From b1e8e8933dead071e520fd554549742f1d570ab0 Mon Sep 17 00:00:00 2001 From: Douglas Barone Date: Thu, 19 Oct 2023 19:42:33 -0400 Subject: [PATCH] Basic UserID mapping OK --- .gitignore | 2 + package-lock.json | 66 ++++++++++++++++++++----------- src/server/auth/FakeAuth.ts | 6 ++- src/server/auth/LdapAuth.ts | 3 +- src/server/interfaces/Auth.ts | 1 + src/server/lib/login.ts | 20 ++++++++-- src/server/paloalto/PaFirewall.ts | 33 ++++++++++++++++ src/server/trpc.ts | 4 +- 8 files changed, 106 insertions(+), 29 deletions(-) create mode 100644 src/server/paloalto/PaFirewall.ts diff --git a/.gitignore b/.gitignore index 834fd88..f2ee3a1 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,5 @@ pnpm-debug.log* *.sw? .env + +/src/server/db diff --git a/package-lock.json b/package-lock.json index 7612c11..d645761 100644 --- a/package-lock.json +++ b/package-lock.json @@ -954,6 +954,20 @@ "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==" }, + "node_modules/body-parser/node_modules/qs": { + "version": "6.11.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz", + "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==", + "dependencies": { + "side-channel": "^1.0.4" + }, + "engines": { + "node": ">=0.6" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/brace-expansion": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", 
@@ -1366,6 +1380,20 @@
 "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
 "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
 },
+ "node_modules/express/node_modules/qs": {
+ "version": "6.11.0",
+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
+ "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
+ "dependencies": {
+ "side-channel": "^1.0.4"
+ },
+ "engines": {
+ "node": ">=0.6"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/ljharb"
+ }
+ },
 "node_modules/express/node_modules/raw-body": {
 "version": "2.5.1",
 "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz",
@@ -2026,20 +2054,6 @@
 "node": ">= 0.10"
 }
 },
- "node_modules/qs": {
- "version": "6.11.0",
- "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
- "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
- "dependencies": {
- "side-channel": "^1.0.4"
- },
- "engines": {
- "node": ">=0.6"
- },
- "funding": {
- "url": "https://github.com/sponsors/ljharb"
- }
- },
 "node_modules/range-parser": {
 "version": "1.2.1",
 "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
@@ -3418,6 +3432,14 @@
 "version": "2.0.0",
 "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
 "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="
+ },
+ "qs": {
+ "version": "6.11.0",
+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz",
+ "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==",
+ "requires": {
+ "side-channel": "^1.0.4"
+ }
 }
 }
 },
@@ -3744,6 +3766,14 @@ "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==" }, + "qs": { + "version": "6.11.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz", + "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==", + "requires": { + "side-channel": "^1.0.4" + } + }, "raw-body": { "version": "2.5.1", "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.1.tgz", @@ -4195,14 +4225,6 @@ "ipaddr.js": "1.9.1" } }, - "qs": { - "version": "6.11.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz", - "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==", - "requires": { - "side-channel": "^1.0.4" - } - }, "range-parser": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", diff --git a/src/server/auth/FakeAuth.ts b/src/server/auth/FakeAuth.ts index 190e51a..8374371 100644 --- a/src/server/auth/FakeAuth.ts +++ b/src/server/auth/FakeAuth.ts @@ -3,7 +3,11 @@ export class FakeAuth implements Auth { async login(username: string, password: string): Promise { if (username == 'test' && password == 'test') - return { displayName: 'Test User', username: 'test' } + return { + displayName: 'Test User', + username: 'test', + domain: 'test_domain' + } throw new Error('Login failed') } } diff --git a/src/server/auth/LdapAuth.ts b/src/server/auth/LdapAuth.ts index a991a04..8e00e03 100644 --- a/src/server/auth/LdapAuth.ts +++ b/src/server/auth/LdapAuth.ts @@ -19,7 +19,8 @@ export class LdapAuth implements Auth { return { username, - displayName: search.searchEntries[0].displayName as string + displayName: search.searchEntries[0].displayName as string, + domain: this.domain } } catch (error: any) { console.log('Error:', error) 
diff --git a/src/server/interfaces/Auth.ts b/src/server/interfaces/Auth.ts index 7ad66f2..959ffb1 100644 --- a/src/server/interfaces/Auth.ts +++ b/src/server/interfaces/Auth.ts @@ -1,6 +1,7 @@ type LoginResult = { username: string displayName: string + domain: string jwt?: string } diff --git a/src/server/lib/login.ts b/src/server/lib/login.ts index 611260f..0927588 100644 --- a/src/server/lib/login.ts +++ b/src/server/lib/login.ts @@ -1,15 +1,29 @@ import { Client } from 'ldapts' import { LdapAuth } from '../auth/LdapAuth' +import { PaFirewall } from '../paloalto/PaFirewall' -export async function login(username: string, password: string) { +import { paHosts } from '../db/pa' + +process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' + +export async function login(username: string, password: string, ip: string) { const ldapClient = new Client({ url: 'ldap://10.7.0.18' }) const ldapAuth = new LdapAuth(ldapClient, 'ifms', 'DC=ifms,DC=edu,DC=br') - const user = await ldapAuth.login(username, password) + try { + const user = await ldapAuth.login(username, password) - return user + const pa = new PaFirewall(paHosts[0].ip, paHosts[0].key) + + await pa.mapUserIDToIP(username, ip, user.domain) + + return user + } catch (error) { + console.log(error) + throw new Error('Login failed') + } } diff --git a/src/server/paloalto/PaFirewall.ts b/src/server/paloalto/PaFirewall.ts new file mode 100644 index 0000000..b02ce56 --- /dev/null +++ b/src/server/paloalto/PaFirewall.ts 
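Review bot: `process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'` at module load turns off certificate verification for every TLS connection the whole Node process makes, not just the call to the firewall, so the API key that PaFirewall sends over `https://${this.ip}` can be read by anyone able to interpose on that path. Drop the line and trust the firewall's certificate explicitly instead — point `NODE_EXTRA_CA_CERTS` at the firewall's CA bundle, or hand the CA to the HTTPS client inside PaFirewall. Separately, `paHosts[0].key` pulls the firewall API key out of `../db/pa`, a source module that this same commit adds to .gitignore, so a fresh checkout will not compile and the secret lives beside code; read it from the environment or a secrets store like the other configuration. The `catch` also reports a failed firewall mapping as `'Login failed'` after the LDAP credentials were accepted — a distinct message, or preserving the error type, would let operators tell the two apart.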
@@ -0,0 +1,33 @@ +const MAP_TIMEOUT_IN_MINUTES = process.env.MAPPING_TIMEOUT || '720' // 12 horas + +export class PaFirewall { + constructor(private ip: string, private key: string) {} + + async mapUserIDToIP(username: string, ip: string, domain: string) { + const command = this.createCommand(username, ip, domain) + + const response = await fetch( + `https://${this.ip}/api/?type=user-id&key=${this.key}&cmd=${command}`, + { + method: 'POST' + } + ) + + const data = await response.text() + + console.log(data) + } + + private createCommand(username: string, ip: string, domain: string) { + return ` + + 1.0 + update + + + + + + ` + } +} diff --git a/src/server/trpc.ts b/src/server/trpc.ts index dbb7caf..3aae7be 100644 --- a/src/server/trpc.ts +++ b/src/server/trpc.ts @@ -21,8 +21,8 @@ export const appRouter = t.router({ login: t.procedure .input(z.object({ username: z.string(), password: z.string() })) - .mutation(async ({ input }) => { - return await login(input.username, input.password) + .mutation(async ({ input, ctx }) => { + return await login(input.username, input.password, getIpFromContext(ctx)) }) })
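Review bot: `mapUserIDToIP` never checks the outcome of the call — `response.ok` is ignored and the body is only logged — so a rejected or malformed mapping (the PAN-OS XML API reports failures in the response body's `status` attribute, typically alongside HTTP 200) leaves the user logged in with no firewall mapping and nothing but a console line to show for it. The request also puts the API key in the query string, where it lands in proxy and firewall access logs, and splices `command` into the URL without URL-encoding even though the XML contains `<`, `"` and spaces; PAN-OS accepts the key in the `X-PAN-KEY` header and the parameters as a POST form body. In `createCommand`, `username`, `domain` and `ip` are interpolated into the XML unescaped (the template's markup did not survive rendering here, but the signature shows all three are inserted); escape `&`, `<`, `>` and `"` in those values, or reject values outside the expected character set, before building the entry. Rewriting the fetch and adding the status check looks like this:
```typescript
  async mapUserIDToIP(username: string, ip: string, domain: string) {
    const command = this.createCommand(username, ip, domain)

    // Key in a header, command form-encoded in the body: neither reaches
    // access logs via the URL and nothing needs hand-built URL escaping.
    const response = await fetch(`https://${this.ip}/api/`, {
      method: 'POST',
      headers: { 'X-PAN-KEY': this.key },
      body: new URLSearchParams({ type: 'user-id', cmd: command })
    })

    const data = await response.text()

    // PAN-OS signals API failures in the body's status attribute, so the
    // HTTP status alone is not enough.
    if (!response.ok || !data.includes('status="success"')) {
      throw new Error(`User-ID mapping failed (HTTP ${response.status})`)
    }
  }
```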
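Review bot: `getIpFromContext(ctx)` decides which address gets bound to the authenticated user on the firewall, so its provenance matters more than anything else in this hunk: if it is read from a client-supplied header such as `X-Forwarded-For` rather than the socket peer address, a caller can attach their identity to another host's IP. The helper is neither imported nor defined in the hunk (it may be elsewhere in trpc.ts), so I cannot tell; it should come from the connection's remote address, or from forwarding headers only when the app sits behind a proxy it is configured to trust, and the result should be checked with `net.isIP` before it reaches `login`. Having the zod schema constrain `username` to a bounded length and character set would also keep odd values out of the LDAP bind and the XML command downstream.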