fix(xo-server-auth-ldap): get name from LDAP record not user input

Fixes vatesfr/xo-web#1655
2019-12-23 10:51:44 +01:00
2 changed files with 32 additions and 10 deletions
--- a/packages/xo-server-auth-ldap/src/index.js
+++ b/packages/xo-server-auth-ldap/src/index.js
@@ -1,7 +1,7 @@
 /* eslint no-throw-literal: 0 */
 import eventToPromise from 'event-to-promise'
-import noop from 'lodash/noop'
+import { find, identity, noop } from 'lodash'
 import { createClient } from 'ldapjs'
 import { escape } from 'ldapjs/lib/filters/escape'
 import { promisify } from 'promise-toolbox'
@@ -25,6 +25,22 @@ const evalFilter = (filter, vars) =>
    return escape(value)
  })
 const makeEvalFormat = format =>
  format === undefined
    ? identity
    : (input, record) =>
        format.replace(VAR_RE, (_, name) => {
          if (name === 'input') {
            return input
          }
          let tmp = find(record.attributes, _ => _.type === name)
          if (tmp !== undefined && (tmp = tmp.vals).length !== 0) {
            return tmp[0]
          }
          throw new Error(`invalid entry ${name}`)
        })
 export const configurationSchema = {
  type: 'object',
@@ -100,6 +116,12 @@ Or something like this if you also want to filter by group:
      type: 'string',
      default: DEFAULTS.filter,
    },
    usernameFormat: {
      description: `
 `.trim(),
      type: 'string',
    },
  },
  required: ['uri', 'base'],
 }
@@ -157,15 +179,10 @@ class AuthLdap {
      }
    }
-    const {
+    this._credentials = conf.bind
-      bind: credentials,
+    this._formatUsername = makeEvalFormat(conf.usernameFormat)
-      base: searchBase,
+    this._searchBase = conf.base
-      filter: searchFilter = DEFAULTS.filter,
+    ;({ filter: this._searchFilter = DEFAULTS.filter } = conf)
    } = conf
    this._credentials = credentials
    this._searchBase = searchBase
    this._searchFilter = searchFilter
  }
  load() {
@@ -242,6 +259,9 @@ class AuthLdap {
        try {
          logger(`attempting to bind as ${entry.objectName}`)
          await bind(entry.objectName, password)
          username = this._formatUsername(username, entry)
          logger(
            `successfully bound as ${entry.objectName} => ${username} authenticated`
          )
--- a/packages/xo-server-auth-ldap/src/prompt-schema.js
+++ b/packages/xo-server-auth-ldap/src/prompt-schema.js
@@ -157,6 +157,8 @@ const promptByType = {
          defaultValue && defaultValue[name],
          subpath
        )
      } else {
        value[name] = schema.default
      }
    }