2025-09-25 17:18:16 +02:00
|
|
|
/*
|
|
|
|
|
This file is part of »zeitbild«.
|
|
|
|
|
|
|
|
|
|
Copyright 2025 'kcf' <fenris@folksprak.org>
|
|
|
|
|
|
|
|
|
|
»zeitbild« is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU Lesser General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
»zeitbild« is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU Lesser General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
|
|
|
|
along with »zeitbild«. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
2024-09-18 18:17:25 +02:00
|
|
|
|
|
|
|
|
namespace _zeitbild.auth
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
/**
|
2024-09-19 13:34:07 +02:00
|
|
|
*/
|
2024-09-18 18:17:25 +02:00
|
|
|
let _subject : (
|
|
|
|
|
null
|
|
|
|
|
|
|
2024-09-19 13:34:07 +02:00
|
|
|
lib_plankton.auth.type_auth<any, any, any>
|
2024-09-18 18:17:25 +02:00
|
|
|
) = null;
|
|
|
|
|
|
|
|
|
|
|
2024-10-20 14:26:15 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*/
|
|
|
|
|
let _subject_oidc : (null | lib_plankton.auth.oidc.type_subject) = null;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2024-09-26 18:59:46 +02:00
|
|
|
/**
|
|
|
|
|
*/
|
|
|
|
|
let _oidc_redict_uri_template_map : (
|
|
|
|
|
null
|
|
|
|
|
|
|
|
|
|
|
lib_plankton.map.type_map<string, string>
|
|
|
|
|
) = null;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*/
|
|
|
|
|
export function oidc_get_redirect_uri_template(
|
|
|
|
|
key : string
|
|
|
|
|
) : string
|
|
|
|
|
{
|
2025-10-06 21:42:50 +02:00
|
|
|
if (_oidc_redict_uri_template_map === null)
|
|
|
|
|
{
|
2024-09-26 18:59:46 +02:00
|
|
|
throw (new Error("apparently not initialized yet"));
|
|
|
|
|
}
|
2025-10-06 21:42:50 +02:00
|
|
|
else
|
|
|
|
|
{
|
2024-09-26 18:59:46 +02:00
|
|
|
return _oidc_redict_uri_template_map.get(key);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2024-09-18 18:17:25 +02:00
|
|
|
/**
|
|
|
|
|
*/
|
|
|
|
|
export function init(
|
|
|
|
|
) : Promise<void>
|
|
|
|
|
{
|
2024-09-19 13:34:07 +02:00
|
|
|
switch (_zeitbild.conf.get().authentication.kind) {
|
2025-10-06 21:42:50 +02:00
|
|
|
case "internal":
|
|
|
|
|
{
|
2024-09-18 18:17:25 +02:00
|
|
|
_subject = lib_plankton.auth.internal.implementation_auth(
|
|
|
|
|
{
|
2024-09-19 13:34:07 +02:00
|
|
|
"password_image_chest": {
|
|
|
|
|
"setup": (input) => Promise.resolve<void>(undefined),
|
|
|
|
|
"clear": () => Promise.reject<void>("not implemented"),
|
|
|
|
|
"write": (key, item) => _zeitbild.repository.auth_internal.write(key, item),
|
|
|
|
|
"delete": (key) => _zeitbild.repository.auth_internal.delete_(key),
|
|
|
|
|
"read": (key) => _zeitbild.repository.auth_internal.read(key),
|
|
|
|
|
"search": (term) => Promise.reject<any>("not implemented"),
|
|
|
|
|
},
|
|
|
|
|
"check_password": (image, input) => _zeitbild.service.auth_internal.check_raw(image, input),
|
2024-09-18 18:17:25 +02:00
|
|
|
}
|
|
|
|
|
);
|
2024-09-19 13:34:07 +02:00
|
|
|
break;
|
2024-09-18 18:17:25 +02:00
|
|
|
}
|
2025-10-06 21:42:50 +02:00
|
|
|
case "oidc":
|
|
|
|
|
{
|
2024-10-20 14:26:15 +02:00
|
|
|
_subject_oidc = lib_plankton.auth.oidc.make(
|
|
|
|
|
{
|
|
|
|
|
"url_authorization": _zeitbild.conf.get().authentication.data.url_authorization,
|
|
|
|
|
"url_token": _zeitbild.conf.get().authentication.data.url_token,
|
|
|
|
|
"url_userinfo": _zeitbild.conf.get().authentication.data.url_userinfo,
|
|
|
|
|
"client_id": _zeitbild.conf.get().authentication.data.client_id,
|
|
|
|
|
"client_secret": _zeitbild.conf.get().authentication.data.client_secret,
|
|
|
|
|
"url_redirect": (_zeitbild.conf.get().authentication.data.backend_url_base + "/session/oidc"),
|
|
|
|
|
"scopes": [
|
|
|
|
|
"openid",
|
|
|
|
|
"profile",
|
|
|
|
|
"email",
|
2025-10-23 13:18:25 +02:00
|
|
|
"groups",
|
2024-10-20 14:26:15 +02:00
|
|
|
],
|
|
|
|
|
"label": _zeitbild.conf.get().authentication.data.label,
|
|
|
|
|
}
|
|
|
|
|
);
|
2024-09-26 18:59:46 +02:00
|
|
|
_oidc_redict_uri_template_map = lib_plankton.map.simplemap.implementation_map(
|
|
|
|
|
lib_plankton.map.simplemap.make(
|
|
|
|
|
)
|
2024-09-18 18:17:25 +02:00
|
|
|
);
|
2024-09-26 18:59:46 +02:00
|
|
|
// TODO
|
|
|
|
|
return Promise.resolve(undefined);
|
2024-09-19 13:34:07 +02:00
|
|
|
break;
|
2024-09-18 18:17:25 +02:00
|
|
|
}
|
2025-10-06 21:42:50 +02:00
|
|
|
default:
|
|
|
|
|
{
|
2024-09-18 18:17:25 +02:00
|
|
|
// do nothing
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return Promise.resolve<void>(undefined);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2024-09-19 13:34:07 +02:00
|
|
|
*/
|
2024-09-18 18:17:25 +02:00
|
|
|
export function prepare(
|
2024-09-26 18:59:46 +02:00
|
|
|
input : any
|
2024-09-18 18:17:25 +02:00
|
|
|
) : Promise<{kind : string; data : any;}>
|
|
|
|
|
{
|
2025-10-06 21:42:50 +02:00
|
|
|
switch (_zeitbild.conf.get().authentication.kind)
|
|
|
|
|
{
|
|
|
|
|
case "oidc":
|
|
|
|
|
{
|
|
|
|
|
if ((_subject_oidc === null) || (_oidc_redict_uri_template_map === null))
|
|
|
|
|
{
|
2024-10-20 14:26:15 +02:00
|
|
|
throw (new Error("not initialized yet"));
|
2024-09-26 18:59:46 +02:00
|
|
|
}
|
2025-10-06 21:42:50 +02:00
|
|
|
else
|
|
|
|
|
{
|
2024-10-20 14:26:15 +02:00
|
|
|
const stuff : {state : string; authorization_url : string;} = lib_plankton.auth.oidc.prepare_login(_subject_oidc);
|
2024-09-26 18:59:46 +02:00
|
|
|
_oidc_redict_uri_template_map.set(
|
2024-10-20 14:26:15 +02:00
|
|
|
stuff.state,
|
2024-09-26 18:59:46 +02:00
|
|
|
input["oidc_redirect_uri_template"]
|
|
|
|
|
);
|
|
|
|
|
return Promise.resolve(
|
|
|
|
|
{
|
|
|
|
|
"kind": "oidc",
|
|
|
|
|
"data": {
|
2024-10-20 14:26:15 +02:00
|
|
|
"url": stuff.authorization_url,
|
|
|
|
|
"label": _zeitbild.conf.get().authentication.data.label,
|
2024-09-26 18:59:46 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
2025-10-06 21:42:50 +02:00
|
|
|
default:
|
|
|
|
|
{
|
|
|
|
|
if (_subject === null)
|
|
|
|
|
{
|
2024-09-26 18:59:46 +02:00
|
|
|
return Promise.reject(new Error("not initialized yet"));
|
|
|
|
|
}
|
2025-10-06 21:42:50 +02:00
|
|
|
else
|
|
|
|
|
{
|
2024-09-26 18:59:46 +02:00
|
|
|
return (
|
|
|
|
|
_subject.login_prepare()
|
|
|
|
|
.then(
|
|
|
|
|
(data : any) => ({
|
|
|
|
|
"kind": _zeitbild.conf.get().authentication.kind,
|
|
|
|
|
"data": data,
|
|
|
|
|
})
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
2024-09-19 13:34:07 +02:00
|
|
|
}
|
2024-09-18 18:17:25 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2024-09-19 13:34:07 +02:00
|
|
|
*/
|
2024-10-20 18:26:24 +02:00
|
|
|
export async function oidc_handle_authorization_callback(
|
2024-10-20 14:26:15 +02:00
|
|
|
cookie : (null | string),
|
|
|
|
|
data : Record<string, string>
|
|
|
|
|
) : Promise<
|
|
|
|
|
{
|
|
|
|
|
token : string;
|
2025-10-23 19:08:00 +02:00
|
|
|
userinfo : lib_plankton.auth.oidc.type_userinfo;
|
2024-10-20 14:26:15 +02:00
|
|
|
redirect_uri_template : string;
|
2024-09-19 13:34:07 +02:00
|
|
|
}
|
2024-10-20 14:26:15 +02:00
|
|
|
>
|
2024-09-18 18:17:25 +02:00
|
|
|
{
|
2025-10-06 21:42:50 +02:00
|
|
|
if ((_subject_oidc === null) || (_oidc_redict_uri_template_map === null))
|
|
|
|
|
{
|
2024-10-20 18:26:24 +02:00
|
|
|
throw (new Error("not initialized yet"));
|
|
|
|
|
}
|
2025-10-06 21:42:50 +02:00
|
|
|
else
|
|
|
|
|
{
|
2024-10-20 18:26:24 +02:00
|
|
|
const state : string = data["state"];
|
|
|
|
|
const result : {
|
2024-10-20 14:26:15 +02:00
|
|
|
token : string;
|
2025-10-23 19:08:00 +02:00
|
|
|
userinfo : lib_plankton.auth.oidc.type_userinfo;
|
2024-10-20 18:26:24 +02:00
|
|
|
} = await lib_plankton.auth.oidc.handle_authorization_callback(
|
|
|
|
|
_subject_oidc,
|
|
|
|
|
cookie,
|
|
|
|
|
data
|
|
|
|
|
);
|
|
|
|
|
return Promise.resolve<
|
|
|
|
|
{
|
|
|
|
|
token : string;
|
2025-10-23 19:08:00 +02:00
|
|
|
userinfo : lib_plankton.auth.oidc.type_userinfo;
|
2024-10-20 18:26:24 +02:00
|
|
|
redirect_uri_template : string;
|
|
|
|
|
}
|
|
|
|
|
>(
|
|
|
|
|
{
|
|
|
|
|
"token": result.token,
|
|
|
|
|
"userinfo": result.userinfo,
|
|
|
|
|
"redirect_uri_template": _oidc_redict_uri_template_map.get(state),
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
}
|
2024-09-18 18:17:25 +02:00
|
|
|
}
|
2024-09-19 13:34:07 +02:00
|
|
|
|
2025-10-23 19:08:00 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @todo switch for enabling/disabling auto provisioning
|
|
|
|
|
*/
|
|
|
|
|
export async function oidc_adapt_user(
|
|
|
|
|
userinfo : lib_plankton.auth.oidc.type_userinfo
|
|
|
|
|
)
|
|
|
|
|
: Promise<
|
|
|
|
|
{
|
|
|
|
|
id : _zeitbild.type_user_id;
|
|
|
|
|
object : _zeitbild.type_user_object;
|
|
|
|
|
}
|
|
|
|
|
>
|
|
|
|
|
{
|
|
|
|
|
if (userinfo.name === null)
|
|
|
|
|
{
|
|
|
|
|
return Promise.reject(new Error("IDP did not return user name"));
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
// groups
|
|
|
|
|
const group_ids : Array<_zeitbild.type_group_id> = await (async () => {
|
|
|
|
|
const derive_name : ((group_name_raw : string) => string) = (
|
|
|
|
|
(group_name_raw) => lib_plankton.string.coin(
|
|
|
|
|
"auto-{{name_raw}}",
|
|
|
|
|
{
|
|
|
|
|
"name_raw": group_name_raw,
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
const derive_label : ((group_name_raw : string) => string) = (
|
|
|
|
|
(group_name_raw) => lib_plankton.string.coin(
|
|
|
|
|
"{{name_raw}}",
|
|
|
|
|
{
|
|
|
|
|
"name_raw": group_name_raw,
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
return Promise.all<_zeitbild.type_group_id>(
|
|
|
|
|
(userinfo.groups ?? [])
|
|
|
|
|
.map(
|
|
|
|
|
async (group_name_raw) => {
|
|
|
|
|
const group_name : string = derive_name(group_name_raw);
|
|
|
|
|
const group_id_raw : (null | _zeitbild.type_group_id) = await (
|
|
|
|
|
_zeitbild.repository.group.identify(group_name)
|
|
|
|
|
.catch(() => Promise.resolve(null))
|
|
|
|
|
);
|
|
|
|
|
if (group_id_raw === null)
|
|
|
|
|
{
|
|
|
|
|
// create
|
|
|
|
|
const group_id : _zeitbild.type_group_id = await _zeitbild.service.group.add(
|
|
|
|
|
{
|
|
|
|
|
"name": group_name,
|
|
|
|
|
"label": derive_label(group_name_raw),
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
lib_plankton.log.info(
|
|
|
|
|
"zeitbild.oidc_adapt_user.auto_provisioned_group",
|
|
|
|
|
{
|
|
|
|
|
"id": group_id,
|
|
|
|
|
"name": group_name,
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
return group_id;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
// update
|
|
|
|
|
const group_id : _zeitbild.type_group_id = group_id_raw;
|
|
|
|
|
await _zeitbild.service.group.change(
|
|
|
|
|
group_id,
|
|
|
|
|
{
|
|
|
|
|
"name": group_name,
|
|
|
|
|
"label": derive_label(group_name_raw),
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
return group_id;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}) ();
|
|
|
|
|
|
|
|
|
|
// user
|
|
|
|
|
const user : {
|
|
|
|
|
id : _zeitbild.type_user_id;
|
|
|
|
|
object : _zeitbild.type_user_object;
|
|
|
|
|
} = await (async () => {
|
|
|
|
|
const user_id_raw : (null | _zeitbild.type_user_id) = await (
|
|
|
|
|
_zeitbild.service.user.identify(userinfo.name as string)
|
|
|
|
|
.catch(() => Promise.resolve(null))
|
|
|
|
|
);
|
|
|
|
|
if (user_id_raw === null)
|
|
|
|
|
{
|
|
|
|
|
// provision
|
|
|
|
|
const user_object : _zeitbild.type_user_object = {
|
|
|
|
|
"name": (userinfo.name as string),
|
|
|
|
|
"groups": group_ids,
|
|
|
|
|
"email_address": userinfo.email,
|
|
|
|
|
"dav_token": null,
|
|
|
|
|
};
|
|
|
|
|
const user_id : _zeitbild.type_user_id = await _zeitbild.service.user.add(
|
|
|
|
|
user_object
|
|
|
|
|
);
|
|
|
|
|
lib_plankton.log.info(
|
|
|
|
|
"user_provisioned",
|
|
|
|
|
{
|
|
|
|
|
"id": user_id,
|
|
|
|
|
"name": user_object.name,
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
return {"id": user_id, "object": user_object};
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
// update
|
|
|
|
|
const user_id : _zeitbild.type_user_id = user_id_raw;
|
|
|
|
|
const user_object : _zeitbild.type_user_object = await _zeitbild.service.user.get(user_id);
|
|
|
|
|
user_object.name = (userinfo.name as string);
|
|
|
|
|
user_object.groups = group_ids;
|
|
|
|
|
user_object.email_address = userinfo.email;
|
|
|
|
|
await _zeitbild.service.user.change(
|
|
|
|
|
user_id,
|
|
|
|
|
user_object
|
|
|
|
|
);
|
|
|
|
|
lib_plankton.log.info(
|
|
|
|
|
"user_updated",
|
|
|
|
|
{
|
|
|
|
|
"id": user_id,
|
|
|
|
|
"name": user_object.name,
|
|
|
|
|
}
|
|
|
|
|
);
|
|
|
|
|
return {"id": user_id, "object": user_object};
|
|
|
|
|
}
|
|
|
|
|
}) ();
|
|
|
|
|
|
|
|
|
|
return user;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-09-18 18:17:25 +02:00
|
|
|
}
|
