freenetdigital · CoolDuke · Jul 23, 2018 · Jul 23, 2018 · Jul 23, 2018 · Jul 23, 2018
diff --git a/src/api/userAuthentication.js b/src/api/userAuthentication.js
@@ -86,7 +86,8 @@ export default class UserAuthentication {
         this.mapping.getLdapAttributes()
       );
 
-      let data = this.mapping.ldapToKubernetes(user);
+      let data = await this.mapping.ldapToKubernetes(user);
+
       let token = jwt.sign(data, this.key, {
         expiresIn: this.tokenLifetime,
       });

diff --git a/src/app.js b/src/app.js
@@ -19,28 +19,34 @@ let ldapClient = new Client(
     reconnect: {
       initialDelay: config.ldap.reconnectInitialDelay,
       maxDelay: config.ldap.reconnectMaxDelay,
-      failAfter: config.ldap.reconnectFailAfter
-    }
+      failAfter: config.ldap.reconnectFailAfter,
+    },
   }),
   config.ldap.baseDn,
   config.ldap.bindDn,
-  config.ldap.bindPw
+  config.ldap.bindPw,
+  logger
 );
+
 let authenticator = new Authenticator(ldapClient, config.ldap.filter, logger);
 
 // setup api dependencies
 let healthz = new Healthz();
+
 let userAuthentication = new UserAuthentication(
   authenticator,
   config.jwt.tokenLifetime,
   config.jwt.key,
   new Mapping(
+    ldapClient,
     config.mapping.username,
     config.mapping.uid,
     config.mapping.groups,
     config.mapping.extraFields,
+    logger
   ),
   logger);
+
 let tokenAuthentication = new TokenAuthentication(config.jwt.key, logger);
 
 // setup express
@@ -53,7 +59,9 @@ app.use(morgan('combined', {
     },
   },
 }));
+
 app.get('/healthz', healthz.run);
+//
 app.get('/auth', userAuthentication.run);
 app.post('/token', bodyParser.json(), tokenAuthentication.run);
 

diff --git a/src/ldap/authenticator.js b/src/ldap/authenticator.js
@@ -21,6 +21,8 @@ export default class Authenticator {
     this.logger = logger;
   }
 
+
+
   /**
   * Authenticate user on ldap.
   * @param {string} username - username to authenticate.
@@ -30,8 +32,10 @@ export default class Authenticator {
   async authenticate(username: string, password: string): Promise<boolean> {
     let filter = util.format(this.filter, username);
     try {
+      // searches for the user supplied in Auth header
       let user = await this.client.search(filter);
-      return await this.client.bind(user.dn, password);
+
+      return await this.client.bind(user[0].dn, password);
     } catch (error) {
       this.logger.info(error.message);
       return false;
@@ -51,14 +55,15 @@ export default class Authenticator {
     let filter = util.format(this.filter, username);
     try {
       let result = await this.client.search(filter, attributes);
-      return Object.keys(result)
-        .filter((attribute) => attributes.includes(attribute))
-        .reduce((object, attribute) => {
+      let user = result[0]
+      return Object.keys(user)
+        .filter((attribute) => attributes.includes(attribute)).reduce((object, attribute) => {
           return {
             ...object,
-            [attribute]: result[attribute],
+            [attribute]: user[attribute],
           };
-        }, {});
+        },
+        {});
     } catch (error) {
       throw error;
     }

diff --git a/src/ldap/client.js b/src/ldap/client.js
@@ -69,6 +69,7 @@ export default class Client {
         reject(new Error('ldap connection not tls protected'));
       }
       let that = this;
+
       this.client.bind(this.binddn, this.bindpw, [], (err, res) => {
         if (err) {
           reject(err);
@@ -84,15 +85,18 @@ export default class Client {
             reject(err);
           }
 
+          var entries = []
           res.on('searchEntry', function(entry) {
-            resolve(entry.object);
+            entries.push(entry.object)
           });
           res.on('error', function(err) {
             reject(err);
           });
           res.on('end', function(result) {
             if (result.status !== 0) {
               reject(result.status);
+            } else {
+              resolve(entries)
             }
             reject(new Error(`no object found with filter [${filter}]`));
           });

diff --git a/src/ldap/mapping.js b/src/ldap/mapping.js
@@ -1,30 +1,41 @@
 // @flow
 import {canonicalizeDn} from '../ldap';
+import {Logger} from 'winston';
+import Client from './client';
+
 
 /** Class for an Kubernetes<=>LDAP attribute mapping */
 class Mapping {
+  client: Client;
   username: string;
   uid: string;
   groups: string;
+  logger: Logger;
   extraFields: Array<string>
 
   /**
   * Create an Kubernetes<=>LDAP attribute mapping.
+  * @param {Client} client - The ldap client.
   * @param {string} username - Attribute name for the kubernetes username.
   * @param {string} uid - Attribute name for the kubernetes uid.
   * @param {string} groups - Attribute name for the kubernetes groups array.
   * @param {Array<string>} extraFields - Array of kubernetes extra attributes
+  * @param {Logger} logger - Logger to use.
   */
   constructor(
+    client: Client,
     username: string,
     uid: string,
     groups: string,
-    extraFields: Array<string>
+    extraFields: Array<string>,
+    logger: Logger
   ) {
+    this.client = client;
     this.username = username;
     this.uid = uid;
     this.groups = groups;
     this.extraFields = extraFields;
+    this.logger = logger;
   }
 
   /**
@@ -36,20 +47,54 @@ class Mapping {
     return attributes.concat(this.extraFields);
   }
 
+  /**
+  *
+  *
+  */
+  recurseNestedGroups(groups: Array<string>) {
+    for (let group in groups) {
+      console.log(group);
+    }
+  }
+
   /**
   * Convert ldap object to kubernetes
   * @param {Object} ldapObject - Ldap object to convert
   * @return {Ôbject}
   */
-  ldapToKubernetes(ldapObject: Object): Object {
-    let object = {
-      username: ldapObject[this.username],
-      uid: ldapObject[this.uid],
-      groups: ldapObject[this.groups].map((group) => {
-        return canonicalizeDn(group);
-      }),
-      extra: {},
-    };
+  async ldapToKubernetes(ldapObject: Object): Object {
+    // If the ldapObject "user" is not a member of any groups
+    // the conversion to a map fails and causes an exception.
+    var object
+    // Get nested group memebership now
+    // Our code here
+    // LDAP_MATCHING_RULE_IN_CHAIN (https://ldapwiki.com/wiki/1.2.840.113556.1.4.1941)
+    // MS AD specific
+    let matchingChainFilter = "(member:1.2.840.113556.1.4.1941:=" + ldapObject.dn +")"
+    let ldapNestedGroups = await this.client.search(matchingChainFilter)
+    for (var i in ldapNestedGroups) {
+      if (ldapObject[this.groups].includes(ldapNestedGroups[i].dn) == false) {
+        ldapObject[this.groups].push(ldapNestedGroups[i].dn)
+      }
+    }
+
+    if (ldapObject[this.groups]) {
+      object = {
+        username: ldapObject[this.username],
+        uid: ldapObject[this.uid],
+        groups: ldapObject[this.groups].map((group) => {
+          return canonicalizeDn(group);
+        }),
+        extra: {},
+      };
+    } else {
+      object = {
+        username: ldapObject[this.username],
+        uid: ldapObject[this.uid],
+        groups: [],
+        extra: {},
+      };
+    }
     for (let extraField of this.extraFields) {
       object.extra[extraField] = ldapObject[extraField];
     }