Allow per user access control rules
parent
2a73b1a431
commit
e310478e6d
|
@ -50,6 +50,9 @@ access_control:
|
||||||
- group: dev
|
- group: dev
|
||||||
allowed_domains:
|
allowed_domains:
|
||||||
- secret2.test.local
|
- secret2.test.local
|
||||||
|
- user: harry
|
||||||
|
allowed_domains:
|
||||||
|
- secret1.test.local
|
||||||
|
|
||||||
|
|
||||||
# Configuration of session cookies
|
# Configuration of session cookies
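Review bot: The new `- user: harry` example documents the syntax but not the semantics an operator needs: in the accompanying code the domains of every matching rule are concatenated, so a user listed in a `user:` rule and belonging to a `group:` rule receives the union of both, and a single rule that carries both keys is treated as matching on either one. A short comment above the rule list would prevent over-granting by misconfiguration, e.g. `# Rules are additive: a user receives the union of allowed_domains from every group rule` / `# matching one of their groups and every user rule matching their username. Use either` / `# 'group' or 'user' in a rule, not both.`. The surrounding `access_control:` list starts before this hunk.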
|
||||||
|
|
|
@ -5,13 +5,17 @@ var exceptions = require('../exceptions');
|
||||||
var objectPath = require('object-path');
|
var objectPath = require('object-path');
|
||||||
var Promise = require('bluebird');
|
var Promise = require('bluebird');
|
||||||
|
|
||||||
function get_allowed_domains(access_control, groups) {
|
function get_allowed_domains(access_control, username, groups) {
|
||||||
var allowed_domains = [];
|
var allowed_domains = [];
|
||||||
|
|
||||||
for(var i = 0; i<access_control.length; ++i) {
|
for(var i = 0; i<access_control.length; ++i) {
|
||||||
var rule = access_control[i];
|
var rule = access_control[i];
|
||||||
if('group' in rule && 'allowed_domains' in rule) {
|
if('allowed_domains' in rule) {
|
||||||
if(groups.indexOf(rule['group']) >= 0) {
|
if('group' in rule && groups.indexOf(rule['group']) >= 0) {
|
||||||
|
var domains = rule.allowed_domains;
|
||||||
|
allowed_domains = allowed_domains.concat(domains);
|
||||||
|
}
|
||||||
|
else if('user' in rule && username == rule['user']) {
|
||||||
var domains = rule.allowed_domains;
|
var domains = rule.allowed_domains;
|
||||||
allowed_domains = allowed_domains.concat(domains);
|
allowed_domains = allowed_domains.concat(domains);
|
||||||
}
|
}
|
||||||
|
@ -58,7 +62,8 @@ function first_factor(req, res) {
|
||||||
objectPath.set(req, 'session.auth_session.email', emails[0]);
|
objectPath.set(req, 'session.auth_session.email', emails[0]);
|
||||||
|
|
||||||
if(config.access_control) {
|
if(config.access_control) {
|
||||||
var allowed_domains = get_allowed_domains(config.access_control, groups);
|
var allowed_domains = get_allowed_domains(config.access_control,
|
||||||
|
username, groups);
|
||||||
logger.debug('1st factor: allowed domains are %s', allowed_domains);
|
logger.debug('1st factor: allowed domains are %s', allowed_domains);
|
||||||
objectPath.set(req, 'session.auth_session.allowed_domains',
|
objectPath.set(req, 'session.auth_session.allowed_domains',
|
||||||
allowed_domains);
|
allowed_domains);
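Review bot: In the first hunk of this file a rule that carries both `group` and `user` keys is matched as either-or: the `else if('user' in rule && username == rule['user'])` branch only runs after the group branch failed, so such a rule grants its domains whenever either key matches, which an operator writing a combined rule is unlikely to expect. Consider rejecting rules that have both keys when the config is loaded, or at least documenting the semantics above the loop, e.g. `// A rule matches if its group is one of the user's groups OR its user equals the username; domains of all matching rules are concatenated.`. The comparison should also be strict, `else if('user' in rule && username === rule['user']) {`, since a YAML value such as `user: 1` parses as a number and `==` would let it match the string '1'. The `get_allowed_domains` body, its remaining closing braces and its return continue past the hunk, and the `username` passed from `first_factor` in the second hunk is defined outside the hunk, so I cannot confirm from here that it is the identity that was actually bound against LDAP rather than an unvalidated request field.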
|
||||||
|
|
|
@ -74,7 +74,8 @@ describe('test the first factor validation route', function() {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should store the allowed domains in the auth session', function() {
|
describe('store the allowed domains in the auth session', function() {
|
||||||
|
it('should store the per group allowed domains', function() {
|
||||||
config.access_control = [];
|
config.access_control = [];
|
||||||
config.access_control.push({
|
config.access_control.push({
|
||||||
group: 'group1',
|
group: 'group1',
|
||||||
|
@ -94,6 +95,27 @@ describe('test the first factor validation route', function() {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('should store the per group allowed domains', function() {
|
||||||
|
config.access_control = [];
|
||||||
|
config.access_control.push({
|
||||||
|
user: 'username',
|
||||||
|
allowed_domains: ['domain1.example.com', 'domain2.example.com']
|
||||||
|
});
|
||||||
|
return new Promise(function(resolve, reject) {
|
||||||
|
res.send = sinon.spy(function(data) {
|
||||||
|
assert.deepEqual(['domain1.example.com', 'domain2.example.com'],
|
||||||
|
req.session.auth_session.allowed_domains);
|
||||||
|
assert.equal(204, res.status.getCall(0).args[0]);
|
||||||
|
resolve();
|
||||||
|
});
|
||||||
|
ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
|
||||||
|
ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
|
||||||
|
ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
|
||||||
|
first_factor(req, res);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
it('should retrieve email from LDAP', function(done) {
|
it('should retrieve email from LDAP', function(done) {
|
||||||
res.send = sinon.spy(function(data) { done(); });
|
res.send = sinon.spy(function(data) { done(); });
|
||||||
ldap_interface_mock.bind.returns(Promise.resolve());
|
ldap_interface_mock.bind.returns(Promise.resolve());
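Review bot: The new test case is misnamed: its fixture is a `user: 'username'` rule, yet it is titled `it('should store the per group allowed domains', ...)`, the same title as the group test above it, so a failure cannot be told apart; it should read `it('should store the per user allowed domains', function() {`. The assertions also run inside the `res.send` spy of a hand-built Promise that only ever calls `resolve()`, so an assertion error thrown in the spy leaves the promise neither resolved nor rejected and the test will most likely time out instead of reporting the mismatch; wrap them as `try { …assertions…; resolve(); } catch (e) { reject(e); }`. The `bind.withArgs('username')` stub presumably depends on `req.body.username` being `'username'` in the shared fixture, which is set up outside this hunk.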
|
||||||
|
|