Posted to commits@helix.apache.org by hu...@apache.org on 2019/05/22 23:41:34 UTC
[helix] 09/14: Add adminGroup check for write operations
This is an automated email from the ASF dual-hosted git repository.
hulee pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/helix.git
commit 241baae6831e08eb2807f01fbf670c00b154dbbb
Author: Yi Wang <yw...@linkedin.com>
AuthorDate: Fri Mar 8 15:28:35 2019 -0800
Add adminGroup check for write operations
ACLOVERRIDE
RB=1590175
BUG=HELIX-1682
G=helix-reviewers
A=jxue
Signed-off-by: Hunter Lee <hu...@linkedin.com>
---
helix-front/client/app/app.component.ts | 8 +++---
helix-front/server/config.ts | 7 ++----
helix-front/server/controllers/user.ts | 44 ++++++++++++++++++++++-----------
3 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/helix-front/client/app/app.component.ts b/helix-front/client/app/app.component.ts
index 06f7f5e..4c691ae 100644
--- a/helix-front/client/app/app.component.ts
+++ b/helix-front/client/app/app.component.ts
@@ -14,6 +14,7 @@ import { Angulartics2Piwik } from 'angulartics2';
import { UserService } from './core/user.service';
import { InputDialogComponent } from './shared/dialog/input-dialog/input-dialog.component';
import { HelperService } from './shared/helper.service';
+import {LDAP} from "../../server/config";
@Component({
selector: 'hi-root',
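Review bot: The new `import {LDAP} from "../../server/config"` reaches from the browser app into the server-side config module, so whatever that module exports — the `SSL` block visible in the config.ts hunk header, the LDAP `uri` and `base` — ends up in the client bundle, although the next hunk only needs `adminGroup` for an error message. Consider exposing the group name through the existing user endpoint or a client-side constant instead of bundling server configuration. The line also breaks the file's import style (double quotes, no brace spacing); if the import stays it should read `import { LDAP } from '../../server/config';`.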
@@ -85,10 +86,11 @@ export class AppComponent implements OnInit {
this.service
.login(result.username.value, result.password.value)
.subscribe(
- isAuthroized => {
- if (isAuthroized) {
- location.reload();
+ isAuthorized => {
+ if (!isAuthorized) {
+ this.helper.showError("You're not part of " + LDAP.adminGroup + " group or password incorrect");
}
+ this.currentUser = this.service.getCurrentUser();
},
error => this.helper.showError(error)
);
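Review bot: The message on the `!isAuthorized` branch says "or password incorrect", but judging from the user.ts hunk in this commit a failed bind answers 401, which lands in the `error => this.helper.showError(error)` callback below, so this branch is only reached after a successful bind by a user outside the admin group. Suggest `this.helper.showError("You're not part of " + LDAP.adminGroup + " group");` so the two outcomes are not conflated for the user. `this.currentUser = this.service.getCurrentUser();` now runs on both outcomes; if getCurrentUser depends on session state, confirm it yields the intended value for a non-admin login. The enclosing subscribe call and the surrounding method continue outside the hunk.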
diff --git a/helix-front/server/config.ts b/helix-front/server/config.ts
index 1a4265b..35ee27d 100644
--- a/helix-front/server/config.ts
+++ b/helix-front/server/config.ts
@@ -17,9 +17,6 @@ export const SSL = {
export const LDAP = {
uri: 'ldap://example.com',
base: 'DC=example,DC=com',
- principalSuffix: '@example.com'
+ principalSuffix: '@example.com',
+ adminGroup: 'admin'
};
-
-export function CheckAdmin(username: string, callback: (boolean) => void) {
- callback(username === 'root');
-}
diff --git a/helix-front/server/controllers/user.ts b/helix-front/server/controllers/user.ts
index 980d97c..7727255 100644
--- a/helix-front/server/controllers/user.ts
+++ b/helix-front/server/controllers/user.ts
@@ -1,9 +1,7 @@
-import { Request, Response, Router } from 'express';
-
-import * as request from 'request';
+import {Request, Response, Router} from 'express';
import * as LdapClient from 'ldapjs';
-import { LDAP, CheckAdmin } from '../config';
+import {LDAP} from '../config';
export class UserCtrl {
@@ -34,10 +32,10 @@ export class UserCtrl {
res.json(req.session.isAdmin ? true : false);
}
- protected login(req: Request, res: Response) {
- const credential = req.body;
+ protected login(request: Request, response: Response) {
+ const credential = request.body;
if (!credential.username || !credential.password) {
- res.status(401).json(false);
+ response.status(401).json(false);
return;
}
@@ -45,16 +43,34 @@ export class UserCtrl {
const ldap = LdapClient.createClient({ url: LDAP.uri });
ldap.bind(credential.username + LDAP.principalSuffix, credential.password, err => {
if (err) {
- res.status(401).json(false);
+ response.status(401).json(false);
} else {
- // authroized
- req.session.username = credential.username;
- CheckAdmin(req.session.username, (isAdmin: boolean) => {
- req.session.isAdmin = isAdmin;
- res.json(true);
+ // login success
+ let opts = {
+ filter: '(&(sAMAccountName=' + credential.username + ')(objectcategory=person))',
+ scope: 'sub'
+ };
+
+ ldap.search(LDAP.base, opts, function(err, result) {
+ var isInAdminGroup = false;
+ result.on('searchEntry', function (entry) {
+ if (entry.object && !err) {
+ let groups = entry.object["memberOf"];
+ for (var group of groups) {
+ const groupName = group.split(",", 1)[0].split("=")[1];
+ if (groupName == LDAP.adminGroup) {
+ isInAdminGroup = true;
+ break;
+ }
+ }
+ }
+
+ request.session.username = credential.username;
+ request.session.isAdmin = isInAdminGroup;
+ response.json(isInAdminGroup);
+ });
});
}
});
}
-
}
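Review bot: The `filter:` line builds the LDAP search filter by concatenating `credential.username` straight from the request body, so filter metacharacters (`*`, `(`, `)`, `\`) reach the directory unescaped; the value should be escaped per RFC 4515 before it is interpolated (or the filter built from ldapjs filter objects, if the installed version provides them). The search callback also has paths that never answer or answer twice: when `err` is set, `result` is unset and `result.on` throws; a user that produces no `searchEntry` (or an `error` event) never gets a response; several matching entries call `response.json` once each; and a user whose `memberOf` attribute is absent makes the `for…of` throw, while a single-valued attribute, if ldapjs returns it as a string, is iterated character by character. The rewrite below escapes the value, answers exactly once on `end`, handles `error`, normalises `memberOf` to an array, tightens `==` to `===`, and unbinds the client, which neither the old nor the new code does. `login` starts in the previous hunk.
```typescript
        // login success: look up the user's groups, escaping RFC 4515 metacharacters
        const safeUsername = String(credential.username)
          .replace(/[\\*()\u0000]/g, c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
        const opts = {
          filter: '(&(sAMAccountName=' + safeUsername + ')(objectcategory=person))',
          scope: 'sub'
        };

        ldap.search(LDAP.base, opts, (searchErr, result) => {
          if (searchErr) {
            ldap.unbind();
            response.status(500).json(false);
            return;
          }
          let isInAdminGroup = false;
          result.on('searchEntry', entry => {
            const memberOf = entry.object['memberOf'];
            const groups: string[] = Array.isArray(memberOf) ? memberOf : memberOf ? [memberOf] : [];
            for (const group of groups) {
              const groupName = group.split(',', 1)[0].split('=')[1];
              if (groupName === LDAP.adminGroup) {
                isInAdminGroup = true;
                break;
              }
            }
          });
          result.on('error', () => {
            ldap.unbind();
            if (!response.headersSent) {
              response.status(500).json(false);
            }
          });
          result.on('end', () => {
            ldap.unbind();
            if (response.headersSent) {
              return;
            }
            request.session.username = credential.username;
            request.session.isAdmin = isInAdminGroup;
            response.json(isInAdminGroup);
          });
        });
```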