Posted to commits@helix.apache.org by hu...@apache.org on 2019/05/22 23:41:34 UTC

[helix] 09/14: Add adminGroup check for write operations

This is an automated email from the ASF dual-hosted git repository.

hulee pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/helix.git

commit 241baae6831e08eb2807f01fbf670c00b154dbbb
Author: Yi Wang <yw...@linkedin.com>
AuthorDate: Fri Mar 8 15:28:35 2019 -0800

    Add adminGroup check for write operations
    
    ACLOVERRIDE
    RB=1590175
    BUG=HELIX-1682
    G=helix-reviewers
    A=jxue
    
    Signed-off-by: Hunter Lee <hu...@linkedin.com>
---
 helix-front/client/app/app.component.ts |  8 +++---
 helix-front/server/config.ts            |  7 ++----
 helix-front/server/controllers/user.ts  | 44 ++++++++++++++++++++++-----------
 3 files changed, 37 insertions(+), 22 deletions(-)

diff --git a/helix-front/client/app/app.component.ts b/helix-front/client/app/app.component.ts
index 06f7f5e..4c691ae 100644
--- a/helix-front/client/app/app.component.ts
+++ b/helix-front/client/app/app.component.ts
@@ -14,6 +14,7 @@ import { Angulartics2Piwik } from 'angulartics2';
 import { UserService } from './core/user.service';
 import { InputDialogComponent } from './shared/dialog/input-dialog/input-dialog.component';
 import { HelperService } from './shared/helper.service';
+import {LDAP} from "../../server/config";
 
 @Component({
   selector: 'hi-root',
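Review bot: The client now imports `../../server/config` on the added line, which pulls the server-side LDAP settings (URI, base DN, principal suffix) into the browser bundle wherever the build follows the import, and couples the client to a server module whose other exports (the `SSL` block visible in the config.ts hunk) are exactly the kind of thing that must never ship to the browser. Have the server hand the client what it needs instead — e.g. return the group name in the login response or from a small config endpoint — and keep `helix-front/client` from reaching into `server/`. The added import also uses double quotes while every neighbouring import uses single quotes, e.g. `import { LDAP } from '../../server/config';` if it has to stay for now.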
@@ -85,10 +86,11 @@ export class AppComponent implements OnInit {
           this.service
             .login(result.username.value, result.password.value)
             .subscribe(
-              isAuthroized => {
-                if (isAuthroized) {
-                  location.reload();
+              isAuthorized => {
+                if (!isAuthorized) {
+                  this.helper.showError("You're not part of " + LDAP.adminGroup + " group or password incorrect");
                 }
+                this.currentUser = this.service.getCurrentUser();
               },
               error => this.helper.showError(error)
             );
diff --git a/helix-front/server/config.ts b/helix-front/server/config.ts
index 1a4265b..35ee27d 100644
--- a/helix-front/server/config.ts
+++ b/helix-front/server/config.ts
@@ -17,9 +17,6 @@ export const SSL = {
 export const LDAP = {
   uri: 'ldap://example.com',
   base: 'DC=example,DC=com',
-  principalSuffix: '@example.com'
+  principalSuffix: '@example.com',
+  adminGroup: 'admin'
 };
-
-export function CheckAdmin(username: string, callback: (boolean) => void) {
-  callback(username === 'root');
-}
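Review bot: `adminGroup` is compared only against the CN of each `memberOf` DN in the user.ts hunk of this commit, so a group named `admin` in any OU grants write access and nested group membership is not resolved; that contract belongs next to the value, e.g. `// CN of the LDAP group whose *direct* members get write access; matched against the first RDN of each memberOf DN only`. This object is also imported by the browser client in this same commit, so a second comment warning that nothing secret may ever be added to `LDAP` would save a future maintainer from shipping credentials to the client.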
diff --git a/helix-front/server/controllers/user.ts b/helix-front/server/controllers/user.ts
index 980d97c..7727255 100644
--- a/helix-front/server/controllers/user.ts
+++ b/helix-front/server/controllers/user.ts
@@ -1,9 +1,7 @@
-import { Request, Response, Router } from 'express';
-
-import * as request from 'request';
+import {Request, Response, Router} from 'express';
 import * as LdapClient from 'ldapjs';
 
-import { LDAP, CheckAdmin } from '../config';
+import {LDAP} from '../config';
 
 export class UserCtrl {
 
@@ -34,10 +32,10 @@ export class UserCtrl {
     res.json(req.session.isAdmin ? true : false);
   }
 
-  protected login(req: Request, res: Response) {
-    const credential = req.body;
+  protected login(request: Request, response: Response) {
+    const credential = request.body;
     if (!credential.username || !credential.password) {
-      res.status(401).json(false);
+      response.status(401).json(false);
       return;
     }
 
@@ -45,16 +43,34 @@ export class UserCtrl {
     const ldap = LdapClient.createClient({ url: LDAP.uri });
     ldap.bind(credential.username + LDAP.principalSuffix, credential.password, err => {
       if (err) {
-        res.status(401).json(false);
+        response.status(401).json(false);
       } else {
-        // authroized
-        req.session.username = credential.username;
-        CheckAdmin(req.session.username, (isAdmin: boolean) => {
-          req.session.isAdmin = isAdmin;
-          res.json(true);
+        // login success
+        let opts = {
+          filter: '(&(sAMAccountName=' + credential.username + ')(objectcategory=person))',
+          scope: 'sub'
+        };
+
+        ldap.search(LDAP.base, opts, function(err, result) {
+          var isInAdminGroup = false;
+          result.on('searchEntry', function (entry) {
+            if (entry.object && !err) {
+              let groups = entry.object["memberOf"];
+              for (var group of groups) {
+                const groupName = group.split(",", 1)[0].split("=")[1];
+                if (groupName == LDAP.adminGroup) {
+                  isInAdminGroup = true;
+                  break;
+                }
+              }
+            }
+
+            request.session.username = credential.username;
+            request.session.isAdmin = isInAdminGroup;
+            response.json(isInAdminGroup);
+          });
         });
       }
     });
   }
-
 }
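Review bot: `credential.username` comes straight from the request body and is spliced unescaped into the LDAP filter string; a value containing `*`, `(`, `)` or `\` changes the search, and the bind a few lines earlier only limits who gets this far, it does not sanitise the value, so escape it per RFC 4515 (or build the filter from ldapjs's filter classes, if the version in use exposes them). The search callback also fails to answer on several paths: when `search` reports an `err` the `result` is presumably undefined and `result.on` throws with no response sent, a user whose entry does not match gets no `searchEntry` event and the request hangs because there is no `'end'`/`'error'` handler, and more than one matching entry calls `response.json` twice. `entry.object["memberOf"]` can be undefined for a user in no groups (and, with ldapjs, is presumably a plain string when there is a single value), so the `for...of` throws or iterates characters; the client is never `unbind()`-ed either, so every login leaks a connection. The sketch below escapes the filter value, tolerates a missing/single `memberOf`, handles `'error'`, answers exactly once on `'end'`, and unbinds in every path; the enclosing `login` method begins in the previous hunk.
```typescript
        // login success
        // RFC 4515 escaping: the username is attacker-controlled request-body input
        const LDAP_FILTER_ESCAPES: Record<string, string> =
          { '\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\0': '\\00' };
        const escapeFilterValue = (v: string) =>
          v.replace(/[\\*()\0]/g, c => LDAP_FILTER_ESCAPES[c]);
        const opts = {
          filter: '(&(sAMAccountName=' + escapeFilterValue(credential.username) + ')(objectcategory=person))',
          scope: 'sub'
        };

        ldap.search(LDAP.base, opts, function(err, result) {
          if (err) {
            ldap.unbind();
            response.status(500).json(false);
            return;
          }
          let isInAdminGroup = false;
          result.on('searchEntry', function (entry) {
            // memberOf may be absent, a single string, or an array depending on the entry
            const raw = entry.object && entry.object['memberOf'];
            const groups: string[] = raw == null ? [] : [].concat(raw);
            // … unchanged: CN comparison of each group against LDAP.adminGroup sets isInAdminGroup …
          });
          result.on('error', function () {
            ldap.unbind();
            response.status(500).json(false);
          });
          // Answer exactly once, after the search completes, so a user with no matching entry does not hang
          result.on('end', function () {
            ldap.unbind();
            request.session.username = credential.username;
            request.session.isAdmin = isInAdminGroup;
            response.json(isInAdminGroup);
          });
        });
```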