Add a JWT-based LDAP/AD authenticator.

2025-10-05 02:29:26 +02:00 · 2014-01-23 22:51:46 +09:00 · 2014-01-23 22:51:46 +09:00 · 697e552ef0
commit 697e552ef0
parent 11ad1ffc38
6 changed files with 342 additions and 1 deletions
--- a/lib/util/jwtutil.js
+++ b/lib/util/jwtutil.js
@ -0,0 +1,33 @@
+var assert = require('assert')
+var jws = require('jws')
+
+module.exports.encode = function(options) {
+  assert.ok(options.payload, 'payload required')
+  assert.ok(options.secret, 'secret required')
+
+  return jws.sign({
+    header: {
+      alg: 'HS256'
+    , exp: Date.now() + 24 * 3600
+    }
+  , payload: options.payload
+  , secret: options.secret
+  })
+}
+
+module.exports.decode = function(payload, secret) {
+  if (!jws.verify(payload, secret)) {
+    return null
+  }
+
+  var decoded = jws.decode(payload, {
+        json: true
+      })
+    , exp = decoded.header.exp
+
+  if (exp && exp <= Date.now()) {
+    return null
+  }
+
+  return decoded.payload
+}
--- a/lib/util/ldaputil.js
+++ b/lib/util/ldaputil.js
@ -0,0 +1,111 @@
+var util = require('util')
+
+var ldap = require('ldapjs')
+var Promise = require('bluebird')
+
+function InvalidCredentialsError(user) {
+  Error.call(this, util.format('Invalid credentials for user "%s"', user))
+  this.name = 'InvalidCredentialsError'
+  this.user = user
+  Error.captureStackTrace(this, InvalidCredentialsError)
+}
+
+util.inherits(InvalidCredentialsError, Error)
+
+// Export
+module.exports.InvalidCredentialsError = InvalidCredentialsError
+
+// Export
+module.exports.login = function(options, username, password) {
+  function tryConnect() {
+    var resolver = Promise.defer()
+      , client = ldap.createClient({
+          url: options.url
+        , timeout: options.timeout
+        , maxConnections: 1
+        })
+
+    client.bind(options.bind.dn, options.bind.credentials, function(err) {
+      if (err) {
+        resolver.reject(err)
+      }
+      else {
+        resolver.resolve(client)
+      }
+    })
+
+    return resolver.promise
+  }
+
+  function tryFind(client) {
+    var resolver = Promise.defer()
+      , query = {
+          scope: options.search.scope
+        , filter: new ldap.AndFilter({
+            filters: [
+              new ldap.EqualityFilter({
+                attribute: 'objectClass'
+              , value: options.search.objectClass
+              })
+            , new ldap.EqualityFilter({
+                attribute: options.search.loginField
+              , value: username
+              })
+            ]
+          })
+        }
+
+    client.search(options.search.dn, query, function(err, search) {
+      if (err) {
+        return resolver.reject(err)
+      }
+
+      function entryListener(entry) {
+        resolver.resolve(entry)
+      }
+
+      function endListener() {
+        resolver.reject(new InvalidCredentialsError(username))
+      }
+
+      function errorListener(err) {
+        resolver.reject(err)
+      }
+
+      search.on('searchEntry', entryListener)
+      search.on('end', endListener)
+      search.on('error', errorListener)
+
+      resolver.promise.finally(function() {
+        search.removeListener('searchEntry', entryListener)
+        search.removeListener('end', endListener)
+        search.removeListener('error', errorListener)
+      })
+    })
+
+    return resolver.promise
+  }
+
+  function tryBind(client, entry) {
+    return new Promise(function(resolve, reject) {
+      client.bind(entry.object.dn, password, function(err) {
+        if (err) {
+          reject(new InvalidCredentialsError(username))
+        }
+        else {
+          resolve(entry.object)
+        }
+      })
+    })
+  }
+
+  return tryConnect().then(function(client) {
+    return tryFind(client)
+      .then(function(entry) {
+        return tryBind(client, entry)
+      })
+      .finally(function() {
+        client.unbind()
+      })
+  })
+}
--- a/lib/util/logger.js
+++ b/lib/util/logger.js
@ -11,6 +11,11 @@ function Log(tag, stream) {
  , ERROR: 'ERR'.red
  , FATAL: 'FTL'.red
  }
+  this.localIdentifier = null
+}
+
+Log.prototype.setLocalIdentifier = function(identifier) {
+  this.localIdentifier = identifier
 }

 Log.prototype.debug = function() {
@ -39,7 +44,8 @@ Log.prototype.fatal = function() {

 Log.prototype._format = function(priority, args) {
  return util.format('%s/%s %d [%s] %s',
-    priority, this.tag, process.pid, Log.globalIdentifier,
+    priority, this.tag, process.pid,
+    this.localIdentifier || Log.globalIdentifier,
    util.format.apply(util, args))
 }

--- a/lib/util/requtil.js
+++ b/lib/util/requtil.js
@ -0,0 +1,28 @@
+var util = require('util')
+
+var Promise = require('bluebird')
+
+function ValidationError(message, errors) {
+  Error.call(this, message)
+  this.name = 'ValidationError'
+  this.errors = errors
+  Error.captureStackTrace(this, ValidationError)
+}
+
+util.inherits(ValidationError, Error)
+
+module.exports.ValidationError = ValidationError
+
+module.exports.validate = function(req, rules) {
+  return new Promise(function(resolve, reject) {
+    rules()
+
+    var errors = req.validationErrors()
+    if (!errors) {
+      resolve()
+    }
+    else {
+      reject(new ValidationError('validation error', errors))
+    }
+  })
+}