Allow per user access control rules

pull/21/head
Clement Michaud 2017-03-25 15:28:57 +01:00
parent 2a73b1a431
commit e310478e6d
3 changed files with 50 additions and 20 deletions


@ -50,6 +50,9 @@ access_control:
- group: dev - group: dev
allowed_domains: allowed_domains:
- secret2.test.local - secret2.test.local
- user: harry
allowed_domains:
- secret1.test.local
# Configuration of session cookies # Configuration of session cookies


@ -5,13 +5,17 @@ var exceptions = require('../exceptions');
var objectPath = require('object-path'); var objectPath = require('object-path');
var Promise = require('bluebird'); var Promise = require('bluebird');
function get_allowed_domains(access_control, groups) { function get_allowed_domains(access_control, username, groups) {
var allowed_domains = []; var allowed_domains = [];
for(var i = 0; i<access_control.length; ++i) { for(var i = 0; i<access_control.length; ++i) {
var rule = access_control[i]; var rule = access_control[i];
if('group' in rule && 'allowed_domains' in rule) { if('allowed_domains' in rule) {
if(groups.indexOf(rule['group']) >= 0) { if('group' in rule && groups.indexOf(rule['group']) >= 0) {
var domains = rule.allowed_domains;
allowed_domains = allowed_domains.concat(domains);
}
else if('user' in rule && username == rule['user']) {
var domains = rule.allowed_domains; var domains = rule.allowed_domains;
allowed_domains = allowed_domains.concat(domains); allowed_domains = allowed_domains.concat(domains);
} }
@ -58,7 +62,8 @@ function first_factor(req, res) {
objectPath.set(req, 'session.auth_session.email', emails[0]); objectPath.set(req, 'session.auth_session.email', emails[0]);
if(config.access_control) { if(config.access_control) {
var allowed_domains = get_allowed_domains(config.access_control, groups); var allowed_domains = get_allowed_domains(config.access_control,
username, groups);
logger.debug('1st factor: allowed domains are %s', allowed_domains); logger.debug('1st factor: allowed domains are %s', allowed_domains);
objectPath.set(req, 'session.auth_session.allowed_domains', objectPath.set(req, 'session.auth_session.allowed_domains',
allowed_domains); allowed_domains);
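Review bot: In the first hunk the new per-user branch compares with loose equality, `else if('user' in rule && username == rule['user']) {`; `rule['user']` comes from the config file and `username` from the login flow, so strict equality should be used as the group branch already effectively does via `indexOf`, i.e. `else if('user' in rule && username === rule['user']) {`. The two branches are otherwise identical copies (`var domains` is even declared twice in the same function scope), so the group and user matches can be folded into a single condition as sketched below. The match is also exact and case-sensitive, whereas LDAP directories commonly treat usernames case-insensitively; if that holds here, someone who binds as `Harry` would not receive the domains of a `user: harry` rule (fails closed, but a comment such as `// user rules match the login name exactly (case-sensitive)` would spare the next reader a surprise). Where `username` is assigned in first_factor lies outside the second hunk, and get_allowed_domains's loop close and return continue past the end of the first hunk.

```javascript
function get_allowed_domains(access_control, username, groups) {
  // … unchanged: allowed_domains initialisation and for-loop header …
    if('allowed_domains' in rule) {
      var group_matches = 'group' in rule && groups.indexOf(rule['group']) >= 0;
      var user_matches = 'user' in rule && username === rule['user'];
      if(group_matches || user_matches) {
        allowed_domains = allowed_domains.concat(rule.allowed_domains);
      }
    }
```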


@ -74,7 +74,8 @@ describe('test the first factor validation route', function() {
}); });
}); });
it('should store the allowed domains in the auth session', function() { describe('store the allowed domains in the auth session', function() {
it('should store the per group allowed domains', function() {
config.access_control = []; config.access_control = [];
config.access_control.push({ config.access_control.push({
group: 'group1', group: 'group1',
@ -94,6 +95,27 @@ describe('test the first factor validation route', function() {
}); });
}); });
it('should store the per group allowed domains', function() {
config.access_control = [];
config.access_control.push({
user: 'username',
allowed_domains: ['domain1.example.com', 'domain2.example.com']
});
return new Promise(function(resolve, reject) {
res.send = sinon.spy(function(data) {
assert.deepEqual(['domain1.example.com', 'domain2.example.com'],
req.session.auth_session.allowed_domains);
assert.equal(204, res.status.getCall(0).args[0]);
resolve();
});
ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
first_factor(req, res);
});
});
});
it('should retrieve email from LDAP', function(done) { it('should retrieve email from LDAP', function(done) {
res.send = sinon.spy(function(data) { done(); }); res.send = sinon.spy(function(data) { done(); });
ldap_interface_mock.bind.returns(Promise.resolve()); ldap_interface_mock.bind.returns(Promise.resolve());