chore: convert CAS integration code to typescript (#31492)
Pierre Lehnen
2 years ago
committed by
GitHub
parent
4c2771fd0c
commit
4ff8bb9e48
@ -1,43 +0,0 @@ |
||||
import { Logger } from '@rocket.chat/logger'; |
||||
import { ServiceConfiguration } from 'meteor/service-configuration'; |
||||
|
||||
import { settings } from '../../settings/server'; |
||||
|
||||
export const logger = new Logger('CAS'); |
||||
|
||||
let timer; |
||||
|
||||
async function updateServices(/* record*/) { |
||||
if (typeof timer !== 'undefined') { |
||||
clearTimeout(timer); |
||||
} |
||||
|
||||
timer = setTimeout(async () => { |
||||
const data = { |
||||
// These will pe passed to 'node-cas' as options
|
||||
enabled: settings.get('CAS_enabled'), |
||||
base_url: settings.get('CAS_base_url'), |
||||
login_url: settings.get('CAS_login_url'), |
||||
// Rocketchat Visuals
|
||||
buttonLabelText: settings.get('CAS_button_label_text'), |
||||
buttonLabelColor: settings.get('CAS_button_label_color'), |
||||
buttonColor: settings.get('CAS_button_color'), |
||||
width: settings.get('CAS_popup_width'), |
||||
height: settings.get('CAS_popup_height'), |
||||
autoclose: settings.get('CAS_autoclose'), |
||||
}; |
||||
|
||||
// Either register or deregister the CAS login service based upon its configuration
|
||||
if (data.enabled) { |
||||
logger.info('Enabling CAS login service'); |
||||
await ServiceConfiguration.configurations.upsertAsync({ service: 'cas' }, { $set: data }); |
||||
} else { |
||||
logger.info('Disabling CAS login service'); |
||||
await ServiceConfiguration.configurations.removeAsync({ service: 'cas' }); |
||||
} |
||||
}, 2000); |
||||
} |
||||
|
||||
settings.watchByRegex(/^CAS_.+/, async (key, value) => { |
||||
await updateServices(value); |
||||
}); |
||||
@ -1,272 +0,0 @@ |
||||
import url from 'url'; |
||||
|
||||
import { validate } from '@rocket.chat/cas-validate'; |
||||
import { CredentialTokens, Rooms, Users } from '@rocket.chat/models'; |
||||
import { Accounts } from 'meteor/accounts-base'; |
||||
import { Meteor } from 'meteor/meteor'; |
||||
import { RoutePolicy } from 'meteor/routepolicy'; |
||||
import { WebApp } from 'meteor/webapp'; |
||||
import _ from 'underscore'; |
||||
|
||||
import { createRoom } from '../../lib/server/functions/createRoom'; |
||||
import { _setRealName } from '../../lib/server/functions/setRealName'; |
||||
import { settings } from '../../settings/server'; |
||||
import { logger } from './cas_rocketchat'; |
||||
|
||||
RoutePolicy.declare('/_cas/', 'network'); |
||||
|
||||
const closePopup = function (res) { |
||||
res.writeHead(200, { 'Content-Type': 'text/html' }); |
||||
const content = '<html><head><script>window.close()</script></head></html>'; |
||||
res.end(content, 'utf-8'); |
||||
}; |
||||
|
||||
const casTicket = function (req, token, callback) { |
||||
// get configuration
|
||||
if (!settings.get('CAS_enabled')) { |
||||
logger.error('Got ticket validation request, but CAS is not enabled'); |
||||
callback(); |
||||
} |
||||
|
||||
// get ticket and validate.
|
||||
const parsedUrl = url.parse(req.url, true); |
||||
const ticketId = parsedUrl.query.ticket; |
||||
const baseUrl = settings.get('CAS_base_url'); |
||||
const cas_version = parseFloat(settings.get('CAS_version')); |
||||
const appUrl = Meteor.absoluteUrl().replace(/\/$/, '') + __meteor_runtime_config__.ROOT_URL_PATH_PREFIX; |
||||
logger.debug(`Using CAS_base_url: ${baseUrl}`); |
||||
|
||||
validate( |
||||
{ |
||||
base_url: baseUrl, |
||||
version: cas_version, |
||||
service: `${appUrl}/_cas/${token}`, |
||||
}, |
||||
ticketId, |
||||
async (err, status, username, details) => { |
||||
if (err) { |
||||
logger.error(`error when trying to validate: ${err.message}`); |
||||
} else if (status) { |
||||
logger.info(`Validated user: ${username}`); |
||||
const user_info = { username }; |
||||
|
||||
// CAS 2.0 attributes handling
|
||||
if (details && details.attributes) { |
||||
_.extend(user_info, { attributes: details.attributes }); |
||||
} |
||||
await CredentialTokens.create(token, user_info); |
||||
} else { |
||||
logger.error(`Unable to validate ticket: ${ticketId}`); |
||||
} |
||||
// logger.debug("Received response: " + JSON.stringify(details, null , 4));
|
||||
|
||||
callback(); |
||||
}, |
||||
); |
||||
}; |
||||
|
||||
const middleware = function (req, res, next) { |
||||
// Make sure to catch any exceptions because otherwise we'd crash
|
||||
// the runner
|
||||
try { |
||||
const barePath = req.url.substring(0, req.url.indexOf('?')); |
||||
const splitPath = barePath.split('/'); |
||||
|
||||
// Any non-cas request will continue down the default
|
||||
// middlewares.
|
||||
if (splitPath[1] !== '_cas') { |
||||
next(); |
||||
return; |
||||
} |
||||
|
||||
// get auth token
|
||||
const credentialToken = splitPath[2]; |
||||
if (!credentialToken) { |
||||
closePopup(res); |
||||
return; |
||||
} |
||||
|
||||
// validate ticket
|
||||
casTicket(req, credentialToken, () => { |
||||
closePopup(res); |
||||
}); |
||||
} catch (err) { |
||||
logger.error({ msg: 'Unexpected error', err }); |
||||
closePopup(res); |
||||
} |
||||
}; |
||||
|
||||
// Listen to incoming OAuth http requests
|
||||
WebApp.connectHandlers.use((req, res, next) => { |
||||
middleware(req, res, next); |
||||
}); |
||||
|
||||
/* |
||||
* Register a server-side login handle. |
||||
* It is call after Accounts.callLoginMethod() is call from client. |
||||
* |
||||
*/ |
||||
Accounts.registerLoginHandler('cas', async (options) => { |
||||
if (!options.cas) { |
||||
return undefined; |
||||
} |
||||
|
||||
// TODO: Sync wrapper due to the chain conversion to async models
|
||||
const credentials = await CredentialTokens.findOneNotExpiredById(options.cas.credentialToken); |
||||
if (credentials === undefined) { |
||||
throw new Meteor.Error(Accounts.LoginCancelledError.numericError, 'no matching login attempt found'); |
||||
} |
||||
|
||||
const result = credentials.userInfo; |
||||
const syncUserDataFieldMap = settings.get('CAS_Sync_User_Data_FieldMap').trim(); |
||||
const cas_version = parseFloat(settings.get('CAS_version')); |
||||
const sync_enabled = settings.get('CAS_Sync_User_Data_Enabled'); |
||||
const trustUsername = settings.get('CAS_trust_username'); |
||||
const verified = settings.get('Accounts_Verify_Email_For_External_Accounts'); |
||||
const userCreationEnabled = settings.get('CAS_Creation_User_Enabled'); |
||||
|
||||
// We have these
|
||||
const ext_attrs = { |
||||
username: result.username, |
||||
}; |
||||
|
||||
// We need these
|
||||
const int_attrs = { |
||||
email: undefined, |
||||
name: undefined, |
||||
username: undefined, |
||||
rooms: undefined, |
||||
}; |
||||
|
||||
// Import response attributes
|
||||
if (cas_version >= 2.0) { |
||||
// Clean & import external attributes
|
||||
_.each(result.attributes, (value, ext_name) => { |
||||
if (value) { |
||||
ext_attrs[ext_name] = value[0]; |
||||
} |
||||
}); |
||||
} |
||||
|
||||
// Source internal attributes
|
||||
if (syncUserDataFieldMap) { |
||||
// Our mapping table: key(int_attr) -> value(ext_attr)
|
||||
// Spoken: Source this internal attribute from these external attributes
|
||||
const attr_map = JSON.parse(syncUserDataFieldMap); |
||||
|
||||
_.each(attr_map, (source, int_name) => { |
||||
// Source is our String to interpolate
|
||||
if (source && typeof source.valueOf() === 'string') { |
||||
let replacedValue = source; |
||||
_.each(ext_attrs, (value, ext_name) => { |
||||
replacedValue = replacedValue.replace(`%${ext_name}%`, ext_attrs[ext_name]); |
||||
}); |
||||
|
||||
if (source !== replacedValue) { |
||||
int_attrs[int_name] = replacedValue; |
||||
logger.debug(`Sourced internal attribute: ${int_name} = ${replacedValue}`); |
||||
} else { |
||||
logger.debug(`Sourced internal attribute: ${int_name} skipped.`); |
||||
} |
||||
} |
||||
}); |
||||
} |
||||
|
||||
// Search existing user by its external service id
|
||||
logger.debug(`Looking up user by id: ${result.username}`); |
||||
// First, look for a user that has logged in from CAS with this username before
|
||||
let user = await Users.findOne({ 'services.cas.external_id': result.username }); |
||||
if (!user) { |
||||
// If that user was not found, check if there's any Rocket.Chat user with that username
|
||||
// With this, CAS login will continue to work if the user is renamed on both sides and also if the user is renamed only on Rocket.Chat.
|
||||
// It'll also allow non-CAS users to switch to CAS based login
|
||||
if (trustUsername) { |
||||
const username = new RegExp(`^${result.username}$`, 'i'); |
||||
user = await Users.findOne({ username }); |
||||
if (user) { |
||||
// Update the user's external_id to reflect this new username.
|
||||
await Users.updateOne({ _id: user._id }, { $set: { 'services.cas.external_id': result.username } }); |
||||
} |
||||
} |
||||
} |
||||
|
||||
if (user) { |
||||
logger.debug(`Using existing user for '${result.username}' with id: ${user._id}`); |
||||
if (sync_enabled) { |
||||
logger.debug('Syncing user attributes'); |
||||
// Update name
|
||||
if (int_attrs.name) { |
||||
await _setRealName(user._id, int_attrs.name); |
||||
} |
||||
|
||||
// Update email
|
||||
if (int_attrs.email) { |
||||
await Users.updateOne({ _id: user._id }, { $set: { emails: [{ address: int_attrs.email, verified }] } }); |
||||
} |
||||
} |
||||
} else if (userCreationEnabled) { |
||||
// Define new user
|
||||
const newUser = { |
||||
username: result.username, |
||||
active: true, |
||||
globalRoles: ['user'], |
||||
emails: [], |
||||
services: { |
||||
cas: { |
||||
external_id: result.username, |
||||
version: cas_version, |
||||
attrs: int_attrs, |
||||
}, |
||||
}, |
||||
}; |
||||
|
||||
// Add username
|
||||
if (int_attrs.username) { |
||||
_.extend(newUser, { |
||||
username: int_attrs.username, |
||||
}); |
||||
} |
||||
|
||||
// Add User.name
|
||||
if (int_attrs.name) { |
||||
_.extend(newUser, { |
||||
name: int_attrs.name, |
||||
}); |
||||
} |
||||
|
||||
// Add email
|
||||
if (int_attrs.email) { |
||||
_.extend(newUser, { |
||||
emails: [{ address: int_attrs.email, verified }], |
||||
}); |
||||
} |
||||
|
||||
// Create the user
|
||||
logger.debug(`User "${result.username}" does not exist yet, creating it`); |
||||
const userId = Accounts.insertUserDoc({}, newUser); |
||||
|
||||
// Fetch and use it
|
||||
user = await Users.findOneById(userId); |
||||
logger.debug(`Created new user for '${result.username}' with id: ${user._id}`); |
||||
// logger.debug(JSON.stringify(user, undefined, 4));
|
||||
|
||||
logger.debug(`Joining user to attribute channels: ${int_attrs.rooms}`); |
||||
if (int_attrs.rooms) { |
||||
const roomNames = int_attrs.rooms.split(','); |
||||
for await (const roomName of roomNames) { |
||||
if (roomName) { |
||||
let room = await Rooms.findOneByNameAndType(roomName, 'c'); |
||||
if (!room) { |
||||
room = await createRoom('c', roomName, user); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
} else { |
||||
// Should fail as no user exist and can't be created
|
||||
logger.debug(`User "${result.username}" does not exist yet, will fail as no user creation is enabled`); |
||||
throw new Meteor.Error(Accounts.LoginCancelledError.numericError, 'no matching user account found'); |
||||
} |
||||
|
||||
return { userId: user._id }; |
||||
}); |
||||
@ -1,2 +0,0 @@ |
||||
import './cas_rocketchat'; |
||||
import './cas_server'; |
||||
@ -0,0 +1,35 @@ |
||||
import type { Awaited } from '@rocket.chat/core-typings'; |
||||
import debounce from 'lodash.debounce'; |
||||
import { RoutePolicy } from 'meteor/routepolicy'; |
||||
import { WebApp } from 'meteor/webapp'; |
||||
|
||||
import { settings } from '../../app/settings/server/cached'; |
||||
import { loginHandlerCAS } from '../lib/cas/loginHandler'; |
||||
import { middlewareCAS } from '../lib/cas/middleware'; |
||||
import { updateCasServices } from '../lib/cas/updateCasService'; |
||||
|
||||
const _updateCasServices = debounce(updateCasServices, 2000); |
||||
|
||||
settings.watchByRegex(/^CAS_.+/, async () => { |
||||
await _updateCasServices(); |
||||
}); |
||||
|
||||
RoutePolicy.declare('/_cas/', 'network'); |
||||
|
||||
// Listen to incoming OAuth http requests
|
||||
WebApp.connectHandlers.use((req, res, next) => { |
||||
middlewareCAS(req, res, next); |
||||
}); |
||||
|
||||
/* |
||||
* Register a server-side login handler. |
||||
* It is called after Accounts.callLoginMethod() is called from client. |
||||
* |
||||
*/ |
||||
Accounts.registerLoginHandler('cas', (options) => { |
||||
const promise = loginHandlerCAS(options); |
||||
|
||||
// Pretend the promise has been awaited so the types will match -
|
||||
// #TODO: Fix registerLoginHandler's type definitions (it accepts promises)
|
||||
return promise as unknown as Awaited<typeof promise>; |
||||
}); |
||||
@ -0,0 +1,63 @@ |
||||
import type { IUser } from '@rocket.chat/core-typings'; |
||||
import { Rooms, Users } from '@rocket.chat/models'; |
||||
import { pick } from '@rocket.chat/tools'; |
||||
import { Accounts } from 'meteor/accounts-base'; |
||||
|
||||
import { createRoom } from '../../../app/lib/server/functions/createRoom'; |
||||
import { logger } from './logger'; |
||||
|
||||
type CASUserOptions = { |
||||
attributes: Record<string, string | undefined>; |
||||
casVersion: number; |
||||
flagEmailAsVerified: boolean; |
||||
}; |
||||
|
||||
export const createNewUser = async (username: string, { attributes, casVersion, flagEmailAsVerified }: CASUserOptions): Promise<IUser> => { |
||||
// Define new user
|
||||
const newUser = { |
||||
username: attributes.username || username, |
||||
active: true, |
||||
globalRoles: ['user'], |
||||
emails: [attributes.email] |
||||
.filter((e) => e) |
||||
.map((address) => ({ |
||||
address, |
||||
verified: flagEmailAsVerified, |
||||
})), |
||||
services: { |
||||
cas: { |
||||
external_id: username, |
||||
version: casVersion, |
||||
attrs: attributes, |
||||
}, |
||||
}, |
||||
...pick(attributes, 'name'), |
||||
}; |
||||
|
||||
// Create the user
|
||||
logger.debug(`User "${username}" does not exist yet, creating it`); |
||||
const userId = Accounts.insertUserDoc({}, newUser); |
||||
|
||||
// Fetch and use it
|
||||
const user = await Users.findOneById(userId); |
||||
if (!user) { |
||||
throw new Error('Unexpected error: Unable to find user after its creation.'); |
||||
} |
||||
|
||||
logger.debug(`Created new user for '${username}' with id: ${user._id}`); |
||||
|
||||
logger.debug(`Joining user to attribute channels: ${attributes.rooms}`); |
||||
if (attributes.rooms) { |
||||
const roomNames = attributes.rooms.split(','); |
||||
for await (const roomName of roomNames) { |
||||
if (roomName) { |
||||
let room = await Rooms.findOneByNameAndType(roomName, 'c'); |
||||
if (!room) { |
||||
room = await createRoom('c', roomName, user); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
|
||||
return user; |
||||
}; |
||||
@ -0,0 +1,27 @@ |
||||
import type { IUser } from '@rocket.chat/core-typings'; |
||||
import { Users } from '@rocket.chat/models'; |
||||
|
||||
import { settings } from '../../../app/settings/server'; |
||||
|
||||
export const findExistingCASUser = async (username: string): Promise<IUser | undefined> => { |
||||
const casUser = await Users.findOne({ 'services.cas.external_id': username }); |
||||
if (casUser) { |
||||
return casUser; |
||||
} |
||||
|
||||
if (!settings.get<boolean>('CAS_trust_username')) { |
||||
return; |
||||
} |
||||
|
||||
// If that user was not found, check if there's any Rocket.Chat user with that username
|
||||
// With this, CAS login will continue to work if the user is renamed on both sides and also if the user is renamed only on Rocket.Chat.
|
||||
// It'll also allow non-CAS users to switch to CAS based login
|
||||
// #TODO: Remove regex based search
|
||||
const regex = new RegExp(`^${username}$`, 'i'); |
||||
const user = await Users.findOne({ regex }); |
||||
if (user) { |
||||
// Update the user's external_id to reflect this new username.
|
||||
await Users.updateOne({ _id: user._id }, { $set: { 'services.cas.external_id': username } }); |
||||
return user; |
||||
} |
||||
}; |
||||
@ -0,0 +1,3 @@ |
||||
import { Logger } from '@rocket.chat/logger'; |
||||
|
||||
export const logger = new Logger('CAS'); |
||||
@ -0,0 +1,121 @@ |
||||
import { CredentialTokens, Users } from '@rocket.chat/models'; |
||||
import { getObjectKeys, wrapExceptions } from '@rocket.chat/tools'; |
||||
import { Accounts } from 'meteor/accounts-base'; |
||||
|
||||
import { _setRealName } from '../../../app/lib/server/functions/setRealName'; |
||||
import { settings } from '../../../app/settings/server'; |
||||
import { createNewUser } from './createNewUser'; |
||||
import { findExistingCASUser } from './findExistingCASUser'; |
||||
import { logger } from './logger'; |
||||
|
||||
export const loginHandlerCAS = async (options: any): Promise<undefined | Accounts.LoginMethodResult> => { |
||||
if (!options.cas) { |
||||
return undefined; |
||||
} |
||||
|
||||
// TODO: Sync wrapper due to the chain conversion to async models
|
||||
const credentials = await CredentialTokens.findOneNotExpiredById(options.cas.credentialToken); |
||||
if (credentials === undefined || credentials === null) { |
||||
throw new Meteor.Error(Accounts.LoginCancelledError.numericError, 'no matching login attempt found'); |
||||
} |
||||
|
||||
const result = credentials.userInfo; |
||||
const syncUserDataFieldMap = settings.get<string>('CAS_Sync_User_Data_FieldMap').trim(); |
||||
const casVersion = parseFloat(settings.get('CAS_version') ?? '1.0'); |
||||
const syncEnabled = settings.get('CAS_Sync_User_Data_Enabled'); |
||||
const flagEmailAsVerified = settings.get<boolean>('Accounts_Verify_Email_For_External_Accounts'); |
||||
const userCreationEnabled = settings.get('CAS_Creation_User_Enabled'); |
||||
|
||||
const { username, attributes: credentialsAttributes } = result as { username: string; attributes: Record<string, string[]> }; |
||||
|
||||
// We have these
|
||||
const externalAttributes: Record<string, string> = { |
||||
username, |
||||
}; |
||||
|
||||
// We need these
|
||||
const internalAttributes: Record<string, string | undefined> = { |
||||
email: undefined, |
||||
name: undefined, |
||||
username: undefined, |
||||
rooms: undefined, |
||||
}; |
||||
|
||||
// Import response attributes
|
||||
if (casVersion >= 2.0) { |
||||
// Clean & import external attributes
|
||||
for await (const [externalName, value] of Object.entries(credentialsAttributes)) { |
||||
if (value) { |
||||
externalAttributes[externalName] = value[0]; |
||||
} |
||||
} |
||||
} |
||||
|
||||
// Source internal attributes
|
||||
if (syncUserDataFieldMap) { |
||||
// Our mapping table: key(int_attr) -> value(ext_attr)
|
||||
// Spoken: Source this internal attribute from these external attributes
|
||||
const attributeMap = wrapExceptions(() => JSON.parse(syncUserDataFieldMap) as Record<string, any>).catch((err) => { |
||||
logger.error({ msg: 'Invalid JSON for attribute mapping', err }); |
||||
throw err; |
||||
}); |
||||
|
||||
for await (const [internalName, source] of Object.entries(attributeMap)) { |
||||
if (!source || typeof source.valueOf() !== 'string') { |
||||
continue; |
||||
} |
||||
|
||||
let replacedValue = source as string; |
||||
for await (const externalName of getObjectKeys(externalAttributes)) { |
||||
replacedValue = replacedValue.replace(`%${externalName}%`, externalAttributes[externalName]); |
||||
} |
||||
|
||||
if (source !== replacedValue) { |
||||
internalAttributes[internalName] = replacedValue; |
||||
logger.debug(`Sourced internal attribute: ${internalName} = ${replacedValue}`); |
||||
} else { |
||||
logger.debug(`Sourced internal attribute: ${internalName} skipped.`); |
||||
} |
||||
} |
||||
} |
||||
|
||||
// Search existing user by its external service id
|
||||
logger.debug(`Looking up user by id: ${username}`); |
||||
// First, look for a user that has logged in from CAS with this username before
|
||||
const user = await findExistingCASUser(username); |
||||
|
||||
if (user) { |
||||
logger.debug(`Using existing user for '${username}' with id: ${user._id}`); |
||||
if (syncEnabled) { |
||||
logger.debug('Syncing user attributes'); |
||||
// Update name
|
||||
if (internalAttributes.name) { |
||||
await _setRealName(user._id, internalAttributes.name); |
||||
} |
||||
|
||||
// Update email
|
||||
if (internalAttributes.email) { |
||||
await Users.updateOne( |
||||
{ _id: user._id }, |
||||
{ $set: { emails: [{ address: internalAttributes.email, verified: flagEmailAsVerified }] } }, |
||||
); |
||||
} |
||||
} |
||||
|
||||
return { userId: user._id }; |
||||
} |
||||
|
||||
if (!userCreationEnabled) { |
||||
// Should fail as no user exist and can't be created
|
||||
logger.debug(`User "${username}" does not exist yet, will fail as no user creation is enabled`); |
||||
throw new Meteor.Error(Accounts.LoginCancelledError.numericError, 'no matching user account found'); |
||||
} |
||||
|
||||
const newUser = await createNewUser(username, { |
||||
attributes: internalAttributes, |
||||
casVersion, |
||||
flagEmailAsVerified, |
||||
}); |
||||
|
||||
return { userId: newUser._id }; |
||||
}; |
||||
@ -0,0 +1,97 @@ |
||||
import type { IncomingMessage, ServerResponse } from 'http'; |
||||
import url from 'url'; |
||||
|
||||
import { validate } from '@rocket.chat/cas-validate'; |
||||
import type { ICredentialToken } from '@rocket.chat/core-typings'; |
||||
import { CredentialTokens } from '@rocket.chat/models'; |
||||
import _ from 'underscore'; |
||||
|
||||
import { settings } from '../../../app/settings/server'; |
||||
import { logger } from './logger'; |
||||
|
||||
const closePopup = function (res: ServerResponse): void { |
||||
res.writeHead(200, { 'Content-Type': 'text/html' }); |
||||
const content = '<html><head><script>window.close()</script></head></html>'; |
||||
res.end(content, 'utf-8'); |
||||
}; |
||||
|
||||
type IncomingMessageWithUrl = IncomingMessage & Required<Pick<IncomingMessage, 'url'>>; |
||||
|
||||
const casTicket = function (req: IncomingMessageWithUrl, token: string, callback: () => void): void { |
||||
// get configuration
|
||||
if (!settings.get('CAS_enabled')) { |
||||
logger.error('Got ticket validation request, but CAS is not enabled'); |
||||
callback(); |
||||
} |
||||
|
||||
// get ticket and validate.
|
||||
const parsedUrl = url.parse(req.url, true); |
||||
const ticketId = parsedUrl.query.ticket as string; |
||||
const baseUrl = settings.get<string>('CAS_base_url'); |
||||
const version = parseFloat(settings.get('CAS_version') ?? '1.0') as 1.0 | 2.0; |
||||
const appUrl = Meteor.absoluteUrl().replace(/\/$/, '') + __meteor_runtime_config__.ROOT_URL_PATH_PREFIX; |
||||
logger.debug(`Using CAS_base_url: ${baseUrl}`); |
||||
|
||||
validate( |
||||
{ |
||||
base_url: baseUrl, |
||||
version, |
||||
service: `${appUrl}/_cas/${token}`, |
||||
}, |
||||
ticketId, |
||||
async (err, status, username, details) => { |
||||
if (err) { |
||||
logger.error(`error when trying to validate: ${err.message}`); |
||||
} else if (status) { |
||||
logger.info(`Validated user: ${username}`); |
||||
const userInfo: Partial<ICredentialToken['userInfo']> = { username: username as string }; |
||||
|
||||
// CAS 2.0 attributes handling
|
||||
if (details?.attributes) { |
||||
_.extend(userInfo, { attributes: details.attributes }); |
||||
} |
||||
await CredentialTokens.create(token, userInfo); |
||||
} else { |
||||
logger.error(`Unable to validate ticket: ${ticketId}`); |
||||
} |
||||
// logger.debug("Received response: " + JSON.stringify(details, null , 4));
|
||||
|
||||
callback(); |
||||
}, |
||||
); |
||||
}; |
||||
|
||||
export const middlewareCAS = function (req: IncomingMessage, res: ServerResponse, next: (err?: any) => void) { |
||||
// Make sure to catch any exceptions because otherwise we'd crash
|
||||
// the runner
|
||||
try { |
||||
if (!req.url) { |
||||
throw new Error('Invalid request url'); |
||||
} |
||||
|
||||
const barePath = req.url.substring(0, req.url.indexOf('?')); |
||||
const splitPath = barePath.split('/'); |
||||
|
||||
// Any non-cas request will continue down the default
|
||||
// middlewares.
|
||||
if (splitPath[1] !== '_cas') { |
||||
next(); |
||||
return; |
||||
} |
||||
|
||||
// get auth token
|
||||
const credentialToken = splitPath[2]; |
||||
if (!credentialToken) { |
||||
closePopup(res); |
||||
return; |
||||
} |
||||
|
||||
// validate ticket
|
||||
casTicket(req as IncomingMessageWithUrl, credentialToken, () => { |
||||
closePopup(res); |
||||
}); |
||||
} catch (err) { |
||||
logger.error({ msg: 'Unexpected error', err }); |
||||
closePopup(res); |
||||
} |
||||
}; |
||||
@ -0,0 +1,30 @@ |
||||
import type { LoginServiceConfiguration } from '@rocket.chat/core-typings'; |
||||
import { ServiceConfiguration } from 'meteor/service-configuration'; |
||||
|
||||
import { settings } from '../../../app/settings/server/cached'; |
||||
import { logger } from './logger'; |
||||
|
||||
export async function updateCasServices(): Promise<void> { |
||||
const data: Partial<LoginServiceConfiguration> = { |
||||
// These will pe passed to 'node-cas' as options
|
||||
enabled: settings.get('CAS_enabled'), |
||||
base_url: settings.get('CAS_base_url'), |
||||
login_url: settings.get('CAS_login_url'), |
||||
// Rocketchat Visuals
|
||||
buttonLabelText: settings.get('CAS_button_label_text'), |
||||
buttonLabelColor: settings.get('CAS_button_label_color'), |
||||
buttonColor: settings.get('CAS_button_color'), |
||||
width: settings.get('CAS_popup_width'), |
||||
height: settings.get('CAS_popup_height'), |
||||
autoclose: settings.get('CAS_autoclose'), |
||||
}; |
||||
|
||||
// Either register or deregister the CAS login service based upon its configuration
|
||||
if (data.enabled) { |
||||
logger.info('Enabling CAS login service'); |
||||
await ServiceConfiguration.configurations.upsertAsync({ service: 'cas' }, { $set: data }); |
||||
} else { |
||||
logger.info('Disabling CAS login service'); |
||||
await ServiceConfiguration.configurations.removeAsync({ service: 'cas' }); |
||||
} |
||||
} |
||||
@ -0,0 +1 @@ |
||||
export const getObjectKeys = <T extends object>(object: T) => Object.keys(object) as (keyof T)[]; |
||||
Loading…
Reference in new issue