LDAP_HOST')}:${
+            configService.get('LDAP_PORT') || 389
+          }`,
+          bindDN: configService.get('LDAP_BINDDN'),
+          bindCredentials: configService.get('LDAP_PASSWORD'),
+          searchBase: configService.get('LDAP_SEARCHBASE') || 'disabled',
+          searchFilter:
+            configService.get('LDAP_SEARCHFILTER') ||
+            '(sAMAccountName={{username}})',
+          passReqToCallback: true
+        }
+      },
+      async (req: Request, user: any, done: any) => {
+        const {firstName, lastName} = this.authnService.splitName(
+          user[configService.get('LDAP_NAMEFIELD') || 'name']
+        );
+        const email: string =
+          user[configService.get('LDAP_MAILFIELD') || 'mail'];
+
+        req.user = this.authnService.validateOrCreateUser(
+          email,
+          firstName,
+          lastName,
+          'ldap'
+        );
+        return done(null, req.user);
+      }
+    );
+  }
+}

apps/backend/src/config/config.service.ts

@@ -10,7 +10,10 @@ export class ConfigService {
   }
 
   frontendStartupSettings(): StartupSettingsDto {
-    return new StartupSettingsDto({banner: this.get('WARNING_BANNER') || ''});
+    return new StartupSettingsDto({
+      banner: this.get('WARNING_BANNER') || '',
+      ldap: this.get('LDAP_ENABLED')?.toLocaleLowerCase() === 'true' || false
+    });
   }
 
   getDbConfig(): SequelizeOptions {

apps/backend/src/config/dto/startup-settings.dto.ts

@@ -2,8 +2,10 @@ import {IStartupSettings} from '@heimdall/interfaces';
 
 export class StartupSettingsDto implements IStartupSettings {
   readonly banner: string;
+  readonly ldap: boolean;
 
   constructor(settings: IStartupSettings) {
     this.banner = settings.banner;
+    this.ldap = settings.ldap;
   }
 }

apps/backend/src/users/dto/create-user.dto.ts

@@ -34,4 +34,9 @@ export class CreateUserDto implements ICreateUser {
   @IsString()
   @IsIn(['user'])
   readonly role!: string;
+
+  @IsNotEmpty()
+  @IsString()
+  @IsIn(['local', 'ldap', 'oauth'])
+  readonly creationMethod!: string;
 }